Breached! 6 Actionable Steps to Take in the Event of a Ransomware Attack

You’ve just been breached. What do you do next? Before you hit the panic button, we’ve outlined a 6-step actionable plan any MSP can implement immediately during a ransomware attack to protect your clients’ data. Let’s dive right in: every second here is valuable.

How to Spot a Ransomware Attack – 4 Warning Signs

Ransomware attacks are on the rise and becoming more sophisticated each year. 

Research showed that in 2023, 46% of SMBs and enterprises experienced a ransomware attack. The threat is quite real. But the main question is whether they were prepared for it. Did they miss an early sign that could have stopped the attack from escalating?

Here are four common signs of a ransomware attack in progress. 

  • Sign #1: Sudden file encryption: During the encryption process, the ransomware typically modifies file names or appends new extensions to them. Keep a sharp eye out for any unusual-looking file extensions. A ransom note or pop-up message almost always appears once the files have been encrypted.
  • Sign #2: Unusual network activity: Pay close attention to any unexpected outbound network traffic, particularly to suspicious IP addresses. Other signs to be aware of include unusual patterns of data transfer, communication, or connections to unknown servers.
  • Sign #3: Unusual system resource usage: If you notice a sudden spike in CPU or memory usage without any explanation, especially when no resource-intensive applications are running, it could be a sign of malicious activity. Another sign is a hard drive or storage device showing unusually high levels of read-and-write activity. This is most likely the ransomware actively encrypting the files.
  • Sign #4: Altered file timestamps: If files appear to have been recently modified despite no legitimate user activity, it may indicate ransomware tampering during the encryption process, potentially compromising the integrity of the data. Check for inconsistencies in file creation and modification dates.
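Signs #1, #3 and #4 can be turned into a check an MSP runs over file-share metadata. The script below is an added example, not code from the original post or from Guardz; the extension allow-list, the ransom-note name fragments, the thresholds and the sample records are all constructed assumptions.

```python
import math
import random
from collections import Counter

# Extensions expected on the monitored share: an allow-list the MSP maintains (assumption).
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "csv", "jpg", "png"}
# Fragments common in ransom-note file names; illustrative, not exhaustive.
NOTE_MARKERS = ("readme", "how_to_decrypt", "restore", "decrypt")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted or compressed data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def has_unknown_extension(path: str) -> bool:
    """Sign #1: final extension not on the allow-list (e.g. report.docx.locked)."""
    parts = path.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) > 1 and parts[-1] not in KNOWN_EXTENSIONS

def mass_modification(mtimes, window=60, threshold=20) -> bool:
    """Signs #3/#4: more than `threshold` files modified inside any `window`-second span."""
    times, lo = sorted(mtimes), 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 > threshold:
            return True
    return False

def assess_snapshot(records, window=60, threshold=20, entropy_floor=7.0):
    """records: dicts {path, mtime (epoch s), head (leading bytes)}; returns indicator -> evidence."""
    findings = {}
    renamed = [r["path"] for r in records if has_unknown_extension(r["path"])]
    # A known extension with encrypted-looking content points at in-place encryption.
    opaque = [r["path"] for r in records if r["path"] not in renamed
              and shannon_entropy(r["head"]) > entropy_floor]
    notes = [r["path"] for r in records if any(m in r["path"].lower() for m in NOTE_MARKERS)]
    for key, evidence in (("unknown_extensions", renamed), ("high_entropy_content", opaque),
                          ("possible_ransom_note", notes)):
        if evidence:
            findings[key] = evidence
    if mass_modification([r["mtime"] for r in records], window, threshold):
        findings["mass_modification"] = len(records)
    return findings

# Constructed snapshot: 25 documents encrypted within 30 seconds (5 in place, 20 renamed) plus a note.
_rng = random.Random(1234)  # deterministic stand-in for ciphertext bytes
ENCRYPTED_SHARE = [{"path": f"finance/report_{i}.docx" + ("" if i < 5 else ".locked"),
                    "mtime": 1_700_000_000 + i, "head": _rng.randbytes(1024)} for i in range(25)]
ENCRYPTED_SHARE.append({"path": "finance/HOW_TO_DECRYPT.txt", "mtime": 1_700_000_030,
                        "head": b"Your files have been encrypted. Contact us to restore them."})
```

On the constructed snapshot `assess_snapshot(ENCRYPTED_SHARE)` reports all four indicators, while a handful of ordinary edits spread over an hour returns an empty dict.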

Now that you’re a bit more familiar with some of the main signs of a ransomware attack, it’s time to implement an immediate course of action. But first, should you pay the ransom fee if you’ve been breached? 


Should You Pay the Ransom Fee? (The Expensive Question)

The short answer is no. 

Paying a ransom provides absolutely no guarantee that the attackers will restore access to the encrypted data or provide decryption keys. According to Sophos, it cost companies an average of $1.82 million to recover from a ransomware attack in 2023, excluding the hefty ransom fees. 

Another crucial point to take into consideration is that paying the ransom fee might not address the root cause of the security breach, leaving the organization vulnerable to future attacks. You can’t honestly believe the attacker, can you? 

Every MSP should have an emergency course of action to implement in the event of a ransomware attack to maintain business integrity, avoid compliance penalties, and skip out on paying the ransom demand without a guarantee of receiving any files or data back.

6 Actionable Steps an MSP Should Take in the Event of a Ransomware Attack

  1. Get Visual Proof of the Ransomware Incident: The first step is to take a photo of the ransomware message with your smartphone or capture a screenshot, and report it right away. This will serve as proof of the ransomware incident, documenting the specific message, demands, and any unique identifiers provided by the attackers. This step is crucial for initiating the appropriate response measures, such as investigation, containment, and recovery from the ransomware incident.
  2. Activate Incident Response Plan: Start by defining the severity levels for incidents, including criteria for categorizing a ransomware attack. Develop a severity matrix outlining criteria for incident classification. Conduct a thorough analysis of affected systems and networks and determine the initial point of compromise. This involves investigating whether the ransomware originated from an endpoint device, a network vulnerability, or another entry point in the MSP’s infrastructure. 
  3. Isolate and Contain Affected Systems: Disable network access for affected devices and disconnect any external storage devices. Identify and isolate the impacted systems to prevent the ransomware from spreading further within your network and to client environments. This includes cutting off access to third-party vendors and external entities connected to your network to further enhance containment measures. 
  4. Notify Your Clients and Stakeholders: As a service professional, your next priority and obligation is to immediately notify your clients about the ransomware incident. This is certainly an unpleasant task, but you must be completely transparent and have clear communication to maintain client trust and integrity, not to mention the potential legal ramifications of a data privacy compliance breach. 
  5. Restore Affected Systems from Backups: Always have a backup plan. Conduct a thorough verification of the integrity of the identified backups. Check for any corruption or inconsistencies in the backup data and ensure that the backup files have not been compromised during the incident. Prioritize the restoration of critical systems and data based on business objectives. Before bringing the restored systems back, ensure that all software, operating systems, and applications are updated and patched to the latest secure versions. Oh, by the way, unpatched vulnerabilities account for 60% of all data breaches.
  6. Strengthen Cybersecurity Measures: Start by implementing MFA across critical systems and applications to secure your clients’ data and safeguard against unauthorized access. Ensure that endpoint protection solutions are up-to-date. Educate clients on cybersecurity best practices, emphasizing the risks associated with a potential ransomware attack and the importance of recognizing and reporting suspicious activities. The final step is to consolidate your cybersecurity solutions with an all-in-one cybersecurity platform like Guardz.  

Protect Your Clients’ Data from Ransomware Threats with Guardz

Having a plan of action is essential but not enough to protect against evolving ransomware threats. Guardz ransomware protection empowers MSPs to automatically detect and respond to threats. Guardz conducts external scans to identify exposed vulnerabilities and outdated operating systems, providing you with a first line of defense against a potential attack. Don’t wait until that ransomware threat escalates. Take proactive security measures and consolidate your cybersecurity solutions. 


