There are situations for which you are simply not prepared and yet you have to act quickly and correctly. A ransomware attack is one such situation, and a highly relevant one. Last year, one in three companies was affected. Read here what to do when it happens to you. Three minutes of reading that will pay off when you build your ransomware defence plan.

1. Have I been attacked by ransomware?

You are first in the office in the morning, grab yourself a cup of coffee, boot up your computer and experience a surprise. Instead of access to your servers, you get a message.

“your personal files are encrypted – pay for unlock”.

It’s not a joke: your colleagues can’t access the servers either. You are the victim of a so-called ransomware attack. Attackers have penetrated your corporate network and installed malware that encrypts all your data and holds it as a digital hostage. The attackers then offer to decrypt your data in return for a ransom. Typically, they request payment in cryptocurrency. Variations of this strategy are to threaten to publish the data if you don’t pay, or to raise the requested amount in large steps if you don’t pay within a certain period of time.

How could this happen? Perhaps you opened a phishing email, perhaps a colleague passed on his password carelessly, or perhaps there is a security gap in a piece of software. You may find out, or you may not. Either way, you had better put that question aside for now; the answer won’t help you at this moment. Focus on the issues at hand that will actually help you.

2. Your Ransomware Defence Plan

The attack on your company has led to the failure of your IT, or of relevant parts of it. In our digitalized world of business, this can quickly become an existential threat. You need to act quickly and correctly to recover your IT, and with it your company. The following Ransomware Defence Plan contains the important aspects to consider.

2.1. Organisation and Team Setup

During perhaps your company’s biggest crisis, you need all the help you can get.

  • Do you have cyber insurance? Contact your insurer directly. Most policies include support in a crisis. Make sure to use it if possible.

Whether you have insurance or not, you need to put together a crisis team that will help you deal with as many of the expected challenges as possible. Think about these areas in particular:

  • IT and IT-Security
  • Data protection, IT-law and liability issues
  • Internal and external communication

Get the internally available colleagues for these areas into your crisis team. The typical members of a crisis team are management, IT, data protection and the legal department. If you cannot cover one or more of these areas internally, don’t hesitate to call in external help. Perhaps you have a crisis plan with external experts or know the right consultants personally. If not, ask within your network. More companies are affected by ransomware attacks than you think, so the chances of a referral are good.

2.2. IT Defence and Recovery

Your team is ready? Start defending against the attack and recovering your IT. Your goal, of course, must be to restore secure IT operations as quickly as possible. Ideally, you already have experts on your side who know what to do. If not, this checklist can be your roadmap until the experts are on board. To restore operations safely, it is crucial that the ransomware is removed from your IT systems or effectively isolated. This is the highest priority and should be taken into account in each of the steps described below.

  • Quick solution in sight? On the website of Europol’s NOMORERANSOM project (link), there are tips on dealing with ransomware attacks and a tool for decrypting data. This could be your rescue. It is definitely worth a try.
  • Rescue what can be rescued. Take measures to prevent further infections. Disconnect your network connections. Identify and isolate affected systems.
  • Analyse the damage and restore functionality. First temporarily, then permanently, but in any case securely. Only ever bring your IT systems back live when you are sure it is safe to do so.
  • Rebuild your IT. Safety first applies here as well: affected IT components should only go live again when you are sure they are clean.
  • Lessons learned? Analyse the attack and the vulnerabilities in your IT that made the ransomware attack possible. It is bad enough that you were attacked once. It should never happen again in the same way.

Alongside these steps, it makes sense to preserve evidence for later evaluation and, if necessary, for handing over to the prosecuting authorities.
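The "identify affected systems" and "preserve evidence" steps above can be partly scripted. The following added example (not code from the original article) triages a directory tree: it flags probable ransom notes by file name, flags probable encrypted files by their near-random byte distribution, and records a SHA-256 manifest of every file as an evidence record. The keyword list, extension lists and entropy threshold are assumptions chosen for this example, and the sample tree is constructed inline.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Heuristics below are assumptions for this example, not vendor indicators.
NOTE_KEYWORDS = ("decrypt", "restore", "ransom", "readme")
HIGH_ENTROPY_SKIP = {".zip", ".gz", ".7z", ".jpg", ".png", ".pdf", ".docx", ".mp4"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data sits close to 8.0
SAMPLE_BYTES = 4096       # only the head of each file is measured


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the given data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_directory(root) -> dict:
    """Walk a tree, flag ransom notes and encrypted files, hash everything."""
    findings = {"ransom_notes": [], "encrypted_files": [], "manifest": {}}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        # Hash every file, read-only, so investigators can later prove integrity.
        findings["manifest"][str(path.relative_to(root))] = hashlib.sha256(data).hexdigest()
        suffix, name = path.suffix.lower(), path.name.lower()
        if suffix in (".txt", ".html") and any(k in name for k in NOTE_KEYWORDS):
            findings["ransom_notes"].append(path.name)
        # Compressed formats are naturally high-entropy, so they are skipped here.
        elif suffix not in HIGH_ENTROPY_SKIP and shannon_entropy(data[:SAMPLE_BYTES]) > ENTROPY_THRESHOLD:
            findings["encrypted_files"].append(path.name)
    return findings


def build_sample_tree() -> str:
    """Constructed sample: one intact file, one 'encrypted' file, one note."""
    root = tempfile.mkdtemp(prefix="triage_")
    (Path(root) / "budget.csv").write_bytes(b"2024,Q1,marketing,12000\n" * 200)
    # Deterministic pseudo-ciphertext: hash output has a near-uniform byte spread.
    pseudo_cipher = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    (Path(root) / "budget.csv.locked").write_bytes(pseudo_cipher)
    (Path(root) / "HOW_TO_DECRYPT.txt").write_text("your personal files are encrypted - pay for unlock")
    return root


if __name__ == "__main__":
    result = triage_directory(build_sample_tree())
    print(result["ransom_notes"], result["encrypted_files"], len(result["manifest"]))
```

Run it against a mounted, write-protected copy of a suspect share rather than the live system, and keep the manifest with the rest of the evidence.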

2.3. Legal Defence and Protection

There can be multiple legal liabilities arising from a ransomware attack. Incorrect behaviour can even lead to heavy fines or compensation claims. Therefore: Once your IT defence is in place, take care of your legal protection. Think in particular of these topics:

  • Data protection and notification requirements. In many cases, a ransomware attack is a data protection incident and must be reported to the relevant data protection authority within 72 hours. This is because the attackers typically had the opportunity to access personal data. If you cannot rule out that possibility and the resulting risk to the data subjects, you are obliged to notify your data protection authority and, where necessary, the data subjects as well. Data protection authorities have notification forms for this purpose. You can find these and a lot of helpful information on reporting data protection violations here.
  • IT-Security-Legislation and reporting obligations. If you are an operator of critical infrastructure under the German Critical Infrastructure Legislation, you must report the incident to the German Federal Office for Information Security (BSI) without delay. Click here for the BSI FAQs and the link to the reporting portal.
  • Report to the police? Ransomware attacks are criminal offenses and can be reported to the police. A list of the responsible offices of the state criminal investigation departments can be found here.
  • Cyber insurance. If you have cyber insurance, report the attack immediately.
  • Business partners and customers. Are there business partners or customers to whose IT systems you are connected and whose IT systems are at risk from the attack or who depend on you for other reasons, for example because they urgently need your products or services? You should inform them and support them in defending against any damage. Otherwise you could be held liable.

2.4. The key question: Pay the ransom?

The attackers want a ransom from you. If you pay it, everything will be fine – that is the promise. In fact, in about 2/3 of the cases, the data is “released” if the ransom is paid, according to the results of a study by a British security software company. The police – unsurprisingly – strongly advise against paying the ransom. The reason is probably partly to keep the market for ransomware attacks as unattractive as possible. Of course, this argument is not binding for you. You have to decide for yourself whether to pay the ransom; no one can take this decision away from you. In general, if you are not able to restore your IT, or only to a very limited extent, and especially if you do not have a sufficient backup, you will be more tempted to pay. The better and faster you have your IT up and running again, and the more complete your backup is, the easier it will be for you to rule out paying the ransom as an option.

2.5. Communication

It will not be possible to hide the attack on your IT permanently. Your employees will notice that your IT no longer works, and business partners will notice that you can no longer provide your services or communicate with them. If your company is in the spotlight, the attack could soon become a media topic. You should keep that in mind for your ransomware defence plan. Keeping your own employees and business partners up to date and providing them with information relevant to their situation is part of good crisis management. Whether and to what extent you are willing and able to influence the public image of your company depends on how present your company is in the media and on your individual crisis management. In other words, you have to decide for yourself – there is no clear right or wrong here.

3. Bottom Line

If you are the victim of a ransomware attack, we hope this article helps you take the first steps to overcome the situation. We keep our fingers crossed that you’ll never need it.