Nine actions to take immediately in the event of a hack
If some of your files become blocked or you can no longer access your computer, it’s possible you’ve been hacked with ransomware or other malware. Here are nine actions you can take straight away to fend off any attack
Map out the attack and immediately isolate infected devices
Start by determining the scope of the attack. Document exactly what has been encrypted or stolen in as much detail as possible. Then isolate the infected devices to prevent the malware from spreading any further. Unplug network cables and disconnect network segments and connections, including for wireless networks. Act immediately because the attackers have already infiltrated the network and could quickly extend the malware attack.
Communicate via new channels
The attackers are potentially already listening. You should assume they have access to your email traffic. So limit your network communications to the very minimum straight away, and use a separate and secure channel to communicate with your technical and management team about the incident. Analyse in advance what alternative systems you can use for your internal and external communications
Appoint a crisis team
Appoint a crisis team to stay in contact with security experts, determine how to communicate, deal with legal issues and set priorities for recovery. The crisis team includes representatives from communications and legal teams, IT, the business and your data protection officer (DPO). Depending on the size of your organization, you may consider having two crisis teams: one for the business side and one for operational IT (that reports directly to the crisis team).
Set a cyber incident response team to work
Call in help from cyber specialists such as forensic experts. They will establish how the incident occurred and help prevent new attacks. Check whether you are insured for incident management. If you don’t have the necessary expertise in-house, hire a professional incident response team to assess, map out and avert the attack
Communicate early and often, including with the authorities
Communicate early and often with employees, suppliers, journalists, service providers and customers. Hiding an attack is generally a bad idea as this could damage your brand reputation and image. It’s therefore best to be as transparent as possible, even if you don’t have all the answers yet. You are also legally obliged to inform the data protection authority about suspected breaches, which you can do here (only in Dutch and French). Involve your DPO and take legal advice from experts about whether to file a complaint with the police.
Don’t pay
The Centre for Cyber Security Belgium advises against paying any ransom. Attackers will make every effort to keep extorting more money – ransom amounts can suddenly double, and you are never certain to receive the decryption keys. Having a separate and verified copy of your data is
the best tip for avoiding paying a ransom. Make sure your backups have not been compromised or accessed, and indeed it’s best to also have immutable backups. If you do feel you need to negotiate, consider hiring an expert. Communicating with hackers is a specialist skill in itself.
Tighten up your security immediately
You need to acknowledge that you are still vulnerable. Make sure you have at least Olympic-level security straight away: security monitoring by a security operations centre (SOC) with malware detection for critical systems and devices with an internet connection. This gives you visibility into the data traffic on your network.
You also need to use the necessary updates to patch your systems against known vulnerabilities straight away. Change the passwords for all your accounts and start using multifactor authentication. Do your privileged accounts such as admins first. And don’t give everyone internet access – just the teams that are working on the recovery.
Save your encrypted copies
Clean your systems and make sure they don’t get reinfected. Scan them thoroughly before including them in your network again. Then gradually restore your business-critical systems and servers before reinstating user devices. Finally, save a copy of your encrypted data. A free decryption tool for the ransomware might still become available at later date. Remove or isolate obsolete systems and protocols.
Make it as difficult as possible
Up and running again? Now make sure you take the time to analyse and document the attack in detail. Update your controls and processes to prevent any subsequent attack. You can never fully rule out another attack, but you can make it as difficult as possible for the hackers.