Ransomware attack, every minute counts
When a small or medium-sized business (SMB) is hit with a ransomware attack, every minute counts. Here’s a clear, action-focused guide to help you respond effectively and recover with resilience:
1. Isolate Affected Systems Immediately
- Disconnect infected devices from the internet and internal networks.
- Disable Wi-Fi, unplug Ethernet cables, and turn off Bluetooth to stop the spread.
2. Document Everything
- Take screenshots of ransom notes and error messages.
- Record filenames, timestamps, and any suspicious activity for forensic analysis.
3. Activate Your Incident Response Plan
- If you’ve prepared a plan, follow it step by step.
- If not, designate a response lead and begin documenting actions taken.
4. Notify Internal Teams and External Authorities
- Inform leadership, IT staff, and legal/compliance teams.
- Report the incident to law enforcement and your country’s cyber response agency (e.g., NCSC in the UK).
5. Identify the Ransomware Variant
- Use tools like ID Ransomware to analyse the ransom note or encrypted files.
- This helps determine whether a free decryptor exists for that variant.
6. Assess and Restore from Clean Backups
- Only use backups that were offline or stored in immutable/cloud environments.
- Verify backups are clean before restoring.
7. Clean and Rebuild Infected Systems
- Wipe compromised machines and reinstall operating systems and applications.
- Patch vulnerabilities and reset credentials.
8. Preserve Evidence for Investigation
- Don’t delete logs or ransom notes—these are critical for understanding the attack and supporting legal action.
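Steps 2, 6 and 8 all come down to the same discipline: record what is on disk (names, sizes, timestamps, hashes) before anything is changed, and compare a backup against a trusted record before trusting it. The script below is an added example, not part of the original guide or any named tool; it builds a JSON evidence manifest of a directory tree, flags files that look like dropped ransom notes or renamed encrypted files, and checks a backup tree against a pre-incident manifest. The filename hints and extensions it looks for (`RANSOM_NOTE_HINTS`, `SUSPECT_EXTENSIONS`) and the sample files in `run_demo()` are constructed for illustration, not a verified indicator list for any ransomware family.

```python
"""Evidence manifest and backup verification helper (added example, not from the guide)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed indicators for the example: name fragments commonly seen in
# ransom-note filenames and extensions appended to encrypted files.
# Replace with the indicators for the variant you identified in step 5.
RANSOM_NOTE_HINTS = ("readme", "decrypt", "restore", "how_to", "recover")
SUSPECT_EXTENSIONS = (".locked", ".encrypted", ".crypt")
NOTE_EXTENSIONS = (".txt", ".html", ".hta")


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream-hash a file so large shares can be recorded without loading them into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name: str) -> str:
    """Label a filename as a likely ransom note, a likely encrypted file, or normal."""
    p = Path(name)
    lowered = p.name.lower()
    if p.suffix.lower() in SUSPECT_EXTENSIONS:
        return "possibly-encrypted"
    if p.suffix.lower() in NOTE_EXTENSIONS and any(h in lowered for h in RANSOM_NOTE_HINTS):
        return "possible-ransom-note"
    return "normal"


def build_manifest(root: Path) -> dict:
    """Record every regular file under root: hash, size, UTC mtime and classification."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        entries[p.relative_to(root).as_posix()] = {
            "sha256": sha256_of(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            "class": classify(p.name),
        }
    return entries


def write_manifest(manifest: dict, out_path: Path) -> None:
    """Persist the manifest with stable key order so it can be hashed and kept as evidence."""
    out_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_backup(trusted: dict, backup_root: Path) -> dict:
    """Compare a backup tree with a trusted pre-incident manifest.

    The backup is only reported clean when nothing is missing, changed or
    unexpected and no file in it looks like a ransom note or encrypted file.
    """
    current = build_manifest(backup_root)
    missing = sorted(set(trusted) - set(current))
    unexpected = sorted(set(current) - set(trusted))
    changed = sorted(rel for rel in set(trusted) & set(current)
                     if current[rel]["sha256"] != trusted[rel]["sha256"])
    suspect = sorted(rel for rel, e in current.items() if e["class"] != "normal")
    return {"missing": missing, "changed": changed, "unexpected": unexpected,
            "suspect": suspect, "clean": not (missing or changed or unexpected or suspect)}


def run_demo() -> dict:
    """Constructed scenario: one backup matching the trusted manifest, one tampered."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        clean = tmp / "clean"
        (clean / "docs").mkdir(parents=True)
        (clean / "docs" / "invoice.docx").write_bytes(b"constructed invoice contents")
        (clean / "docs" / "notes.txt").write_bytes(b"constructed meeting notes")
        trusted = build_manifest(clean)
        write_manifest(trusted, tmp / "baseline_manifest.json")

        good = tmp / "backup_good"
        shutil.copytree(clean, good)
        good_report = verify_backup(trusted, good)

        bad = tmp / "backup_bad"
        shutil.copytree(clean, bad)
        # Simulated leftovers of a ransomware run (constructed): one renamed,
        # overwritten document and one dropped note-like file.
        locked = bad / "docs" / "invoice.docx.locked"
        (bad / "docs" / "invoice.docx").rename(locked)
        locked.write_bytes(b"\x00constructed unreadable bytes\xff")
        (bad / "README_TO_RESTORE.txt").write_text("constructed placeholder note")
        bad_report = verify_backup(trusted, bad)
    return {"good": good_report, "bad": bad_report}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice you would run `build_manifest` on the live evidence and `write_manifest` to a separate, write-protected location as part of step 2, and run `verify_backup` against a manifest taken before the incident as the "verify backups are clean" check in step 6; a backup that shows unexpected or suspect entries should be treated as contaminated rather than restored.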
9. Conduct a Post-Incident Review
- Analyse how the attack occurred and what gaps were exploited.
- Update your response plan, security tools, and employee training.
10. Strengthen Defences
- Implement multi-factor authentication (MFA), endpoint detection and response (EDR), and regular patching.
- Train staff to recognise phishing and social engineering tactics.