Ransomware attacks are on the rise, and rather than simply demanding money in return for decrypting a company’s data, many cybercriminals now deploy double or even multiple extortion attacks. They not only encrypt the victim company’s data but also exfiltrate a copy of it first. This gives the victim an extra incentive to pay: if they refuse, the stolen data may be published on a leak site or sold to other criminals, and restoring from backup does nothing to prevent that.
What to do in case of a double extortion ransomware attack
According to the US Cybersecurity and Infrastructure Security Agency (CISA), there are several key steps to take when responding to a potential ransomware attack:
- Determine which systems were affected and isolate them. If several systems or subnets appear to be affected, take the network offline at the switch level; if that is not immediately possible, unplug the affected devices from the network (or remove them from Wi-Fi). Only power devices down if you cannot disconnect them, since switching off destroys volatile memory that investigators may need. This prevents the ransomware from spreading to other computers.
- Triage impacted systems and prioritise critical systems for restoration on a clean network. This should be based on a pre-defined critical asset list, e.g., information systems critical for health and safety, revenue generation or other critical services.
- Once the ransomware has been contained, assess and document what happened (preserving logs and, where practical, forensic images of a sample of affected systems) so that you know what steps to take next, and how to prevent future incidents.
- Report and notify the relevant people, and engage internal and external teams to help mitigate, respond to and recover from the incident.
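The first two steps above involve two decisions that are easy to get wrong under pressure: whether to isolate at the network level or per host, and in what order to bring systems back. The following is an added example, not code from the original article or from CISA, that encodes those rules and applies them to a constructed host inventory. The hostnames, IP addresses, the /24 subnet layout and the critical-asset tiers are all assumptions made up for illustration.

```python
"""Added example: scoping, isolation and restoration-priority decisions for a
ransomware incident. Not from the original article or CISA; the inventory,
addresses and tiers below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    ip: str
    subnet_prefix: int = 24  # assumption: each site segment is a /24


# Constructed critical-asset list (assumption): lower tier = restore first.
# Anything not listed falls to DEFAULT_TIER and is restored last.
CRITICAL_ASSETS = {
    "ad-dc-01": 0,    # identity: nothing else can come back cleanly without it
    "ehr-db-01": 0,   # health and safety: patient records
    "erp-app-02": 1,  # revenue generation
}
DEFAULT_TIER = 9

# Constructed incident inventory: hosts on which ransom notes or encrypted
# files were observed during initial scoping.
AFFECTED = [
    Host("file-srv-03", "10.1.20.15"),
    Host("hr-wks-117", "10.1.20.117"),
    Host("erp-app-02", "10.1.30.8"),
    Host("ehr-db-01", "10.1.30.9"),
]


def affected_subnets(hosts):
    """Return the set of networks (as /N) that contain an affected host."""
    return {
        ipaddress.ip_network(f"{h.ip}/{h.subnet_prefix}", strict=False)
        for h in hosts
    }


def isolation_plan(hosts):
    """Step 1: if more than one subnet is hit, isolate at the network level
    (switch/VLAN); otherwise unplug the individual hosts.
    Returns (scope, targets) where scope is "network" or "host"."""
    nets = affected_subnets(hosts)
    if len(nets) > 1:
        return "network", sorted(str(n) for n in nets)
    return "host", sorted(h.name for h in hosts)


def restoration_order(hosts, critical=CRITICAL_ASSETS):
    """Step 2: order affected hosts by the pre-defined criticality tier,
    then by name so that the resulting order is deterministic."""
    return sorted(hosts, key=lambda h: (critical.get(h.name, DEFAULT_TIER), h.name))


def triage_report(hosts):
    """Render the two decisions as a short report for the incident ticket."""
    scope, targets = isolation_plan(hosts)
    lines = [
        f"Isolation scope: {scope}",
        "Targets: " + ", ".join(targets),
        "Restore order (onto a clean network):",
    ]
    for i, h in enumerate(restoration_order(hosts), 1):
        tier = CRITICAL_ASSETS.get(h.name, DEFAULT_TIER)
        lines.append(f"  {i}. {h.name} ({h.ip}) tier={tier}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(AFFECTED))
```

With the constructed inventory the hosts span two /24s, so the plan recommends network-level isolation of both subnets rather than chasing individual machines, and the tier-0 database is first in the restoration queue. Keeping the critical-asset list as data rather than prose is the point: it can be reviewed and versioned before an incident instead of argued about during one.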
How to retrieve your data
You will also need to decide whether to pay the ransom. The general advice from law enforcement in most countries is not to, as there is no guarantee the criminals will supply a working decryptor or delete the stolen data, and paying only encourages further attacks. In a double extortion attack the data has already left your network, so payment cannot undo the breach; plan for it to have been exposed regardless of what the attackers promise.
Instead, to retrieve the encrypted data you should consider:
- Restoring from offline or otherwise isolated backups that the attackers could not reach, after verifying that the backups are intact and free of the ransomware, and only onto systems that have been rebuilt or confirmed clean.
- Consulting national law enforcement to find out whether a decryptor is available, as security researchers have found flaws in the encryption of some ransomware families.
- Researching trusted guidance (published by government agencies or reputable cybersecurity vendors) for the relevant variant to find out whether there are any recommended techniques or decryptors that can help you recover your data. Such sources may also provide additional advice on how to contain the systems or networks that have been impacted.
As with all cyberattacks, it is better to avoid them in the first place, so it is important that everyone in your organisation follows good cybersecurity practices, and that your systems are kept patched and your security processes are regularly reviewed and updated.