www.belgium.be Logo of the federal government

In case of a ransomware attack, there are several steps that you can take to handle the incident efficiently. In this document we will give more information on how to respond to the incident and to help prevent this in the future.

1. Determine and confirm the extent of the Ransomware attack

Rebuilding systems is NOT the first step in your response. Assess the extent of the ransomware attack by focusing on what has been encrypted and/or potentially taken by the intruder.
Providing an answer to this question is critical to your response. Try to document what data was on the encrypted machines and look for data that may have been stolen.

2. Isolate affected devices as much as possible to prevent any further spread

When ransomware strikes, it’s essential to isolate affected devices as much as possible to prevent any further spread. Assume attackers are already deep in your environment before the ransomware attack is performed.
Start by isolating the infected devices and removing them from the network. Unplug network cables, and stop network connections (including WiFi-networks). If your network permits it and is properly segmented, you can also disconnect the infected network segment.

• Do NOT turn OFF the infected devices, and avoid shutting down systems. There still might be malware installed that is not activated. Having a running system might also help when seeking help from an incident response firm to conduct investigations.

• Do not start recovery operations until the extent of the attack is known, this includes the method, time, and impacted systems.

3. Assess the integrity of your backups

Verify that the attackers have not also compromised the integrity of your backup system.
You should have confirmation that the backups have not been compromised or accessed before using these to restore your environment.

4. Start your incident response

If you have an internal IT department , they can start working on resolving the issue.
If not, hire a professional incident response team to help you in assessing the extent of the damage.
Since it is expensive to hire an incident response team, check if incident response is part of your insurance contract.
The Centre for Cybersecurity Belgium (CCB) strongly discourages the payment of a ransom.
There might be situations where paying seems to be the only remaining option. Please remember that the attackers are very likely interested in financial gain. All opportunities to extort more money from your organization will be evaluated by those actors.
Use caution when interacting with the attacker: hiring a professional negotiator is not a silver bullet. Remember that there is no guarantee that the decryption keys will be received after payment.

5. Inform the authorities

File a report with your local police department. And inform the data protection authority if there is an indication that data was stolen. Reporting the possible loss of personal data is obligated by law and must be done as a priority.

To help prevent future ransomware attacks, use the following preventative measures

1. Keep your systems up to date

Keep your operating systems, software, and security solutions up to date to reduce their vulnerability to attacks. Do this by patching often and check for possible exploits. Your IT provider can and should be held accountable for keeping your systems up to date. While even a fully patched system is not waterproof, it can be the difference between an incident happening or not.

2. Use strong passwords and 2FA

Use strong and unique passwords for all of your accounts and change them regularly.
2FA is a must have for your accounts, this will provide an added layer of security and is overall one of the best defenses you can have.

3. Train your employees

Train your employees on how to recognize phishing, such as avoiding suspicious emails and links.
These mails are often times the way your organization becomes compromised.
For this you can find more information on safeonweb.be.