What to Do If Your Financial Firm Gets Infected with Ransomware

by | Jan 21, 2020 | Security, Strategy


Ransomware happens. You do your best to prevent it, but inevitably someone clicks on something they shouldn't, or your protection tool misses the latest strain, and your systems get infected. There is no "one size fits all" solution for firms in the complex, regulated financial services industry. Whether you're a bank, financial adviser or real estate broker, here are some essential things to do, and not do, that have proven effective for our clients.

Stay calm when you learn that you've been infected. We've seen companies get hacked and then compound the problem by making poor decisions in a panicked attempt to fix things: wiping the one machine that held the evidence, restoring backups onto a network the attacker is still on, or paying before anyone has checked whether the backups work. A harried approach makes the whole ordeal a lot worse. Breathe.

Activate your Incident Response Plan. It's there for a reason: it keeps people from improvising under pressure and it covers all the bases, including who makes decisions, who talks to regulators and customers, and where the backups and contact lists are. Follow the plan. If you don't have a plan, make one once everything has settled down. You can google "IT incident response plan" and find a template to get started; NIST SP 800-61 (the Computer Security Incident Handling Guide) is the standard reference most templates are built on.

Stop the ransomware still running through your systems. Identifying the breach is the first step, but noticing the effects of the outbreak does not stop it. It is still encrypting files and infecting machines. Stop it immediately:

  • Remove the infected machine(s) from the network. Pull the network cable or turn off the Wi-Fi. Prefer isolating a machine over powering it off: disconnecting stops the spread just as well, while a hard power-off discards memory that may still hold the encryption key or evidence of how the attacker got in. Power off only if you cannot disconnect it.
  • Look at the encrypted files to see which login now owns them: right-click a file, choose Properties, open the Security tab and click Advanced to see the Owner. That account is the one writing the encrypted files, and it usually points to the user or computer that started the outbreak. Isolate and clean that machine first. If the owner shown is a group rather than a user, use the file server's audit log to find who was writing to the share instead.
  • Identify the strain. The infected computer will have a readme file or a pop-up with the ransom instructions. The wording of the note, the file extension appended to encrypted files and the contact or payment details in the note usually identify the ransomware family. Keep a copy of the note and a few encrypted files before you clean anything; a decryptor for that family may be released later.
  • Scan the infected machines and all other computers. Run your anti-virus and anti-malware cleanup on every machine, not just the ones that showed symptoms.
  • On a clean machine, look for a decryption or cleanup tool for that strain from a trusted source such as the No More Ransom project (nomoreransom.org, run by Europol and industry partners) or your anti-virus vendor, not an arbitrary search result; fake "decryptors" are a common lure. Run the tool on the infected machines, then run scans on all machines again.
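The ownership check and strain identification above are tedious to do one file at a time on a share with thousands of encrypted documents. The script below is an added example, not code from the original post or from Waident, that does the same triage in bulk from a clean admin workstation: it finds files rewritten inside the outbreak window, counts the extensions the ransomware appended, groups the files by NTFS owner to surface the account that is doing the encrypting, and locates the ransom note so the strain can be read off it. The share path, the time window, the ransom-note filename patterns and the script name `Triage-Share.ps1` are assumptions to adjust for your environment.

```powershell
<#
 Added example (not the original post's or Waident's code): triage an
 encrypted file share from a CLEAN admin workstation. Answers the questions
 from the response steps above: which account is writing the encrypted files
 (patient zero), which extension the ransomware appends, when the outbreak
 started, and where the ransom note is. $Path, $Since and $NotePatterns are
 assumptions; change them for your environment.
#>
param(
    [string]   $Path  = '\\fileserver\shares',       # assumed share root
    [datetime] $Since = (Get-Date).AddHours(-24)     # assumed outbreak window
)

# Filenames ransom notes commonly use; a starting point, not an exhaustive list.
$NotePatterns = @('*readme*', '*decrypt*', '*restore*', '*recover*', '*how*to*')

# 1. Files rewritten inside the window. Encryption rewrites the file, so
#    LastWriteTime is recent even for documents that were years old.
$recent = @(Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $Since })
if ($recent.Count -eq 0) { Write-Output "No files modified since $Since under $Path"; return }

# 2. Outbreak window: the first and last writes bound the timeline you will
#    correlate against firewall, VPN, e-mail and logon logs.
$sorted = @($recent | Sort-Object LastWriteTime)
Write-Output ("Outbreak window : {0} -> {1}  ({2} files rewritten)" -f
              $sorted[0].LastWriteTime, $sorted[-1].LastWriteTime, $recent.Count)

# 3. Extension counts: the extension the ransomware appends dominates the list.
Write-Output "Top extensions  :"
$recent | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize | Out-String | Write-Output

# 4. Owner of the rewritten files. Get-Acl returns the same owner that the
#    Properties > Security > Advanced dialog shows. The account that appears
#    most often is the one encrypting files and points at the originating user
#    or computer. If it is a group (e.g. BUILTIN\Administrators) rather than a
#    user, fall back to the file server's audit log.
Write-Output "Writing accounts:"
$recent | ForEach-Object {
        try { (Get-Acl -LiteralPath $_.FullName).Owner } catch { 'UNKNOWN' }
    } | Group-Object | Sort-Object Count -Descending |
    Select-Object -First 5 Name, Count | Format-Table -AutoSize | Out-String | Write-Output

# 5. Ransom notes: small text/HTML files matching the patterns, usually one per
#    folder. Read one here, on the clean machine, to identify the strain; then
#    look for a decryptor only from a trusted source, not a random search hit.
$notes = @($recent | Where-Object {
    $n = $_.Name
    $_.Length -lt 64KB -and ($NotePatterns | Where-Object { $n -like $_ })
})
Write-Output ("Ransom notes    : {0} found" -f $notes.Count)
if ($notes.Count -gt 0) {
    Write-Output $notes[0].FullName
    Get-Content -LiteralPath $notes[0].FullName -TotalCount 20
}
```

Run it from a workstation that is known to be clean, with an account that can read the share but has no write access to it, for example `.\Triage-Share.ps1 -Path '\\fs01\finance' -Since (Get-Date).AddHours(-6)` (a hypothetical share and script name). The owner that tops the "Writing accounts" list is the account to disable and the workstation to isolate first; the outbreak window is what you hand to whoever is reviewing logs for the initial entry point.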

Notify the appropriate regulatory bodies and financial partners. Financial firms are often required to report a successful security breach to their regulator, and in some cases to a federal agency, within a fixed deadline. Your incident response plan, or your counsel, should say which regulators and which partners apply to you. Get it done ASAP, both because the clock is running and to demonstrate that you are on top of the problem.

Communicate the situation and recovery efforts internally. Let your users know that you are aware of the ransomware outbreak, that you are handling it, and what they should do in the meantime: stay off the affected systems, don't try to "fix" anything themselves, and report anything unusual. You want all of your users to stay calm too.

Let the FBI know. Yes, that FBI, and they really do want to know: reports help them track these campaigns globally and, in some cases, recover funds or provide decryption keys. You can report through your local FBI field office or the Internet Crime Complaint Center (ic3.gov).

Perform a post-mortem. Last, but not least, do a deep dive into the infection's roots and a deeper dive into all of your systems to ensure the attackers have been evicted and everything is clean. Statistics show that about 50% of ransomware victims get infected again. This is usually the result of ransomware remnants, or the attacker's persistent access, not being fully cleaned out of your systems by IT, or of the original entry point, such as a phished account or an exposed remote access service, never being closed. The post-mortem is not finished until you can say how the attacker got in and what now prevents the same path.

In the end, the best way to address a ransomware infection is to not get one in the first place. For more information on how financial firms can prevent a ransomware infection or address one after it hits check out these posts:

How Do You KNOW That You Have Not Been Hacked?

Phishing Happens and MFA May Not Save You

3 Security Vulnerabilities You Don’t Realize You Have

John Ahlberg, CEO, Waident Technology Solutions


CIO in the corporate world and now for Waident clients. John injects order and technology into business process to keep employees productive, enterprises running, and data safe.
