Ransomware happens. You do your best to prevent it from happening to you, but inevitably someone clicks on something they shouldn’t, or your protection tool misses the latest ransomware strain, and your systems get infected. There is no “one size fits all” solution for firms in the complex, regulated financial services industry. Whether you’re a bank, financial adviser or real estate broker, here are some essential things to do and not do that have proven effective for our clients.
Stay calm when you learn that you’ve been infected. We’ve seen companies get hacked and then compound the issue by making poor decisions in their panicked attempt to fix things. A harried approach makes the whole ordeal a lot worse. Breathe.
Activate your Incident Response Plan. It’s there for a reason. It helps you avoid panic and it covers all the bases. Follow the plan. If you don’t have a plan, once everything has settled down, make one. You can google “IT incident response plan” and find a template to get started.
Stop the ransomware still running rampant through your systems. Identifying a breach is the first step, but noticing the effects of the ransomware outbreak does not stop its march. It is still infecting machines. Stop it immediately by:
- Removing the infected machine(s) from the network. Pull the network cable, shut off the Wi-Fi, or turn the machine off.
- Looking at the infected files to see which login is now the owner: right-click the file, choose Properties, and look at the Security tab. This is the account that is infecting the files, and it often points to the root user or computer that started the outbreak. Scan and clean that machine first.
- Scanning the infected machines and all computers. Run your anti-virus and anti-spyware cleanup on all computers. The infected computer will have a readme file or a pop-up with the ransom instructions, and that note should show the strain of infection you have.
- On a clean machine, doing a Google search to find cleanup tools for that ransomware strain. Run the tool on the infected machines. Then run scans on all machines.
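The owner check above is done one file at a time through the Security tab; the script below, an added example rather than anything from the original post, does the same check across a whole share so the account that ran the encryption and the location of the ransom notes stand out. The share path, note-name pattern and time window are assumptions to adjust.

```powershell
# Added triage example (not from the original post). Run from a clean machine
# with read access to the affected share. All three values are placeholders.
$Root        = '\\FILESERVER\Shared'   # assumed share path
$NotePattern = '*readme*'              # assumed ransom-note filename pattern
$HoursBack   = 24                      # assumed window since the outbreak began

$since = (Get-Date).AddHours(-$HoursBack)

# Files written since the outbreak started are the ones the ransomware touched.
$recent = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since }

# The NTFS owner of a newly written file is the account the encryption ran under;
# this is the same value the Security tab shows, tallied across every recent file.
$owners = $recent |
    ForEach-Object {
        try { (Get-Acl -Path $_.FullName).Owner } catch { $null }
    } |
    Where-Object { $_ } |
    Group-Object |
    Sort-Object Count -Descending

"Owners of files modified in the last $HoursBack h under ${Root}:"
$owners | Select-Object Count, Name | Format-Table -AutoSize

# Ransom notes name the strain; their paths and timestamps show where it hit first.
"Ransom-note candidates:"
$recent | Where-Object { $_.Name -like $NotePattern } |
    Sort-Object LastWriteTime |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize
```

The account at the top of the owner table is the one to disable and the machine to isolate and clean first; the earliest ransom note points at where the outbreak began.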
Notify the appropriate regulatory bodies and financial partners. Financial firms often need to let a federal agency know about any successful security breaches. Get it done ASAP to demonstrate that you are on top of the problem.
Communicate the situation and recovery efforts internally. Let your users know that you are aware of the ransomware outbreak, you are handling it, and things are under control. You want all of your users to stay calm too.
Let the FBI know. Yes, that FBI, and they really do want to know so they can help globally track these hacks and prevent them from happening again.
Perform a post-mortem. Last, but not least, do a deep dive into the infection’s roots and a deeper dive into all of your systems to ensure the hackers have been booted and everything is clean. Statistics show that 50% of ransomware victims will get infected again. This is the result of ransomware remnants not being fully cleaned out of your systems by IT.
In the end, the best way to address a ransomware infection is to not get one in the first place. For more information on how financial firms can prevent a ransomware infection, or address one after it hits, check out these posts: