The Thinker’s survival guide to ransomware attacks

You’ve been hit by a ransomware attack! What do you do now? How you respond in the first hours after a cyberattack can have a lasting impact on the future of your business.

Hackers are smart. First, they learned how to crack your firewall and lock up your data, then they learned how to overcome encryption, and now they’re going after your backups. Think ahead, prepare for recovery, and know what to do when cybercriminals come knocking. 

There are 19 ransomware attacks every second, and ransomware is expected to cost USD $265 billion annually by 2031.
You can’t always stop cyberattacks, but you won’t be (as) scared if you’re prepared!  

The median ransomware dwell time has decreased from 4.5 days to less than 24 hours in the past year, and in some cases ransomware is deployed within five hours of threat actors gaining access to your systems.

You’ve been hit! What to expect and what to do within the first 24 hours

Hour 1-2: Initial Breach

What to expect: Reconnaissance for vulnerabilities. 

What NOT to do: Do not panic! 

Actions to take: Stay calm. Activate the incident response team.

Hour 2-4: Assessment

What to expect: Exploitation of compromised systems, lateral movement. 

What NOT to do: Do not ignore security alerts; do not assume the threat is contained. 

Actions to take: Secure critical systems and isolate affected areas. 

Hour 4-8: Containment

What to expect: Data exfiltration, further compromise of network(s). 

What NOT to do: Do not overlook unusual activity. Do not hesitate to escalate. 

Actions to take: Implement network segmentation, monitor for anomalies. 

Hour 8-12: Response

What to expect: Attackers deploy ransomware and attempt to escalate privileges.

What NOT to do: Do not engage with attackers, do not negotiate with ransom demands. 

Actions to take: Assess impact, engage cybersecurity experts. 

Hour 12-16: Mitigation

What to expect: Continued attempts to disrupt operations, potential for further data theft. 

What NOT to do: Do not underestimate the persistence of attackers, do not neglect patching and updating systems. 

Actions to take: Mitigate ongoing threats, fortify defences. 

Hour 16-20: Investigation

What to expect: Exploration of additional vulnerabilities, reconnaissance for future attacks. 

What NOT to do: Do not overlook vulnerabilities, do not neglect staff training. 

Actions to take: Review incident response procedures, train staff and monitor their well-being. 

Hour 20-24: Monitoring

What to expect: Monitoring for response from target organisation (that’s you!), refining attack strategies. 

What NOT to do: Do not relax. Remain vigilant and don’t assume the attack is over. 

Actions to take: Enhance monitoring capabilities, analyse attacker tactics. 

Hour 24+: Coordination & Resolution

What to expect: Potential escalation of attack, communication of demands or threats. 

What NOT to do: Do not delay legal involvement, do not ignore threats or demands – AND DO NOT GIVE IN TO THEM!

Actions to take: Coordinate with law enforcement, prepare for legal action. 

Preparation is key

Cyberattacks are inevitable, so preparation is crucial. Involve all levels of your organization in a multi-faceted strategy to prioritize business continuity. Get 5 more fast facts about ransomware attacks with this infographic.