
The 7 measures in case of a ransomware attack

  • July 30, 2024

The number of cyberattacks continues to rise worldwide and Belgium is no exception. Both large and small organizations are increasingly falling victim to cybercriminals. This year we expect more and larger ransomware attacks, in which suppliers will also play an increasingly important role. Good security monitoring and a strong security culture are crucial to detect potential attacks and vulnerabilities in your own IT environment in a timely manner.

Regularly train your employees on phishing, encourage strong passwords using a password manager, and use multi-factor authentication. Despite these measures, cybercriminals still manage to break into company systems and steal or encrypt important data every day. That’s why knowing what steps to take if your company is faced with ransomware will help you limit damage, recover your systems, and learn from it for future threats.

1. Isolate the device, but do not turn it off

Once you discover that a cybercriminal has carried out a successful cyberattack and installed ransomware, it is important to disconnect the affected device, such as your laptop or a server, from the network it is connected to. This will prevent the ransomware from spreading further within your organization. Do not turn off the device: leaving it running allows a forensic investigation to be conducted to examine the ransomware and determine the damage.

2. Get help from cybersecurity specialists

Seek professional help as soon as possible. There are several cybersecurity companies that specialize in ransomware attacks, whether it’s forensic work to determine root causes, negotiating with cybercriminals, decrypting and restoring data and your environment, or notifying the right authorities. If you have little or no cybersecurity expertise in your organization, it’s wise to team up with a partner who can provide you with advice and support if you’re hit by a ransomware attack. You can of course arrange this in advance, but you can also ask these parties for help in the event of an attack.

3. Report the incident to the relevant authorities

Providers of critical services, such as energy companies and hospitals, as well as digital service providers, must report a serious ransomware attack to the Centre for Cybersecurity Belgium (CERT) if it threatens services. In addition, almost every ransomware attack involving personal data must be reported to the Data Protection Authority within 72 hours, because it constitutes a data breach.

4. Always report it to the police

Because (cyber)crime is involved, it is extremely important that you always report a ransomware attack to the police. The police will take the report, start an investigation and provide support and advice. All reports of cyberattacks give the police a more comprehensive picture of cybercrime in Belgium. If a cybercriminal or perhaps an entire ransomware gang is caught, all reports also help the public prosecutor to gather sufficient evidence to draw up a (more serious) criminal complaint.

5. Communicate with all your stakeholders as quickly as possible

Limiting and remediating a ransomware attack is of course a top priority. But communicating with your key stakeholders, such as your customers and employees, is just as important. Even if you don’t yet have enough information about the impact of the incident and when it will be resolved, it is advisable to start communicating about it. In general, open and transparent communication about a security incident is seen as very valuable by customers. Don’t forget your own employees. They are in close contact with your customers and therefore need to be well informed about the current state of affairs.

6. Do not pay the ransom: decrypt your data or restore from a backup

Of course, the answer to whether or not you should pay a ransom is not so black and white. Business continuity could be at stake or, worse, critical systems may have been hit, resulting in physical danger. The temptation to pay a ransom can then be strong. Even so, do not rush to pay, but first start an investigation. Decryption tools may be available. Buy time by negotiating with the criminals so that you can determine the impact and decrypt the data. The No More Ransom website lists many keys that have been used previously to decrypt hijacked files, so it’s always worth taking a look.

If that doesn’t work, start restoring from your backup. A good offline backup of your data is a must to minimize the damage caused by ransomware. Paying a ransom directly funds criminal activities. As long as cybercriminals can continue to collect ransoms, the cybercrime economy will continue to thrive. Moreover, it is far from certain that the data can be recovered once the ransom is paid. Paying can also signal to the criminals that you will be a target for future attacks or extortion.

7. Offer your employees aftercare

A ransomware attack not only has technical and economic implications, but it can also impact your employees, starting with that one employee who mistook a phishing email for a real one and accidentally clicked on the link or opened a malicious file. But in general, many employees are both shocked and angry when their company is hit by a ransomware attack. That’s why it’s important to keep communicating and to pay attention to the well-being of employees both during and after the incident.

Caring for employees after a ransomware attack is critical to recovering not only technical systems, but also human well-being and organizational resilience. Learning from a crisis with the entire organization ensures that you can emerge from a crisis stronger and better prepared.

Don’t forget to improve your security

It is important not only to recover the systems, but also to strengthen them. Consider updating systems to the latest versions, training employees with the latest best practices or implementing additional security measures. And of course, evaluate the crisis plan and update it with the new insights you gained before, during or after the attack.

Make sure you have this crisis plan ready (even on paper!) for a possible next attack, so you know exactly which agency to report to and when, and which key stakeholders to reach and how. The plan should include a communication strategy, so that during the crisis you can fall back on templates and formats you have already thought through. And make sure you have a good backup solution today. Practicing a crisis can also give your employees a lot of confidence and is good preparation for a real crisis situation. It can also be a really fun team-building activity.

This is a post by Cindy Wubben, Chief Information Security Officer at Visma.

Source: IT Daily
