In the case of a cyber-attack, an SME should first limit the damage and second plan for restoration. For both, a professional expert is essential, because a careless approach can lead to serious problems. So first contact an incident response partner and then go through the recommended steps together. This typically involves isolating all attacked devices and systems from the network by disconnecting network cables, stopping WLAN connections, or adjusting firewall rules. It is very important not to shut down or turn off the devices under any circumstances, as the memory content in RAM must be preserved in order to analyse the malware. The analysis of the malware is usually done by the incident response company, the cantonal police, or the NCSC.
Likewise, the incident response team sets up enhanced detection, that is, monitoring of the activity on the network. For this purpose, URLs and IP addresses seen on the firewalls and proxy servers are continuously checked for unwanted connections to the attackers’ infrastructure (C2, command and control servers). This makes it possible to check whether the attack has been successfully contained.
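The monitoring described above, as an added example that is not part of the original text: a small Python script that reads proxy/firewall log lines, matches destination IPs and hostnames against a list of known C2 indicators supplied by the incident response team, and then checks whether any contact has been seen since containment. The log format, the indicator list (RFC 5737 TEST-NET addresses and `.invalid` domains) and all log lines are constructed placeholders.

```python
"""Match firewall/proxy log lines against C2 indicators and check containment.

Added example. The indicator list and the log lines are constructed
placeholders (TEST-NET addresses, .invalid domains), not real infrastructure.
"""
import ipaddress
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed indicator list, as an incident response team might supply it.
C2_DOMAINS = {"update-check.invalid", "cdn-sync.invalid"}
C2_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.77/32"),
]

# Constructed log format: "<ISO time> <client ip> <dst ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

SAMPLE_LOG = """\
2024-05-02T09:14:03Z 10.0.5.21 93.184.216.34 GET http://example.com/ 200
2024-05-02T09:14:09Z 10.0.5.21 203.0.113.45 POST http://update-check.invalid/beacon 200
2024-05-02T09:15:30Z 10.0.7.8 192.0.2.10 GET http://intranet.corp/ 200
2024-05-02T09:16:02Z 10.0.5.22 198.51.100.77 CONNECT api.cdn-sync.invalid:443 200
2024-05-02T09:40:11Z 10.0.5.21 203.0.113.46 POST http://update-check.invalid/beacon 503
"""


def host_matches(host: str) -> Optional[str]:
    """Return the matching indicator if host equals or lies under a C2 domain."""
    host = host.lower().rstrip(".")
    for dom in C2_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def ip_matches(ip_text: str) -> Optional[str]:
    """Return the matching network indicator if the IP falls in a C2 range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in C2_NETWORKS:
        if ip in net:
            return str(net)
    return None


def url_host(url: str) -> str:
    """Extract the hostname from a URL or from a CONNECT 'host:port' target."""
    parsed = urlparse(url if "://" in url else "//" + url)
    return parsed.hostname or ""


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one alert per log line whose destination matches an indicator."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip, a production version would count these
        indicator = ip_matches(m["dst"]) or host_matches(url_host(m["url"]))
        if indicator:
            alerts.append({"ts": m["ts"], "client": m["client"],
                           "dst": m["dst"], "indicator": indicator})
    return alerts


def affected_clients(alerts: List[Dict[str, str]]) -> List[str]:
    """Internal hosts that contacted C2 infrastructure, for the isolation list."""
    return sorted({a["client"] for a in alerts})


def contained_since(alerts: List[Dict[str, str]], cutoff: datetime) -> bool:
    """True if no C2 contact was logged at or after the containment time."""
    for a in alerts:
        ts = datetime.fromisoformat(a["ts"].replace("Z", "+00:00"))
        if ts >= cutoff:
            return False
    return True


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['client']} -> {a['dst']} matches {a['indicator']}")
    print("hosts to isolate:", affected_clients(found))
    cutoff = datetime(2024, 5, 2, 9, 30, tzinfo=timezone.utc)
    print("contained since 09:30:", contained_since(found, cutoff))
```

Run against the sample log, the script flags three connections from two internal hosts and reports that containment at 09:30 did not hold, because a beacon is still logged at 09:40. Matching on both destination IP and hostname matters: the CONNECT line gives only a `host:port` target, and attackers rotate IPs within a range, which is why the IP indicators are networks rather than single addresses.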
After analysing the situation, the specialists in the incident response team can decide which resources can be used to restore the systems. This is not always possible from backups; sometimes all systems must be set up again from scratch. This process can take weeks.
We recommend filing a criminal complaint with the relevant police authority or the NCSC. Even if the attackers are abroad, the local police may be able to assist in securing lost data or misdirected bank transactions. A forensic investigation may be needed. This requires experts to make forensically sound copies of hard drives and memory. One should likewise back up the encrypted data, as a key to it may become known at a later date.
In all of this, there should be open communication with customers, business partners and employees. This should be centrally coordinated and agreed with an expert.
In most cases, modern attacks also exfiltrate copies of the data and additionally blackmail the victims by threatening to publish it. Therefore, even after a successful recovery, the affected persons must be approached proactively.
Tip: It is not advised to pay a ransom, although the business-minded attackers are generally reliable and release the keys to the data once the ransom is paid. But paying reinforces the attackers’ business model and encourages them to continue.