When the Alarms Sound: Leading Through a Malware Crisis
t this year’s The-C2 conference, discussions shifted from fear to a calm readiness to face reality. Business leaders, Chief Information Security Officers, and incident responders came together to acknowledge a shared truth: malware and ransomware are no longer just abstract threats; they are real events that happen in the business world and are becoming more frequent.
Amid the landscape of cyber threats, one message resonated strongly: when leadership steps in early, sets expectations, and facilitates thoughtful planning, the chaos that comes with a malware attack can be transformed into an opportunity for resilience.
So, what does effective leadership look like when disaster strikes?
You’ve Been Hit. What Happens Now?
The moments following the discovery of a malware infection are crucial. Time is of the essence, and remaining silent can be dangerous. Yet panicking can often lead to worse outcomes.
Participants at The-C2 shared insights from their organisations’ responses to actual incidents, highlighting lessons learned from both successful efforts and challenges faced. Everyone agreed that the very first step should be to immediately isolate the infection. This action goes beyond simply telling IT to investigate. It means physically disconnecting infected devices from the network, cutting off Wi-Fi access when feasible, and in severe cases, turning off network switches or segmenting the network. Far from being excessive, this approach is essential for containment.
Once malware manages to gain a foothold, it spreads quickly, often moving laterally. This is particularly true for ransomware. If it is left alone for just a few minutes, it can leap from one device or server to another, encrypting everything in its path. Many organisations that believed they had contained the problem discovered too late that the infection had already spread deeper.
As one leader simply put it, “We isolated first, then diagnosed. It saved our business.”
Securing the Keys to the Kingdom
After cutting off access to the infected systems, an important but often overlooked step in the heat of the moment is to reset credentials.
It’s critical to assume that any account used recently could be compromised. In particular, any accounts with admin-level or domain administrator privileges should be changed right away. If an attacker has moved laterally through your environment, they may have gathered credentials, which can allow them to reinfect even systems that appear clean.
This process should be handled carefully. A rushed password reset without proper planning can lock out IT staff and complicate recovery efforts, while waiting too long can give attackers a clear advantage. The best strategy is to implement a planned, staged credential reset, ideally guided by a well-rehearsed incident response playbook.
Rebuilding From the Ground Up
With the infection contained and credentials secured, the focus then shifts to restoring operations. Many businesses encounter a significant challenge at this stage.
Do you trust your systems enough to use them again, or is it safer to rebuild?
The clear consensus from attendees at The-C2 was to wipe and rebuild. It’s essential to reinstall affected systems from clean, trusted sources rather than attempting to manually clean the malware. This is important because it’s nearly impossible to guarantee success, and many modern forms of malware have persistence mechanisms that can survive even after a reboot.
This is where having secure, tested backups becomes your lifeline. Restoring from backup is not just about having copies of files; it’s crucial to verify that the backups were made before the infection, ensuring they are clean, and confirming that restoration can occur successfully. Several organisations recounted stories of discovering too late that their backup schedules had failed or, even worse, that their backups were encrypted as well.
If there is one lesson to remember, it’s to prepare your backups as if you will actually use them – not just for compliance, but for survival.
Bringing Systems Back Online: Gently, Carefully
Once the systems have been rebuilt, reconfigured, and restored, they should not be reconnected to the production network all at once.
Leaders discussed the importance of a careful, staged approach to reintroducing systems, starting with a segregated part of the network. Before anything goes live, each system should be thoroughly patched, antivirus scans must be conducted, and the environment should be monitored in real-time for any unusual activity.
This stage is also when additional network monitoring should ramp up. It’s essential not just to watch for infections, but also to look for signs of persistence, late-stage payloads, or unexpected outbound traffic. One Chief Information Security Officer at the event shared how they used this phase to enhance their visibility, saying, “We didn’t just recover, we came back better.”
To Pay or Not to Pay?
During a ransomware attack, executives often find themselves facing a tough question: should we pay the ransom?
The strong consensus among the group at The-C2 was a resounding no. The reasons are compelling:
- There are no guarantees that you will get your data back.
- Even if you do receive it, there is a chance it might be corrupted or incomplete.
- Paying contributes to criminal activity and encourages further attacks.
- Once you pay once, you may be seen as a willing payer and targeted again.
One CEO shared their own temptation; the ransom was relatively small, and time was of the essence. But in the end, they decided against it, opting instead to focus on resilience and recovery.
In a world where malware and ransomware are becoming all too common, proactive leadership and prepared responses can make all the difference.
