If you suspect you’ve been hit with a ransomware attack, it’s important to act quickly. Fortunately, there are several steps you can take to give you the best possible chance of minimizing damage and quickly returning to business as usual.
1. Isolate the infected device: Ransomware that affects one device is a moderate inconvenience, but if it infects all of your enterprise’s devices it becomes a major catastrophe and could put you out of business for good. The difference between the two often comes down to reaction time. To protect your network, shared drives and other devices, disconnect the affected device from the network, the internet and other devices as quickly as possible. The sooner you do so, the less likely it is that other devices will be infected.
2. Stop the spread: Ransomware moves quickly, and while you should immediately isolate the infected device, that won’t guarantee the ransomware doesn’t exist elsewhere on your network. To effectively limit its scope, you’ll need to disconnect from the network all devices that are behaving suspiciously, including those operating off-premises. If they’re connected to the network, they present a risk no matter where they are. Shutting down wireless connectivity (Wi-Fi, Bluetooth, etc.) is also a good idea at this point.
3. Assess the damage: To determine which devices have been infected, check for recently encrypted files with unfamiliar file extensions, and look for reports of odd file names or users having trouble opening files. If you discover any devices that haven’t been completely encrypted, they should be isolated and turned off to help contain the attack and prevent further damage and data loss. Your goal is to create a comprehensive list of all affected systems, including network storage devices, cloud storage, external hard drive storage (including USB thumb drives), laptops, smartphones, and any other possible vectors.
At this point, it’s prudent to lock shares. Restrict all of them if possible; if not, restrict as many as you can. Doing so will halt any ongoing encryption processes and keep additional shares from being infected while remediation occurs. Before you do that, however, take a look at the encrypted shares. They can provide a useful piece of information: if one device has a much higher number of open files than usual, you may have just found your Patient Zero (the initial point of the attack, which you need to isolate as its source). Otherwise…
4. Locate Patient Zero: Tracking the infection becomes considerably easier once you’ve identified the source. To do so, check for any alerts that may have come from your antivirus/antimalware, EDR, or any active monitoring platform. Since most ransomware enters networks through malicious email links and attachments, which require an end-user action, asking people about their activities (such as opening suspicious emails) and what they’ve noticed can be useful as well. Finally, the properties of the encrypted files themselves can also provide a clue: the person listed as the owner is likely the entry point. (Keep in mind, however, that there can be more than one Patient Zero!)
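As an added example (not from the original article), the following Python script applies the checks from steps 3 and 4 to a constructed list of file records: it flags files that changed recently and either carry an unfamiliar extension or have near-random content (a sign of encryption in place), spots likely ransom-note filenames, and tallies the owners of the flagged files to suggest a Patient Zero candidate. The extension allowlist, the note-name hints, the timestamps and the file contents are all assumptions built into the example; on a real share you would feed it records built from os.walk() and os.stat().

```python
import math
import os
from collections import Counter
from dataclasses import dataclass

# Assumption: extensions an organisation expects to see on its shares.
# A real deployment would derive this list from its own file inventory.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".csv", ".jpg", ".png"}
# Assumption: generic substrings often seen in ransom-note filenames; these
# are constructed hints, not identifiers tied to any specific family.
RANSOM_NOTE_HINTS = ("readme", "decrypt", "restore", "how_to")


@dataclass
class FileRecord:
    path: str
    owner: str      # file owner, as reported by the filesystem
    mtime: float    # last modification time, seconds since the epoch
    sample: bytes   # first few hundred bytes of content


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0). Encrypted or compressed data
    sits close to 8.0; plain text and most documents sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious(rec: FileRecord, now: float,
                  window_hours: float = 24, entropy_threshold: float = 7.5) -> bool:
    """A file is suspicious if it changed within the window AND either has an
    extension we do not recognise or its content looks encrypted."""
    recent = (now - rec.mtime) <= window_hours * 3600
    ext = os.path.splitext(rec.path)[1].lower()
    unknown_ext = ext not in KNOWN_EXTENSIONS
    high_entropy = shannon_entropy(rec.sample) >= entropy_threshold
    return recent and (unknown_ext or high_entropy)


def looks_like_ransom_note(path: str) -> bool:
    name = os.path.basename(path).lower()
    return any(hint in name for hint in RANSOM_NOTE_HINTS)


def triage(records: list, now: float) -> dict:
    """Return the flagged files, likely ransom notes, a per-owner tally of
    flagged files, and the owner with the most flagged files (step 4's
    'the person listed as the owner is likely the entry point')."""
    flagged = [r for r in records if is_suspicious(r, now)]
    owners = Counter(r.owner for r in flagged)
    return {
        "suspicious": [r.path for r in flagged],
        "ransom_notes": [r.path for r in records if looks_like_ransom_note(r.path)],
        "owner_tally": dict(owners),
        "patient_zero_candidate": owners.most_common(1)[0][0] if owners else None,
    }


# Constructed sample data: a fixed "now" and five file records.
NOW = 1_700_000_000.0
ENCRYPTED_LIKE = bytes(range(256))             # every byte value once: entropy 8.0
PLAIN_TEXT = b"Quarterly figures attached. " * 10
SAMPLE_RECORDS = [
    FileRecord("/share/finance/q3.xlsx.locked", "alice", NOW - 600, ENCRYPTED_LIKE),
    FileRecord("/share/finance/budget.docx", "alice", NOW - 900, ENCRYPTED_LIKE),
    FileRecord("/share/finance/HOW_TO_RESTORE_FILES.txt", "alice", NOW - 500, PLAIN_TEXT),
    FileRecord("/share/hr/notes.txt", "bob", NOW - 300, PLAIN_TEXT),
    FileRecord("/share/hr/policy.pdf", "bob", NOW - 30 * 86400, PLAIN_TEXT),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RECORDS, NOW).items():
        print(f"{key}: {value}")
```

The entropy check matters because in-place encryption keeps the original filename (budget.docx above) and would slip past an extension-only check; the owner tally is only a lead, since the owner of a share file may be a service account rather than the user whose session was compromised.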
5. Identify the ransomware: Before you go any further, it’s important to discover which variant of ransomware you’re dealing with. One way is to visit No More Ransom, a site that has a suite of tools to help you free your data, including the Crypto Sheriff tool: Just upload one of your encrypted files and it will scan to find a match. You can also use the information included in the ransom note: If it doesn’t spell out the ransomware variant directly, using a search engine to query the email address or the note itself can help. Once you’ve identified the ransomware and done a bit of quick research about its behavior, you should alert all unaffected employees as soon as possible so they’ll know how to spot the signs that they’ve become infected.
6. Report the ransomware to authorities: As soon as the ransomware is contained, you’ll want to contact law enforcement, for several reasons. First of all, ransomware is against the law and like any other crime, it should be reported to the proper authorities. Secondly, according to the United States Federal Bureau of Investigation, “Law enforcement may be able to use legal authorities and tools that are unavailable to most organizations.” Partnerships with international law enforcement can be leveraged to help find the stolen or encrypted data and bring the perpetrators to justice.
Under the terms set out by the FBI and CISA, victims of a ransomware attack will have 72 hours to report attacks; however, businesses, nonprofits, and state and local governments will be required to report ransomware payments to the federal government within 24 hours of a payment being made. You can report incidents through CISA’s reporting tool. Additionally, organizations should report anomalous cyber activity and/or cyber incidents 24/7 to email@example.com or (888) 282-0870.
7. Evaluate your backups: Now it’s time to begin the recovery phase of the incident response process. The quickest and easiest way to do so is to restore your systems from a backup. Ideally, you’ll have an uninfected and complete backup created recently enough to be useful. If so, the next step is to run an antivirus/antimalware solution to ensure all infected systems and devices are wiped free of ransomware; otherwise it will continue to lock your systems and encrypt your files, potentially corrupting your backup as well.
Once all traces of malware have been eliminated, you’ll be able to restore your systems from this backup. Once you’ve confirmed that all data is restored and all apps and processes are back up and running normally, you can return to business as usual. Unfortunately, many organizations do not realize the importance of creating and maintaining backups until they need them and they aren’t there. Modern ransomware is increasingly sophisticated and resilient, and some of those who do create backups soon find out that the ransomware has corrupted or encrypted them too, rendering them completely useless.
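Step 7 turns on whether the backup is both complete and untouched. As an added example (not from the original article), here is a Python integrity check of the kind a practitioner would run before restoring: a manifest of SHA-256 hashes captured when the backup was made is compared against the backup’s current contents, reporting files that are missing, altered (for instance, encrypted in place) or unexpectedly present (such as a dropped ransom note). The file names, contents and manifest are constructed in-memory stand-ins; a real run would hash files read from the backup medium.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record a hash for every file at backup time. The manifest has to be
    stored where the ransomware cannot reach it (offline or write-once);
    a manifest sitting next to the backup is encrypted along with it."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_backup(manifest: dict, files: dict) -> dict:
    """Compare the backup's current contents against the manifest and
    report anything missing, altered or unexpectedly present."""
    missing = sorted(p for p in manifest if p not in files)
    extra = sorted(p for p in files if p not in manifest)
    altered = sorted(p for p in manifest
                     if p in files and sha256_hex(files[p]) != manifest[p])
    return {
        "ok": not (missing or extra or altered),
        "missing": missing,
        "altered": altered,
        "extra": extra,
    }


# Constructed sample: the files as they were when the backup was taken.
ORIGINAL_FILES = {
    "finance/ledger.csv": b"date,amount\n2024-01-02,100\n",
    "hr/handbook.txt": b"Welcome to the company.\n",
}
MANIFEST = build_manifest(ORIGINAL_FILES)

# An untouched copy of the backup...
CLEAN_BACKUP = dict(ORIGINAL_FILES)
# ...and one the ransomware reached: the ledger was overwritten with
# ciphertext-like bytes and a (constructed) ransom note was dropped beside it.
TAMPERED_BACKUP = {
    "finance/ledger.csv": bytes(range(256)),
    "hr/handbook.txt": ORIGINAL_FILES["hr/handbook.txt"],
    "HOW_TO_RESTORE.txt": b"your files are encrypted\n",
}

if __name__ == "__main__":
    print("clean backup:   ", verify_backup(MANIFEST, CLEAN_BACKUP))
    print("tampered backup:", verify_backup(MANIFEST, TAMPERED_BACKUP))
```

Run the check from a clean host rather than from a system that may still be infected, and treat any "altered" or "extra" entry as a reason to fall back to an older backup generation rather than restoring from this one.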
8. Research your decryption options: If you find yourself without a viable backup, there’s still a chance you can get your data back. A growing number of free decryption keys can be found at No More Ransom. If one is available for the variant of ransomware you’re dealing with (and assuming you’ve wiped all traces of malware from your system by now), you’ll be able to use the decryption key to unlock your data. Even if you’re fortunate enough to find a decryptor, however, you’re not done yet: you can still expect hours or days of downtime as you work on remediation.
9. Move on: Unfortunately, if you have no viable backups and cannot locate a decryption key, your only option may be to cut your losses and start from scratch. Rebuilding won’t be a quick or inexpensive process, but once you’ve exhausted your other options, it’s the best you can do.
Why you shouldn’t just pay the ransom
When faced with the possibility of weeks or months of recovery, it might be tempting to give in to a ransom demand, but there are several reasons why this is a bad idea:
- You may never get a decryption key: When you pay a ransomware demand, you’re supposed to get a decryption key in return. However, when you conduct a ransomware transaction, you’re depending on the integrity of criminals. Many people and organizations have paid the ransom only to receive nothing in return, leaving them out tens or hundreds of thousands of dollars and still having to rebuild their systems from scratch.
- You could get repeated ransom demands: Once you pay a ransom, the cybercriminals who deployed the ransomware know you’re at their mercy. They may give you a working key if you’re willing to pay a little (or a lot) more.
- You may receive a decryption key that works, kind of: The creators of ransomware aren’t in the file recovery business; they’re in the moneymaking business. In other words, the decryptor you receive may be just good enough for the criminals to say they held up their end of the deal. Moreover, it’s not unheard of for the encryption process itself to corrupt some files beyond repair. If this happens, even a good decryption key will be unable to unlock your files, meaning they’re gone forever.
- You may be painting a target on your back: Once you pay a ransom, criminals know you’re a good investment. An organization that has a proven history of paying the ransom is a more attractive target than a new target that may or may not pay. What’s going to stop the same group of criminals from attacking again in a year or two, or logging onto a forum and announcing to other cybercriminals that you’re an easy mark?
- Even if everything somehow ends up fine, you’re still funding criminal activity: Say you pay the ransom, receive a good decryption key, and get everything back up and running. This is merely the best worst-case scenario (and not just because you’re out a lot of money). When you pay the ransom, you’re funding criminal activities. Putting aside the obvious moral implications, you’re reinforcing the idea that ransomware is a business model that works. Think about it: if no one ever paid the ransom, would they keep putting out ransomware? Criminals are bolstered by their success and their outsized paydays. They will continue wreaking havoc on unsuspecting businesses, and will continue putting time and money into developing newer and even more nefarious strains of ransomware, one of which may find its way onto your devices in the future.