Ransomware Response

So the shit has hit the proverbial IT fan. You’ve just discovered after seeing a menacing & scary message appearing on one of your computers that you’ve been hit by malware…. But it’s no ordinary infection, as the message on the screen tells you that it has encrypted all of your files, and is holding all of them to ransom.

Excel documents, word documents, business documents… orders, HR files,… .eeek! So what do you do – apart from panic?

Whilst many will tell you that you need to put together an “incident response plan” what do you do if the incident has already happened?!…

 

Validate

If you see a ransomware message demanding payment to unlock files, and your system or files are locked or frozen, then to cut to the chase… it’s a confirmed hit. You should take some photos or screen shots of the message, plus take note of the files it’s impacted. What is the extension that they have been changed to? This is important, as it helps to identify the type of ransomware you have. Your IT staff will want to know this.

 

Contain

This is the most important step. Time is of the essence to minimise any further impact of the infection.

Ransomware will encrypt any files it can get to, so pull out the network cable on the back of ALL your desktop machines, local servers, and for portable devices disable Wi-Fi on any laptops or devices connected to your local network. Disconnect any backup USB hard drives. Turn off your internet router or cable modem. This is to minimise the potential for more files being encrypted and lost forever.

Don’t use any of your computers, and leave all of your devices contained until you get some IT help to further clean, and check each machine, before putting it back onto the local network.  This often involves fully wiping each machine infected, and re-installing the operating system, applying all updates before putting back onto the local network.

Cleaning with antivirus is not enough, and you leave yourself exposed to future incidents. A full machine restoration prevents other ransomware or malware from causing problems on the computer, and it also prevents backdoors or other software that the ransomware might have installed from being used to infect the machine later.

 

Investigate

Bet you’re not sure how you got hit in the first place? Therefore hire an IT company who know how to deal with cyber security incidents, and how to grab data about the incident itself. They should come on site, and start by preserving evidence. Some machines will need to be returned to service as soon as possible while others might be less critical. Evidence such as log files or system images should be taken from the affected machines so they can work out how it happened.

Talk to you staff – did anyone open a suspicious email, or bring in a USB?

 

Eradicate
The eradication phase removes the ransomware from machines and brings them back into a functioning state. Isolated machines are wiped, and then data is restored from backup to each of the machines after the evidence on the computers has been preserved.

In some cases, companies might decide to remove the ransomware and then restore files that were encrypted by the ransomware without wiping the device first. Don’t fall for this mistake. Most new malware and ransomware variants are not always detectable by the majority of popular antivirus products, so you’re putting yourself at great risk if you only clean and don’t fully wipe, and rebuild the device from scratch.

 

No backup or corrupt backup to restore from – so should I pay the ransom?

In some circumstances, many business discover that they have been hit by ransomware, and their online backups have been impacted too. Some just don’t have backups at all, or only had local copies of files, and didn’t understand how at risk they are.

Many then contemplate paying the ransom, as is their only option. So should you?…. the answer is… a big NO!

I do know however of one individual who very sadly lost all of their personal photos and videos of their recently deceased partner because they got hit by ransomware…. They didn’t pay and lost all their photos and memories forever….. Maybe if there’s nothing else to be lost then it might be worth considering paying…. but I wouldn’t recommend it.

If you do decide to pay the ransom, you’ll need to use bitcoins (an online currency that protects the recipient from being identified). It’s important to note that there’s no guarantee that even if you pay they will follow through with giving you the key to decrypt, or once they know that you will pay up, they may target you with more ransomware, with the intent of asking for yet more money the next time round. It’s just not worth taking the risk.

 

Remediate 

The last step is to remediate the problem that the ransomware exploited in the first place. This is usually user awareness issue, so many small businesses and companies look to implement more awareness training or coaching about common cyber threats. In other cases, new technology needs to be put in place.

Don’t wrongly assume that antivirus will always protect you – it certainly helps to have up-to-date antivirus software, but that doesn’t guarantee that you won’t get hit. You need to ensure all your systems are fully patched and up-to-date, you don’t run as local administrators on any of your machines, and that all your staff are cyber savvy and aware of the common ways that the cyber crooks will try to infect you. Be aware of phishing, and other common ways in which malware may take effect.

Get familiar by reading through details provided on the Australian Cybercrime Online Reporting Network (ACORN), plus Scamwatch.  You might also want to read up on other ways you can ensure your business is protected by using online resources such as the ASD.

 

Backup, backup, and BACKUP!.. and test restores!

After this horrible experience you will now understand that backups are the most important thing you need to do on a regular basis (ensuring they are offline and you test them once in a while), so that if you do get hit again in the future, you have a fall back position.

A USB always connected to your computer with copies of files is not good enough – as it is online and connected to a machine that could be hit with ransomware. Backup to the cloud or a USB and make sure it’s not connected to your network or computer. Ideally have it offsite unplugged in a safe.

 

How did you get hit?

It’s important not to get hit again, so you need to understand what happened in the first place. Was it an email with a sense of urgency to click on a link? An undelivered parcel, speeding ticket, tax return, ebay account error, or something of the like? Did you click on any links in emails prior to the incident? This is often the cause of the attack . Did someone bring in a usb stick with files on? User awareness is key so you don’t fall for it again.

You might also now realise that the malware often relies on unpatched devices to do its nasty work, so if all of your devices were fully patched and up-to-date, plus running up-to-date antivirus, that you would be better protected in future. It’s not bullet proof or a guarantee, but reduces the likelihood.

As you can see there are many steps involved in solving the problem once you’ve identified it. This is where you may need the help of a third-party expert. Security experts deal with issues like these on a regular basis and they’re the ones who will be able to get your business back up and running as quickly as possible. At the end of the day your investment in this area will go towards making your business productive again, and ensuring that a similar breach will be less likely to affect you in the future.

 

Customer Data Exposed?

Do you store customer data on your internal systems that were impacted? If sensitive personal data has been stolen or exposed, you have to notify the appropriate parties as well as regulatory agencies.  It’s something that should be taken seriously, as an incident not managed properly can go from bad to your company completely going out of business. You might want to read this.

 

Be prepared for next time!

You have learnt the hard way that it’s important to have a plan so that when this happens next time, you are prepared and can respond quickly. The ransomware incident should result in some improvement actions that you can perform to be better prepared for future incidents, as they sadly WILL happen again.

 

Handy Cyber Ransom Response Guide

If you would like some direct help, some more information, or a handy cyber response pack, please get in touch using the contact page on this site.