You know it’s going to be a bad day when a screen appears on one of your monitors announcing that one of your systems has been taken over by ransomware. Your first response may be to panic, but try to avoid that. Instead, take a few initial steps that can protect the data you still have and improve your chances of recovering your systems.
While this article can’t cover all scenarios, there are actions you can take in nearly every case after a ransomware attack. There are also some actions that you may be tempted to take, but which you should avoid.
· First, take time to record the details of the ransom note that appears on the screen; a photo taken with your phone is fine. The note tells you how to pay if you decide to, but it also lets any recovery team you engage identify which ransomware family hit you, and that identification is what determines whether a working decryptor already exists. While you are at it, note the extension the ransomware appended to encrypted files and keep one encrypted file, plus its unencrypted counterpart if you have one: identification services such as No More Ransom’s Crypto Sheriff work from the note and a sample file.
· Second, disconnect the affected computer from the network: pull the cable and disable Wi-Fi rather than shutting the machine down. The ransomware may already have found your mapped network drives, but it may not have found all of your backups, particularly cloud backups or backup images that weren’t connected at the time of the infection. Isolating the machine stops it from reaching them and from spreading to other hosts. If the affected system is a server, or you are not sure how many machines are involved, isolate at the switch or firewall as well, and take backup targets offline until you know the backup copies are intact.
· Third, consider paying the ransom. Law enforcement, including the FBI, advises against it, and there is no guarantee you will receive a working decryptor, so check first whether a free decryptor for your strain already exists. But while it may gall you to fund someone’s illegal activity, paying is frequently the fastest and cheapest way of ending the problem. If the ransom is more than you can pay, you may be able to negotiate a lower amount with the ransomware distributor. Weigh that against what it costs you if you don’t pay and can’t quickly recover your data. Remember that the city of Baltimore, Maryland, reportedly spent over $18 million recovering rather than pay a ransom of approximately $65,000. Be aware, too, that paying a group under government sanctions can expose you to legal liability, which is one more reason to involve counsel and a specialist firm before any money moves.
· Fourth, consider engaging a firm that specializes in ransomware recovery to help you work through the process, whether you plan to pay or not. They may be able to perform the decryption for you, they can handle the negotiation and payment if that is the route you take, and they can verify that your data actually comes back. If you carry cyber insurance, call the insurer before you engage anyone: most policies require prompt notification, and many specify which response firms you may use.
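The first two steps above come down to capturing the note and working out which files were hit. The script below is an added example (not code from the article or from any vendor it quotes) of how a responder would automate that first look on an isolated machine or a mounted image: it collects ransom-note candidates with their hashes, and profiles files by Shannon entropy to find which extension the ransomware appended. The directory it scans and every file in it are constructed sample data; the note-name hints, entropy threshold and size limits are assumptions to tune for your environment.

```python
"""Ransomware triage: collect the ransom note and profile encrypted files.

Added example, not code from the article. The directory layout and files
that build_sample_dir() creates are constructed sample data, not a real infection.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Words that ransom note file names commonly contain (heuristic; review hits manually).
NOTE_HINTS = ("readme", "decrypt", "recover", "restore", "how_to", "help")
NOTE_SUFFIXES = {".txt", ".html", ".hta"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for text, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    name = path.name.lower()
    return (path.suffix.lower() in NOTE_SUFFIXES
            and any(hint in name for hint in NOTE_HINTS)
            and path.stat().st_size < 64 * 1024)


def triage(root, entropy_threshold: float = 7.5, sample_bytes: int = 65536,
           min_size: int = 256) -> dict:
    """Walk `root`; return ransom-note candidates and the extensions of high-entropy files.

    Compressed formats (zip, jpg, docx) are high-entropy too, so the signal is a *new*
    extension dominating the high-entropy set, not any single file.
    """
    notes, extensions = [], Counter()
    scanned = high_entropy = 0
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if looks_like_ransom_note(path):
            data = path.read_bytes()
            notes.append({
                "path": str(path),
                "sha256": hashlib.sha256(data).hexdigest(),
                "preview": data[:200].decode("utf-8", "replace"),
            })
            continue
        if path.stat().st_size < min_size:
            continue  # entropy is meaningless on tiny files
        scanned += 1
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)  # the first block is enough to classify a file
        if shannon_entropy(head) >= entropy_threshold:
            high_entropy += 1
            extensions[path.suffix.lower() or "(none)"] += 1
    return {
        "notes": notes,
        "scanned": scanned,
        "high_entropy": high_entropy,
        "extensions": dict(extensions),
    }


def build_sample_dir() -> str:
    """Constructed sample data: one note, three 'encrypted' files, one untouched text file."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    (root / "HOW_TO_RECOVER_FILES.txt").write_text(
        "Your files are encrypted. Contact us at the address in this note.\n")
    for i in range(3):
        # shake_256 output stands in for ciphertext: deterministic, but about 8 bits/byte.
        blob = hashlib.shake_256(f"sample-{i}".encode()).digest(4096)
        (root / f"report-{i}.docx.locked").write_bytes(blob)
    (root / "notes.txt").write_text("Plain English text has far lower entropy. " * 12)
    return str(root)


if __name__ == "__main__":
    result = triage(build_sample_dir())
    print("note candidates:", [n["path"] for n in result["notes"]])
    print(f"high-entropy files: {result['high_entropy']}/{result['scanned']}")
    print("extensions:", result["extensions"])
```

Run it against a read-only mount of the affected volume, never the live system disk with the ransomware still running. The note hash and preview, the dominant extension and one sample file are exactly what an identification service or recovery firm will ask for.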
There’s more to do
Whether you paid the ransom or not, and whether you’ve recovered your data or not, there are other steps. There are also some steps you should not take.
· Don’t turn off the computer immediately. The files on it are already encrypted, and once it is disconnected from the network it can’t spread. But you may need what is on the computer, including what is in memory, for forensic analysis: a memory image captured while the machine is still running can hold the ransomware process, its configuration and, for some strains, the key material used for encryption. Capture memory first, then power down.
· Don’t erase the encrypted files. If you hire a recovery service, they need something to recover. The encrypted files, together with the appended extension and the note, are also what identifies the strain that hit you, and that can aid in recovery.
· Don’t neglect to correct the vulnerabilities that let the ransomware in to begin with. Victor Congionti, CEO of Proven Data, said that he has a client who has been hit by ransomware repeatedly, because the client doesn’t perform the follow-up tasks to prevent a ransomware attack in the future.
Congionti also suggests making a complete copy of the encrypted files so that you have those to work with when you try to recover your data. He also suggests that you tighten up your security by taking steps such as turning off Windows Remote Desktop, or at least making sure it has a secure password, and that you consider an email screening service to help prevent phishing and malware-laden emails from compromising your security. Exposed Remote Desktop is one of the most common ways ransomware operators get in, and a strong password on its own is a thin defense against credential stuffing and brute forcing: if RDP must stay on, put it behind a VPN or gateway, require multi-factor authentication, enable Network Level Authentication and account lockout, and alert on failed logons.
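The "complete copy" advice above is only useful if you can later prove the copies are untouched, both for a recovery attempt and for any investigation. The following is an added example, not code from the article or from Proven Data, of preserving the encrypted files with a hash manifest and re-verifying them: the paths, the manifest format and the stand-in "encrypted" files are constructed for illustration.

```python
"""Preserve encrypted files with a hash manifest before any recovery attempt.

Added example, not code from the article or from Proven Data. Paths, the
manifest format and the sample files are constructed for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(source, evidence_dir) -> Path:
    """Copy `source` into `evidence_dir/files` and write manifest.json with size, mtime, sha256."""
    src, dst = Path(source), Path(evidence_dir)
    copied = dst / "files"
    # copy2 keeps mtimes; the original timestamps tell the recovery team when encryption ran.
    shutil.copytree(src, copied, copy_function=shutil.copy2)
    entries = []
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        st = path.stat()
        entries.append({"path": path.relative_to(src).as_posix(), "size": st.st_size,
                        "mtime": st.st_mtime, "sha256": sha256_file(path)})
    manifest = dst / "manifest.json"
    manifest.write_text(json.dumps({"source": str(src), "files": entries}, indent=2))
    return manifest


def verify(evidence_dir) -> list:
    """Re-hash the preserved copies; return relative paths whose hash no longer matches."""
    dst = Path(evidence_dir)
    manifest = json.loads((dst / "manifest.json").read_text())
    mismatched = []
    for entry in manifest["files"]:
        copy = dst / "files" / entry["path"]
        if not copy.is_file() or sha256_file(copy) != entry["sha256"]:
            mismatched.append(entry["path"])
    return mismatched


def build_sample_source() -> str:
    """Constructed stand-ins for encrypted files (no real ciphertext involved)."""
    src = Path(tempfile.mkdtemp(prefix="victim-"))
    (src / "finance").mkdir()
    (src / "finance" / "ledger.xlsx.locked").write_bytes(b"\x00\xffciphertext-stand-in" * 50)
    (src / "HOW_TO_RECOVER_FILES.txt").write_text("Your files are encrypted.\n")
    return str(src)


def demo() -> tuple:
    """Preserve a constructed source, verify, then overwrite one copy to show the check fires."""
    src = build_sample_source()
    evidence = Path(tempfile.mkdtemp(prefix="evidence-"))
    preserve(src, evidence)
    before = verify(evidence)
    # Simulate a botched decryptor overwriting one preserved copy in place.
    (evidence / "files" / "finance" / "ledger.xlsx.locked").write_bytes(b"garbage")
    after = verify(evidence)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("mismatches after preservation:", before)
    print("mismatches after tampering:", after)
```

Keep the manifest (and ideally a copy of it) on separate media from the evidence copies, and hand the recovery firm yet another copy to work on: the preserved set is the one you fall back to if a decryptor fails halfway through.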
“Even paying the ransom doesn’t fix the security issues,” Congionti said, noting that when his company does a ransomware recovery, it provides a detailed list of instructions that companies should take to secure their systems.
Unfortunately, you may find that having your files encrypted is only part of your ransomware problem. According to Marcus Chung, CEO of BoldCloud, cyber criminals are also breaking into systems and downloading sensitive files before they perform the encryption process.
“It exfiltrates the data before it does the encryption and notifies the ransom request,” Chung said. “This increases the chances that you’ll pay the ransom.”
Recovering from the attack
Once your systems are up and running, it’s important that you clean out any trace of the ransomware attack by doing a complete wipe and restore. To be safe, remove the storage that was affected, preserve it for forensic analysis, and install new drives before restoring. Rebuild from known-good installation media rather than from an image of the compromised machine.
When you restore from your backup, it’s critical that you examine it for traces of the malware that delivered the ransomware. Chung said that some ransomware can have dwell times of as much as six months, meaning that the malware may have been included in your backups.
This means that you will need to run an anti-malware scan over your recovered data before it goes back into service, and to check it for anything introduced during the suspected dwell window rather than only for the files the ransomware encrypted. In addition, it’s really useful to run a cloud-managed anti-ransomware package that watches for encryption behaviour, such as Cybereason’s. That way, if the malware does emerge from the backups, you’ll be ready.
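A signature scan catches what the anti-malware vendor already knows about. Given the dwell times described above, a restore also needs a sweep keyed to your own incident: anything matching indicators from the investigation, and any executable content that first appeared inside the dwell window. The script below is an added example, not part of the article, of that sweep over a restored tree. The "known-bad" hash is computed from a constructed dummy file so it matches nothing real, and the 180-day window, the paths and the extension list are illustrative assumptions.

```python
"""Sweep a restored backup for known-bad hashes and executable content that appeared
during the suspected dwell window.

Added example, not code from the article. The 'known-bad' hash is computed from a
constructed dummy file so it matches nothing real; window, paths and extensions are
illustrative.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Types that should not appear new in user-writable locations during the dwell window.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr"}
DAY = 86400


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, bad_hashes: set, window_start: float, window_end: float) -> dict:
    """Walk the restored tree. Flag files whose hash is on the IOC list, and executable
    files last modified inside the dwell window: a backup taken during the window brings
    those back no matter how clean the backup date looked."""
    base = Path(root)
    hash_hits, new_executables = [], []
    for path in sorted(p for p in base.rglob("*") if p.is_file()):
        rel = path.relative_to(base).as_posix()
        if sha256_file(path) in bad_hashes:
            hash_hits.append(rel)
        mtime = path.stat().st_mtime
        if path.suffix.lower() in EXECUTABLE_SUFFIXES and window_start <= mtime <= window_end:
            new_executables.append(rel)
    return {"hash_hits": hash_hits, "new_executables": new_executables}


def build_restored_backup() -> tuple:
    """Constructed restore set: an old legitimate binary, a script planted 45 days ago and
    a recent document. Returns (root, bad_hashes, (window_start, window_end))."""
    root = Path(tempfile.mkdtemp(prefix="restore-"))
    now = time.time()

    def write(rel: str, data: bytes, age_days: int) -> None:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        stamp = now - age_days * DAY
        os.utime(p, (stamp, stamp))  # backdate mtime to model when the file appeared

    write("Program Files/tool/tool.exe", b"legitimate old binary (stand-in)", 400)
    write("Users/admin/AppData/Roaming/update.ps1", b"dropper stand-in", 45)
    write("Users/admin/Documents/q1.docx", b"ordinary document", 10)
    bad_hashes = {hashlib.sha256(b"dropper stand-in").hexdigest()}  # constructed IOC, not real
    return str(root), bad_hashes, (now - 180 * DAY, now)


if __name__ == "__main__":
    root, bad, (start, end) = build_restored_backup()
    print(sweep(root, bad, start, end))
```

Feed `bad_hashes` from the indicators your responders pulled off the compromised hosts, and set the window from the earliest sign of intrusion you found, not from the day the ransom note appeared. Every hit in `new_executables` needs a human to decide whether it belongs there before the restore goes live.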
“Cybereason’s anti-malware technology will prevent ransomware by detecting and preventing it when it executes and exhibits ransomware indicators,” said Israel Barak, CISO of Cybereason in an email. “In particular, Cybereason’s anti-ransomware technology will use deception techniques to detect, prevent and recover from attempts to encrypt files, remove local data backups, or modify critical system areas such as the master boot record.”
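The deception technique Barak describes rests on a simple idea: plant files no legitimate user or program would ever touch, and treat any change to them as encryption in progress. The code below is an added example of that idea, not Cybereason's code. A product does this by hooking file I/O in the kernel and reacting in real time; this polled check, the decoy names and directory, and the XOR "encryptor" that stands in for ransomware are all constructed for illustration.

```python
"""Decoy-file (canary) detection of file encryption in progress.

Added example, not Cybereason's code. A real product hooks file I/O in the kernel
and reacts in real time; this polled check illustrates the deception idea. The decoy
names, the directory and the simulated encryptor are constructed for the example.
"""
import hashlib
import tempfile
from pathlib import Path

# Names chosen to sort first and last in a directory listing, so a ransomware loop
# that walks files in order hits a decoy early. Nothing legitimate should ever edit them.
DECOY_NAMES = ("~$budget_2019.xlsx", "AAAA_do_not_touch.docx", "zzz_archive.pdf")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plant_decoys(root) -> dict:
    """Write the decoys and return {path: sha256} as the baseline to check against."""
    baseline = {}
    for name in DECOY_NAMES:
        path = Path(root) / name
        path.write_bytes(f"decoy {name}\n".encode() * 64)
        baseline[str(path)] = sha256_bytes(path.read_bytes())
    return baseline


def check_decoys(baseline: dict) -> list:
    """Compare each decoy with its baseline. Any difference is an alert: decoys are never
    legitimately edited, renamed or deleted, so there is no benign explanation."""
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append(f"{p.name}: missing (renamed or deleted)")
        elif sha256_bytes(p.read_bytes()) != digest:
            alerts.append(f"{p.name}: contents changed (possible encryption)")
    return alerts


def simulate_encryptor(root, key: int = 0x5A) -> int:
    """Stand-in for ransomware: XOR every file in place. Real strains use proper ciphers
    and usually rename files as well, which trips the 'missing' branch of the check."""
    count = 0
    for path in sorted(Path(root).iterdir()):
        if path.is_file():
            path.write_bytes(bytes(b ^ key for b in path.read_bytes()))
            count += 1
    return count


def demo() -> tuple:
    """Plant decoys beside a user file, confirm quiet, run the simulated encryptor, check
    again, then delete one decoy as a renaming strain would. Returns the three alert lists."""
    root = Path(tempfile.mkdtemp(prefix="canary-"))
    (root / "quarterly_report.docx").write_bytes(b"user document")
    baseline = plant_decoys(root)
    quiet = check_decoys(baseline)
    simulate_encryptor(root)
    encrypted = check_decoys(baseline)
    (root / DECOY_NAMES[0]).unlink()
    deleted = check_decoys(baseline)
    return quiet, encrypted, deleted


if __name__ == "__main__":
    quiet, encrypted, deleted = demo()
    print("before:", quiet)
    print("after simulated encryption:", encrypted)
    print("after one decoy deleted:", deleted)
```

In production the check would run continuously (or on a file-system notification) and the response to an alert is to suspend the writing process and isolate the host, since by the time a decoy changes, real files next to it are already being encrypted. Scatter decoys across every share and profile you care about, not just one directory.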
A number of ransomware experts caution against paying the ransom. The reasons include that it may encourage the criminals to attack again, that they may demand more money, and that you may be funding a criminal enterprise. All of these are true, so a decision to pay needs to be made by weighing the impact on your business today against the risk down the road.
But there are other reasons, most notably that the unlocking process may not work: criminal decryptors are often poorly written and may corrupt some files. If you do receive one, run it against copies of the encrypted files, never the only copies, and verify the output before you overwrite anything.
But there’s also the possibility that the encryption of your files and the ransom demand was really a ruse. They’ll take your money and run, and you won’t be given an unlock code.
These are reasons you should ask for help from the beginning. One source is the No More Ransom website (https://www.nomoreransom.org), a joint project of law enforcement and security vendors that offers free decryptors for many strains, along with a Crypto Sheriff tool that identifies the strain from the ransom note and a sample encrypted file. Those are resources you can use yourself.
But whatever you do, don’t forget to fix the problem that allowed the ransomware in, or you’ll just be attacked again.