In the past year, 92% of organizations reported seeing ransomware delivered via email attachments, and nearly 30% have seen business operations impacted by ransomware. You’ve read thousands of articles on guarding your network from every threat under the sun. But sometimes, despite all precautions, an infection gets in. That is the time for cool heads and quick, decisive action. Your response will help determine whether the incident becomes a deadly headache for the company or a feather in your cap as an IT administrator.
Locate and Isolate
Your first step is to determine the extent of the intrusion. How far has the virus spread? Has it infected the entire network? Has it spread to other offices?
Start by looking for infected computers and network segments in the corporate infrastructure and immediately isolate them from the rest of the network to limit contamination; then move on to the antivirus and firewall logs. You may have to physically walk from machine to machine and check them. If we’re talking about lots of computers, you’ll want to analyze the events and logs in a SIEM (security information and event management) system.
After isolating infected machines from the network, create disk images of them and, if possible, leave the machines alone until the investigation is over.
Analyze and Act
Once you’ve checked the perimeter, you now have a list of machines with disks full of encrypted files, plus images of those disks. They are all disconnected from the network and no longer pose a threat. Before you start the recovery process, see to the security of the rest of the network.
Now is the time to analyze the ransomware and figure out how it got in and which groups usually use it; in other words, start the threat-hunting process. Ransomware doesn’t just suddenly appear: a dropper or trojan loader had to install it. You need to root out what that was.
Try digging through the logs to determine which computer was hit first and why that computer failed to halt the onslaught. Based on the results of your analysis, get rid of any trace of advanced, stealthy malware and, if possible, restart business operations. Then figure out what would have stopped it.
Moving forward, install updates and patches in good time. Update and patch management is a critical priority for IT managers, as malware often creeps in through vulnerabilities for which patches were already available.
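The log-analysis step described above (find every host showing encryption activity, isolate it, and work out which one was hit first) as an added example, not code from the original article. It runs over constructed file-audit lines in an assumed "<time> <host> <event> <path>" format; the indicator extensions, ransom-note name pattern, burst window and threshold are assumptions you would tune to your own SIEM data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicators (not from the article): bursts of renames to a new extension
# plus ransom-note drops; a single benign rename or text file must not trigger.
SUSPECT_EXTS = (".locked", ".encrypted", ".crypt")
NOTE_NAME = re.compile(r"(readme|how_to|restore|decrypt).*\.(txt|html)$", re.I)
WINDOW, THRESHOLD = timedelta(seconds=60), 3   # THRESHOLD indicator events within 60 s
LINE = re.compile(r"^(\S+) (\S+) (RENAME|CREATE) (.+?)(?: -> (.+))?$")

# Constructed file-audit lines in a hypothetical "<time> <host> <event> <path>" format.
SAMPLE_LOG = """\
2024-03-02T08:01:12 ws-17 RENAME C:\\docs\\q1.xlsx -> C:\\docs\\q1.xlsx.locked
2024-03-02T08:01:13 ws-17 RENAME C:\\docs\\plan.docx -> C:\\docs\\plan.docx.locked
2024-03-02T08:01:14 ws-17 CREATE C:\\docs\\README_RESTORE.txt
2024-03-02T08:03:40 fs-01 RENAME \\\\fs-01\\hr\\pay.xlsx -> \\\\fs-01\\hr\\pay.xlsx.locked
2024-03-02T08:03:41 fs-01 RENAME \\\\fs-01\\hr\\list.csv -> \\\\fs-01\\hr\\list.csv.locked
2024-03-02T08:03:42 fs-01 CREATE \\\\fs-01\\hr\\HOW_TO_DECRYPT.html
2024-03-02T08:10:00 ws-04 RENAME C:\\tmp\\notes.txt -> C:\\tmp\\notes.bak
2024-03-02T09:30:00 ws-04 CREATE C:\\tmp\\readme.txt
"""

def is_indicator(event, src, dst):
    """True when the event looks like encryption activity rather than normal file use."""
    if event == "RENAME":
        return dst is not None and dst.lower().endswith(SUSPECT_EXTS)
    return NOTE_NAME.search(src.rsplit("\\", 1)[-1]) is not None

def triage(log_text):
    """{host: time of first indicator} for hosts with THRESHOLD indicators in one WINDOW."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)           # unparseable lines (noise in a real export) are skipped
        if m and is_indicator(*m.group(3, 4, 5)):
            events[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    flagged = {}                       # every key here is a host to isolate and image
    for host, times in events.items():
        times.sort()
        for i in range(len(times) - THRESHOLD + 1):
            if times[i + THRESHOLD - 1] - times[i] <= WINDOW:
                flagged[host] = times[i]
                break
    return flagged

def first_victim(log_text):
    """Host with the earliest confirmed burst: where the root-cause hunt should start."""
    flagged = triage(log_text)
    return min(flagged, key=flagged.get) if flagged else None
```

On the constructed sample, ws-17 and fs-01 are flagged for isolation and ws-17 is the first victim, while ws-04's lone rename and lone readme.txt stay below the threshold.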
Clean up and Restore
Now that you’ve managed the threat to the network and closed the hole it came through, it’s time to turn your attention to the computers it took out of commission.
If they are no longer needed for your investigation, format the drives and then restore the data from the most recent clean backup. A good practice is to use a cloud backup solution to make this process easy and timely. If you don’t have a backup, you can try to decrypt whatever’s on the drives using the No Ransom website, where you might find that a decryptor already exists for the ransomware you encountered. But regardless of the particulars, don’t ever pay up. You’d be sponsoring criminal activity and likely guaranteeing that this happens again in the future. There is also no guarantee that the criminals will restore your data even if you pay. All paying them does is encourage them to ask for more. In general, consider any stolen data public knowledge and be prepared to deal with the leak.
Take Preventative Measures
Any cybersecurity incident means big problems. Prevention is the best cure, so prepare in advance for what could happen.
- Install network endpoint protections on everything
- Look beyond antivirus to powerful, proactive threat-hunting tools, including email security.
- Train employees in cybersecurity awareness with regular interactive sessions. An employee clicking on that curious email is the single biggest threat.
- Segment the network and invest in secure cloud backup
Cyber criminals have gone beyond baiting users into unknowingly downloading ransomware. They now gain access to systems over the internet while no one is around. The attacks are constantly evolving, making your ransomware backup solution more important than ever.