Knowing how to react to a ransomware attack is crucial, as ransomware continues to disrupt businesses across the globe, with a 93% increase in the last 6 months alone. To make matters worse, more and more attackers are using the “Triple Extortion” technique, in which the attackers steal sensitive data before initiating the attack and then threaten to publicly disclose the data unless a payment is made.
Preventing such attacks is tricky, as attackers will often try to target unsuspecting employees, usually via some form of phishing technique. So, what should organizations do once they realize that they have been infected? Below are some of the steps that should be taken to recover from a ransomware attack.
1. Isolate the Affected Systems
In the majority of cases, the ransomware program will scan your network for vulnerabilities in order to propagate laterally to other parts of the network, which is why it is crucial that you isolate the affected systems as quickly as you can.
2. Report the attack
As soon as you have isolated the affected systems, the best thing to do is report the attack to the relevant authorities, as this may help them identify the perpetrators. If you help them identify the perpetrators, they might be able to obtain the decryption key on your behalf. Reporting the attack will also help the authorities understand which organizations are being targeted, and thus warn potential targets in advance. If you are based in the UK you can report the incident to Action Fraud. If you are unsure about how/where to report a ransomware attack, contact your local police and they should provide you with the relevant details.
3. Shut down "Patient Zero"
Patient Zero is a term used to describe the source of the infection. A good place to start would be to list all of the open files that have been encrypted and take note of which users were accessing those files before and during the attack. If you see one user with access to a large number of open files, there’s a good chance that they were the source of infection. In this scenario, the best thing to do would be to disable their account immediately in order to mitigate the chance of further infection and prevent the attack from spreading.
4. Secure your Backups
In the event of a ransomware attack, the first thing that most organizations will try to do is restore a backup in order to avoid paying the ransom. Of course, attackers will be aware of this, and will thus do everything they can to locate the backups and either encrypt or delete them. Organizations should always try to keep an offline copy of their backups and ensure that they are password protected.
5. Disable all Maintenance Tasks
Following a ransomware attack, your security team will need to launch a forensic investigation into the cause of the incident. This will involve scrutinizing the log files, scanning for vulnerabilities, etc. However, certain maintenance tasks, such as tasks that delete unnecessary/temporary files, install updates, and so on, can interfere with the investigation and should be disabled.
6. Backup the Infected Systems
Once your system has been infected with ransomware, the intuitive course of action is to reformat the affected drives and restore a backup. However, bear in mind that by doing so, you are effectively removing all evidence of the incident, which means you won’t be able to determine the cause. There are free ransomware decryption tools that make it possible to unlock your files without paying the ransom.
However, it should be noted that some of them contain bugs that may corrupt some of the files in the process. As such, before reformatting your drives and/or using any decryption tools, make sure that you create a backup of all infected systems. That way, if your chosen decryption tool doesn’t work as expected, you can restore the backup, repeat the process, or try a different tool.
There are also companies that will develop a custom-built decryption solution if none of the free tools work. It’s also possible that the law enforcement agencies actually catch the bad guys and force them to hand over the decryption keys. If the ransomware script is still executing, it would also be a good idea to take a memory dump in order to record any malicious processes that are running. Doing so might help to determine how the files are being encrypted, thus making it easier to decrypt them.
7. Identify the Strain
In order to improve your chances of decrypting your files without paying the ransom, it is a good idea to find out which strain of ransomware you have been infected with. There are various online ransomware identification tools, such as ID Ransomware, Emsisoft, and No Ransom, where you can either upload a ransom note and/or sample encrypted file, and it will tell you which strain it is.
8. Decide Whether to Pay the Ransom
If all of the above options fail, you will find yourself in a situation where you may have to consider paying the ransom, especially if you need to get your systems back online without any further delay. Of course, there’s no guarantee that the attackers will actually decrypt your data, although there’s a good chance they will, otherwise other victims may choose not to pay. Make sure that you have exhausted all possible options before doing so, as paying the ransom will only encourage them to launch more attacks and develop even more sophisticated strains. It’s also worth bearing in mind that paying the ransom could inadvertently fund other types of criminal activity, such as human trafficking and terrorism.
As they say, prevention is better than a cure, but as we know, preventing ransomware attacks is a lot easier said than done. It’s worth noting that there are solutions available that can identify and respond to bulk file encryption – a technique referred to as “threshold alerting”. For example, if X number of files have been encrypted within Y period of time, a custom script can be executed which may disable a user account, terminate a specific process, adjust the firewall settings, or simply shut down the affected server.
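The two log-driven ideas above, the "patient zero" heuristic from step 3 (which user touched the most encrypted files) and the threshold alert just described (X encrypted files from one user within Y seconds triggers a response), can both be implemented over the same file-server audit events. The following Python is an added example, not code from the article or from any product it mentions. The log format, the user names and paths, and the list of encrypted-file suffixes are all constructed for the example; a real deployment would feed it the audit events its file server actually emits and would take the suffix (or ransom-note name) from the strain identified in step 7.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Suffixes that, in this example, mark a file as encrypted.
# ASSUMPTION: real strains use many different suffixes; take the real one
# from the ransom note / strain identification rather than this list.
ENCRYPTED_SUFFIXES = (".locked", ".crypt", ".encrypted")

# Constructed sample audit log (not real data): "<ISO time> <user> <action> <path>".
SAMPLE_LOG = """\
2024-05-01T09:00:01 carol WRITE  /srv/share/hr/handbook.docx
2024-05-01T09:00:05 alice RENAME /srv/share/finance/q1.xlsx.locked
2024-05-01T09:00:07 alice RENAME /srv/share/finance/q2.xlsx.locked
2024-05-01T09:00:09 bob   WRITE  /srv/share/eng/notes.txt
2024-05-01T09:00:11 alice RENAME /srv/share/finance/budget.docx.locked
2024-05-01T09:00:14 alice RENAME /srv/share/finance/payroll.csv.locked
2024-05-01T09:00:20 bob   RENAME /srv/share/eng/old.bak.locked
2024-05-01T09:00:25 alice RENAME /srv/share/finance/forecast.pptx.locked
2024-05-01T09:00:31 alice RENAME /srv/share/finance/invoices.pdf.locked
2024-05-01T09:00:40 carol WRITE  /srv/share/hr/offer_letter.docx
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, action, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(None, 3)  # path keeps any spaces
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def is_encryption_event(action, path):
    """A WRITE or RENAME that produces an encrypted-looking file name counts as
    one encryption event; ordinary writes do not."""
    return action in ("WRITE", "RENAME") and path.endswith(ENCRYPTED_SUFFIXES)


def rank_suspects(events):
    """Step 3 heuristic: distinct encrypted files each user touched, most first.
    The top entry is the likeliest 'patient zero' account."""
    touched = {}
    for _, user, action, path in events:
        if is_encryption_event(action, path):
            touched.setdefault(user, set()).add(path)
    counts = Counter({user: len(paths) for user, paths in touched.items()})
    return counts.most_common()


def threshold_alerts(events, max_files=5, window=timedelta(seconds=60), respond=None):
    """Sliding-window threshold alert: when one user reaches `max_files`
    encryption events inside `window`, record (user, timestamp) once and call
    respond(user, timestamp). `respond` is where the disable-account /
    kill-process / firewall action from the article would be hooked in."""
    recent = {}        # user -> deque of timestamps of recent encryption events
    alerted = set()    # fire only once per user
    alerts = []
    for ts, user, action, path in events:
        if not is_encryption_event(action, path):
            continue
        q = recent.setdefault(user, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= max_files and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts))
            if respond is not None:
                respond(user, ts)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("suspects (user, encrypted files):", rank_suspects(evs))
    actions = []
    alerts = threshold_alerts(evs, respond=lambda u, t: actions.append(f"disable {u} at {t.time()}"))
    print("alerts:", alerts)
    print("response actions taken:", actions)
```

With the sample data, alice reaches five encrypted files at 09:00:25, well inside a 60-second window, so the alert fires and the response hook runs once for her; bob's single renamed backup file never crosses the threshold, which is the point of counting within a window rather than alerting on every suspicious rename. The threshold and window are tuning knobs: too low and routine bulk renames by a backup job trip it, too high and the ransomware finishes before the response fires.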