Ransomware attacks are on the rise, along with both the demands and payments. And with double (and triple) extortion techniques being used, and Ransomware-as-a-Service becoming more popular, I think it would be reasonable to assume that the problem will likely get worse, before, or if, it gets better. Sure, we can educate our employees to ensure that they know how to identify potentially malicious emails, and we can monitor and respond to anomalous activities and network traffic, however, these approaches to preventing ransomware attacks are far from fool-proof. We must always prepare for the worst case scenario, which means developing an effective strategy for quickly responding and recovering from ransomware attacks.
What Are the Early Signs of Ransomware Attacks?
Before we talk about ways to recover from a ransomware attack, let’s first review the types of activities we might see once an attack has been initiated, as this will help us develop an incident response plan.
Firstly, since a ransomware application will search for, and encrypt the files on our network, there will be a spike in disk activity, which will likely be accompanied by poor system performance.
We may also notice suspicious inbound and outbound network traffic, as the script sends data between the compromised system, and the Command & Control (C&C) Server. We may find unauthorized software installed on our systems, which the attackers will use to exploit vulnerabilities and conduct various reconnaissance activities.
We may also see security systems and backups being tampered with, and certain systems becoming inaccessible. Having the right tools in place to help us understand how the incident unfolded will no doubt make it easier to recover from a ransomware attack.
How to Prevent and Detect Ransomware
Given that this article is about recovering from a ransomware attack, I will provide only a brief overview of the techniques used to prevent and detect ransomware attacks, which are as follows:
- Identify your exposed assets, particularly those that are sensitive.
- Use multi-factor authentication (MFA) to minimize the chance of unauthorized access.
- Restrict access to sensitive data to prevent the attack from moving laterally throughout the network.
- Keep all systems and applications up-to-date. Perhaps use an automated patch management solution.
- Detect and respond to events that match a pre-defined threshold condition, such as when multiple files have been copied or encrypted within a given time-frame.
- Proactively monitor your network and data, including any backups.
- Educate your users about malicious spam and the importance of creating strong passwords.
- Use the latest endpoint protection solutions, such as next-gen firewalls, IPDS, DLP and SIEM solutions.
Best Practices and Tips to Recover from Ransomware
If you are reading this article, there’s a good chance that you have decided not to pay the ransom, or at least you are exploring other possibilities. If so, this is good, because paying the ransom is very risky. Obviously, you have no idea if the attacker will actually deliver on their promise to provide you with the decryption key, and if they took copies of your data before initiating the attack, they will likely use or sell the data without you knowing.
Also, paying the ransom could make you a potential target for future attacks, and let’s not forget, you would also be funding criminal activities. With this in mind, what steps will you need to take to help you recover from a ransomware attack?
Immediately disconnect all computers and turn off your Wi-Fi, Bluetooth, NFC, etc.
Reset passwords for administrator and other system accounts.
Any updates/patches relating to your operating system, applications, and antivirus software, should be installed ASAP.
Determine the ransomware strain
Identifying the ransomware strain and version of the ransomware program will help you determine what has happened, and how to recover. For example, you may be able to obtain a decryptor, to decrypt your files (although I wouldn’t hold your breath).
Determine the scope of the infection
Check all systems for signs of infection, including all drives and devices, both on-premise and in-the-cloud.
Analyze your event logs
You will need to check your event logs for any suspicious activity, which can help you determine both the source and status of the infection. If you have a file auditing solution in place, you should keep a look out for events where a large number of files were copied or encrypted, or if any privileged accounts have been accessed in an atypical manner. The event logs might also help you understand if your backups have been tampered with. You should also look at your firewall logs to identify suspicious inbound and outbound network traffic, and also check the logs associated with any IPDS, DLP or SIEM solutions you have in place.
Test your backups
Locate and test your backups to ensure that they haven’t been infected.
Reformat, reinstall and restore
Wipe the infected devices and reinstall the OS. Once you have done this you can restore your data from the backup. It’s generally a good idea to do this offline, or at least on a different network.
Continuously monitor for signs of infection
Monitor network traffic and user behavior, and run antivirus scans to check if any infection remains.