You’ve just been hit with a ransomware attack. Now what? Obviously, the easiest thing to do (for some) seems to be to give in to the hackers’ demands. This is most true when paying the ransom is less expensive than the potential loss of productivity. However, hackers are counting on this, which is why many are targeting smaller firms. Easy pickins’, as they say. Paying the ransom only encourages them to strike other small organizations, you might not even get your data back, and you may set your organization up as a repeat victim. Obviously, the only other option is to try to remove it, report it, and hopefully recover from it.
Assuming your organization doesn’t already have an Incident Response Team in place and prepared for this sort of event, here are the basic steps you should take if faced with a ransomware attack.
Trace and isolate
Find out who and what have already been infected and take immediate action to isolate them from the rest of the network. Unplug network cables or remove their access to WiFi. If several systems appear impacted and you are able to, take the entire network offline at the switch level. DO NOT power down individual devices; doing so can erase necessary forensic information (what is in memory is lost when the machine shuts down). Isolate systems in a coordinated manner and communicate using off-network methods like phone calls. Not doing so can tip off any malicious actors who might be monitoring your response, which could trigger them to move laterally and deploy the ransomware widely before you have a chance to take the network offline. According to CISA, this has become common practice.
If the ransomware appears to have infected only a single machine or a small part of the network (thus far), it is critical to notify employees as to what is happening. If the ransomware is the byproduct of a phishing email (by far the most common source), give other employees the specifics of that email so they do not open or act on it if they receive it.
Document the threat
Take a screenshot – or even a cell phone picture – of the threat. Take a system image and memory capture of some of the affected devices. Turn off automated maintenance; this will preserve and protect information that could be useful during investigation and recovery. Quarantine the malware and back up all infected systems. While making a backup of infected systems seems like a strange assignment, again, this preserved information will be important in the digital forensics to come.
Identify and counteract
Try to identify the strain of ransomware you have been infected with. Websites like ID Ransomware and Crypto Sheriff can help. Once you’ve identified it, look online for a free decryption tool. If one is available for your strain, download and deploy it (only after documenting your infected files, as described above). If none is available for your variant, your only other option is to restore your files from backup.
It should go without saying that even if the infection appears to be contained at a local level, the best precaution is to change all admin, staff, and device passwords immediately.
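As an added example (not from the original post or from CGNET), here is a Python script that supports the Trace and Document steps above: it walks a folder or share read-only, flags files whose first bytes look encrypted (high entropy) or whose name matches a known ransom note, and writes a hash-and-timestamp manifest of those files so their original state is on record before any decryptor or restore touches them. The ransom-note name list and the sample tree it builds are constructed placeholders, not data from a real incident.

```python
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Constructed list of ransom-note names (case-insensitive); add the note you actually see.
NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "decrypt_instructions.html"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted bytes sit near 8.0, English text around 4-5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def inventory(root, entropy_threshold=7.5, sample_bytes=4096):
    """Read-only walk of root; returns a record per ransom note or high-entropy file.
    Compressed formats (zip, jpg, pdf) also score high, so treat hits as triage, not proof."""
    records = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)          # entropy is judged on the header only
            digest.update(head)
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)              # but the hash covers the whole file
        entropy, st = shannon_entropy(head), path.stat()
        is_note = path.name.lower() in NOTE_NAMES
        if is_note or entropy >= entropy_threshold:
            records.append({
                "path": str(path), "size": st.st_size, "ransom_note": is_note,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": digest.hexdigest(), "entropy": round(entropy, 2)})
    return records

def write_manifest(records, out_path):
    """Save the inventory as JSON; keep it with the system image and memory capture."""
    Path(out_path).write_text(json.dumps(records, indent=2))
    return len(records)

def build_sample_tree():
    """Constructed sample (no real malware): a plain doc, a random-byte 'encrypted' file, a note."""
    root = Path(tempfile.mkdtemp())
    (root / "budget.txt").write_text("Quarterly budget notes in plain text. " * 40)
    (root / "budget.xlsx.locked").write_bytes(os.urandom(8192))
    (root / "README.txt").write_text("Your files are encrypted. Contact us.")
    return root
```

Run it against a copy of the affected share (or the mounted system image), never against the only copy of the evidence, and hand the JSON manifest to whoever does the forensics.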
Report to Authorities
File a report with your local FBI field office. Reporting the attack is how you help keep others from becoming victims. With every attack reported, the authorities get a better picture of who is behind the attacks, how they gain access to systems, and what can be done to stop them.
We’re here for you!
And remember, CGNET is here to help you if you are the unfortunate victim of a ransomware attack. Be sure to reach out to us immediately for advice and assistance!