Chances are, your organisation is going to have to contend with a ransomware attack in the near future. There were more than 850 million infections reported in 2018, and there are no signs of things slowing down.
Attacks can be a stressful time for organisations, with infections designed to scare recipients and grind your organisation’s productivity to a halt. Fortunately, we’re here to explain how to manage the situation as smoothly as possible.
1. What you need to do before being attacked
True ransomware is not designed to scare but to extort money.
Ransomware attacks are based on a simple premise: organisations need access to their files to operate and make money. When they’re locked out of those files, a ransom payment is the most affordable way to get back to work.
But the files are only that valuable if they are the only copy. Organisations that regularly back up their files can simply ignore the fraudsters, because they’d be better off deleting the infected files and rebuilding their systems from the backups.
In order to prepare for an attack, organisations need to conduct a BIA (business impact analysis) to determine the RTO (recovery time objective) and criticality of their data, and then implement a backup strategy that meets those requirements.
As a general rule, the shorter the time you can do without the data, the more frequently it must be backed up.
It’s important to remember that backups need to be either created offline or stored where they can’t be directly reached by devices likely to be infected. Modern ransomware goes after backup files on network shares, and it even deletes shadow copies on the workstation to prevent restoration.
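The following script is an added example, not part of the original article, showing how the two requirements above can be checked mechanically: each dataset’s newest backup copy that infected devices cannot reach must be no older than the tolerable outage the BIA produced, and that copy must have passed a restore or checksum verification. The BIA table, the backup catalogue, the dataset names and the location labels are all constructed for the demonstration; a real run would read them from the BIA document and the backup software’s catalogue.

```python
"""Check a backup catalogue against the requirements a BIA produced.

Added example, not from the original article. The BIA table, the catalogue
entries and the location labels below are constructed; in practice they would
come from your BIA document and your backup software's catalogue or API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Storage classes that a ransomware-infected device cannot reach and delete.
ISOLATED = {"offline", "immutable"}

# BIA output (constructed): the longest outage each dataset may suffer.
# Assumption used here: the newest isolated copy must be younger than that.
BIA = {
    "erp-db": timedelta(hours=4),
    "crm": timedelta(hours=12),
    "file-share": timedelta(hours=24),
    "payroll": timedelta(days=1),
    "archive": timedelta(days=7),
}


@dataclass
class Backup:
    dataset: str
    taken: datetime
    location: str   # "offline", "immutable" or "online-share"
    verified: bool  # a test restore or checksum verification succeeded


# Backup catalogue (constructed). "online-share" copies are what modern
# ransomware deletes or encrypts, so they never satisfy the requirement alone.
NOW = datetime(2019, 1, 14, 12, 0, tzinfo=timezone.utc)
CATALOG = [
    Backup("erp-db", datetime(2019, 1, 14, 9, 0, tzinfo=timezone.utc), "online-share", True),
    Backup("erp-db", datetime(2019, 1, 13, 22, 0, tzinfo=timezone.utc), "offline", True),
    Backup("crm", datetime(2019, 1, 14, 10, 0, tzinfo=timezone.utc), "online-share", True),
    Backup("file-share", datetime(2019, 1, 14, 1, 0, tzinfo=timezone.utc), "offline", True),
    Backup("archive", datetime(2019, 1, 10, 12, 0, tzinfo=timezone.utc), "immutable", False),
    # "payroll" has no backups at all.
]


def assess(bia, catalog, now):
    """Return {dataset: [issue codes]}; an empty list means the requirement is met.

    Issue codes: no-backup, not-isolated (no offline/immutable copy),
    stale (newest usable copy older than the tolerance), unverified.
    """
    findings = {}
    for dataset, tolerance in bia.items():
        copies = [b for b in catalog if b.dataset == dataset]
        if not copies:
            findings[dataset] = ["no-backup"]
            continue
        issues = []
        isolated = [b for b in copies if b.location in ISOLATED]
        if not isolated:
            issues.append("not-isolated")
        # Judge age and verification on the isolated copies only; fall back to
        # whatever exists so staleness is still reported for online-only sets.
        newest = max(isolated or copies, key=lambda b: b.taken)
        if now - newest.taken > tolerance:
            issues.append("stale")
        if not newest.verified:
            issues.append("unverified")
        findings[dataset] = issues
    return findings


if __name__ == "__main__":
    for dataset, issues in assess(BIA, CATALOG, NOW).items():
        print(f"{dataset:12s} {'OK' if not issues else ', '.join(issues)}")
```

Run against the constructed catalogue, only file-share passes: erp-db has an offline copy but it is 14 hours old against a 4-hour tolerance, crm exists only on a network share, archive has never been verified and payroll has no backup at all.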
2. An incident has been detected and you need to determine what has happened
Ransomware attacks are so common now that you might assume you’ve been infected whenever a security incident occurs. This could cause the organisation to roll out ransomware-specific measures that are unnecessary for the incident it actually faces.
The same problem will happen if Patient Zero doesn’t know that the attack is ransomware. They will be busy calling IT, thinking the problem is specifically to do with their computer, while the infection spreads across the organisation.
It’s therefore essential that you have good detection processes in place to detect the encryption process before the ransomware note is displayed.
Most ransomware notes will mention that files are encrypted. Once one user has suffered a ransomware attack, it is important to determine whether it is isolated to that machine or has spread around the network.
With some attacks, the infection has been on the network for a period of time and has spread before being triggered. Isolating infected machines is critical, as is examining other machines for indicators of compromise.
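Detecting the encryption process before the note is displayed comes down to spotting the file-activity pattern that encryption produces: one process rewriting or renaming many files to an extension nobody uses, across several directories, in a short burst, and then dropping the same note file into each of those directories. The script below is an added example, not part of the original article, that runs that heuristic over a constructed batch of file-activity events. The host name, process names, the `.locked` extension, the note file name and the thresholds are all constructed; a real deployment would feed EDR or file-server audit events into the same logic and tune the thresholds to its own baseline.

```python
"""Spot a mass-encryption burst in file-activity telemetry.

Added example, not from the original article. Every event record, host and
process name, the ".locked" extension and the note file name are constructed
for the demonstration; the thresholds are illustrative, not recommended values.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import posixpath

WINDOW = timedelta(seconds=60)   # burst window examined per (host, process)
MIN_FILES = 20                   # files renamed/written to an unknown extension
MIN_DIRS = 3                     # ... spread across at least this many directories
MIN_NOTE_COPIES = 3              # same new file name created in this many directories
KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".bak"}  # site baseline


def _ext(path):
    return posixpath.splitext(path)[1].lower()


def detect(events):
    """events: iterable of (timestamp, host, process, op, path), op in rename/write/create.

    Returns a sorted list of (host, process, reason) alerts, deduplicated.
    """
    by_actor = defaultdict(list)
    for ts, host, proc, op, path in sorted(events, key=lambda e: e[0]):
        by_actor[(host, proc)].append((ts, op, path))

    alerts = set()
    for (host, proc), evs in by_actor.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most WINDOW seconds.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]

            # Heuristic 1: many files given an extension outside the baseline.
            renamed = {p for _, op, p in window
                       if op in ("rename", "write") and _ext(p) and _ext(p) not in KNOWN_EXTS}
            if (len(renamed) >= MIN_FILES
                    and len({posixpath.dirname(p) for p in renamed}) >= MIN_DIRS):
                alerts.add((host, proc, "mass-rename-to-new-extension"))

            # Heuristic 2: the same file name created in many directories (ransom note drop).
            dropped = defaultdict(set)
            for _, op, p in window:
                if op == "create":
                    dropped[posixpath.basename(p)].add(posixpath.dirname(p))
            if any(len(dirs) >= MIN_NOTE_COPIES for dirs in dropped.values()):
                alerts.add((host, proc, "same-note-file-in-many-dirs"))
    return sorted(alerts)


# Constructed telemetry: a user saving documents, a backup agent writing many
# files of a known type into one directory, and a process that renames 25
# files in five directories to ".locked" and then drops a note in each.
T0 = datetime(2019, 1, 14, 9, 30, 0)


def at(sec):
    return T0 + timedelta(seconds=sec)


EVENTS = [
    (at(1), "ws-17", "winword.exe", "write", "/srv/share/finance/q4.docx"),
    (at(5), "ws-17", "winword.exe", "write", "/srv/share/finance/budget.docx"),
]
EVENTS += [(at(i), "ws-17", "backup-agent.exe", "write", f"/srv/backup/set1/file{i}.bak")
           for i in range(30)]
DIRS = ["finance", "hr", "legal", "sales", "ops"]
EVENTS += [(at(10 + i), "ws-17", "update_svc.exe", "rename",
            f"/srv/share/{DIRS[i % 5]}/doc{i}.docx.locked") for i in range(25)]
EVENTS += [(at(40 + j), "ws-17", "update_svc.exe", "create",
            f"/srv/share/{d}/HOW_TO_RECOVER.txt") for j, d in enumerate(DIRS)]


if __name__ == "__main__":
    for host, proc, reason in detect(EVENTS):
        print(f"ALERT {host} {proc}: {reason}")
```

Both heuristics fire for the constructed `update_svc.exe` activity and neither fires for the user or the backup agent, because the baseline extension set keeps the backup agent’s high-volume writes out of the first heuristic. The point of keying on one process per host is that an alert identifies Patient Zero directly, which is what the isolation step that follows needs.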
TrendMicro provides examples of common ransomware notes
Fraudsters will let you know whether they expect a payment and how to make it, usually in a note that looks like a security warning from your computer.
The notes generally don’t use the word ‘ransomware’, which can make it tricky for infected users to understand and communicate exactly what’s happened to them.
You should therefore teach your staff about ransomware, helping them understand how attacks happen, spot when an infection has occurred and know what their next steps should be.
3. Disconnect infected devices from the network
In the case of a widespread infection, it may be necessary to be bold and shut down the whole network.
However, you must have plans in place to create a clean network and restore services as quickly as possible.
Isolating machines, cleaning them and restoring them to the existing network can lead to reinfection if the network itself is not clean. If cleaned machines get infected when restored to the network, it will be necessary to shut the network down and cleanse it.
4. Notify your employees
At this point, it’s normal for employees to panic. Even if their own devices haven’t been affected, they’ll see that others’ devices have been and that certain systems are unavailable.
If you have an incident response plan, now is the time to roll it out.
A communication plan should be in place to communicate issues to employees using out-of-band channels that don’t rely on the network. Do this face-to-face where possible, and have calling plans that use a tree structure so that messages filter down from senior management.
Employees who can perform their tasks during the disruption can continue as normal. Those who are completely unable to work should help out in other parts of the business, assist in the recovery process or, if neither of those things is possible, go home.
5. Photograph the ransom note
You will need evidence of the ransomware infection when submitting a police report and filing a cyber insurance claim.
If you don’t already have cyber insurance, it’s worth considering. Damages associated with information security incidents don’t tend to be mentioned in commercial insurance policies, meaning providers won’t pay out if you make a claim based on, for example, a business interruption.
6. Find out what kind of ransomware it is
Now you’re ready to move on to the recovery part of the process, and that begins by working out what strain of ransomware you’ve been hit with.
The ransom note might say what strain it is, but if it doesn’t, you can try uploading the encrypted file type and the URLs within the note to a website like ID Ransomware. This site contains a database of information related to more than 700 strains of ransomware, so you should be able to identify what you’ve been infected with.
ID Ransomware helps you identify the malware strain you’ve been infected with.
7. Remove the ransomware from your device
How you proceed from here depends on the type of ransomware you’ve been attacked with. If the strain has been cracked, you can simply use an online decryptor to remove the infection. Similarly, if you’ve been attacked with a fake, you can simply delete the malicious file.
But what if it’s the real thing?
There are tools that can remove some strains of ransomware, but in some cases the ransomware is designed to be persistent, and the recovery volumes on devices may not be clean. A lot of malware takes advantage of unpatched systems or out-of-date software. Rebuilding from secure, up-to-date, hardened images will help prevent reinfection.
Alternatively, restore your infected devices to factory settings. You can do this on Windows devices by going to the update and security menu within your settings, or by holding F8 as your computer turns on until the recovery screen appears.
If the ransomware stops you from reaching the recovery screens, you can use the installation disk or USB stick on which your operating system is stored.
Be warned that this process will remove all data stored on the device, which is why it’s important to have backups.
Once your computer has been restored, you can transfer the duplicate files back onto your device. Depending on how much data you have, this could take anywhere from a few hours to a few days – so you’re not completely out of the woods.
However, this process won’t take much longer than getting the decryptor from the fraudster and regaining access to your files.
Beware of paying ransomware demands
It is important to note that not all ransomware authors will supply decryption keys if the ransom is paid. In some cases it is impossible for the files to be decrypted, either because of a programming mistake on the part of the authors or by design. There are free decryptors supplied by AV companies, CERT bodies and organisations such as No More Ransom.
The key to preventing ransomware
No matter how efficiently you respond to a ransomware attack, you’ll still face lengthy delays and a loss of productivity. This is something all organisations must accept, because it’s practically impossible to remove the possibility of infections altogether.
There are steps you can take to mitigate the risk, though. For example, did you know that the majority of infections are caused by employees accidentally opening phishing emails that unleash the ransomware on their systems?
Teaching staff to spot scams and respond appropriately can go a long way to keeping your organisation secure – and it won’t take long. Our Phishing and Ransomware – Human patch e-learning course delivers consistent, comprehensive training to your staff in just ten minutes.