8 critical steps to fight off a ransomware attack
Reacting as quickly as possible and restoring data from backups are key ingredients for recovery.
What to do if systems are encrypted by ransomware
As with any security incident, it is important to keep cool and approach the problem systematically. Of course, that is easier said than done, acknowledges data security vendor Barkly, but having a basic frame for a response plan and practicing it ahead of time can help. The company offers eight steps to take.
1. Disconnect infected machines from the network; lock down shared drives
With ransomware, the primary problem is its speed. Unlike other cyberattacks that prioritize stealth to maintain system access and control for long periods, ransomware simply prioritizes encrypting as much as possible as fast as it can. The first step is to immediately isolate any infected machines you are aware of by taking them off the network and Wi-Fi. It may be necessary to temporarily lock down shared network drives and also check file servers.
2. Determine the full extent of the infection
Most ransomware makes changes to encrypted file names, often changing all the extensions to something that corresponds with the ransomware name (ex: .Zepto or .locky). Ransomware also often creates README.txt and README.html files with ransom instructions. These markers can give an idea of the extent of the infection and how far it has spread. Track down any devices with these signs of infection and take them offline.
3. Determine the type of ransomware causing the infection
Some variants have been identified as being fake, meaning they don’t actually encrypt data effectively. Other variants have been cracked, and decryption tools are available. Still other variants may not have a track record of actually delivering a working decryption key even if it is decided to try paying the ransom.
4. Determine the source and cause of the infection
To understand how the attack started, identify “patient zero”—the first person in the organization who got infected. This may not be the user who reported the incident. It may be possible to determine patient zero by looking at the properties of one of the infected files and seeing who the owner is listed as. Because most ransomware doesn’t take long to proliferate, it may be possible to find out what triggered the attack by finding what the user was doing shortly before the ransom screen appeared.
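Steps 2 and 4 both come down to the same triage pass over a file share: find the files carrying a ransomware extension or a ransom note, count how far they spread, and then look at the earliest encrypted file and its owner to narrow down patient zero. The script below is an added example, not Barkly's tooling or anything from the original article; the extension and note-name lists are constructed placeholders to be replaced with indicators from the actual incident, and the sample share it scans is built in a temporary directory so it runs offline.

```python
"""
Triage helper for steps 2 and 4: walk a file tree, flag files whose names
carry a known ransomware extension or ransom-note name, and report the
earliest-modified encrypted file with its owner so responders can work
back toward the first affected user. Indicator lists are illustrative.
"""
import os
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

try:
    import pwd  # POSIX owner lookup; not available on Windows
except ImportError:  # pragma: no cover
    pwd = None

# Constructed indicator lists (assumption for this example; replace with the
# extensions and note names observed in the actual incident).
RANSOM_EXTENSIONS = {".zepto", ".locky"}
RANSOM_NOTE_NAMES = {"readme.txt", "readme.html"}


def classify(path: Path):
    """Return 'encrypted', 'note', or None for a single file name."""
    name = path.name.lower()
    if name in RANSOM_NOTE_NAMES:
        return "note"
    if path.suffix.lower() in RANSOM_EXTENSIONS:
        return "encrypted"
    return None


def owner_of(path: Path) -> str:
    """Best-effort owner lookup; falls back to the numeric uid."""
    uid = path.stat().st_uid
    if pwd is not None:
        try:
            return pwd.getpwuid(uid).pw_name
        except KeyError:
            pass
    return str(uid)


def scan_tree(root) -> dict:
    """Walk root and summarise the spread plus the earliest encrypted file."""
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            kind = classify(p)
            if kind == "encrypted":
                encrypted.append(p)
            elif kind == "note":
                notes.append(p)
    summary = {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        # Directories touched by either indicator, as a spread estimate
        "affected_dirs": sorted({str(p.parent.relative_to(root)) for p in encrypted + notes}),
        "earliest": None,
    }
    if encrypted:
        # The earliest-modified encrypted file is the best lead for patient zero
        first = min(encrypted, key=lambda p: p.stat().st_mtime)
        summary["earliest"] = {
            "path": str(first.relative_to(root)),
            "mtime": datetime.fromtimestamp(first.stat().st_mtime, timezone.utc).isoformat(),
            "owner": owner_of(first),
        }
    return summary


def build_sample_tree() -> Path:
    """Create a constructed sample share: two encrypted files, one note, one clean file."""
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    now = time.time()
    samples = [
        ("finance/budget.xlsx.locky", now - 600),  # oldest: closest to patient zero
        ("finance/README.txt", now - 590),
        ("hr/payroll.docx.locky", now - 300),
        ("hr/clean.docx", now - 100),
    ]
    for rel, mtime in samples:
        p = root / rel
        p.write_text("sample content")
        os.utime(p, (mtime, mtime))
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(scan_tree(build_sample_tree()), indent=2))
```

Run against a real share, `affected_dirs` gives the spread for step 2 and `earliest` gives the file, timestamp and owner to start the patient-zero interview for step 4; timestamps are only a lead, since the ransomware itself sets them and the first-infected host may not be the one that first wrote to the share.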
5. Try to restore encrypted data
Malware researchers are sometimes able to exploit flaws in ransomware encryption methods and develop decryption tools. If no such tools are available, the only option is to restore files from backups—if a viable backup is available. A recent poll found that only 42 percent of respondents were able to fully recover data, even with backups in place.
6. Decide if ransom must be paid
If locked files can’t be decrypted or files can’t be recovered from backups, a difficult decision must be made. While authorities recommend not paying ransom, and statistics indicate few organizations do pay, the decision will be based on the organization’s own situation, not on another organization’s. Make decisions on the importance of various types of data before a ransom attack happens, thus avoiding uninformed decisions in the heat of the moment.
7. Wipe infected machines to avoid re-infection
The safest way to deal with the problem is to restore the computer back to factory standards, then restore the data that was on it from backup. Absent backup, the situation becomes trickier. There are tools to try to salvage some files, such as malware removal tools—Microsoft offers a free one.
8. Conduct a post-attack retrospective
With the immediate crisis over, take time to do a full assessment of what happened, how the organization responded and any surprises or gaps along the way. Starting with how the ransomware was successfully delivered, retrace the trajectory of the attack. Try to identify vulnerabilities that were exploited and specific controls that could have been in place to eliminate or mitigate them. And remember that the organization is now a future target, because half of ransomware victims experience repeat attacks.