
8 critical steps to fight off a ransomware attack

Reacting as quickly as possible and restoring data from backups are key ingredients for recovery.

What to do if systems are encrypted by ransomware

As with any security incident, it is important to keep cool and approach the problem systematically. Of course, that is easier said than done, acknowledges data security vendor Barkly, but having a basic frame for a response plan and practicing it ahead of time can help. The company offers eight steps to take.

1. Disconnect infected machines from the network; lock down shared drives

With ransomware, the primary problem is its speed. Unlike other cyberattacks that prioritize stealth to maintain system access and control for long periods, ransomware simply prioritizes encrypting as much as possible as fast as it can. The first step is to immediately isolate any infected machines you are aware of by taking them off the wired network and Wi-Fi. It may also be necessary to temporarily lock down shared network drives and check file servers, since a single infected workstation can encrypt everything it has write access to on a share.

2. Determine the full extent of the infection

Most ransomware renames the files it encrypts, often changing every extension to one that corresponds to the ransomware family (e.g., .zepto or .locky), and drops ransom notes such as README.txt and README.html into affected folders. These markers give an idea of the extent of the infection and how far it has spread. Track down any devices with these signs of infection and take them offline.

3. Determine the type of ransomware causing the infection

Some variants have turned out to be fakes that don't actually encrypt data effectively. Others have been cracked, and free decryption tools are available. Still others have no track record of delivering a working decryption key even when the victim pays, which matters if paying is being considered. The file extension and the wording of the ransom note found in step 2 are usually enough to identify the family.

4. Determine the source and cause of the infection

To understand how the attack started, identify "patient zero": the first machine or user in the organization to be infected. This may not be the user who reported the incident. One way to find patient zero is to look at the properties of an encrypted file and see who is listed as its owner; the earliest-modified encrypted files point to the account that did the encrypting. Because most ransomware doesn't take long to proliferate, it may be possible to find out what triggered the attack by looking at what that user was doing shortly before the ransom screen appeared (an opened attachment, a visited site).
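Steps 2 and 4 can be partly scripted. The following is an added example, not code from the original article or from Barkly: it walks a file share looking for the two kinds of marker the article describes (renamed files carrying the .locky or .zepto extension, and README.txt / README.html ransom notes), counts hits per folder to show the extent of the damage, and picks the earliest-modified encrypted file and its owner as the first candidate for patient zero. The extension and note-name lists, the sample share it builds, and the use of the POSIX pwd module for owner lookup are all assumptions of the example; on a Windows share the owner lookup would use win32security instead.

```python
"""Triage a file share for ransomware markers (added example; not the
article's or Barkly's code).  Scans for renamed files with a known ransomware
extension and for ransom notes, summarises which folders were touched, and
reports the owner of the earliest-modified encrypted file as the patient-zero
candidate.  Owner lookup is POSIX-only (pwd); on Windows swap in win32security."""

import os
import tempfile
import time
from collections import Counter
from pathlib import Path

try:
    import pwd  # POSIX only; absent on Windows
except ImportError:  # pragma: no cover
    pwd = None

# Markers taken from the article's examples; extend once the family is known.
RANSOM_EXTENSIONS = {".locky", ".zepto"}
RANSOM_NOTE_NAMES = {"readme.txt", "readme.html"}


def owner_of(path):
    """Return the owning user name of a file, falling back to the numeric uid."""
    uid = path.stat().st_uid
    if pwd is None:
        return str(uid)
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def scan_share(root):
    """Walk `root` and return (encrypted_files, ransom_notes) as lists of Paths."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in RANSOM_EXTENSIONS:
                encrypted.append(p)
            elif name.lower() in RANSOM_NOTE_NAMES:
                notes.append(p)
    return encrypted, notes


def triage(root):
    """Summarise extent (step 2) and earliest hit plus its owner (step 4)."""
    root = Path(root)
    encrypted, notes = scan_share(root)
    by_dir = Counter(str(p.parent.relative_to(root)) for p in encrypted + notes)
    report = {"encrypted": len(encrypted), "notes": len(notes),
              "dirs": dict(by_dir), "first_file": None, "patient_zero": None}
    if encrypted:
        # The earliest-modified encrypted file was touched first; its owner
        # is the account that did the encrypting, i.e. the patient-zero lead.
        first = min(encrypted, key=lambda p: p.stat().st_mtime)
        report["first_file"] = str(first.relative_to(root))
        report["first_mtime"] = first.stat().st_mtime
        report["patient_zero"] = owner_of(first)
    return report


def build_sample_share():
    """Construct a throwaway share with a fake infection.  The layout and
    timestamps are invented for this example; they are not real samples."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    layout = {                               # relative path: seconds offset
        "finance/budget.xlsx.locky": 100,    # earliest touched -> patient zero
        "finance/README.txt": 101,
        "hr/contract.docx.zepto": 140,
        "hr/README.html": 141,
        "it/notes.txt": 50,                  # untouched file, must not match
    }
    base = time.time() - 3600
    for rel, offset in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("x")
        os.utime(p, (base + offset, base + offset))
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for key, value in triage(share).items():
        print(f"{key}: {value}")
```

Run it against a mounted share instead of the sample tree by calling `triage("/mnt/share")`; the `dirs` map tells you which folders (and therefore which departments or hosts) to pull offline first, and `first_file` plus `patient_zero` give the starting point for the step 4 timeline.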

5. Try to restore encrypted data

Malware researchers are sometimes able to exploit flaws in a ransomware family's encryption implementation and publish decryption tools. If no such tool is available, the only option is to restore files from backups, and only if a viable backup exists: a recent poll found that only 42 percent of respondents were able to fully recover their data, even with backups in place. Before restoring, confirm that the backup itself was not reachable by the infected account and has not been encrypted, and restore onto a machine that has already been cleaned (step 7), or the restored data will be encrypted again.

6. Decide if ransom must be paid

If locked files can't be decrypted and can't be recovered from backups, a difficult decision must be made. Authorities recommend not paying, and statistics indicate few organizations do, but the decision has to be based on the organization's own situation rather than someone else's. Decide how important each type of data is before an attack happens, so the call is not made uninformed in the heat of the moment.

7. Wipe infected machines to avoid re-infection

The safest way to deal with an infected machine is to wipe it and rebuild it from a known-good image, then restore its data from backup. Absent a backup, the situation becomes trickier. Malware removal tools (Microsoft offers a free one) can clean the infection from a machine that can't be rebuilt, but they do not recover encrypted files; any salvage of data still depends on a decryption tool or a backup.

8. Conduct a post-attack retrospective

With the immediate crisis over, take time to do a full assessment of what happened, how the organization responded and any surprises or gaps along the way. Starting with how the ransomware was successfully delivered, retrace the trajectory of the attack. Try to identify vulnerabilities that were exploited and specific controls that could have been in place to eliminate or mitigate them. And remember that the organization is now a future target, because half of ransomware victims experience repeat attacks.
This article originally appeared in Health Data Management.