You’ve read our thousand and one articles on guarding your network from every threat under the sun. But sometimes, despite all precautions, an infection gets in. Now is the time for cool heads and quick, decisive actions. Your response will help determine whether the incident becomes a deadly headache for the company or a feather in your cap.
As you step through the recovery process, don’t forget to document all of your actions for transparency in the eyes of both employees and the wider world. And try to preserve any evidence you can of the ransomware for later efforts to locate any other malicious tools targeting your system. That means saving logs and other traces of malware that may come in handy during later investigation.
Part one: Locate and isolate
Your first step is to determine the extent of the intrusion. Has the malware spread through the entire network? To more than one office?
Start by looking for infected computers and network segments in the corporate infrastructure, and immediately isolate them from the rest of the network to limit contamination.
If the company doesn’t have many computers, start with antivirus, EDR, and firewall logs. Alternatively, for very limited implementations, physically walk from machine to machine and check them.
If we’re talking about lots of computers, you’ll want to analyze the events and logs in the SIEM system. That won’t eliminate all later legwork, but it’s a good start at sketching your big picture.
After isolating infected machines from the network, create disk images of them, and if possible leave these machines alone until the investigation is over. (If the company cannot afford the computer downtime, make images anyway — and save the memory dump for the investigation.)
Part two: Analyze and act
Having checked the perimeter, you now have a list of machines with disks full of encrypted files, plus images of those disks. They are all disconnected from the network and no longer pose a threat. You could start the recovery process right away, but first, see to the security of the rest of the network.
Now is the time to analyze the ransomware, figure out how it got in and what groups usually use it — that is, start the threat-hunting process. Ransomware doesn’t simply appear; a dropper, RAT, Trojan loader, or something of that ilk installed it. You need to root out that something.
To do so, conduct an internal investigation. Dig around in the logs to determine which computer was hit first and why that computer failed to halt the onslaught.
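As an added illustration of the log work in parts one and two (not from the original article), this Python script runs over constructed EDR-style log lines, flags hosts to isolate on either an antivirus detection or a burst of renames to an encrypted-looking extension, and picks the earliest flagged host as the place to start the timeline. The log field names, extensions, and threshold are assumptions for the sample, not any product's real format.

```python
import json
from datetime import datetime

# Constructed sample in a hypothetical EDR JSON-lines export (not a real product format).
# ws-17 is hit first, srv-files later; ws-03 only renames a normal file; ws-22 has an AV hit.
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:02:40Z","host":"ws-17","event":"file_rename","path":"/home/a/q1.xlsx.locked"}
{"ts":"2024-03-01T08:02:41Z","host":"ws-17","event":"file_rename","path":"/home/a/q2.xlsx.locked"}
{"ts":"2024-03-01T08:02:42Z","host":"ws-17","event":"file_rename","path":"/home/a/notes.docx.locked"}
{"ts":"2024-03-01T08:03:05Z","host":"ws-03","event":"file_rename","path":"/home/b/report-v2.docx"}
{"ts":"2024-03-01T08:09:30Z","host":"srv-files","event":"file_rename","path":"/srv/share/hr/a.pdf.locked"}
{"ts":"2024-03-01T08:09:30Z","host":"srv-files","event":"file_rename","path":"/srv/share/hr/b.pdf.locked"}
{"ts":"2024-03-01T08:09:31Z","host":"srv-files","event":"file_rename","path":"/srv/share/hr/c.pdf.locked"}
{"ts":"2024-03-01T08:15:00Z","host":"ws-22","event":"av_detect","path":"/home/c/Downloads/setup.exe"}
"""

# Assumed indicators for this sample; real families use their own extensions and notes.
ENCRYPTED_EXTENSIONS = (".locked", ".crypt", ".enc")
RENAME_THRESHOLD = 3   # renames to such an extension before a host is flagged

def parse_log(text):
    """JSON lines -> event dicts with 'ts' as a datetime, oldest first."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def triage(events, threshold=RENAME_THRESHOLD):
    """Map each host to isolate to its first suspicious timestamp (AV hit or mass rename)."""
    renames, flagged = {}, {}
    for ev in events:
        host = ev["host"]
        if ev["event"] == "av_detect":
            flagged.setdefault(host, ev["ts"])
        elif ev["event"] == "file_rename" and ev["path"].endswith(ENCRYPTED_EXTENSIONS):
            renames.setdefault(host, []).append(ev["ts"])
            if len(renames[host]) >= threshold:
                flagged.setdefault(host, renames[host][0])
    return flagged

def patient_zero(flagged):
    """Earliest flagged host: where the log timeline and dropper hunt should begin."""
    return min(flagged, key=flagged.get) if flagged else None

if __name__ == "__main__":
    hosts = triage(parse_log(SAMPLE_LOG))
    for host, ts in sorted(hosts.items(), key=lambda kv: kv[1]):
        print(f"isolate {host:10} first suspicious activity at {ts:%H:%M:%S}")
    print("first hit, start the investigation here:", patient_zero(hosts))
```

The isolation list is the output of part one; the earliest host is the starting point for the "which computer was hit first" question in part two.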
Based on the investigation results, rid the network of advanced stealthy malware and, if possible, restart business operations. Then, figure out what would have stopped it: What was missing in terms of security software? Plug those gaps.
Next, alert employees about what happened, brief them on spotting and avoiding such traps, and let them know training will follow.
Finally, from here on out, install updates and patches in good time. Updates and patch management are a critical priority for IT administrators; malware often creeps in through vulnerabilities for which patches are already available.
Part three: Clean up and restore
By this point, you’ve managed the threat to the network, as well as the hole it came through. Now, turn your attention to the computers that are out of commission. If they are no longer needed for the investigation, format the drives and then restore data from the most recent clean backup.
If, however, you have no backup copy, then you will have to try to decrypt whatever’s on the drives. Start at Kaspersky’s No Ransom website, where a decryptor may already exist for the ransomware you encountered — and if it doesn’t, contact your cybersecurity provider in case help is available. In any event, don’t delete the encrypted files. New decryptors appear from time to time, and there might be one tomorrow; it wouldn’t be the first time.
Regardless of the particulars, don’t pay up. You’d be sponsoring criminal activity, and anyway, the chances of getting your data decrypted are not great. In addition to blocking your data, ransomware attackers may have stolen it for blackmail purposes. Finally, paying greedy cybercriminals encourages them to ask for more. In some cases, just a few months after being paid, the intruders came back to demand more money, and they threatened to publish everything unless they got it.
In general, consider any stolen data public knowledge, and be prepared to deal with the leak. Sooner or later, you will have to talk about the incident: with employees, shareholders, government agencies and, quite possibly, journalists. Openness and honesty are important and will be appreciated.
Part four: Take preventive measures
A major cyberincident always equals big trouble, and prevention is the best cure. Prepare in advance for what could go wrong:
- Install reliable protection on all network endpoints (including smartphones);
- Segment the network and furnish it with well-configured firewalls; better still, use a next-generation firewall (NGFW) or a similar product that automatically receives data about new threats;
- Look beyond antivirus to powerful threat-hunting tools;
- Deploy a SIEM system (for large companies) for immediate alerts;
- Train employees in cybersecurity awareness with regular interactive sessions.