If your computing environment is subject to a large ransomware attack, you will most certainly be enacting your disaster recovery (DR) plan. But before you begin restoring systems, you must first ensure you have stopped the infection, identified it, and removed it. Jumping too quickly to the restore phase could actually make things worse. To understand why this is the case, it’s important to understand how ransomware works.
How ransomware spreads in your environment
There are many articles such as this one that describe what ransomware does, but it’s important to emphasize that the goal of ransomware is rarely to infect just one system. Modern ransomware variants will immediately attempt to identify and exploit various operating system vulnerabilities to gain administrative access and spread to the rest of your LAN. The attack will be coordinated via command-and-control (C&C) servers, and contacting these servers for instructions is the first thing that every ransomware variant does. The key to responding to an active ransomware attack is stopping further communications with C&C servers, as well as further communications between infected systems and the rest of your network.
If you are not currently infected, now is the time to develop a response plan tailored to your network and test it as often as you test your DR plan.
Line up help
A big ransomware attack is not the time to go it alone. There are resources available that will assist you in halting the attack and recovering when it feels like all hell is breaking loose, and there are steps to take that might help authorities catch the criminals. Part of your ransomware-response plan should include the contact information of these resources.
If you have a cyber-insurance policy, it can be very helpful. It can put you in touch with specialists to help guide you through your response. Contact them now, before you are attacked, to establish their response process and document it in your plan. If you don’t have such a policy, consider getting one.
You should also immediately contact the local field office of the FBI. Its level of involvement in a particular case will be driven by the extent and nature of the attack, but the FBI says that being notified of all attacks helps it respond better to ransomware in general. It also has access to tools and resources unavailable to many other organizations, which can help especially if another country is identified as the source of the attack.
When reaching out for help, beware companies that claim to decrypt the data for you. All they do is pay the ransom and pass on its price in their bill. Take the time now to vet companies you might want to use during the ransomware response.
Stop further infection
Learn all you can about how ransomware spreads and shut down the mechanisms it uses to do so. Some of the steps you might take may seem extreme, and you will have to decide which is worse: a little bit of unplanned downtime or the risk of a lot of unplanned downtime.
Immediately shut down communications among all computers in the environment. If you cannot do that, at least shut down communication between your LAN and the external world. This prevents your infected computers from getting any more instructions from their C&C servers.
Turn off the Remote Desktop Protocol (RDP), as it is the number-one way ransomware spreads itself inside your environment. The easiest way is by changing a registry key. Since it’s important to do this as quickly as possible, automate it via PowerShell.
Change administrator passwords and end all current administrative sessions. If any computers have been compromised, this will stop further damage to them. This is also best done via PowerShell.
All these tasks can take a long time if you haven’t automated them, so develop and test them before you actually need them.
Once the above actions have been completed, the safest thing is to shut down all computers until you have identified which are infected and which are clean. This is an extreme step, but it will absolutely stop the spread and further damage if you do it, and it will give you time to think straight while you figure out what to do next.
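The containment steps above (isolate the host, disable RDP via the registry, rotate administrator passwords, end sessions, optionally power off), pulled together into one script you can stage and rehearse before an incident. This is an added example, not code from the article; it assumes it runs as a local administrator on a Windows host, and the account list is a placeholder you replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Run locally on each host;
# if you run it over WinRM, step 1 will cut your own session, so order steps to suit.
param(
    [string[]]$AdminAccounts = @('Administrator'),  # placeholder: local admin accounts to rotate
    [switch]$ShutdownWhenDone                        # the "extreme step": power off after containment
)

function New-RandomPassword([int]$Length = 24) {
    # Cryptographically random password from an unambiguous character set.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    $rng   = [System.Security.Cryptography.RNGCryptoServiceProvider]::new()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# 1. Isolate the host: block all inbound and outbound traffic by default on every
#    profile. Existing "allow" rules still win, which is why step 2 disables RDP's rules.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Disable Remote Desktop. fDenyTSConnections=1 is the registry value behind the
#    "Allow remote connections to this computer" setting; also disable its firewall rules.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 1 -Type DWord
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# 3. Rotate local administrator passwords; record the new values in an offline vault.
foreach ($name in $AdminAccounts) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-LocalUser -Name $name -Password $secure
    Write-Host "Rotated $name; new password: $plain (store it out-of-band, then clear screen)"
}

# 4. Log off every interactive/RDP session except the one running this script.
#    quser columns: USERNAME SESSIONNAME ID STATE ...; SESSIONNAME is blank when
#    disconnected, so take the first purely numeric field as the session ID.
$mySession = (Get-Process -Id $PID).SessionId
quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
    $fields = ($_ -replace '^\s*>?', '') -split '\s+'
    $id = $fields | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1
    if ($id -and [int]$id -ne $mySession) { logoff $id }
}

# 5. Optionally power off so nothing further runs until the host has been triaged.
if ($ShutdownWhenDone) { Stop-Computer -Force }
```

Test it on a lab host first: step 1 also blocks your management tooling, so confirm you can still reach the machine the way your plan expects (console, out-of-band management) before relying on it.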
ID the ransomware
The best tool to find out which ransomware variant has hit you is the ID Ransomware project, which can identify the variant from a sample of the ransom message you have received along with some of the files that have been encrypted.
Install a malware scanning tool on a known infected computer and scan it. Assuming it identifies and quarantines the ransomware, do the same thing on every other computer in your environment. This manual process should be performed by as many people as possible, so training on how to do it should be included as part of your ransomware recovery plan.
Depending on the ransomware, infected computers might not be scannable, as the files necessary to log in or boot the system have been encrypted. These computers will have to be completely wiped and restored.
What about the restore itself, you ask? That also needs to be done in a particular way, and will be covered next time. For now, meet to talk about the things mentioned here. Plan now, so you’re ready if it happens.