Ransomware attacks have become increasingly common in recent years. These cyber attacks involve malware that encrypts an organization’s files and essentially holds the data hostage until a ransom is paid. Dealing with a ransomware attack can be a stressful and challenging situation. However, there are steps that can be taken to address the attack and recover from it.
Should you pay the ransom?
One of the first decisions that needs to be made is whether or not to pay the ransom. There are pros and cons to paying:
- Pros: Paying the ransom may be the quickest way to regain access to encrypted files. It incentivizes the attackers to follow through and provide the decryption key.
- Cons: Paying the ransom rewards the attackers and encourages more ransomware attacks in the future. There is no guarantee you will actually receive a working decryption key after payment.
In general, most experts advise against paying the ransom. The FBI recommends not paying as there is no assurance you will get the data back. Paying also perpetuates the problem. There may be other options available for file recovery.
Disconnect infected systems
Once a ransomware attack is detected, the first step is to immediately disconnect all infected computers from any network they are on. This helps isolate the infection and prevent it from spreading and infecting more devices on the network.
All Wi-Fi, ethernet cables, and other connections to infected systems should be removed. It is critical to stop the malware from propagating. Networking hardware may need to be shut down and restarted following disinfection.
Determine the strain of ransomware
There are many variants of ransomware in circulation. Determining which particular strain is responsible for the attack can help inform next steps.
Analyzing any ransom note that appears on screens can provide clues about the variant. Security firms may be able to use details about the specific ransomware behavior to pinpoint the type. For some strains, free decryption tools become available once weaknesses in the ransomware are discovered.
Stop the ransomware process
The ransomware process or executable file needs to be stopped and disabled. This can be done through the Windows Task Manager in some cases. Endpoint protection software may also be able to terminate malicious processes.
Be sure to disable any associated ransomware service that is running in the background. This may require rebooting the infected computer in safe mode.
Check for encrypted files
Following isolation and termination of the ransomware process, check for any encrypted files on the infected systems. This provides insight into the scope of the infection and damage done.
Typical file extensions appended to encrypted files include:
- .encrypted
- .locked
- .crypt
The ransom note may also specify the new file extension added during encryption.
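To scope an infection quickly, it helps to enumerate every file carrying an appended ransomware extension and to locate any dropped ransom notes. The following script is an added example, not code from the original article: it walks a directory tree, groups hits by folder so you can see where encryption started and how far it spread, and recovers the pre-encryption file names. The extension set is the one listed above, and the ransom-note name pattern is an assumption; extend both from the actual ransom note and vendor write-ups for the strain you identified.

```python
"""Scope a ransomware infection: find files with a known appended extension
and any ransom notes. Added example, not from the original article."""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article lists as typical; add the one named in your ransom note.
SUSPECT_EXTENSIONS = {".encrypted", ".locked", ".crypt"}

# Assumed ransom-note naming pattern (constructed for this example).
NOTE_PATTERN = re.compile(
    r"(readme|decrypt|restore|how_to|recover).*\.(txt|html|hta)$", re.IGNORECASE
)


def scan_tree(root):
    """Walk `root` and return (encrypted_files, ransom_notes, counts_by_dir).

    encrypted_files: Paths whose final suffix is a suspect extension
    ransom_notes:    Paths whose name matches NOTE_PATTERN
    counts_by_dir:   Counter of directory -> number of encrypted files
    """
    encrypted, notes, by_dir = [], [], Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() in SUSPECT_EXTENSIONS:
                encrypted.append(path)
                by_dir[dirpath] += 1
            elif NOTE_PATTERN.search(name):
                notes.append(path)
    return encrypted, notes, by_dir


def original_name(path):
    """Strip the appended extension to recover the pre-encryption file name."""
    return path.with_suffix("") if path.suffix.lower() in SUSPECT_EXTENSIONS else path


def build_sample_tree(base):
    """Create a constructed sample tree: encrypted files, one ransom note,
    and untouched files. Returns the root Path."""
    root = Path(base)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "hr").mkdir(exist_ok=True)
    files = {
        "finance/q3.xlsx.encrypted": b"\x00garbage",
        "finance/budget.docx.encrypted": b"\x00garbage",
        "finance/HOW_TO_RESTORE_FILES.txt": b"Your files are encrypted...",
        "hr/handbook.pdf.locked": b"\x00garbage",
        "hr/notes.txt": b"plain text, untouched",
        "README.md": b"# project (not a ransom note)",
    }
    for rel, data in files.items():
        (root / rel).write_bytes(data)
    return root


def demo():
    """Scan a constructed tree in a temporary directory and return a summary
    with paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        encrypted, notes, by_dir = scan_tree(root)
        return {
            "encrypted": sorted(p.relative_to(root).as_posix() for p in encrypted),
            "notes": sorted(p.relative_to(root).as_posix() for p in notes),
            "by_dir": {Path(d).relative_to(root).as_posix(): n for d, n in by_dir.items()},
            "originals": sorted(original_name(p).name for p in encrypted),
        }


if __name__ == "__main__":
    summary = demo()
    print(f"{len(summary['encrypted'])} encrypted files, {len(summary['notes'])} ransom note(s)")
    for folder, count in summary["by_dir"].items():
        print(f"  {folder}: {count}")
```

Run it against a mounted image of the affected volume rather than the live, still-connected host; the per-directory counts double as a quick map of which shares or users were hit first.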
Assess restoration options
With an understanding of which files have been encrypted, options for restoration can be explored:
- Backups – Leverage clean backups to recover encrypted files and return to a pre-incident state. Ensure backups are isolated from any network connection.
- Shadow copies – If System Restore was enabled, Windows may have shadow copies that can restore previous versions of files.
- Decryption tools – For some ransomware strains, decryption tools are available through security firms and researchers once flaws are found.
- Ransomware decryption services – Third party services claim the ability to decrypt some forms of ransomware through proprietary methods.
Wipe infected systems
If encrypted files cannot be recovered through other means, wiping and rebuilding infected systems may be required. This ensures any residual malware or vulnerabilities left by the attack are eliminated.
Before wiping devices, be sure to backup any unencrypted files you want to preserve. Then reset devices to factory settings or re-image them before restoring clean data.
Restore from clean backups
Once infected systems are reset, formatted, or re-imaged, files can be restored from clean backups in a phased approach. No infected systems should be connected to the network during this process.
Verify the integrity of backups before restoring data to avoid reinfecting systems. Backups should be disconnected from any network and scanned using updated antivirus software.
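Antivirus scanning catches known malware in a backup set, but it does not tell you whether the backup is still the one you took. A hash manifest does: record a SHA-256 per file when the backup is made, keep the manifest somewhere the backup job cannot overwrite, and compare before restoring. The script below is an added example, not code from the original article; the manifest format (one `hash  relative/path` line per file) and the constructed backup contents are assumptions. The demo shows what a verification run reports after a backup share has been reached by ransomware: one file overwritten and one renamed with an appended extension.

```python
"""Verify a backup set against a separately stored SHA-256 manifest before
restoring from it. Added example, not from the original article."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(backup_root, manifest_path):
    """Hash every file under backup_root and write `hash  relpath` lines.
    Returns the number of files recorded."""
    root = Path(backup_root)
    lines = [
        f"{sha256_file(p)}  {p.relative_to(root).as_posix()}"
        for p in sorted(root.rglob("*")) if p.is_file()
    ]
    Path(manifest_path).write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_backup(backup_root, manifest_path):
    """Compare the backup tree with the manifest.

    Returns {'ok', 'modified', 'missing', 'unexpected'}. Any unexpected file
    is a red flag on its own: a clean set contains exactly what was recorded.
    """
    root = Path(backup_root)
    expected = {}
    for line in Path(manifest_path).read_text().splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            expected[rel] = digest
    on_disk = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    modified = sorted(r for r, d in expected.items() if r in on_disk and sha256_file(on_disk[r]) != d)
    missing = sorted(r for r in expected if r not in on_disk)
    unexpected = sorted(r for r in on_disk if r not in expected)
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: manifest a clean backup, verify it, then simulate
    a backup share that ransomware reached and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);")
        (backup / "config.yaml").write_bytes(b"retention: 30d\n")
        manifest = Path(tmp) / "manifest.sha256"   # stored outside the backup tree
        write_manifest(backup, manifest)
        clean = verify_backup(backup, manifest)
        # Simulated damage: one file overwritten, one renamed with an appended extension.
        (backup / "config.yaml").write_bytes(b"\x00\x01garbage")
        (backup / "db" / "customers.sql").rename(backup / "db" / "customers.sql.encrypted")
        tampered = verify_backup(backup, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup ok:", clean["ok"])
    print("after tampering:", tampered)
```

Treat a non-empty `unexpected` list as seriously as a hash mismatch: a backup that contains files with a ransomware extension was written to after the incident began and must not be restored from as-is.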
Change all passwords
After recovery from the ransomware incident, all passwords should be changed enterprise-wide. This includes:
- User login credentials
- Application passwords
- System passwords
- Service accounts
- Privileged admin accounts
Assume all passwords have been potentially compromised. Require new, strong passwords that follow best practices for password complexity and length.
Reconnect restored systems incrementally
Only after backups are verified clean and passwords reset should restored systems be reconnected to the network. Reconnect systems incrementally and monitor each one before bringing the next online.
If any suspicious activity is detected post-restoration, immediately isolate the system to prevent any potential reinfection.
Run system scans
With systems restored and reconnected, comprehensive scans should be run to check for any lingering vulnerabilities or malware. Next-gen antivirus, anti-malware, and anti-ransomware tools should be utilized for this.
Isolate and re-image any endpoints still deemed infected based on scan results.
Report the attack
Ransomware attacks should be reported to appropriate parties such as:
- Managed service providers
- Local authorities
- FBI Internet Crime Complaint Center
- United States Computer Emergency Readiness Team (US-CERT)
Reporting assists with tracking ransomware threat actors and campaigns.
Implement prevention measures
With recovery from the ransomware attack complete, focus needs to shift to preventing future incidents. Some prevention measures include:
- Security awareness training – Educate users about ransomware risks and phishing attacks.
- Network segmentation – Isolate and segment systems to limit spread of malware.
- Strong firewalls – Use next-generation firewall technology.
- Updated antivirus/anti-malware – Maintain real-time scanning capabilities.
- Email filtering – Block dangerous file types and scan attachments.
- Backups – Maintain regular offline and immutable backups.
- Patch management – Immediately patch known software vulnerabilities.
- Privileged access controls – Limit admin and system access.
- Log analysis – Audit logs to identify threats.
Dedicated cybersecurity personnel or managed service providers can assist with evaluating prevention and response plans.
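The "Log analysis" item above is where ransomware is most often caught while it is still running: an encryption run shows up in file-server audit logs as one account renaming many files to the same new extension within seconds. The detector below is an added example, not code from the original article. It assumes a simplified `timestamp user action path[ -> newpath]` audit line (real servers log in their own formats, so swap out `parse_line`), and the threshold and window values are assumptions to tune against your own baseline.

```python
"""Flag mass-encryption behaviour in file-server audit logs.
Added example, not from the original article."""
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_EXTENSIONS = (".encrypted", ".locked", ".crypt")

# Constructed sample log (paths contain no spaces). alice is normal activity,
# bob's session renames six files to .encrypted in three seconds and then
# drops a note, carol renames one file and should not trigger an alert.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z alice WRITE /shares/finance/q3.xlsx
2024-03-04T09:00:15Z alice RENAME /shares/finance/draft.docx -> /shares/finance/final.docx
2024-03-04T09:12:01Z bob RENAME /shares/hr/handbook.pdf -> /shares/hr/handbook.pdf.encrypted
2024-03-04T09:12:01Z bob RENAME /shares/hr/policy.docx -> /shares/hr/policy.docx.encrypted
2024-03-04T09:12:02Z bob RENAME /shares/hr/payroll.xlsx -> /shares/hr/payroll.xlsx.encrypted
2024-03-04T09:12:02Z bob RENAME /shares/hr/org.pptx -> /shares/hr/org.pptx.encrypted
2024-03-04T09:12:03Z bob RENAME /shares/hr/offer.docx -> /shares/hr/offer.docx.encrypted
2024-03-04T09:12:03Z bob RENAME /shares/hr/README.txt -> /shares/hr/README.txt.encrypted
2024-03-04T09:12:04Z bob WRITE /shares/hr/HOW_TO_RESTORE_FILES.txt
2024-03-04T09:30:00Z carol RENAME /shares/it/old.log -> /shares/it/old.log.locked
"""


def parse_line(line):
    """Parse one audit line into a dict; dst is None for non-rename actions."""
    ts, user, action, rest = line.split(" ", 3)
    src, _, dst = rest.partition(" -> ")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "action": action, "src": src, "dst": dst or None}


def suspect_renames(events):
    """Yield rename events whose destination carries a known ransomware extension."""
    for e in events:
        if e["action"] == "RENAME" and e["dst"] and e["dst"].lower().endswith(SUSPECT_EXTENSIONS):
            yield e


def detect_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {user: total_suspect_renames} for every user whose suspect
    renames reach `threshold` inside any sliding interval of length `window`."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    per_user = defaultdict(list)
    for e in suspect_renames(events):
        per_user[e["user"]].append(e["ts"])
    alerts = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[user] = len(stamps)
                break
    return alerts


if __name__ == "__main__":
    for user, count in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {user} renamed {count} files to a ransomware extension within the window")
```

The per-user sliding window is what keeps the rule useful: a single rename to an odd extension is noise, while dozens in a few seconds from one account is the signal that should trigger isolation of that host and account, which is the point where the steps earlier in this article begin.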
Test incident response
Any incident response plan should be tested with mock ransomware scenarios to identify gaps and areas for improvement. This helps strengthen reaction and remediation if faced with another real-world ransomware event.
Testing validates steps like system isolation, backup restoration, and malware scanning/removal. Response processes can be refined based on lessons learned.
Consider cyber insurance
Cyber insurance is an option that can help provide coverage for costs associated with ransomware attacks including:
- Incident response fees
- Business interruption
- Data restoration
- Crisis management services
- PR and legal costs
Policies vary, so ensure adequate ransomware coverage is included. Insurance can offset some financial impact.
Implement cybersecurity framework
Adopting a cybersecurity framework can help strengthen defenses against ransomware. The NIST Cybersecurity Framework provides risk-based guidelines for the following areas:
- Identify – Develop organizational understanding to manage cybersecurity risk.
- Protect – Implement safeguards to ensure delivery of critical services.
- Detect – Develop capabilities for timely discovery of cybersecurity events.
- Respond – Take action to contain the impact of potential cybersecurity incidents.
- Recover – Restore capabilities and services impaired by an incident.
This framework provides a strategic approach to improving cyber resilience.
Review third party security
Review security measures for third party vendors, managed service providers, and partners. Ransomware incidents can originate from security gaps within third parties and spread to every organization they connect to.
Mandate they maintain adequate controls and credential protection. Limit third party access to only essential systems through network segmentation.
Increase threat monitoring
Expand threat monitoring capabilities and active defense measures to identify ransomware campaigns targeting the organization or industry. This allows greater visibility into the threat landscape to prevent and respond to attacks.
Techniques like threat hunting, dark web monitoring, honeypots, and sinkholes can help proactively detect ransomware operators.
Design resilient IT architecture
When designing new infrastructure and systems, ransomware prevention should be a key consideration. IT architecture should be resilient by default to limit potential ransomware impact.
Tactics include keeping critical data segmented, increasing use of cloud infrastructure, maintaining redundant systems and data stores, and facilitating recovery automation.
Consider paying ransom as last resort
After exhausting all other options, payment of ransom demands could be considered as a final recourse. This difficult decision should involve board members, legal counsel, insurers, and law enforcement.
Only transact and communicate with attackers using trusted cybersecurity partners to negotiate and facilitate payment. Understand that paying still provides no definite guarantee of receiving decryption keys or restored data.
Conclusion
Recovering from a ransomware incident requires comprehensive assessment, remediation, restoration, and prevention planning. While resource-intensive, these best practices help securely restore business operations and prevent follow-on attacks.
Leveraging guidance from cybersecurity experts, law enforcement, regulators, and IT solution providers ensures the best possible outcome when dealing with a ransomware event. Attackers rely on organizations being unprepared – by implementing resilience capabilities in advance, the impact of ransomware can be reduced.