Getting infected with ransomware is the last thing any business would want. Even worse would be not having a concrete response plan. If there is no immediate response, the malware could go on to infect the whole network.
In the event of an attack, the critical first steps a business takes can limit further spread of the malware, and also help with a swift restoration of business activities.
In this post, we will go over the first steps a business should take in response to ransomware. In addition, we’ll suggest what not to do and why those actions may worsen the infection.
First Steps to Take When Attacked
The initial steps taken after a ransomware attack are crucial and determine if/how the infection spreads. Once all infected systems are isolated and recovery devices are prioritized, a managed service provider, or internal IT lead, can move on to restoring devices to the pre-infection stage.
Resist the Urge to Shut Down Your PC
According to Emsisoft, many ransomware strains can detect shutdown and reboot attempts. If you try either, there is a high chance the ransomware will corrupt the Windows installation files or permanently delete the encrypted files.
Instead, identify impacted computers and disconnect them from the network. If there are portable devices like laptops or tablets connected to a wireless network, turn on Airplane mode to disconnect the devices from the network.
While not all ransomware strains can move between computers, some can. Disconnecting the impacted devices stops the ransomware from communicating with its authors and thwarts any attempt to spread laterally across the network.
Unplug Locally Attached Storage Devices
If there are external storage devices such as USB pen drives, hard drives, flash drives or similar devices attached to the infected computers, unplug them immediately. These are easy to remove and are generally not the immediate target of the ransomware. Disconnecting them can prevent the files stored on them from getting infected.
Some organizations also use external devices to store backups. To thwart recovery efforts and strengthen the ransom demand, many modern ransomware strains specifically target the company’s backup files and try to encrypt, overwrite or delete them. Unplugging the storage device ensures the backups are not affected and that restoration can be done from them.
Let The Right People Know
Assign someone to call the appropriate authority who can help counter the attack. Depending on the business’s policy, this could be the local law enforcement agency, the managed service provider or the local system administrator. We recommend informing the managed service provider first: since they are in charge of your IT network and know where the critical files and backups are stored, they can respond to the attack more effectively. For our clients, there is an established process for reporting an attack to the CoreTech team.
Next, inform all coworkers about the attack. Ask whether they received a suspicious call or email, and whether they opened files, clicked links or downloaded attachments. If someone has found suspicious files, ask them not to open them, as doing so could infect other devices on the network.
Document Every Step and Related Events
Write down everything that could possibly have led to the breach. Was it opening an email that triggered the ransomware? A flash drive someone found in the parking lot and wanted to look at? Did plugging in an external device cause the infection? At what time did someone first notice the malware?
While the attack is still in its early stages, noting these events can help cybersecurity experts narrow down the cause of the ransomware infection.
Make a List of Infected Devices
The next step is to distinguish between devices that are infected and those that are less likely to be infected. Then prioritize restoring and recovering critical computers; computers that are not infected, or are not critical to business operations, can be deprioritized in order to speed up recovery.
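The isolation and documentation steps above can be scripted so that a responder does them in the right order under pressure. The following PowerShell script is an added example and is not CoreTech's own tooling. It assumes an elevated PowerShell session run at the console of the impacted Windows machine (Windows 8 / Server 2012 or later, which ship the NetAdapter and NetTCPIP modules); the evidence folder `C:\ir-evidence` and the file naming are assumptions you can change. It first records a timestamp, the machine's current network connections and its running processes (the raw material for the timeline the post asks you to document), then disables every active network adapter, which is the scriptable equivalent of airplane mode, and deliberately never shuts the machine down.

```powershell
<#
  Added example (not CoreTech's script): first-response isolation of a Windows host.
  Assumptions: elevated PowerShell at the local console; NetAdapter/NetTCPIP modules
  present (Windows 8 / Server 2012 and later). Run with -WhatIf first to preview
  which adapters would be disabled without changing anything.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical destination for the triage notes; adjust for your environment.
    [string]$EvidencePath = "$env:SystemDrive\ir-evidence"
)

$stamp = Get-Date -Format 'yyyy-MM-dd_HHmmss'
New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null
$notes = Join-Path $EvidencePath "$env:COMPUTERNAME-$stamp.txt"

# 1. Record what the machine was doing *before* isolation. The timestamp, the
#    established network sessions and the process list all feed the incident
#    timeline and are lost once the adapters go down or the box is rebooted.
"Isolation started: $(Get-Date -Format o) on $env:COMPUTERNAME by $env:USERNAME" | Out-File -FilePath $notes
"`n== Established TCP connections ==" | Out-File -FilePath $notes -Append
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize | Out-String | Out-File -FilePath $notes -Append
"`n== Running processes ==" | Out-File -FilePath $notes -Append
Get-Process | Sort-Object Id |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize | Out-String | Out-File -FilePath $notes -Append

# 2. Disconnect from the network instead of shutting down. Disabling every
#    adapter that is currently 'Up' covers wired and Wi-Fi alike, so the host
#    can no longer reach its operators or other machines on the LAN.
$adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
foreach ($nic in $adapters) {
    if ($PSCmdlet.ShouldProcess($nic.Name, 'Disable network adapter')) {
        Disable-NetAdapter -Name $nic.Name -Confirm:$false
        "Disabled adapter '$($nic.Name)' ($($nic.InterfaceDescription)) at $(Get-Date -Format o)" |
            Out-File -FilePath $notes -Append
    }
}

# 3. Leave the machine powered on and hand the notes file to the responders.
Write-Host "Isolation notes written to $notes"
```

Run it from the physical console or a KVM, not over RDP or WinRM: the moment the adapters are disabled any remote session is cut off, and an interrupted script may leave the documentation half-written. The notes file lives on the local disk because the post advises unplugging external storage first; copy it off once the responders decide the disk is safe to read. Adapters are re-enabled later with `Enable-NetAdapter` only after the machine has been cleaned or imaged.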
Mistakes to Avoid
Mishandling an attack can lead to further damage such as permanent data loss, inoperative devices or unnecessarily paying the ransom. To avoid these outcomes, steer clear of the following mistakes.
Do Not Restart Impacted Devices
Many modern ransomware variants can detect restart attempts and can trigger the deletion of encrypted files. While restarting may seem like an easy fix, it could render the system completely unusable.
However, the Hibernate feature can be used to save the system state to disk and minimize risk. Hibernating does not cause the ransomware to take drastic actions or spread to other devices; it only puts the device to rest.
Do Not Trust Ransomware Authors
Trusting ransomware authors and paying the ransom in no way guarantees that all data will be recovered. In many cases, organizations have been unable to recover their data even after paying the full ransom amount. On average, around 65% of data was recovered in 2021 after paying the ransom.
Before deciding to pay a ransom demand, remember that you are dealing with criminals. CISA, MS-ISAC, and other federal and local law enforcement agencies strictly advise against paying the ransom. Paying also makes the criminals stronger and increases their credibility in the malware “community.”
Do Not Delete Files
If automatic maintenance tasks are scheduled, disable them immediately. These tasks could modify or delete temporary or log files that may be valuable in identifying the source of the infection.
A few poorly designed ransomware strains may even store encryption keys inside these temporary files. Sometimes the ransom note itself contains the decryption key.
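Windows runs several built-in scheduled tasks that delete temporary files or rewrite the disk, which is exactly the evidence the two paragraphs above say to preserve. The script below is an added example, not CoreTech's own tooling. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (the ScheduledTasks module and `wevtutil.exe` are standard there); the evidence folder and CSV file name are assumptions. It disables the stock cleanup and automatic-maintenance tasks, records which ones it touched so they can be re-enabled after the investigation, and exports the main event logs before anything can roll them over. Any site-specific cleanup jobs can be appended to `$TaskPaths`.

```powershell
<#
  Added example (not CoreTech's script): pause Windows' automatic cleanup and
  maintenance so temporary files and logs survive until responders have them.
  Assumptions: elevated PowerShell on Windows 8 / Server 2012 or later.
  Use -WhatIf to preview which tasks would be disabled.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical evidence location; adjust for your environment.
    [string]$EvidencePath = "$env:SystemDrive\ir-evidence"
)

New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null
$taskLog = Join-Path $EvidencePath 'disabled-tasks.csv'

# Standard Microsoft task folders whose jobs delete or rewrite files a responder
# may still need. Add your own cleanup jobs (log rotation, temp purges) here.
$TaskPaths = @(
    '\Microsoft\Windows\DiskCleanup\',    # SilentCleanup: purges temp files
    '\Microsoft\Windows\Defrag\',         # ScheduledDefrag: rewrites disk layout
    '\Microsoft\Windows\TaskScheduler\'   # Regular/Idle Maintenance orchestration
)

$disabled = foreach ($path in $TaskPaths) {
    # A task folder missing on this Windows build is simply skipped.
    Get-ScheduledTask -TaskPath $path -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Disabled' } |
        ForEach-Object {
            $fullName = "$($_.TaskPath)$($_.TaskName)"
            if ($PSCmdlet.ShouldProcess($fullName, 'Disable scheduled task')) {
                Disable-ScheduledTask -InputObject $_ | Out-Null
                # Keep the prior state so Enable-ScheduledTask can restore it later.
                [pscustomobject]@{
                    TaskPath   = $_.TaskPath
                    TaskName   = $_.TaskName
                    PriorState = [string]$_.State
                    DisabledAt = (Get-Date -Format o)
                }
            }
        }
}

if ($disabled) {
    $disabled | Export-Csv -Path $taskLog -NoTypeInformation -Append
    $disabled | Format-Table -AutoSize
} else {
    Write-Host 'No enabled maintenance tasks found in the listed folders.'
}

# Export the core event logs now; the originals can be overwritten as the
# incident progresses, and responders will want the entries from before it.
foreach ($log in 'System', 'Application', 'Security') {
    $dest = Join-Path $EvidencePath "$env:COMPUTERNAME-$log.evtx"
    if ($PSCmdlet.ShouldProcess($log, "Export event log to $dest")) {
        & wevtutil.exe epl $log $dest
    }
}
```

The CSV is the undo list: once the investigation is over, `Import-Csv` it and pass each entry to `Enable-ScheduledTask` so normal maintenance resumes. The exported `.evtx` files open in Event Viewer on any machine, so the analysis can happen off the infected host.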
Do Not Communicate On The Impacted Network
If a system has been infected, assume that the ransomware authors are still on the network. In all likelihood, they can see the data or files being transferred across the organization’s network.
Avoid using business channels to communicate about ransomware as it could tip off the authors that the infection has been detected. This could motivate them to block the entire system or permanently delete the encrypted files. A better way to communicate would be to use out-of-network communication channels like phone calls or personal emails.
The first priority of every organization should be prevention, accompanied by established response steps in case a ransomware attack does happen. Security requirements vary by industry, but following these general steps can contain an infection.
Ransomware can cripple your business; let us help you.
That's why it's important to implement protection, detection, and response mechanisms into your IT security stack.
Additionally, training your staff on the latest cyber threats can minimize the risk of getting infected.
Have doubts or concerns about your current IT security?
Contact CoreTech today. We're happy to evaluate and discuss your security needs.