5 Steps Your Business MUST Take If Infected With Ransomware
A ransomware attack is probably the LAST thing you’d want to happen to your business. Way behind a tornado or flood (which insurance will cover without doubt), cyberattacks—especially ransomware attacks—are often far out of sight (and out of mind) until they strike.
I wouldn’t wish a ransom attack on anyone and hope that Philadelphia-area businesses are doing their due diligence to protect themselves from a cyberattack, though the cold hard facts are that most businesses are unprepared to pick up the pieces after a cyber event hits their offices.
Today I want to go through the basic steps your business should be thinking about (and preparing for) in the event of a cyberattack.
5 Steps Your Business MUST Take If Infected With Ransomware
As in any security breach or disaster, the most important thing to keep in mind is to stay calm. You have already should have a plan to deal with most of the nitty gritty details in the event a cyber breach or attack occurred.
[Note: if you are unsure if your plan is adequate or if you have overlooked creating a business disaster recovery plan, you should really consider a 3rd party network security assessment as a safety net in the event your business was unfortunate enough to join the growing number of businesses around Philadelphia falling for cyberattacks.]
But for a refresher, I want to walk through the basic 5 steps in dealing with a ransom infection in case you need to update your business continuity plan.
Step 1: Isolate the infected machines—just as the CDC would recommend with someone infected with a potent virus or bacterial infection, IT Security experts recommend isolation as one of the first steps in overcoming a ransom attack. Disconnect ALL infected machines from your network—unplug their Ethernet cables, turn off wireless access and consider unplugging the machines altogether if in doubt. Your primary goal is to lock down shared network drives and protect your network from further infection.
With ransomware, you are really against the clock. Unlike other cyberattacks, ransom attacks stealthily move through your network looking for valuable files. These ransomware viruses prioritize encrypting as much as it can as fast as it can.
Keep in mind that some ransomware variants are able to spread through shared network drives, so you may also want to temporarily lock those down as well. Check your file servers to see if they are infected as well. As a precaution, you may want to completely disconnect every machine on your network to be safe that even the ones that appear to be uninfected stay that way.
The bottom line for this first step is to react quickly. As soon as someone gets a pop up screen, blue screen, or ransom note on their desktop, make sure they disconnect their computer. My recommendation would be to routinely remind folks about this. Inaction will only create more headaches.
Remind your staff that your business HAS regular successful backups of their data (disconnecting their machine won’t be the end of the world and they should be up and running in no time).
[Note: your business should expect minimal downtime from a minor ransom attack IF your IT Support has been regularly backing up your network. The problem we see most often is they say they are backing everything up (i.e., a report tells them your backups are going), BUT when someone needs to recover from backup, the backup doesn’t work or the needed files weren’t getting backed up! Consider a 3rd party security assessment to ensure your backups are working the way they should be!]
Step 2: Investigate what type of ransomware you have—the next step (once you’ve protected your network from spread of the virus) is to specifically investigate what type of infection you have. The reason why identifying the virus is so critical is that ransomware variants may behave quite differently.
Just as a flu virus is quite different and often more potent than the common cold, the consequences of a misdiagnosis may be fatal. Misdiagnosing a ransom virus may mislead you into taking unnecessary or harmful steps that might risk your business security.
The file extension type of the encrypted files will give you a good key into what specific type of ransomware you’re dealing with. Likewise, information on the ransom note, may also clue you into what specific variant of ransomware you have.
If the variant has been around for a while (at least a month), you are likely to see similar reports of the virus and how it presents on screen online. Simple googling for the file extension and ransom note message will elucidate what type of virus you have, and often will explain how mean or conniving the hackers are that have crawled your network (some have a history of delivering a decryption key 100% of the time when a ransom is paid, while many are less than 80% responsive after businesses have made payment).
[Note: ransom payments are NOT a recommended way of dealing with an attack. Paying a ransom (1) emboldens more attacks on your business—you are a proven victim that will pay (cyber criminals are taking note of folks that pay) and (2) you never know if the $35K payment to an unmarked account will actually pay off with your files. The cybersecurity experts all discourage from shelling over hard earned for ransom payments.]
Step 3: Determine the spread of the ransomware infection—the majority of ransomware variants will encrypt all of your file names and change all of your file extensions. For a recent example, see our discussion on the Samsam variant that has hit the Philadelphia-metro with force in recent weeks.
Many of these ransom variants also leave a README.txt or README.html file on the desktop with ransom instruction.
Your second step in curing your network from infection is to identify the extent of the infection. If you notice a README file on the desktop OR encrypted files with a weird extension, you certainly have a computer with ransomware on your hands.
But sometimes, the virus may not encrypt everything. If you were able to find information online on the virus, you likely can find key signatures of where it infects first or places it always infects. Since ransom viruses are looking to encrypt valuable data, they often target your C drive, but specific ransomware variants may encrypt specific files within your operating system. I am just talking about Windows machines here, but Macs are also vulnerable to attacks!
If you can’t find specific information on where to look to see if an apparently uninfected machine is infected, you should follow the following procedure:
- Navigate around your file system looking in a variety of folders to see if encrypted files are present. Consider searching the C drive on each machine for the specific file extension of encrypted files on the infected machines.
- Search online if any antivirus software can detect the ransomware variant and use an updated version of that software to make sure that no virus is present.
- Make sure you have a heuristic-based firewall (i.e., a smart firewall that is able to detect and block suspicious traffic coming and going on your network). This firewall should be able to identify suspicious computers and your IT Support should be able to disconnect and clean undetected computers before the virus continues to spread.
[Note: this procedure can sometimes be tedious (taking days to weeks for some IT Support teams depending on the size of your network!). Many IT Support teams fail to implement or effectively monitor networks for suspicious activity. If you are unsure whether your IT Support team is securing your network with a smart firewall or that they are adequately monitoring your network, consider a 3rd party network security assessment.]
Step 4: Determine the cause of infection—there are innumerable reasons how a network gets infected with a ransomware virus. By identifying a patient zero (i.e., the first machine to get infected on your network), you’ll be able to understand the cause of infection.
While in some cases, the person that clicked on a malicious link or email attachment self-identifies as being the cause of a ransomware attack, more often, you will end up infect with no clue of why.
Keep in mind, that while users often contribute to an attack, they are by no means the only way a cybercriminal can break into your network.
If you’ve identified a ransomware attack to a specific user, ask that user to retrace their steps before a ransom screen popped up.
Did they open a new document?
Did they click on a link or file attachment in an email?
Did they visit a website they normally don’t visit?
Knowing theses specifics should help your team identify how the infection happened and to warn other users of the event—keeping cybersecurity top of mind includes continual communications about terror stories to your team so that they (1) recognize attacks and (2) are able to help your business prevent getting hit by the next one.
If a user wasn’t specifically the seeming cause for an infection, hackers may have entered your network because IT Support failed to patch your network—maybe a software vulnerability or operating system patch. Often hackers look for low hanging fruit—easy security vulnerabilities that have been published—to get easy access in.
[Note: Zog customers should be assured that we regularly check AND test patches to ensure your business is protected from unwarranted attacks.]
Step 5: Network recovery—because you’ve heeded warnings of ransom attacks and other disasters, your IT Support should have all (or at least most) of your files for complete recovery without relying on a ransom payment.
Unfortunately, encrypted files from a ransom attack will stay encrypted (these encrypted files are often use encryption techniques far more sophisticated than current enterprise encryption methods). Restoring your files from backup is likely your best bet to a quick and full recovery.
The problem? Only 42% of businesses are able to completely recover from backups because their IT Support FAILED to adequately back up and test their backups. And over 75% of businesses are not able to recover quickly from data loss because they lacked a business continuity plan!
My recommendation: figure out what your backup and disaster recovery plan should look like and make sure you have a solid plan to deal with any pending disaster in 2018. Test your backups and ensure that your IT Support is keeping backups a regular priority (as I said before, you cannot be too careful when it comes to backups. If you’re at all in doubt about whether and how your IT Support is backing your network’s data, consider a 3rd party security assessment).
My question to you: are you prepared for the next ransom attack? Will you be able to recover from it (if your business becomes a target)? Contact us today for a FREE security assessment to put together your 2018 security roadmap.