What to do if you get hit by a Ransomware attack?
Dealing with a Ransomware Attack
Recently I published a blog post which looked at methods for detecting Ransomware on your network. I also used this topic as a subject for a number of webinars that I hosted, and one of the most common questions asked was what to do if you get hit by a Ransomware attack. The obvious response to this is just to restore the encrypted data, but this may be a waste of time unless you have a proper incident response in place.
If you don’t have a documented incident response in place and you have not been hit by a Ransomware attack, now is a good time to get something ready. Your incident response document should include:
- Incident handling and management
- Incident notification and identification
- Incident classification
- Incident response
- Incident response team
- Processes and procedures
- Incident remediation
A decent incident response document will make it easier to deal with cyber security incidents as you will have everything in one place. Make sure you cover off what to do during business hours and outside business hours.
If you have been hit by Ransomware then the following steps should help you deal with the situation.
Getting your data decrypted
In 2016 the infosec industry rallied around a common goal to combat ransomware under the No More Ransom initiative. Whilst the public face of this initiative is the portal nomoreransom.org where almost 100 decryption tools are provided freely to anyone who may have the misfortune of being a victim of ransomware, the initiative is a true collective of organizations and law enforcement agencies combating ransomware and those behind such cowardly attacks.
Find out what variant of Ransomware you are dealing with by reviewing any splash screens or by checking for information within ransom note text files. You can then search for a decryption tool on the nomoreransom.org website.
Find the source of the Ransomware infection
One of the biggest mistakes I see when Ransomware hits is that people focus on getting data restored first. This can be a waste of time, as an infected client will encrypt freshly restored data just as quickly as you can restore it.
Before you go near your backups you need to find the source of the infection. There are many methods you can use to do this, but the one I use all the time is to use network traffic as a data source. If you extract certain metadata, like file renames, you can quickly find the source of the infection.
Once the infected systems are located, disconnect them from the network and check your monitoring tools for any other infected systems. The problematic client(s) may have been powered down so you need to make sure you have continuous network monitoring in place.
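As an added illustration of the file-rename approach described above (example code written for this page, not from the original post or from LANGuardian), this script replays constructed SMB rename records and flags any client that renames 20 or more files within a 60-second window, along with the new extensions it produced. The log format, hosts and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_rename_log(text):
    """Parse lines of 'timestamp client old_path new_path' into event tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, client, old, new = line.split()
        events.append((datetime.fromisoformat(ts), client, old, new))
    return events

def extension_changed(old, new):
    """True when a rename changed the extension (e.g. .xlsx -> .xlsx.locked)."""
    return old.rsplit(".", 1)[-1].lower() != new.rsplit(".", 1)[-1].lower()

def find_rename_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Return {client: (peak_renames_in_window, new_extensions)} for bursty clients."""
    by_client = defaultdict(list)
    for ts, client, old, new in sorted(events):
        by_client[client].append((ts, old, new))
    suspects = {}
    for client, evs in by_client.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                exts = {n.rsplit(".", 1)[-1] for _, o, n in evs[start:end + 1]
                        if extension_changed(o, n)}
                peak, seen = suspects.get(client, (0, set()))
                suspects[client] = (max(peak, count), seen | exts)
    return suspects

# Constructed sample log (not a real capture): one user doing a few ordinary
# renames, and one host renaming 40 spreadsheets to *.locked in 40 seconds.
NORMAL = "\n".join(
    f"2016-05-10T09:{m:02d}:00 10.0.0.20 \\\\fs01\\docs\\draft{m}.docx \\\\fs01\\docs\\final{m}.docx"
    for m in (0, 4, 9))
BURST = "\n".join(
    f"2016-05-10T09:05:{s:02d} 10.0.0.12 \\\\fs01\\finance\\rep{s}.xlsx \\\\fs01\\finance\\rep{s}.xlsx.locked"
    for s in range(40))
SAMPLE_LOG = NORMAL + "\n" + BURST

if __name__ == "__main__":
    for host, (peak, exts) in find_rename_bursts(parse_rename_log(SAMPLE_LOG)).items():
        print(f"isolate {host}: {peak} renames in one window, new extensions {sorted(exts)}")
```

The same sliding-window logic works on rename events exported from any SMB/NFS monitor; the client that tops the list is the one to disconnect before restoring anything.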
Getting your data restored
Once you have your network cleared of infected hosts you can then focus on data restores. In most cases you won’t need to pay a ransom; most of the analysis shows that this only funds the next Ransomware attack.
If you have a network traffic analysis system in place like LANGuardian, check its reports to find out when the Ransomware was first detected. This will allow you to pinpoint what backups you should use to restore the data.
If your backups are corrupt or not available then you need to make a decision. Do you take a hit and try to get users to manually recreate data? Many of your users will have local copies of their own data, so this may bring back a large percentage of it. These private backups could save the day!
If you are faced with no option but to pay the ransom, check if any master keys are available to decrypt the data. For example, a master decryption key for TeslaCrypt was released in May 2016 that unlocks files encrypted by the malware. Another example is the master boot record killer Petya: if you can extract some data from the disk you may be able to get your data back without paying the ransom. For other crypto variants, check forums like Reddit and see if there are any discussions on the subject.
Paying the ransom should be your very last option. Remember, your payment will only fund the next variant.
Also, don’t forget about end user education; continuous training (and testing) is absolutely critical. Send some ‘test emails’ regularly. You can never give users too much training!