8 Critical steps to take after a ransomware attack: Ransomware response guide for businesses
Failing to prepare is preparing to fail.
Case in point – ransomware attacks.
It’s imperative that you know how to respond to ransomware attacks.
In such events, an effective ransomware response plan can mean the difference between panic and decisive action. It can mean the difference between a company-wide infection and a contained incident; the difference between swift remediation and permanent business closure.
In this guide, we’re going to discuss in detail a ransomware response plan. Learn exactly how businesses and management teams should respond to a ransomware attack and explore preventative measures that can help reduce the risk of infection.
What to do after a ransomware attack
If preventative measures fail, organizations should go through the following ransomware response checklist immediately after identifying an infection.
1. Isolate affected systems
Isolation should be considered top priority. The vast majority of ransomware will search the target network, encrypt files stored on network shares and try to propagate laterally to other systems. To contain the infection and prevent the ransomware from spreading, infected systems must be removed from the network as soon as possible.
2. Secure backups
While backups play a crucial role in remediation, it’s important to remember that they are not immune to ransomware. To thwart recovery efforts, many modern ransomware strains will specifically target a company’s backups and try to encrypt, override or delete them.
In the event of a ransomware incident, organizations must secure their backups by disconnecting backup storage from the network or locking down access to backup systems until the infection is resolved.
See this guide for more information on how to create and maintain ransomware-proof backups.
3. Disable maintenance tasks
Organizations should immediately disable automated maintenance tasks such as temporary file removal and log rotation on affected systems, as these tasks can interfere with files that may be useful for investigators and forensics teams.
For example, file logs may contain valuable clues regarding the initial point of infection, while some poorly programmed ransomware variants may store important information (such as encryption keys) inside temporary files.
4. Create backups of the infected systems
Organizations should create backups or images of the infected systems after isolating them from the network. There are two main reasons for doing so:
Prevent data loss
Some ransomware decryptors contain bugs that can damage data. For instance, the decryptor of a prolific ransomware family known as Ryuk was known to truncate files, effectively cutting off one byte of each file during the decryption process. While this didn’t cause major issues for some file formats, other file types – like virtual hard disk files formats such as VHD/VHDX as well as a lot of Oracle and MySQL database files – store important information in the last byte and were at risk of being corrupted after decryption.
Having a backup of infected systems ensures data integrity. If something goes wrong during the decryption process, victims can restore their systems and try to repeat the decryption, or contact a ransomware recovery specialist for a reliable, custom-built decryption solution.
Free decryption may be possible in the future
If the encrypted data is not critical to an organization’s operations and does not need to be urgently recovered, it should be backed up and stored securely as there’s a chance that it may be able to be decrypted in the future.
There have been instances of law enforcement agencies apprehending ransomware authors and C&C servers being found, which resulted in the release of decryption keys and allowed victims to recover their data for free. In addition, a number of ransomware groups – including Shade, TeslaCrypt and CrySis, among others – have willingly released decryption keys after shutting down their operations.
5. Quarantine the malware
Victims should never outright remove, delete, reformat or reimage infected systems unless specifically instructed to by a ransomware recovery specialist. Instead, the malware should be quarantined, which allows investigators to analyze the infection and identify the exact strain of ransomware responsible for encrypting files. Removing the entire infection makes it extremely difficult for recovery teams to find the specific ransomware sample involved in the attack.
If the malware is still running, memory dumps should be made prior to quarantine to create a full record of any malicious processes that are running. The memory dump may contain the key material that was used to encrypt the files, which can potentially be extracted and used to help victims decrypt files without paying the ransom.
6. Identify and investigate patient zero
Identifying patient zero (i.e. the source of the infection) is crucial for understanding how attackers gained access to the system, what other actions they took while they were on the network and the extent of the infection. Detecting the source of the infection is useful for not only resolving the current incident, but can also help organizations address vulnerabilities and reduce the risk of future compromise.
It can be challenging to identify the original point of compromise because, in many cases, the threat actors will have been on the system for long periods – sometimes weeks or even months – before deploying the ransomware payload. Companies that lack the resources or expertise to perform thorough digital forensics should consider enlisting the services of a professional forensics company.
7. Identify the ransomware strain
Organizations can use free services such as Emsisoft’s online ransomware identification tool or ID Ransomware to determine which strain of ransomware they have been impacted by.
These tools allow users to upload a ransom note, a sample encrypted file and the attacker’s contact information, and analyze the data to identify which ransomware strain has impacted the user’s files. It also directs the user to a free decryption tool if one is available.
8. Decide whether to pay the ransom
If backups are damaged and there is no appropriate decryption tool available, organizations may be tempted to pay the ransom in order to recover their files.
While paying the ransom can help reduce disruption and may be cheaper than the overall cost of downtime, it is not a decision that should be taken lightly. Organizations should only consider paying the ransom if all other options have been exhausted and the loss of data will likely result in the company going out of business.
The following factors should be considered:
- There is a 1 in 20 chance that the ransomware authors will take the money but not provide a decryptor. Generally speaking, larger, more “professional” ransomware gangs are more likely to provide a working decryptor than variants that are typically sold to and run by individuals, such as Dharma and Phobos. Regardless of who is behind the attack, victims have to rely on criminals to provide a decrytpor with no guarantee that they’ll hold up their end of the bargain.
- The attacker-provided decryptor may not work properly.
- Ransom payments may be used to fund serious criminal activity, including human trafficking and terrorism.
- Paying the ransom substantiates the ransomware business model and perpetuates further attacks.
How NOT to respond to a ransomware attack
Incorrectly handling a ransomware incident can hinder recovery efforts, jeopardize data and result in victims paying ransoms unnecessarily. In the wake of a ransomware attack, organizations should avoid the following mistakes:
1. Do NOT restart impacted devices
Organizations should avoid restarting devices that have been impacted by ransomware. Many ransomware strains will detect attempts to reboot and penalize victims by corrupting the device’s Windows installation so that the system will never boot up again, while others may begin to delete encrypted files at random. The infamous Jigsaw ransomware, which was prolific in 2016, randomly deleted 1,000 encrypted files each time an infected device was rebooted.
Restarting the system can also hinder forensics efforts. Rebooting clears the machine’s memory which, as noted earlier, may contain clues that can be useful for investigators. Instead, impacted systems should be put into hibernation, which writes all data in memory to a reference file on the device’s hard disk, which can then be used for future analysis.
2. Do NOT connect external storage devices to infected systems
Many ransomware families intentionally target storage devices and backup systems. As such, external storage devices and backup systems must not be connected (physically or via network access) to infected systems until organizations are fully confident that the infection has been removed.
It is not always obvious that ransomware is running. Sadly, there have been many cases of businesses commencing the recovery process without realizing that ransomware is still present on their system, resulting in ransomware encrypting their backup systems and storage devices.
3. Do NOT pay the ransom immediately
While the prospect of downtime and potential reputational loss can be daunting, organizations should not immediately pay the ransom. There are always other options, and these should be explored in full before resorting to paying the ransom.
4. Do NOT communicate on the impacted network
During recovery, victims should assume that attackers still have access to the compromised network and therefore may be able to intercept any communications that are sent and received over the network. Organizations should establish secure out-of-band communication channels and prohibit users from communicating on the compromised network until remediation is complete and the network is clear of intruders.
5. Do NOT delete files
Files should not be deleted from encrypted systems unless a ransomware recovery specialist has advised to do so. Not only are encrypted files useful for forensics, but some ransomware families store encryption keys within the encrypted files – if the files are deleted, the decryptor won’t work.
Similarly, ransom notes should never be deleted. Some ransomware families, such as DoppelPaymer and BitPaymer, create a ransom note for every file they encrypt, which contains the encoded and encrypted key necessary for decryption. If a ransom note is deleted, its corresponding file cannot be decrypted.
6. Do NOT trust ransomware authors
Despite increasingly trying to adopt a facade of professionalism, ransomware authors are criminals who are not obligated to uphold any agreements or abide by any code of ethics. Organizations should not believe any information provided by ransomware groups, including information in the ransom note (such as the ransomware strain) nor trust that paying the ransom will lead to the recovery of encrypted data.
Trusted services such as Emsisoft’s online ransomware identification tool and ID Ransomware should always be used to identify strains. Victims should be mindful that attackers may not provide a decryptor after payment, and that attacker-provided decryption tools may be faulty and/or potentially damage encrypted data.
How to reduce the risk of a ransomware infection
Taking a proactive approach to security can help reduce the risk of a ransomware incident. Businesses of all sizes should implement, enforce and regularly test the following preventative measures:
- Credential hygiene: Practicing good credential hygiene can help prevent brute force attacks, mitigate the effects of credential theft and reduce the risk of unauthorized network access.
- Principle of least privilege: All organizations should adhere to the principle of least privilege, a security concept in which users, programs and processes are given only the bare minimum privileges necessary to perform their tasks.
- Employee training: Because ransomware frequently spreads through user-initiated actions, companies should provide regular cybersecurity training with an emphasis on phishing, malicious email attachments and other social engineering tactics.
- Multi-factor authentication (MFA): MFA should be made mandatory wherever possible to reduce the risk of unauthorized access.
- Review Active Directory: Organizations should regularly review the Active Directory (AD) to locate and close existing backdoors such as compromised service accounts, which often have administrative privileges and are a popular target for attackers who wish to obtain credentials.
- Network segregation: Effective network segregation is crucial for containing incidents and minimizing disruption to the wider business.
- Secure remote access: As RDP is an extremely popular attack vector, organizations must take steps to secure remote access (or disable it if it is not required). Remote access should only be available via certain networks or MFA-enabled VPN, and limited only to users who require it for their work.
- Avoid BYOD: Implementing and strictly enforcing security protocols on employees’ personal devices is extremely challenging. Ideally, companies should provide dedicated devices and hardware and discourage employees from using personal devices for work-related tasks.
- PowerShell: PowerShell is one of the most common tools used by ransomware gangs to move laterally within a target network and should be uninstalled if possible. If PowerShell is required, it must be very closely monitored via endpoint detection and response systems. Administrators should be aware of every single PowerShell script that is running on their endpoints.
- Cybersecurity insurance: Organizations should consider cybersecurity insurance to help mitigate the impact of a ransomware incident. Cybersecurity insurance can be particularly beneficial for MSPs, which are often responsible for protecting other companies’ data. Some cyber insurance companies lean toward readily paying ransoms, while others prefer to explore other remediation options, so companies should talk to prospective insurers and discuss policies before committing to an insurance provider.
Any incident response plan should be tested regularly to ensure that employees are familiar with security processes and understand exactly what to do in the event of an infection. Testing also helps companies identify and rectify flaws in the response chain. The worst time for a company to try and work out what to do in a ransomware attack is during a real ransomware attack. See this FBI alert for more information on detecting and remediating malicious activity.
Conclusion
A proactive ransomware response plan can help companies significantly reduce the risk of infection. In the event of an incident, organizations must have effective response procedures in place to contain the incident, prevent data loss and safely initiate the recovery process.
The ransomware response plan described in this article can help any organization know what to do after ransomware attacks, and mitigate its impact. Do note, however, that these best practices should be considered general and non-comprehensive advice. Security requirements can vary significantly, and security systems should always be tailored according to industry, regulatory requirements and the company’s unique security needs.
Emsisoft Enterprise Security + EDR
Robust and proven endpoint security solution for organizations of all sizes. Start free trial