8 Critical steps to take after a ransomware attack: Ransomware response guide for businesses

Fresh start: How to prevent malware infections in 2021

Failing to prepare is preparing to fail.

Case in point – ransomware attacks.

It’s imperative that you know how to respond to ransomware attacks.

In such events, an effective ransomware response plan can mean the difference between panic and decisive action. It can mean the difference between a company-wide infection and a contained incident; the difference between swift remediation and permanent business closure.

In this guide, we’re going to discuss in detail a ransomware response plan. Learn exactly how businesses and management teams should respond to a ransomware attack and explore preventative measures that can help reduce the risk of infection.

What to do after a ransomware attack

If preventative measures fail, organizations should go through the following ransomware response checklist immediately after identifying an infection.

1. Isolate affected systems

Isolation should be considered top priority. The vast majority of ransomware will search the target network, encrypt files stored on network shares and try to propagate laterally to other systems. To contain the infection and prevent the ransomware from spreading, infected systems must be removed from the network as soon as possible.

2. Secure backups

While backups play a crucial role in remediation, it’s important to remember that they are not immune to ransomware. To thwart recovery efforts, many modern ransomware strains will specifically target a company’s backups and try to encrypt, override or delete them.

In the event of a ransomware incident, organizations must secure their backups by disconnecting backup storage from the network or locking down access to backup systems until the infection is resolved.

See this guide for more information on how to create and maintain ransomware-proof backups.

3. Disable maintenance tasks

Organizations should immediately disable automated maintenance tasks such as temporary file removal and log rotation on affected systems, as these tasks can interfere with files that may be useful for investigators and forensics teams.

For example, file logs may contain valuable clues regarding the initial point of infection, while some poorly programmed ransomware variants may store important information (such as encryption keys) inside temporary files.

4. Create backups of the infected systems

Organizations should create backups or images of the infected systems after isolating them from the network. There are two main reasons for doing so:

Prevent data loss

Some ransomware decryptors contain bugs that can damage data. For instance, the decryptor of a prolific ransomware family known as Ryuk was known to truncate files, effectively cutting off one byte of each file during the decryption process. While this didn’t cause major issues for some file formats, other file types – like virtual hard disk files formats such as VHD/VHDX as well as a lot of Oracle and MySQL database files – store important information in the last byte and were at risk of being corrupted after decryption.

Having a backup of infected systems ensures data integrity. If something goes wrong during the decryption process, victims can restore their systems and try to repeat the decryption, or contact a ransomware recovery specialist for a reliable, custom-built decryption solution.

Free decryption may be possible in the future

If the encrypted data is not critical to an organization’s operations and does not need to be urgently recovered, it should be backed up and stored securely as there’s a chance that it may be able to be decrypted in the future.

There have been instances of law enforcement agencies apprehending ransomware authors and C&C servers being found, which resulted in the release of decryption keys and allowed victims to recover their data for free. In addition, a number of ransomware groups – including Shade, TeslaCrypt and CrySis, among others – have willingly released decryption keys after shutting down their operations.

5. Quarantine the malware

Victims should never outright remove, delete, reformat or reimage infected systems unless specifically instructed to by a ransomware recovery specialist. Instead, the malware should be quarantined, which allows investigators to analyze the infection and identify the exact strain of ransomware responsible for encrypting files. Removing the entire infection makes it extremely difficult for recovery teams to find the specific ransomware sample involved in the attack.

If the malware is still running, memory dumps should be made prior to quarantine to create a full record of any malicious processes that are running. The memory dump may contain the key material that was used to encrypt the files, which can potentially be extracted and used to help victims decrypt files without paying the ransom.

6. Identify and investigate patient zero

Identifying patient zero (i.e. the source of the infection) is crucial for understanding how attackers gained access to the system, what other actions they took while they were on the network and the extent of the infection. Detecting the source of the infection is useful for not only resolving the current incident, but can also help organizations address vulnerabilities and reduce the risk of future compromise.

It can be challenging to identify the original point of compromise because, in many cases, the threat actors will have been on the system for long periods – sometimes weeks or even months – before deploying the ransomware payload. Companies that lack the resources or expertise to perform thorough digital forensics should consider enlisting the services of a professional forensics company.

7. Identify the ransomware strain

Organizations can use free services such as Emsisoft’s online ransomware identification tool or ID Ransomware to determine which strain of ransomware they have been impacted by.

These tools allow users to upload a ransom note, a sample encrypted file and the attacker’s contact information, and analyze the data to identify which ransomware strain has impacted the user’s files. It also directs the user to a free decryption tool if one is available.

8. Decide whether to pay the ransom

If backups are damaged and there is no appropriate decryption tool available, organizations may be tempted to pay the ransom in order to recover their files.

While paying the ransom can help reduce disruption and may be cheaper than the overall cost of downtime, it is not a decision that should be taken lightly. Organizations should only consider paying the ransom if all other options have been exhausted and the loss of data will likely result in the company going out of business.

The following factors should be considered:

How NOT to respond to a ransomware attack

Incorrectly handling a ransomware incident can hinder recovery efforts, jeopardize data and result in victims paying ransoms unnecessarily. In the wake of a ransomware attack, organizations should avoid the following mistakes:

1. Do NOT restart impacted devices

Organizations should avoid restarting devices that have been impacted by ransomware. Many ransomware strains will detect attempts to reboot and penalize victims by corrupting the device’s Windows installation so that the system will never boot up again, while others may begin to delete encrypted files at random. The infamous Jigsaw ransomware, which was prolific in 2016, randomly deleted 1,000 encrypted files each time an infected device was rebooted.

Restarting the system can also hinder forensics efforts. Rebooting clears the machine’s memory which, as noted earlier, may contain clues that can be useful for investigators. Instead, impacted systems should be put into hibernation, which writes all data in memory to a reference file on the device’s hard disk, which can then be used for future analysis.

2. Do NOT connect external storage devices to infected systems

Many ransomware families intentionally target storage devices and backup systems. As such, external storage devices and backup systems must not be connected (physically or via network access) to infected systems until organizations are fully confident that the infection has been removed.

It is not always obvious that ransomware is running. Sadly, there have been many cases of businesses commencing the recovery process without realizing that ransomware is still present on their system, resulting in ransomware encrypting their backup systems and storage devices.

3. Do NOT pay the ransom immediately

While the prospect of downtime and potential reputational loss can be daunting, organizations should not immediately pay the ransom. There are always other options, and these should be explored in full before resorting to paying the ransom.

4. Do NOT communicate on the impacted network

During recovery, victims should assume that attackers still have access to the compromised network and therefore may be able to intercept any communications that are sent and received over the network. Organizations should establish secure out-of-band communication channels and prohibit users from communicating on the compromised network until remediation is complete and the network is clear of intruders.

5. Do NOT delete files

Files should not be deleted from encrypted systems unless a ransomware recovery specialist has advised to do so. Not only are encrypted files useful for forensics, but some ransomware families store encryption keys within the encrypted files – if the files are deleted, the decryptor won’t work.

Similarly, ransom notes should never be deleted. Some ransomware families, such as DoppelPaymer and BitPaymer, create a ransom note for every file they encrypt, which contains the encoded and encrypted key necessary for decryption. If a ransom note is deleted, its corresponding file cannot be decrypted.

6. Do NOT trust ransomware authors

Despite increasingly trying to adopt a facade of professionalism, ransomware authors are criminals who are not obligated to uphold any agreements or abide by any code of ethics. Organizations should not believe any information provided by ransomware groups, including information in the ransom note (such as the ransomware strain) nor trust that paying the ransom will lead to the recovery of encrypted data.

Trusted services such as Emsisoft’s online ransomware identification tool and ID Ransomware should always be used to identify strains. Victims should be mindful that attackers may not provide a decryptor after payment, and that attacker-provided decryption tools may be faulty and/or potentially damage encrypted data.

How to reduce the risk of a ransomware infection

Taking a proactive approach to security can help reduce the risk of a ransomware incident. Businesses of all sizes should implement, enforce and regularly test the following preventative measures:

Any incident response plan should be tested regularly to ensure that employees are familiar with security processes and understand exactly what to do in the event of an infection. Testing also helps companies identify and rectify flaws in the response chain. The worst time for a company to try and work out what to do in a ransomware attack is during a real ransomware attack. See this FBI alert for more information on detecting and remediating malicious activity.

Conclusion

A proactive ransomware response plan can help companies significantly reduce the risk of infection. In the event of an incident, organizations must have effective response procedures in place to contain the incident, prevent data loss and safely initiate the recovery process.

The ransomware response plan described in this article can help any organization know what to do after ransomware attacks, and mitigate its impact. Do note, however, that these best practices should be considered general and non-comprehensive advice. Security requirements can vary significantly, and security systems should always be tailored according to industry, regulatory requirements and the company’s unique security needs.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

 

Jareth

Jareth

Writer. A picture is worth a thousand words but unfortunately I can't draw. The world of IT security has always fascinated me and I love playing a small role in helping the good guys combat malware.

What to read next