The risk of getting infected with malware is always greater than zero. Regardless of your stringent security policies, the technology you invest in, or the size of your organization, there’s always a chance that something malicious will manage to slip past your defenses.
When – and it should be thought of as a when, not an if – that moment occurs, it’s important to know how to respond correctly. Having a clear response plan in place is crucial for containing and remediating an infection and stopping an already difficult situation from going from bad to worse.
Not sure where to start? This article is for you. Here are eight critical steps to take after discovering a malware infection on your system.
1. Identify infected hosts
The first step in resolving a malware incident is to verify that you have, in fact, been infected with malware. In some cases, like an organization-wide ransomware attack, validating a suspected malware incident may not be necessary because the presence of an infection is obvious.
However, infections may not always be so black and white. In these scenarios, it’s important to examine detection sources in order to get a better understanding of the nature of the incident. Forensic data from your antivirus software, content filters, IPS, and SIEM technologies can usually provide insight into the type of malware you’re dealing with and how your system was compromised, which can be used to tailor your response procedures. Log data should be retained for at least one year to allow for a thorough post-incident investigation.
Analysis tools like Emsisoft EDR can be very useful for examining an incident in real-time and helping IT teams understand how the threat was initiated, which systems were impacted, and how best to respond to the incident.
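As an added illustration of this step (example code, not Emsisoft's own), the following Python correlates antivirus, IPS and SIEM log lines per host, so that hosts the antivirus has positively identified can be separated from those that only show a network or SIEM signal and still need validation. The log formats, host names and addresses are all constructed for the example.

```python
import re

# Constructed sample lines (added example, not Emsisoft's code): hosts, IPs and formats are made up.
SAMPLE_LOGS = """\
AV 2024-03-04T09:12:03Z host=ws-017 action=quarantined threat=Trojan.Agent path=C:\\Users\\a\\dl.exe
IPS 2024-03-04T09:13:40Z src=ws-017 dst=203.0.113.9 sig=known-c2-beacon
SIEM 2024-03-04T09:14:02Z host=ws-042 rule=suspicious-powershell
IPS 2024-03-04T09:15:11Z src=ws-042 dst=203.0.113.9 sig=known-c2-beacon
AV 2024-03-04T09:16:50Z host=srv-db1 action=detected threat=Ransom.Generic path=D:\\share\\x.exe
SIEM 2024-03-04T09:17:00Z host=ws-099 rule=failed-logon-burst
"""
LINE_RE = re.compile(r"^(?P<src>AV|IPS|SIEM) (?P<ts>\S+) (?P<rest>.*)$")

def parse_line(line):
    """Return (source, timestamp, {key: value}) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("src"), m.group("ts"), dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)

def correlate(log_text):
    """Group evidence per host. AV and SIEM name the host via host=, IPS via src=."""
    hosts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, ts, f = parsed
        host = f.get("host") or f.get("src")
        if not host:
            continue
        ev = hosts.setdefault(host, {"sources": set(), "threats": set(), "first_seen": None})
        ev["sources"].add(src)
        ev["threats"].add(f.get("threat") or f.get("sig") or f.get("rule") or "unknown")
        if ev["first_seen"] is None or ts < ev["first_seen"]:  # ISO-8601 timestamps sort as text
            ev["first_seen"] = ts
    return hosts

def classify(hosts):
    """confirmed: AV named the malware; probable: two sources or a C2 signature agree; suspected: one weak signal."""
    verdicts = {}
    for host, ev in hosts.items():
        if "AV" in ev["sources"]:
            verdicts[host] = "confirmed"
        elif len(ev["sources"]) > 1 or any(t.startswith("known-c2") for t in ev["threats"]):
            verdicts[host] = "probable"
        else:
            verdicts[host] = "suspected"
    return verdicts
```

Calling `classify(correlate(SAMPLE_LOGS))` on the constructed lines yields ws-017 and srv-db1 as confirmed, ws-042 as probable and ws-099 as suspected; the probable and suspected tiers are the ones that still need validating before being treated as infected hosts.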
2. Contain the infection
After establishing a thorough understanding of the incident, the next step in the recovery process is containment. Containing an infection serves two purposes: firstly, it stops the malware from spreading to other devices on the network; and secondly, it prevents further damage to already-contaminated machines.
In an ideal world, impacted networks would be taken offline entirely during remediation, but this won’t always be possible. For example, temporarily shutting down network access might be a very effective way of stopping the spread of malware, but the damage caused by the disruption might be greater than the security risks posed by not isolating the affected network. If this is the case, all infected hosts should be disconnected from the network while non-impacted devices should be closely monitored for signs of malicious activity.
3. Backup the compromised hosts
Data integrity may be jeopardized when triaging some types of malware, including certain strains of ransomware. To mitigate this risk, it’s good practice to always create a backup of ransomware-infected systems before beginning remediation. This way, if something unexpected occurs during decryption, you can restore the system (to its encrypted, unusable state) and repeat the decryption process.
Check out this blog post for more information on how to respond to a ransomware incident.
4. Reset compromised credentials
There’s a significant risk that multiple credentials may have been stolen and transmitted to threat actors in the time between infection and discovery of the malware. With this in mind, it’s important to reset any login credentials that may have been compromised during the incident, being careful to adhere to best practices for creating and managing new passwords. When resetting credentials, be wary of locking yourself out of any systems or services that may be needed during recovery.
5. Eradicate the malware
The process of removing malware from impacted hosts can vary depending on the extent of the infection. For regular infections, a good antivirus solution will be capable of removing the malware. In these cases, malware should usually be quarantined rather than deleted so that it can be analyzed later if needed.
For more complex incidents, wiping the affected devices and reinstalling the operating system may be a better option, particularly if:
- Ransomware is involved.
- The host has been infected for an unknown period of time.
- The host has been infected with backdoors, rootkits, or other complex forms of malware.
- It’s not clear whether additional malicious activity has taken place on the infected host.
In the above scenarios, rebuilding compromised hosts from scratch is the most reliable way for an organization to be certain that the infection has been fully eradicated.
6. Restore from backups
If you are restoring your hosts from backups, you must be absolutely certain that the backups are free from malware to avoid reinfecting your system. Once a device has been restored, it can be connected to a clean network to download and install updates for the operating system and other applications.
7. Reconnect to the network
At its core, recovering from a malware incident is all about temporary containment and restoring the functionality of impacted devices. Now that you’ve eradicated the malware via disinfection or reimaging, the last step in the recovery process is to put an end to your temporary containment measures.
Once you’re confident that the impacted network is clean, reconnect the recovered devices to the network and enable any services that you might have disabled. In the hours, days, and weeks that follow, you’ll need to keep a close eye on the network for signs of suspicious activity that could indicate potential compromise.
8. Learn from the incident
Treat every malware incident as a learning opportunity. It might sound a little trite, but looking back at the incident with a critical eye can help you better understand how the infection occurred, how prepared you were to deal with the threat, and what improvements you could make to your response procedures.
Post-mortem learning exercises can help identify and resolve vulnerabilities, and reduce the risk of a repeat incident. Possible actions may include making changes to the organization’s security policies, tweaking software or operating system settings, reconfiguring security applications, investing in new cybersecurity tools, amending formal response procedures, and so on.
Knowing how to effectively respond to a malware infection can stop an incident from snowballing into a bigger, costlier, and more disruptive problem.
The guidance provided in this article covers general best practices for resolving a malware incident. However, it’s important to note that malware can vary greatly in terms of capability, complexity, and persistence; as such, remediation should always be tailored to the unique requirements of the impacted organization.