What to Do When Infected by Ransomware
Often ransomware can end small businesses. Using this attack, the hackers, often foreign nation-state actors, encrypt all files on a computer or as much of the network as they can reach, including backups. Then they demand money to decrypt the files. If the unthinkable happens, stay calm, and here's what you can do:
Disconnect
Physically unplugging or disconnecting the infected computer from the network is best. Typically, by the time a message is displayed all the files are encrypted. You do not want it to spread to other PCs on the network, however, the encryption key may still be in memory on the computer so do not turn it off.
Prioritize critical systems first. If the attack is widespread, it may be faster to turn off switches to disconnect multiple PCs at once. Turn off wireless access points or routers, since if you can't get to the Internet the bad guys can't control your PC, and if they can't connect to other PCs in the office that will halt the spread.
Use out-of-band communications with co-workers, law enforcement, and IT consultants, such as cell phones instead of company email. If hackers know they are detected, they may trigger remaining attacks.
Powering off computers is a last resort and may result in loss of evidence or encryption keys.
Ask For Help
Contact your cyber insurance company or agent, who will have a team that can help. Contact your local police department who can also help. If you're lucky, they may have tools to decrypt known encryption algorithms and keys.
Analyze
Figure out what has been accessed. If there is a message on screen, take a picture or video of it, and record any sounds played.
- Who or what was compromised?
- What permissions/access do those people or computers have?
(often, ransomware triggers only after the threat actor has moved around the network) - What type of attack is it?
(remote access tool, installed software, etc.) - Take a snapshot of cloud/virtual systems to aid in later forensic analysis.
- When did it start? Is today's attack a follow up to previous compromise?
Usually if there is one infection there are more, and attackers take steps to maintain persistent access such as triggering a program to run at boot or via scheduled task.
Execute Your Response Plan
Ideally, it's one computer that can be restored from backup, and the backup carefully analyzed to make sure it does not include the infection. Potentially, keep those computers isolated and restore backups to new hardware.
In the worst case it may affect all computers and systems. They should be kept offline until in a "known clean" state.
Assume all data is compromised. If the hackers have access to your files, they can upload your files. Change all passwords starting with anything not protected by MFA, as well as email accounts and financial accounts, and watch for signs of compromise.
Prioritize recovery for critical assets based on predefined planning, such as safety, revenue, or customer service.
Strongly consider wiping computers and restoring data files from backup, rather than simply restoring the computer. A PC that has been compromised long term will just grant the attacker access again if the compromise is on the backup.
Paying Ransom
Payments to unknown parties can be illegal due to international sanctions or other federal regulations, even if you don't know who you are paying. There is no guarantee a decryption key will be provided. Files accessed to encrypt, may have also been uploaded. Consider whether the payment will fund further criminal activity. Also consider whether safety of employees or customers is a factor.
Preventing Tragedy
With a few easy steps one can avoid most hack attempts:
- Use a good antivirus system like ITS Antivirus, with the Advanced Threat Security add-on
- Keep recent/valid back ups off-site, or at minimum disconnected (air-gapped)
- Keep several weeks or months of backups, in case the compromise started before anyone discovered it
- Enable MFA on all accounts where offered
- Train staff how to identify phishing emails, scams, and social engineering
December 2023
Send this article to a friend!
Subscribe to The ITS Connection
Related articles