A ransomware attack is one of the most damaging types of cyber attack, and the one most feared by business owners and cybersecurity defenders. This worry is not without reason. In an instant, an organization's critical IT infrastructure can be brought down for weeks to months, completely stopping all business. Some data and systems may be lost forever.
Ransomware can take different forms, causing many different types of threats and damage. In its most common form, criminals use it to threaten to prevent access to critical data and systems and/or to release sensitive data unless a ransom is paid. Here are some of the common impacts of ransomware:
- Encrypts data and systems, causing downtime and recovery costs
- Steals confidential data, exfiltrates it outside the organization, and threatens to release it
- Steals organization, employee and customer login credentials
- Uses the compromised victim's systems and the trust it has earned to compromise its customers and business partners
- Publicly shames the victim, causing reputational damage
Once you have determined you have been exploited by ransomware, it is imperative to take action immediately. The following outline summarizes the steps:
STEP 1: Initial investigation
1. Determine if it is a real ransomware attack
2. Determine if more than one device is exploited
STEP 2: Declare if ransomware event confirmed
1. Declare ransomware event
2. Begin using predefined, alternate communications
3. Notify team members, senior management and legal
STEP 3: Disconnect network
1. Disable networking (from network devices, if possible)
2. Power off devices if needed
STEP 4: Determine the scope of the exploitation
1. Check the following for signs of exploitation:
a. Mapped or shared drives
b. Cloud-based storage: DropBox, Google Drive, OneDrive, etc.
c. Network storage devices of any kind
d. External hard drives
e. USB storage devices of any kind (USB sticks, memory sticks, attached phones/cameras)
f. Mapped or shared folders from other computers
2. Determine if data or credentials have been stolen:
a. Check logs and DLP software for signs of data leaks
b. Look for unexpected large archive files (e.g., zip, arc) containing confidential data that could have been used as staging files
c. Look for malware, tools and scripts that could have been used to find and copy data
d. One of the most reliable signs of ransomware data theft is, of course, a notice from the ransomware gang involved announcing that your data and/or credentials have been stolen
3. Determine the ransomware strain:
a. Which strain/type of ransomware is it? For example: Ryuk, Dharma, SamSam.
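As an added example (not code from the original article), the following Python script automates the file-level checks in Step 1 and Step 4 on a directory tree: it looks for ransom-note-style file names (a quick answer to "is this a real ransomware attack?"), for files whose bytes look encrypted behind a non-standard or appended extension, and for large, recently written archives that could be exfiltration staging files. The name patterns, extension lists and thresholds are assumptions chosen for illustration, and the sample files it scans are constructed in a temporary directory.

```python
"""Ransomware triage helper: an added example, not code from the original article.

Walks a directory tree and reports three kinds of indicators that the checklist
asks an investigator to look for:
  ransom_note      small text files whose names follow typical ransom-note naming
  encrypted_file   files with a non-standard (often appended) extension whose
                   bytes look random, as encrypted content does
  staging_archive  large, recently written archives that could be exfiltration
                   staging files
Name patterns, extension lists and thresholds are assumptions for illustration.
"""
import hashlib
import math
import os
import re
import tempfile
import time
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

RANSOM_NOTE_RE = re.compile(r"(readme|decrypt|restore|recover|how[_-]?to).*\.(txt|html?)$", re.I)
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".arc", ".tar", ".gz", ".tgz"}
# Formats that are compressed or encrypted by design; high entropy is normal for them.
HIGH_ENTROPY_OK = ARCHIVE_EXTS | {".png", ".jpg", ".jpeg", ".mp4", ".pdf", ".docx", ".xlsx", ".pptx"}
DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".sql", ".db"}
ENTROPY_THRESHOLD = 7.5      # bits per byte; random data approaches 8.0
SAMPLE_BYTES = 64 * 1024     # only the head of each file is measured
MIN_ENCRYPTED_BYTES = 4096   # ignore tiny files, whose entropy estimate is noisy


@dataclass
class Finding:
    kind: str
    path: str
    detail: str


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(root: str, staging_min_bytes: int = 50 << 20, staging_max_age_s: int = 7 * 86400) -> list:
    """Return a Finding for every indicator under root (symlinks are not followed)."""
    now = time.time()
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable entry: skip it and keep walking
            suffixes = [s.lower() for s in Path(name).suffixes]
            ext = suffixes[-1] if suffixes else ""
            if RANSOM_NOTE_RE.search(name) and st.st_size < SAMPLE_BYTES:
                findings.append(Finding("ransom_note", path, "name matches ransom-note pattern"))
                continue
            age = now - st.st_mtime
            if ext in ARCHIVE_EXTS and st.st_size >= staging_min_bytes and age <= staging_max_age_s:
                findings.append(Finding("staging_archive", path,
                                        f"{st.st_size / 2**20:.1f} MiB archive written {age / 3600:.1f} h ago"))
                continue
            if ext not in HIGH_ENTROPY_OK and st.st_size >= MIN_ENCRYPTED_BYTES:
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(SAMPLE_BYTES)
                except OSError:
                    continue
                ent = shannon_entropy(head)
                if ent >= ENTROPY_THRESHOLD:
                    detail = f"entropy {ent:.2f} bits/byte"
                    if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
                        detail += f"; extension {ext} appended to a {suffixes[-2]} file"
                    findings.append(Finding("encrypted_file", path, detail))
    return findings


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for encrypted content."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_tree(root: str) -> None:
    """Write a constructed file set: one hit per indicator plus two benign decoys."""
    folder = Path(root) / "finance"
    folder.mkdir(parents=True, exist_ok=True)
    (folder / "notes.txt").write_bytes(b"meeting notes, nothing unusual here\n" * 600)  # low entropy
    (folder / "photo.jpg").write_bytes(_pseudo_random(80 * 1024))  # high entropy, but expected for JPEG
    (folder / "Q3-budget.xlsx.locked").write_bytes(_pseudo_random(80 * 1024))  # appended extension
    (folder / "HOW_TO_RESTORE_FILES.txt").write_bytes(b"constructed note text for the scanner to match\n")
    (folder / "staging-2024.zip").write_bytes(_pseudo_random(2 << 20))  # 2 MiB "staging" archive


def demo_scan() -> list:
    """Build the sample tree in a temp dir, scan it, and return sorted (kind, filename) pairs."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = scan(root, staging_min_bytes=1 << 20)  # threshold lowered for the small sample
    return sorted((f.kind, os.path.basename(f.path)) for f in hits)


if __name__ == "__main__":
    for kind, name in demo_scan():
        print(f"{kind:16} {name}")
```

Run it against a mounted copy of a suspect share rather than on the live host, and treat hits as leads for the investigator, not verdicts: compressed and encrypted formats are legitimately high-entropy, which is why the allow-list exists, and the archive check only narrows the hunt for the staging files that Step 4 describes. The ransom-note pattern is deliberately broad; tighten it once the strain is known.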
STEP 5: Limit initial damage
Initial investigators should try to stop or reduce any damage they discover, if possible.
STEP 6: Gather the team to share information
The goal is to make sure the team correctly understands all information, including scope and extent of damage
STEP 7: Determine response
1. Pay the ransom or not?
2. Repair or rebuild?
3. Invite in additional external parties?
4. Notify regulatory bodies, law enforcement, CISA, FBI, etc.?
STEP 8: Recover environment
1. Repair only, or rebuild?
2. Need to preserve evidence?
3. Use business impact analysis to determine what devices and systems to recover and the associated timing
4. Restore critical infrastructure first
STEP 9: Postmortem analysis/lessons learned
Prevent the Next Cyber Attack:
1. Mitigate social engineering
2. Patch software
3. Use multifactor authentication (MFA) where you can
4. Use strong, unique passwords
5. Use antivirus or endpoint detection and response software
6. Use anti-spam/anti-phishing software
7. Use data leak prevention (DLP) software
8. Have good backups and test them regularly
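Item 8 is the one whose second half ("test them regularly") is most often skipped. As an added example, not code from the original article, the following Python script records a SHA-256 manifest at backup time and checks a test restore against it, reporting files that are missing, altered or unexpected. The source tree, backup location and the faults injected into the restored copy are all constructed for the demonstration.

```python
"""Backup restore test: an added example, not code from the original article.

A backup is only good if restoring it reproduces the source. This script writes
a SHA-256 manifest of a source tree when the backup is taken and, after a test
restore, checks the restored tree against that manifest. All paths and sample
contents below are constructed for the demonstration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest taken at backup time."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "altered": sorted(k for k in manifest.keys() & actual.keys() if manifest[k] != actual[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo_restore_test() -> dict:
    """Back up a constructed tree, simulate a faulty restore, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n")
        (src / "db" / "orders.csv").write_text("id,total\n1,9.99\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        manifest = build_manifest(src)
        # "Backup": copy the tree and keep the manifest beside it, outside the tree itself.
        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest))
        # "Restore" into a fresh location, then inject three faults a restore test should catch.
        restored = Path(tmp) / "restored"
        shutil.copytree(backup, restored)
        (restored / "db" / "orders.csv").unlink()                  # lost during restore
        (restored / "config.ini").write_text("[app]\nmode=dev\n")  # restored from the wrong copy
        (restored / "leftover.tmp").write_text("x")                # never part of the backup
        saved = json.loads((Path(tmp) / "manifest.json").read_text())
        return verify_restore(restored, saved)


if __name__ == "__main__":
    print(json.dumps(demo_restore_test(), indent=2))
```

In practice the manifest should be stored with the backup but signed or kept on separate, write-once media, so that an attacker who reaches the backup store cannot rewrite both the data and the record you check it against; an empty report from a restore into an isolated environment is the evidence that item 8 is actually met.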
Hopefully this article has provided you with a summarized series of steps to include in your ransomware response plan. We hope you and your organization are never successfully exploited by ransomware, but if you are, this guide can tell you how to proceed, recover, and prevent a recurrence in the future.
Be ethical and safeguard your privacy!