What You Should Do When Ransomware Attacks
“Why can’t you open that file?” “My P drive is full of files with funny names.” Help! It all starts the same. Someone logs in and notices strange file names, or files missing. These are signs that you have been attacked by ransomware.
Good news! You’ve found the right place. The video below provides a quick overview. This article will help you on your journey to recovery step-by-step.
BEFORE You Start: This advice is given as-is and without warranty. This has been proven to work for many ransomware infections. Your mileage may vary. Use at your own risk. This information could be out of date as the situation changes rapidly. As new information becomes available, we will update this page. If you need help, just ask us! Comments and suggestions are appreciated.
Step 1: Get to Know Your Situation
Malware has infected your computer, bypassing your antivirus and other security measures. Although the malware was most likely introduced by a user action (such as clicking on a link), this is not always the case. Ransomware runs with the infected user’s permissions to access and encrypt files, so it can encrypt files on the local operating system, on network shares, and on cloud file systems.
You may be able to decrypt these files using a free online tool available from several security companies. Even though this is the best-case scenario, it will still result in several hours of downtime and only works for specific ransomware variants. Most cases will require you to either restore files from backups or pay the ransom. A large data recovery can take several hours or even days. If you decide to pay the ransom, expect to pay between several hundred and several thousand dollars.
This is the best time to inform executives and employees that there is an issue. For a prolonged period, critical systems may not be available. It will be a long day.
Step 2: Secure It
We don’t know much about your situation at this point. The source could be one or more of your users, and the infection could be hours or days old. Before we can treat the patient, we need to stop the bleeding: take the shares offline immediately.
A quick look before locking these shares can save time later. Look at which files are currently open on them: this will help you identify the source of the infection (what we call Patient Zero). If one user has hundreds of open files, that user is most likely the source.
Which shares should you lock? “All of them” is the safest answer, but your specific situation will determine which shares you actually lock, and this guide cannot cover every factor.
If encryption is ongoing, locking the shares will stop it from progressing and prevent any other shares from being encrypted while you are removing the infection from your network.
Step 3: Turn off patient zero
It is crucial to identify the source of infection and close it down. This can be difficult in larger organizations. Here are some suggestions:
- Who owns the new files (the decryption instructions)?
- Which permissions were required to modify the encrypted files, and which accounts hold those permissions?
- To find infected users, view the files that are open on the shared drives.
It is possible to stop the infection if you quickly identify patient zero. Sometimes, the infection may not be detected until all shares have been encrypted.
All infected devices should be turned off and disconnected from the network. They pose a risk to network security and can cause re-infection.
Step 4: Identify the Infection
Next, identify the variant to determine the best recovery options for you. Your antivirus and other defenses are already ineffective against the infection, so they won’t be of much help. This is how it works.
You’ll find a text file in the affected shares. It will look something like the one below.
Important Note: Ransomware variants often have a timer that starts when you open the instructions file. We have seen two different outcomes from this timer. Sometimes the ransom doubles when the timer expires. Other times, the files remain encrypted for good. Do not click on the links until after you have read this guide.
These files are crucial for identifying the variant. You can often identify it by searching the internet for the text contained in these files. Study each variant for its critical characteristics: some variants can be decrypted with free tools, and others may not have actually encrypted the files yet still demand a ransom. Identifying the variant should take only a few minutes. Move quickly.
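The two checks from Steps 3 and 4 above (who is holding files open on the shares, and who owns the new ransom-note files), as an added PowerShell example that is not part of the original article. It assumes it runs on the Windows file server hosting the shares with the SmbShare module available; the note-name fragments, the 24-hour cutoff and the suspect account are placeholders to adjust to what you actually see.

```powershell
# Added example, not the article's own code. Run on the file server as an administrator.
$Since       = (Get-Date).AddHours(-24)                       # assumed: notes appeared in the last day
$NotePattern = '*DECRYPT*', '*README*', '*RESTORE*', '*HOW_TO*'  # assumed common ransom-note name fragments

# 1. Which account is holding many files open on the shares right now?
#    One account with hundreds of open handles is a strong patient-zero candidate.
$openByUser = Get-SmbOpenFile |
    Group-Object ClientUserName, ClientComputerName |
    Sort-Object Count -Descending |
    Select-Object Count, Name
$openByUser | Format-Table -AutoSize

# 2. Who owns the ransom-note files that appeared on the shares?
#    The note is written with the infected user's credentials, so its NTFS owner
#    usually points straight at the account that needs to be cut off.
$shareRoots = (Get-SmbShare | Where-Object { -not $_.Special }).Path
$notes = foreach ($root in $shareRoots) {
    foreach ($pattern in $NotePattern) {
        Get-ChildItem -Path $root -Recurse -File -Filter $pattern -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt $Since }
    }
}
$notes |
    Select-Object FullName, CreationTime, @{ n = 'Owner'; e = { (Get-Acl $_.FullName).Owner } } |
    Sort-Object CreationTime |            # the earliest note is usually closest to patient zero
    Select-Object -First 20 |
    Format-Table -AutoSize

# 3. Containment: close the suspect's SMB sessions so server-side encryption stops,
#    then disable the account and power off the workstation as the article advises.
$suspect = 'DOMAIN\suspect-user'   # placeholder: fill in from the output above
Get-SmbSession | Where-Object ClientUserName -eq $suspect | Close-SmbSession -Force
```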
Step 5: Verify Your Backups
You will need to decide whether to restore from backup or pay the ransom. Before you attempt to pay the ransom, ensure that your backups are current and up-to-date. It would be a disaster if you attempt to restore the system only to have it fail hours later. If the timer expires, you may lose the ability to pay the ransom.
We always perform a test restore. We verify that a small but important sample of the encrypted files can be successfully restored.
Calculate the Restore Time
Everyone will want to know when it will be completed. If the backup is on-site, restoring a few gigabytes of data will take only a few hours. The restore may take several days for offsite backups, TB+ data, or backups on slower media. We can’t give specific advice here, so we will just say: start the restore and let it run for 15-30 minutes. Calculate the total restore time from this experiment, then plan and communicate accordingly.
If your test restore was successful and the projected restore time is reasonable, you can avoid paying the ransom. If the test restore failed, your most recent backup is not sufficient, or you cannot wait for the restore to finish, you may decide to pay the ransom.
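The restore-time experiment described above (let the restore run for 15-30 minutes, then extrapolate), as an added PowerShell example that is not part of the original article. It assumes a restore job is already writing into $RestoreRoot and that you know roughly how much data the full restore must bring back; both values and the output path are placeholders.

```powershell
# Added example, not the article's own code. Run while the restore job is in progress.
function Measure-RestoreEta {
    param(
        [string]$RestoreRoot   = 'D:\Restore',   # placeholder: folder the restore job writes into
        [long]  $TotalBytes    = 2TB,            # placeholder: size of everything that must be restored
        [int]   $SampleMinutes = 15              # the article's 15-30 minute observation window
    )
    # Total bytes currently present under the restore folder (0 if nothing is there yet).
    $sizeOf = {
        $sum = (Get-ChildItem -Path $RestoreRoot -Recurse -File -ErrorAction SilentlyContinue |
                Measure-Object -Property Length -Sum).Sum
        if ($null -eq $sum) { 0 } else { [long]$sum }
    }

    $startBytes = & $sizeOf
    $startTime  = Get-Date
    Start-Sleep -Seconds ($SampleMinutes * 60)
    $endBytes   = & $sizeOf
    $elapsedSec = ((Get-Date) - $startTime).TotalSeconds

    $bytesPerSec = ($endBytes - $startBytes) / $elapsedSec
    if ($bytesPerSec -le 0) {
        throw "No data restored in $SampleMinutes minutes; the restore job may have stalled."
    }
    $remainingBytes = [math]::Max($TotalBytes - $endBytes, 0)
    $remainingSec   = $remainingBytes / $bytesPerSec

    [pscustomobject]@{
        RestoredSoFarGB = [math]::Round($endBytes / 1GB, 1)
        RateMBps        = [math]::Round($bytesPerSec / 1MB, 1)
        RemainingHours  = [math]::Round($remainingSec / 3600, 1)
        EstimatedFinish = (Get-Date).AddSeconds($remainingSec)
    }
}

Measure-RestoreEta
```

Run it once after the test restore has confirmed the backup is usable; if the estimated finish falls outside the window you can tolerate, you have the numbers to communicate to executives.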
Step 6: Paying the ransom
The FBI advises ransomware victims not to pay the ransom: “Paying a ransom not only emboldens current cybercriminals to target more organizations, but it also offers an incentive for other criminals to get involved in this type of illegal activity.” (The FBI Blog)
Here are some details to help you decide if you want to pay the ransom.
The ransom is paid in Bitcoin. If you don’t already have any, you will need to purchase some. There are many ways to buy Bitcoin in the US, and the process is similar to opening a bank account, because these companies are required by the US government to follow Know Your Customer regulations. Buying Bitcoin can take some time, and you may not be able to purchase as much as you need at once.
These sites allow you to pay the attacker directly after you have purchased the bitcoin. You can transfer the bitcoin to their address by using these links. There are no refunds once you have sent the bitcoins.
Communicating with attackers is dangerous, but some variants require email communication to obtain the decryption software. Clients who pay ransoms are often attacked again: you have just proved that the bad guys can run a profitable business off you. Avoid any communication that discloses your identity, and use a disposable email account, such as a Gmail or Outlook.com account, to communicate with the attacker.
GCS has found that most communication takes place overnight; there is roughly a 12-hour time difference between the attackers and us in Texas.
Paying the ransom may not work. These are criminals, and you must not trust them. GCS usually requests proof of decryption by sending the attacker one of the encrypted files. If they cannot decrypt that file, paying the ransom is a waste of money.
Step 7: Decrypting
You may be able to decrypt files depending on how ethical and helpful your attacker is. You will need to use the software provided by the attacker to decrypt your files. If this doesn’t make you nervous, then you haven’t been paying enough attention.
GCS recommends using a single-purpose virtual machine for the decryption. It should be locked down and given access only to what the decryption requires. After the decryption is complete, destroy the virtual machine. This slows the decryption down considerably, but it is much safer than running the attacker’s tool directly on the file server(s).
Although anti-virus/anti-malware products were not effective at preventing the infection, they may still flag the decryption software as malware, which can make decrypting the files harder and slower.
This document could include many more details. GCS has become expert in ransomware infection recovery, and as we learn more about these attacks we will update this document. GCS can assist clients with these recoveries on request.
To prevent ransomware attacks from recurring, our advice is simple: Train employees to be cautious and ensure you have backups. You can add additional layers of security to your system by using OpenDNS, a DNS filtering service. You can improve your backup by including a Datto business continuity component. To identify any potential issues in your organization, you should conduct a security audit.