Ransomware recovery: Plan for it now
You will need to implement your disaster recovery (DR) plan if your computer environment is hit by a ransomware attack, but before you can begin to restore systems you must identify and stop the infection. Rushing to the restore phase could make matters worse. Understanding how ransomware works is crucial to understanding why.
Ransomware spreading in your environment
There are many articles, such as this one, that describe what ransomware does, but it’s important to emphasize that the goal of ransomware is rarely to infect just one system. Ransomware will attempt to infect your entire network by identifying and exploiting vulnerabilities in operating systems. The attack is coordinated through command-and-control (C&C) servers, and every ransomware variant will contact these servers to get instructions. The key to responding to an active ransomware infection is stopping all communications with the C&C servers as well as any further communications between the infected systems and the rest of your network.
If you have not been infected yet, now is a good time to create a response plan and to test it as frequently as you test your DR plan.
It is not a good idea to try to handle a major ransomware attack alone. Several resources can help you stop the attack and recover when all hell breaks loose, and some steps you take could help the authorities catch the criminals. Include these resources in your ransomware response plan.
Cyber-insurance policies can be extremely helpful, because the insurer can put you in touch with experts who will assist with your response. Contact them now, before you are attacked, to discuss their response process, and document it in your plan. If you don’t have such a policy, consider getting one.
Also, you should immediately contact your local FBI field office. The level of involvement will depend on the extent and nature of the attack, but the FBI says that being notified about all ransomware attacks helps it respond better. The FBI has access to resources and tools that other organizations do not, which can be especially helpful if the attack originates from another country.
Beware of companies that claim they can decrypt your data. They simply pay the ransom and then pass the cost on to you in their bill. Now, before an attack, is the time to vet any companies you may want to use in your ransomware response.
Stop the infection from spreading
Find out as much as you can about the ransomware and how to stop it from spreading. Acting quickly can mean the difference between a small amount of downtime and a large amount.
Immediately cut all communications between your LAN (or any other network) and the outside world. If you are unable to do that, shut down all computers in your environment. Either way, this prevents infected computers from receiving any further instructions from their C&C servers.
RDP is the most common method ransomware uses to spread through your environment, so disable it. The easiest way is by changing a registry key, and since it’s important to do this as quickly as possible, automate the change via PowerShell.
Change administrator passwords and close all administrative sessions. This will prevent further damage from computers that have already been compromised. This, too, is best done via PowerShell.
Done by hand, these tasks are tedious. Develop and test your automation before you need it.
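The containment steps above as one PowerShell script, added here as an example and not taken from the original article. It disables RDP on each host through the registry, logs off every interactive session, and rotates the built-in local Administrator password; it assumes WinRM remoting is already enabled, that you run it elevated from a clean workstation against member servers, and that $Hosts and $VaultPath are constructed placeholders for your own environment.

```powershell
# Added example, not from the original article: emergency containment for the steps above.
# Assumes WinRM is enabled, an elevated clean workstation, member servers (Get-LocalUser is
# not for domain controllers), and constructed placeholder values for $Hosts and $VaultPath.
param(
    [string[]]$Hosts     = @('SRV-FILE01', 'SRV-APP02'),           # placeholder names
    [string]  $VaultPath = "$env:USERPROFILE\ir-admin-creds.xml"   # placeholder path
)

$Contain = {
    param([string]$NewPassword)
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # 1. Disable RDP: fDenyTSConnections = 1 refuses new Remote Desktop connections;
    #    also disable the built-in "Remote Desktop" inbound firewall rule group
    Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    # 2. Log off every session quser lists; its ID is the first all-digit token on each
    #    line (user names and session names such as rdp-tcp#3 are never purely numeric)
    $closed = 0
    foreach ($line in @(quser 2>$null | Select-Object -Skip 1)) {
        $id = @($line -split '\s+' | Where-Object { $_ -match '^\d+$' })[0]
        if ($id) { logoff $id; $closed++ }
    }
    # 3. Rotate the built-in Administrator password, located by its well-known RID 500
    #    so a renamed account is still caught; the plaintext only travels over WinRM
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    Set-LocalUser -SID $admin.SID -Password (ConvertTo-SecureString $NewPassword -AsPlainText -Force)
    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        RdpDisabled    = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 1
        SessionsClosed = $closed
        AdminRotated   = $admin.Name
    }
}

$creds = @()
foreach ($h in $Hosts) {
    # 32-character password from 24 cryptographically random bytes, generated locally
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = [Convert]::ToBase64String($bytes)
    Invoke-Command -ComputerName $h -ScriptBlock $Contain -ArgumentList $plain -ErrorAction Continue
    $creds += [pscredential]::new("$h\Administrator", (ConvertTo-SecureString $plain -AsPlainText -Force))
}
# Export-Clixml wraps the passwords with DPAPI for this user on this workstation;
# move them into your password vault, then delete the file.
$creds | Export-Clixml -Path $VaultPath
```

Each host returns a small status object so you can see at a glance which machines were reached, had RDP disabled and had sessions closed; unreachable hosts surface as errors and should be isolated by other means.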
After you’ve completed the above steps, it is safest to turn off all computers until you identify which ones are infected. Although this is a drastic step, it will stop further spread and damage. It will also give you time to think clearly while you decide what to do next.
Identify the ransomware
The best tool for finding out which ransomware variant has hit you is the ID Ransomware project, which can make the identification from a sample of the ransom message you received together with some of the files that have been encrypted.
Install a malware scanner on an infected computer and scan it. Once the tool has identified and quarantined the ransomware, do the same on every other computer in your environment. Because this is a manual process that many people may have to perform, include it in your ransomware recovery training.
Ransomware can make an infected computer difficult to scan when the files needed to boot or log in to the system have been encrypted. Such computers will need to be completely erased and then restored.