How do you recover from a ransomware attack?
Don’t get infected in the first place!! Harsh, but so is the reality of Ransomware.
“Ransomware is not only about weaponizing encryption, it’s more about bridging the fractures in the mind with a weaponized message that demands a response from the victim.”
Senior Fellow - Institute for Critical Infrastructure Technology
How do you recover from a Ransomware attack? Don’t get infected in the first place!!
That is probably a bit harsh, but if you are looking for a recovery plan for a ransomware attack you really should start by looking at the attack vectors that your business and network have. “How do you avoid a Ransomware attack?” is very much a project for your cyber security team, while “How do you recover from a Ransomware attack?” should be a joint project for the Cyber, IT Support and Disaster Recovery teams.
If you’re a smaller business then do read on, as this article applies to businesses of all sizes, although the approach and the scale of the issues may be different.
I would highly recommend that you read our previous blog, “What is a Ransomware attack and who are the real victims?”, which will give you all the background you need before tackling this article.
Don’t wait, pull the plug!!!
The worst has happened, what next??
Let’s start with a quick summary of what needs to be done….
- Isolate the infection.
- Identify the infection.
- Report the infection.
- Determine your options.
- Plan for prevention.
1. Isolate the Infection
This has to be the most important thing to do, other than not getting infected. Don’t hesitate and don’t think about it. It is in high-pressure moments like this that a well-rehearsed plan is worth its weight in gold. Go as far as applying bright, distinctive tape to any cables that need to be unplugged so you can minimise the time taken to isolate your network.
When a computer is suspected of being infected it needs to be isolated as quickly as possible, but let’s be realistic: it may already be too late. Often cryptoworms have already spread before they show themselves. Like the common cold, you are infectious long before you start to sneeze and show symptoms. However, it is better to be safe than sorry: isolate your network from any other sites you may have, isolate your individual servers, and turn off your PCs and any other devices that are likely to become infected, such as PC-equipped production machinery (milling machines, laser cutters and so on). Anything that behaves like a computer needs to be shut down. Be suspicious of everything in your organisation.
2. Identify the infection
More often than not the ransomware will identify itself at the point at which it makes its demands. There is a certain amount of kudos to be had by the ransomware writers, so they like to tell you who they are and wouldn’t want to be mistaken for someone else.
There are a number of online resources to help you find out more about how the ransomware propagates, what files it encrypts and whether it can be removed or disabled. Try….
Identifying the version of ransomware will also allow you to report it via the Report a Cyber Security Incident page on the NCSC website.
3. Report the Infection
We are all in this together and there is no shame in falling foul of a ransomware attack. These guys are professionals in the same way a pickpocket is. They are highly intelligent, skilled individuals who make a living through this.
In the UK we have the National Cyber Security Centre (NCSC) which is the government unit tasked with investigating and stopping cyber crime. Their website is well worth a visit and is packed with information and advice on keeping safe and also how to help prevent cyber crime.
Victim reporting provides NCSC and other law enforcement bodies with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases. Knowing more about victims and their experiences with ransomware will help them to determine who is behind the attacks and how they are identifying or targeting victims. Remember that this is international crime not just UK based.
4. Determine Your Options
There are generally just three options available to you!
- Pay the ransom
- Try to remove the malware
- Wipe the system and reinstall from scratch
4.1 Pay the ransom
No… No… No! Let’s remember that these are criminals we are dealing with, not pranksters. If you pay the money there is no guarantee that they will decrypt your data. Well, they may do the first time. After all, these guys are running a business and wouldn’t want to get a bad reputation. They want the next guy to pay too, but there is nothing to say that they will not come back and encrypt you again and again. You did pay the first time, so why not a second?
In a recent survey, more than three-quarters of organisations (77%) said they were unlikely to pay the ransom in order to recover their data. Only a small minority said they were willing to pay some ransom (3% of companies have already set up a Bitcoin account in preparation!).
That leaves us with two options…
4.2 Try to remove the malware
There are software packages that claim to be able to remove ransomware. Whether you are able to remove an infection and fully decrypt the data is open to debate. Certainly some infections do have decryptors, but they are few, and the newer the ransomware the more complex it tends to be and the less likely it is that someone has developed a decryption solution.
That leaves us the option that is the most painful but most likely to work.
4.3 Wipe the system and start from scratch
In our heart of hearts we know that this is the best solution, but it does smack of defeat. However, look at it this way… you have saved on the ransom payment. That is probably a rather simplistic view and is reliant on one thing in particular – effective off-site backups.
Hopefully you have a robust backup strategy in place and therefore have copies of all your files, documents, databases and email databases saved off site. It has been known for backup files to become encrypted too, so keep files off site and even on different media.
Forensic investigation of the infected machines should allow you to determine the date of the initial ransomware infection. Failure to identify the correct date could mean that you are simply going to restore the malware right back into your clean environment – not what we want to be doing.
Remember that an infection might have been dormant in your system for a while before it activated and made significant changes to your system. Identifying and learning about the particular malware that attacked your systems will enable you to understand how that malware functions and what your best strategy should be for restoring your systems.
Don’t be tempted to use a System Restore point to get your system back up and running. System Restore is not a good solution for removing viruses or other malware. Malicious software is typically buried away in all kinds of places, and you can’t rely on System Restore being able to find all the parts of the malware. Also, System Restore does not save old copies of your personal files as part of its snapshot, and it will not delete or replace any of your personal files when you perform a restoration, so don’t count on System Restore working like a backup. You should always have a good backup procedure in place for all your personal files.
Local backups can also be encrypted by ransomware. If your backup solution is local and connected to a computer that gets hit with ransomware, the chances are good your backups will be encrypted along with the rest of your data.
With a good backup solution that is isolated from your local computers, you can easily obtain the files you need to get your system working again. You have the flexibility to determine which files to restore, from which date you want to restore, and how to obtain the files you need to restore your system.
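As an added illustration of the restore-date reasoning in the paragraphs above (this is not code from the original article), the following Python script walks a file tree for a hypothetical “.locked” suffix and ransom-note file name, takes the oldest match as the first encryption artifact, and then picks the newest backup snapshot that predates it by a dwell-time margin. The suffix, note name, snapshot dates and sample tree are all constructed for the demonstration.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone


def earliest_encryption_time(root, suffixes=(".locked",), notes=("README_RESTORE.txt",)):
    """Walk `root`; return (mtime_utc, path) of the oldest ransomware artifact, else None.
    The suffix and note name are hypothetical markers: swap in the identified strain's."""
    earliest = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes) or name in notes:
                path = os.path.join(dirpath, name)
                mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
                if earliest is None or mtime < earliest[0]:
                    earliest = (mtime, path)
    return earliest


def choose_restore_point(snapshot_times, first_artifact_time, margin_days=2):
    """Newest off-site snapshot taken at least `margin_days` before the first artifact.
    The margin allows for dormant dwell time; None means no snapshot is trustworthy."""
    cutoff = first_artifact_time - timedelta(days=margin_days)
    candidates = [t for t in snapshot_times if t <= cutoff]
    return max(candidates) if candidates else None


def build_sample_tree():
    """Constructed sample: one untouched file, two encrypted files and one ransom note."""
    root = tempfile.mkdtemp(prefix="ransomware-triage-")
    base = datetime(2024, 3, 1, tzinfo=timezone.utc)
    samples = [
        ("docs/report.docx", base),
        ("docs/report.docx.locked", base + timedelta(days=9, hours=2)),
        ("finance/ledger.xlsx.locked", base + timedelta(days=9, hours=1)),  # oldest artifact
        ("finance/README_RESTORE.txt", base + timedelta(days=9, hours=3)),
    ]
    for rel, when in samples:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (when.timestamp(), when.timestamp()))  # backdate the mtime
    return root


def triage_sample():
    """Run the triage over the constructed tree: (first_artifact_time, restore_point)."""
    first_time, _path = earliest_encryption_time(build_sample_tree())
    snapshots = [datetime(2024, 3, d, tzinfo=timezone.utc) for d in (2, 7, 9, 10)]
    return first_time, choose_restore_point(snapshots, first_time)
```

With the constructed data the first artifact is dated 10 March 01:00 UTC, so the 9 March snapshot falls inside the two-day margin and the 7 March one is chosen; on a real machine you would also compare against the dates your investigation establishes.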
You’ll need to reinstall your OS and software applications from the source media or the internet. You should be able to reactivate accounts for applications that require it. If you use a password manager to store your account numbers, usernames, passwords, and other essential information, you can access that information through their web interface or mobile applications. You just need to be sure that you still know your master username and password to obtain access to these programs.
This is going to be a major undertaking that will need many man-hours, depending on the size of your organisation, and some businesses will never recover.
5. Plan for prevention
At the beginning of this article we posed the question and answer…
How do you recover from a Ransomware attack? Don’t get infected in the first place!!
Which brings us to planning for prevention. More often than not, ransomware infections start from one of two human failings:
- Weak credentials that are used multiple times. (Read “How Safe Are Your Online Accounts”)
- Clicking on a link or infected attachment
This is an ideal opportunity for educating your employees. A number of resources are available on the internet, and we may even provide some articles ourselves in the future, but for now I would recommend taking a look at the resources at KnowBe4.
That about wraps it up for now, but if you have not read part 1 of this article it is entitled “What is a ransomware attack and who are the true victims?”