More than a third of global organizations have experienced a ransomware attack or breach in the past 12 months. Fortinet research shows the average number of weekly ransomware attacks increased by nearly 1000%, from about 14,000 in June 2020 to 149,000 in June 2021. Extortion demands have also skyrocketed—the average demand in H1 2021 is 518% more than it was in H1 2020.
From hospitals to education, retail to finance, manufacturing to critical infrastructure, supply chain to SMBs, ransomware is wreaking havoc across every industry. Ransomware is no longer a case of “if” but a case of “when.” Should your organization be hit by ransomware, the six steps below can help security teams identify, contain, and mitigate the threat.
STEP 1: DISCONNECT THE NETWORK
Isolate the infected computer immediately from any network it is connected to. You might not want to unplug storage devices if they have already been encrypted. Refrain from erasing anything, cleaning up files, or running any kind of anti-malware tool. Check the properties of the encrypted files to identify “patient zero” (the first infected computer). Disabling connectivity at the network devices themselves is the best course of action, because it stops the spread without requiring someone to physically or remotely visit every affected device.
STEP 2: DETERMINE THE SCOPE OF THE INFECTION
Evaluate how much of your file structure is compromised or encrypted. Determine whether patient zero had access to shared or unshared drives, external hard drives and USB devices, network storage, or cloud storage, and check each of these for signs of infection or encryption. Confirm whether the system registry and file listings are encrypted. If you have backups, verify that they are intact and up to date. Remember that ransomware can reach other computers on your network even if nothing was directly shared with them: as long as patient zero is connected to a shared network, drive, or folder, ransomware can replicate and install itself on other machines (much like a biological virus or a worm).
STEP 3: VERIFY IF DATA OR CREDENTIALS WERE STOLEN
Most ransomware infections exfiltrate data. Determine whether your data or login credentials have been compromised and, if so, how much and which. Check your logs and data leakage prevention (DLP) software to establish what data was stolen. Look for large unauthorized archives (e.g., .zip, .arc, .7z) that contain your data; these may have been used as staging files. Review system records, together with any malware, tools, and scripts left behind, to determine whether data was copied. Most ransomware infections display a notification or message if they have successfully stolen your data. Don’t take this lightly: if attackers say they have copied your data, they are not bluffing.
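An added triage script covering Steps 2 and 3 (example code written for this page, not the author's or KnowBe4's): it walks a share, flags files whose first 4 KiB look encrypted and sorts them by modification time so the oldest one points at patient zero, and lists large, recently written archives as candidate exfiltration staging files. The archive extensions, the 7.5 bits/byte entropy threshold, the 50 MiB size floor and the 72-hour window are assumptions, and the sample share it builds is constructed for the demonstration.

```python
import math
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

# Assumptions for this example: these archive extensions are worth flagging as possible
# exfiltration staging, and head entropy >= 7.5 bits/byte marks a file as encrypted.
ARCHIVE_EXT = {".zip", ".arc", ".7z", ".rar", ".tar", ".gz"}
ENTROPY_THRESHOLD = 7.5

def shannon_entropy(data: bytes) -> float:  # 8.0 = uniformly random, as ciphertext is
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: Path, sample: int = 4096) -> bool:
    with open(path, "rb") as fh:                     # only the head of the file is sampled
        return shannon_entropy(fh.read(sample)) >= ENTROPY_THRESHOLD

def triage(root, archive_min_bytes=50 * 1024 * 1024, since_hours=72):
    """Return (earliest encrypted file, encrypted count, recent large archives): the
    oldest encrypted file hints at patient zero, the archives at exfiltration staging."""
    cutoff = time.time() - since_hours * 3600
    encrypted, staging = [], []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        st = p.stat()
        if p.suffix.lower() in ARCHIVE_EXT:          # archives are compressed; skip entropy
            if st.st_size >= archive_min_bytes and st.st_mtime >= cutoff:
                staging.append((str(p), st.st_size))
        elif looks_encrypted(p):
            encrypted.append((st.st_mtime, st.st_uid, str(p)))   # uid is 0 on Windows
    encrypted.sort()
    return (encrypted[0] if encrypted else None), len(encrypted), sorted(staging)

def build_sample_tree() -> str:  # constructed share: 2 encrypted docs, 1 clean, 1 staging zip
    root, now = tempfile.mkdtemp(prefix="ransom-triage-"), time.time()
    ciphertext = bytes(range(256)) * 16              # 4 KiB with entropy exactly 8.0
    for rel, body, age_s in [("ws01/report.docx.locked", ciphertext, 600),  # oldest
                             ("ws02/budget.xlsx.locked", ciphertext, 60),
                             ("ws02/readme.txt", b"quarterly report text\n" * 200, 60),
                             ("ws01/export.zip", b"PK" + bytes(2046), 30)]:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
        os.utime(p, (now - age_s, now - age_s))
    return root
```

Run `triage(build_sample_tree(), archive_min_bytes=1024)` to see it on the constructed share; on a real share keep the default size floor so ordinary compressed documents are not reported as staging.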
STEP 4: KNOW THE RANSOMWARE STRAIN OR VERSION
Knowing your adversary is a critical step in crafting an effective response plan. Security teams must invest time in identifying the ransomware strain (for example, Ryuk, Dharma, or SamSam). Each ransomware family or version follows a standard pattern of encryption and exfiltration: some are costlier than others, some offer more payment options than others, and some exfiltrate data while others do not. Consult a security professional or spend time going through the various system files to determine the ransomware version.
STEP 5: EVALUATE YOUR OPTIONS
Once the scope of damages and particular strain of ransomware are ascertained, a more informed decision on subsequent actions can be made. If no data was exfiltrated, you usually have four choices.
1. Restoring from a recent backup: Restoring backups (provided they’re intact) is a no-brainer; however, you have to consider the time factor too. Downloading terabytes of data from a cloud backup is time-consuming, and sometimes victims are under tremendous pressure to get their services back online. Consider restoring shadow copies, although recent forms of ransomware are known to erase shadow copies.
2. Decrypt using a third-party decryptor: If you’re lucky, one of the older ransomware strains has a decryptor available online. Before you download a potential antidote, verify if it’s endorsed by a reputable source. It’s always wise to check with a professional before you experiment.
3. Do nothing: If one is not concerned with the impact of the breach, doing nothing is probably the best option. Remember to rid your machine of all forms of malware, install fresh software, and put defenses in place to avoid repeat incidents.
4. Pay the ransom: Once you have run out of all other options, paying the ransom might be your only choice. Note that many victims don’t receive their data post-payment. Contact a professional negotiator who can help negotiate the extortion demand.
STEP 6: PROTECT YOURSELF FROM FUTURE ATTACKS
Most ransomware victims suffer repeat attacks because they treat the symptoms and not the causes. Protecting your business from attack requires a multi-layered defense strategy. This includes a combination of:
• Backups (software-based, hardware-based, cloud-based or a combination).
• Users (regular security awareness training and simulation exercises).
• Advanced security tools (next-gen firewalls; endpoint detection and response; anti-phishing; multi-factor authentication; vulnerability management; zero-trust, etc.).
• Data and credential theft protection (DLP tools, SIEM, logs, and network analysis).
If at all possible, don’t succumb to extortion demands. Paying the ransom will only encourage more ransomware crime. The FBI and CISA (Cybersecurity & Infrastructure Security Agency) do not recommend paying the ransom, and certain states have already proposed a ban on ransomware payments. Contact your local FBI field office instead or the Internet Crime Complaint Center. Ransomware response advice can also be found at the CISA website.
Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., the world’s largest Security Awareness Training and Simulated Phishing platform.