Make no mistake, a cyber crisis is just around the corner. Per recent research, 80% of 1,100 organizations surveyed claimed to have been hit by a ransomware attack last year. Even the Cybersecurity and Infrastructure Security Agency (CISA) indicated that 2022 could be yet another banner year for ransomware.
If your organization is hit by a ransomware attack, the following eight steps can help with identification, containment, remediation, and recovery.
1. DETERMINE IF IT’S A REAL RANSOMWARE ATTACK
Some malware (e.g., scareware) merely claims to have encrypted or locked a machine; under the hood, the files are still intact. Confirm that files have actually been encrypted: look for unfamiliar extensions appended to documents, files that no longer open in their usual applications, and ransom notes dropped into affected directories. Then check whether the problem is confined to one device or has spread across multiple systems and locations.
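The checks above can be scripted for a first pass over a file share. The following is an added example, not code from the original article or from KnowBe4: it walks a directory, treats files with ransomware-style extensions or ransom-note names as suspicious, and for everything else compares the file header against a short table of known magic bytes before falling back to a byte-entropy test (ciphertext sits near 8 bits per byte, plain text around 4 to 5). The extension list, note-name markers, magic table, and the sample tree it builds in a temporary directory are all constructed for illustration; tune them to your environment before relying on the verdicts.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Extensions commonly appended by ransomware families (illustrative, not exhaustive).
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc", ".ryk", ".dharma"}
# Leading bytes of common file types; a header that still matches means the file is intact.
KNOWN_MAGIC = {
    b"%PDF": "pdf", b"PK\x03\x04": "zip/office", b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg", b"MZ": "windows executable", b"\x7fELF": "elf",
}
# Filename fragments typical of ransom notes (illustrative).
NOTE_MARKERS = ("how_to_recover", "how_to_decrypt", "readme_for_decrypt",
                "restore_files", "decrypt_instructions")
ENTROPY_THRESHOLD = 7.0  # bits per byte; plain text ~4-5, compressed/encrypted data ~8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_size: int = 4096) -> str:
    """Return 'ransom_note', 'likely_encrypted' or 'intact' for one file."""
    name = path.name.lower()
    if any(marker in name for marker in NOTE_MARKERS):
        return "ransom_note"
    if path.suffix.lower() in RANSOM_EXTENSIONS:
        return "likely_encrypted"
    with path.open("rb") as f:
        head = f.read(sample_size)
    # A recognised header beats the entropy test: zips and images are high-entropy but fine.
    if any(head.startswith(magic) for magic in KNOWN_MAGIC):
        return "intact"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "likely_encrypted"
    return "intact"


def triage(root: Path) -> dict:
    """Classify every file under root; paths are reported relative to root."""
    result = {"likely_encrypted": [], "ransom_notes": [], "intact": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            verdict = classify_file(p)
            key = "ransom_notes" if verdict == "ransom_note" else verdict
            result[key].append(p.relative_to(root).as_posix())
    return result


def pseudo_random_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_tree(root: Path) -> None:
    """Constructed sample share: intact files, two encrypted ones, one ransom note."""
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "finance" / "q3_report.pdf").write_bytes(b"%PDF-1.4\n" + b"Quarterly revenue summary. " * 50)
    (root / "finance" / "q3_budget.xlsx.locked").write_bytes(pseudo_random_bytes(8192, b"locked"))
    # Encrypted in place with the original name kept: only the entropy test catches this one.
    (root / "finance" / "contracts.docx").write_bytes(pseudo_random_bytes(8192, b"docx"))
    (root / "finance" / "HOW_TO_RECOVER_FILES.txt").write_text("Your files are encrypted. Contact ...\n")
    (root / "notes.txt").write_text("Meeting notes: follow up with vendor on Monday.\n")
    (root / "backup.zip").write_bytes(b"PK\x03\x04" + pseudo_random_bytes(4000, b"zip"))


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fileshare"
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

Run it against a mounted copy of a suspect share, not the live system, and treat the output as a lead for the incident response team: a handful of high-entropy files with their original names can be legitimate (compressed archives without a standard header, encrypted containers), but hundreds of them next to a ransom note are not.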
2. DECLARE A RANSOMWARE EVENT AND COMMENCE INCIDENT RESPONSE
Once security teams determine it is ransomware, immediately notify the executive team, legal, communications, HR, and other key stakeholders. Check the cyber insurance policy's notification terms early: many policies require prompt notice, and some carriers provide hands-on incident response resources. Document the entire response, with timestamps, so that evidence is retained for prosecution or post-incident analysis.
3. DISCONNECT THE NETWORK
If security teams discover that ransomware is hitting more than one location or more than one device, disconnect the network. Networking can be re-enabled later during recovery and restoration. Disable connectivity at the switches, firewalls, VPN concentrators, and internet uplinks rather than relying on each host, and keep the affected machines powered on but isolated: memory may still hold encryption keys or other evidence that is lost on shutdown. The exception is wiperware (destructive malware, often disguised as ransomware, that deletes or overwrites data instead of encrypting it); if a wiper is suspected, power those devices off immediately, since stopping further destruction outweighs preserving volatile evidence.
4. ASCERTAIN THE SCOPE OF THE EXPLOITATION
It’s time to deep dive into the nature of the attack and the extent of the damage. What did and didn’t get hit? What locations? What operating systems? What types of files? What got compromised? Has data been stolen? Is it more than one machine? What type of ransomware strain is it (Ryuk, Dharma, SamSam, Conti, etc.)?
Check logs from data loss prevention, web proxy, and firewall systems for large or unusual outbound transfers. Unexpectedly large archives (e.g., zip, rar, 7z) containing sensitive information, staged in unusual locations, are a common sign of data that was collected for theft. Scan for the malware, tools, and scripts used for reconnaissance and exfiltration. Verify that backups are intact, that they are not themselves encrypted, and that the attacker did not delete shadow copies or cloud backup generations. To gauge credential exposure, check whether the organization's accounts and passwords appear in public breach corpora such as haveibeenpwned.com or MyPwd; never submit live passwords in plaintext to a third-party site, and prefer a lookup method that sends only a partial hash.
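Checking passwords against a breach corpus without disclosing them is what the Pwned Passwords range API on haveibeenpwned.com is built for: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every suffix in that range with its breach count, so the password (and its full hash) never leave the machine. The block below is an added example and not code from the original article or from Have I Been Pwned. It implements that k-anonymity lookup, and includes a network fetch against the real endpoint for use outside the test; the mock lookup, its "breached" passwords, and their counts are constructed so the example runs offline.

```python
import hashlib
from typing import Callable, Dict, Iterable, Tuple
from urllib.request import Request, urlopen

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix sent
    to the API and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank and malformed lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup. Add-Padding asks the API to pad the range with count-0 decoys
    so response size does not leak which range was queried."""
    req = Request(PWNED_RANGE_URL + prefix,
                  headers={"User-Agent": "ir-credential-check", "Add-Padding": "true"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_lookup: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def audit_passwords(candidates: Dict[str, str],
                    range_lookup: Callable[[str], str] = fetch_range) -> Dict[str, int]:
    """Map each account label to its breach count; labels, not passwords, go in reports."""
    return {label: pwned_count(pw, range_lookup) for label, pw in candidates.items()}


# Constructed stand-in for the API: two "known-breached" passwords with made-up counts.
_MOCK_BREACHED = {"password": 3_000_000, "Summer2022!": 1_200}


def mock_range_lookup(prefix: str) -> str:
    """Offline substitute for fetch_range returning the same SUFFIX:COUNT format,
    including a count-0 padding line as the real API does with Add-Padding."""
    lines = []
    for pw, count in _MOCK_BREACHED.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("0" * 35 + ":0")
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the account labels and passwords are not real.
    sample = {"svc-backup": "password", "j.doe": "Summer2022!", "admin-vault": "x9#Lq!vT2pWz8mRb"}
    for label, count in audit_passwords(sample, mock_range_lookup).items():
        print(f"{label}: {'breached ' + str(count) + ' times' if count else 'not found'}")
```

During an incident the inputs are usually a list of accounts from a reset campaign or a password dump recovered from the attacker's staging directory; pass a real `range_lookup` to query the live API, rate-limit the loop, and record only the labels and counts, never the passwords themselves.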
5. LIMIT INITIAL DAMAGE
By now security teams should have severed network and internet connectivity so the attacker can no longer reach command-and-control infrastructure, move laterally, or trigger further encryption. Many ransomware incidents are the final stage of an earlier, unresolved compromise (e.g., TrickBot, Dridex, or Emotet infections that sold or handed off access). Identify and remove any such footholds, or the attacker will simply return. It is usually wise to bring in experienced incident responders at this stage.
6. SHARE INFORMATION ACROSS TEAMS
Security teams should share what is known across the organization so everyone works from a common understanding of the damage. Confirm that stakeholders agree with the initial assessment; only when everyone is on the same page can the organization settle on an effective response.
7. DETERMINE RANSOMWARE RESPONSE
While paying the ransom is not recommended, data shows that 60% of businesses pay. An organization that does decide to pay must first confirm that payment is legal (in the U.S., paying a sanctioned entity can violate sanctions law), and should understand that a paid-for decryptor may be slow, buggy, or incomplete. The alternative is to forgo the ransom and restore from backups, repairing or rebuilding systems. Rebuilding from known-good images is safer: repairing in place can leave the attacker's persistence mechanisms and original entry point intact, which matters given that 80% of victims suffer repeat attacks.
8. RECOVER THE ENVIRONMENT
Focus on mission-critical applications first to get the business running, and map their dependencies ahead of time. Rebuild or repair core infrastructure (DNS, the IP addressing scheme, DHCP, Active Directory) before the application tier, and make sure security tooling is running and monitoring as soon as systems come back online. Assume all passwords were stolen: reset every system, login, email, and service account credential (including, if Active Directory was compromised, the KRBTGT account). Instruct users to adopt a commercial password manager and never reuse a password. Do not perform recovery on the original affected disks; take a forensic image of each drive, record its hash, and recover onto wiped or fresh hardware so evidence is preserved. Test restored systems and applications end to end before full roll-out to confirm they work as expected.
Finally, ransomware is a symptom, not the problem. Make fixing the issues that led to the ransomware incident your priority. Prevention will always be better and cheaper than the cure. No organization is truly immune from ransomware. More detailed advice on ransomware response can be found on the federal CISA website.
Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., the world’s largest Security Awareness Training and Simulated Phishing platform.