An all-out attack on a company network usually causes havoc. Normal operation ceases for the most part, and the entire organisation switches to "emergency mode". Bouncing back from that can be a challenge that might take weeks or months. Here are some practical considerations.
Ransomware attacks are still on the rise, and they will probably never go away. Organisations must assume that sooner or later they will be confronted with a ransomware or other malware attack, so preparation is the key. Below we have summarised the steps and actions a company or organisation should take when it becomes the victim of a ransomware attack. The primary goal is to make sure you do not have to improvise when disaster strikes: improvising under pressure leads to additional mistakes, and those can cost you even more data. Once your preparations are in place (i.e. your emergency and contingency plans exist and have been tested in an exercise), make sure they also include a process to keep everything up to date; a plan that names people who have left or systems that have been replaced is of little use on the day. The steps below are the minimum you should follow in the event of a cyberattack. Be aware that recovering from a cyberattack is rarely done in a few hours and is more likely to take weeks or months.
To prevent the further spread of ransomware, isolate infected devices as much as possible. This means taking the devices off the network: unplug network cables and disconnect any other connections, including Wi-Fi. If your network is segmented, consider disconnecting the entire potentially infected segment. While it may be tempting to shut down infected systems, avoid doing so: powering off destroys volatile evidence (running processes, network connections, and in some cases encryption keys still held in memory) that an incident response team needs for a thorough investigation, and it gives you no protection that network isolation does not already provide. Keep the systems running but disconnected, and call in an incident response team. Act quickly to limit the impact: by the time the ransomware is deployed, the attackers have usually been established in your environment for some time. If your infrastructure contains potentially affected virtual machines, take snapshots of them (including memory state where the hypervisor supports it) and store the snapshots in a secure location the attackers cannot reach.
To identify which devices have been infected, look for recently encrypted files with unusual file extensions and for reports from users who cannot open their files. Isolate and disable devices that have not yet been fully encrypted, to stop the ransomware from spreading further. Make a comprehensive list of all affected systems, including NAS devices, cloud storage, external hard drives, smartphones and laptops, and consider locking shares to stop ongoing encryption and to keep other shares from being hit. Before you isolate and disable devices, review the encrypted shares to gather additional information about the attack. For example, if one client has a far higher number of open files on a share than normal, it may be the first infected device in the chain, since the encryption process holds files open while it rewrites them. Also check for alerts from your anti-malware system or monitoring platform, and find out what people have been doing with emails and attachments. File properties can provide clues too, such as the account listed as the owner of the newly written files, which points to the compromised user or service account. Remember that most ransomware enters networks through malicious email links and attachments, so be cautious when handling these.
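The following script is an added example of the triage described above; it is not code from the original article. It walks a share, flags files that were modified within the incident window, carry an extension you do not expect on that share, and whose content is high-entropy (encrypted data looks random), and groups the hits by extension and by file owner so the owner points at the account that wrote them. The expected-extension list and the sample share built by build_sample_tree() are assumptions constructed for this example.

```python
"""Triage helper: find files that look freshly encrypted by ransomware.

Added example, not code from the original article. The sample share
created by build_sample_tree() is constructed for this example.
"""
import math
import os
import tempfile
import time
from collections import Counter
from pathlib import Path
from typing import Optional

# Extensions normally present on the share. Assumption for this example;
# adjust it to the file types your file servers actually hold.
EXPECTED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted or compressed
    data, much lower for plain documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_bytes: int = 4096, threshold: float = 7.5) -> bool:
    """Sample the head of the file; random-looking content scores above threshold."""
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(sample_bytes)) >= threshold


def scan(root: Path, max_age_seconds: int = 24 * 3600, now: Optional[float] = None) -> dict:
    """Return suspected ransomware output under root, grouped for triage."""
    now = time.time() if now is None else now
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        if now - st.st_mtime > max_age_seconds:
            continue  # untouched since before the incident window
        ext = path.suffix.lower()
        if ext in EXPECTED_EXTENSIONS:
            continue  # expected types are skipped: a JPEG is high-entropy but legitimate
        if not looks_encrypted(path):
            continue  # e.g. a ransom note is plain text, not an encrypted file
        # st_uid is the POSIX owner; on Windows read the owner from the
        # file's security descriptor instead.
        hits.append({"path": str(path.relative_to(root)), "ext": ext, "owner": st.st_uid})
    return {
        "hits": hits,
        "by_extension": Counter(h["ext"] for h in hits),
        "by_owner": Counter(h["owner"] for h in hits),
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample share: normal documents plus files rewritten by a
    hypothetical ransomware that appends '.locked' and drops a note."""
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "hr").mkdir(exist_ok=True)
    (root / "finance" / "budget.xlsx").write_bytes(b"quarterly budget figures " * 200)
    (root / "finance" / "budget.xlsx.locked").write_bytes(os.urandom(4096))
    (root / "finance" / "README_RESTORE.txt").write_bytes(b"Your files are encrypted. " * 40)
    (root / "hr" / "contract.pdf.locked").write_bytes(os.urandom(4096))
    (root / "hr" / "photo.jpg").write_bytes(os.urandom(4096))  # legitimate binary, skipped


def demo() -> dict:
    """Build the sample share in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    result = demo()
    for hit in result["hits"]:
        print(f"{hit['owner']:>6}  {hit['ext']:<10} {hit['path']}")
    print("by extension:", dict(result["by_extension"]))
    print("by owner:", dict(result["by_owner"]))
```

On the sample share only the two .locked files are reported; the ransom note is plain text and photo.jpg has an expected extension, which is why both signals are required rather than entropy alone. Run it against a copy of the affected share, or a read-only mount, rather than the live server, and combine the owner column with the file server's open-file list (on Windows, Get-SmbOpenFile shows the client holding each file) to find the first infected client.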
Check whether your insurance contract includes incident response coverage, in which case the insurer can send in a team to address the incident. If not, you may need to hire a professional incident response team yourself to assess the attack vector and point of intrusion and to implement appropriate mitigation measures. This type of help is often provided by your anti-malware vendor or by specialised service providers or resellers. Alternatively, you may have internal expertise that can be used to respond to the attack. Whichever approach you take, it is important to have the necessary resources in place to assess and mitigate the attack effectively. When contacting an incident response provider, have as much information at hand as possible. Most important are the nature of the incident, the number of affected systems, the actions already taken, and the indicators and timeline of when the attack was noticed.
If you don't have a usable backup, there's still a chance you can get your data back. Free decryption tools and keys for a number of ransomware families can be found on No More Ransom ( https://www.nomoreransom.org/en/index.html ). Please note that even with a decryption key it can take weeks to recover the files. The reason is that decryption tools are not optimised for speed, even when they come from the ransomware group itself. This makes sense from the criminals' point of view: their main focus is to encrypt quickly and efficiently so they can demand a ransom as early as possible. The performance of their decryption tools is not a primary concern for them.
One point is very important, and we have already written a full blog post about it a while ago: we strongly advise against paying ransoms! Keep in mind that the attackers are interested in financial gain, so they will try every means to extort more money from you. Be careful when dealing with them. Hiring a professional negotiator is not a panacea either: there have been many cases in which the ransom sum doubled after a negotiator was hired, so a negotiator is not always the best solution. And there is no guarantee that you will receive working decryption keys from the cybercriminals even if you pay.