So far in this series we've talked about how to protect yourself from getting (or spreading) ransomware and other malware through the various threat vectors. Now we are going to take a look at what to do if ransomware gets through your multiple layers of security and actually infects your network.
First, let's talk about what you don't want to do, which is pay the ransom. Several things may happen when you capitulate to the criminals:
- They might not release your data. There's no guarantee that you will be able to decrypt your data just because you've paid the ransom.
- You could be targeted in future attacks, and the ransom amounts will be higher. Criminals now know you are willing to pay, and they will punish you for not ‘learning your lesson' the first time.
- You contribute to the success of the criminals, and encourage them to continue spreading ransomware.
So if you don't want to pay the ransom, what should you do?
Quarantine the system and protect what you can: Stop the spread of the ransomware as quickly as you can. Unplug the infected PC from the network, disconnect network shares, unplug USB drives, and so on.
Assess the damage: Exactly what was encrypted? How many systems were affected? Is it limited to one system, or did it spread across the network? Were there multiple sources of infection?
Identify the ransomware: Procedures to remove the ransomware and decrypt your files will depend on what type of ransomware it is. There are tools (and more tools) and information online to help you in this process.
Remove the malware: Antivirus, malware removal tools, and manual repairs may be needed here. If you've been lucky enough to minimize the outbreak, this might not take long. You should also consider running further scans to see if anything is hiding on your network.
Decrypt your files: If the ransomware has a decryption tool, you may find it here. You can use this to decrypt your files without paying the ransom.
Restore using disaster recovery tools: Regular backups, shadow volume copies, current system restore images, and other data protection tools can be used to restore the files that cannot be decrypted. You might also need to use these tools to ensure that your infected system has been restored to a clean image.
Investigate the cause: Data is available and your systems are running, but you aren't done yet. Now you need to be sure that you know exactly how this ransomware infected your network. You may need to question users, examine system logs, and run scans on servers or other systems that didn't appear to be affected by the incident. Until you know how your systems were infected, you cannot be sure it won't happen that way again.
Prevent future infections: Upon identifying the cause and source of infection, take action to defend that attack surface. Was it an email attachment detonated by a user? You may need to update or upgrade your email defenses so that suspicious attachments are detonated in a sandbox. Was a system infected by a drive-by download? You may need a better web security gateway to prevent that type of attack. Did a careless user try to install a malicious file, thinking it was a free application? It may be time to update or reinforce your user training.
Check disaster recovery: Once you have completed removal, restoration, and investigation, it's time to make sure your disaster recovery tools are back in place and configured properly. Did you move any critical data? Was anything changed during your recovery process? This is where you make sure your backup is still backing up the right things. If you had to bring your offsite storage on-site for recovery, it's time to re-set it and take it offsite again.
Think about the next attack: You probably learned some things during the incident. Your backups aren't organized well enough, your users don't recognize risky online behavior, or your anti-virus is configured improperly and is either too slow or not comprehensive enough. Now is the time to think about solutions for any problems you've found, and to mentally walk through what you might do better if this happened again. From there you can develop a plan to address anything that needs to be changed.
Of course, the above steps are just a framework to help keep you on track. It's easy to get overwhelmed when a disaster strikes, and you want to have some idea of what steps to take before it happens. All of this assumes that you are already doing the basic best practices: up-to-date antivirus and anti-malware, current backups, robust email protection, and good knowledge and documentation of your network infrastructure. If you don't have this in place, you should start working on it as soon as possible.
If you are infected by ransomware, you may find yourself in a position where it is better to pay the ransomware. You either don't have backups, you don't have the expertise to decrypt the ransomware, or it's just such a small ransom that you're willing to take the risk. That's a choice that each victim has to make for himself. The important thing for you is that you take action to prevent being infected again.