Most realizations of a ransomware attack begin with a profound feeling of “oh shit”. Staff begin reporting they are unable to open or access files. When you investigate you see that file names or extensions have been changed and there are documents with ransom payment instructions. You have become the victim of a ransomware attack. The question now is, how do you deal with a ransomware attack and what do you do?
What is ransomware?
Ransomware is a type of malware that holds your data, information or systems hostage until a sum of money is paid. Ransomware exploits cyber security vulnerabilities on computers, systems and servers that are open to infection or have not been patched. Ransomware will encrypt any data it can gain access to and demand that a sum of money be paid to regain access to the data.
So what do you do if you get a ransomware attack?
1. Go offline
The best advice in this situation is to go offline immediately. Take all your systems offline, unplug network cables, turn off the WiFi. If you are lucky and have been alerted to the attack early, the ransomware may still be in the early stages of its attack and may not yet have had a chance to spread across the network.
2. Find the ransomware attack point of infection
You need to find which user or device was originally infected so you can eliminate the threat. Until you can be sure that the source of infection has been found and cleaned, there is too much risk in bringing any systems back online: some forms of malware may remain dormant and attack again after you recover or restore systems. You may need to disable the user’s access or wipe their devices to ensure the threat is stopped.
3. Find the infection delivery method
Once you know who got infected, you need to find out how. Find out from the staff member if they received any suspicious emails and opened links or attachments from them. Most ransomware is delivered through email so the chances are that other staff in your organization also received the same email. If you can identify it then alert all other staff about it so nobody else makes the same mistake.
4. Assess the ransomware attack damage
Once things have calmed down you will need to assess the damage and find out exactly what has been infected. Search across all shared and local storage for encrypted files and folders as this will help you plan for recovery. If possible find out what type of ransomware you have been attacked with.
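As an added example (not part of the original article), here is a read-only Python survey of a storage tree for this step: it flags ransom-note files, files whose contents look encrypted, and tallies the extensions those files carry. The note keywords, entropy threshold, compressed-format list and sample files are assumptions constructed for illustration.

```python
import math, os, tempfile
from collections import Counter
# Assumptions (not from the article): the note keywords, the 7.5 bits/byte
# threshold and the list of naturally compressed formats are illustrative.
NOTE_WORDS = ("readme", "decrypt", "recover", "ransom")
COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".docx", ".xlsx", ".pdf"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess(root: str, sample: int = 65536, threshold: float = 7.5) -> dict:
    """Walk root read-only and sort files into ransom notes, likely-encrypted, clean."""
    report = {"notes": [], "encrypted": [], "clean": [], "extensions": Counter()}
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            stem, ext = os.path.splitext(name.lower())
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                continue  # unreadable file: skip rather than abort the survey
            if ext in (".txt", ".html", ".hta") and any(w in stem for w in NOTE_WORDS):
                report["notes"].append(rel)
            elif ext not in COMPRESSED and entropy(head) > threshold:
                report["encrypted"].append(rel)
                report["extensions"][ext] += 1  # a common extension hints at the family
            else:
                report["clean"].append(rel)
    return report

def demo() -> dict:
    """Build a constructed sample share in a temp directory and assess it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        samples = {  # constructed sample files, not real incident data
            "finance/budget.xlsx.locked": os.urandom(8192),  # stands in for ciphertext
            "finance/HOW_TO_DECRYPT.txt": b"Your files are encrypted...",
            "notes.txt": b"meeting at 10am, bring the quarterly figures\n" * 50,
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return assess(root)
```

Entropy alone misses very small files and cannot tell ciphertext from already-compressed formats, so treat the renamed extensions and ransom notes as the stronger signals when building the recovery list.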
5. Recovery from a ransomware attack
Although the chance is very slim, you may have been attacked with an older form of ransomware for which the encryption has been broken. If you have no backups this may be your only chance of recovery. If you have backups, great: now is the time to go to your last good backups and begin the recovery process by restoring the data. If you have entire systems that have been encrypted or infected it may be worthwhile to rebuild them or restore the entire system from backup as well.
6. Review security and procedures
Once you have recovered from a ransomware attack, it is the best time to review your security and find out exactly what happened and how. Look at who got attacked and how far the infection spread. Ransomware attacks from the system or user that was infected, so everything they can access, the ransomware can access too. Is there anything they should not have been able to access? Also consider changing passwords and updating accounts. Some ransomware can also steal data.
Use a tool like Bitdefender to help protect your computer and prevent ransomware-specific infections.
7. Get your systems and mitigation strategies up to date
In most cases, up-to-date systems and cyber security prevention tools will prevent a ransomware attack. When a vulnerability is found, the vendor, such as Microsoft or Apple, will update their software very quickly. Make sure that in future you keep up to date.
8. Educate your team
Finally, use the opportunity to educate yourself and staff about what happened, how it happened and what they need to look out for in the future to prevent another such occurrence.
Worried about a ransomware attack?
Speak to the experienced team at Stanfield IT on 1300 910 333