Most organizations realize they are under a ransomware attack in much the same way. Staff begin reporting that they are unable to open or access files. When you investigate, you see that file names or extensions have been changed and that there are documents with ransom payment instructions. You have become the victim of a ransomware attack. The question now is: how do you deal with a ransomware attack, and what do you do?

Go Offline

The best advice in this situation is to go offline immediately. Take all your systems offline, unplug network cables, turn off the WiFi. If you are lucky and have been alerted to the attack early, the ransomware may still be in the early stages of its attack and may not yet have had a chance to spread across the network.

Find the Ransomware point of infection

You need to find which user or device was originally infected so you can eliminate the threat. Until you can be sure that the source of infection has been found and cleaned, it is too risky to bring any systems back online: some forms of malware may remain dormant and attack again after you recover or restore systems. You may need to disable the user’s access or wipe their devices to ensure the threat is stopped.

Find the infection delivery method

Once you know who got infected, you need to find out how. Ask the staff member whether they received any suspicious emails and opened links or attachments from them. Most ransomware is delivered through email, so the chances are that other staff in your organization also received the same email. If you can identify it, alert all other staff about it so nobody else makes the same mistake.

Assess the Ransomware Attack damage

Once things have calmed down, you will need to assess the damage and find out exactly what has been infected. Search across all shared and local storage for encrypted files and folders, as this will help you plan for recovery. If possible, find out what type of ransomware you have been attacked with.
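One way to run the search described above, as an added example that is not part of the original article: it flags files whose leading bytes are near-random and carry no recognised file header, then counts hits per folder and per extension to help plan recovery. The entropy threshold, the header list, the constructed sample tree and the `.locked` extension are assumptions made for this illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # assumed cut-off in bits per byte; encrypted data sits near 8.0
SAMPLE_BYTES = 64 * 1024  # only the start of each file is read
# Compressed formats are also high-entropy, so a valid known header rules a file out.
KNOWN_MAGIC = (b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"\x1f\x8b", b"%PDF", b"7z\xbc\xaf")

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def looks_encrypted(path: str) -> bool:
    """True when the file's first bytes are near-random and carry no known header."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    return not head.startswith(KNOWN_MAGIC) and shannon_entropy(head) >= ENTROPY_THRESHOLD

def assess(root: str) -> dict:
    """Walk root and summarise suspect files per folder and per extension."""
    report = {"files": [], "by_folder": Counter(), "by_extension": Counter()}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            try:
                if not looks_encrypted(path):
                    continue
            except OSError:
                continue  # unreadable file: skipped here, review it by hand
            report["files"].append(path)
            report["by_folder"][os.path.relpath(folder, root)] += 1
            report["by_extension"][os.path.splitext(name)[1].lower()] += 1
    return report

def build_constructed_sample() -> str:
    """Constructed tree: two normal files and two filled with stand-in ciphertext."""
    root = tempfile.mkdtemp(prefix="assess_demo_")
    os.makedirs(os.path.join(root, "finance"))
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    samples = {"readme.txt": b"Quarterly notes. " * 500, "photo.png": b"\x89PNG\r\n\x1a\n" + noise,
               "finance/budget.xlsx.locked": noise, "finance/payroll.docx.locked": noise[1:]}
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Run `assess()` read-only against a mounted copy or snapshot of the storage rather than from a machine that may still be infected, and treat hits as candidates to confirm, since encrypted archives and some media files are high-entropy by design.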

Recovery from a Ransomware Attack

Although the chance is very slim, you may have been attacked with an older form of ransomware for which the encryption has been broken. If you have no backups, this may be your only chance of recovery. If you have backups, now is the time to go to your last good backups and begin the recovery process by restoring the data. If you have entire systems that have been encrypted or infected, it may be worthwhile to rebuild them or restore the entire system from backup as well.

Review security and procedures

Once you have recovered from a ransomware attack, it is the best time to review your security and find out exactly what happened and how. Look at who got attacked and how far the infection spread. Ransomware attacks from the system or user that was infected, so everything they can access, the ransomware can access too. Is there anything they should not have been able to access? Also consider changing passwords and updating accounts. Some ransomware can also steal data.

Finally, use the opportunity to educate yourself and staff about what happened, how it happened and what they need to look out for in the future to prevent another such occurrence.

Further reading: Ransomware: What your business needs to know

Worried about a Ransomware Attack?
Speak to the experienced team at Stanfield IT on 1300 910 333