Recovering from Attacks: Getting Back to Normal

30/01/2023
G DATA Blog

An all-out attack on a company network usually causes havoc. Normal operation ceases for the most part, and the entire organisation switches to "emergency mode". Bouncing back from that can be a challenge that might take weeks or months. Here are some practical considerations.

Ransomware attacks are still on the rise, and they may never go away. Organizations and companies must assume that sooner or later they will be confronted with a ransomware or malware attack, so preparation is the key. Below we have tried to sum up the different steps and actions for companies or organizations that have become victims of a ransomware attack. The primary goal is to ensure that companies are prepared and do not have to improvise when disaster strikes, since improvising leads to additional mistakes that could result in the loss of even more data. Once your preparations are in place (i.e. your emergency and contingency plans are available and have been tested in an exercise), make sure they also include a process to keep everything up to date. The steps below are the minimum you should follow in the event of a cyberattack. Be aware that recovering from a cyberattack is not always done in a few hours and is more likely to take weeks or months.

1. Assess the Damage

  • One of the first actions to take in response to a ransomware attack is to assess its extent by identifying which data has been encrypted and which may have been exfiltrated. This information is crucial for developing an effective response plan, because it lets you understand the internal and external implications of the attack and formulate a plan to address them. To determine the extent of the attack, identify which data was stored or processed on the encrypted machines and search for any evidence that data was exfiltrated.

2. Isolate

To prevent the further spread of ransomware, it is important to isolate infected devices as much as possible. This means removing the devices from the network and disconnecting any network cables or connections, including Wi-Fi networks. If your network is segmented, you may also want to consider disconnecting the potentially infected network segment. While it may be tempting to shut down infected systems, it is important to avoid doing so as there may still be active malware present that could cause additional damage. Instead, try to keep the systems running so that you can call in an incident response team to conduct a thorough investigation. It is also a good idea to act quickly to limit the impact of the attack, as the attackers may already be well-established in your environment by the time the ransomware is deployed. If your infrastructure contains potentially affected virtual machines, make sure to create snapshots of them and store them in a secure location.

3. Identify

To identify which devices have been infected with ransomware, look for recently encrypted files with unusual file extensions and reports of difficulty opening files. It is also a good idea to isolate and disable devices that have not been fully encrypted to prevent further spread of the ransomware. Make a comprehensive list of all affected systems, including NAS devices, cloud storage, external hard drives, smartphones, and laptops, and consider locking shares to stop ongoing encryption processes and prevent other shares from becoming infected. Before isolating and disabling devices, review the encrypted shares to gather additional information about the attack. For example, if one device has a higher than normal number of open files, it may be the first infected device in the chain. You can also check for alerts from your anti-malware system or monitoring platform and verify what people are doing with emails and attachments. Examining the properties of the files may also provide clues, such as the person listed as the owner of the file. Remember that most ransomware enters networks through malicious email links and attachments, so it is important to be cautious when interacting with these types of content.
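The first check above (recently modified files carrying an unfamiliar extension, grouped by share and owner so the source device can be narrowed down) can be scripted. The following Python script is an added example and is not code from the G DATA post; the allow-list of expected extensions, the made-up `.lckd` extension and the sample share it builds in a temporary directory are all constructed for the example.

```python
import os
import time
import tempfile
from collections import Counter
from pathlib import Path

# Extensions expected on this share. Anything else on a recently modified
# file is flagged for review. Constructed allow-list, not from the post.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}


def find_suspicious_files(root, window_seconds=3600, now=None):
    """Walk `root` and return files modified within `window_seconds` whose
    extension is not in KNOWN_EXTENSIONS.

    Each hit records path, extension, mtime and numeric owner id, so the
    results can be grouped the way the post suggests (which share, which
    owner) when triaging which device started encrypting."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                st = path.stat()
            except OSError:
                continue  # file vanished or unreadable; keep scanning
            ext = path.suffix.lower()
            if now - st.st_mtime <= window_seconds and ext not in KNOWN_EXTENSIONS:
                hits.append({"path": str(path), "ext": ext,
                             "mtime": st.st_mtime, "owner": st.st_uid})
    return hits


def summarize(hits):
    """Tally hits by extension and by owner id; one unfamiliar extension
    with many recent hits is the classic ransomware signature."""
    return {"by_ext": Counter(h["ext"] for h in hits),
            "by_owner": Counter(h["owner"] for h in hits)}


def build_sample_tree():
    """Constructed sample share in a temporary directory: normal files
    with week-old mtimes plus files that were 'encrypted' minutes ago and
    given an appended .lckd extension (a made-up extension)."""
    base = Path(tempfile.mkdtemp(prefix="share_"))
    now = time.time()
    week_ago = now - 7 * 86400
    samples = {
        "finance/q1.xlsx": week_ago,
        "finance/q1.xlsx.lckd": now - 60,
        "hr/contracts.docx.lckd": now - 30,
        "hr/readme.txt": week_ago,
        "it/notes.txt": now - 10,   # recent, but an expected extension
    }
    for rel, mtime in samples.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample content")
        os.utime(p, (mtime, mtime))
    return base


if __name__ == "__main__":
    share = build_sample_tree()
    found = find_suspicious_files(share)
    for h in found:
        print(h["path"], h["ext"], "owner", h["owner"])
    print(summarize(found)["by_ext"])
```

Run it against a mounted share (read-only, and only after the share has been isolated as described in step 2) by passing the mount point to `find_suspicious_files` instead of the sample tree; widening `window_seconds` to the period since the first report lets you see when encryption started on that share.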

4. Get Outside Assistance

It is a good idea to check whether your insurance contract includes incident response coverage where the insurer can send in a team to address the incident. If not, you may need to hire a professional incident response team yourself to assist with assessing the attack vector and point of intrusion and implementing appropriate mitigation measures. This type of help is often provided by your anti-malware vendor or by specialized service providers or resellers. Alternatively, you may have internal expertise that can be utilized to respond to the attack. Regardless of the approach you take, it is important to have the necessary resources in place to effectively assess and mitigate the attack. When contacting an incident response provider, make sure you have as much information at hand as possible. Of greatest importance are the nature of the incident, the number of affected systems, the actions already taken, and the indicators and the timeline of when the attack was noticed.

5. Communicate

  • It is important to communicate sensitive information about the ransomware attack through a separate, secure channel to protect against potential compromise. Even if your mail systems are still functioning, the best course of action is to assume that they may also be compromised and that the attacker has access to them. Therefore, minimize communication on your network and use alternative methods to communicate internally and externally. Consider setting up a secure communication channel, such as Signal or WhatsApp, or using a temporary external conferencing system, and create separate groups for communication. Effective coordination and communication are key to responding to a ransomware attack, so establish a communication plan and follow it closely.

  • Effective communication with the public is critical in the aftermath of a ransomware attack. It is important to communicate early and often with internal staff, suppliers, service providers, and customers to keep them informed about the situation. Hiding the attack is generally not a good idea, as it can damage your brand's reputation. Be transparent with your employees, stakeholders, customers, and the press about the attack, and consider setting up an alternative communication webpage to provide updates and information. Being open and honest with your audience maintains trust and minimizes the negative impact of the attack. Give whatever information you can without giving away details that may compromise the incident response process. Establish Single Points of Truth and Contact and make sure that any and all information is only distributed through those contacts.

6. Manage

  • It is also best to establish a crisis management team to help resolve any conflicts and prioritize the restoration of business functions. This team should be responsible for coordinating all internal and external communication and ensuring that a consistent message is conveyed during the crisis. The crisis management team should also address any legal issues that may arise and work with professionals to develop a communication strategy. The primary role of the crisis management team is to coordinate efforts and ensure that the response to the attack is effective and efficient.

7. Legal

  • In addition to addressing the technical aspects of the cyber attack, it is important to consider any legal obligations you may have to notify authorities of suspected data breaches. Depending on the regulations in your region, you may be required to report a data breach within a certain timeframe to avoid fines or other penalties. For example, under the General Data Protection Regulation (GDPR), if you fail to notify authorities of a data breach involving EU citizen data within 72 hours, your business could be subject to significant fines. It is also a good idea to file a complaint with the appropriate federal or local law enforcement agency to ensure that the attack is properly investigated.

8. Restoring and Bootstrapping

  • Once you have assessed the extent of the cyber attack and taken steps to isolate and secure affected devices, it is time to begin the process of restoring your systems. One of the quickest and easiest ways to do this is to use a recent, uninfected backup to restore your systems. This will allow you to return your systems to a functional state as quickly as possible. It is important to have a reliable and up-to-date backup system in place in case of a ransomware attack or other data loss event. The only potential catch: Depending on how long the attacker has had access to your network infrastructure, there is a possibility that some backups are already compromised. Consult with your incident response team before attempting to restore any machines.
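One concrete way to support the "is this backup still the one we took?" question before restoring is an integrity manifest: a list of file hashes recorded at backup time and stored separately from the backup media. The Python below is an added example, not code from the G DATA post or any backup product; the manifest format, the helper names and the tampering scenario it simulates in a temporary directory are assumptions of the example. Note what it does and does not tell you: a mismatch shows the backup files were altered after the manifest was written, while a clean match does not prove the backed-up data was free of malware when it was captured, which is the question for the incident response team.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backup images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root):
    """Map each file's path (relative to the backup root) to its SHA-256.
    In practice this is written at backup time and kept off-line, apart
    from the backup itself, so an attacker on the network cannot rewrite
    both (assumption of this example)."""
    root = Path(backup_root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(backup_root, manifest):
    """Compare the backup on disk with the stored manifest.

    Returns lists of files whose content changed, files that are missing,
    and files that appeared after the manifest was taken (for instance an
    appended-extension copy or a ransom note dropped into the backup)."""
    current = build_manifest(backup_root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    added = sorted(k for k in current if k not in manifest)
    return {"modified": modified, "missing": missing, "added": added,
            "clean": not (modified or missing or added)}


def demo():
    """Constructed scenario: record a manifest for a small backup, then
    simulate an attacker overwriting one file and adding another before
    the restore is attempted."""
    root = Path(tempfile.mkdtemp(prefix="backup_"))
    (root / "db").mkdir()
    (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);")
    (root / "config.ini").write_bytes(b"[app]\nmode=prod\n")
    manifest_json = json.dumps(build_manifest(root))  # what you would store off-line

    # Tampering after the manifest was written (constructed, .lckd is made up)
    (root / "db" / "customers.sql").write_bytes(b"\x00encrypted-garbage\x00")
    (root / "db" / "customers.sql.lckd").write_bytes(b"placeholder")

    return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is where the manifest lives: a manifest stored next to the backup it describes can be rewritten together with the backup, so it should go to write-once or off-line storage at the time the backup completes.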

If you don't have a usable backup, there is still a chance you can get your data back. Several free decryption keys can be found on No More Ransom (https://www.nomoreransom.org/en/index.html). Please note that even with a decryption key it can take weeks to recover the files. The reason it takes so long is that decryption tools are not optimized for speed, even those supplied by the ransomware group itself. This makes sense, because the main focus of criminal groups is to encrypt quickly and efficiently in order to be able to demand a ransom as early as possible. Performance of their decryption tools is not a primary concern.

  • To restore your IT operations after a ransomware attack, it is important to focus first on the users who are necessary for the restoration process. Do not immediately allow all users to access the internet, as this could potentially expose your systems to further threats. Instead, patch and update any known vulnerable systems that were affected by the attack, and consider implementing multi-factor authentication (my personal favorite data-loss preventing technique) if it is not already in place. Focus on privileged accounts and services first, such as management accounts and management services. Use an endpoint security solution to ensure that all infected systems and devices are free of ransomware, as dormant malware may continue to lock your network and systems and corrupt your backups. Implement security monitoring services to gain a better understanding of activities taking place on your network. This will help you identify any potential threats and take appropriate action to protect your systems.

9. Be Prepared for "The Next Big One"

  • Be aware that a new attack is always possible. Take the time to analyze and document the attack to be ready for the next one. There is also a joint advisory which is the result of a collaborative research effort by the cybersecurity authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States. It highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices.

Closing Remarks

One thing is very important, and we have already written a full blog post about it a while ago: we strongly advise against the payment of ransoms! Keep in mind that the attackers are most likely interested in financial gain, so they will try every means to extort more money from you. Be careful when dealing with the attackers. Hiring a professional negotiator is not a panacea: there have been many cases of ransom sums doubling after a negotiator was hired, so a professional negotiator is not always the best solution. There is also no guarantee that you will receive the decryption keys from the cybercriminals.