Having an incident response program is one thing. But how do you deal with a type of attack that acts immediately and takes everyone by surprise?
As the 2016 SANS Incident Response Survey explains:
If companies with an entire team of people dedicated to incident response and a full suite of sophisticated software at their disposal are having trouble responding to ransomware, how can companies with smaller budgets and fewer resources be expected to react smoothly to a ransomware attack?
With ransomware infections continuing to climb (reports estimate over 56,000 in March 2016, alone), organizations of all sizes are scrambling to tighten up their security and plan for the increasingly likely scenario that they’ll be targeted by a ransomware attack.
If you’re one of the thousands of IT pros and security leaders looking for answers, here are answers to some of the most urgent questions you’re likely to face during and immediately following a ransomware attack. Knowing the answers and working out a plan to address them ahead of time will help you move through the recovery process much more smoothly and get your organization back to normal.
Maybe you get a notification from a user (or, worse, a group of users) that they can’t open their files. Or maybe you notice accessibility issues firsthand. You get a sinking feeling and worst-case scenarios flash through your head. Your stress level is growing. Take a deep breath, grab some coffee, and dive in. All that matters right now is getting more info and minimizing the damage.
Depending on how you discovered/were notified of the infection, you may find yourself dealing with one or multiple users and machines. Your first step should be isolating any infected machines by disconnecting them from the network (pull the cable and disable Wi-Fi rather than just logging the user off, since the encryption keeps running in the background as long as the machine is on). Keep in mind many ransomware variants are able to spread through shared network drives, so you may need to temporarily lock those down and check your file servers, too.
The majority of ransomware variants will make changes to encrypted filenames, often changing all the extensions to something that corresponds with the ransomware name (ex: .zepto or .locky). They also often create README.txt and README.html files with ransom instructions. Looking for these markers can give you an idea as to the extent of the infection and how far it’s spread.
To understand how the infection started you’ll also want to identify “patient zero”. Keep in mind that may not always be the user who reported the incident. In some cases, you may be able to determine the source of the infection by looking at the properties of one of the infected files and seeing who the owner is listed as: on a shared drive, the encrypted files and ransom notes are written under the account the ransomware ran as, so the owner shown on those files points back to that user. For more on how to identify patient zero, see this thread in Spiceworks.
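The triage steps above (gauge the extent of the infection from renamed extensions and ransom notes, then find the earliest encrypted file and its owner as a lead on patient zero) can be scripted. The following is an added example written for this page, not Barkly’s tool or a script from the Spiceworks thread; it walks a directory tree (a mapped share or a suspect machine) and reports per-extension counts, ransom note locations, and the first-modified encrypted file with its owner. The extension and note-name lists are assumptions seeded from the examples in the text and should be extended with whatever the ransom note tells you; the sample tree it builds for the demo is constructed, not real data.

```python
"""Triage scan for ransomware markers (added example, not the page's own code)."""
import os
import sys
import tempfile
import time
from collections import Counter
from pathlib import Path

# Assumed marker lists: extensions named in the post (.zepto, .locky) and the
# README-style ransom notes it mentions. Extend both with what you observe.
SUSPECT_EXTENSIONS = {".zepto", ".locky"}
RANSOM_NOTE_NAMES = {"readme.txt", "readme.html"}


def file_owner(path: Path) -> str:
    """Owner of the file, or a pointer to the Windows UI where Python can't read it."""
    try:
        return path.owner()
    except (NotImplementedError, KeyError, ImportError):
        return "unknown (check the file's Properties > Security tab on Windows)"


def scan(root: Path) -> dict:
    """Walk root and summarise ransomware markers found under it."""
    by_ext: Counter = Counter()
    notes = []
    first = None  # (mtime, path) of the earliest-modified encrypted file
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if name.lower() in RANSOM_NOTE_NAMES:
                notes.append(p)
                continue
            ext = p.suffix.lower()
            if ext in SUSPECT_EXTENSIONS:
                by_ext[ext] += 1
                mtime = p.stat().st_mtime
                if first is None or mtime < first[0]:
                    first = (mtime, p)
    result = {
        "encrypted_by_extension": dict(by_ext),
        "ransom_notes": sorted(str(n.relative_to(root)) for n in notes),
        "first_encrypted": None,
    }
    if first is not None:
        mtime, p = first
        result["first_encrypted"] = {
            "path": str(p.relative_to(root)),
            "modified_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(mtime)),
            "owner": file_owner(p),
        }
    return result


def build_sample_tree(root: Path) -> None:
    """Constructed sample share: two encrypted documents, two notes, one untouched file."""
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    files = {
        "finance/q1-invoices.xlsx.locky": 1_459_900_000,  # earliest encrypted file
        "finance/README.txt": 1_459_900_010,
        "hr/handbook.docx.locky": 1_459_900_120,
        "hr/README.html": 1_459_900_130,
        "hr/notes.txt": 1_459_800_000,  # untouched, older than the attack
    }
    for rel, mtime in files.items():
        p = root / rel
        p.write_bytes(b"constructed sample content")
        os.utime(p, (mtime, mtime))


def demo() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    # Usage: python triage_scan.py /path/to/share   (no argument runs the demo)
    report = scan(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a mapped share from a clean machine, not from the infected one, and treat the earliest modification time as a lead rather than proof: timestamps on a share reflect the server clock and the ransomware’s own traversal order, so confirm the user with the file owner and their account of what they opened.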
If a user reported the attack, get them off the network while you figure out what’s going on. The same goes for any other impacted users if you’re getting multiple complaints.
Once you determine the cause of the infection it may also be a good idea to share an alert with other users letting them know what to be on the lookout for (ex: phishing emails with fake invoices, etc.).
In the meantime, is there anyone else who needs to know about the ransomware attack right away? If so, now’s the time to tell them.
If you didn’t hear about the attack from patient zero, talk to them now. Most ransomware doesn’t wait long to get going once it’s on a machine, so in many cases you should be able to find out what triggered the attack by finding out what the user was doing shortly before the ransom screen popped up.
Ask users to retrace their steps:
Unfortunately, in most cases, once files are encrypted there’s no way of unlocking them without the decryption key.
That said, malware researchers are sometimes able to exploit flaws in ransomware encryption methods and develop decryption tools. Our Ransomware Decryption Tool Finder is an easy way to find out whether a decryption tool is available for the strain of ransomware you’ve been infected with.
If no decryption tool is available then your only other option is to restore your files from backup. Having a backup system is part of any good disaster recovery plan, but is your current backup good enough to get your users up and running quickly after you’ve been hit? If not, you have some thinking to do. For tips on tightening up your backup strategy, see our blog post “3 Better Ways to Use Backup to Recover from Ransomware.”
If you can’t decrypt or recover your files from backup, you’re left with a difficult decision to make that may come down to how integral access to the encrypted information is. It’s a good idea to think about how valuable your data is — are you dealing with law case files, patient health records, customer sales orders, etc. — and make decisions on how you’ll handle various encryption scenarios ahead of time.
The FBI has become more clear as of late that you should not pay the ransom, and when we surveyed IT pros on Spiceworks, only 5% of people hit with ransomware even considered paying the ransom an option. But ultimately, your decision will have to be based on your situation, not other people’s.
Another factor that may play into your decision of whether to pay or not is the type of ransomware you’re infected with. Some variants have been identified as being “fake” ransomware that doesn’t actually encrypt your data effectively. Other variants have been cracked and decryption tools have been made available. Still other variants may not have a good track record of actually delivering a working decryption key.
There are several ways to learn what type of ransomware you’ve been infected with. The first thing you can try is using our Ransomware Decryption Tool Finder. Even if a decryption tool isn’t available, typing in the encrypted file extension will provide you a list of the possible ransomware types.
Information included in the ransom screens — specifically, any URLs it points you to for more info/payment steps — can also provide you with identifying clues. Researcher Michael Gillespie’s ID Ransomware website allows you to upload a ransom note or a sample encrypted file to learn what type it is.
Lastly, you can try some good old-fashioned googling. Search for the ransom screen messaging, for the extension that has been applied to your locked files, or for some of the symptoms you’re experiencing such as encrypted unmapped network shares or encrypted shadow copies. A great resource to check out is BleepingComputer.com.
The safest way to get rid of the ransomware is to wipe the infected computer and reimage it (or reset it to factory settings), then restore your files from backup.
If you don’t have a backup you can use, the situation becomes trickier. You can try to salvage the machine with malware-removal tools (Microsoft offers a free one), but you run the risk of a component being missed (a dropped binary, a scheduled task or a startup entry) and the infection starting back up again.
If your boss isn’t scared off by the fact that your organization was hit with a ransomware attack in the first place, make sure you explain just how bad the attack was or could have been if you hadn’t intervened. Spend time calculating the cost in terms of downtime and lead with that.
Be sure to come prepared to discuss not just the problem, but specific solutions. Do your homework on potential fixes for the problem and determine how the cost of implementing them compares to downtime and disruption costs. The clearer you can make the business case, the better.
The good news is there are things you can do now to prepare yourself for dealing with ransomware and to stop it from infecting your system in the first place.
Sometimes you think you’re doing everything right and malware still gets through. New variants of ransomware are being created everyday. It’s hard to keep track of the new ways they operate. Barkly is pioneering a new approach to endpoint security. Try us free for 15 days and block ransomware attacks on your users’ devices.
Brianna is helping us grow an active community of security beginners and experts alike. She is exploring topics like security in healthcare and how to keep companies safe from ransomware.