05, Oct, 2019
RANSOMWARE RESPONSE - WHAT TO DO AFTER AN ATTACK
On May 12, 2017, hundreds of thousands of computer users and organizations across more than 100 countries woke up to a crisis. A sophisticated and viral form of malware had encrypted their computers and systems thus preventing them from accessing valuable personal and business information. Access could only be regained if a ransom was paid via bitcoin. Payment via a cryptocurrency like bitcoin would make it extremely difficult to trace the recipient. The malware, which was known as Wannacry, was a form of ransomware (you can read a nice summary of the May 2017 attack here). The vast majority of the world’s population was hearing the term ransomware (and ransomware response) for the first time. In reality, though, ransomware had been around since the late 1980s. Nevertheless, ransomware has evolved tremendously since then thanks to huge advances in cryptography over the last 30 years.
What is ransomware?
At its most basic, ransomware captures, encrypts, and blocks access to data until the ransom demand is paid. Ransomware is most often delivered via email or the web.
There are two main categories of ransomware — locker and crypto. Crypto ransomware encrypts all files on the affected device and only reinstates it once the ransom is paid. Locker ransomware is simpler and only locks out users from the device in lieu of a ransom.
The elements of a ransomware response
As with any other form of malware, prevention is always the best strategy. Nevertheless, despite your best efforts at prevention and considering the high profile of the organizations that have fallen prey to ransomware, you can be attacked successfully. What you do when that happens is vital in ensuring your organization can resume operations quickly and with little to no loss of your most valuable data. Here are some of the more important ransomware response actions you should take.
1.Secure the data before taking any ransomware response action
Take a read-only snapshot of the infected computer, virtual machine, or storage device. Doing this allows you to protect any part of your data that hasn’t been infiltrated, corrupted, or locked by the ransomware. It also ensures that as you work on reversing the damage and protecting your information, you always have a copy available that would form the basis for starting over repair works if need be.
2. Trace the attack
We mentioned before that ransomware will usually infiltrate your network via a website or an email. If you know where the attack originated, you can better track its spread or stop it in its tracks before it propagates even further. For instance, if you locate some of the files encrypted by the ransomware, take note of which user account last modified them. You could find this information in audit logs. You could follow this knowledge and work backward until you land on the device or user where it all started. During your investigation, do not forget to cover any remote workers you may have. The faster you can isolate and unplug the affected machines from your network, the lower the danger of new machines becoming infected.
3. Assess the impact
Faced with ransomware, your first instinct is to launch into remedial action immediately. Nevertheless, this can be a waste of precious time and effort. If the ransomware is spreading, every minute wasted means one more computer succumbing to the attack. So, before you kick off defensive and corrective actions, take a step back from the chaos and perform a comprehensive assessment of the damage. Establish the what, who, when, and where of the incident. This assessment is should be the basis of your subsequent course of action.
4. Notify law enforcement
A ransomware attack is a criminal incident. Notifying the relevant law enforcement agencies is, therefore, something you should do. In many jurisdictions, this is required by law (for example, the GDPR for organizations handling the data of European Union citizens). Start with local police but also get in touch with any national cybersecurity agency. A failure to report may not only mean you could be in breach of cybersecurity regulations but also robs you of the massive resources law enforcement has at its disposal to resolve the matter conclusively and at no cost to you. Note, however, that involving law enforcement could see the ransom demanded increase and in certain cases could lead to the data never being recovered.
5. Notify affected customers
No company is eager to announce to its customers that it’s been hit by a ransomware attack. It’s embarrassing and inevitably calls into question the business’ ability to safeguard sensitive customer data. There’s the risk that many customers could opt to leave for good. Yet, the potential consequences of failing to notify affected customers are far greater than any immediate inconvenience and lost business that would result from nondisclosure. What’s more, privacy and data security laws may require the business to notify customers. In any case, transparency is something most customers will view in a positive light. If you demonstrate you have nothing to hide, it will be easier for stakeholders to have confidence that you’ll eventually resolve the matter to the satisfaction of all parties. Notification is not about doing one press release and calling it done. Provide regular updates of progress. Announce resources you’ve made available that will minimize the threat to their data and privacy.
6. Clean up your systems
Some organizations opt to pay off the ransom as a means of getting back their systems in the shortest time possible. It may seem like a quick fix but the reality is anyone willing to go to the lengths of encrypting your systems to bar you from access isn’t someone whose word you can take to the bank. So regardless of whether you choose to pay the ransom or not, you have to assess your system in the aftermath to clean up any remnants of ransomware, restore your data to its pre-attack state, and establish measures that make it much harder for a similar attack to recur.
7. Update your systems
Operating system developers are constantly creating patches that seek to seal the loopholes that have been exploited by ransomware in the past. In fact, regularly patching and updating enterprise systems can block all but the most recent ransomware. But even after a successful attack, run patches for all your systems to reduce the risk of a similar incident in the future.
Ransomware response is just the start of recovery
While the tips we’ve covered here are useful and practical, there’s no silver bullet for ransomware response and recovery. That’s part of the reason ransomware has grown so quickly in popularity among cyberattackers. Nevertheless, doing nothing is not an option. Let these tips form the basis of your ransomware response plan. You’ll have a much greater chance of getting back your systems in one piece.