What do I do if I'm attacked by Ransomware?
How to deal with an assault by cybercriminals
There are many security concerns in the IT industry these days, and ransomware is one of the ugliest. Ransomware is among the newest and biggest threats to companies and individuals alike. When ransomware attacks you, it renames every file on your machine to a different name and extension (e.g., “myinfo.txt” becomes “190xd.xfg”). The extension varies, and you will not know what it is until the attack has hit; to make matters worse, each machine will likely have a different extension assigned. Finally, your computer wallpaper has likely changed from a heartwarming picture of your spouse and kids to a skull-and-crossbones image with a URL demanding cryptocurrency payment as “ransom” to release the captive files and machines the bad guys hold hostage.
The big question people ask themselves now is: how do I protect myself or my company? When ransomware infiltrates a network, it spreads from machine to machine in a matter of minutes. Employees realize their productivity has ground to a halt, a sickening feeling spreads through their stomachs, and they find themselves staring at a screen with a ransom note. This is make-or-break time for your IT gang. If you’ve planned and prepared for attacks like this, and have a solid disaster recovery plan in place, you can now confidently set those plans into motion.
So, how do you plan and prepare for a ransomware attack? What tools do you have to respond if an attack takes place? Below, I’ve outlined some basic rules to follow to help prevent and recover from a Ransomware attack.
Hopefully, these tips will help you answer the what-ifs and be proactive in preventing attacks. First and foremost: back up, back up, back up! Back up critical data and systems on a routine and frequent basis. Use offsite backups, but also keep a redundant onsite backup, where one copy is connected to the network and the other is disconnected from it. This gives you the immediate ability to begin restoring the affected machines. Remember, at this point the internet is your enemy: it’s where the ransomware came from in the first place, which is why a disconnected backup is critical to restoring your data and systems.
- Invest in anti-ransomware software. Anti-ransomware software is similar to anti-virus software, but it has the key ability to recognize the behaviour of ransomware before the ransomware takes hold on your machine, allowing it to stop the ransomware from spreading across your network.
- Educate your employees on security awareness. Key topics to cover with them include:
  - Strong passwords for user profiles
  - Recognizing and avoiding phishing emails
  - The danger of clicking random links in emails or IMs
- Follow basic network management practices:
  - Appropriately configure your firewall and regularly test it for intrusion detection
  - Block known ransomware extensions
  - Apply the latest patches and updates to all your anti-virus and other security software
  - Segregate your organization's network into different zones to reduce the chance of a virus or ransomware attack spreading throughout your entire organization
  - Eliminate BYOD (Bring Your Own Device) or create a separate network for BYOD devices.
What to do if you notice signs of Ransomware:
If your network becomes compromised, keep calm and concentrate on the fastest way to stop the spread of the ransomware. Start looking through your directories for the unfamiliar extensions, and if you notice one, disconnect the device from your network by unplugging the network cable or disabling the Wi-Fi. If all else fails, power it off.
- If you are flooded with notices of a breach, you may want to consider a system-wide power shutdown. Follow that by slowly bringing each machine back up in a clean room (no internet, or connections to another machine).
- Divide and Conquer - separate the machines that are clean from those that are affected.
- Remember: each backup unit has a limited number of USB ports and can run only so many copy operations at once, so one backup unit can restore only a finite number of machines at a time.
- Contact your anti-virus/anti-ransomware vendor - several vendors offer removal tools and may be able to help identify which ransomware attacked you and the best way to exterminate it.
- Never pay the ransom! This is certainly the easiest and quickest way out, but it is exactly what encourages these malevolent folks to keep building their malicious programs. Ransom demands start at $300 and up (in cryptocurrency) per device. Prepare properly and do the work to restore yourself.
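The advice above to look through directories for unfamiliar extensions, and earlier to block known ransomware extensions, can be turned into a quick triage scan. The following is an added example, not code from the original article: it walks a file tree and flags folders where most files carry an extension outside a known-good allowlist (the allowlist, the optional blocklist and the sample tree are constructed assumptions for the demo).

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions normally expected on a file share (constructed sample allowlist;
# replace with the extensions actually used in your environment).
KNOWN_GOOD = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".pptx", ".csv"}


def scan_for_mass_rename(root, min_files=5, max_unknown_ratio=0.5, blocklist=frozenset()):
    """Walk `root` and flag directories that look mass-renamed.

    A directory is flagged when it holds at least `min_files` files and more
    than `max_unknown_ratio` of them carry an extension that is neither empty
    nor in KNOWN_GOOD, or when any extension from `blocklist` appears there.
    Returns a list of (directory, most_common_unknown_extension, unknown_count).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if len(files) < min_files:
            continue
        exts = Counter(Path(f).suffix.lower() for f in files)
        unknown = {e: n for e, n in exts.items() if e and e not in KNOWN_GOOD}
        unknown_count = sum(unknown.values())
        hit_blocklist = any(e in blocklist for e in exts)
        if hit_blocklist or unknown_count / len(files) > max_unknown_ratio:
            top_ext, _ = max(unknown.items(), key=lambda kv: kv[1]) if unknown else ("", 0)
            findings.append((dirpath, top_ext, unknown_count))
    return findings


def build_sample_tree():
    """Create a constructed sample tree: one clean folder and one renamed folder."""
    root = tempfile.mkdtemp(prefix="rw_demo_")
    clean, hit = Path(root, "finance"), Path(root, "hr")
    clean.mkdir()
    hit.mkdir()
    for i in range(6):
        (clean / f"report{i}.xlsx").write_text("ok")
        (hit / f"{i:03x}d.xfg").write_text("junk")  # mimics the "190xd.xfg" pattern from the article
    (hit / "README_TO_RESTORE.txt").write_text("constructed ransom-note placeholder")
    return root


if __name__ == "__main__":
    for d, ext, n in scan_for_mass_rename(build_sample_tree()):
        print(f"SUSPECT {d}: {n} files with unexpected extensions (most common: {ext})")
```

Run it against a mounted share from a clean workstation; a flagged folder is a signal to pull the owning machine off the network, not proof of infection on its own.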
Other things to remember:
When it comes to restoring hundreds of machines with only one main backup unit, the time it takes to restore becomes one of your biggest issues. Keep the following information in mind, because having several backup machines will be extremely beneficial to restoring in a timely manner.
- One backup server can usually process up to 6 restore commands. It’s important to note that with each added restore the process will slow down.
- Create more than one physical backup server/system. Keep one connected, but keep others disconnected from the network to safeguard the backups.
- Create multiple restore points. This will provide you with some flexibility as to which point to restore from.
- A single, full restore of a 2-3TB server is a 12-24-hour process. Note: this time-frame has a large number of variables that will affect the restore process.
- Keep your operating system disks, backups and licenses in a safe location as you may need to re-install the entire operating system. Don’t forget any additional software needed for your daily routines will need to be re-installed as well.
Once attacked, even the biggest of companies can be brought to their knees. Plan ahead, educate your employees and keep reinforcing the lessons. If you have a strong plan and execute it efficiently when needed, you just might make it out alive.