Disconnecting the compromised device from the network, the internet, and other devices as soon as possible is crucial to protecting your shared files, your network, and your other devices.
Stop the spread: Isolating the compromised device immediately does not guarantee that the ransomware is not already elsewhere on your network; ransomware spreads quickly, and the device you found first is not always Patient Zero. To limit its reach, disconnect every device that is behaving suspiciously, including those that are off-premises: a device connected to the network is a risk wherever it is physically located. It is also a good idea to turn off wireless connectivity (Bluetooth, Wi-Fi, etc.) at this point.
Evaluate the damage: To identify which devices have been compromised, search for recently encrypted files with unusual file extensions, and look for reports of strange file names or of users having trouble accessing files. Any devices you find that have not yet been fully encrypted should be isolated and switched off to help contain the attack and stop further damage and data loss.
Your objective is to compile an exhaustive inventory of all affected systems, including network storage devices, cloud storage, external drives (USB thumb drives included), laptops, smartphones, and any other possible vectors. It is wise to lock down shares at this point; if you cannot restrict all of them, restrict as many as you can.
Doing so stops any active encryption processes and prevents further shares from becoming affected while recovery takes place. Before you do, however, look at the encrypted shares first, because they can tell you something useful: if one device has significantly more open files than normal, you may have just located your Patient Zero. If not…
Find Patient Zero: Tracking the infection becomes much simpler once its source has been determined. To do this, check for alerts from your EDR, your antivirus/antimalware program, or any other active monitoring platform. Asking people about their activity, such as whether they opened unusual emails, and what they have noticed can also help, since most ransomware enters networks through malicious email links and attachments that require user action.
Looking at the properties of the encrypted files themselves can also reveal information: the user listed as the owner is probably the point of entry. (Remember that there may be more than one Patient Zero!)
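As an added example (not part of the original guide) of the triage described in the damage-evaluation and Patient Zero steps above, this Python script walks a share, flags recently changed files whose extension is off a site-specific allow-list and whose content is near-random (as encrypted output is), and tallies the hits by file owner. The allow-list, the time window and the entropy threshold are assumptions to tune per environment.

```python
import math
import os
from collections import Counter
from pathlib import Path

# Assumption: extensions normally present on the scanned shares; tune per site.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".pptx", ".csv", ".jpg", ".png"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample; encrypted output sits close to 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def file_owner(path: Path) -> str:
    """Owner name on POSIX; on Windows Path.owner() is unsupported, so report 'unknown'."""
    try:
        return path.owner()
    except (NotImplementedError, KeyError, OSError):
        return "unknown"


def triage(root, since_epoch, known_exts=KNOWN_EXTENSIONS, entropy_threshold=7.5):
    """Return (suspects, owner_counts).

    A file is a suspect when it changed after `since_epoch`, its extension is not on
    the allow-list, and its first 4 KiB is near-random. Compressed media also scores
    high on entropy; the extension test is what separates it from encrypted output,
    so review each hit by hand before acting on it.
    """
    suspects = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            try:
                st = p.stat()
                if st.st_mtime < since_epoch or p.suffix.lower() in known_exts:
                    continue
                with open(p, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable or vanished mid-scan; skip rather than abort
            ent = shannon_entropy(head)
            if ent >= entropy_threshold:
                suspects.append({"path": str(p), "owner": file_owner(p),
                                 "entropy": round(ent, 2), "mtime": st.st_mtime})
    # Owner with the most suspect files is the first place to look for Patient Zero.
    owner_counts = Counter(s["owner"] for s in suspects)
    return suspects, owner_counts
```

Run it as `triage("/mnt/share", time.time() - 6*3600)` to cover the last six hours and inspect `owner_counts.most_common()`.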
Determine the ransomware: Before proceeding, it is critical to identify the specific ransomware variant you are dealing with. Online identification services make this straightforward: submit an encrypted file, and the service will search for matches. Details from the ransom note are also useful: if the note does not name the ransomware family, searching for the contact email address or the text of the note itself with a search engine can help. Once you have identified the ransomware and done a little research into its behavior, notify all unaffected staff so they can recognize the telltale signs of infection.
Notify the authorities about the ransomware: Contact law enforcement as soon as the ransomware is contained, for several reasons. First, ransomware is a crime and should be reported to the appropriate authorities like any other crime. Second, as the US Federal Bureau of Investigation states, “Law enforcement may be able to use legal authorities and tools that are unavailable to most organizations.” Partnerships with international law enforcement can help locate stolen or encrypted data and apprehend those responsible. Lastly, the attack may have compliance implications: under the GDPR, your company may face severe fines if it fails to notify the ICO of a breach involving the personal data of EU citizens within 72 hours.
Assess your backups: Now the recovery process begins. Restoring your systems from a backup is the quickest and most straightforward route. Ideally, you have a complete, uncontaminated backup made recently enough to be useful. If so, the next step is to use an antivirus or antimalware program to make sure that all compromised devices and systems are cleaned of ransomware.
If you skip this, the malware will keep locking your computers and encrypting your data, and could damage your backup as well. Once all malware has been removed, restore your systems from the backup; once you have verified that all data has been restored and that all applications and processes are operating normally, you can resume regular operations.
Unfortunately, many organizations fail to see the need to make and maintain backups until they are needed and unavailable. And because current ransomware is increasingly sophisticated and resilient, some who do keep backups quickly discover that the ransomware has corrupted or encrypted those too, making them utterly unusable.
Examine your decryption options: If you cannot recover your data from a backup, there is still hope. A growing number of free decryption keys are available at No More Ransom. If one exists for the ransomware variant you are dealing with (and assuming you have removed all malware from your machines by now), you should be able to unlock your data. Even if you are lucky enough to find a decryptor, expect hours or days of downtime while you work through remediation.
Proceed: Regrettably, if you have neither working backups nor a decryption key, you may have to wipe everything and start over. Rebuilding is neither easy nor cheap, which is why it is the last resort once every other option has been exhausted.