I got infected by Ransomware, what should I do?
A recent study published by Cybersecurity Ventures projected that in 2019 there will be a successful ransomware attack every 14 seconds. Of course that is a general global figure based on cyber attack trends for the past couple of years. If you're reading this post, it is probably because, sadly, you have already become part of that statistic; by this time you have already felt a punch to the gut and a huge feeling of anger and frustration. Now you're focusing on ways to undo the damage so business can continue as usual. Most likely you've already read and tried many possible solutions you found online, but nothing seems to be working. My priority when dealing with ransomware is not so much recovering the encrypted data but rather protecting what's not encrypted. I know, I know, you may be saying: how do I get my data back! The answer, however, is not that simple, and I feel really bad for breaking the news to you, but chances are it's going to cost you $$$.
That being said, do not throw in the towel. If you got infected by ransomware and can't access your files, follow the steps below to prevent the malware from spreading and, just as importantly, to attempt to recover your data.
PHASE I - Protect Your Existing Working Data at all cost!
1. Isolate the systems. If one or many of your computers got infected, turn them off. Notice that I'm not just saying disconnect them from the network but turn them off. The reason is that you may have noticed that some files or directories are encrypted but perhaps not all the data in the system has been compromised yet; by turning the machine off you stop the malicious process from running, and you can later boot from portable media to access the hard drive.
2. Copy any uninfected data to an off-system location. If a system or systems were compromised in your office but the main system holding the data has not been infected, make a copy of all important data. If you already have a copy (or backup), even better; just verify the backup is safe and up-to-date. Ideally you'd do this by booting the system from a bootable drive and mounting the drive to be copied. The reason is that there is a chance the malware is already on that system and hasn't fully kicked in yet.
3. Protect the backups. Make it a priority to protect your backups; I can't stress this enough. Remember, at this point all the encrypted data may be gone forever, so treat your backups as if you'll never see the other data again. Many organizations have local backups on a NAS or on a locally attached hard drive; this type of backup is as vulnerable as any other system on the network. If you have local backups on network or local drives, disconnect them from the system while you're troubleshooting. The last thing you want is that after your systems and server get infected, all your backups get infected too.
4. Do you have a server? This is what I referred to in step 1, but I'll expand a bit more using a server as an example: if it's possible, turn it off as well. This is mostly applicable to small or midsize businesses where all management and ownership is concentrated in one place; if you're in a larger corporation this may not be applicable, as the server may provide services required by other departments to work. Why turn off the server? Servers are the prize of the attack because usually that's where the data is stored. Keep in mind that ransomware spreads like a worm; the fact that one system does not show signs of infection does not mean the malware isn't active in the background.
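Steps 1 through 4 boil down to two questions you have to answer before copying anything: which files are still intact, and is the backup you are about to rely on actually untouched? The script below is an added example (it is not from this post and not a tool of any vendor named here) that answers both on a small constructed directory: it flags files by a ransomware-style appended extension or by high byte entropy, separates ransom notes, and compares a backup tree against a hash manifest taken when the backup was known good. The extension list, the note-name hints, the 7.5 bits-per-byte threshold and all file names are assumptions chosen for illustration.

```python
"""Added example (not from the post): triage a data tree before copying it off-system,
and verify a backup against a manifest taken earlier. Thresholds and names are assumptions."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed, illustrative values; adjust to what you actually see on the infected machine.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
NOTE_NAME_HINTS = ("readme", "decrypt", "restore", "how_to")
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits near 8.0, office/text files far lower
COMPRESSED_MAGICS = (b"PK", b"\x1f\x8b", b"\xff\xd8\xff", b"\x89PNG")  # zip/docx, gzip, jpeg, png


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the buffer (0.0 for an empty buffer, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_size: int = 65536) -> str:
    """Return 'note', 'encrypted' or 'intact' for one file (best effort, for triage only)."""
    name = path.name.lower()
    if path.suffix.lower() in (".txt", ".html", ".hta") and any(h in name for h in NOTE_NAME_HINTS):
        return "note"
    if path.suffix.lower() in SUSPECT_EXTENSIONS:
        return "encrypted"
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    # Compressed formats are high-entropy by design; trust their magic bytes so they are not misflagged.
    if any(head.startswith(m) for m in COMPRESSED_MAGICS):
        return "intact"
    return "encrypted" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "intact"


def triage(root: Path) -> dict:
    """Group every file under root by class; 'intact' is the list worth copying off-system."""
    result = {"intact": [], "encrypted": [], "note": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[classify_file(p)].append(p.relative_to(root).as_posix())
    return result


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Snapshot relpath -> sha256 of a known-good tree; take this when the backup is made."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup tree against its manifest; modified, missing or unexpected entries need a closer look."""
    current = build_manifest(root)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (not real files): one document, two 'encrypted' files, one note."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "budget.csv").write_text("month,amount\n" * 200)
    (root / "docs" / "report.docx.locked").write_bytes(os.urandom(4096))
    (root / "docs" / "scan.bin").write_bytes(os.urandom(4096))  # no telltale extension; caught by entropy
    (root / "README_DECRYPT.txt").write_text("Your files have been encrypted. Pay to restore them.")


def demo() -> dict:
    """Triage the constructed tree, then show verify_backup catching a backup that was hit later."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        report = triage(root)
        backup = root / "backup"
        backup.mkdir()
        (backup / "payroll.xlsx").write_bytes(b"PK\x03\x04" + b"fake-office-content" * 50)
        manifest = build_manifest(backup)
        # Simulate the backup share being encrypted after the manifest was taken.
        (backup / "payroll.xlsx").write_bytes(os.urandom(2048))
        (backup / "HOW_TO_RESTORE.txt").write_text("note")
        report["backup_check"] = verify_backup(backup, manifest)
        return report


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run it against a mounted drive by replacing the constructed tree with the real mount point, and copy only the `intact` list. The entropy test is deliberately conservative: a high-entropy file with no known extension is reported as encrypted, which costs you a second look rather than a silently lost file. The manifest only helps if it was taken before the incident and stored somewhere the ransomware could not reach.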
PHASE II - Start doing technical troubleshooting.
5. Scan the non-infected systems. You may say to me "why do I care about what's working, I need to recover my data". Well, the truth is that if you don't protect what hasn't been infected, your problem is going to get worse. Besides, if some of your systems are encrypted it does not matter how soon you address them; the damage is already done, so you need to concentrate on protecting your remaining systems. I recommend doing an offline virus scan. A common way to do it is to create bootable media from a reputable endpoint security solution and run the scan from it. I personally like Sophos, Kaspersky, even Windows Defender. The key is to boot from the external device and have it scan the entire system for potential malware; keep in mind this process may take hours depending on the size of the drive.
6. Your systems come out clean: install the latest OS and application updates. OK, let's say that after running virus scans on the systems that weren't infected, no malware was found. That is great news, but you still need to make sure the latest operating system and application updates are installed before you put a system back on the network. Many malware attacks exploit known system and application vulnerabilities to deploy the payload, so patch those systems as soon as you can.
7. Install a real antivirus solution. If you had an antivirus and the virus still got through, there are a few possibilities: it was a zero-day attack, the antivirus didn't have the latest signatures, it was not a reliable antivirus solution, etc. The point is that you need to have a real antivirus solution in place as you bring all systems back online. Again, I personally like Sophos, Kaspersky, and Symantec, but choose whatever works for you.
All that sounds good, you may say, but what about my infected data? Remember that I told you at the beginning to concentrate on protecting what's not infected. Well, there's a reason for that: sometimes you won't get the encrypted data back. That's not to say you never will, though. Let's go over a few things.
PHASE III - Working with the infected data.
8. Bring in the cavalry. At this point you need network and security experts to help guide you through the process. Yes, you can do many things yourself, but when a security professional comes on site he/she can run other types of analysis, such as network traffic analysis, that may be outside your area of expertise. This is especially true in businesses with many computers and servers; usually that type of business has a more advanced network configuration, and having an expert by your side will be advantageous. I titled this article "I got infected by ransomware, what should I do", so I'm going to keep my word and give you a couple of points you can try yourself.
9. Get a ransomware signature and submit it to ID Ransomware. You can do this by submitting an encrypted file or the ransom note. They will help you identify the malware and guide you in the right direction; this website will not help you recover any data itself but rather points you to places that may help you.
10. Contact your antivirus vendor. This is the beauty of having a real antivirus solution in place: you can call them and tell them about the attack. Similarly to ID Ransomware, they'll ask you for an encrypted file and tell you where they stand regarding that virus. Chances are you're not the first and only one infected with it; perhaps they are already working on a way to decrypt it. If you don't have a valid subscription with an antivirus vendor, move on to the next step.
11. Try ransomware decryption tools, and try the free tools before paying for a commercial service. Chances are that if you got infected with well-known, old ransomware there is a decryption tool out there. Many companies offer decryption tools for various malware: Kaspersky, Avast, TrendMicro, Emsisoft, just to name a few. They will guide you on how to run them, but it is usually a matter of cleaning the computer of malware, booting into safe mode, and running the utilities.
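Steps 9 through 11 all start from the same two artifacts: the ransom note and one encrypted file. Identification services and vendor support will ask you for the appended extension, the contact addresses in the note, and a hash of a sample, so it pays to collect those once, carefully, without altering the originals. The script below is an added example, not part of this post and not ID Ransomware's or any vendor's own tooling; the note text, e-mail addresses, .onion URL and bitcoin address in it are constructed placeholders, and the regular expressions are deliberately simple assumptions rather than authoritative parsers.

```python
"""Added example (not from the post): collect the facts an identification service or AV vendor
asks for from a ransom note and one encrypted sample. All indicators below are constructed."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed sample note; every address in it is a placeholder, not a real indicator.
SAMPLE_NOTE = """All your files have been encrypted with extension .locked
To restore them contact us: restore-help@example.com or backup.support@example.net
Tor page: http://exampleonionaddressplaceholder.onion/pay
Send 0.5 BTC to 1ConstructedPayAddrNotRea1xyz
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ONION_RE = re.compile(r"https?://[\w-]+\.onion\S*")
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy base58 addresses only (assumption)
EXT_RE = re.compile(r"extension\s+(\.[A-Za-z0-9_]+)", re.IGNORECASE)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def summarize_note(note_text: str) -> dict:
    """Indicators worth handing to ID Ransomware, your AV vendor, or law enforcement."""
    ext = EXT_RE.search(note_text)
    return {
        "emails": sorted(set(EMAIL_RE.findall(note_text))),
        "onion_urls": sorted(set(ONION_RE.findall(note_text))),
        "btc_addresses": sorted(set(BTC_RE.findall(note_text))),
        "appended_extension": ext.group(1) if ext else None,
        "note_sha256": sha256_bytes(note_text.encode("utf-8")),
    }


def describe_sample(path: Path) -> dict:
    """Size, hash and leading bytes of one encrypted file; a small file is enough for a submission."""
    data = path.read_bytes()
    return {
        "name": path.name,
        "size": len(data),
        "sha256": sha256_bytes(data),
        "first_bytes_hex": data[:16].hex(),  # some families prepend a marker; vendors ask about it
    }


def build_submission(note_path: Path, sample_path: Path) -> dict:
    """Read-only: both originals stay untouched for whoever investigates later."""
    return {
        "note": summarize_note(note_path.read_text(encoding="utf-8", errors="replace")),
        "sample": describe_sample(sample_path),
    }


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "README_DECRYPT.txt").write_text(SAMPLE_NOTE)
        (root / "invoice.pdf.locked").write_bytes(os.urandom(4096))  # constructed stand-in for ciphertext
        return build_submission(root / "README_DECRYPT.txt", root / "invoice.pdf.locked")


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Point `build_submission` at the real note and a small encrypted file on the mounted drive, and keep the resulting record with your incident notes; the hashes also let the vendor confirm later that the sample you sent is the one they analyzed.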
PHASE IV - Now what..
12. Consider paying for professional services. In this case I'm not talking about services from IT network professionals like us, but rather those offered by companies that specialize in ransomware reverse engineering. Companies like McAfee, Kaspersky, and Sophos have dedicated departments of consultants for such a task. Usually enterprise businesses are the ones able to afford their services.
13. Consider paying the ransom. This is something frowned upon by many people, especially by law enforcement, because in a way you'll be incentivizing more criminal activity; it's up to you to decide whether or not you want to follow that route. You can even negotiate the ransom; after all, it is in the hackers' interest to get paid something. Now keep in mind that if you do pay you're taking a big gamble: if the decryption key does not work, you may lose the money you paid.
14. You recover your data - or not - dust it off and get your network in shape, because they will come back if they can. Please make sure you address the issue that caused the problem in the first place. It's not only patching the systems and applications with the latest updates but also making sure you have a real firewall solution in place and that there are no open holes in your network, which is where bringing in the cavalry from step 8 comes in. We have seen it many times: companies paid the ransom and got their data back, but because they didn't address the network vulnerabilities that caused the problem in the first place, they got infected again, usually within one or two weeks.
15. Have a technical expert by your side. That is who we are and what we do: we look at your entire network and make recommendations to minimize the likelihood of a compromise and to have protections in place in case a system is compromised. There's no silver bullet, but there are principles and best-practice procedures to ensure you will be able to withstand an attack without business interruption.
I hope you found a way to recover your data without paying the ransom; sadly, most organizations without a proper backup end up paying. Whether you paid or not, now is the time to implement a solid network security solution for your organization.
If you're located in NYC or Northern NJ we can assist you with the implementation, configuration, and management of your network solution. We specialize in firewall implementations, Windows Server administration, endpoint security, and ethical hacking services. Contact us at 888-580-4450 for details about our solutions and services.