What to do if you’re targeted?
Don’t Pay Ransoms
Ransomware attacks come with a demand to pay for a solution, often in Bitcoin so that the transaction is hard to trace. You have to assume paying a ransom will not get you out of the fix you find yourself in. There is no certainty that you will get your files back after paying the attackers. There have been cases where a ransom was paid and the attackers disappeared without supplying a decryption key. There are also cases where a key was supplied and it didn’t work. And you can’t expect a 30-day money-back guarantee here!
You may also be at risk of further attacks if you’re seen as willing to pay. A better option is to bite the bullet and start your recovery efforts.
Responding to a ransomware attack
To combat a ransomware attack you must use an ordered approach to deal with the incident. This is generally done by following a cyber-response plan. The detailed plan should include every action that needs to be taken in situations where your systems have been infected. It should be wide ranging enough to cover anything from file hijacking by ransomware to less damaging malware. And don’t forget the humble nuisance virus – these still need to be dealt with sometimes.
The actions needed to respond to a ransomware attack will potentially involve lengthy activity, which may seem daunting. However, if you are well prepared it is possible to recover from this type of attack, albeit with some impact due to the time needed to perform the recovery activities. In high-level terms, the necessary actions are as follows:
- Isolate the affected system(s) – to prevent further spreading of the infection. This involves taking your devices/networks offline. The faster you do this, the more likely you will be able to contain the spread of the malicious software. You can do this by simply unplugging network cables from your workstations and disconnecting from the internet. Be mindful that other offices in your organisation could be infected by your systems. Make them aware of the attack and take steps to get them offline, or at least separated from the infected segment.
- Remove infection from systems – to stabilise the systems and allow recovery to begin with a relatively clean environment. This may need to be done by your IT team, or by third-party technology partners with relevant skills. In either case, it may be sensible to contact a specialist cyber-security service provider to help with the removal effort and to assist with further actions. Be prepared to check systems that were not infected when the incident first occurred. There may still be malicious software present outside of the primary area being worked on.
- Recover systems and data – to provide unlocked versions of both. This will involve restoration from backup and some reconfiguration of system parameters. Activities here will need specialist resources, in your own IT team or a third-party services provider (not necessarily the cyber-security team). There may also be a need to involve the ‘owners’ of systems and data to validate the recovery.
- Check the status of your systems post-recovery – to determine how effective the recovery has been. Also to investigate whether any malware remains on your computers. The attackers may have created other ways of accessing your systems/data at a later date. If multiple systems are involved in the incident, these validation efforts may be run in parallel with the recovery activity.
- Implement preventive measures – to avoid a repeat of the infections. The information acquired while identifying the infection will assist. Be prepared to research how to recover from the different situations to supplement your experience. The cyber-security team can compile information on the root cause and review the vulnerabilities that were exploited. They can advise what additional preventive measures are needed to avoid similar infections. They may also provide advice on a more comprehensive set of security measures, such as an ISMS.
- Advise others of the attack – to raise awareness and help other organisations. If you or your business experiences a ransomware attack or other cyber-security issue, report it to CERT NZ. If the attack involves exposure of personal information belonging to your staff, customers or other business partners, you must also report the breach to the NZ Privacy Commissioner.
There may be additional actions associated with each of these activities, depending on how complex the infection is and how difficult it is to remove. Repeat actions may be needed if the removal/clean-up efforts are thwarted by other malware present on your systems. In a major incident, and to avoid hindering the cyber-response team, consider having someone outside of the team deal with communications to interested parties, e.g. company senior management or directors, staff, customers and government agencies.
More To Come...
Look out for the next instalment in this topic.