
How to Recover After a Ransomware Attack

It is a known fact that cyber criminals attack organizations in ever larger numbers, and the malware they employ to do their dirty work has become much better at hiding its tracks. You may think your company is safe, but even huge corporations such as Canon or Konica Minolta were hit with ransomware attacks and paid millions of dollars to regain access to their data.

Recently, a piece of ransomware called Ryuk, built with the goal of attacking enterprise environments, has held several local governments hostage and netted its makers millions of US dollars. In one common scenario, the attackers send their victims emails carrying an obfuscated PowerShell script as an attachment; if an employee opens it, the entire network will eventually be compromised.

Unfortunately, many institutions continue to run their software on outdated operating systems such as Windows 7, and sometimes even Windows 2000! This makes it easy for cyber criminals to exploit known vulnerabilities and execute their malicious scripts. The infection will often spread across the network using Microsoft's Remote Desktop Protocol (RDP).

So, it is clear that everyone is in danger. While the FBI and other agencies have asked companies to ignore the hackers' ransom demands, some victims choose to pay the money because they need to keep their clients' data confidential and/or protect their reputation. Here's what you should do if you have been hit by a ransomware attack.

One or more of your company's computers may display a splash screen with instructions on how to contact the hackers and pay the ransom. In this case, the damage is already done, so go to the recovery steps highlighted below. But perhaps the malware hasn't reached the entire network yet; in that case, start monitoring its behavior using a tool such as Nagios XI. And if you don't have a computer security team of your own, you can call us.

Try to open various files and see what happens; if the ransomware is already active, some of those files will be encrypted and you won't be able to open them. While you are at it, look for unusual file extensions. You may discover that your report.docx has become report.crypted, or that it has lost its extension altogether, so Windows asks which application to use when you double-click it.

Check for new software that has been installed on the computer, especially network-related applications. Windows' "Add or remove programs" lets you sort all applications by "Install date". Do that, then look for unfamiliar apps on the list. Google the ones you don't know to learn what they do, and uninstall any you don't recognize or need right away.

Look for new administrator accounts that may have been created by the hackers. Also keep in mind that the attackers will try to disable domain controllers and delete any existing backups before triggering the ransomware. Don't forget to look for network resources that are shared but should not have been made accessible to others.
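As an added example (not part of the original post), the PowerShell triage script below runs the checks from the last three paragraphs on a single Windows machine: software installed in the last few days, the members of the local Administrators group, non-default SMB shares, and recently modified files grouped by extension so that a burst of one odd extension (or of files that lost their extension) stands out. It assumes Windows 10 / Server 2016 or newer (for Get-LocalGroupMember and Get-SmbShare) and an elevated prompt; the scan root and look-back window are placeholders you should adjust.

```powershell
# Added ransomware triage script (not from the original post).
# Assumes Windows 10 / Server 2016 or newer; run from an elevated PowerShell prompt.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Documents",   # assumption: where user data lives
    [int]$Days = 7                                      # look back this many days
)
$since = (Get-Date).AddDays(-$Days)

# 1. Recently installed software, newest first (same view as "Add or remove programs"
#    sorted by install date). InstallDate is a yyyyMMdd string in the Uninstall keys.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
"`n== Software installed in the last $Days days =="
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' } |
    Where-Object { [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) -ge $since } |
    Sort-Object InstallDate -Descending |
    Format-Table InstallDate, DisplayName, Publisher -AutoSize

# 2. Members of the local Administrators group; anything you cannot account for
#    needs to be investigated.
"`n== Members of local Administrators =="
Get-LocalGroupMember -Group 'Administrators' |
    Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# 3. Shares other than the ones Windows creates itself (ADMIN$, C$, D$, ..., IPC$).
"`n== Non-default SMB shares =="
Get-SmbShare | Where-Object { $_.Name -notmatch '^(ADMIN\$|[A-Z]\$|IPC\$)$' } |
    Format-Table Name, Path, Description -AutoSize

# 4. Recently modified files counted by extension: a large count for an unfamiliar
#    extension such as .crypted, or for '<none>', is the pattern to look for.
"`n== Files modified in the last $Days days under $ScanRoot, by extension =="
Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Group-Object { if ($_.Extension) { $_.Extension.ToLower() } else { '<none>' } } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```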

If you detect an infection while it is still in progress, it can be contained and the damage limited by stopping the rogue third-party application. Begin by disconnecting the affected computer(s) from the Internet; that will limit the spread of the infection. Then contact a specialized IT security company.

Regardless of what happens, you should be able to restore the data from its backed-up copies. We encourage our clients to use the 3-2-1 backup strategy: keep at least three copies of the data, two of them on different media, and one of them offsite (in the cloud).

Once your computers are working properly again, run a deep network scan looking for any signs of infection. The malware may have been planted several months ago, and the backed-up data may still include it.
