Corporate Ransomware Response & Protection Best Practices
Ransomware strikes a business every 10 seconds. If your business gets hit, knowing how to respond can minimize the costs and associated downtime. How should a company react when ransomware is first observed? What steps should be taken? This guide will cover every step a business should take when a ransomware infection occurs.
What is a Ransomware Attack?
At its most basic level, a ransomware attack is the use of encryption malware to first encrypt data and applications (rendering the systems that host them unusable), and then extort the owners of the encrypted assets for a financial payment. Only after the payment has been made to the attackers is a decryption tool or key provided to the victim, who may then attempt to recover.
The ability of ransomware to propagate within a company's network can lead to catastrophic downtime, which can cripple an organization and often leads to bankruptcy. The cost of downtime is often 10-100x the ransom amount demanded. After a machine or a network has been encrypted, ransom notes are left in prominent places (the desktop, every folder containing encrypted files) so that the victims spot them easily.
Most ransom notes pressure the victim to pay quickly by stating that the ransom amount will escalate if the victim waits too long. The average ransom was about $5,000 when this guide was first written; demands are smaller for consumers, much larger for large enterprises, and have risen sharply since. If a victim chooses to pay, they have to procure cryptocurrency, usually Bitcoin. Procuring cryptocurrency is time consuming and laborious for the average victim, so much so that the attackers leave advice in the ransom note on how to do it quickly.
How Ransomware Spreads
Attackers primarily use the following vectors to infect a machine: internet-exposed remote access services (above all RDP), phishing emails, social engineering, unpatched software, compromised websites or malicious advertising, and trojanized free software downloads.
Ransomware can encrypt the files on an individual computer, or be designed to move through connected drives and devices without outside instruction. When a network has been breached, the attacker typically uses other tooling to move laterally to different parts of the network so that the ransomware can be staged broadly and detonated everywhere at once.
How to Stop Ransomware from Spreading
An infected machine should be physically disconnected from any network it is attached or mapped to, including any NAS devices, USB sticks or external hard drives; wireless connectivity should also be turned off. Once the machine is disconnected it should be left alone: do not turn it off or reboot it, and do not run anti-virus scans. Keeping it powered on preserves volatile memory and running processes for forensics (some families leave key material in memory), a reboot can trigger persistence mechanisms or a second encryption pass, and a scan may quarantine the very executable and ransom notes you will need in order to identify the strain. Any additional changes to the files may also corrupt the already encrypted data and make it unrecoverable later, even with a working decryptor.
The Employees: If you see something, say something
Ransomware frequently spreads through a company’s network because employees are afraid to report it. An Intermedia report found that 59% of employees would pay a ransom out of their own pocket to avoid having to tell their employer. An employee who does not immediately inform IT of a possible ransomware attack is putting the fate of the entire company at risk. One of the most important variables in recovering from ransomware is responding to it quickly. Cultivating a culture where employees are not afraid to raise their hand when they notice something is key. Hiding a ransomware infection for too long could imperil the operability of the company and jeopardize its future. Encourage employees to notify IT the minute they see something suspicious.
Lock your network down - kick the hackers out and keep them out!
A large share of ransomware attacks begin with attackers brute-forcing, or logging in with stolen credentials to, remote services exposed to the internet over RDP. This means the attackers have gained access to your network and have likely harvested administrative credentials. They have probably moved laterally around your network, staging ransomware executables as they go, and have probably tried to encrypt or wipe your backups in the process, in order to leave you with no option but to pay. All of this takes an attacker time, so if you notice the intrusion early you may be able to thwart their progress. If you notice suspicious activity, first block inbound RDP at the perimeter (and any other remote-access service you cannot immediately account for) and terminate the live sessions. Network attached storage that is reachable from the internet should be closed off. Next, change all administrative credentials. If possible, change all user passwords too, in case the attackers elevated privileges after compromising a single employee account. If your backups have not been compromised, put two-factor authentication in front of the backup administrative accounts to ensure the attackers cannot reach them.
Being confident that the attackers no longer have access to your data is important for peace of mind during the recovery and forensics process. Once you are confident your network is secure, review log activity and user sessions (failed and successful logons, RDP and VPN connections, the accounts involved) to determine the time frame of the attack and which credentials the attackers used.
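The log review described above, as an added example that is not part of the original guide: the script bounds the attack time frame from an export of Windows Security logon events by spotting an RDP brute-force pattern (a burst of 4625 failures followed by a 4624 logon type 10 success from the same address) and then listing every account that address logged in with. The export format, the event lines and the threshold values are constructed assumptions; adapt parse_events() to whatever your SIEM or wevtutil export actually produces.

```python
"""Added example (not from the original guide): bound the attack time frame from an
export of Windows Security logon events. The log format and the events below are
constructed for illustration; adapt parse_events() to your own export."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event IDs used: 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive, i.e. an RDP session.
RDP = 10


@dataclass
class Event:
    time: datetime
    event_id: int
    logon_type: int
    account: str
    source_ip: str


def build_sample_log() -> str:
    """Constructed export: 40 failed RDP logons in under five minutes from one address,
    a success from the same address, a normal console logon by a staff member, and a
    later RDP logon from the attacker's address with a second (harvested) account."""
    t0 = datetime(2021, 11, 3, 2, 14, 5)
    lines = [
        f"{(t0 + timedelta(seconds=7 * i)).isoformat()},4625,10,administrator,203.0.113.45"
        for i in range(40)
    ]
    lines += [
        "2021-11-03T02:19:40,4624,10,administrator,203.0.113.45",
        "2021-11-03T09:02:11,4624,2,jsmith,192.168.10.23",
        "2021-11-04T01:30:00,4624,10,svc_backup,203.0.113.45",
    ]
    return "\n".join(lines)


def parse_events(text: str) -> list:
    """Parse 'time,EventID,LogonType,account,source_ip' lines, oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        t, eid, ltype, acct, ip = line.split(",")
        events.append(Event(datetime.fromisoformat(t), int(eid), int(ltype), acct, ip))
    return sorted(events, key=lambda e: e.time)


def find_rdp_brute_force(events, threshold=20, window=timedelta(minutes=10)) -> dict:
    """Return {source_ip: time_of_first_rdp_success_or_None} for every address with at
    least `threshold` failed RDP logons inside any `window`-long period. The first
    success after the failures is the likely initial-access moment."""
    failures = defaultdict(list)
    for e in events:
        if e.event_id == 4625 and e.logon_type == RDP:
            failures[e.source_ip].append(e.time)
    suspects = set()
    for ip, times in failures.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                suspects.add(ip)
                break
    first_success = {}
    for e in events:
        if (e.event_id == 4624 and e.logon_type == RDP
                and e.source_ip in suspects and e.source_ip not in first_success):
            first_success[e.source_ip] = e.time
    return {ip: first_success.get(ip) for ip in suspects}


def attack_window(events, suspect_ips):
    """Earliest and latest event from any suspect address: the span to review in detail."""
    times = [e.time for e in events if e.source_ip in suspect_ips]
    return (min(times), max(times)) if times else None


def accounts_used(events, suspect_ips) -> list:
    """Accounts that successfully logged on from suspect addresses: reset these first."""
    return sorted({e.account for e in events
                   if e.event_id == 4624 and e.source_ip in suspect_ips})


if __name__ == "__main__":
    evs = parse_events(build_sample_log())
    hits = find_rdp_brute_force(evs)
    print("brute-forced from:", hits)
    print("review window:", attack_window(evs, hits))
    print("accounts to reset:", accounts_used(evs, hits))
```

The window returned by attack_window() is the span to pull every other log source for (VPN, firewall, backup server, domain controllers); the accounts from accounts_used() are the ones whose passwords must be rotated before anything is restored. Note that the later svc_backup logon from the same address is exactly the "harvested credentials" pattern the text warns about.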
Inspect all machines and document the ransomware infection.
Every machine and data store on the network should be surveyed for signs of encryption, including your backups. All cloud storage should be checked as well (AWS, Dropbox, Google Drive, Microsoft OneDrive, etc.). Once every machine and data store is inspected, infected devices should be cataloged by name, type, size and extent of encryption. Any ransom notes, the file extension the malware appended, and any victim IDs it embedded should also be cataloged so that the extent of the attack can be readily understood by the IT and management teams. Written documentation, rather than an oral explanation, can shave hours off a recovery and streamlines engaging an external team to assist.
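One way to produce that catalog for a file share, as an added example that is not part of the original guide: walk the tree read-only, group probable encrypted files by the extension the malware appended (using a Shannon-entropy check on the first few KB), and pick out ransom notes by name and content. The sample tree is constructed in build_sample_tree(); the note-detection hints and the 7.5 bits/byte threshold are assumptions, and the caveat in the docstring matters: archives, media and legitimately encrypted files score high too, so treat the extension list as something to review, not as truth.

```python
"""Added example (not from the original guide): inventory a file tree for likely
encrypted files and ransom notes, producing the catalog the text describes.
The sample tree is constructed by build_sample_tree(); heuristics are assumptions."""
import math
import os
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Assumed heuristics: ransom notes are small text/HTML files whose names and contents
# match common patterns; encrypted files have near-random (high-entropy) content.
NOTE_NAME_HINTS = ("readme", "recover", "decrypt", "restore", "how_to", "how-to")
NOTE_TEXT_HINTS = ("your files", "bitcoin", "decrypt")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random or encrypted data approaches 8.0, text sits around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    name = path.name.lower()
    if not name.endswith((".txt", ".html", ".hta")):
        return False
    if not any(h in name for h in NOTE_NAME_HINTS):
        return False
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return any(h in text for h in NOTE_TEXT_HINTS)


def inventory(root, sample_bytes=4096, entropy_threshold=7.5) -> dict:
    """Walk `root` and group probable encrypted files by extension (the extension the
    malware appended is a key identifier), collect ransom notes and count clean files.
    Caveat: archives, media and already-encrypted files also score high; review the
    extension list by hand rather than trusting the threshold blindly."""
    root = Path(root)
    by_ext = defaultdict(lambda: {"count": 0, "bytes": 0})
    notes, clean = [], 0
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if looks_like_ransom_note(p):
            notes.append(p.relative_to(root).as_posix())
            continue
        with open(p, "rb") as f:        # read-only: never modify files during triage
            head = f.read(sample_bytes)
        if shannon_entropy(head) >= entropy_threshold:
            ext = p.suffix.lower() or "(none)"
            by_ext[ext]["count"] += 1
            by_ext[ext]["bytes"] += p.stat().st_size
        else:
            clean += 1
    return {"encrypted_by_ext": dict(by_ext), "ransom_notes": sorted(notes), "clean_files": clean}


def build_sample_tree() -> str:
    """Constructed share: three random-content '.locked' files, one plain document
    and one ransom note, in the layout a hit file server might show."""
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    (root / "finance").mkdir()
    for name in ("q3.xlsx.locked", "budget.docx.locked"):
        (root / "finance" / name).write_bytes(os.urandom(8192))
    (root / "scan.pdf.locked").write_bytes(os.urandom(8192))
    (root / "finance" / "notes.txt").write_text("Quarterly figures to review with accounting.\n")
    (root / "finance" / "README_TO_RESTORE.txt").write_text(
        "All your files have been encrypted. Pay in bitcoin to receive the decrypt tool.\n")
    return str(root)


if __name__ == "__main__":
    import json
    print(json.dumps(inventory(build_sample_tree()), indent=2))
```

Run it per host or per share from a clean workstation with the share mounted read-only, and keep the JSON output with the written incident record: the extension and the note text are exactly what the identification services in the later section ask for.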
Catalog encrypted data vs available backups
Don’t have any backups? Then you can skip this step (and yes, you should be uncomfortable about that). If you did have backups but they were encrypted as well, there is a lesson to learn about properly isolating them. Either way, your list of encrypted machines should be reconciled against the available backups. Record how recent each backup is, whether it is a full or an incremental (an incremental is only useful if the full it depends on, and every incremental in between, is intact), and which encrypted machines have no backup at all. Complete this documentation as thoroughly, yet as quickly, as possible.
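The reconciliation itself, as an added example that is not part of the original guide: given the encrypted-host catalog from the inspection step and a backup catalog, it computes the newest usable restore point per host (walking full and incremental chains and stopping at the first damaged link), the resulting data loss in hours, and sorts the hosts so that the most critical, least recoverable ones come first for the operability discussion. Host names, roles, criticality scores, timestamps and the backup records are all constructed.

```python
"""Added example (not from the original guide): reconcile the encrypted-host catalog
against the backup catalog to find, per host, the newest usable restore point and the
hosts that have no way back. All hosts, times and backups below are constructed."""
from datetime import datetime

# Constructed output of the inspection step: host -> (role, criticality 1=low .. 3=critical)
ENCRYPTED_HOSTS = {
    "erp-db01": ("ERP database", 3),
    "fileserver01": ("department shares", 3),
    "mail01": ("mail server", 2),
    "hr-ws12": ("HR workstation", 1),
}

# Constructed backup catalog. 'intact' is False where the backup itself was found
# encrypted or missing during inspection.
BACKUPS = [
    {"host": "fileserver01", "taken": "2021-10-31T23:00", "kind": "full", "intact": True},
    {"host": "fileserver01", "taken": "2021-11-01T23:00", "kind": "incremental", "intact": True},
    {"host": "fileserver01", "taken": "2021-11-02T23:00", "kind": "incremental", "intact": False},
    {"host": "fileserver01", "taken": "2021-11-03T01:00", "kind": "incremental", "intact": True},
    {"host": "erp-db01", "taken": "2021-10-31T23:00", "kind": "full", "intact": False},
    {"host": "erp-db01", "taken": "2021-11-02T23:00", "kind": "incremental", "intact": False},
    {"host": "mail01", "taken": "2021-11-02T22:00", "kind": "full", "intact": True},
]


def usable_restore_point(host_backups):
    """Newest point reachable through an unbroken chain: an intact full plus every intact
    incremental that follows it. A damaged full or incremental ends its chain; later
    incrementals cannot be applied until the next intact full starts a new chain."""
    best = None
    current = None                      # restore point of the chain being walked
    for b in sorted(host_backups, key=lambda b: b["taken"]):
        if b["kind"] == "full":
            current = b["taken"] if b["intact"] else None
        elif current is not None:
            current = b["taken"] if b["intact"] else None
        if current and (best is None or current > best):
            best = current
    return best


def reconcile(hosts, backups, now: str) -> list:
    """One row per encrypted host, most critical and least recoverable first."""
    by_host = {}
    for b in backups:
        by_host.setdefault(b["host"], []).append(b)
    rows = []
    for host, (role, crit) in hosts.items():
        hb = by_host.get(host, [])
        point = usable_restore_point(hb)
        if not hb:
            status = "no_backup"
        elif point is None:
            status = "backups_encrypted"
        else:
            status = "restorable"
        loss_h = None
        if point:
            delta = datetime.fromisoformat(now) - datetime.fromisoformat(point)
            loss_h = round(delta.total_seconds() / 3600, 1)
        rows.append({"host": host, "role": role, "criticality": crit, "status": status,
                     "restore_point": point, "data_loss_hours": loss_h})
    order = {"no_backup": 0, "backups_encrypted": 1, "restorable": 2}
    return sorted(rows, key=lambda r: (-r["criticality"], order[r["status"]], r["host"]))


if __name__ == "__main__":
    for r in reconcile(ENCRYPTED_HOSTS, BACKUPS, "2021-11-03T12:00"):
        print(r)
```

In the constructed data the file server's 3 November incremental is intact but unusable, because the 2 November incremental it depends on was encrypted; the real restore point is a day older than the catalog suggests. That is the kind of detail the written reconciliation surfaces and an oral "we have backups" does not.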
Take a time-out and assess your operability
Now that you have a full inventory of your network you should have a fairly complete picture of the operability of your IT infrastructure. Be sure to contact all departments affected by the infection and discuss their operability. The questions below should be asked and discussed internally with executive stakeholders to determine the relative urgency of your unique situation:
Is each department able to conduct business?
Can the company get through a payroll?
Can customers receive orders and communicate with you?
Can you invoice customers and interact with your supply chain?
Are you in, or at risk of being in, violation of any service level agreements because of your impaired operations?
If the answers to the above point to a critical situation, then this is a good time for your IT team to call their families and prep them for the possibility of being at work for the next few days. Accordingly, keeping the IT team fed and rested through a ransomware incident is important. Sleep deprivation and dehydration are not conducive to good decision making so take the physical and mental health of these employees seriously. Bad or impulsive decisions can have permanent and catastrophic results.
Is there a chance the ransom will need to be paid?
If critical data was encrypted and backups are unavailable, there is a chance that engaging with the attacker and paying the ransom will be necessary. Although a last resort, if data loss is not an option then negotiating for and paying a ransom is widely understood to be a path to recovery. Before going down that path, involve counsel and law enforcement: a payment to a sanctioned group can itself be unlawful in some jurisdictions, and there is no guarantee a working decryptor will be delivered.
If this is the case, a common mistake is to delay engaging with the attacker. Contact should be made early so that efforts run in parallel: searching for viable backups of the encrypted data while establishing contact and negotiating means you are exploring all options at once. If working backups are uncovered down the line, communications with the attacker can simply be dropped.
However, if you wait to make contact you risk making the worst case even worse: the attacker may have abandoned their contact channel, or you may find you are more desperate than you initially thought. If you do need to make contact, do not do it yourself. When your business is held hostage and emotions are running high, a trained incident response professional can streamline and improve your recovery.
Determine the ransomware strain you have
There are several free resources that can assist in identifying the ransomware you have. There are also several bad resources that will take advantage of your situation. Before contacting an outside resource, it is important to know your rights as a victim of ransomware.
Resources to leverage:
No More Ransom (nomoreransom.org) and ID Ransomware are reliable resources that help identify ransomware and tell you whether a free decryptor exists for it. To use them, be prepared with a copy of the ransom note and a sample encrypted file. The sample should be a file that contained no cardholder (PCI) or other confidential data; don't unintentionally turn a ransomware attack into a data breach as well. You may also submit your information to Coveware for a free, real-time assessment.
Firms to be leery of:
There are dozens of dishonest data recovery firms that claim they can decrypt variants of ransomware that cannot be decrypted; in practice some of them simply pay the ransom and bill you a markup. Some have been exposed through sting operations, while others are under investigation by law enforcement for their business practices. If No More Ransom or ID Ransomware report that your strain has no free decryption tool, believe them. Finally, do NOT send the ransom note or the attacker's email address to any firm with which you have not signed a legal agreement. Some data recovery firms will email the attacker without your consent, which can cause confusion and problems later in the negotiation.
Use the ransomware identification to inform your strategy
At any given time there are dozens of ransomware variations in circulation. Ransomware variants have unique attributes that inform how the decryption process works. The cyber criminals that distribute ransomware also have their own unique attributes on how they target companies, how they negotiate (or don’t), how technologically astute they are, and most importantly how economically rational they are. When combined with the desperation of a victim company, the permutations of these ransomware variants are dizzying. However, when you understand attributes of your ransomware and have identified the urgency of your situation then a strategy begins to unfold.
For example, if your company had no backups, a high budget and high urgency after being attacked by GandCrab, the decision to pay the ransom would be relatively straightforward given the high likelihood of recovering data. Conversely, a company with low urgency, minimal budget that was attacked by Ryuk, would likely opt not to engage with the hackers or bother paying (given historically high cost and low data recovery rate).
The Ransomware recovery stage: Making copies, killing malware, and decrypting data
Generally, ransomware recovery consists of a combination of backup restoration, ransom payment and accepted data loss. The proportion in each bucket determines how successful the recovery is.
Restoring from a backups
This guide more or less assumes you don't have access to backups, or that your backups were compromised in the attack. We won't lay more guilt on you than you are probably already feeling, but it is worth repeating that a company without backups dances on the edge of a black hole: a ransomware attack can easily bankrupt a business.
If you do have complete or partial backups, the first step is to ascertain their condition. Check each backup's age and integrity, then restore it and verify it manually in a clean, isolated environment before relying on it (a backup taken after the intrusion began may already contain the attacker's tooling). The other variable in the restore process is time: restoring huge volumes of data can take a great deal of it. Prioritizing which systems to restore first has a material impact on restoring operability to your company, hence the importance of cataloging your critical systems up front.
Volume shadow copies were traditionally relied upon as a source of restore. The vast majority of ransomware deletes them as a standard part of the attack (typically with vssadmin, wmic or WMI calls from PowerShell, often alongside disabling Windows recovery and deleting backup catalogs), so do not count on them. Their deletion does, however, leave a useful marker in process-creation logs for the timeline: it usually happens seconds before encryption starts.
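A detection for that marker, as an added example that is not part of the original guide: it scans process-creation records (the shape of Sysmon Event ID 1 or Security Event 4688 after export) for the well-known commands used to delete shadow copies, shrink shadow storage, delete backup catalogs and disable Windows recovery, and reports the earliest hit as the probable start of encryption. The pipe-separated export format and the log lines are constructed; the pattern list covers the commonly seen variants, not every possible one.

```python
"""Added example (not from the original guide): flag the commands ransomware typically
runs to destroy shadow copies and other local recovery options, from a process-creation
log (Sysmon Event ID 1 or Security 4688). The log lines are constructed; the patterns
are the well-known ones, not an exhaustive list."""
import re

# Each pattern is matched case-insensitively against the full command line.
INHIBIT_RECOVERY_PATTERNS = [
    ("vssadmin delete shadows",       r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("vssadmin shrink shadowstorage", r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*/maxsize="),
    ("wmic shadowcopy delete",        r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("powershell Win32_ShadowCopy",   r"win32_shadowcopy.*delete"),
    ("wbadmin delete backups",        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"),
    ("bcdedit disable recovery",      r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in INHIBIT_RECOVERY_PATTERNS]

# Constructed export: time|host|user|parent process|command line
SAMPLE_LOG = """\
2021-11-03T02:41:10|fileserver01|CORP\\administrator|cmd.exe|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2021-11-03T02:41:12|fileserver01|CORP\\administrator|cmd.exe|wmic shadowcopy delete
2021-11-03T02:41:15|fileserver01|CORP\\administrator|cmd.exe|bcdedit /set {default} recoveryenabled No
2021-11-03T02:41:16|fileserver01|CORP\\administrator|cmd.exe|wbadmin delete catalog -quiet
2021-11-03T08:15:00|hr-ws12|CORP\\jsmith|explorer.exe|"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" budget.xlsx
2021-11-03T09:00:00|backup01|CORP\\svc_backup|svchost.exe|vssadmin list shadows
"""


def parse_line(line: str) -> dict:
    time, host, user, parent, cmd = line.split("|", 4)
    return {"time": time, "host": host, "user": user, "parent": parent, "cmd": cmd}


def detect_inhibit_recovery(log_text: str) -> list:
    """Return one hit per matching line, tagged with the technique label, oldest first."""
    hits = []
    for line in log_text.strip().splitlines():
        if not line:
            continue
        ev = parse_line(line)
        for label, rx in COMPILED:
            if rx.search(ev["cmd"]):
                hits.append({**ev, "technique": label})
                break                   # one label per line is enough for the timeline
    return hits


def first_destruction_time(hits):
    """When recovery options were first destroyed: encryption usually starts right after."""
    return min(h["time"] for h in hits) if hits else None


if __name__ == "__main__":
    found = detect_inhibit_recovery(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["host"], h["user"], h["technique"])
    print("encryption likely began at:", first_destruction_time(found))
```

The benign "vssadmin list shadows" from the backup server does not fire, which is the point of matching the destructive verb rather than the binary name. The same patterns are worth alerting on permanently once the incident is over; a legitimate administrator very rarely runs them from cmd.exe on a file server at 02:41.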
How to Remove the Ransomware Executable
Most ransomware removes itself once the encryption process completes. This is by design, so that the encryption is not run twice and so that samples are hard to find and analyze.
Yet sometimes the ransomware remains on a machine. If that machine is to be restored with a decryption tool purchased from the attacker, the malware must be removed first, or it may re-encrypt files as they are decrypted. AV can be used to find the executable, as can manually reviewing the running processes in Task Manager.
Keep in mind that in the long term any infected machine should be wiped and rebuilt, so don't be shy about killing any non-critical executable. Before you do, copy the sample somewhere safe and note its path and hash: it is evidence, and it is what the identification services and any forensic review will want.
Make a copy of your encrypted data
Before we get into negotiating with cyber criminals and paying for decryption keys: if you have decided you need to pay, the first step is to make a copy of all your encrypted data. Even if this seems infeasible, it should be considered.
Even though paying for decryption keys has a relatively high success rate, there is always a risk of data loss or file corruption during the decryption process; criminal decryptors are rarely well tested. It is worth having a copy of everything just in case, and worth running the decryptor on the copy rather than the original. Free decryption tools may also become available in the future, and you will want the untouched encrypted files to run them against.
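A way to make that copy defensible, as an added example that is not part of the original guide: copy the encrypted tree to a separate location without ever overwriting, preserving timestamps for the timeline, and write a SHA-256 manifest of what was actually written. After a decryptor has been run on the copy, verify_copy() tells you exactly which files it corrupted rather than decrypted, and the originals remain untouched for a future free tool. The sample tree is constructed; the destination should in reality be a separate disk that is then set read-only.

```python
"""Added example (not from the original guide): copy the encrypted tree to a separate
location and record a SHA-256 manifest, so that a decryptor or a future free tool can be
run against the copy and any corruption is provable. The sample tree is constructed."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk=1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve_copy(src, dst=None):
    """Copy every file under src to dst (a fresh temp dir if not given), preserving
    timestamps and refusing to overwrite anything already present, and return
    (dst, {relative_path: sha256}). The hash is taken from the copy, so the manifest
    describes what was actually written, not what we hoped to write."""
    src = Path(src)
    dst = Path(dst) if dst else Path(tempfile.mkdtemp(prefix="encrypted-copy-"))
    manifest = {}
    for p in sorted(src.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(src)
        target = dst / rel
        if target.exists():
            raise FileExistsError(f"refusing to overwrite {target}")
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)             # copy2 keeps mtime, useful for the timeline
        manifest[rel.as_posix()] = sha256_file(target)
    return str(dst), manifest


def verify_copy(dst, manifest: dict) -> list:
    """Relative paths whose content no longer matches the manifest (changed or missing).
    An empty list means the copy is intact; after a decryptor run, the list is the set
    of files the tool touched, which you then compare against what it claims it decrypted."""
    dst = Path(dst)
    bad = []
    for rel, digest in manifest.items():
        target = dst / rel
        if not target.is_file() or sha256_file(target) != digest:
            bad.append(rel)
    return sorted(bad)


def build_sample_tree() -> str:
    """Constructed encrypted share: a few random-content files with an appended extension."""
    root = Path(tempfile.mkdtemp(prefix="encrypted-src-"))
    (root / "finance").mkdir()
    for rel in ("finance/q3.xlsx.locked", "finance/budget.docx.locked", "scan.pdf.locked"):
        (root / rel).write_bytes(os.urandom(4096))
    return str(root)


if __name__ == "__main__":
    copy_dir, manifest = preserve_copy(build_sample_tree())
    print(len(manifest), "files copied to", copy_dir)
    print("mismatches before decryption:", verify_copy(copy_dir, manifest))
```

Keep the manifest (it is small) with the written incident record. Re-hashing the untouched originals against it later also proves that nothing modified them while the decryptor was being evaluated on the copy.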
Paying the ransom and receiving decryption keys
If you don’t have backups and data loss is not an option, your remaining option is to engage the attacker and try to safely negotiate the release of decryption keys. We do not recommend undertaking this on your own. In an emergency, interacting with cyber criminals and fumbling with cryptocurrency is not a good idea, and the urgency of the situation is something the criminals will take advantage of. Contacting an incident response firm can save time and money. Similarly, it may be worth bringing in extra hands from a local managed service provider with security expertise. Business downtime is a business killer, and the incremental expense of professional help will be a fraction of the downtime cost it saves.
Procuring bitcoin in a hurry is extremely difficult. Most bitcoin exchanges take days or weeks to approve new accounts. Funding a new account can take time as well, as traditional banks can cause friction during the funding process. Additionally, most bitcoin exchanges take measures to prevent users from paying ransomware from their accounts. These measures include withdrawal speed bumps (you can buy, but can’t transfer), and blocking known hacker wallets. Meanwhile business downtime continues to accrue.
How to decrypt files encrypted by ransomware
Every type of ransomware has unique quirks and nuances. Experienced incident response firms keep updated documentation on most strains so you can prepare to run a purchased decryption tool. Despite the differences, a few best practices apply across the board. Ensure that the original external drives and shared or mapped drives are remapped and reconnected exactly as they were at the time of encryption: if any data store is not reconnected under the same path, the decryption tool will neither locate it nor decrypt its data. Test the tool on a copy of a handful of files before unleashing it on everything. Next, be patient: it can take hours or days to decrypt data even with a well-functioning tool, so budget this time into your original planning estimates. Paying the ransom is half the battle; running a successful decryption process is the other half.
After the Attack is Over, How to Protect Against Ransomware
There will be lots of lessons learned and scar tissue created. Below is a short list of security and continuity tools every organization should implement after a ransomware attack. Never let a crisis go to waste. Learn how to better protect your business for the future.
Backups: Investing in robust, properly segmented backups (with at least one copy offline or immutable, so that a compromised domain administrator account cannot delete it) can save your company from bankruptcy. It is just that simple. Make the investment, keep it up to date, and test a restore regularly.
Endpoint and AV: Invest in high quality endpoint and AV protection. Malware and ransomware WILL get in; endpoint protection can limit the damage and maintain continuity. Never expose RDP directly to the internet: put remote access behind a VPN with multi-factor authentication and lock out brute-force attempts.
Security Awareness Training: Your employees are the weakest link and always will be. Invest in security awareness training as you would in HR training. Create a culture that encourages employees to raise a red flag and report IT issues. It could save your company.
If you have further questions, or are experiencing a ransomware attack and need help, please contact us. We provide free, no commitment assessments based off our extensive database of ransomware cases.
Post last revised November 2021