By now, you know the signs. Your computer suddenly shows a message, usually in red, letting you know that your files have been encrypted, and that you can get them back by paying a ransom, usually in Bitcoin. You're faced with a decision: Pay the ransom, or try to recover without paying. And if you decide to pay the ransom, you can only hope that it actually works.
Whichever way you decide to go, there are a number of steps you need to take immediately. These will protect your network and perhaps other computers nearby.
- Disconnect the infected computer from the network and any external storage devices immediately. Unplug the Ethernet cable and any external hard drives. Flip the "Airplane Mode" switch on laptops, if there is one. If you can't disable WiFi, power down the computer.
- Check other computers and servers on your network for signs of encryption, such as altered data files. If you have any doubts, disconnect them from the network, as well. Scan each of these computers with an anti-ransomware package such as Bitdefender Total Security and remove any malware it finds, but don't connect them to the network again just yet.
- Avoid paying the ransom. Back in the early days of ransomware, paying the ransom usually worked. Things have changed, partly because the criminals deploying ransomware are doing it from a package that they don't understand, and partly because criminals are much less inclined to follow through once they get the money. They are criminals, after all. In addition, paying the ransom tells the criminals you have cash and are willing to pay, which makes you a prime target for another attack.
- Report the attack to law enforcement. This will include your local police department, and also the FBI's Internet Crime Complaint Center. Law enforcement may be able to help, and your insurance carrier probably requires that you make such a report. It may also help catch the bad guys, and if you paid a ransom, it may help you get the money back.
- Don't bother trying to recover the data that's on the infected computer. Even if you can manage to find a decryption package that will work, there will be other damage, and the original malware is likely hidden somewhere on your system. Instead, repartition and reformat the hard disk or install new hard disks. The latter approach might actually cost less than the labor required to really wipe a disk properly, and you know the new ones will be clean. Destroy the old hard disks if you decide to go that route.
- Rebuild your system. You can rebuild your operating system using Dell's SupportAssist OS Recovery, or, if you've created a system image that's stored off-site, you can use that. Restore your data using off-site or cloud backup files. If you didn't store a system image, you'll also need to reinstall your applications. While you're doing this, scan your backups for malware. It's very possible that your most recent backups included the malware or even some encrypted files. If that's the case, move to an earlier backup and check that, then restore using the earlier, uninfected backup. Make sure you restore everything, not just data. That will include any connections that were part of business processes.
- Check ALL directly attached and network-attached storage for infection. Ransomware goes after any storage devices it can find and encrypts them, plus it will hide malware that can re-launch the attack later. If in doubt, destroy the devices and replace them with new storage. This does not mean you have to trash your entire storage area network, but you should consider changing out the hard drives.
- Check to see if any data was exfiltrated. The ransomware note will likely say it was, and that the data will be sold on the dark web unless you pay extra. To confirm, check your firewall logs for signs of data exfiltration, which usually look like large outbound transfers to an unusual destination. If it appears that data was taken, you'll need to note that in your breach report and, if you can find a destination address, you'll need to provide that to law enforcement.
- Warn your email contacts to be careful of email from your network, as it might be infected.
- Conduct an after-action study to determine how the breach and ransomware attack happened, so you can do a better job of prevention next time. A good place to start is with your staff and their training. Nearly all ransomware attacks are the result of a human-centered breach. This means that someone opened an infected email or clicked on a link in a phishing scam, or they visited an infected website. Constant, hands-on training is the only way to reduce this threat.
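One way to do the exfiltration check described above, as an added example that is not part of the original article or any Dell product: the script below parses constructed firewall connection log lines (a simple key=value format, not any particular vendor's), totals outbound bytes per source/destination pair, and flags pairs that sent more than a threshold to a destination not in the business's known-destination baseline. The sample log, the baseline, and the 500 MiB threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall connection log (not real data):
# timestamp, internal source, destination, destination port, bytes sent out.
SAMPLE_LOG = """\
2024-05-01T02:13:04 src=10.0.0.12 dst=203.0.113.7 dport=443 bytes_out=1048576
2024-05-01T02:13:09 src=10.0.0.12 dst=203.0.113.7 dport=443 bytes_out=734003200
2024-05-01T02:14:11 src=10.0.0.12 dst=203.0.113.7 dport=443 bytes_out=1288490188
2024-05-01T09:01:00 src=10.0.0.15 dst=198.51.100.20 dport=443 bytes_out=52428800
2024-05-01T09:05:00 src=10.0.0.15 dst=198.51.100.20 dport=443 bytes_out=31457280
2024-05-01T11:20:00 src=10.0.0.18 dst=192.0.2.9 dport=22 bytes_out=4096
"""

# Constructed baseline of destinations the business normally sends large
# volumes to (e.g. its cloud backup provider). Anything else is "unusual".
KNOWN_DESTINATIONS = {"198.51.100.20"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                   "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def find_exfil_candidates(text, known=KNOWN_DESTINATIONS,
                          threshold_bytes=500 * 1024 * 1024):
    """Return {(src, dst): total_bytes} for pairs that sent more than
    threshold_bytes to a destination outside the known baseline."""
    totals = defaultdict(int)
    for rec in parse_log(text):
        totals[(rec["src"], rec["dst"])] += rec["bytes"]
    return {pair: total for pair, total in totals.items()
            if pair[1] not in known and total > threshold_bytes}


if __name__ == "__main__":
    for (src, dst), total in find_exfil_candidates(SAMPLE_LOG).items():
        # The destination address is what you would hand to law enforcement.
        print(f"possible exfiltration: {src} -> {dst}, {total / 2**20:.0f} MiB out")
```

The known-destination set should be built from normal traffic captured before the incident; a backup provider or SaaS service that legitimately receives large uploads will otherwise show up as a false positive.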
After you've done all of that, double-check that your local and cloud backups are working, and that you can restore your systems from those backups. Conducting these tests and drills will prepare your business for this type of attack and improve its resilience.
Of course, a comprehensive data protection solution helps prevent these attacks in the first place, and your business must have a resiliency plan in place before disaster strikes. Dell's comprehensive approach to endpoint security for small businesses is one place to learn more.