Dealing With A Ransomware Attack

Written By: Tim Black

Date Published: 09 September 2022 00:00:00 EDT

Dealing With A Ransomware Attack

A ransomware attack is one of the biggest threats facing online users. In this article we cover a couple of points when dealing with Ransomware. In short:

What to do if you’ve been hit by ransomware?

  1. Remain calm. Any rash decisions could cause further data loss.

  2. Check your most recent set of backups.

  3. Do not pay the ransom as there is no guarantee you’ll get your data back.

  4. Contact us for advice and to explore data recovery options.

Some points we want to highlight:

Stay calm but speed is of the essence.

In these initial moments, adrenaline is likely to kick in, alongside feelings of shock, anger, and fear. It’s important not to panic and remain calm while assessing the situation. Once encryption begins, it’s a fast process it can take a couple of minutes to encrypt 100,000 files.

Stop further spreading! Close all (network) connections.

As soon as you know you have been hit by a ransomware attack – usually because a big notification will flash up on the screen – it’s essential to isolate the infected device(s). Remove network and data cables, USBs and dongles, and disable WiFi and Bluetooth to stop the device from making any connection that could cause the threat to spread. The network team need to know ASAP to limit access and take down these connections.

Seek legal advice and counsel immediately.

Is it an incident or a data breach that needs to be reported? Experienced legal counsel is needed to advise on if and how to inform authorities in a correct and timely manner to satisfy any governing regulations.

Communication.

It’s important that all communications are orchestrated by a central point within the organization to prevent any misinformation or confusion. This should include a directive to not speak to anyone in the media, or publish anything on social media. PR announcements need to be carefully prepared to avoid unsettling shareholders, stakeholders, and the wider market.

Once an attack is known, everyone in the business must be alerted to the threat. If anyone suspects their device is infected, they must take steps to isolate it from the network immediately.

In todays connected world it is also key to notify the business/contacts.

Reset credentials.

Best practices also say that users should reset all their credentials – especially for privileged accounts – to prevent the bad actor from harvesting valuable data that could be used to launch further attacks.

Check your most recent backups/ Recovering data from backups.

Maintaining an up-to-date backup is the most effective way of recovering from a ransomware attack. Especially if you followed the ‘3-2-1-1-0 rule’ – 3 copies of the data, stored on 2 different media, of which 1 is offline and 1 is offsite and verified that is has 0 errors. When it comes to restoring data, scan your data for malware first, and ensure backups are only connected to known clean devices to prevent re-infection.

Identify the type of ransomware.

If the organization already did receive a 'ransom note', using the 'ransom note' you can search the Internet to see what kind of Malware / Ransomware you have been affected by, to determine any potential counter actions. Some Threat Actors rename active files with an additional extension. Log down that extension and also search the Internet for more information.

Use the malware scanning tool on the device, or through the organization's Security Operations Centre, to help identify what ransomware was used, as this will help determine the remediation actions that need to be taken.

Log everything action.

Additionally, make notes about the attack including the date, time, file details, first signs of ransomware, affected devices, what you were doing immediately before the attack, and when your device was connected. Also, take photos and record suspicious programs, files, and pop-ups.

Paying the ransom (no guarantee you’ll get your data back)

Cyber security professionals and federal agencies agree: do not pay the ransom. Research indicates that only 3 in 5 organizations regained access to data/systems, so there’s no guarantee that you will get access to your data or computer. Also, even if you do get your data back, there’s no guarantee it’s safe - 18% of ransomware victims who paid the demand still had their sensitive data exposed by bad actors on the dark web.

Remove the ransomware from your devices

Unfortunately, removing ransomware from devices isn’t as simple as clicking ‘delete’. In many cases, it requires a complete factory reset, which is irreversible and runs the risk of data loss. Therefore, it’s always best to seek the support of a professional who can use appropriate decryption tools and safely restore you back to business-as-usual. It is always a  good practice to store up the encrypted data in case international police investigations hunt down criminals and gather specific insights and codes to program proper decryption tools.

Reporting the attack

This intelligence is invaluable to helping agencies track how ransomware attacks are developing to stop the cyber criminals, assist with remediation tools, and prevent the spread further.

Contact Ontrack for Ransomware Recovery

Contact us for advice and to explore data recovery options. Every ransomware attack is unique and varies in complexity, but data recovery is possible. At Ontrack, we have developed a specialized collection of proprietary tools to recover data. With labs located around the world, our specialists are available 24/7 to provide help and support in the event of a worst-case scenario.

More information:

Data Recovery from Ransomware Attack

Read our Ransomware guide

Subscribe

KLDiscovery Ontrack Limited, Nexus, 25 Farringdon Street, London, EC4A 4AB, United Kingdom (see all locations)