- Disable automated maintenance tasks
Organizations should immediately disable automated maintenance tasks such as temporary file removal and log rotation on affected systems. These tasks can destroy files that investigators and forensics teams need. For example, log files may contain valuable clues regarding the initial point of infection, while some poorly programmed ransomware variants store important information (such as encryption keys) in temporary files.
- Create backups of the infected systems
Victim businesses should create backups or images of the infected systems after isolating them from the network (see step 1). There are two main reasons for doing so:
- Prevent data loss – Some ransomware decryptors contain bugs that can damage data. For instance, the decryptor of Ryuk was known to truncate files, effectively cutting off one byte of each file during the decryption process. While this didn’t cause major issues for some file formats, other file types – like Oracle and MySQL database files – store important information in the last byte and were at risk of being corrupted after decryption. Having a backup of infected systems ensures data integrity. If something goes wrong during the decryption process, you can roll back your systems and try to repeat the decryption.
- Decrypt files for free in the future – If the encrypted data is not critical to an organization’s operations and does not need to be urgently recovered, it should be backed up and stored securely, as there’s a chance it can be decrypted in the future. As law enforcement agencies bring down various ransomware operators, they release the decryption keys and victims can recover their data for free.
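The backup-then-decrypt workflow above, as an added example that is not part of the original article: before a decryptor is run, a manifest (size and SHA-256 of every file) is recorded and the isolated system is copied to a backup location; after decryption, each file is checked for the kind of damage described for the Ryuk decryptor (a missing last byte, or a database file that is no longer a whole number of pages), and the system is rolled back from the backup if anything is flagged. The `.locked` extension, the simulated decryptor, the file names and the 16 KiB InnoDB page size are assumptions constructed for the demo.

```python
"""Added example (not ADACOM's code): image before decrypting, verify after,
roll back on failure.  The ransomware, decryptor and file names are simulated."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

INNODB_PAGE = 16384   # assumption: default InnoDB page size; .ibd files are whole pages
ENCRYPTED_EXT = ".locked"  # constructed extension standing in for a real variant's


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record (size, sha256) of every file under root, keyed by relative path."""
    return {str(p.relative_to(root)): (p.stat().st_size, sha256_of(p))
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup_tree(src: Path, dst: Path) -> dict:
    """Copy the isolated system to dst and return a manifest the copy was verified against."""
    manifest = build_manifest(src)
    shutil.copytree(src, dst)
    if build_manifest(dst) != manifest:
        raise RuntimeError("backup does not match source; do not proceed to decryption")
    return manifest


def suspicious_after_decrypt(before: dict, root: Path) -> list:
    """Flag decrypted files that look damaged.

    Demo assumption: the simulated ransomware only appended ENCRYPTED_EXT, so a
    correct decryption has exactly the encrypted file's size.  Independently of
    that, an InnoDB tablespace must be a whole number of pages; a one-byte
    truncation breaks both checks."""
    flagged = []
    for rel, (enc_size, _) in before.items():
        if not rel.endswith(ENCRYPTED_EXT):
            continue
        dec = root / rel[:-len(ENCRYPTED_EXT)]
        if not dec.exists():
            flagged.append((rel, "missing after decryption"))
            continue
        size = dec.stat().st_size
        reasons = []
        if size != enc_size:
            reasons.append(f"size {size} differs from encrypted size {enc_size}")
        if dec.suffix == ".ibd" and size % INNODB_PAGE:
            reasons.append("not a whole number of InnoDB pages")
        if reasons:
            flagged.append((rel, "; ".join(reasons)))
    return flagged


def rollback(backup: Path, root: Path, manifest: dict) -> bool:
    """Restore root from backup and confirm every file matches the manifest."""
    shutil.rmtree(root)
    shutil.copytree(backup, root)
    return build_manifest(root) == manifest


def simulated_decryptor(root: Path, truncate: bool) -> None:
    """Stand-in decryptor; with truncate=True it drops the last byte, as described for Ryuk."""
    for p in list(root.rglob(f"*{ENCRYPTED_EXT}")):
        data = p.read_bytes()
        p.with_suffix("").write_bytes(data[:-1] if truncate else data)
        p.unlink()


def demo(truncate: bool = True) -> dict:
    """Run the full procedure in a scratch directory and report what happened."""
    work = Path(tempfile.mkdtemp())
    system, backup = work / "system", work / "backup"
    system.mkdir()
    # constructed sample: a two-page InnoDB tablespace and a text file, both "encrypted"
    (system / "orders.ibd.locked").write_bytes(os.urandom(2 * INNODB_PAGE))
    (system / "notes.txt.locked").write_bytes(b"quarterly figures\n")
    manifest = backup_tree(system, backup)          # image first
    simulated_decryptor(system, truncate)           # then attempt decryption
    flagged = suspicious_after_decrypt(manifest, system)
    restored = rollback(backup, system, manifest) if flagged else True
    shutil.rmtree(work)
    return {"flagged": sorted(rel for rel, _ in flagged), "restored": restored}


if __name__ == "__main__":
    print(demo(truncate=True))
    print(demo(truncate=False))
```

With the truncating decryptor both files are flagged and the system is restored from the verified backup, ready for a second attempt with a fixed decryptor; with a correct decryptor nothing is flagged. For real database files, validate the restored data with the database engine's own consistency tools rather than relying on the size check alone.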
- Quarantine the malware
Victims should never remove, delete, or reformat infected systems unless otherwise instructed. Instead, the malware should be quarantined, which allows investigators to analyze the infection and identify the exact strain of ransomware responsible for encrypting files. Removing the entire infection makes it extremely difficult for recovery teams to find the specific ransomware sample involved in the attack.
- Identify and investigate patient zero
Identifying patient zero (i.e. the source of the infection) is crucial for understanding how attackers gained access to the system, what other actions they took while they were on the network, and the extent of the infection. Detecting the source of the infection not only helps resolve the current incident but also helps organizations address vulnerabilities and reduce the risk of future compromise.
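One way to start the patient-zero investigation, as an added example that is not part of the original article: order hosts by the first time an encryption indicator (a file written with the ransomware's extension, or a ransom note created) appears in their logs, then pull the events on the earliest host in the minutes before that indicator to reconstruct how the infection began. The log format, host names, timestamps, `.locked` extension and `HOW_TO_RECOVER.txt` note name are all constructed for the demo and are not real indicators.

```python
"""Added example (not ADACOM's code): rank hosts by first encryption indicator."""
import re
from datetime import datetime, timedelta, timezone

# Constructed EDR-style sample log, deliberately out of order as collected logs often are.
SAMPLE_LOG = """\
2024-03-02T02:41:10Z host=FS-01 user=svc_backup event=file_write path=D:\\shares\\finance\\q1.xlsx.locked
2024-03-02T02:40:55Z host=WS-07 user=j.doe event=file_write path=C:\\Users\\j.doe\\Desktop\\budget.docx.locked
2024-03-02T02:40:52Z host=WS-07 user=j.doe event=file_create path=C:\\Users\\j.doe\\Desktop\\HOW_TO_RECOVER.txt
2024-03-02T02:39:30Z host=WS-07 user=j.doe event=process_start image=C:\\Users\\j.doe\\AppData\\Local\\Temp\\invoice.exe
2024-03-02T02:43:02Z host=WS-12 user=a.lee event=file_write path=C:\\Data\\report.pdf.locked
2024-03-02T02:39:05Z host=WS-07 user=j.doe event=process_start image=C:\\Program Files\\Outlook\\OUTLOOK.EXE
2024-03-02T01:15:00Z host=WS-07 user=j.doe event=logon type=2
"""

ENCRYPTED_EXT = ".locked"          # constructed placeholder
RANSOM_NOTE = "HOW_TO_RECOVER.txt"  # constructed placeholder
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?P<rest>.*)$")


def parse(log: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["rest"] = ev["rest"].strip()
        yield ev


def is_encryption_indicator(ev: dict) -> bool:
    """True for the two constructed indicators: encrypted-extension write or note creation."""
    if ev["event"] == "file_write" and ev["rest"].endswith(ENCRYPTED_EXT):
        return True
    return ev["event"] == "file_create" and ev["rest"].endswith(RANSOM_NOTE)


def first_seen_by_host(log: str) -> list:
    """[(host, first indicator time)] sorted earliest first."""
    first = {}
    for ev in parse(log):
        if is_encryption_indicator(ev):
            if ev["host"] not in first or ev["ts"] < first[ev["host"]]:
                first[ev["host"]] = ev["ts"]
    return sorted(first.items(), key=lambda kv: kv[1])


def patient_zero(log: str):
    """The host where encryption activity was logged first, or None if no indicator."""
    order = first_seen_by_host(log)
    return order[0][0] if order else None


def preceding_activity(log: str, host: str, window_seconds: int = 300) -> list:
    """Events on host in the window before its first indicator, oldest first:
    the raw material for working out the initial access path."""
    start = dict(first_seen_by_host(log))[host]
    lower = start - timedelta(seconds=window_seconds)
    hits = [ev for ev in parse(log) if ev["host"] == host and lower <= ev["ts"] < start]
    return [(ev["ts"].isoformat(), ev["event"], ev["rest"]) for ev in sorted(hits, key=lambda e: e["ts"])]


if __name__ == "__main__":
    for host, ts in first_seen_by_host(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {host}")
    pz = patient_zero(SAMPLE_LOG)
    print("candidate patient zero:", pz)
    for row in preceding_activity(SAMPLE_LOG, pz):
        print("  ", *row)
```

On the sample, WS-07 shows the earliest indicator, and the five minutes before it contain a mail client launch followed by an executable starting from the user's Temp directory, which is where an investigator would look next. The ranking is only a starting point: it assumes the hosts' clocks are synchronized and that logging covered every host, so a machine with no EDR coverage or a skewed clock can hide the true origin.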
Don’t pay the ransom
While paying the ransom can help reduce disruption and may be cheaper than the overall cost of downtime, it is not a decision that should be taken lightly. In their advisory for protecting data from ransomware attacks, “CISA strongly discourages paying a ransom to criminal actors.”
However, if businesses are forced to pay the ransom, they should consider the following factors:
- There is a 1 in 20 chance that the ransomware authors will take the money but not provide a decryptor.
- The attacker-provided decryptor may not work properly.
- Ransom payments may be used to fund serious criminal activity, including human trafficking and terrorism.
- Paying the ransom validates the ransomware business model and perpetuates further attacks.
The don’ts of a ransomware attack
Incorrectly handling a ransomware incident can hinder recovery efforts, jeopardize data and result in victims paying ransoms unnecessarily. Here’s what you shouldn’t do in the event of a ransomware attack:
- Do not restart infected devices
- Do not connect external storage devices to infected systems
- Do not pay the ransom (we have said that before, but we should stress it)
- Do not communicate on the impacted network
- Do not delete files
- Do not trust ransomware gangs
ADACOM offers a holistic approach to mitigating the ransomware threat
This changing business landscape requires a holistic approach towards information resilience and security risk management to enable an organization to minimize the threat of ransomware attacks and maximize the trustworthiness of its information and the reliability of its automated processes.
ADACOM has established its own GRC & Assurance Services portfolio based on Information Resilience, which goes beyond the traditional Information & Digital Security models. Contact us to learn how we can help you.