How to deal with a ransomware attack: a step-by-step guide.
With ransomware attacks increasing in number and severity, we have put together a quick guide, using free resources, that business owners can use to deal with a ransomware attack on their own before having to seek professional assistance.
This guide will go through, step by step, what you need to do when you are attacked by ransomware.
#1 LOCK DOWN YOUR NETWORK
The very first thing you need to do is isolate the infected computer(s) from your network. Most ransomware will scan the network for other data to attack, such as other computers or shared drives, turning an attack on a single computer into an attack against your entire network.
The quickest way to isolate a computer from the network is to unplug its network cable or switch off its Wi-Fi connection; you could also go old school and simply pull the power. If you catch the ransomware early, you may also prevent it from encrypting all of your files. If you don’t have any advanced security tools at your disposal, do whatever you have to in order to isolate the computer from the network.
“With our Managed:Security service we’re able to completely isolate a computer without the need for physical intervention, protecting your network and preserving data to help in the investigation into the attack.”
James Creese, Technical Director – itcent.re
#2 REMOVE THE RANSOMWARE
Most ransomware will continue to encrypt data in real time, so if you try to restore your data from backups without cleaning the infection from the computer, your restored data will also be encrypted.
You need to remove the ransomware executables from the system, and ONLY the ransomware executables. Removing the executables stops further files from being encrypted; however, ransomware leaves other files on the system, such as the key file, which is necessary for decrypting your data. If you remove those additional files, you will never be able to decrypt your data.
You can use any second-opinion scanner for this task; however, the free ones below are a good start.
#3 DECRYPTION OPTIONS
A lot of ransomware has already been broken by security researchers, with decryption software available publicly for free. These tools can be used to restore your files without having to engage the cyber criminals who attacked your system.
There is a fantastic website set up by MalwareHunterTeam that can be used to identify the ransomware used to attack your system and to check whether your files are decryptable using one of the tools mentioned above.
ID-Ransomware website: https://id-ransomware.malwarehunterteam.com/
There are two ways to identify the ransomware used on your system: you can upload either a copy of the ransom note or one of your encrypted files. If a decryptor is available, the website will let you know and give you a link where you can download it.
It’s worth noting that not all ransomware has been broken by security researchers, and finding a decryptor is a best-case scenario. If your files cannot be decrypted, you’ll need to restore your data from backups.
If you have no backups but would still like to decrypt your data, ID-Ransomware offers an option to be notified if a decryptor becomes available. This is not a guarantee, but if it’s the only option you have, you may as well use it.
#4 DO NOT PAY THE RANSOM
We highly recommend that you DO NOT pay the ransom to decrypt your data. If you have lost your data because you lacked anti-virus and did not have backups, suck it up and get on with it: not having anti-virus and backups for your data in this day and age is inexcusable. You wouldn’t leave your home or car unlocked, so why leave your data vulnerable to attack?
By paying a ransom you are encouraging the threat actors to continue, and you also leave yourself open to further attacks by the same cyber criminals: if they managed to extort you once, what makes you think they will not try again? Furthermore, people paying ransoms is what funds this type of attack. If no one pays, there is no financial incentive to continue these attacks.
There are also ransomware attacks that double encrypt your files, so after paying the first ransom you may still be unable to access your files. If you do not fix the point of entry into your network, an unaffiliated hacker may even use the same weakness in your network to encrypt your files.
However, if you’re left with no option at all and need your data restored, please consult a cyber security firm first; they will likely have experience dealing with the attackers and may be able to negotiate a discount on the decryption key.
#5 PROTECT YOUR SYSTEMS FROM FUTURE THREATS
Very few businesses (micro and SMB) have the resources to create a formal cyber security policy. This is one area where an IT service provider such as itcent.re can help, taking care of your IT and security needs. However, below are a few ways in which you can improve your cyber security posture to protect your data and your business:
- Control access to your computer – Ensure you’re using a policy of least privilege for accessing your systems: administrative permissions should be reserved for special users and assigned to a dedicated admin account, and your regular login account must not have admin privileges. You should also pay close attention to any software on your system that allows remote control of or remote access to your system.
- Install reputable anti-virus software – Do not rely on free anti-virus to protect your systems. Security software for home users is extremely cheap these days; it lacks the advanced features of our Managed:Security solution, but it will do a good job of protecting your system.
- Keep your system & software up to date – A lot of cyber-attacks take advantage of known vulnerabilities in operating systems, firmware, and software in order to compromise a system. Ensuring your operating system, firmware, and software are up to date is critical to protect your systems from cyber-attack.
- Back up your data – Keeping regular backups of your data is a critical step in protecting not only your own data but your customers’ data too. You should use a dedicated backup tool and, as a minimum, schedule a daily backup of your data; store those backups on two different media and in two different locations. You must also monitor your backup jobs to ensure they complete successfully, and regularly test your backups to ensure they are usable.
- Multi-factor Authentication – Always use multifactor authentication when this option is offered to you. Even if your password is compromised this gives you a second barrier of defence.
- Password manager – Using a password manager allows you to use strong passwords, unique to each system you log in to. It also prevents you from losing your passwords, or from a password you’ve reused in multiple places being exposed in a previous data breach (visit haveibeenpwned.com to check whether your private data or passwords have already been exposed by cyber criminals).
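The backup rules in the list above (a daily schedule, two locations, monitored job success and tested restores) can be checked mechanically rather than by hope. The following is an added example written for this guide, not itcent.re's own tooling; the job records, their field names and the hashes are constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample records (not real backup-tool output): one entry per
# job run, with the SHA-256 the backup tool recorded for the archive.
SAMPLE_JOBS = [
    {"location": "onsite-nas", "finished": "2024-05-20T01:05:00",
     "status": "success",
     "sha256": hashlib.sha256(b"payroll-2024-05-20").hexdigest()},
    {"location": "offsite-cloud", "finished": "2024-05-20T02:10:00",
     "status": "failed", "sha256": None},
    {"location": "offsite-cloud", "finished": "2024-05-17T02:10:00",
     "status": "success",
     "sha256": hashlib.sha256(b"payroll-2024-05-17").hexdigest()},
]


def check_backup_policy(jobs, now_iso, max_age_days=1, min_locations=2):
    """Return a list of findings; an empty list means the policy holds.

    Rules encoded: every job must succeed (monitoring), the newest good
    backup per location must be no older than max_age_days (daily
    schedule), and at least min_locations locations must hold a current
    copy (two locations).
    """
    now = datetime.fromisoformat(now_iso)
    findings, latest_ok = [], {}
    for job in jobs:
        if job["status"] != "success":
            findings.append(f"{job['location']}: job at {job['finished']} did not succeed")
            continue
        finished = datetime.fromisoformat(job["finished"])
        if finished > latest_ok.get(job["location"], datetime.min):
            latest_ok[job["location"]] = finished
    fresh = []
    for loc, finished in latest_ok.items():
        age = now - finished
        if age > timedelta(days=max_age_days):
            findings.append(f"{loc}: newest good backup is {age.days} days old")
        else:
            fresh.append(loc)
    if len(fresh) < min_locations:
        findings.append(f"only {len(fresh)} location(s) hold a current backup; need {min_locations}")
    return findings


def verify_restore(restored_bytes, recorded_sha256):
    """Restore test: data read back from a backup must match the hash recorded when it was written."""
    return hashlib.sha256(restored_bytes).hexdigest() == recorded_sha256
```

Run against the sample, the checker reports the failed offsite job, the three-day-old offsite copy and the resulting single current location, which is exactly what a morning backup report should surface.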