It was late on a Friday afternoon, just before a long holiday weekend. The attackers timed it perfectly — they knew most people would already be on vacation and wouldn’t be back to work until Tuesday. Fortunately, the attack was discovered pretty quickly.
The organization had been hit with a ransomware attack. One of TCT’s partners gave them our number and I got the emergency call right at the end of the day. I was on the phone all Friday night, through the weekend, and well into the following week.
Thankfully, this particular company already had a decent security stance, and they had good backups and disaster recovery for their servers. That alone put them in a position where they didn’t have to pay the ransom. Even so, it was incredibly disruptive to their business (not to mention their holiday weekend), and the mitigation and cleanup had costs of their own. This single event had impacted the vast majority of their workstations and servers for the company.
Ransomware attacks are the stuff nightmares are made of. It’s a sickening feeling to see it play out, because you’re forced to watch a wave of destruction seeping out across your network. But with the proper preparation and a good action plan, you can avoid paying a ransom and mitigate the damage.
Here’s how to protect yourself from ransomware.
What Is Ransomware?
Ransomware is a form of malware (malicious software) designed to encrypt files on a device. When a ransomware attack happens, the software starts encrypting the machine’s files and locks the user out of that machine’s systems. The encryption algorithms used are nearly impossible to crack.
At the same time, the malware starts looking for other connected systems. If you’re in a corporate environment, your workstation is likely connected to a corporate server, production servers, and file servers. The attacker will use those connections to spread the malware onto those machines as well, and from there onto whatever they connect to.
Before you know it, your entire network can be infected with ransomware encryption, locking you out of every machine that’s been hit. Usually a splash screen pops up announcing that you’ve been hit with ransomware. If you want the decryption key to unlock your machine, you’ll need to pay a certain amount per machine.
Because every machine has a unique encryption key, the cost of a ransomware attack can add up to tens or hundreds of thousands of dollars.
Ransomware can spread quickly through a network, so it is imperative to spot it and stop the spread, fast — and to have a plan in place in case you get hit with a ransomware attack.
Be Prepared Ahead of Time
What should you think about in advance to mitigate the risk of a ransomware attack? The most important thing you can do is to put forethought into the “what-if” scenarios. Do a risk assessment around the question, “What if we got ransomware?”
Look at all of your inventory, assets, devices, and machines. This includes:
- Desktops and laptops
- Corporate equipment
- Any other networked devices
Make sure you have good, active, regular backup and disaster recovery capability. Also make sure your backups are going to a location that isn’t directly connected to your corporate environment. If there’s a connection, the ransomware can hop over onto your backup server and lock you out of your backups as well.
As part of your security policy, desktops and laptops should never have files saved onto the local machine, on principle alone. If you do have local files to be concerned about, then you’ll need to think about whole disk encryption and backups for those too.
Identify the most critical workstations to your organization. If every machine in your company got hit with ransomware, which key personnel need to be back online within a day so that your company can continue to function? Consider moving these people to virtual machines. A virtual machine lets you connect into a server-based environment rather than the desktop or laptop computer itself. A virtual machine is a lot easier to fold into your normal backup routines and disaster recovery.
Implement antivirus software fully and properly on every networked device in your company. It’s not enough to simply have antivirus software — you’ll need to make sure it’s properly configured and frequently updated. If you have PCI-DSS certification, this will be business-as-usual for you.
Make sure you have contact information for professionals who can assist you with a forensics-style investigation. There’s always the possibility that the sensitive data on your machines was exfiltrated, and you’ll need someone who can determine the extent of the damage.
What to Do if You’re Attacked by Ransomware
The minute you discover that there’s ransomware in your network environment, disconnect all of your devices from the network. DO NOT SHUT DOWN ANY DEVICES — especially the devices you know to be infected. Shutting a machine down can clear local logs and other volatile evidence, and you might lose important information that can assist your forensics investigator.
Act as fast as humanly possible. If you’ve discovered ransomware on one machine, you can bet that it’s already spread to other devices on the network. Ransomware flies across networks.
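The isolation step above, worked through as an added example (this is not code from the original post or from TCT): it cuts a suspected Windows host off the network without powering it down, and captures the volatile state and local event logs the forensics team will want. It assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later, and the output folder C:\IR is a placeholder you would change.

```powershell
# Added example, not part of the original post. Isolate a suspected-infected
# Windows host from the network WITHOUT shutting it down, and preserve local
# evidence for the forensics investigator. Run from an elevated PowerShell prompt.
# Assumption: C:\IR is a placeholder output location; adjust as needed.

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = "C:\IR\$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Capture volatile state first: active connections vanish the moment the
#    network is cut, and the process list changes as soon as anything is touched.
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -Path "$outDir\tcp-connections.csv" -NoTypeInformation
Get-Process |
    Select-Object Id, ProcessName, Path |
    Export-Csv -Path "$outDir\processes.csv" -NoTypeInformation

# 2. Cut the network: disable every adapter that is currently up, recording
#    which ones were disabled so they can be re-enabled after recovery.
$up = Get-NetAdapter | Where-Object Status -eq 'Up'
$up | Select-Object Name, InterfaceDescription, MacAddress |
    Export-Csv -Path "$outDir\adapters-disabled.csv" -NoTypeInformation
$up | Disable-NetAdapter -Confirm:$false

# 3. Do NOT reboot or power off. Export the local event logs in place so they
#    survive even if the machine is later imaged, wiped, or rebuilt.
foreach ($log in 'Security', 'System', 'Application') {
    wevtutil epl $log "$outDir\$log.evtx"
}

"Isolated $env:COMPUTERNAME at $stamp; evidence saved under $outDir" |
    Tee-Object -FilePath "$outDir\isolation.log"
```

Leave the machine running and hand the output folder (and the host itself) to the forensics team; the adapters can be re-enabled with Enable-NetAdapter once recovery is complete.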
Get a forensics team involved to assess the situation and determine the extent of the damage. You’ll also need to get your company back up and running again as quickly as possible. Work on getting new workstations for the most critical people in your company — either from backup and recovery, or by completely rebuilding and deploying new machines.
Wipe your computers clean, then reinstall from your most recent known-good backup or restore point, or build them fresh.
One thing few people consider is that you’ll need to resume operations while you’re in the process of forensics and recovery. It can take weeks to complete the forensic investigation and restore with backups. Meanwhile there may be machines that don’t appear to be affected, but you won’t know until you investigate. It’s best to figure out the recovery process ahead of time.
What if you have to pay the ransom? Can you trust that the attackers will actually deliver the decryption key? It only behooves them to deliver what they promise. No one will pay them if they don’t hold up their end of the bargain. Word will get out fast that they aren’t releasing the decryption key, and they won’t get what they’re after.
Keep in mind that the forensics team will also be able to tell you about any evidence of data exfiltration from the impacted machines. This could require you to implement the data breach notification portion of your Incident Response Plan. It’s critical to have your forensics and legal team providing swift and solid guidance through this process.
Whatever route you take, be sure to consult your legal experts and forensics team for directional guidance. It’s usually a good idea to contact the FBI and get their help as well. I’ve interacted with the FBI multiple times and have always found them to be helpful, sympathetic, and informative.
What to Do After Recovery
Once you’ve recovered from the attack, reassess the maturity state of your security and compliance program. Take it seriously and put yourself up against industry standard certifications. Most companies don’t have the internal expertise within their IT departments, so lean on a company like TCT to assist with directional guidance and reliable software to manage your security program. At the end of the day, improving your security stance will drastically reduce the chances that you’ll get hit with another ransomware attack.
Ransomware attacks sound scary, and they are. It’s incredibly stressful, and you’re immediately racing against the clock to minimize the damage. But if you’re prepared ahead of time, you can dramatically improve your odds of avoiding a ransom payment and returning to normal operations much sooner.