Responding To Ransomware

Ransomware has been one of the most prominent cybersecurity dangers of late, with an array of industries, including critical infrastructure, being targeted by ransomware attacks. Recent major incidents like the JBS Meat attack, Log4Shell, and the Colonial Pipeline attack halted the operations of the targeted companies and, in some instances, led to the payment of hefty ransoms. What’s more, according to recent Footprint Research findings, the ransom payment itself accounts for less than 20% of the total cost of a ransomware attack, with large US firms losing an average of $14.8 million every year. 

Besides disrupting operations, ransomware attacks can severely tarnish an organization’s reputation and put a dent in customer trust. It is crucial to have a sound response strategy in place before a ransomware attack happens. With this in mind, this post looks at ways organizations can respond to such incidents. 

9 Crucial Steps to Take Following a Ransomware Attack 

In the event that preventive measures fail, organizations should take the following steps after a ransomware attack: 

1. Isolate the Affected Systems 

Your number one priority should be to isolate the affected systems. In most instances, the ransomware program will scan the network for vulnerabilities and try to propagate laterally to other parts of it. To contain the infection and prevent it from spreading further, disconnect the infected systems from your network as soon as possible. 
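Pulling the network cable is the simplest form of isolation, but responders often need to keep one path open so they can collect evidence without touching the console. The Python snippet below is an added example (not from the original post) of a host-level alternative for a Linux system: it builds an nftables ruleset that drops every packet except the forensic workstation's connection to the host and, if asked, loads it atomically with `nft -f`. The table name `ir_isolation`, the workstation address `10.0.0.5` and the management port are placeholders you must replace for your own environment.

```python
"""Build (and optionally apply) an nftables ruleset that isolates a Linux host.

Added example, not from the original post. Assumes nftables is installed and
that the script runs as root when apply_isolation() is called. The forensic
workstation address and port are placeholders for your environment.
"""
import ipaddress
import subprocess

# 'flush ruleset' at the top makes nft replace the whole ruleset in one
# transaction, so there is no window where the host is fully open or fully
# unreachable. Both chains have a drop policy and no conntrack exception,
# which also cuts off sessions that existed before the ruleset is loaded.
RULESET_TEMPLATE = """\
flush ruleset
table inet ir_isolation {{
  chain input {{
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ip saddr {forensic_ip} tcp dport {port} accept
  }}
  chain output {{
    type filter hook output priority 0; policy drop;
    oifname "lo" accept
    ip daddr {forensic_ip} tcp sport {port} accept
  }}
}}
"""


def build_isolation_ruleset(forensic_ip: str, port: int = 22) -> str:
    """Return an nftables ruleset that drops all traffic except the forensic
    workstation's connection to this host on `port`."""
    addr = ipaddress.ip_address(forensic_ip)  # raises ValueError on junk input
    if addr.version != 4:
        raise ValueError("example handles IPv4 only; use 'ip6 saddr/daddr' for IPv6")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return RULESET_TEMPLATE.format(forensic_ip=addr, port=port)


def apply_isolation(forensic_ip: str, port: int = 22) -> None:
    """Load the isolation ruleset with nft (reads the script from stdin).
    After this the host is reachable only from forensic_ip on `port`."""
    ruleset = build_isolation_ruleset(forensic_ip, port)
    subprocess.run(["nft", "-f", "-"], input=ruleset, text=True, check=True)


if __name__ == "__main__":
    # Dry run: print the ruleset for review instead of loading it.
    print(build_isolation_ruleset("10.0.0.5", 22))
```

Review the printed ruleset before calling `apply_isolation()`; if evidence is shipped to a separate collection server, add an equivalent accept pair for that address, because the drop policy blocks everything else, including DNS and NTP.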

2. Report the Attack to Relevant Authorities 

As soon as you’ve isolated the affected systems, report the incident to the relevant authorities, as the details you provide may help them identify the threat actors. If you assist them in identifying the threat actors, they may in turn be able to help you obtain the decryption key. 

Reporting the incident will also help the authorities identify which organizations are being targeted and warn the potential targets in advance. US-based organizations should report ransomware incidents to CISA (Cybersecurity and Infrastructure Security Agency). 

3. Identify and Investigate Patient Zero 

Patient zero refers to the source of the infection. Identifying patient zero is vital to understanding how the threat actors gained access to your system, what actions they took while on the network, and the extent of the infection. Identification of patient zero is not only useful for resolving the current incident, but can also help organizations address vulnerabilities and minimize the risk of future attacks. 

That said, identifying the original point of compromise can be challenging given that, in most cases, the attackers will have been in the system for weeks, if not months, before deploying the ransomware payload. Organizations that don’t have the expertise and resources to conduct a thorough digital forensic analysis should consider engaging a professional digital forensics firm. 

4. Secure Your Backups 

While backups play a key role in recovering from data loss events, keep in mind that they aren’t immune to ransomware. To derail recovery efforts, most modern ransomware strains target a company’s backups and try to delete, encrypt, or overwrite them. 

If your company falls victim to a ransomware attack, secure your backups by disconnecting the backup storage from the network or by locking down access to the backup systems until the infection is resolved. 

5. Disable Maintenance Tasks 

You should immediately disable maintenance tasks on the affected systems, such as log rotation or temporary file removal, because these tasks can delete or alter files that may be useful to forensic teams and investigators. 

For instance, log files may hold valuable clues about where the infection began. Likewise, the temporary files left behind by a poorly implemented ransomware variant may contain vital information, such as encryption keys. 

6. Create Backups of the Infected Systems 

Upon isolating the infected systems from your network, create backups or images of those systems. There are two main reasons for doing this: 

  • Data loss prevention: Having backups of the infected systems ensures data integrity. If something goes wrong during the decryption process, you can roll the systems back and attempt the decryption again. Alternatively, you can reach out to a ransomware recovery specialist for a custom-built, reliable decryption solution. 
  • Possible free decryption in the future: If the encrypted data isn’t essential to your organization’s operations and doesn’t need to be recovered urgently, it should still be backed up and securely stored, since there is a chance it can be decrypted for free in the future. 
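A backup taken for either of the reasons above is only useful if you can later prove it is a faithful copy of the system as it was when seized. The Python example below is added here and is not code from the original post; it copies a file or raw device to an image, hashes the source stream and the written image, refuses to keep an image whose hash differs from what was read, and records the result in a JSON sidecar so the image can be re-verified before every decryption attempt. The sidecar name (`<image>.json`), the case identifier and the read-only permissions are assumptions of this example.

```python
"""Copy a file or block device to an image and verify it by hash.

Added example, not from the original post. `source` may be a regular file or
a raw device such as /dev/sdb (root needed for a device); the sidecar name and
permissions are assumptions of this example.
"""
import hashlib
import json
import os
import time

CHUNK = 4 * 1024 * 1024  # 4 MiB read size


def _sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def create_image(source: str, image_path: str, case_id: str) -> dict:
    """Stream `source` into `image_path`, hashing while copying, then re-read
    the image so the stored hash reflects what is actually on disk."""
    h_src = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h_src.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes reached the disk
    image_hash = _sha256_of(image_path)
    if image_hash != h_src.hexdigest():
        raise IOError("image hash does not match the source stream; re-acquire")
    record = {
        "case_id": case_id,
        "source": source,
        "image": image_path,
        "bytes": size,
        "sha256": image_hash,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(image_path + ".json", "w") as f:
        json.dump(record, f, indent=2)
    os.chmod(image_path, 0o440)  # read-only so the image is not altered later
    return record


def verify_image(image_path: str) -> bool:
    """Recompute the image hash and compare it with the sidecar record."""
    with open(image_path + ".json") as f:
        record = json.load(f)
    return _sha256_of(image_path) == record["sha256"]


if __name__ == "__main__":
    # Usage (paths are placeholders): image a seized disk, then verify it.
    rec = create_image("/dev/sdb", "/evidence/host01-sdb.img", "CASE-0001")
    print(rec["sha256"], verify_image("/evidence/host01-sdb.img"))
```

Run `verify_image()` again before and after each decryption attempt; a mismatch tells you the working copy was changed and you should roll back to a fresh copy of the image rather than keep working on it.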

7. Quarantine the Malware 

If you become a ransomware victim, you shouldn’t delete, remove, reimage, or reformat infected systems unless you’re specifically instructed to do so by a ransomware removal specialist. Instead, quarantine the malware so that investigators can analyze the infection and determine which ransomware strain is responsible for the encryption. Removing the infection entirely makes it difficult for recovery teams to obtain the specific sample of the strain involved in the attack. 

8. Identify the Strain 

To increase your chances of decrypting your files without paying the ransom, determine which strain of ransomware you’ve been infected with. You can use online ransomware identification tools such as No Ransom and ID Ransomware: upload a sample encrypted file and/or the ransom note, and the tool tells you which strain you’ve been infected with. 
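Steps 7 and 8 go together in practice: the sample has to be preserved in a form investigators can use, and the artifacts an identification service asks for (the extension appended to encrypted files and the ransom note) have to be gathered from the affected share. The Python example below is added here and is not code from the original post or from either identification tool. It moves a suspected sample into a quarantine directory under its SHA-256 name with execute permission removed and writes a metadata record, then walks a directory to tally file extensions and list likely ransom notes. The quarantine layout, the metadata file name and the keyword list used to spot ransom notes are constructed assumptions of this example.

```python
"""Quarantine a suspected ransomware binary and collect the artifacts used to
identify the strain (encrypted-file extension, ransom note).

Added example, not from the original post. The quarantine layout, metadata
file name and ransom-note name keywords are assumptions of this example.
"""
import collections
import hashlib
import json
import os
import shutil
import time

# Constructed heuristic: words that commonly appear in ransom note file names.
NOTE_KEYWORDS = ("readme", "decrypt", "restore", "recover", "how_to", "how-to", "help")


def _hashes(path: str) -> dict:
    """MD5/SHA-1/SHA-256 of a file, the digests investigators usually request."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def quarantine_sample(sample_path: str, quarantine_dir: str) -> dict:
    """Move the sample into quarantine under its SHA-256 name, strip execute
    permission and write a metadata record. The file is preserved, not
    deleted, so the strain can still be analysed later."""
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    st = os.stat(sample_path)
    digests = _hashes(sample_path)
    dest = os.path.join(quarantine_dir, digests["sha256"] + ".quarantined")
    shutil.move(sample_path, dest)
    os.chmod(dest, 0o400)  # owner read-only; nobody can run it from here
    record = {
        "original_path": os.path.abspath(sample_path),
        "quarantined_as": dest,
        "size": st.st_size,
        "mtime_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
        **digests,
    }
    with open(dest + ".json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def collect_identification_artifacts(root: str, top_n: int = 3) -> dict:
    """Walk `root` and return what an identification service asks for: the most
    common file extensions (the encryption extension usually dominates) and
    the paths of likely ransom notes."""
    ext_counter = collections.Counter()
    notes = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext:
                ext_counter[ext] += 1
            lower = name.lower()
            if lower.endswith((".txt", ".html", ".hta")) and any(k in lower for k in NOTE_KEYWORDS):
                notes.append(os.path.join(dirpath, name))
    return {"top_extensions": ext_counter.most_common(top_n), "ransom_notes": sorted(notes)}


if __name__ == "__main__":
    # Usage (paths are placeholders): triage a share, then quarantine the sample.
    print(collect_identification_artifacts("/mnt/affected-share"))
    print(quarantine_sample("/mnt/affected-share/suspect.exe", "/evidence/quarantine"))
```

Keep the quarantine directory outside the share you are surveying, and hand investigators the metadata record rather than the file itself wherever possible; the hashes are enough for them to check whether the sample is already known.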

9. Decide Whether or Not to Pay the Ransom 

If all of the above options fail, you may find yourself in a scenario where you have to consider paying the ransom, especially if you urgently need to get your systems back online. 

That said, while paying the ransom may minimize disruption and might cost less than the overall cost of downtime, it’s a decision you shouldn’t take lightly. As mentioned earlier, you should only consider paying the ransom if all other options have been exhausted and the data loss may result in your company going out of business. 

You should consider the following factors: 

  • There is a high chance that the ransomware authors will take the ransom but fail to provide the decryptor 
  • The decryptors provided by the attackers may not work properly 
  • The ransomware payments may be used to fund criminal activities such as terrorism and human trafficking 
  • Paying the ransom encourages the threat actors to perpetrate further attacks 

Cyber Solutions Inc. Can Help You Prevent and Respond to Ransomware Attacks 

The threat of ransomware is showing no signs of waning any time soon. And while you may put up measures to prevent a ransomware attack, achieving this feat is easier said than done. 

Cyber Solutions Inc. can help you respond to ransomware attacks. We regularly respond to various ransomware attacks involving variants such as Conti and Maze. By partnering with us, you will have a trusted, reliable partner who will help with ransoms and decryptions and improve your security. We deploy responders within hours with an effective strategy that enables rapid identification, scoping, and containment of the ransomware. Contact us today for a network analysis scan.