There is often no easy way out of a ransomware attack, but how you respond can make a big difference in how much damage is done. This guide will show you some of the best practices for a ransomware response, and how to minimize damage and get your system back online as quickly and safely as possible.

 

Signs of a Ransomware Attack

If you notice files on your computer with strange names and extensions that will not open with any program, there is a good chance a ransomware attack is underway. Usually, the first sure sign of a ransomware attack is a screen announcing that your files have been encrypted. Your screen might look something like this:

Dharma Ransomware Recovery

“All your files have been encrypted!”

This is a terrible and increasingly common experience; ransomware attacks increased by over 700% in 2020. If you see a message like this and find that you can’t access your files, there is a high probability that your entire network is compromised. Ransomware is often programmed to infect as much of the network as it can before making itself known.

For most organizations, every minute of downtime translates to lost money. A survey showed that the average ransomware attack costs $133,000 USD including downtime, ransom payments, network costs, manpower, device costs, and lost opportunities. For 5% of respondents, the cost was in the range of $1.3  million to $6.6 million. Most ransomware victims were hit an average of two time, which points to the importance of an effective response. A good response can significantly lower your chances of getting hit again.

Many ransomware attacks have demands with short time limits, so you need to act fast to save your data. At the same time, it’s important to stay calm.

This guide will give you a general idea of what steps need to be taken in the event of a ransomware attack. The following steps are some best practices that our team has developed after helping numerous clients restore their operations after ransomware attacks.

 

1. Don’t panic.

It’s easy to get upset about business suddenly stopping, but it won’t help anything. Remember that many organizations have been hit by ransomware attacks and made it through okay. Staying in a calm frame of mind will make it easier to do what needs to be done. Taking all the appropriate steps rather than rushing a badly organized response can actually lower the overall cost of recovery and protect you from more attacks in the future.

 

2. Disconnect the infected devices.

Usually, a ransom demand will not appear until the ransomware has infected every device that it can possibly access. It’s still a good practice to disconnect infected computers, because the ransomware can potentially still spread based on network activity. If you notice the ransomware before the demand is made, it is even more important to act quickly to prevent it from spreading.

The moment you notice the malware, immediately:

  • Disconnect all your drives from the network.
  • Power off Wi-Fi, Bluetooth and disconnect ethernet cables.
  • If possible, power off the entire network.
  • Inform remote workers connected to the infected network, and ask them to disconnect and shut down their systems.

 

3. Notify your IT service provider and/or IT department.

Ransomware takes time to spread through a system, so if you detect an attack, you should act immediately to prevent the infection from getting worse. This step needs to be taken even before notifying your IT department, because every second counts.

You also need to notify your IT service provider as quickly as possible. If you have cloud backups, for example, the infection may have already spread to your backups. It will be up to the service provider to stop the attack. Acting fast may make the difference between being forced to pay a ransom or not.

If your organization has an IT department, it is best to let them handle the ransomware response as described in the following steps. They will need to access the system in a way that prevents the ransomware from spreading. If your organization does not have an IT department, it may be best to hire outside help. BeforeCrypt specializes in ransomware, many of our clients are small and medium companies without a dedicated IT department.

 

4. Document the attack.

Take a screenshot or photograph of any ransom message. Also, take a screenshot of the appearance of the encrypted files. Make sure to note the exact time the attack was discovered. If you can, download copies of your system logs and server logs.

There are several reasons you need to carefully document the attack. Firstly, it can help determine what type of ransomware has hit you. With some older ransomware versions, decryption tools are available which can help recover your data. In the vast majority of cases, however, there is no easy way out, but knowing the type of ransomware can help police to catch attackers later on. If your organization has a cyber attack insurance policy, complete documentation may be necessary to file a claim.

 

5. Notify the authorities.

You may or may not be legally required to report the attack. Depending on your country and the type of the data breach, you may be required to file reports with more than one governmental agency. For example, in the European Union, you may be required to file a report under the General Data Protection Regulations (GDPR). In the United States, the Health Insurance and Portability Accountability Act (HIPAA) requires companies in the health care sector to report all data breaches.

If the nature of the data is of private or personal, such as usernames and passwords, you are legally obliged under the GDPR for Europe and potentially US laws, to communicate the data breach in the form of a press release/email to your colleagues and customers, including, but not limited to:

  • The type of breach which occurred
  • A date and time of breach
  • A thorough damage assessment
  • Any actions you have taken (such as paying the ransom, restoring from backups, reporting to the law enforcement authorities, etc.)
  • Providing suggested actions to your clients (such as changing username/password, etc.)

Being transparent is important. While it is natural that your company will suffer due to the news of a data breach, the more proactive approach you take, the better it will be for your organization.

For a more complete discussion of this topic, along with the contact details of relevant offices, check out our Ransomware Compliance Guide.

 

6. Find out the type of ransomware.

Have you heard of WannaCry? It was one of the most dangerous ransomware attacks to date. By the time it was resolved, over 25% of the UK’s National Health Services (NHS) systems were compromised, from servers to ventilators!

Every variant of ransomware is programmed differently, and hence treated differently. While there are myriads of strains for any ransomware, the two most common types are:

  • Screen locking ransomware
  • File encrypting ransomware

The screen locking malware is marginally easier to resolve and recover from as compared to the latter.

Depending on the type of ransomware, you may have different options.

 

7. Check your backups.

The best possible scenario is restoring your system to a backup from before the infection occurred. To do this, you need to know when the infection happened so you don’t get infected again. This is where your system logs can come in handy. System Restore is generally not a good solution to ransomware, because you may restore to a disk image which has elements of the malware hidden deep in your file system.

In some cases, ransomware may also infect your backups. In this case, there is very little you can do besides give in to the attackers demands, or wipe your system and accept the loss of your data.

 

8. Find the root cause of the ransomware attack.

In either case, you need to know how the infection occurred. Whether you pay the ransom or restore your data with a backup, if you do not find the cause of the attack you are at risk of another infection.

Most ransomware attacks begin through either phishing or exploits.

Phishing attacks usually happen in the form of an email or website. Hackers may impersonate reputable businesses or government agencies by imitating the appearance of their emails or websites, and then trick employees into clicking a link or downloading an attachment containing the malware. There’s a good resource on phishing prevention here.

If the ransomware infection happened due to a vulnerability in your system, you will need to patch that vulnerability before restoring your data. Many vulnerabilities occur from using older versions of software, so you need to keep up to date with exploits and patches to minimize your risk.

 

9. Assess your options.

At this point, you have 4 options.

  1. Using a decryption tool. This option works in very few cases involving out-of-date ransomware. It’s still worth checking, but it’s unlikely that any such tool will work. If you know what ransomware version is affecting you, you can check if a free solution is available here.
  2. Restore from backup. If you have a recent backup, and your backup is clean, this is the best option.
  3. Pay the ransom. This is the worst option, but many organizations have no other choice.
  4. Accept the loss of your data. If you can avoid paying the ransom, it is better to do so. Giving in to attackers demands encourages them to attack others, and makes the problem worse. Many times, the decision comes down to a simple economic calculation; is the cost of losing the data greater than paying the ransom? If yes, many companies make the difficult decision to pay the attackers.

 

10. Back up encrypted files.

Backing up encrypted files is an extremely important part of the process, soon after isolating the incident and discovering the ransomware variant you are dealing with, your next course of action should be to create a backup of all encrypted files. In case something goes wrong during the decryption process, you will still have a copy of the files so you can try again.

 

11. Restore your data.

If you have a safe backup, after fixing the vulnerability that enabled the attack you can restore your data. Attackers are also aware of this, so many ransomware variants will prioritize encrypting backups first. Before using any backup to restore your system, make sure the backup does not contain any hidden ransomware.

If you have no other option, however, you may need to pay the attackers.

We don’t advise victims of ransomware attacks to deal directly with attackers. Attackers may try to take advantage of you and pressure you with empty threats. For example, attackers may claim that an ordinary ransomware attack is actually leakware attack (described in detail here) which can be more dangerous.

You need to have a good understanding of your position when dealing with attackers. Attackers may not actually know the value of the data. Inexperienced negotiators may accidentally divulge information that leads the attackers to increase their demands.

Teams of criminals conduct most ransomware attack. We collect data on hundreds of ransomware cases to understand the method of operation of different groups, and the best methods for dealing with them. In many cases, hiring professionals to handle communications and payments can be cheaper than dealing directly with the attackers yourself.

Another factor to consider is the time that it will take to restore a backup. In case there are terabytes of data to restore, it could take days to restore from backup. If your organization is losing a lot of money because of a suspension in operations, it could be cheaper to pay the attackers and decrypt the data than to wait for a full restoration.

If the backup is not up to date, you need to calculate the cost of data lost since the last backup.

 

12. Communicate with attackers.

Unfortunately, in many cases there is no other option but to communicate with the attackers. We recommend working with experienced professional negotiators to avoid complications.

There are a number of complications that can come up in the course of communications.

Attackers demand more payments.

Attackers sometimes simply don’t keep their word. An important part of negotiations is communicating in such a way that the attackers have the impression that you are willing to lose the data, or that you don’t have the budget to make additional payments.

Attackers using communications to find additional targets.

Attackers will sometimes use information gained through communications to target individuals for identity theft or more attacks. When communicating with the attackers to arrange payment, we use anonymous, disposable e-mail addresses to protect our clients.

Decryption tool does not work.

Sometimes, the decryption tool provided by the attackers will not function. In this case, you need to verify that the key is correct. In some cases, there may be multiple keys, which can complicate the decryption process.

The decryption tool is carrying a trojan.

Hackers will sometimes collect a ransom, but plant another virus in the decryption tool they provide. It’s a good practice to receive the decryption tool in a safe environment like an isolated virtual machine and check it thoroughly before deploying it.

Losing contact with the attackers.

Because the hackers are criminals, many are constantly on the run. Sometimes their email addresses may be shut down by law enforcement, leaving you unable to communicate with them. For this reason, we have compiled a database of specific groups based on their method of operation, and have alternate methods to get updated contact details.

The best negotiation strategy will depend on a number of factors, including:

  • What group you are dealing with.
  • What their behavior has been like in the past.
  • How much information they have about you.
  • How well they understand the value of the compromised data.

We keep records on publicly reported cases, as well as documenting all of our experiences with ransomware recovery cases. We then use this information to refine our negotiation strategies to get the best results for our clients.

Is paying the ransom legal?

In all jurisdictions we know of, paying the ransom is legal. The FBI is neither in favor nor against paying attackers. On their website, they state:

“Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”

The FBI IC3 Public Service Announcement

The FBI, recommends that the businesses should have a solid prevention plan (such as training employees and sturdy prevention control methods) and a business continuity plan in the event of catastrophic data loss.

13. Acquiring and transferring cryptocurrency.

Attackers demand ransoms in the form of Bitcoin or other cryptocurrencies. In order to obtain Bitcoin or another cryptocurrency, you will need an account at a cryptocurrency exchange or broker. This usually requires a know-your-customer/anti-money laundering (KYC/AML) verification process. This can take days, especially if you need a large sum.

Coinbase and BitPanda are the two of the most popular websites to buy and sell bitcoin. Some options exist to purchase Bitcoin by means of debit or credit cards and PayPal, but these options usually come with high fees attached. Another advantage of hiring a professional ransomware response team is that we already have Bitcoin reserves for this reason, so there are no delays or additional fees.

You should be aware when making cryptocurrency payments that transactions are absolutely irreversible. It’s important to be very careful to enter all data correctly, because if you make a mistake, the funds cannot be recovered. You should also be careful to use appropriate network fees. Failure to do so can result in delays or the transaction not going through. A complete guide to Bitcoin network fees can be found here.

When making payment, you should also take care to comply with the United States Office of Foreign Assets Control (OFAC) regulations. The OFAC is responsible for enforcing sanctions on criminal and terrorist organizations. If you make a transfer to an OFAC sanctioned entity and do not document it with law enforcement, you could face legal consequences. There is more on this in our Compliance Guide.

 

14. Take steps to improve security.

As the survey mentioned earlier in this guide showed, ransomware attacks hits most victims more than once. Part of the reason for this is due to improper handling of the first attack. It’s understandable to want to get back up and running as quickly as possible, but it is important to take some precautions to ensure you don’t get hit again.

First, it is important to completely remove all of the ransomware and malware. Secondly, it’s important to check all versions of your software for vulnerabilities and make sure everything is up to date.

In the aftermath of a ransomware attack, you may need to adjust your operating procedure. For example, you may want to make backups on an offline storage medium or server isolated from your network. Anti-virus screening during the process is also important. Here is a good guide on ransomware-proofing your backup procedures.

It’s also important to educate all employees on security practices for opening email attachments and external websites.

 

Life goes on.

Try to keep a positive attitude. Feeling desperate or depressed will not help anything. Look at it this way; a ransomware attack is an opportunity to improve your operating procedures and security. This could make your organization stronger in the long run. Although ransomware attacks have contributed to the bankruptcy of a few companies, most victims make it through just fine.

If you feel overwhelmed, you are welcome to contact us for a free consultation.