Wednesday, March 22, 2017

Critical First Steps When you Think you've Been Infected with Ransomware

According to Malwarebytes, ransomware distribution increased 267% between June and November 2016. While this represents an increase in attacks rather than infections, the more attacks there are, the likelier an infection becomes. But why should we care? What is ransomware, after all?

Ransomware is malicious software whose purpose is to encrypt all files on an infected device in the hope that the victim will purchase the decryption key to regain access to their files. As the number of threats increases, it is important to know the critical first steps to take if you think you have been infected with ransomware, as well as some basic background information.

Some background info first

Ransomware infects the local device through:
  • A link on a website or in an email
  • An attachment
  • An infected USB drive
  • Other vectors
Ransomware is incredibly effective because it encrypts:
  • All the files on the local device AND
  • Locally attached drives/storage AND
  • Mapped network drives
What to do first if you think you have a machine that has been infected
  • Get the device off of the network
    • Unplug the Ethernet cable.
    • Disable the wireless.
    • NOTE: It is important to remove the device from the network even if it is powered off.
  • Power off the device
    • If it will not power down, press and hold the power button for 10 seconds or unplug the power cable.
  • Assess the damage
    • Check other machines on your network.
    • Check attached USB flash and external hard drives.
    • Check servers and network shares.
    • Isolate infected machines then:
      • Power machines on, making sure they cannot gain access to your network.
      • Check whether files are actually encrypted or whether some other type of malware infected the machine.
        • If the malware is something other than ransomware, investigate to see if the device can be recovered.
        • Add the device back into your network carefully, and only after being completely sure all infections have been removed.
      • Locate installation media for the operating systems and any other proprietary software that will be needed.
  • Plan your recovery
    • Check your backup solution.
      • At least one copy of backed-up data should be rotated off-site to protect it against localized infections.
      • Test backups to verify that files are intact and to determine the recovery process.
    • Pull in outside help as necessary.
    • Wipe infected machines.
      • Reinstall operating systems.
      • Reinstall peripheral programs.
      • Copy local user files back from backup.
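As an added example (this is not code from the original post), here is a small Python triage helper for two of the steps above: "check to see if files are actually encrypted" and "test backups to verify files are intact". It flags files whose leading bytes have near-random entropy, which is what encrypted content looks like, and checks a backup set against a SHA-256 manifest taken from a known-good copy. The share and backup directories, file names and contents are constructed sample data, and the entropy threshold of 7.5 bits per byte is an assumption, not a figure from the post.

```python
"""Triage helper for the 'assess the damage' and 'check your backup' steps."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SAMPLE_BYTES = 64 * 1024   # read only the first 64 KiB of each file
ENTROPY_THRESHOLD = 7.5    # assumed cut-off in bits/byte; ciphertext sits near 8.0, text far lower


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input, 8.0 for uniform random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """Screening heuristic only: already-compressed formats (zip, docx/xlsx, jpeg, mp4)
    also score high, so treat a hit as 'inspect this file', not as proof of encryption."""
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD


def triage_tree(root: Path) -> dict:
    """Walk a share or drive and report which files look encrypted."""
    files = [p for p in root.rglob("*") if p.is_file()]
    hits = sorted(p.relative_to(root).as_posix() for p in files if looks_encrypted(p))
    return {"total": len(files), "suspicious": hits}


def build_manifest(root: Path) -> dict:
    """SHA-256 per file from a known-good copy; build this when backups are made, not after an incident."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare a backup set against the manifest; anything missing or altered is reported."""
    missing, altered = [], []
    for rel, digest in manifest.items():
        target = backup_root / rel
        if not target.is_file():
            missing.append(rel)
        elif hashlib.sha256(target.read_bytes()).hexdigest() != digest:
            altered.append(rel)
    return {"missing": sorted(missing), "altered": sorted(altered), "ok": not missing and not altered}


def demo() -> dict:
    """Constructed scenario (sample data, not a real incident): a share where one document
    has been replaced by random bytes standing in for ciphertext, and a backup with one damaged file."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        backup = Path(tmp) / "backup"
        for d in (share / "finance", backup / "finance"):
            d.mkdir(parents=True)
        # known-good content, as it looked before the incident
        share_doc = share / "finance" / "q1_report.txt"
        share_doc.write_text("Quarterly figures\n" * 2000)
        (share / "finance" / "budget.csv").write_text("dept,amount\nops,100\n" * 500)
        manifest = build_manifest(share)
        # backup copy taken from the clean state
        for rel in manifest:
            (backup / rel).write_bytes((share / rel).read_bytes())
        # simulate ransomware overwriting one document (random bytes stand in for ciphertext)
        (share / "finance" / "q1_report.txt.locked").write_bytes(os.urandom(SAMPLE_BYTES))
        share_doc.unlink()
        # simulate a bad backup: one file truncated
        (backup / "finance" / "budget.csv").write_text("dept,amount\n")
        return {"triage": triage_tree(share), "backup": verify_backup(backup, manifest)}


if __name__ == "__main__":
    print(demo())
```

Run the triage from a clean machine with the share mounted read-only, not from the suspect host, and keep the manifest with the off-site backup copy so that it is not on a drive the ransomware could reach. The entropy check is a first pass: it will also flag compressed archives and media, so look at extensions and file headers before concluding a file is encrypted, and never rely on a backup until the manifest check comes back clean.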
Ransomware is malicious software that infects machines so that the victim will pay for the decryption key to regain access to their files and data. Everyone is a potential victim, and as such we need to plan better so that we are NOT forced to reward this bad behavior by paying the ransom! What makes ransomware so effective is that it encrypts locally attached and mapped network drives. What makes it dangerous is that it is working: victims are paying to get their data back. If people stop paying, ransomware will be rendered ineffective, and the level of distribution, and therefore infection, will drop.

There will always be threats to our files and personal data. Our preparedness for these threats, and how we respond to them, is what matters most!
