Ransomware Survival - Part 2

WARNING: Due the seriousness of the material, stickers have been added to lighten the mood.

The phone rings on Saturday morning. Why, it’s Marvin from the office, and he sounds nervous. He reports that a computer has a ransomware message on the screen and unconfirmed reports of several more. You are hit with a 2 by 4 square across your overly confident security strategy. It is the nightmare you cannot wake from. You were enjoying your coffee. Your stomach sinks. All the precautions. All that training. All those expensive boxes. Now what?

“DON’T PANIC!” – Douglas Adams, Hitchhiker’s Guide to the Galaxy

Quarantine – I know, it’s the last word you want to hear now. Yet, the primary concerns are isolation and containment. This is the Zombie apocalypse in real life! Any infected device will encrypt all others on the network. To be safe, power off all computers, servers, and even network equipment that connects them, especially wireless Access Points and remote access! The sooner this can be done, the better your chances of saving devices.

Paper Bag Ready! – Remember, an attacker uses your victim status against you. They are sure the fear and shame will keep you quiet. “It can be our little secret” if you just pay the ransom. Ewww, I think I need a shower! Psychological victimization is part of the pressure, just like a sleazy used car salesperson. Breathe…in a bag, if necessary, but no rash decisions. Don’t be like the Atlanta city government, which spent $17 million to avoid paying a $52,000 ransom. Ransomware happens, and many cities have paid $300,000 or more.

Communicate – Next, inform management of the situation. You’d rather not admit to your pregnant wife that you ate all the chocolate in the house, but this is important! If your industry requires disclosure of incidents, management needs to tell people. File an insurance claim, call your attorney and contact your IT Security Provider. There is no shame in asking for help. You are probably not an attorney or cybersecurity expert. Let the experts do their jobs so you can get back to yours. 

Gag Order – If an email or other collaboration tools were disrupted, you may require temporary email addresses from a Cloud provider. Communication with clients, customers, vendors, employees, or those attempting to help is critical! Now would be a great time to alert everyone to reach you on a pre-planned secondary email or mobile. Did you print that paper list of emergency contacts? 

NDAs FIRST! – Force any new vendor, no matter how dire your situation, to sign a Non-Disclosure Agreement approved by your legal counsel. Don’t add the insult of having your dirty laundry aired to the injury of a ransomware victim. You can’t have support that will kiss and tell.

DO NOT TRY TO CLEAN THE SYSTEM YOURSELF! Expert IT staff have infected their home networks, customers, and partners by trying to tackle the problem like any other malware or virus. Once you connect a USB device, it, too, becomes encrypted and infected. If you are given a tool or update to install, write-blocked and read-only media should be used, as well as booting into secure partitions.

Test for Infection – Turn each computer on with no network connection. As mentioned previously, ensure ALL network connections are off or disconnected, including wired, wireless, Bluetooth, Near Field (NFC), and cellular. Besides the ransom note, you may notice screen icons are “broken.” Any infected computer, like that poor guy bit by a zombie, must be put down. Well, the hard drive was wiped and installed from scratch, not necessarily shot.

Word of advice – When recovering computers from any breach, malware, virus, or ransomware, you MUST completely wipe the drive. Do NOT reinstall over the existing drive hoping to regain access to your files because that alien egg will be waiting to latch onto your face. Some have even opted to completely replace the drive or computer. By all means, do NOT donate your infected computers. That’s just wrong!

Double Tap – The party isn’t over until all the Zombies are gone, and the chemical/nuclear waste/virus that turned them has been eradicated. In some cases, there is no way to know how it came in. Who is going to admit to wiping out all the organization’s data and single-handedly destroying all IT assets

And Then? – If insurance is involved, they will tell you what to do and when. They may decide to bring in a forensic team or negotiate with the hackers. Too many companies and municipalities have paid the ransom in the hopes of decrypting their files and going back to “normal.” However, there isn’t a Better Business Bureau to report hackers to if they take your money and run without releasing your files.

Did I Mention Backups? – This brings us back to the most important lesson, reiterated in Part 1. Always confirm your backups are running and can be properly restored. Best case scenario, you tell the hacker to pound sand while you wipe everything and start fresh from offsite backups. You lose hours, maybe days, of work and the disruption time, but you are back online without paying a ransom. 

The final part will look at moving forward after the attack.