When a company is hit by ransomware, it can be challenging to determine the best course of action. Reporting it to law enforcement may be necessary depending on the attack and legal requirements.
Once the infection is identified, isolating the affected device from the network and storage is critical. This can help prevent the spread of the malware and provide a safe location for recovery.
If you’ve been following a solid backup strategy, your company should have recent copies of its files, taken before the malware encrypted them, to recover from. Ideally, those backups will be immutable, so even if the malicious software manages to scramble a file in one of your backup copies, there won’t be any permanent data loss.
Once a ransomware infection is detected, it’s essential to act fast. The longer the malware remains in the network, the more files it will encrypt. If possible, disconnect the infected system from the internet, the local network, and all storage devices to contain the spread of the malware.
Using the built-in Windows feature “System Restore” can roll system files, registry settings, and installed programs back to a restore point created before the infection; it does not bring back user documents. This method will also not remove more advanced ransomware variants, so a complete wipe is safer.
Once the clean-up is complete, assess which data the ransomware managed to encrypt. This gives you a clear picture of the impact and helps you determine how it entered your network (e.g., a phishing email, an exposed or misconfigured port, vulnerable software, or an insider threat). You can also use this assessment to create a security improvement plan for your organization. Creating an incident response plan will prepare you to respond quickly and efficiently should another ransomware attack occur.
Restore from Backups
The best way to deal with ransomware is through a well-established backup and restore process. Backups used for ransomware recovery must be created regularly and ideally stored on a different device from the systems they protect (such as an external hard drive or remote/cloud storage). This prevents the ransomware from encrypting the backup copies or using them to spread the attack further.
When a backup is restored, the recovery team can examine the data in it for traces of the malware. This helps them determine which strain of ransomware struck and how to proceed.
Once a clean backup is restored, it’s essential that the infected computer stays disconnected. Ransomware can spread to other devices and computers in the network, so removing infected machines as soon as possible minimizes the damage. It’s also worth checking all directly connected and network-attached storage devices for infection: the ransomware can encrypt these and hide malware that could re-launch the attack later.
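As an added example (not code from the original article), the following Python script performs the impact assessment described above on a file tree such as a restored backup or a mounted share: it flags files with ransomware-style extensions or ciphertext-level entropy, and files whose names look like ransom notes. The indicator lists, the entropy threshold, and the sample tree are constructed for the demonstration.

```python
"""Post-incident impact assessment (added example, not the article's own tooling):
walk a restored backup or mounted share and flag encrypted-looking files and ransom notes."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed indicator lists for the demo; replace with the identified strain's.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
NOTE_NAME_MARKERS = ("DECRYPT", "RESTORE", "RANSOM")
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0
MIN_SIZE = 1024           # very small files give unreliable entropy estimates

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: ~8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def assess_tree(root: str) -> dict:
    """Classify every file under root as encrypted, a ransom note, or clean.
    Compressed formats (zip, jpg, docx) also score high on entropy, so treat
    entropy hits as leads to confirm by hand, not as proof."""
    report = {"encrypted": [], "notes": [], "clean": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(m in path.name.upper() for m in NOTE_NAME_MARKERS):
            report["notes"].append(rel)
            continue
        data = path.read_bytes()
        entropy_hit = len(data) >= MIN_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD
        if path.suffix in SUSPECT_EXTENSIONS or entropy_hit:
            report["encrypted"].append(rel)
        else:
            report["clean"].append(rel)
    return report

def build_sample_tree() -> str:
    """Construct a throwaway tree that mimics a partially encrypted share."""
    root = tempfile.mkdtemp(prefix="ransomware-assess-")
    os.makedirs(os.path.join(root, "finance"))
    Path(root, "finance", "q3.xlsx.locked").write_bytes(os.urandom(4096))
    Path(root, "finance", "notes.txt").write_text("quarterly figures\n" * 200)
    Path(root, "HOW_TO_DECRYPT_FILES.txt").write_text("pay to get your files back\n")
    Path(root, "archive.bin").write_bytes(os.urandom(2048))  # encrypted, extension kept
    return root
```

Calling assess_tree(build_sample_tree()) prints the three lists for the sample tree; pointing assess_tree at a real mount path produces the same report for the actual share.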
In addition to backing up data, IT specialists can use virtual machine backups to restore applications and data to a different device, such as a Windows server. This approach can be more time-consuming and labor-intensive than other strategies, but it fully recovers applications, hardware configuration, data, operating systems, networking configurations, security tools, monitoring software, and more.
Restore from a Restore Point
The surest way to confirm that malware or ransomware has been removed from a computer is a complete wipe and reinstall. This includes formatting the system’s hard disks to ensure no remnants are left behind. If you’ve enforced a robust backup policy, this will also ensure you have copies of all files up to the time of the attack.
If no backup exists, a tool designed to decrypt ransomware-encrypted files may help recover data without paying the ransom. Such tools are built by reverse-engineering the ransomware’s encryption routine and restore files to their original form. A decryptor exists only for some strains, so identify the strain first before relying on this route.
Once the recovery process is complete, perform a post-attack analysis of the incident to understand how and why the attack occurred so it cannot recur. Depending on your industry and legal requirements, you may be required to report the attack to the appropriate authorities. Regardless, this analysis is an important step in preventing similar attacks in the future. It is also crucial to isolate all infected systems from the network and shared storage to prevent the infection from spreading. Check all directly attached storage devices, including external drives, for malware; ransomware will encrypt any storage it can find and may hide malware that can re-launch an attack later.
Ransomware is a severe threat to all types of businesses, including those in the public sector. But the most significant risk falls on small, privately held companies with between 11 and 1,000 employees. According to Coveware’s recent report, they accounted for most attacks.
In many cases, recovering from an attack without paying the ransom is possible. However, several factors influence the time it takes to recover. Outside parties like cybersecurity insurance providers and law enforcement may need to be involved, which can slow the recovery process. Internal payment and approval procedures can also cause delays if they are not designed in advance.
Restoring backups is one of the fastest ways to recover from a ransomware attack. Backups should be created regularly on an immutable system that follows backup best practices, such as the 3-2-1 rule (three copies of the data, on two different media, with one copy kept off-site). Backups of the operating system and installed software will help speed up recovery times in cases where APT actors corrupted local systems.
But even with regularly created backups, it isn’t always possible to recover from a ransomware attack. When it’s not, the most reliable option is to completely wipe and reinstall the affected systems. This involves reformatting hard disks to ensure no remnants of the original malware remain. It is a big project, but it’s the surest way to remove ransomware.