On Monday morning, you log in to find all of your organization’s servers and workstations are infected with ransomware. What do you do? How do you handle ransomware recovery?
In an ideal world, your response is:
- Immediately activate your Incident Response (IR) plan (the one you’ve updated and practiced quarterly)
- Activate your IR team – using your planned notification tree
- Stop the spread by disconnecting every infected system from your network
- If the infection is widespread, you may even pull the plug on your connection to the outside world
At that point the real work begins. Simultaneously, you need to:
- Notify your executive team
- Forensically preserve all evidence – servers, workstations, network logs
- Get the network rebuilt, restored and ready for business as usual
- Remember to retrieve the backups (that you test at least once a week)
- If the backups are not viable, decide if you are going to contact and negotiate with your attacker
- Figure out how to buy cryptocurrency
- Implement multi-factor authentication
- Reset passwords domain-wide
- Update your helpdesk with the needed info
- Set up new VPNs
- Set up a logging server
- Identify and set up response tools
- Support users who are still able to work remotely
- Search the remaining uninfected systems for additional malware, like Emotet or Trickbot
- Find Patient Zero
- See if you have the decryption key from your attacker. If so, sandbox it, test it, and reverse engineer it to look for additional surprises like malware and trojans
- Decide if you are going to report the incident to law enforcement
- Discover if the attacker accessed or stole any of your data
- Bring in a cybersecurity attorney as well, to determine if this is also a data breach
Ransomware recovery seems impossible, doesn’t it? (Or did we lose you at IR team?) Who is going to do all this work, while you’re also fielding requests from management, users and more? How can you make sure everything is done efficiently? The fact is, when you’re hit with a cybersecurity incident, having a team of experts supporting you can make a huge difference. You may already know how to do most or all of the above (or have a team that does). Even if that is the case, during a cybersecurity incident there may not be “enough” of you to go around. Expert incident responders can also provide you with tools and techniques that can help you contain and eradicate attackers, so you can quickly get back to normal.
Experienced Ransomware Recovery Teams Make A Huge Difference
Regardless of your knowledge and skill, it’s highly unlikely that you’ve faced more than 1-2 severe incidents in a given year. An experienced, professional IR team handles major incidents daily. Routinely. They understand the ransomware recovery process, know what to look for, and how to, well, respond. Little surprises them anymore, and they are generally calm by nature. (Who wants to work with IR professionals who panic in a crisis?) They’ve talked to executives, criminals, attorneys, insurance companies, and so on. They can be your data breach guides and your IR team to get you through ransomware recovery. Don’t try to go it alone.
Focus Your Time Where it Makes the Biggest Impact
Your primary focus is on getting your organization back up and running as quickly as possible. As it should be. After all, as a ransomer once told me in the middle of a negotiation, “time=$$”. You know your network best, you know the workflows, the files, the structure – you know which files contain sensitive information and which need to be prioritized for recovery. Focus on that. Let the professionals worry about forensically preserving evidence, finding patient zero, negotiating ransoms, and testing decryptors. While evidence is being preserved, you may not be able to dig right in, but you can assist with ransomware recovery by getting access for your new IR team, purchasing hard drives to replace the encrypted drives, hunting down backups and so on, so that you’re ready to go when your system is clean.
Ransom Negotiation is a Specialized Skill
“But I have thousands of computers infected!”
“I’m just a high school girl. This is my homework. It’s not valuable to anyone but me.”
Those are a couple of communications I’ve seen from inexperienced individuals who initially try to negotiate their own ransom. Ransomers love to hear the first one – knowing you have thousands of computers means you’re likely willing to pay more. Ransomers never believe the second one. They’ve heard it all, they don’t believe you, and even if they did, they don’t care. Playing to an attacker’s sympathies does not work – if they had a heart, they’d be in another line of work.
Cybersecurity professionals have special skillsets. IR specialists even more so. Take advantage of that. An experienced IR professional has very likely negotiated for decryption keys when no other means of recovery are available. Rather than contacting the attacker on your own, let an expert handle it. Since this is part of a normal ransomware recovery “routine”, they will know how and when to press for lower ransoms, how to purchase the cryptocurrency, and how to engage with the attacker in a way that makes a positive outcome more likely. The last thing you want to do is make a critical mistake when someone is holding all your data hostage. (To learn more, watch our ransomware negotiation video.)
It’s Not Just Ransomware
In one particular case, the victim reached out to the ransomer and was told the cost would be $300,000. The victim responded saying, “We can’t afford that.” To which the ransomer responded, “Not according to your latest financial reports.”
That statement is a red flag. The attackers not only locked up your data, they accessed it – and possibly stole it. Maybe they are still reviewing your data. Most ransomware infections are more than “just” ransomware. In most incidents, attackers have been in your systems for weeks, if not months. They’ve been busy reviewing files, helping themselves to data, and leaving behind data collection trojans (aka banking trojans) that collect usernames, passwords, banking credentials, account numbers, and so on, and pass them along to the attackers.
Professionals know what to look for, as well as the appropriate steps for completely and safely eradicating a variety of malware strains from your systems. Finding “Patient Zero” and additional infections is necessary for a complete ransomware recovery – and to avoid re-infection.
Incident Response Tools
Responding to and investigating incidents requires not only special skills, but special tools. During ransomware recovery, an IR team will use tools to actively threat hunt on your network looking for active connections or additional malware. Special software allows them to monitor your network throughout the ransomware recovery process.
If you do find yourself “purchasing” a decryptor, teams have labs where they can “sandbox” it to ensure that it works without damaging your files or leaving additional malware behind.
Once all of the evidence has been gathered, analysis tools and parsers allow the team to quickly find unauthorized logins, data access and exfiltration, and lateral movement. While analysis is ongoing, you can focus on recovery. They’ll provide explanations of everything they find, and a written report for legal counsel.
Hope for the Best, Plan for the Worst
Incidents happen – but you don’t have to face them alone. Your ransomware recovery will be quicker and easier with an experienced team supporting you every step of the way. To learn about ransomware prevention, watch our on-demand webinar. If you want to be proactively prepared for a data breach, contact us to find out about our incident response retainer, which has zero upfront costs, zero monthly fees, and no annual charges. You pay only if you need help – and with the paperwork done in advance, the incident response team can get started faster and get you back to normal sooner.