Steps to Follow When Hit by Ransomware

We’re all familiar with the regularity and severity of ransomware attacks. Most of us are also fully cognizant of the consequences of such cyberattacks. But, many still do not know exactly what to do when hit by a ransomware attack to remedy their PCs and computer networks of this most egregious form of cyberattack. This is why we’ve provided some crucial information, both on how to better prevent ransomware attacks, and how to limit the damage of such violations.

Since this post is primarily addressing what to do once ransomware has struck, we will list those steps to follow in the wake of such an attack first, and follow it up by giving you things to boost your ransomware preparedness level.

1. You’ve determined that for sure you’ve (or your network has) suffered a ransomware attack. The clock is ticking on you to mitigate the damage. You’ll want to determine how many computers on your network have been infected, and isolate them from the rest of the network. Temporarily lock-down network sharing of multiple drives and check file servers to see how far the damage has spread. Look for files with newly-encrypted file extensions like .cry, .zepto, or .locky (or any out-of-the-ordinary file extension name) to know how many files, servers, and drives have been affected.
2. Find out who “patient zero” is (first one to report the infection) to possibly determine the source of the attack. Examine the properties of one of the infected files to see who is listed as the owner. This will at least allow you to know who was the original end-user target, or person who clicked on the ransomware link. Spiceworks has a nice thread on this ransomware-mitigation step, and mentions, among other things, taking infected servers offline and right-clicking on one of the infected files, going to Properties, and seeing who is listed as the encrypted file’s owner.
3. Get all impacted users off the network while you implement damage control. Now’s the time to get all of those users who are reporting trouble opening files, weird file names, etc. off of network sharing and isolated. This is usually the time when you determine the cause of the infection, and subsequently send out alerts with uninfected users to be on the lookout for whatever type of ransomware file encryption you’ve discovered. If there are other users or persons who need to know about the attack, now is the time to tell them as well.
4. If you can get to patient zero and mitigate the ransomware before it spreads, do it. Ransomware infections can lock files down on one PC completely within a few minutes, and spread to the entire network not long after that. If you have fast-reacting and reporting users, you can get to the end-user’s terminal and take actions that neutralize the attack.
5. Download and deploy one of the free decryption tools, if there is one available for your ransomware strain. If no free decryption tool is available for your variant, then your only other option is restoring your files from backup.

The Best Defense is Prevention

Businesses can often avoid ransomware demands by taking preventive measures. For example, companies have greatly benefited from employee training and tutorials designed to help them identify hazardous email attachments, harmful websites, phishing and even ransomware-delivery attempts.

Implement education and awareness in the workplace. It is a proven fact that a better educated and aware individual or office staff will be far less likely to click on questionable links such as those embedded in email phishing schemes. Having strong cybersecurity policies in the workplace will greatly reduce the chances of a ransomware attack.

Engage in frequent backups. Frequently backing-up your data is the best way to avoid ransomware and cryptoworm attacks. If you have solid enough backup measures in place, you can successfully ignore ransomware demands and encryptions. Always have offline backups in place, i.e. those that aren’t attached to PCs or networks. Viruses can even attack data that’s backed-up using cloud servers, so store at least one complete backup of your entire data network in a completely network-disconnected machine or device.

And here is some sage advice on preventing ransomware, courtesy of KirkHamSystems.com:

“Remember to remove unnecessary programs and update software whenever possible. Applications like Web browsers, PDF viewers, and video players frequently contain defects that make them vulnerable to these infections. Although hackers usually find more flaws to exploit, the latest updates can patch known security holes and minimize risks.

A network administrator should only permit each staff member to access the computers, drives, and directories that he or she truly needs to use. This will limit the ability of cryptoworms to spread throughout the network and infect every file. It also protects servers from any “rogue” employees.”

Get Professional IT Help for Ransomware

Many IT companies now offer a variety of free decryptor tools, and also know of tricks to neutralize and delete certain ransomware strains. If you need expert help with cyberattack prevention and cyber safety awareness and security, Raleigh IT Support Company and IT Services Provider | CSP Inc. is a proven leader in providing IT consulting and cybersecurity in Raleigh. Contact one of our friendly IT staff at (919) 424-2000 or send us an email at info@cspinc.com today, and we can help you with all of your cyber safety, defense, and security questions or needs.