What your firm should do after being hit by ransomware.
Welcome to Cyber Security Today. It’s Monday October 26th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. To hear the podcast click on the play arrow.
Your firm has been hit by ransomware. It may be a standard attack, with your files encrypted and the attackers demanding money for the decryption key, but your backups may also have been infected, or restoration may have failed. Or it may be one of the newer gangs that tries to make sure you can’t get around the encryption by restoring from backup, so they copy some of your data in addition to scrambling it. Then they threaten to embarrass your firm by releasing the data unless you pay for the decryption key.
What do you do? At last week’s SecTor virtual conference Julian Pileggi, a technical manager of incident response at security firm Mandiant, answered that question. Here’s a summary of what he said:
First, managers shouldn’t panic. That will likely lead to staff doing something they shouldn’t.
Second, while you should disconnect the IT network from the Internet so the attackers can’t use it for communications, don’t disable the internal network. Do that and IT staff can’t investigate. If you’re sure it’s safe, a couple of IT staff might be allowed remote access to your IT systems with their computers to help repair or restore the system — if those PCs have multifactor authentication for safe login. Many organizations keep a spare computer or two that’s not online all the time but is kept up to date with security patches for just this reason.
Third, IT staff should collect information on the ransom note and the encrypted file extensions. That information can be used to search the Internet from a safe computer to learn what type of ransomware you’ve been hit with. That may help with remediation. Some strains of ransomware have been cracked by security companies, and the free decryption keys can be used by skilled IT staff or consultants.
Don’t contact the hackers until getting advice from your company’s lawyer.
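As an added illustration of the third step (this is example code, not something from the podcast or from Mandiant), the following read-only helper walks a file tree, tallies the file extensions it finds and reports files that look like ransom notes, so the strain can be researched from a safe machine. The name hints, size limit and the sample tree it builds are assumptions made for the example.

```python
# Added example (not from the podcast): a read-only triage helper for step three.
# It inventories a tree to collect the extension the attackers appended and any
# dropped ransom notes. It never writes to, moves or deletes anything it scans.
import hashlib
import os
import tempfile
from collections import Counter, defaultdict

NOTE_HINTS = ("decrypt", "readme", "restore", "recover")  # assumed name hints


def triage_tree(root):
    """Return (ext_counts, notes): a Counter of lower-cased file suffixes and a
    list of (sha256, copies, example_path) for small, name-hinted files whose
    identical content appears in more than one directory (notes are dropped
    per folder, so a one-off README is not reported)."""
    ext_counts, by_hash = Counter(), defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext_counts[os.path.splitext(name)[1].lower()] += 1
            if not any(h in name.lower() for h in NOTE_HINTS):
                continue
            try:
                if os.path.getsize(path) > 64 * 1024:  # notes are small text
                    continue
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            by_hash[digest].append(path)
    notes = [(h, len(p), p[0]) for h, p in by_hash.items()
             if len({os.path.dirname(x) for x in p}) > 1]
    return ext_counts, notes


def build_sample_tree():
    """Construct a throwaway tree that mimics a hit file share (sample data)."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    for sub in ("finance", "hr", "shared"):
        d = os.path.join(root, sub)
        os.makedirs(d)
        for i in range(3):  # three "encrypted" documents per folder
            with open(os.path.join(d, f"report{i}.xlsx.locked"), "wb") as fh:
                fh.write(b"\x00" * 32)
        with open(os.path.join(d, "HOW_TO_DECRYPT.txt"), "w") as fh:
            fh.write("constructed ransom note text\n")
    with open(os.path.join(root, "readme_project.txt"), "w") as fh:
        fh.write("unrelated single readme\n")  # appears once: not a note
    return root
```

Run `triage_tree` against a mounted copy or a share path, not the live host, and record the most common extension and the note hash alongside the note text for the lookup.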
Fourth, preserve and protect your backups, if they’re available and unencrypted. If you’re lucky and backups aren’t encrypted, you can prepare to use them. Remember, as soon as the incident is detected, stop your normal backup processes to make sure they don’t become infected.
Fifth, block IT system-to-system communications at the network level. This stops the spread of the ransomware from computer to computer.
Don’t destroy evidence or wipe compromised systems. Make a copy if necessary — and if you’re sure it isn’t infected. Remember, your forensics team, insurers or the police — if they’re brought in — want to see systems in their original state.
Finally, resist the urge to turn computers and servers off. Power down only systems you’re sure haven’t been encrypted yet. Nothing will be gained by turning a system off. In fact, it will cause problems if it is infected and you turn it back on.
For example, Pileggi said, a company hit with ransomware pulled the plug on everything and changed network interface cards. However, this particular strain of ransomware had replaced a Windows service with itself. As a result, when staff turned systems back on, 10 per cent of the computers couldn’t boot. And the other systems couldn’t make any network connections.
The only solution was to rebuild the network. A recovery that could have taken a few days ended up taking 12 weeks.
One other thing: if your firm decides to negotiate with the attackers to pay for a decryption key, they may not honour a promise to destroy any data they’ve copied. Pileggi knows of at least one case where the attackers ‘forgot’ to return 20 gigabytes of the 100 gigabytes stolen.
All this shows the importance of having — and practicing — an incident response plan.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.