Your Organization Is Infected–Now What?
These 10 tips from two renowned cyber-security pros offer help after your organization is hit with ransomware.
Immediately disconnect the infected computer from any network. Turn off all wireless capabilities (Wi-Fi or Bluetooth). Unplug storage devices, such as USB or external hard drives. Do not erase anything or clean up any files, and do not run an antivirus clean-up.
To determine the extent of file infrastructure compromise, ask whether the infected machine had access to shared drives or folders, network storage, external hard drives, USB memory sticks, or cloud-based storage (Dropbox, Google Drive, Microsoft OneDrive/SkyDrive, etc.).
Check for a list of encrypted files that the ransomware may have created (for example, in the registry). There are tools specifically made to list encrypted files.
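An added example, not from the original article, of the kind of encrypted-file listing tool the tip refers to: a read-only Python scan that flags files whose leading bytes are near-random, run over a constructed sample directory. The entropy threshold and the list of compressed-format magic numbers are assumptions, and the scan never modifies or deletes anything.

```python
"""Triage helper: list files under a directory that look ransomware-encrypted."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
# Assumed threshold: ransomware output is near uniformly random (close to 8 bits
# per byte); plaintext and office documents score well below. Compressed formats
# also score high, so known compressed magic numbers are excluded (assumed list).
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 64 * 1024
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"\x1f\x8b", b"%PDF")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 means uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: Path) -> bool:
    """True when the leading bytes are near-random and carry no compressed magic."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(COMPRESSED_MAGIC):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD

def find_encrypted_files(root: str) -> list:
    """Walk root read-only; return sorted paths of files that look encrypted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if looks_encrypted(p):
                    hits.append(str(p))
            except OSError:
                continue  # unreadable: skip it, never modify or delete anything
    return sorted(hits)

def demo() -> list:
    """Constructed sample: one plaintext document and one random 'encrypted' blob."""
    root = Path(tempfile.mkdtemp())
    (root / "report.txt").write_bytes(b"Quarterly figures\n" * 400)
    (root / "report.txt.locked").write_bytes(os.urandom(16 * 1024))
    return [Path(h).name for h in find_encrypted_files(str(root))]

if __name__ == "__main__":
    print(demo())
```

Point find_encrypted_files at a mounted image of the affected share to inventory what was touched before deciding on restore or decryption.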
You must know which ransomware you’re dealing with. Each follows the same basic pattern: encrypting your files and then demanding payment by a deadline. However, knowing the specific version will help you make more informed decisions.
You have four options, from best to worst: restore from a recent backup; decrypt the files using a third-party decryptor; do nothing and lose your data; or negotiate and pay the ransom.
Secure your main layers of defense. Think of your network as a series of layers. The outermost layer is the user. Secondary and tertiary layers (firewalls and antivirus) kick in after a user has clicked or visited a malicious link. Software alone is not a catchall: train users to prevent such attacks.
Hackers and malware creators constantly change the ways they trick users. Users need training on the basics of IT and email security and an awareness of attackers’ changing tactics.
Simulate phishing attacks so your IT group learns who is vulnerable, and train those users to avoid potential harm. When staff know the organization is phishing them, they’ll pay extra attention to what’s coming through their inboxes.
Software-based protection is vital. By isolating directories with a software restriction policy, so that executables cannot run from them, you can cut down on your susceptibility to infection. You can also reduce the chance of ransomware infection by using specialized software that scans for this type of threat.
Regularly back up your files and use a regularly tested restore procedure. With all the onsite and cloud-based backups, there’s no excuse for not regularly backing up. Always have an offsite or redundant backup in place.