Ransomware Response Tips

To download this tip sheet as a PDF, click here: Ransomware Response Tips

Have You Been Hit with Ransomware?

Here’s What to Do Next

• Don’t panic.
• Assess the situation. Identify affected systems as quickly as possible and make a list.
• Quarantine affected systems if at all possible, to prevent the ransomware from spreading. If the computer is already encrypted, unplug it from the network and keep the power on. It may be possible for examiners to recover the key from memory if you keep it plugged in. If the ransomware is actively encrypting files but has not fully encrypted everything, the best course of action is typically to unplug the computer and remove battery backup. This will preserve any files that have not yet been encrypted. For Virtual Machines: take snapshots while running, then suspend the VM.
• Reset passwords for all cloud accounts and local domain services as quickly as possible.
• Check your backups and evaluate what data may be recoverable, and what has not been backed up. Determine the most recent viable backup date and time.
• Make sure you have an offline backup. If your backups are online, take them offline and make a copy immediately, to minimize the risk that they could be overwritten by ransomware (this happens frequently).
• Preserve evidence, including network logs, SIEM logs, antivirus alerts, IDS/IPS, malware and any other data that can help you identify the source of the compromise, determine precisely which systems are affected, and figure out what the attackers did while they were in your network. Make sure to save a copy of the malware itself. Often, logs are automatically deleted from systems after a certain amount of time, so it’s important to export this evidence quickly and save it offline.
• Proactively check for any other signs of suspicious activity, in order to identify any other infected systems.
• Do not respond to the criminals. Call a professional ransom negotiator for assistance.
• Activate your existing crisis management, disaster recovery or business continuity plans as needed. Be sure to address communications needs, as well as technical needs.
• Document, document, document. Write down details about what happened, including suspicious activity, and make sure to keep a record of all actions taken in response. In a ransomware case, things move quickly, and the triage stages can seem like a blur later. Having a written record will help you later on in your recovery process.
• Check your insurance coverage. You may have coverage for ransom payments, incident response services, public relations support, or other relevant services.
• Notify your insurer, if appropriate. In many cases, insurance will only cover ransom payments or support services if the insurer has been notified in accordance with your policy.
• Contact an experienced cyber attorney. Ransomware may trigger state or federal breach notification requirements. Ensure that you are meeting your obligations by involving a qualified attorney right away.
• Be aware that all of your written communications, including emails and text messages, may ultimately be discoverable if a lawsuit occurs.
• Use video, phone and in-person communication methods whenever practical. Attackers often monitor victims’ email.
• Communicate proactively – and carefully. When ransomware strikes, employees and other impacted parties often have questions and need guidance on what to share with others. Leverage an experienced public relations team whenever possible.

Common Questions at This Phase

• How did the attackers get in? You want to know this so that you can ensure that your environment is secure going forward.
• Are the attackers still in our environment?
• Did the attackers view or take any data? If so, precisely what data was at risk?

Your Next Steps

During the next days and weeks, you will need to clean the ransomware out of your network, restore your data, and resume operations. You should:

• Recover From Backups: If you have intact backups, you may be able to restore your data and remove the need to purchase a decryptor or attempt to bypass encryption. Consider calling a ransomware expert to assist with decryption and guide you through the ransomware recovery process.
• Assess Decryption Options: If you cannot restore all of your data from backups, you have two options: check for an available decryptor, or negotiate and pay the ransom.
  • Check for an Available Decryptor: Many ransomware strains have publicly available decryptors. Always use trusted sources, and beware fake decryptors that contain malware. If the decryptor for your strain is not available, you may be able to work with law enforcement or other parties to find a privately available decryptor.
  • Negotiate and Pay the Ransom: It is wise to involve an experienced ransom negotiator at this stage.
    • Proof of Life. Before paying any ransom, you should request “proof of life”—in other words, make sure that the criminal is capable of decrypting your files.
    • Payment. Typically the criminals will require payment in cryptocurrency. You can engage a ransom payment firm to handle payment logistics for you.
• Testing: If the criminals provide decryption utilities, it’s important to carefully check their software for additional malware in a laboratory environment.
• Restoration: The process of decrypting data can take days or weeks. The precise amount of time that it takes depends on the volume of data and the encryption methods used by the criminals. Once your data is decrypted, make sure to scan for malware prior to restoration in a production environment.

Remember that you are not alone. Ransomware is a challenge for every affected organization. If you need help planning for ransomware or conducting a tabletop exercise, please contact us, we can help.