There’s a lot of information on how to stop ransomware attacks. Ransomware is one of the most common forms of cyberattacks. Businesses, individual’s personal computers as well as critical systems are attacked and knocked out every year. The economic damage is unprecedented, and the personal damage is horrifying. It isn’t just the lost data or the hours lost to recovering. There is also a sense of dread that hits you when you learn that you’ve been hit by a ransomware attack.
Of course, stopping these attacks from happening in the first place is the best-case scenario. However, what if you weren’t or aren’t able to stop ransomware attacks from occurring? What are the steps you should be taking during the attack? That is the information we will be discussing here.
Steps to Take During Ransomware Attack
Evaluate and Recognize that an Attack is Underway.
The encryption or ‘locking’ phase of a ransomware attack takes a long time. This gives you a window of opportunity to mitigate the extent of the damage – if you recognize that you are under attack.
The slowness of the locking phase is because encrypting your files is a CPU-intensive operation. As a result, you may notice that your computer is slower than normal. Examining the CPU load in task manager will reveal a constant load, rather than the peaks and valleys that are typical of personal computer use.
One of the most common signs of a ransomware attack is the appearance of files with weird extensions. If you notice unusual files or the appearance of new files in folder locations where you are and are not working, then it is possible that you are under attack.
Examples of Past Ransomware Extensions:
ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky or 6-7 length extension consisting of random characters
Kill or Stop Ransomware Access to Your Files
Now, if you suspect that you are under attack then it is important to curtail access to your data and to isolate access as much as possible. Unplug any USB drives. It’s very important that you immediately isolate the infected machine from the network. Turn off wifi and/or unplug the Ethernet cable. Some ransomware also needs to call back home in order to get unique encryption keys or other instructions. Cutting off the network connection also stops that from happening. Removing network access also helps to keep it from spreading to other systems..
If you’re lucky the ransomware hasn’t jumped across to network share drives or other computers yet. This single action, if timely, can mitigate the extent of the infection and keep remediation focused on the single system that was isolated. Turn the system off and look for an offline malware scanner to clean the system.
If you are hit by ransomware, try to find out the name of the malware. Older versions of ransomware used to be less advanced, so if it is an earlier version, you may be able to restore the locked files by downloading one of the repair tools.
Determine the Scope of the Infection
Examine other connected systems for the same patterns, irregular CPU load, slower performance, and appearance of strange file extensions. It would also be a good practice to scan all suspected systems with an updated malware tool.
At this point, you need to determine exactly how much of your file infrastructure is compromised or encrypted. Did the first infected machine have access to any of the following:
- Shared or unshared drives or folders
- Network storage of any kind
- External hard drives
- USB memory sticks with valuable files
- Cloud-based storage (DropBox, Google Drive, Microsoft OneDrive/etc…)
Inventory the above and check them for signs of encryption. This is important for several reasons: First, in the case of cloud storage devices such as DropBox or Google Drive, you may be able to revert to recent, unencrypted versions of your files. Second, if you have a backup system in place you will need to know which files are backed up and which files need to be restored versus what may not be backed up. Lastly, if you end up being forced to pay the ransom, you will need to reconnect these drives to allow the ransomware to decrypt them!
Another way to determine the scope of the infection is to check for a registry or file listing that has been created by the ransomware, listing all the files it has encrypted. You see, the ransomware needs to know which files it encrypted. That way, if you pay the ransom, the software will know which files it needs to decrypt. Often this will be a file in your registry. Since every strain of ransomware is different, you should do a bit of googling to determine the version of ransomware you have been hit with and do your research based on the right version of the ransomware. Lastly, there are tools available that list out encrypted files on your system.”
Notify the Authorities
It’s important to notify the authorities if they can fully investigate the incident and help prevent other companies from suffering the same fate. The FBI strongly recommends reporting ransomware attacks, but many still go unreported. Reporting the incident to law enforcement may help you and other healthcare organizations avoid these attacks in the future. Plus, if law enforcement is able to locate your specific attacker, there is a higher chance your files can be decrypted and released without cost.
Finally, the most important thing you should know is that under no circumstances should the attackers get your money. Few attackers have been known to give you the key to recover your files after payment. Most, however, never respond after having received the ransom. Of the ones that do, rare is the case of full recovery. One of the biggest ways we can stop ransomware attacks from occurring is to stop paying the ransom. When businesses pay attackers, they leave set themselves up for future attacks. Actually paying ransomware attackers means they’ll keep doing it. In addition, the latest ransomware trends include legal consequences from paying attackers the ransom.
Ransomware attack causes many problems for organizations, and it is important to understand the steps you should take if your prevention methods don’t stop an attack.