The following is an excerpt from the Ransomware Survival Guide, our free handbook on preventing, managing and recovering from ransomware threats at every stage of the attack chain. This blog post provides general tips—it is not a substitute for professional cybersecurity and incident response services.
The best ransomware strategy is to avoid it in the first place. But increasingly advanced attacks against the software supply chain and end users have shown that even the best-prepared companies can be caught out. Ransomware may not even be the first malware payload to infect your system, because many ransomware gangs now prefer to buy access to targets already infected with Trojans or loader malware.
During an attack, you have short-term problems to resolve, like getting computers, phones and networks back online and dealing with ransom demands.
But a panicked response won’t help—and may make things worse. Here are some general steps you can take to contain the threat and start on the road to recovery.
Questions to answer during a ransomware attack
Before you react to an attack, it’s important to take a step back and ask questions that will inform your response. Your answers should help network administrators scope the problem, devise an action plan and possibly curtail the spread.
- Who in your environment is compromised? How widespread are the infections? Is a threat actor actively scouting your environment, exfiltrating data or ready to drop ransomware on other devices?
- What network permissions do compromised accounts or devices have? Ransomware may have been installed only after attackers had already moved laterally within the network or stolen credentials and other data.
- What type of attack is it? Is this attack a secondary infection? Did it come from downloaders, remote access Trojans (RATs) or other malware installed on the infected machine or others on the network?
Keep in mind that ransomware spreads quickly and is often a byproduct of other threats. If you see one infection, there are probably others that you don’t see. Proactively look for other issues within your environment.
As you take action, there are three general steps to follow:
Step 1: Isolate infected systems
The moment employees see the ransom demand or notice something odd, such as suddenly losing access to their own files, they should disconnect the machine from the network (unplug the cable or turn off Wi-Fi), leave it powered on, and take it to the IT department.
To prepare for this scenario, we recommend that you keep valuable data and systems separated so that a security issue on one system doesn't affect other systems. For example, your sensitive research or business data should not reside on the same server and network segment as your email environment.
We advise against having employees reboot their systems. A reboot destroys evidence held in memory and can allow a persistence mechanism to resume encrypting on startup. Only the IT security team should attempt a reboot, and then only once it has determined that the infection is "scareware," or fake ransomware, which is the one case a reboot and a malware scan are likely to clear.
"Scareware" is malware that appears to be ransomware but isn't. It may lock the user's screen with a ransom demand and payment instructions, but the data is not actually encrypted. In those scenarios, standard anti-malware tools can help.
Knowing the difference isn't always easy. Determine the scope of the problem using threat intelligence and external incident responders or forensic analysts when necessary. While all ransomware is bad, some attacks are worse than others. Your response—including whether to pay the ransom—hinges on several factors.
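One concrete way to work through the scoping questions above and the scareware-versus-real-encryption distinction is to check whether files have actually been encrypted. The following Python script is an added example, not code from the Ransomware Survival Guide or from Proofpoint: it walks a directory tree (for instance a file share mounted read-only on a clean analysis host), flags files whose contents have the near-random byte distribution characteristic of encrypted data, and flags filenames that look like ransom notes. The note-name fragments, the entropy threshold, the list of formats that are dense by design and the sample files it builds are all assumptions chosen for illustration; real families use different note names and some encrypt files only partially, so treat the output as a triage signal that helps scope the incident, not as a final verdict.

```python
"""Added triage example (not from the Ransomware Survival Guide).
Scans a tree for (a) files that look encrypted, judged by Shannon entropy
of the file head, and (b) filenames that look like ransom notes, then
returns a rough verdict: real encryption, scareware, or nothing found."""

import math
import os
import tempfile
from collections import Counter

# Hypothetical filename fragments typical of ransom notes; real families differ.
NOTE_HINTS = ("decrypt", "restore", "recover", "ransom", "how_to", "howto", "how-to")
NOTE_EXTS = {".txt", ".html", ".hta"}
# Formats that are compressed or encrypted by design and so always look random.
NATURALLY_DENSE = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4",
                   ".pdf", ".docx", ".xlsx", ".pptx"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; plain documents sit well below this (assumed)
SAMPLE_BYTES = 65536      # only the head is read, so large shares scan quickly
MIN_SIZE = 256            # tiny files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """True if the file head is large enough to judge and near-random."""
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    return len(head) >= MIN_SIZE and shannon_entropy(head) >= ENTROPY_THRESHOLD


def looks_like_ransom_note(path: str) -> bool:
    """Name-based heuristic: a text-like file whose stem carries a note hint."""
    stem, ext = os.path.splitext(os.path.basename(path).lower())
    return ext in NOTE_EXTS and any(h in stem for h in NOTE_HINTS)


def triage(root: str) -> dict:
    """Walk root and collect files that look encrypted or like ransom notes."""
    result = {"total": 0, "encrypted": [], "notes": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            result["total"] += 1
            if looks_like_ransom_note(path):
                result["notes"].append(path)
                continue
            if os.path.splitext(name)[1].lower() in NATURALLY_DENSE:
                continue  # would always read as high entropy; not evidence
            try:
                if looks_encrypted(path):
                    result["encrypted"].append(path)
            except OSError:
                pass  # unreadable file: skip it, but do not abort the scan
    return result


def verdict(result: dict) -> str:
    """A note with no encrypted files points at a lock screen / scareware."""
    if result["encrypted"]:
        return (f"real encryption suspected: {len(result['encrypted'])} of "
                f"{result['total']} files look encrypted")
    if result["notes"]:
        return "scareware suspected: ransom note found but sampled files are readable"
    return "no ransomware indicators found"


def build_sample_tree(root: str) -> None:
    """Constructed sample data for the demo: a plain document, a random-byte
    file standing in for an encrypted spreadsheet, a JPEG-named random file
    that must be ignored, a file too small to judge, and a ransom note."""
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, "finance", "memo.txt"), "w") as f:
        f.write("Quarterly numbers are attached.\n" * 200)
    with open(os.path.join(root, "finance", "budget.xlsx.locked"), "wb") as f:
        f.write(os.urandom(8192))
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(os.urandom(8192))
    with open(os.path.join(root, "tiny.txt"), "w") as f:
        f.write("ok")
    with open(os.path.join(root, "HOW_TO_RECOVER_FILES.txt"), "w") as f:
        f.write("Your files are encrypted. Pay to get them back.\n")


def run_demo() -> dict:
    """Build the constructed tree in a temp dir, triage it, return a summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        res = triage(root)
        return {
            "total": res["total"],
            "encrypted": sorted(os.path.basename(p) for p in res["encrypted"]),
            "notes": sorted(os.path.basename(p) for p in res["notes"]),
            "verdict": verdict(res),
        }


if __name__ == "__main__":
    print(run_demo())
```

Run it against a copy or a read-only mount of the share rather than the live infected host, and compare the count of flagged files with the number the attacker claims to have encrypted; a large mismatch, in either direction, is itself useful scoping information. Because only the first 64 KiB of each file is read, the scan is cheap enough to repeat across segments while you work out how far the infection has spread.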
Step 2: Call law enforcement
Ransomware—like other forms of theft and extortion—is a crime. Nobody has the right to seize devices, networks or data—let alone demand a ransom in exchange for them. Notifying the proper authorities is an essential early step.
Contact local or federal law enforcement right away. Special departments exist specifically to aid cyber crime victims, so do not be afraid to pick up your phone and call them. They are there to help you and may have access to decryption keys or information on payment recovery after the fact.
You should also contact your cyber insurance provider to see if you have ransomware coverage and under what conditions. They can help you coordinate your incident response and investigation.
Step 3: Deploy your response plan
Depending on network configuration, containing the spread to a single workstation might be possible.
- Best case scenario: The infected machine is swapped out for a clean one and a restore from backup is completed.
- Worst case: Every network machine is infected. This will require a cost-benefit calculation that weighs the time and resources needed to restore the data versus simply paying the ransom.
If the ransomware has already reached your servers, isolate affected systems—that’s where your network segmentation efforts can help contain the threat.
A big part of your response is deciding whether to pay the ransom. The answer is complicated and may require you to consult law enforcement and your legal counsel. For some victims, paying may be unavoidable.
Factors to consider when deciding whether to pay the ransom
Ransomware is bad enough in itself. But one of its especially loathsome aspects is that it forces victims to make a necessary but morally problematic choice. When you’re under the gun of a ransomware threat, you don’t often have the luxury of time to carefully weigh the moral nuances of paying up. The attack is here—now.
Paying up isn’t just a repugnant but necessary evil. It actively funds the attacker who has just broken into your network and stolen your data. It marks you as someone with a vulnerable network and incentive to pay. And it may even carry legal and regulatory implications.
But recent attacks highlight an uncomfortable fact: there isn’t always a clear-cut answer on whether to pay.
As we’ve seen in recent shifts toward extortion as a secondary attack tactic, there’s no guarantee that your sensitive information will be returned or kept private. Many organizations have paid a ransom only to discover their data permanently corrupted. The U.S. Department of the Treasury also reminds American citizens and businesses that paying a ransom could involve violating sanctions or other financial regulations. Other countries are considering even stronger incentives and even legal prohibitions against paying ransoms.
Here are some factors to consider when choosing the best course of action:
- Time and resources to get back online
- Safety of customers and employees
- Responsibilities to shareholders to keep the business up and running
- What criminal activity the payment will potentially fund
- Any regulatory liability that might ensue from providing money to a sanctioned individual or state
As with most complicated questions, no two organizations will answer them in the same way.
Don’t count on free ransomware decryption tools. Some security vendors offer free ransomware decryption programs. In some cases, they can help you to retrieve your data without paying the ransom. But most work for only a single strain of ransomware or even a single attack campaign. As attackers update their ransomware, the free tools fall out of date and likely won’t work for your strain of ransomware.
You may get lucky with a free decryption tool. Just don’t make it part of your incident response plan.
As long as cyber criminals can find a way to make money from it, ransomware will exist in one form or another. The easiest way to combat ransomware is to stop it at the gates.
That requires cyber defenses built to stop today’s threats at every step of the attack chain. To learn more about ransomware and how Proofpoint can help, download a full copy of our Ransomware Survival Guide.