Ransomware attacks have taken the enterprise world by storm in the past few years. SMBs and high-profile corporations are on the receiving end of destructive cyber-raids orchestrated by the operators of REvil, Ryuk, Clop, Maze, SunCrypt, and a handful of other notorious strains.
With prosperous businesses in the crosshairs of these crooks, the ultimatums have become truly shocking. In March 2021, multinational electronics maker Acer found itself faced with a $50-million ransom demand. Malefactors have learned to obscure the money trail and get away with their crimes even after receiving huge payouts from victims.
Now, imagine the following scenario: you discover that one of your servers is acting up, access the admin dashboard to find out what happened, and see a scary alert that says, “All your data has been encrypted!”
When hit by ransomware, most users and system admins try to sort things out on their own. They reboot the contaminated machine, terminate suspicious processes, try to eradicate the harmful program, and look for free decryption tools on the Internet. If the ransom is affordable, some victims choose to pay for data recovery.
However, this course of action might be risky business. Instead, it is recommended to stick with the following workflow:
Extortionists often target specific employees through spear-phishing attacks and then exploit the infected devices to extend their reach inside the network. Therefore, the targeted user plays a critical role in limiting the damage. Here is a summary of the actions that the affected employee should take immediately:
It is worth emphasizing that the organization’s security experts should maintain positive, non-threatening communication with the user who may have never encountered a predicament like this before. Otherwise, the employee may get confused and provide inaccurate answers, which will hamper the investigation.
Determining what family the ransomware represents is half the battle. It will provide the big picture regarding the most effective removal approach and the chances of data recovery. The following evidence will point you in the right direction:
There are specially crafted online portals such as ID Ransomware that will help identify the strain quickly. It is also a good idea to upload the sample to Hybrid Analysis or VirusTotal for additional details.
Once you determine what type of ransomware you are dealing with, be sure to collect all indicators of compromise (IOCs) such as executables, file hashes, network connections, Command & Control (C2) server URLs, and email addresses the malefactors have used to contact you.
It is also important to amass details about the infection vectors that were used to gain a foothold in your organization’s network. This way, you can pull the plug on the further influx of threats. Here are the common catalysts for ransomware distribution:
In most scenarios, ransomware spreads autonomously according to a predefined logic in its code. However, sometimes threat actors launch the encryption routine and execute other modules of their predatory software manually. This happens when they establish remote access to the network and run commands as if they were local users.
Another element of investigation is to assess the scale of the attack. Mainstream network monitoring and antivirus tools should allow you to figure out which servers and endpoints have been raided.
Firewalls, proxy servers, and DNS solutions will help you pinpoint the processes that attempt to set up connections with external C2 servers. Security information and event management (SIEM) systems are very helpful in this context. You can use them to sift through numerous events quickly and specify real-time monitoring rules to spot all infected devices.
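As an added example (not from the original article), a small SIEM-style correlation rule in Python that applies the C2 indicators collected during triage to proxy and DNS log lines and lists every internal host that reached them, whether or not the connection was blocked. The log format, the IOC values (documentation IP ranges and an .invalid hostname) and the internal addresses are all constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict

# Constructed indicator list: the C2 hostnames/IPs collected during triage.
# Values use documentation/reserved ranges and the .invalid TLD; placeholders only.
C2_INDICATORS = {
    "update-check.invalid",
    "203.0.113.7",
    "198.51.100.23",
}

# Constructed proxy/DNS log lines in a key=value layout (not from any real product).
SAMPLE_LOGS = """\
2021-03-17T10:01:02Z type=proxy src=10.0.1.15 dst=203.0.113.7 host=update-check.invalid action=allow
2021-03-17T10:01:05Z type=dns src=10.0.1.15 query=update-check.invalid answer=203.0.113.7
2021-03-17T10:02:11Z type=proxy src=10.0.2.40 dst=192.0.2.10 host=intranet.example action=allow
2021-03-17T10:03:30Z type=dns src=10.0.3.9 query=update-check.invalid answer=203.0.113.7
2021-03-17T10:04:00Z type=proxy src=10.0.2.40 dst=198.51.100.23 host=198.51.100.23 action=block
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict; the leading timestamp is kept as 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields

def find_infected_hosts(log_text, indicators):
    """Return {internal source IP: sorted list of C2 indicators it touched}.

    A host is flagged when any dst/host/query/answer field matches an IOC, regardless
    of whether the firewall allowed or blocked the connection: a blocked beacon still
    means the endpoint is running the malware and must be isolated."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        candidates = {f.get(k) for k in ("dst", "host", "query", "answer")} - {None}
        matched = candidates & indicators
        if matched:
            hits[f["src"]].update(matched)
    return {src: sorted(m) for src, m in sorted(hits.items())}

if __name__ == "__main__":
    for src, iocs in find_infected_hosts(SAMPLE_LOGS, C2_INDICATORS).items():
        print(f"{src}: {', '.join(iocs)}")
```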
The importance of classic antivirus software should not be underestimated. Most of these tools are potent enough to detect ransomware activity based on known signatures and behavior analysis.
One more step is to work out what data has been encrypted. Enterprise-focused ransomware typically zeroes in on user data, Database Management System (DBMS) records, and configuration files. Tools that examine file metadata or monitor file-system integrity will help you build an inventory of all affected assets.
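As an added example (not code from the original article), a Python inventory script that walks a file tree and flags files that look encrypted: files renamed with the strain's appended extension, dropped ransom notes, structured formats whose magic bytes no longer match their extension, and text/SQL/config files whose byte entropy is ciphertext-like. The extension ".locked", the note names and the sample tree are constructed placeholders for a hypothetical strain.

```python
import math, tempfile
from collections import Counter
from pathlib import Path

# Constructed placeholders for this hypothetical strain: the extension it appends
# to files it encrypts and the names of the ransom notes it drops.
RANSOM_EXT = ".locked"
RANSOM_NOTES = {"README_DECRYPT.txt", "HOW_TO_RESTORE.txt"}
# Leading bytes a few structured formats must carry; in-place encryption destroys them.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".docx": b"PK", ".xlsx": b"PK", ".zip": b"PK"}
TEXT_EXTS = {".txt", ".sql", ".conf", ".ini", ".log", ".csv"}

def shannon_entropy(data):
    """Bits per byte (0..8): plaintext config/SQL sits well below 6, ciphertext near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path):
    """Return why the file is considered affected, or None if it looks intact."""
    if path.name in RANSOM_NOTES:
        return "ransom note"
    if path.suffix == RANSOM_EXT:
        return "renamed with ransomware extension"
    head = path.read_bytes()[:4096]
    expected = MAGIC.get(path.suffix.lower())
    if expected and not head.startswith(expected):
        return "magic bytes do not match extension"
    if path.suffix.lower() in TEXT_EXTS and shannon_entropy(head) > 7.0:
        return "text file with ciphertext-like entropy"
    return None

def inventory(root):
    """Walk root and return sorted (relative path, reason) pairs for affected files."""
    root = Path(root)
    found = [(str(p.relative_to(root)), classify(p)) for p in root.rglob("*") if p.is_file()]
    return sorted((rel, why) for rel, why in found if why)

def build_demo_tree():
    """Constructed sample tree mixing intact files with 'encrypted' ones; returns its path."""
    root = Path(tempfile.mkdtemp())
    (root / "db").mkdir()
    (root / "report.pdf").write_bytes(b"%PDF-1.4 intact document")
    (root / "db" / "schema.sql").write_text("CREATE TABLE t(id INT);\n" * 50)
    (root / "db" / "dump.sql").write_bytes(bytes(range(256)) * 16)   # uniform bytes: entropy 8.0
    (root / "notes.txt.locked").write_bytes(bytes(range(64)))
    (root / "budget.xlsx").write_bytes(bytes(range(256)) * 2)        # no "PK" zip header
    (root / "README_DECRYPT.txt").write_text("All your data has been encrypted!")
    return root
```

Run `inventory(build_demo_tree())` to see the constructed tree classified; point `inventory()` at a real share to produce the list of affected assets.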
Senior executives should evaluate the scope of impact incurred due to the attack. This will become a foundation for creating a roadmap for further recovery and other actions related to business continuity.
When the investigation is underway, you should do your best to foil the infection so that it does not cause further damage. This is a delicate matter because a wrong tactic can aggravate the situation. With that in mind, make sure you have a clear-cut emergency plan all employees are familiar with.
It is important to prioritize the tasks geared toward restraining ransomware propagation. This will allow you to allocate the resources wisely and keep other business processes up and running. There is no need to reinvent the wheel here – your number one objective is to separate the “toxic” systems from other areas of the network.
Before you start restoring your IT infrastructure, ascertain that the malicious code has no chance to spread further. Otherwise, all your efforts will be futile. For a seamless recovery process, make sure that the responsible staff members know the location of the latest backups and have all the necessary expertise and tools to reinstate the data. Also, double-check that the systems you are about to restore are no longer infected.
If data recovery from backups is impossible for whatever reason, you can try several alternative methods:
The following tips will help you minimize the risk of falling victim to ransomware and decrease the response time if an attack happens:
Bear in mind that there is no such thing as absolute security. No matter how hard you may try to avoid ransomware, threat actors who think outside the box will keep coming up with infection mechanisms that slip under the radar. Therefore, make sure you have a plan B that involves backups, prompt incident response, and well-thought-out system recovery techniques.
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
Balaban - March 17, 2021