8 things to do in case your systems have been breached
Finding out that your company is the latest unwitting victim of a ransomware attack, one that locks computer systems and encrypts data until a ransom is paid to cybercriminals, is a nightmare for any corporation. There is no magic wand that makes a ransomware assault disappear without some downtime, sweating, and getting your IT team involved in restoring systems.
1. Do not open the ransom note or click on any ransom dialog popups
Understand that this triggers the timer on a lot of ransomware infections. These timers are designed with a self-detonation feature: if the ransom is not paid in the allotted time frame (normally around 3-4 days), the data is permanently lost and cannot be recovered. It’s important to develop a plan before clicking on anything. This crucial time period can make a huge difference in determining what to do next. Opening the note also lets the hackers know that the infection has been discovered and that the victim is aware of it.
2. Isolate impacted systems
The very first step is to quickly check all the systems, servers and network-attached storage and isolate the infected devices. I would actually recommend completely and physically powering down the switches, which breaks all network connections and stops the spread of the malware or the upload of your sensitive information to the bad actors. This is a call you will have to make: if only a few machines have been affected, physically removing those machines from the network would be the very first step.
3. Inform everyone in the company about the breach
In this step, it’s extremely important to refrain from using email, Slack, or any group chats, as those channels could have been compromised by the bad actors. It’s important to let employees know about the breach right away so they don’t try logging into the system or fall prey to phishing attacks launched from within, through email or company chat. Instead, use phone/text to communicate with your IT team and employees, in order to avoid tipping off the bad actors that the breach has been discovered. In some instances, they could spread the ransomware wider across the network before it is taken offline.
4. Avoid powering down a few non-mission-critical devices
It’s better to disconnect them from the network, as authorities like CISA and MS-ISAC may be able to gather a wide variety of information from these machines during the investigation, such as:
Random Access Memory (RAM) captures from systems, which can reveal the tools used in the exploit
Temporary Files
Recovered .exe files
Log Files
PowerShell scripts run on the system
Email addresses and bitcoin wallets that have been used
To help catch the bad actors, tamper as little as possible with these machines so the investigators have intact evidence to work with. This is equivalent to preserving a crime scene. Obviously, no one wants to delay the restore effort, so leave only machines not critical to business continuity running until the authorities can get to them.
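The evidence list above can be preserved without waiting for the authorities, and without powering the machine off. The following PowerShell script is an added example, not part of the original article or of any tool it mentions. It assumes an investigator runs it from an elevated PowerShell session on the disconnected machine, and that an external drive is mounted as E:\ to receive the output (a placeholder path). A full RAM image still needs a dedicated imaging tool; this script only preserves what can be read without installing anything on the host, and it hashes everything it collects so the copies can later be shown to be unaltered.

```powershell
# Added example (not from the original article): volatile-evidence triage for a
# machine that stays powered on but is disconnected from the network.
# Assumption: $OutRoot is an external drive, not the suspect machine's own disk.
param(
    [string]$OutRoot = "E:\triage"   # placeholder destination
)

$hostName = $env:COMPUTERNAME
$stamp    = Get-Date -Format "yyyyMMdd-HHmmss"
$out      = Join-Path $OutRoot "$hostName-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Record the investigator's own actions alongside the evidence.
Start-Transcript -Path (Join-Path $out "collector-transcript.txt") | Out-Null

# 1. Volatile state first, because it is lost at power-off: running processes
#    (with image path and command line) and live TCP connections.
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv (Join-Path $out "processes.csv") -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $out "tcp-connections.csv") -NoTypeInformation

# 2. Persistence: scheduled tasks and services, where droppers often hide.
Get-ScheduledTask |
    Select-Object TaskName, TaskPath, State,
        @{n='Action'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} |
    Export-Csv (Join-Path $out "scheduled-tasks.csv") -NoTypeInformation
Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Export-Csv (Join-Path $out "services.csv") -NoTypeInformation

# 3. PowerShell console history for every profile on the box (PSReadLine file).
Get-ChildItem "C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $user = $_.FullName.Split('\')[2]          # C:\Users\<user>\...
        Copy-Item $_.FullName (Join-Path $out "pshistory-$user.txt")
    }

# 4. Event logs exported as .evtx so timestamps and record IDs stay intact.
$logs = @('Security', 'System', 'Application',
          'Microsoft-Windows-PowerShell/Operational',
          'Microsoft-Windows-TaskScheduler/Operational')
foreach ($log in $logs) {
    $file = Join-Path $out (($log -replace '[\\/]', '-') + ".evtx")
    wevtutil epl $log $file
}

# 5. Temp directories: copy, never move, so the originals are untouched.
foreach ($dir in @($env:TEMP, "C:\Windows\Temp")) {
    $dest = Join-Path $out ("temp-" + ($dir -replace '[:\\]', '_'))
    Copy-Item $dir $dest -Recurse -ErrorAction SilentlyContinue
}

Stop-Transcript | Out-Null

# 6. Hash the whole collection (hash list written beside, not inside, the folder).
Get-ChildItem $out -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv (Join-Path $OutRoot "$hostName-$stamp.sha256.csv") -NoTypeInformation
```

Run it once per machine that is being kept alive for the investigators; the hash list is what lets you hand the folder over and still prove nothing was changed afterwards. Nothing here writes to the suspect machine's own disk except the transcript, which is also on the external drive.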
5. If active encryption is detected, power the device down immediately
If you check a machine and see unusually high disk activity in Task Manager on a server or workstation, or watch folders actively being encrypted, power the device down immediately. Don’t turn it back on, because the encryption process will resume. If you are trying to salvage the remaining data, remove the drives and plug them into a USB adapter on another machine to copy the data off. This ensures that the infection can’t spread and the encryption process is stopped immediately. Having someone such as a Managed IT Services Provider (MSP) monitoring your systems would catch things like this, because their monitoring tools ring the alarm and provide early detection.
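The "unusually high disk activity" and "folders actively being encrypted" signals described here can be watched for automatically. The script below is an added example, not code from the original article or from any MSP tooling it refers to. It assumes it runs on a file server (or a workstation with the share mounted) with $Path pointing at the directory to guard, that the English performance counter names are available, and that the thresholds are tuned for the environment. It polls for a burst of rewritten files, checks whether those files carry extensions the share does not normally hold, and cross-checks the physical disk write rate, so that a large legitimate copy job does not trip the alarm on its own.

```powershell
# Added example (not from the original article): poll-based early warning for
# mass file encryption on a guarded directory. Assumptions: $Path, thresholds
# and the known-extension list are placeholders to tune per environment.
param(
    [string]$Path            = "D:\Shares\Company",  # placeholder guarded directory
    [int]   $WindowSeconds   = 30,     # look-back window per poll
    [int]   $MaxChangedFiles = 200,    # rewritten files per window before alarming
    [double]$MaxDiskWritesPs = 1500    # PhysicalDisk(_Total) Disk Writes/sec before alarming
)

# Extensions that normally live in this share. Hundreds of files suddenly
# carrying an extension outside this list is a strong encryption signal.
$knownExt = @('.docx', '.xlsx', '.pptx', '.pdf', '.txt', '.csv', '.jpg', '.png', '.zip')

function Test-EncryptionBurst {
    param([string]$Root, [int]$Window, [int]$MaxChanged, [double]$MaxWrites)

    $since   = (Get-Date).AddSeconds(-$Window)
    $changed = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
               Where-Object { $_.LastWriteTime -gt $since }
    $unknown = $changed | Where-Object { $knownExt -notcontains $_.Extension.ToLower() }

    # Average write rate over three one-second samples across all physical disks.
    $samples = Get-Counter '\PhysicalDisk(_Total)\Disk Writes/sec' -SampleInterval 1 -MaxSamples 3
    $writes  = ($samples.CounterSamples | Measure-Object CookedValue -Average).Average

    [pscustomobject]@{
        Time          = Get-Date
        ChangedFiles  = @($changed).Count
        UnknownExtHit = @($unknown).Count
        DiskWritesPs  = [math]::Round($writes, 1)
        # Two signals must agree: a burst of rewrites AND either unknown
        # extensions appearing or sustained disk writes.
        Alarm         = (@($changed).Count -ge $MaxChanged) -and
                        ((@($unknown).Count -ge ($MaxChanged / 4)) -or ($writes -ge $MaxWrites))
        TopUnknownExt = ($unknown | Group-Object { $_.Extension.ToLower() } |
                         Sort-Object Count -Descending | Select-Object -First 3 |
                         ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    }
}

# One check per window; runs until stopped (Ctrl+C) or an alarm fires.
while ($true) {
    $r = Test-EncryptionBurst -Root $Path -Window $WindowSeconds `
                              -MaxChanged $MaxChangedFiles -MaxWrites $MaxDiskWritesPs
    Write-Host ("{0:HH:mm:ss} changed={1} unknownExt={2} writes/s={3}" -f `
                $r.Time, $r.ChangedFiles, $r.UnknownExtHit, $r.DiskWritesPs)
    if ($r.Alarm) {
        $msg = "Possible mass encryption under $Path : $($r.ChangedFiles) files rewritten " +
               "in $WindowSeconds s; unknown extensions: $($r.TopUnknownExt)"
        # Source name and event ID 9001 are constructed for this example; choose
        # values your monitoring or SIEM can key on.
        if (-not [System.Diagnostics.EventLog]::SourceExists("RansomWatch")) {
            New-EventLog -LogName Application -Source "RansomWatch"
        }
        Write-EventLog -LogName Application -Source "RansomWatch" -EventId 9001 -EntryType Error -Message $msg
        Write-Warning $msg
        break   # a human now follows this step: power the affected device down
    }
    Start-Sleep -Seconds $WindowSeconds
}
```

The Application log entry is what an MSP's monitoring agent would forward; on its own the script only tells whoever is watching the console. Polling with Get-ChildItem is deliberately simple and costs a directory walk per window, so on very large shares raise $WindowSeconds or point $Path at the most sensitive subtree rather than the whole volume.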
6. Avoid paying the ransom if your backups have not been compromised
If you have cloud storage or a network device that was isolated from the network prior to the attack, odds are you will be able to restore your systems. Avoid paying the ransom and keep it as the VERY last resort. If you aren’t sure whether your backups would survive a cyber-attack, get a professional to assess your network. These assessments usually include penetration testing (pen testing) inside and outside the network, checking your backups, and helping to develop a plan of action in case something like this happens. For starters, if you are using network-attached storage, ensure that it is not accessible through your Active Directory. Here is an article on how to do this. Get with your MSP and ask them what they offer in terms of active ransomware protection and detection. If your IT provider only offers a basic antivirus program, look for another firm that specializes in cybersecurity or build your own security software to put on your network.
7. And when all fails, and paying ransom is the last resort…
Sometimes poor disaster planning, coupled with an elaborate attack, could result in having to fork over the ransom money. Keep in mind there is no guarantee that you will get your data back even if you pay the ransom. But at this point it’s clear that your back is against the wall and the only thing left to do is take that chance.
All bad actors behind ransomware will take the payment in the form of Bitcoin or Ethereum. Go to coinbase.com or eToro.com
Create an account
Verify your identity
Link your debit card or bank account to your Coinbase or Etoro account. Once you have money in your wallet, search for Bitcoin (BTC) or Ethereum (ETH) to purchase the specified amount.
You will then send the crypto to a different wallet; the wallet address is provided in the ransom note. Be sure to copy and paste it rather than typing it, so you don’t make any errors entering it. Take a copy of the transaction ID and send this information to the email address in the ransom note.
Then keep your fingers crossed that you will receive a decryptor tool back.
8. Invest in finding the vulnerability
Where did the exploit originate? How did the bad actors get into your systems? The next step is to either hire a forensics expert or have your MSP examine everything to determine where the infection came from, how it traveled laterally across the network, what sort of infection it was, and what measures can be taken to ensure the exploit has been stopped. The MSP will need to look through the logs of both the systems and the firewall, as well as run pen testing internally and externally. Everyone’s mailboxes are also a good place to look for phishing attempts.
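A first pass over the system logs mentioned here can be scripted before the forensics expert arrives, so the obvious questions (where did it start, how did it hop between machines) already have candidate answers. The script below is an added example, not part of the original article or any vendor tooling. It assumes it runs as an administrator on a machine of interest, or offline against a folder of exported .evtx files named after their log, that the internal address pattern covers only the RFC 1918 ranges, and that the keyword list for PowerShell script blocks is a starting point rather than a complete signature set.

```powershell
# Added example (not from the original article): first-pass hunt for initial
# access, lateral movement, persistence and anti-recovery in Windows event logs.
# Assumptions: $Since, $Internal and $EvtxDir are placeholders for the case.
param(
    [datetime]$Since    = (Get-Date).AddDays(-14),
    [string]  $Internal = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)',  # RFC 1918 only
    [string]  $EvtxDir  = ''   # folder of exported .evtx files to work offline, or empty for live logs
)

function Get-Events {
    param([string]$Log, [int[]]$Ids)
    $filter = @{ StartTime = $Since; Id = $Ids }
    if ($EvtxDir) {
        $filter.Path = Join-Path $EvtxDir (($Log -replace '[\\/]', '-') + '.evtx')
    } else {
        $filter.LogName = $Log
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

# 1. Network (type 3) and RDP (type 10) logons. A source outside the internal
#    ranges points at the entry; a rarely seen account/source pair points at a hop.
$logons = Get-Events -Log 'Security' -Ids 4624 | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time = $_.TimeCreated
        User = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Type = [int]$d.LogonType
        From = $d.IpAddress
        Host = $_.MachineName
    }
} | Where-Object { $_.Type -in 3, 10 -and $_.From -and $_.From -ne '-' }

$external = $logons | Where-Object { $_.From -notmatch $Internal -and $_.From -notin '127.0.0.1', '::1' }
$lateral  = $logons | Group-Object User, From | Sort-Object Count | Select-Object -First 20

# 2. PowerShell script block logging (4104): traits droppers and wipers commonly show.
$suspiciousPs = Get-Events -Log 'Microsoft-Windows-PowerShell/Operational' -Ids 4104 |
    Where-Object { $_.Message -match 'EncodedCommand|FromBase64String|DownloadString|Invoke-Expression|vssadmin|wbadmin|bcdedit' } |
    Select-Object TimeCreated, MachineName,
        @{n='Snippet'; e={ $m = $_.Message -replace '\s+', ' '; $m.Substring(0, [math]::Min(160, $m.Length)) }}

# 3. Persistence and anti-recovery: new services, new accounts or group changes, cleared audit log.
$services = Get-Events -Log 'System'   -Ids 7045       | Select-Object TimeCreated, MachineName, Message
$accounts = Get-Events -Log 'Security' -Ids 4720, 4732 | Select-Object TimeCreated, MachineName, Message
$cleared  = Get-Events -Log 'Security' -Ids 1102       | Select-Object TimeCreated, MachineName, Message

"=== Logons from outside the internal ranges ==="; $external | Sort-Object Time | Format-Table -AutoSize
"=== Rarest account/source pairs (lateral movement candidates) ==="; $lateral | Format-Table Count, Name -AutoSize
"=== Suspicious PowerShell script blocks ==="; $suspiciousPs | Format-Table -AutoSize
"=== New services (7045) ==="; $services | Format-Table -AutoSize
"=== New accounts / local group changes (4720, 4732) ==="; $accounts | Format-Table -AutoSize
"=== Security log cleared (1102) ==="; $cleared | Format-Table -AutoSize
```

Run it against each machine that was touched, earliest-infected first, and line the outputs up by time: the first external logon or suspicious script block on the earliest machine is usually the starting point, and the rare account/source pairs on the others show the path the attackers took. Script block events (4104) only exist if script block logging was enabled before the incident, and a cleared Security log (1102) is itself a finding.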
If your business needs help recovering from a cyber-attack, AlphaCIS can help. We are located in the Metro Atlanta area and specialize in cybersecurity and recovering from attacks such as these. We can work alongside your current IT provider to aid them in recovering your systems. You can schedule a quick discovery call with us here.
Dmitriy Teplinskiy
I have worked in the IT industry for 15+ years. During this time I have consulted clients in accounting and finance, manufacturing, automotive and boating, retail and everything in between. My background is in Networking and Cybersecurity.