A step-by-step guide for IT leaders to cure a ransomware infection
"Why can't I open that file?" "My P drive is full of files with funny names." "Help!" It always starts out the same. Someone logged in and noticed strange file names or missing files. These are telltale signs of a ransomware attack, which means that your day just got a lot worse.
The good news: you’ve come to the right place. This video below gives you a 2 minute overview. The article will guide you step-by-step on your road to recovery.
Step 1: Understand Your Situation
You’ve been infected by malware. The malware has bypassed your antivirus and other defenses. It is likely the result of some user action (like clicking a link), but that’s not always the case these days. The virus is using the infected user’s permissions to access and encrypt files. Ransomware can encrypt operating system files, network shares and even cloud file systems.
There is a small chance you will be able to decrypt these files with a free tool, available online from several different security companies. This best-case-scenario will still result in hours of downtime and is effective only on specific ransomware variants. In most cases you will be forced to restore files from backup or pay the ransom. Recovery of large data sets can take from several hours to several days to complete. If you choose to pay the ransom expect to spend between several hundred and several thousand dollars.
Now is a good time to communicate to executives and staff that there is a problem. Critical systems will be down for an extended period of time. It’s going to be a long day for everyone.
Step 2: Lock It Down
At this time, all we know is that you’re infected. One or more users may be the source. The infection may be hours or days old. We need to stop the bleeding before we can treat this patient. You need to take the shares offline immediately.
Before you lock these shares, we might be able to save a lot of time in later steps. Look at the open files on the encrypted shares. This can help you identify the source of the infection, what we call Patient Zero. If you see one user with hundreds of open files, they are probably the source of the infection.
Which shares should you lock? All of them is the safest answer, but your situation will dictate which ones should be restricted. There are too many factors to include in this guide.
Locking the shares will stop the progress of the encryption, if it is still underway, and will prevent other shares from being encrypted until you remove the infection from the network.
Step 3: Shut Down Patient Zero
It is critical you identify and shut down the source of the infection. In larger organizations this can be very difficult. Here are some ideas:
Who is the owner of the new files (instructions for decryption)?
What permissions were needed to modify the encrypted files? Who has those permissions?
- View open files on the shares to find the infected users.
If you identify patient zero and act quickly it’s possible to limit the infection. In some cases the infection will not be noticed until whole shares are encrypted.
Turn all potentially infected machines off and disconnect them from the network for the duration. Until the machines are fully cleaned, they continue to pose a threat to network security and could cause re-infection.
Step 4: Identify the Infection
The next step is to identify the variant so you can plan the best recovery option for your situation. The infection already beat your antivirus and other defenses, so they won’t be of any help. Here is how we do it.
Browse the affected shares and you’ll quickly find a text file. It’s going to look like one of the files below.
Critical Note: Most of the ransomware variants have a timer that starts when you click the link in the instructions file. This timer has had two different outcomes. In some cases the ransom doubles when times is up. In other occasions the files have been encrypted forever. Do not click the links until you've read this guide and a have a plan.
These files are the key to working through this infection. By searching the web for the text in these files, you can usually determine the variant. Each variant has critical characteristics that you must research. For some variants there are decryption tools. Other variants may not even have encrypted the files, but are still demanding the ransom. Identifying the variant should only take a few minutes. Move quickly.
Step 5: Verify Your Backups
This is where you have to make a tough decision- to restore from backup or to pay the ransom. First, make sure the backups you have are good and current before attempting to use them as an alternative to paying the ransom. One of the worst outcomes would be to start a restore and watch it fail many hours later. You may have lost the ability to pay the ransom if the timer has expired.
We always perform a test restore. Ensure that a small but significant number of encrypted files are able to be restored successfully.
Calculate Restore Time: Everyone will want to know when the restore will be done. Restoring a few GBs will be fairly rapid if the backup is onsite. For offsite backups, TB+ datasets, or backups on slower media, the restore may take days. It’s hard to offer specific advice here so we’ll stick with an easy answer: start the restore and run it for 15 to 30 minutes. Estimate the full restore time from that experiment, then plan and communicate accordingly.
If the test restore worked and your restore time is reasonable, you have a good option to avoid paying the ransom. If it didn’t work, the most recent backup is too old, or you would rather not wait for the restore to complete, then you must pay the ransom and take your chances.
Step 6: Paying the Ransom
The FBI recommends that victims of ransomware do not pay the ransom. “Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.” The FBI Blog
If you are going to pay the ransom, here is some information you will need.
Ransom is paid in Bitcoin. Unless you already own some, you’re going to have to buy them. In the US we have several methods available to buy Bitcoin. Buying Bitcoin is a similar process to starting a new bank account, as these firms are required by the US government to comply with the Know Your Customer regulations. Buying bitcoins can take time and there may be a limit to the number you can buy at one time.
Though many sites exist where you can buy bitcoin, the two most popular in the United States are:
Once you purchase the bitcoin you can use these sites to pay the attacker directly by transferring the bitcoin to their address. Once you send the bitcoins, there are no refunds.
Communication with the attackers is risky. Some variants require email communication to receive the decryption tool. It is not uncommon for a client to pay a ransom and then be immediately attacked again. After all you just proved the bad guys have a successful business model. Communication that discloses your identity should be avoided. Always communicate from a new, disposable email account such as a Gmail or Outlook.com account.
In GCS experience most communication requires waiting overnight. The attackers seem to have about a 12 hour time difference from us in Texas.
There is no guarantee the ransom will work. These guys are criminals. Trust them at your own risk. At GCS we usually request a proof of decryption by sending one of the unencryped files (non-sensitive data) to the attacker. If they can't decrypt that file, paying the ransom is probably a waste of money.
Step 7: Decrypting
Depending on the ethics and customer service of your attacker, you may receive a tool to decrypt the files once the ransom is paid. That's right - you have to use software provided BY THE ATTACKER to decrypt the files. If that doesn’t make you nervous, you haven’t been paying attention.
GCS recommends a one-time use virtual machine that is severely locked down and hardened for decryption. Once the decryption is complete, destroy the virtual machine. This will dramatically slow down the process of decryption, as opposed to running the tool directly on the file server/s.
Though anti-virus/malware solutions are not effective at preventing the infection, many are effective are identify the decryption tool as malware. This can complicate the decryption process and may require extra time to work through.
There are many details which could be added to this document. GCS has unfortunately become experts in the recovery from ransomware infections. We will commit to updating this document as our knowledge and the attacks evolve. GCS is available to assist with these recoveries for clients under agreement.
Our advice to prevent ransomware attacks from reoccurring is painfully plain: train employees to be careful and make sure you have good backups. Additional layers of security can help—consider adding a DNS filtering service such as OpenDNS. Improve your backup to include a business continuity component like Datto. Consider a thorough security audit to identify potential problems in your organization.
If you have comments or questions, please email us at email@example.com.