You’ve read our thousand and one articles on guarding your network from every threat under the sun. But sometimes, despite all precautions, an infection gets in. Now is the time for cool heads and quick, decisive actions. Your response will help determine whether the incident becomes a deadly headache for the company or a feather in your cap.
As you step through the recovery process, document every action you take, with timestamps: who did what, on which machine, and when. That record is what lets you explain the incident to employees, management, regulators, and the wider world, and it also keeps your own investigation honest. At the same time, preserve every piece of evidence of the ransomware you can, because you will need it later to find any other malicious tools that were planted alongside it. That means saving logs, the ransomware binary itself, ransom notes, and other traces of the malware before cleanup destroys them.
Part one: Locate and isolate
Your first step is to determine the extent of the intrusion. Has the malware spread through the entire network? To more than one office?
Start by looking for infected computers and network segments in the corporate infrastructure, and immediately isolate them from the rest of the network to limit contamination.
If the outbreak touches more than a handful of computers, you’ll want to analyze the events and logs in the SIEM system rather than checking machines one by one. That won’t eliminate all later legwork, but it’s a good start at sketching your big picture: which hosts are encrypting files, which network shares they reached, and when each one started.
After isolating infected machines from the network, create disk images of them and, if possible, leave the machines themselves alone until the investigation is over. Capture a memory dump before the machine is powered off: RAM is lost at shutdown, and it may hold the running ransomware process, its configuration, or even encryption keys. Record a cryptographic hash of every image and dump the moment it is taken so you can later prove the evidence was not altered. (If the company cannot afford the computer downtime, make the images anyway, and still save the memory dump for the investigation.)
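An added example of the imaging step, not code from the original article: a small forensic imager that copies a device node or file chunk by chunk, hashes both what it read and what it wrote, re-reads the finished image to verify it, and writes a chain-of-custody manifest. It assumes the source can be opened for reading (a block device such as /dev/sdb, or a file) and mirrors dd’s conv=noerror,sync behaviour: a chunk that cannot be read is zero-filled so later offsets stay correct, and the bad range is recorded in the manifest rather than silently dropped. Memory acquisition needs a dedicated tool and is not shown. The run_demo() function images a constructed temporary file, not a real disk.

```python
"""Forensic disk image with integrity hashes and a chain-of-custody manifest.

Added example, not from the original article. Assumes the source path can be
opened for reading (a block device node or a file). Unreadable chunks are
zero-filled and recorded, like dd conv=noerror,sync, instead of aborting.
"""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read size; keep it a multiple of the device sector size


def sha256_file(path, chunk=CHUNK):
    """Independent SHA-256 of a file, used to verify what actually reached disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src_path, dst_path, chunk=CHUNK):
    """Copy src to dst, hashing in flight, and return the evidence manifest."""
    src_hash = hashlib.sha256()  # bytes the source actually gave us
    img_hash = hashlib.sha256()  # bytes written (differs only if chunks were zero-filled)
    bad_ranges = []
    offset = 0
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        while True:
            try:
                data = src.read(chunk)
            except OSError:
                # Unreadable sectors: zero-fill, record the range, skip past them.
                bad_ranges.append([offset, offset + chunk])
                data = b"\x00" * chunk
                src.seek(offset + chunk)
            else:
                if not data:
                    break
                src_hash.update(data)
            dst.write(data)
            img_hash.update(data)
            offset += len(data)
    manifest = {
        "source": src_path,
        "image": dst_path,
        "bytes": offset,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "bad_ranges": bad_ranges,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "acquired_on": socket.gethostname(),
    }
    # Re-read the written image independently; a mismatch means a write problem.
    manifest["verified"] = sha256_file(dst_path) == manifest["image_sha256"]
    return manifest


def write_manifest(manifest, path):
    """Store the manifest next to the image; keep a copy off the evidence host too."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2)


def run_demo():
    """Image a constructed sample 'device' (a temp file of random bytes), not a real disk."""
    workdir = tempfile.mkdtemp(prefix="ir-demo-")
    src = os.path.join(workdir, "sample-device.bin")
    dst = os.path.join(workdir, "evidence.img")
    payload = os.urandom(3 * CHUNK + 12345)  # constructed sample content
    with open(src, "wb") as f:
        f.write(payload)
    manifest = image_device(src, dst)
    write_manifest(manifest, dst + ".json")
    return manifest, hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    m, expected = run_demo()
    print(json.dumps(m, indent=2))
    print("image hash matches source:", m["image_sha256"] == expected)
```

On a real acquisition, point image_device at the device node, write the image to external storage that is never mounted read-write again, and keep the manifest (with the hashes) in your incident log; a non-empty bad_ranges list tells the analyst which offsets were unreadable rather than letting zeros masquerade as data.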
Part two: Analyze and act
Having contained the outbreak, you now have a list of machines with disks full of encrypted files, plus images of those disks. They are all disconnected from the network and, as long as they stay isolated, no longer pose a threat to it. You could start the recovery process right away, but first, see to the security of the rest of the network.
Now is the time to analyze the ransomware, figure out how it got in and what groups usually use it — that is, start the threat-hunting process. Ransomware doesn’t simply appear; a dropper, RAT, Trojan loader, or something of that ilk installed it. You need to root out that something.
To do so, conduct an internal investigation. Dig around in the logs to determine which computer was hit first (patient zero), how the malware got onto it, which hosts it reached from there, and why the defenses on that first computer failed to stop it.
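The log triage described in Part one and in the step above, as an added example that is not part of the original article. It runs over constructed endpoint-style log lines (an ISO-8601 UTC timestamp followed by key=value fields) that are embedded in the block and labelled as such. The ".locked" file suffix is an assumed marker for this sample; in a real hunt you would key on the extension or ransom note the malware actually drops. From the events it derives patient zero, the process chain on that host before encryption began, the probable lateral-movement edges (SMB, RDP or WinRM connections made by a host that was already encrypting), and an ordered isolation list that includes hosts contacted by an infected machine but not yet showing encryption.

```python
"""Ransomware log triage: patient zero, spread order, hosts to isolate.

Added example, not from the original article. Works over constructed
key=value endpoint logs embedded below; the .locked suffix, host names and
timestamps are all made up for the sample.
"""
import re
from datetime import datetime

ENCRYPTED_SUFFIX = ".locked"              # assumed marker for this sample
LATERAL_PORTS = {"445", "3389", "5985"}   # SMB, RDP, WinRM
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample log: one workstation opens a malicious document, its
# payload encrypts files and then reaches two other hosts over SMB; one of
# those later touches a fourth host over RDP.
SAMPLE_LOG = r"""
2024-03-04T02:10:51Z host=ws-017 event=process_create parent=outlook.exe image=winword.exe
2024-03-04T02:11:42Z host=ws-017 event=process_create parent=winword.exe image=powershell.exe
2024-03-04T02:12:30Z host=ws-017 event=process_create parent=powershell.exe image=updater.exe
2024-03-04T02:13:05Z host=ws-017 event=file_write path=C:\Users\j.doe\Desktop\report.docx.locked
2024-03-04T02:14:00Z host=ws-017 event=net_connect dst_host=fs-02 dst_port=445
2024-03-04T02:15:20Z host=ws-017 event=net_connect dst_host=ws-021 dst_port=445
2024-03-04T02:20:11Z host=fs-02 event=file_write path=D:\share\finance\q1.xlsx.locked
2024-03-04T02:22:45Z host=ws-021 event=process_create parent=services.exe image=updater.exe
2024-03-04T02:23:02Z host=ws-021 event=file_write path=C:\Users\a.lee\Documents\notes.txt.locked
2024-03-04T02:30:00Z host=ws-005 event=process_create parent=explorer.exe image=chrome.exe
2024-03-04T02:31:00Z host=ws-021 event=net_connect dst_host=ws-005 dst_port=3389
"""


def parse_line(line):
    """Split 'TIMESTAMP k=v k="quoted v" ...' into a dict with a datetime ts."""
    ts_str, _, rest = line.strip().partition(" ")
    ev = {k: (q if v.startswith('"') else v) for k, v, q in KV_RE.findall(rest)}
    ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_log(text):
    """Parse all non-empty lines and return them in time order."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def triage(events):
    # First moment each host was seen writing an encrypted file.
    first_enc = {}
    for ev in events:
        if ev["event"] == "file_write" and ev.get("path", "").endswith(ENCRYPTED_SUFFIX):
            first_enc.setdefault(ev["host"], ev["ts"])
    if not first_enc:
        return {"patient_zero": None, "isolate": [], "lateral": [], "initial_access": []}

    patient_zero = min(first_enc, key=first_enc.get)

    # Lateral movement: an already-encrypting host connecting to another host
    # on an admin/file-sharing port, before (or without) encryption on the target.
    lateral, suspects = [], {}
    for ev in events:
        if ev["event"] != "net_connect" or ev.get("dst_port") not in LATERAL_PORTS:
            continue
        src, dst = ev["host"], ev["dst_host"]
        if src not in first_enc or ev["ts"] < first_enc[src]:
            continue
        if dst not in first_enc:
            suspects.setdefault(dst, ev["ts"])   # reached, not yet encrypting: check it
            lateral.append((src, dst))
        elif ev["ts"] < first_enc[dst]:
            lateral.append((src, dst))

    # Simplification: the process creations on patient zero before its first
    # encrypted write are taken as the initial-access chain.
    chain = [ev for ev in events
             if ev["host"] == patient_zero and ev["event"] == "process_create"
             and ev["ts"] < first_enc[patient_zero]]
    initial_access = ([chain[0]["parent"]] + [e["image"] for e in chain]) if chain else []

    isolate = sorted(first_enc, key=first_enc.get) + sorted(suspects, key=suspects.get)
    return {"patient_zero": patient_zero, "isolate": isolate,
            "lateral": lateral, "initial_access": initial_access}


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The isolation list is ordered by when each host first showed encryption, with not-yet-encrypting hosts that an infected machine reached appended at the end; those are exactly the machines you want off the network before they finish whatever was pushed to them. Feed it real SIEM exports by adapting parse_line to your field names, and treat the initial_access chain as a lead to verify against the disk image, not as proof.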
Based on the investigation results, rid the network of advanced stealthy malware and, if possible, restart business operations. Then, figure out what would have stopped it: What was missing in terms of security software? Plug those gaps.
Next, alert employees about what happened, brief them on spotting and avoiding such traps, and let them know training will follow.
Finally, from here on out, install updates and patches promptly. Update and patch management is a critical priority for IT administrators: malware often creeps in through vulnerabilities for which patches are already available, so an unpatched system is an open door that was left open on purpose.
Part three: Clean up and restore
By this point, you’ve managed the threat to the network, as well as the hole it came through. Now, turn your attention to the computers that are