Ransomware is a form of malware that hijacks a device or its data and blocks access until the victim pays the amount of money (the ransom) demanded by the attacker. This type of attack has seen a huge spike in recent years, partly because of the outsized impact ransomware has on people and corporations.
There are two main forms of Ransomware:
- Crypto: This type encrypts the victim's files but usually leaves the rest of the system untouched. The goal of the crypto strain is to block access to the victim's data. This is a very serious type of attack because of the mathematical nature of the process: properly implemented encryption cannot be reversed in practice without the attacker's key.
- Locker: This type tries to limit access to the device's resources, for example by blocking access to your home directory or disabling the keyboard and mouse. Unlike the crypto strain, it usually doesn't encrypt files, so it can be less hazardous: the data is often recoverable once the malware is removed.
The power of ransomware is notable. In the news we have seen large corporations taken down overnight, no matter where they are. All it takes is one person opening a malicious attachment.
Responding to ransomware isn't all that different from responding to a regular incident, except that the organization must react faster. Every minute that infected machines remain connected to the network raises the cost of the incident, because the malware keeps spreading: the impact becomes longer and more widespread.
The incident response plan must be activated as soon as possible, and your organization must reach the containment phase within a few hours. Preserve a sample set of infected computers (isolated, not wiped or reimaged) so that you can investigate whether this was a targeted attack or an opportunistic infection. This is crucial: you always want to determine where the attack originated so that you can close the entry point and prevent a repeat.
As soon as possible after activating your incident response plan, contact the FBI and US Secret Service field offices nearest you. If your plan does not include this step, add it. Both agencies actively ask organizations to contact them in the case of a ransomware infection. If your organization has a substantial backup program, verify that those backups are not infected before restoring from them. Otherwise you risk reintroducing the malware and spreading it through the network in a second incident.
Steps to remember:
- Activate your incident response procedures immediately.
- Isolate infected devices immediately, and cut not-yet-infected devices off from the affected network segments. This is crucial. Physically disconnect non-critical network devices if need be.
- Ensure your backup data is clean and isolated from infected devices. Again, ensure a physical disconnection if need be.
- Keep a sample set of the infection for investigation.
- Contact the FBI and USSS field offices near you.
- Change all credentials in the organization once the infection is contained.
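The step about making sure backups are clean deserves a concrete check. The script below is an added example, not LIFARS's tooling or part of the original post: it walks a backup tree and flags the three most common signs that a crypto-ransomware strain reached it, namely ransom notes, files renamed with an added extension, and files that still carry their original names but have been encrypted in place (detected by their near-maximal byte entropy). The note names, extensions and the 7.5 bits-per-byte threshold are assumptions for illustration; a real run would use indicators from the sample set you preserved. The sample backup it builds is constructed inline so it runs offline.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators assumed for this example; replace with IOCs from your preserved samples.
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover_files.txt", "decrypt_instructions.html"}
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
# Already-compressed formats are legitimately high entropy, so skip the entropy test for them.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; plaintext and office documents sit well below this
SAMPLE_BYTES = 65536      # only the head of each file is read, to keep the scan fast


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_backup(root) -> dict:
    """Return lists of suspicious paths grouped by the indicator that fired."""
    findings = {"ransom_notes": [], "suspect_extension": [], "high_entropy": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name.lower() in RANSOM_NOTE_NAMES:
            findings["ransom_notes"].append(str(path))
            continue
        ext = path.suffix.lower()
        if ext in SUSPECT_EXTENSIONS:
            findings["suspect_extension"].append(str(path))
            continue
        if ext in COMPRESSED_EXTENSIONS:
            continue
        with path.open("rb") as f:
            head = f.read(SAMPLE_BYTES)
        # Tiny files give unreliable entropy estimates, so require at least 1 KiB.
        if len(head) >= 1024 and shannon_entropy(head) > ENTROPY_THRESHOLD:
            findings["high_entropy"].append(str(path))
    return findings


def backup_is_clean(findings: dict) -> bool:
    """True only when no indicator fired; restore from this backup only in that case."""
    return not any(findings.values())


def build_sample_backup(root) -> Path:
    """Constructed sample data: one clean document, one renamed+encrypted file,
    one file encrypted in place under its original name, and a ransom note."""
    root = Path(root)
    (root / "reports").mkdir(parents=True)
    (root / "reports" / "q1.txt").write_bytes(b"Quarterly report: revenue up 4 percent.\n" * 100)
    (root / "reports" / "q2.docx.locked").write_bytes(os.urandom(4096))
    (root / "reports" / "q3.docx").write_bytes(os.urandom(4096))  # random bytes stand in for ciphertext
    (root / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover them.\n")
    return root


def demo() -> dict:
    """Build the constructed backup in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_backup(build_sample_backup(Path(tmp) / "backup"))


if __name__ == "__main__":
    result = demo()
    for indicator, paths in result.items():
        print(f"{indicator}: {paths}")
    print("clean" if backup_is_clean(result) else "DO NOT RESTORE: indicators found")
```

Run it against the mount point of a backup snapshot before any restore; any hit means the snapshot postdates the infection and an older one must be used. The entropy test is a heuristic, so expect to whitelist additional legitimately compressed or encrypted formats (database files, archives, VM images) that your environment contains.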
Don't settle for being reactive in incident response; be proactive and secure your networks properly. Never pay a ransom, as it is extremely risky. Some victims have paid and never received a decryption key for their files, and some were then asked for more money to decrypt them. They are out those funds and no closer to restoring regular business operations. Paying also signals to the attackers that you are low-hanging fruit, willing to pay for access to your own files.
If you are a victim of ransomware, contact us today. LIFARS has handled several ransomware cases in the past and delivers a high-quality Incident Response service.