A few steps on how to defeat ransomware when it arrives as an incident on your infrastructure or data estate.
Isolate The Infection
Prevent the infection from spreading by separating all infected computers from each other, shared storage, and the network.
Speed of detection is critical in combating fast-moving attacks before they spread across the network and encrypt vital data.
The first thing to do when a computer is suspected of being infected is to isolate it from other computers and storage devices. Disconnect it from the network (both wired and Wi-Fi), unmount any network shares, and detach external storage devices. Cryptoworms actively seek out connections to other computers, so you want to prevent that from happening. You also don't want the ransomware communicating across the network with its command-and-control server.
Be aware that there may be more than one patient zero: the ransomware may have entered your organization or home through several computers, or may be dormant and not yet visible on some systems. Treat all connected and networked computers with suspicion, and verify that each one is clean before it goes back on the network.
Identify The Infection
From messages, evidence on the computer, and identification tools, determine which malware strain you are dealing with.
Most often the ransomware identifies itself when it asks for the ransom. Several sites help you identify the strain from the ransom note and a sample encrypted file, including ID Ransomware and the Crypto Sheriff run by the No More Ransom! Project.
Identifying the ransomware will help you understand what type of ransomware you have, how it propagates, what types of files it encrypts, and perhaps what your options are for removal, decryption and disinfection. It also lets you report the attack to the authorities, which is recommended.
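Before uploading anything to an identification site you need three things from the infected machine: the extension the encrypted files now carry, the ransom note, and the time window in which files were encrypted. The Python script below is an added example (not part of the original article and not a tool from ID Ransomware or No More Ransom) that collects all three by walking a directory tree: it flags files whose byte entropy is near 8 bits/byte as probably encrypted, tallies their extensions, picks out small low-entropy files whose text reads like a ransom note, and records the earliest and latest modification times of the encrypted files. The entropy threshold, the keyword list, the list of "healthy but high-entropy" formats and the sample files are all assumptions constructed for the example.

```python
"""Ransomware triage: gather what ID Ransomware and Crypto Sheriff need.

Walks a directory tree and reports (1) the extensions carried by high-entropy,
i.e. probably encrypted, files, (2) candidate ransom notes, and (3) the window
in which the encrypted files were written, which bounds the infection date.
"""
from __future__ import annotations

import math
import os
import random
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Heuristic thresholds: assumptions chosen for this example, not from the article.
ENCRYPTED_ENTROPY = 7.5          # bits/byte; ciphertext and random data sit near 8.0
NOTE_MAX_BYTES = 64 * 1024       # ransom notes are small text files
NOTE_BODY_RE = re.compile(rb"(your files|encrypted|decrypt|bitcoin|\.onion)", re.I)
# Healthy compressed formats are high-entropy too; do not count them as encrypted.
COMPRESSED_SUFFIXES = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp4", ".mp3"}


def shannon_entropy(data: bytes) -> float:
    """Entropy of `data` in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class TriageReport:
    encrypted_count: int = 0
    suspect_extensions: Counter = field(default_factory=Counter)
    ransom_notes: list = field(default_factory=list)   # candidates for a human to confirm
    first_seen: Optional[datetime] = None              # earliest mtime of an encrypted file
    last_seen: Optional[datetime] = None


def triage(root: str | os.PathLike) -> TriageReport:
    """Scan `root`; hand the extension, a note and a sample file to an identification site."""
    base = Path(root)
    report = TriageReport()
    for path in sorted(p for p in base.rglob("*") if p.is_file()):
        data = path.read_bytes()
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        ent = shannon_entropy(data)
        if ent >= ENCRYPTED_ENTROPY and path.suffix.lower() not in COMPRESSED_SUFFIXES:
            report.encrypted_count += 1
            report.suspect_extensions[path.suffix.lower() or "<none>"] += 1
            report.first_seen = mtime if report.first_seen is None else min(report.first_seen, mtime)
            report.last_seen = mtime if report.last_seen is None else max(report.last_seen, mtime)
        elif len(data) <= NOTE_MAX_BYTES and ent < 6.0 and NOTE_BODY_RE.search(data):
            report.ransom_notes.append(path.relative_to(base).as_posix())
    return report


def build_constructed_sample(root: str | os.PathLike) -> None:
    """Populate `root` with a CONSTRUCTED fixture (not data from a real incident):
    three 'encrypted' files of seeded random bytes, one ransom note, two untouched
    documents and one healthy archive, with mtimes set to a known timeline."""
    rng = random.Random(1234)
    base = Path(root)
    (base / "docs").mkdir(parents=True, exist_ok=True)

    def noise() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(4096))

    t0 = int(datetime(2024, 3, 10, 2, 15, tzinfo=timezone.utc).timestamp())
    day = 86400
    files = [
        ("docs/budget.xlsx.locked", noise(), t0),            # first file encrypted
        ("docs/plan.docx.locked", noise(), t0 + 120),
        ("photo.jpg.locked", noise(), t0 + 1500),            # last file encrypted
        ("docs/HOW_TO_DECRYPT_FILES.txt",
         b"Your files are encrypted. Contact us to buy the decryption key.\n" * 20, t0 + 1800),
        ("notes.txt", b"quarterly planning notes\n" * 50, t0 - 30 * day),
        ("docs/readme.md", b"# Project\nInternal docs.\n" * 40, t0 - 60 * day),
        ("archive.zip", noise(), t0 - 10 * day),             # high-entropy but healthy
    ]
    for rel, data, mtime in files:
        target = base / rel
        target.write_bytes(data)
        os.utime(target, (mtime, mtime))


def triage_constructed_sample() -> TriageReport:
    """Build the fixture in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return triage(tmp)


if __name__ == "__main__":
    r = triage_constructed_sample()
    print(f"{r.encrypted_count} likely-encrypted files, extensions {dict(r.suspect_extensions)}")
    print(f"ransom note candidates: {r.ransom_notes}")
    print(f"encryption window (UTC): {r.first_seen} .. {r.last_seen}")
```

Run it against a copy of the affected share rather than the live disk of the infected host, and treat the output as a lead: a legitimately compressed file can look encrypted and an ordinary document that mentions "encrypted" can look like a note, so confirm the candidates by eye before uploading them. The first_seen value is what you will need later when choosing which backup to restore from.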
Report
Report to the authorities so they can support and coordinate measures to counter the attack.
You'll be doing everyone a favor by reporting all ransomware attacks to the authorities. The FBI urges ransomware victims to report ransomware incidents regardless of the outcome. Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases. Knowing more about victims and their experiences with ransomware will help the FBI to determine who is behind the attacks and how they are identifying or targeting victims.
You can file a report with the FBI at the Internet Crime Complaint Center.
There are other ways to report ransomware as well; outside the US, your national CERT or cybercrime unit is the equivalent channel.
Determine Your Options
You have a number of ways to deal with the infection. Determine which approach is best for you.
Your options when infected with ransomware are:
- Pay the ransom
- Try to remove the malware
- Wipe the system(s) and reinstall from scratch
It's generally considered a bad idea to pay the ransom. Paying funds and encourages more ransomware, and in many cases the promised decryption fails or is incomplete.
In a recent survey, more than three-quarters of respondents (77%) said their organization is not at all likely to pay a ransom to recover its data. Only a small minority said they were willing to pay some ransom, and 3% of companies had already set up a Bitcoin account in preparation.
Even if you decide to pay, it's very possible you won't get back your data.
That leaves two other options: removing the malware and selectively restoring your system or wiping everything and installing from scratch.
Restore And Refresh
Use safe backups and program and software sources to restore your computer or outfit a new platform.
You have the choice of trying to remove the malware from your systems or wiping your systems and reinstalling from safe backups and clean OS and application sources.
Get Rid of the Infection
There are internet sites and software packages that claim to be able to remove ransomware from systems, and the No More Ransom! Project publishes free decryptors for some strains. Other options can be found as well.
Whether you can successfully and completely remove an infection is up for debate. A working decryptor doesn't exist for every known ransomware, and unfortunately, it's true that the newer the ransomware, the more sophisticated it's likely to be and the less time the good guys have had to develop a decryptor.
It's Best to Wipe all Systems Completely
The surest way of being certain that malware or ransomware has been removed from a system is to do a complete wipe of all storage devices and reinstall everything from scratch. Formatting the disks ensures that no remnants of the malware remain on that system, but it does not undo what the attacker did elsewhere: reset every credential that was used on or stored by the infected hosts, and review accounts and remote-access configuration before reconnecting them.
If you've been following a sound backup strategy, you should have copies of all your documents, media, and important files right up to the time of the infection. Check that those copies were actually beyond the ransomware's reach: a backup on a share mounted from an infected host may have been encrypted along with everything else.
Be sure to determine the date of infection as well as you can from malware file dates, messages, and other information you have uncovered about how your particular malware operates. Consider that an infection might have been dormant in your system for a while before it activated and made significant changes to your system. Identifying and learning about the particular malware that attacked your systems will enable you to understand how that malware functions and what your best strategy should be for restoring your systems.
Select a backup or backups that were made prior to the date of the initial ransomware infection.
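The choice of restore point follows directly from the two points above: the backup must predate the first encrypted file by enough margin to exclude a dormant payload, and it must be a copy the malware could not have reached. The Python below is an added example (not from the article) that encodes that decision. It assumes the earliest encryption timestamp came from triage of the infected hosts, uses a constructed backup catalogue, and treats the seven-day dormancy margin as an assumed value rather than a rule; adjust it to what you learned about the strain.

```python
"""Choose the restore point after a ransomware incident.

Inputs: the earliest time an encrypted file was written on the victim hosts
(from triage) and the backup catalogue. Output: the newest backup that predates
the infection by a dormancy margin, preferring copies the malware could not
have reached, plus a reason for every backup that was passed over.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Backup:
    label: str
    taken_at: datetime
    offline: bool  # tape, object-locked or disconnected copy: cannot be encrypted in place


@dataclass
class RestoreDecision:
    chosen: Optional[Backup]
    needs_verification: bool                        # True when only an online copy qualified
    rejected: dict = field(default_factory=dict)    # label -> reason it was passed over


def select_restore_point(backups, first_encrypted_at, dormancy=timedelta(days=7)):
    """Newest backup older than (first_encrypted_at - dormancy); offline copies preferred."""
    cutoff = first_encrypted_at - dormancy
    preferred, fallback, rejected = [], [], {}
    for b in backups:
        if b.taken_at >= first_encrypted_at:
            rejected[b.label] = "taken after encryption began; contains encrypted files"
        elif b.taken_at > cutoff:
            rejected[b.label] = f"inside the {dormancy.days}-day dormancy margin; may carry the dormant payload"
        elif b.offline:
            preferred.append(b)
        else:
            fallback.append(b)

    def newest(items):
        return max(items, key=lambda b: b.taken_at)

    if preferred:
        for b in fallback:
            rejected[b.label] = "online copy passed over in favour of an offline one"
        return RestoreDecision(newest(preferred), False, rejected)
    if fallback:
        # The backup target was reachable from the infected host, so inspect its
        # contents (extensions, entropy) before trusting it.
        return RestoreDecision(newest(fallback), True, rejected)
    return RestoreDecision(None, False, rejected)


# CONSTRUCTED value standing in for the first_seen time reported by triage.
INFECTION_START = datetime(2024, 3, 10, 2, 15, tzinfo=timezone.utc)


def constructed_catalogue() -> list[Backup]:
    """CONSTRUCTED backup catalogue for the example, not a real environment."""
    utc = timezone.utc
    return [
        Backup("tape-weekly-2024-02-25", datetime(2024, 2, 25, 1, 0, tzinfo=utc), offline=True),
        Backup("nas-nightly-2024-03-02", datetime(2024, 3, 2, 1, 0, tzinfo=utc), offline=False),
        Backup("tape-weekly-2024-03-03", datetime(2024, 3, 3, 1, 0, tzinfo=utc), offline=True),
        Backup("nas-nightly-2024-03-08", datetime(2024, 3, 8, 1, 0, tzinfo=utc), offline=False),
        Backup("nas-nightly-2024-03-10", datetime(2024, 3, 10, 3, 0, tzinfo=utc), offline=False),
    ]


if __name__ == "__main__":
    decision = select_restore_point(constructed_catalogue(), INFECTION_START)
    print("restore from:", decision.chosen.label if decision.chosen else None,
          "(verify first)" if decision.needs_verification else "")
    for label, why in decision.rejected.items():
        print(f"  skipped {label}: {why}")
```

With the constructed catalogue the nightly NAS copy from the morning of the attack and the one from two days earlier are rejected, and the weekly tape from 3 March wins over the 2 March NAS copy even though both predate the cutoff, because the tape could not have been touched from the infected host. If only online copies qualify, the function still returns the newest of them but flags it for verification; that is the point at which you weigh a few more days of data loss against the risk of restoring a tampered backup.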
System restores are not the best strategy for dealing with ransomware and malware.
You might be tempted to use a System Restore point to get your system back up and running. System Restore is not a good solution for removing viruses or other malware. Since malicious software is typically buried within all kinds of places on a system, you can't rely on System Restore being able to root out all parts of the malware. Also, System Restore does not save old copies of your personal files as part of its snapshot. It also will not delete or replace any of your personal files when you perform a restoration, so don't count on System Restore as working like a backup. You should always have a good backup procedure in place for all your personal files.
Plan to Prevent Recurrence
Make an assessment of how the infection occurred and what you can do to put measures into place that will prevent it from happening again.
A ransomware attack can be devastating for a home or a business. Valuable and irreplaceable files can be lost and tens or even hundreds of hours of effort can be required to get rid of the infection and get systems working again.
Ransomware attacks continue to evolve and attack methods get more sophisticated all the time. You don't have to be part of the statistics. With good planning and smart practices, you can prevent ransomware from affecting your systems.
Know How Ransomware Enters Your Workplace and Computers
To be prepared, you need to know how ransomware can enter your system. These methods of gaining access to your systems are known as attack vectors.
Attack vectors can be divided into two types: human attack vectors and machine attack vectors.