You've read a thousand and one articles about how to protect your network from every threat imaginable. Yet despite all precautions, an infection can still get into the company. It's time to keep your cool and take quick, decisive action. Whether the incident becomes a major headache for the company or a feather in your cap depends on how you respond.
Document all of your actions as you work through the recovery process, to ensure transparency in the eyes of both employees and the general public. Also preserve whatever evidence of the ransomware you can, in case other malicious tools later turn out to be targeting your systems: archive logs and any other malware traces that may be useful in a later investigation.
Locate and Isolate
The first step is to work out how far the infection has spread. Has the malware hit the whole network? Has it reached more than one office?
To reduce contamination, start by searching for infected computers and network segments in the corporate infrastructure and isolating them from the rest of the network.
If the organisation has only a small number of computers, start with antivirus, EDR, and firewall logs. In very small deployments you can even walk physically from machine to machine and scan each one.
If a large number of machines is involved, turn to the SIEM system's events and logs instead. This won't spare you all the legwork later, but it's a good place to start when sketching out the big picture.
Once infected machines are isolated from the network, create disk images of them and, if possible, leave them untouched until the investigation is complete. (If the organisation can't afford the downtime, create the images anyway, and keep a memory dump for the investigation.)
Analyze and Act
After sweeping the perimeter, you'll have a list of devices with encrypted drives, along with images of those drives. They've all been disconnected from the network and are no longer a threat. You could start recovery right away, but first make sure the rest of the network is safe.
Now is the time to investigate the malware, determine how it entered the system, and find out which groups typically use it; in other words, to begin the threat-hunting process. Ransomware doesn't just appear: it was installed by a dropper, RAT, Trojan loader, or something similar. You need to find out what that was.
Launch a separate, independent investigation to do this. Examine the logs to see which machine was hit first and why that computer was unable to stop the attack.
Based on the investigation's findings, remove any stealthy malware remaining on the network and, if necessary, resume business operations. Then determine what could have prevented the attack: in terms of security applications, what was missing? Fill in those gaps.
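As an added example (not code from the original article), the triage below runs the locate-and-isolate step and the "which machine was hit first" check over constructed SIEM-style log lines. The log format, event names, host names and the /24 segment assumption are all my own; adapt the regex and event sets to your SIEM's normalised fields.

```python
import re
from datetime import datetime
from ipaddress import ip_network

# Constructed sample events (not real telemetry), as a SIEM might normalise
# antivirus (av), EDR (edr) and firewall (fw) sources into key=value lines.
SAMPLE_LOGS = """\
2024-03-11T08:02:13Z src=edr host=WS-042 ip=10.10.1.42 event=suspicious_child proc=winword.exe->powershell.exe
2024-03-11T08:05:40Z src=fw  host=WS-042 ip=10.10.1.42 event=smb_scan dst=10.10.1.0/24
2024-03-11T08:09:02Z src=av  host=FS-01  ip=10.10.1.20 event=ransomware_behavior detail=mass_rename_.locked
2024-03-11T08:09:55Z src=edr host=WS-042 ip=10.10.1.42 event=ransom_note_created path=C:\\Users\\Public\\README.txt
2024-03-11T08:15:30Z src=edr host=WS-118 ip=10.20.3.118 event=ransomware_behavior detail=mass_rename_.locked
2024-03-11T08:16:01Z src=edr host=WS-077 ip=10.10.1.77 event=suspicious_child proc=outlook.exe->cmd.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\w+)\s+host=(?P<host>\S+)\s+ip=(?P<ip>\S+)\s+event=(?P<event>\w+)")

# Hypothetical event names: evidence of encryption already under way vs. precursor
# activity (dropper/loader behaviour) that deserves hunting even without encryption.
INFECTION_EVENTS = {"ransomware_behavior", "ransom_note_created", "av_detection"}
PRECURSOR_EVENTS = {"suspicious_child", "smb_scan"}

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return d

def segment(ip):
    # Assumes /24 network segments; change to match your addressing plan.
    return str(ip_network(f"{ip}/24", strict=False))

def triage(log_text):
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    infected = {e["host"]: e["ip"] for e in events if e["event"] in INFECTION_EVENTS}
    segs = sorted({segment(ip) for ip in infected.values()})
    # Patient zero: the earliest host showing precursor or infection activity.
    relevant = sorted((e for e in events if e["event"] in INFECTION_EVENTS | PRECURSOR_EVENTS),
                      key=lambda e: e["ts"])
    first = relevant[0] if relevant else None
    return {
        "isolate": sorted(infected),                 # hosts to cut off and image now
        "segments": segs,                            # affected network segments
        "multi_segment": len(segs) > 1,              # has it spread beyond one segment?
        "patient_zero": first["host"] if first else None,
        "first_event": first["event"] if first else None,
        # precursor activity on hosts not yet encrypting: hunt these next
        "hunt": sorted({e["host"] for e in events if e["event"] in PRECURSOR_EVENTS} - set(infected)),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```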
After that, notify employees about what happened, brief them on how to spot and avoid similar traps, and inform them that training will be provided.
Finally, make sure to install updates and patches on a regular basis from now on. IT administrators must prioritise updates and patch management, because malware frequently gets in through vulnerabilities for which patches are already available.
Clean up and Restore
You've taken care of the network threat as well as the hole through which it entered. Now turn your attention to the machines that are out of commission. If they're no longer needed for the investigation, format the drives and restore the data from the most recent clean backup.
If you don't have a backup, however, you'll have to try to decrypt whatever is on the drives. Start by visiting Kaspersky's No Ransom website, where a decryptor for the ransomware you encountered might already exist; if it doesn't, contact your cybersecurity vendor to see whether assistance is available. In either case, do not delete the encrypted files. New decryptors appear regularly, and one might turn up tomorrow; it wouldn't be the first time.
Don't pay up, regardless of the circumstances. You'd be supporting illegal activity, and the chances of your data being decrypted are slim to none. Besides encrypting your data, the attackers may also have stolen it for extortion. Finally, rewarding opportunistic cybercriminals only encourages them to demand more. In some cases, the intruders have returned a few months later to demand more money, threatening to publish everything until they got it.
In general, treat any leaked data as public information and be ready to deal with the fallout. Sooner or later you'll have to discuss the incident with staff, owners, government agencies and, probably, journalists. Honesty and openness are critical and will be appreciated.
Take preventive measures
A major cyberattack still means big trouble, and the only real cure is prevention. Prepare in advance for what could go wrong:
Secure all network endpoints (including smartphones) with dependable security software.
Segment the network and install well-configured firewalls; better still, use a next-generation firewall (NGFW) or a similar product that collects data about new threats automatically.
Look for effective threat-hunting software in addition to antivirus.
Install a SIEM system (for large businesses) to receive immediate alerts.
Educate staff about cybersecurity with daily interactive workshops.