Have you become infected with ransomware? And if so, what steps are you taking to contain the infection? Be aware, be prepared, and minimise damage to your organisation.
At AssureStor we have seen first-hand the damage that ransomware attacks can cause. Supporting organisations through the restoration process has given us a unique view of the entire ransomware attack story, from infection through to recovery. We’re using our experience to share a series of ransomware basics blog posts, giving you the knowledge you need to understand and defend your organisation against attack. In our previous ransomware basics post we took you through some well-known varieties of ransomware attack, and how businesses most commonly become infected.
In this second ransomware basics blog post, we’ll give you advice on how to check if you are infected, and explain what you can do to contain infections.
Ransomware Basics: Are You Infected?
A key element of IT security is people. Your users can be a security burden if they are unaware of the security risks that they face. However, they can also become a security asset if they are educated, diligent, and aware.
Your users should look out for the following four symptoms of ransomware attacks. If any of them arise, they should notify you immediately: –
- A user suddenly cannot open normal files, and receives errors such as that the file is corrupted or has the wrong extension.
- A window has opened to a ransomware program that cannot be closed. The program will often contain instructions for removing a ransomware infection, which invariably includes the payment of a ransom.
- A user is notified that there is a time limit for paying to recover encrypted files. At the end of this time limit, the ransom will increase or the files will become unrecoverable.
- You see files in all directories with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML.
These symptoms clearly suggest a ransomware attack. If you or one of your users see them, you will need to act quickly to contain the infection.
Containing a Ransomware Infection
If the worst case scenario happens and your organisation becomes infected with ransomware, there are five steps that you should take to contain the infection. Following these steps will help you to minimise the impact of the infection financially, operationally, and reputationally.
- Remove the virus from the network. You need to prevent the virus from spreading through the network, and the best way to achieve this is to remove it completely. You may even need to remove network access from the entire organisation until the virus is contained.
- Reset your BIOS time. If you set your BIOS time back, you can buy yourself time when dealing with ransomware that gives you a countdown timer before files will become unrecoverable, or the ransom increases.
- Recover previous versions from backups. Your key weapon against ransomware infections is backup or disaster recovery technology that offers you a recent roll-back point. Make sure that you roll-back to the most recent point before the files became infected; rolling back a week or more will obviously mean that you lose several days of work.
- Stay up-to-date with the latest ransomware threats. Ransomware varieties are evolving all the time. You need to stay up-to-date with the latest forms of ransomware to give yourself the best chance of fighting them.
- Don’t pay the ransom. Ransomware is serious crime, and by paying ransomware demands you can be unwittingly supporting other forms of organised crime. We would never advocate paying a ransomware demand.
Protect Yourself and Your Organisation
In this second ransomware basics blog post, we have given you a list of some of the key symptoms of a ransomware attack. We have also provided steps to contain a ransomware infection once it has been identified. If there are two key take homes, they are user education, and effective backup and disaster recovery. Ransomware attacks are often spread through phishing emails, and having security aware users will go a long way towards preventing infection in the first place.
But if you do become infected, having roll-back points through regular backups will allow you to minimise downtime and data loss, and avoid paying ransoms to cybercriminals. If you would like to discuss your organisation’s preparedness for ransomware attack, feel free to get in touch.