Responding to Ransomware

So you get to your desk, expecting a regular Monday morning, coffee in hand, ready for the heap of emails that piled up over the weekend, when you realize you can’t access your files, your desktop background has changed, and suddenly you have the urge to look up the Bitcoin to USD exchange rate. Yup, that’s about what you can expect from ransomware.

If you are not familiar with what ransomware is, here’s the brief rundown.

What is Ransomware?

It’s a form of malware that uses your data as leverage to get you to pay a sum of money, hence the name. The malicious software encrypts the files on your computer (not necessarily ALL of them, but definitely the ones you care about: documents, databases, file shares), drops a ransom note next to the encrypted files and/or changes your desktop background to a message with instructions on how and where to send the payment.

The bad guy hopes you either open the note, which has a name like readme.txt or unlockme.txt, or notice the new background with the message printed on it. The message will usually say something about the super complex algorithm used to encrypt your data, warn that any attempt to recover the files on your own will get them deleted, and give a Bitcoin wallet address where you can send your life savings to get your data back. They will even offer to decrypt one or two files for free to prove that they really can. Wow, what customer service!

“Now I know what ransomware is, but what do I do about it, how did I get here, and why did it have to happen on a Monday?” First, let’s start off with how we got here, because the fact that it’s Monday is no coincidence.

Ransomware makes its way onto your system just like any other malware. It could be that you mistyped a URL, landed on the wrong website and clicked the wrong download link. It could be an email with a malicious link or a bad attachment. Or it could be that a computer or server was exposed to the Internet in a way it shouldn’t be: VPN access without multi-factor authentication, Remote Desktop Protocol (RDP) open to the Internet, and similar issues leave you open to password guessing, which succeeds all too often. Any of these can be the entry point the bad guys use to infect you with ransomware.

“But why now? It was working just fine when I left the office on Friday!” The thing about ransomware, or any other time your computer is exposed to the bad guys, is that they don’t always act right away. They know when business hours are, and they know people aren’t likely to be in the office on nights, weekends and holidays, so they stay under the radar until the time is right. They need time to move around the environment, learn what they can and can’t get into, and reach as many systems as possible without a pesky administrator noticing strange RDP sessions. Encrypting a full server environment also takes time, and with no one around to notice, they can inflict the maximum amount of damage.

If you haven’t figured it out yet, ransomware doesn’t necessarily stick to one computer. It spreads and encrypts as much data as possible so that you have no choice but to pay. If your computer is on the same network as other computers or the corporate servers, chances are you aren’t the only one infected. Attackers use several methods to increase their footprint: RDP, PowerShell, SMB file shares and more. Once they have a foothold on one machine, they can often harvest the credentials of an administrator account that has logged on there and then go wherever they please. This is why network segmentation, and keeping administrator accounts off ordinary workstations, is so important for a business. The city of Atlanta served as an unfortunate example of how an attack can spread and inflict catastrophic damage.

Well, Now What?

“So now what? My files are gone, and I have to pay thousands of dollars to get my data back. What do I do?”

The first thing you need to do is lock down the environment. Exactly how varies with your environment and is a bit beyond the scope of this article, but the key points are to make sure the ransomware can’t spread any further, to disconnect infected machines from the network, and to cut off whatever remote access the attackers are using (that exposed RDP service, the VPN account without a second factor) so that no more unwanted access can occur. Disable or reset any accounts the attackers are known or suspected to have used, administrator accounts first.

You also need to find out how the ransomware got in. This is by far the most important piece. If you work all night restoring backups, get your systems back online and your users happy, the last thing you want is to have it all start over before you’ve even put the pieces back together. What this entails will differ for every situation, but if you’ve read this far, odds are you have a clue about where the breach point in your environment is. Until you know, treat every system the attackers could reach as compromised.

“We’re in lockdown mode. Now how do I get my data back?” The bad news is that most ransomware variants have no known way to recover your data without paying the ransom, and even if you decide to pay, there’s no guarantee of a successful outcome. That said, depending on the variant you have, there are tools that may be able to decrypt your data. Avast and Emsisoft both maintain libraries of decrypters that might help, so identify the variant first (the ransom note and the extension added to encrypted files are the usual clues). If you’re fortunate enough to be in that boat, that is your best bet for recovering your data, and you should celebrate. If you’re not, keep a copy of the encrypted files and the ransom note anyway; decrypters for a given family sometimes appear later.

If not, backups are your answer. More often than not, restoring from a clean backup is the quickest, most efficient way to get up and running. If you’re reading this and haven’t been infected yet, verify your backups and test a restore! Sure, the building getting hit by a tornado is unlikely, but devastating malware like this happens all too often. Backups! Backups! Backups! Okay, you get the point. A basic “3-2-1” backup strategy is a great place to start: three copies of your data, on two different types of media, with one copy off site. Since ransomware goes after anything it can reach, including mapped backup drives and shares, at least one of those copies should be offline or otherwise not writable from the network. It’s a great start to a more robust plan that lets you sleep at night.

The key thing to remember is that, if you have not yet pinpointed the source of the breach, you need to be careful with your backups. If a backup of a server contains the same backdoor, rogue account or scheduled task that let the attacker in the first time, restoring it just sets up round two. It’s a good idea to keep a copy of your backups offline, just in case you need to start over, and to restore data rather than whole system images from the period the attackers may have had access. This is another reason it’s crucial to know where the security holes are that let this happen and to lock them down. Bleeping Computer wrote up a good example of a recurrence that was not nearly as devastating as it could have been because of backups in place.

Ransomware Prevention

So, you’ve restored your backups, tightened up security, and work can finally resume. How do you prevent this in the future? Well, we’ve hinted at it not so subtly already, but here’s a review:

  • Don’t fall for phishing attacks. Make certain every user on your network receives regular training on how to spot phishing and other social engineering attacks. Regular phishing exercises work well to educate employees. You can have a company like Sikich conduct a phishing campaign, or register for a phishing service, such as Phishline or Phishme, that you configure and manage yourself.
  • Stop exposing RDP to the Internet. It’s not secure on its own, so put it behind a VPN and restrict which accounts are allowed to log on remotely.
  • Make VPN users use multi-factor authentication. Again, exposing your network to the Internet behind just a username and password doesn’t cut it. Add a second factor.
  • Implement log alerting. Alerting on administrator logins during odd hours, repeated failed password attempts, PowerShell starting, and new service installations is a great place to start. There is plenty more to watch for, but these alone will put you ahead of the game.
  • Increase logging retention periods. The default logging settings are NOT enough for a corporate network. At its default maximum size (only 20 MB on many Windows versions), the Security log on a busy server can roll over before the weekend is out and, as you’ve read, that’s where the action often is. Increase the log size, and better yet forward logs to a central collector, so that in a worst-case scenario you can still see what happened and how it all started.
  • Use password managers. Breaches occur every day, whether you hear about them or not. If your corporate password is the same as your other passwords, one breached site gives attackers a way in. There are several password manager options out there; do some research to determine which one fits you best and stick with it. Using one might seem inconvenient at first, but it becomes second nature in no time.
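Putting the two logging items together, here is an added example (written for this article, not a Sikich tool or code from the original post) of a PowerShell script that checks how far back the Windows event logs actually reach and then pulls the four alert conditions above out of them: off-hours administrator logons (event 4624), repeated failed logons (4625), PowerShell engine starts (event 400 in the classic Windows PowerShell log) and service installations (7045). The administrator account list, the business-hours window and the failed-logon threshold are placeholders you must set for your environment; the event IDs and field names are standard Windows ones.

```powershell
# Added example (not from the original article): a first-pass event log review
# for the alert conditions above. Run in an elevated PowerShell session on the
# server you want to review.
#
# ASSUMPTIONS to adjust for your environment:
$LookbackDays   = 3                                            # how far back to look (covers a weekend)
$AdminAccounts  = @('Administrator', 'itadmin', 'svc_backup')  # placeholder names of privileged accounts
$BusinessStart  = 7                                            # business hours start (07:00)
$BusinessEnd    = 19                                           # business hours end (19:00)
$FailedLogonMax = 10                                           # failures from one source before we alert

$Since = (Get-Date).AddDays(-$LookbackDays)

# Pull one named <Data Name="..."> field out of an event's EventData section.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Nights and weekends, per the window above.
function Test-OffHours {
    param([datetime]$Time)
    ($Time.DayOfWeek.ToString() -in @('Saturday', 'Sunday')) -or
        ($Time.Hour -lt $BusinessStart) -or ($Time.Hour -ge $BusinessEnd)
}

# 1. Administrator logins at strange hours: successful logons (4624) at the console
#    (LogonType 2) or over RDP (LogonType 10) by a listed admin account or the
#    built-in Administrator (RID 500), outside business hours.
function Get-OffHoursAdminLogons {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $user = Get-EventField $_ 'TargetUserName'
            $sid  = Get-EventField $_ 'TargetUserSid'
            $type = Get-EventField $_ 'LogonType'
            if (($type -in @('2', '10')) -and
                ($user -in $AdminAccounts -or $sid -like '*-500') -and
                (Test-OffHours $_.TimeCreated)) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    User      = $user
                    LogonType = $type
                    Source    = Get-EventField $_ 'IpAddress'
                }
            }
        }
}

# 2. Password guessing: failed logons (4625) grouped by source address. Failures
#    through RDP with Network Level Authentication can log the source as "-".
function Get-PasswordGuessing {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventField $_ 'IpAddress' } |
        Group-Object |
        Where-Object { $_.Count -ge $FailedLogonMax } |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count
}

# 3. PowerShell starting: event 400 ("Engine state is changed from None to Available")
#    in the classic Windows PowerShell log, which is on by default. The
#    HostApplication line in the message tells you what launched it.
function Get-PowerShellStarts {
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'HostApplication'; e = {
            ($_.Message -split '\r?\n' | Where-Object { $_ -like '*HostApplication=*' }) -replace '^\s*HostApplication=', ''
        } }
}

# 4. Service installations: 7045 in the System log. Attacker tooling often installs
#    itself as a service; look at ImagePath for anything you don't recognize.
function Get-ServiceInstalls {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Service   = Get-EventField $_ 'ServiceName'
                ImagePath = Get-EventField $_ 'ImagePath'
                Account   = Get-EventField $_ 'AccountName'
            }
        }
}

# 5. Retention: how big each log may get and how far back it actually reaches.
#    If OldestRecord is newer than $Since, the log rolled over inside the lookback window.
function Get-LogRetentionStatus {
    Get-WinEvent -ListLog 'Security', 'System', 'Windows PowerShell' |
        Select-Object LogName,
            @{ n = 'MaxMB'; e = { [int]($_.MaximumSizeInBytes / 1MB) } },
            LogMode,
            RecordCount,
            @{ n = 'OldestRecord'; e = {
                (Get-WinEvent -LogName $_.LogName -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue).TimeCreated
            } }
}

'== Log retention ==';            Get-LogRetentionStatus  | Format-Table -AutoSize
'== Off-hours admin logons ==';   Get-OffHoursAdminLogons | Format-Table -AutoSize
'== Failed logons by source =='; Get-PasswordGuessing    | Format-Table -AutoSize
'== PowerShell engine starts =='; Get-PowerShellStarts    | Format-Table -AutoSize
'== Service installations ==';    Get-ServiceInstalls     | Format-Table -AutoSize

# To raise the Security log to 1 GB (the setting persists in the registry):
#   wevtutil sl Security /ms:1073741824
```

Run it before you need it: if the retention table shows the Security log's oldest record is only a few hours old, you already know that a weekend intrusion would be gone from the log by Monday. Process creation (4688) and PowerShell script block logging (4104 in Microsoft-Windows-PowerShell/Operational) give much better detail than event 400 but have to be switched on through audit policy or Group Policy first, so they are left out of the first pass here.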

Now you’ve learned what ransomware is, what it can do, and what you should do before and after it occurs. The specific steps can sometimes be daunting. If you’re reading this as an administrator and know exactly what to do, that’s great. If you feel overwhelmed and don’t know where to start, strongly consider hiring a professional to assist you. You may not need someone to completely revamp your environment, but you don’t want to leave a security hole open that’s going to cost you big in the long run. Sikich’s cybersecurity services can help you every step of the way, or just where you think you need an outside set of eyes. Don’t run the risk when you don’t have to.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author