So, you get a call that a customer has been hit by Ransomware, what do you do? This post is designed to help you to create your own set of procedures so that you and your colleagues know what to do and in what order should a client get hit by Ransomware.
As MSPs and their customers have a plethora of different software solutions, server infrastructure and backup capabilities, I will try to take a broad overview of most of them. Feel free to get in touch if you’re looking for any advice on the solutions that I use.
Step 1 – The Call & Identification
Assuming that there are no proactive ransomware monitoring solutions in place, the customer is likely to call to inform you that they can’t open certain files (They don’t always know that it’s ransomware). Checking the file/folder location(s) described by the client, you can normally tell Ransomware from a mile away. Here are some of the main ways to detect the files are encrypted:
- email address inserted into every file name
- filename extension/icon unrecognizable
- ‘Open With’ dialog box showing up for client when trying to open files
Step 2 – Isolation & Remediation
Depending on your setup as an MSP and on your client and their technology, isolating the infected machine can vary in difficulty and time. Here are a few methods that you can use:
- Disconnect every PC/Laptop from the network (Wi-Fi and Cable)
- Check your AV logs for any devices showing Ransomware
- Disconnect the backup drives (if applicable) to stop drives from becoming encrypted
- VLAN Devices – You could isolate servers/workstations by using VLANs to segregate devices
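To show the "check your AV logs" step in practice, here is an added example (my own illustration, not code from the original post or from BitDefender). It parses a handful of constructed log lines, keeps only detections whose name looks like ransomware, and ranks the hosts so the ones to pull off the network first come out on top: hosts where the detection was not contained, then by earliest sighting (the earliest host is also the one to ask about that suspicious email). The key=value log layout and the ransomware keyword list are assumptions for the example; adapt both to your own product's export format.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from a real incident). The key=value layout
# is an assumption for this example, not any vendor's real export format.
SAMPLE_LOG = """\
2024-03-04T09:12:31Z host=FIN-PC02 user=jsmith threat=Ransom.Generic.Crypt action=detected path=C:\\Users\\jsmith\\Downloads\\invoice.js
2024-03-04T09:13:05Z host=FIN-PC02 user=jsmith threat=Ransom.Generic.Crypt action=quarantine_failed path=C:\\Users\\jsmith\\AppData\\Local\\Temp\\svc.exe
2024-03-04T09:20:44Z host=SALES-LT07 user=akhan threat=Trojan.GenericKD action=quarantined path=C:\\Users\\akhan\\Downloads\\setup.exe
2024-03-04T09:41:10Z host=FS01 user=SYSTEM threat=Ransom.FileCoder.Locky action=blocked path=D:\\Shares\\Finance\\budget.xlsx
2024-03-04T09:42:02Z host=HR-PC01 user=mlee threat=Ransom.FileCoder.Locky action=detected path=C:\\Users\\mlee\\Documents\\policy.docx
2024-03-04T09:50:00Z host=SALES-LT07 user=akhan threat=Adware.Generic action=quarantined path=C:\\Users\\akhan\\Downloads\\toolbar.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
# Substrings that mark a detection name as ransomware (assumption; extend as needed).
RANSOM_HINTS = ("ransom", "filecoder", "crypt", "locker")
# Actions that mean the AV already dealt with the file; anything else is still live.
CONTAINED_ACTIONS = {"quarantined", "blocked", "deleted"}


def parse_line(line):
    """Parse one log line into a dict of fields, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Values may contain spaces (paths), so split on " key=" boundaries, not on whitespace.
    fields = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", m.group("kv")))
    try:
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return fields if {"host", "threat", "action"} <= fields.keys() else None


def is_ransomware(threat_name):
    name = threat_name.lower()
    return any(hint in name for hint in RANSOM_HINTS)


def triage(log_text):
    """Return [(host, first_seen, still_active, hits)] for hosts with ransomware
    detections, ordered so the hosts to isolate first come first: uncontained
    detections before contained ones, then by earliest sighting."""
    per_host = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not is_ransomware(ev["threat"]):
            continue
        entry = per_host.setdefault(
            ev["host"], {"first_seen": ev["ts"], "active": False, "hits": 0}
        )
        entry["first_seen"] = min(entry["first_seen"], ev["ts"])
        entry["hits"] += 1
        if ev["action"] not in CONTAINED_ACTIONS:
            entry["active"] = True
    ranked = sorted(
        per_host.items(), key=lambda kv: (not kv[1]["active"], kv[1]["first_seen"])
    )
    return [(h, e["first_seen"], e["active"], e["hits"]) for h, e in ranked]


if __name__ == "__main__":
    for host, first_seen, active, hits in triage(SAMPLE_LOG):
        state = "ISOLATE NOW" if active else "contained"
        print(f"{host:12} first seen {first_seen:%H:%M:%S}  {hits} hit(s)  {state}")
```

On the sample data FIN-PC02 comes out first (earliest sighting and a failed quarantine), HR-PC01 second, and the file server FS01 last because its detection was blocked; SALES-LT07 is not listed at all, since a generic trojan and adware are not what we are hunting in this step.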
One of the easiest things to do in this scenario is to just ask. Many times I’ve simply asked clients if anybody has found anything suspicious on their machines or clicked on any emails that they weren’t sure about. It can be important to explain that it’s not a blame game; it’s simply about clearing the infected machine to prevent any further spread.
I use BitDefender and there are features such as EDR Sensor, Hyper-Detect and Sandboxing at an additional charge which will help to isolate machines, find the root cause of attacks and pre-screen them prior to execution. This is a great set of tools to have at your disposal.
I’ll normally make a judgement call based on the client. If the client is small enough, it can be as simple as unplugging everything from the network and running around with Malwarebytes on a USB stick to clear the Ransomware.
Step 3 – Restore
Once you’re happy that the Ransomware has been cleared, it’s time to look at restoring data. In order to do this, we need to get a clear scope of what’s been hit. In Step 1, we look at finding files/extensions… I’d normally do a full network-wide search for a file extension that’s encrypted and restore their parent directories. Sometimes it’s a whole D:\ drive, other times the actual system files of servers/workstations are corrupt and you’ll possibly need to Bare-Metal Restore. It’s really a judgement call at this stage. Here are some restore methods:
- Local Backup (If not infected)
- Previous Versions/Shadow Copies
- Cloud Backup (Generally used if the local isn’t sufficient, cloud-based restores can take longer depending on the broadband speed of the client and the amount of data)
- BCDR is an option – Products like Datto/Acronis provide local and cloud-based virtualization in a matter of seconds prior to the Ransomware.
- Cloud Data – If OneDrive/SharePoint was hit, there is normally file-versioning and restore functionality that you can restore back from.
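The Step 1 indicators (an email address in every file name, an extension nobody recognizes) and the Step 3 "search the network for the encrypted extension and restore the parent directories" approach can be scripted. The following is an added example of my own, not code from the original post. It walks a share, flags files whose name carries an email address or whose extension is unfamiliar and appears on many files (one odd extension is probably legitimate; dozens are not), and collapses the hits into the smallest set of parent directories to restore. The allowlist of expected extensions, the hit threshold and the constructed demo share are assumptions; point `scan_tree` at a real share (or a mapped drive) and feed in any extension you already identified in Step 1 via `extra_extensions`.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions normally expected on a file server (assumption: extend this
# allowlist to match the customer's environment).
KNOWN_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".csv",
    ".jpg", ".jpeg", ".png", ".gif", ".zip", ".msg", ".eml", ".mdb", ".accdb",
    ".exe", ".dll", ".ini", ".log", ".xml", ".json", ".html", ".htm", ".bak",
}

# An e-mail address embedded in a file name, e.g. "q1.docx.[restore@example.invalid].locked"
EMAIL_IN_NAME = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def scan_tree(root, min_hits=3, extra_extensions=()):
    """Walk `root` and return (suspect_files, extension_counts, restore_dirs).

    A file is flagged when its name carries an e-mail address, or when its
    extension is not in KNOWN_EXTENSIONS and shows up on at least `min_hits`
    files. Extensions in `extra_extensions` (e.g. one already seen in Step 1)
    are always flagged. restore_dirs is the de-duplicated list of parent
    directories, with subfolders dropped when an ancestor is already listed.
    """
    root = Path(root)
    all_files = [p for p in root.rglob("*") if p.is_file()]
    counts = Counter(p.suffix.lower() for p in all_files)
    forced = {e.lower() for e in extra_extensions}

    def unfamiliar(ext):
        return bool(ext) and ext not in KNOWN_EXTENSIONS and counts[ext] >= min_hits

    suspects = [
        p for p in all_files
        if p.suffix.lower() in forced
        or unfamiliar(p.suffix.lower())
        or EMAIL_IN_NAME.search(p.name)
    ]

    # Shallowest directories first, so D:\Shares\Finance absorbs Finance\2023.
    candidates = sorted({p.parent for p in suspects}, key=lambda d: len(d.parts))
    restore_dirs = []
    for d in candidates:
        if not any(kept == d or kept in d.parents for kept in restore_dirs):
            restore_dirs.append(d)
    return suspects, counts, restore_dirs


def build_demo_share(base):
    """Create a constructed sample share (not real customer data) under `base`."""
    layout = [
        "Finance/2023/budget.xlsx.[restore@example.invalid].locked",
        "Finance/2023/q1.docx.[restore@example.invalid].locked",
        "Finance/invoices.pdf.[restore@example.invalid].locked",
        "HR/policy.docx",
        "HR/handbook.pdf",
        "Sales/deck.pptx.qwe7",
        "Sales/notes.txt.qwe7",
        "Sales/old/list.csv.qwe7",
        "Sales/readme.txt",
        "IT/config.weirdext",  # a single odd extension: should not be flagged
    ]
    for rel in layout:
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"sample")


def run_demo():
    """Build the demo share in a temp dir, scan it and return a summary dict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_share(tmp)
        suspects, counts, restore_dirs = scan_tree(tmp)
        return {
            "suspect_count": len(suspects),
            "qwe7_count": counts[".qwe7"],
            "restore_dirs": sorted(d.name for d in restore_dirs),
            "weirdext_flagged": any(p.suffix == ".weirdext" for p in suspects),
        }


if __name__ == "__main__":
    print(run_demo())
```

On the demo share the three `.locked` files are caught twice over (email in the name and an unfamiliar extension seen three times), the three `.qwe7` files are caught by extension count alone, the lone `.weirdext` file is left alone, and the restore list collapses to just `Finance` and `Sales` rather than four separate folders.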
Step 4 – Learn & Improve
Following a Ransomware attack, I will research the strain of Ransomware to find its usual methods of entry. Bleeping Computer is a great resource for this. Things to look for to secure a network can include:
- Closing down open ports on the router (RDP is a classic. Set up an L2TP w/IPSec PSK VPN and then internally RDP if required)
- Introduce Hardware Firewall (WatchGuard, Cisco, Sophos XG to name a few)
- Implement Strong Password/2FA policies
- Check File/Folder permissions are strict to limit the impact of any future issues
There is a project called ‘No More Ransom’ that allows you to upload an infected file and it will tell you if there are any solutions/decryptors and any steps to take.
I have personally had clients pay with BitCoins to get data back and they have received decryptors which have worked. From what I’ve read of other cases, I’m hearing that this is happening less often lately. I wouldn’t recommend paying in any case now; it’s far less expensive to pay for a robust BCDR solution.
You or your clients can subscribe to simulated attacks that can be used to teach clients on what not to click on. It’s a controlled attack without the risk of actual infection.
If there are any breaches in GDPR or Data Protection, you may need to report this to the ICO. Check out this assessment tool to determine if you need to report the incident.