Can You Contain and Eradicate Ransomware in Your System?

While there are many different types of disasters that can strike your company’s IT network, nothing is as frightening as a ransomware attack. Ransomware is a general term used for any kind of malicious software, or malware, that disrupts key systems until you pay off a ransom.

Ransomware may prevent the use of certain services, copy or delete key data, or cause other critical failures to occur that will keep your company from performing at peak efficiency.

Ideally, taking preventative measures is the best way to guard yourself against ransomware attacks. That said, sometimes even the best IT security networks are bypassed and infected with malware. Here are the top ransomware disaster recovery suggestions you should take to contain and eradicate ransomware in your system:

Tip 1: Ransomware Detection and Analysis

Many IT management preventive measures will reduce the risk of a ransomware attack, but how do you know if your IT systems are already infected? Ransomware typically pops up with a ransom demand after it has infected your system, but through careful monitoring, you can ideally detect ransomware and minimize the damage it will cause.

Here are some common signs of ransomware you should keep in mind when trying to detect ransomware early:

• Pay attention to your IT firewall, anti-virus scanners, and other network defenses.

• Investigate sustained and unexplained sudden spikes in CPU, disk, and network activity.

• Regularly monitor network communications with new or unrecognized servers.

• Malware often renames files in deceptive ways. Maintain a rule set for naming files, and investigate when you find a file that doesn’t fit your rules.

• Ransomware commonly disguises itself as common and innocuous files, such as word or photo documents. Investigate files with file extensions that are rare or don’t match.

Tip 2: Contain Compromised and Breached Systems

Once you have detected ransomware, your goal should be to isolate compromised servers and systems as soon as possible. Depending on the level of infection, you may be able to isolate subnets at a switch level or power down through onboard software. For more serious infections, you may be forced to physically power down devices by unplugging equipment.

As you contain and shut down compromised systems, it is highly recommended that you do so in a calm and careful manner. Start by taking a system image to capture the memory of affected devices. You should also collect relevant logs, malware binary precursors, and other pertinent files to aid in recovery efforts. 

Ideally, you will want to avoid letting those who infected your systems know that you have detected their malware infestation as long as possible. Use in-person or other forms of communication that don’t involve your infected networks. By doing so, you give your IT team more time to counteract ransomware before the malware escalates.

Tip 3: Preserve Evidence and Contact Law Enforcement

As soon as possible, make sure you contact federal law enforcement agencies and share whatever information they ask for, along with key evidence such as your window security logs, firewall data logs, and other system memory data. Depending on the ransomware attack, federal consultants may be able to provide you with the software to combat or break through the ransomware malware that has infected your IT systems.

There are other reasons to report ransomware attacks to federal agencies beyond just getting help. If your company is protected by ransomware insurance, many insurance groups require you to make a report before you can file a claim. Additionally, the software used for ransomware attacks are rarely deployed just once. By reporting the attack on your network, you can do your part to help other companies from being targeted by similar software in the future.

Generally, a federal agent will ask you the sequence of events that led you to detect the ransomware attack. They may also ask for the following details, so have them ready before you contact the proper federal agency.

• Date and time of ransomware detection

• How do you believe the infection occurred

• The files and servers infected by the ransomware

• The amount demanded by the ransomware, along with any amount paid

• Identifying details about the ransomware, such as the malware name

• Potential losses or damages caused by the ransomware infection

• Suspected victims impacted by the ransomware attack

• Key details about your industry, such as business focus, size, and other relevant details

Tip 4: Delete Afflicted Files to Minimize Damage or Try to Recover Them

After you have followed through on all of the above suggestions, you can try to eradicate the malware from your infected IT systems. Depending on the type of malware, there may be a solution that can clear out the ransomware without being forced to delete the infected software, servers, and data. By working with federal authorities, they may be able to provide such solutions or work with you to create a ransomware solution for other companies. 

Unfortunately, not all ransomware has an easy solution. For new or especially aggressive ransomware, the best solution sometimes is to delete the afflicted data and restore your software. While significant data may be lost during deletion, it is better to rebuild systems, especially those that provide essential services, than risk leaving behind malware that can cause another ransomware attack and bring down your system again in the future.

Tip 5: Carefully Test Your Systems During Recovery

As you restore your systems and bring your servers back online, it is critical that you verify the complete eradication of the ransomware from your IT network. There are several ways to do this, including:

• Restore isolated segments of the network one at a time. Only reconnect these segments to the greater network after complete verification.

• Create a Virtual Local Area Network separate from your main network. This can help you confirm you have a clean IT network in a test environment before a full reboot.

• Compare your rebuilt system network to backups of your old system network prior to the malware infection. Your current network should be very similar to the old network.

You should also apply proper after-incident reporting of the steps you took during the ransomware attack, including how you detected the malware and what you did to eradicate it and restore your network. This record can give you something to refer to and help you and other members of your IT staff if any of you encounter additional issues after network restoration.

Improve Your Cyber Security Against Ransomware

These suggestions above will help you protect yourself against ransomware. However, there are many other suggestions to follow if you want to prevent ransomware attacks against your IT network. By reading our 10 Secrets to improving Cyber Security, you’ll significantly bolster your network defenses against ransomware and many other forms of destructive malware.

Download our free eBook today!