Lazarus, Crysis/Dharma, and WannaCry. There were an estimated 638 million ransomware events in 2016, and these attacks are becoming more sophisticated frequent, and effective. Ransomware payments topped $1 billion last year. If ransomware can effectively shut down one of the world’s largest law firms for three days, is any organization safe?
We are frequently retained to perform Incident Response digital forensics in ransomware matters, and unfortunately, we often discover that the victim has already engaged in some form of remediation that actually made the event worse. Considering that, here are five things NOT to do if you believe you are the victim of a ransomware virus.
1. Don’t pay Bitcoin immediately.
First, make sure that your files are actually encrypted and that ransomware does, in fact, reside on your systems. Simple screen locking malware, for example, can sometimes be easily worked around. There are decryption tools available for certain strains of ransomware.
2. Don’t keep infected computers connected to your network.
If you believe one of your computers has been infected with malware of any type, disconnect it from your network to prevent spreading to other devices. Recent versions of ransomware contain a worm that can spread to other network connected devices.
3. Don’t run antivirus.
Wait until you have identified the malware before trying to remove it from your systems. Running AV prematurely can make identifying the malware (and engaging in discussions with the culprit or paying the ransom) more difficult. It may also impede your ability to decrypt any encrypted files.
4. Don’t assume your backups are good.
Test your systems regularly and verify the integrity of your backups. If your backups are connected to the network, they may also be targeted by ransomware.
5. Don’t go it alone.
You need outside expertise. Even the most talented internal IT professionals have limited experience with ransomware. This is a time to bring in trusted partners (forensic consultants, legal counsel, your insurance company, etc.). By negotiating directly with the bad guys, for example, you can inadvertently disclose information about you or your organization that will provide the criminal with an advantage or leverage for increasing the ransom demand.
For more information on our FREE one hour, ransomware CLE program click here.
