Containing a ransomware attack: Advice from Intermedia’s experts
When a computer gets infected with ransomware, it’s usually the ransom note that first alerts a user to the problem.
At that point, the initial damage has been done: files have been encrypted and the company faces either paying the ransom or losing access to its files.
Could it get worse? Absolutely. You need to assume that more than one user may be infected, either through the same attack vector that brought in the initial infection or by one infection propagating itself across your network.
To learn how businesses can contain ransomware outbreaks, I sat down with two members of Intermedia’s Security team: IT Director Susan Tait and Security Engineer Ninad Bhamburdekar.
Q: How would you first find out that a laptop is infected with crypto-ransomware? Is there any way to detect it on the network?
Susan: On the network side, our anti-malware service catches the malware before it infects the user and notifies us, and then we reach out to the user to prevent them from launching the malware. Or, if there are no virus definitions for this particular piece of malware, then our first awareness of it would come from the user. With ransomware, they usually see that their file extensions have changed and they will see the notice about payment.
Q: Now that you’ve got the infected laptop, what’s the first step to containing the malware?
Susan: The first thing we do is get the machine off the network. We always have to assume that the malware could make use of an internet connection – that it’s sending information back to the criminals. While the malware is going to target the files stored locally, if the machine is connected to the cloud, those encrypted files will already be synced by the time we get the laptop.
Q: Once it’s unplugged from the network, how do you get rid of the malware?
Susan: Now, we give it to Security (Ninad’s group) in its current state, so they can perform forensics (find the source of the infection, type of infection, etc.) as required. After that, the drive can be wiped.
Some companies will just wipe the machine before they reimage, because you want to get rid of everything. The best way to do that would be to do a NIST secure wipe. In our case, we actually put a new hard drive in the machine and then install a fresh image of Windows.
Smaller companies may not have the resources to do a real wipe and reimage. So they delete the email, delete the files, use the Windows backup to restore, etc. But you don’t know how deep the malware has gone. Has it changed registry files? If you miss anything, it could re-infect the machine. So just cleaning it doesn’t do enough to wipe out the infection.
Q: What’s involved with the forensic analysis?
Ninad: We try to keep the computer running so we can take a memory image of the machine: memory dump, latest state of machine, which users are logged in, processes running, system parameters, etc. We also review the logs of the user’s activity on the network. Then we interview the user to understand their experience.
In some cases we might take the infection to a live sandbox environment to understand the behavior of the malware. The output of this is extracting Indicators of Compromise: what it is, what it does, what domains or IP addresses it tries to contact, what registry keys it creates, etc. Then we create a signature and push it back into our log correlation system to locate other machines that have been hit and to protect against future attacks.
This is the process we follow for any kind of malware, not just ransomware.
Q: Once you’ve reimaged the machine using a fresh hard drive, how do you restore the encrypted files?
Susan: After the reimage, we would go into SecuriSync and start the file restore process. For the sake of other people working on shared files, we would restore those first so that people aren’t stuck. Ideally, you would restore the files to a spare machine right away, while you rebuild the infected machine.
Q: Once everything is fixed, is there any follow-up?
Susan: After Security finishes their examination, we hold user education to make sure everyone understands what caused the infection and how to avoid having it happen again. With malware, especially ransomware, we clone the drive and then store both the original and the copy.
Ninad: Once we find the source of the infection, we identify other users who might also be hit by it. The most common source of infection tends to be an email from an outside source, but it could be an internally forwarded message. We want to find out who else got the email so we can notify IT of the recipients and email subject. That way, they can remove that email from everyone’s inbox. If one of those users also executed the malware, then their machine would need to be reimaged.
Depending on the nature of your business, or if there’s a regulatory compliance requirement, you may want to report the incident and give relevant data from the original hard drive to the FBI or local law enforcement, along with anything you discover about the source of the infection.
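Ninad describes extracting Indicators of Compromise from a sandbox run (domains, IP addresses, file changes) and pushing them back into a log correlation system to find other machines that have been hit. The script below is an added example of that correlation step, written for this article; it is not Intermedia's tooling, and the host names, IOC values (RFC 2606 / RFC 5737 reserved names and addresses) and log lines are all constructed, as is the simple `timestamp host source key=value` log format it parses. It flags a host on any network IOC match, on creation of the ransom note, or on a burst of files renamed to the ransomware's extension.

```python
"""Correlate extracted ransomware IOCs against host logs to find other
machines that may have been hit. Added example; all IOCs, hosts and log
lines are constructed (RFC 2606 / RFC 5737 values), not real indicators."""
import ipaddress
import re
from collections import defaultdict

# Hypothetical IOCs produced by the sandbox run of the sample (constructed).
IOCS = {
    "domains": {"update-check.example.invalid", "cdn.example.invalid"},
    "networks": [ipaddress.ip_network("192.0.2.44/32"),       # single C2 host
                 ipaddress.ip_network("198.51.100.0/24")],    # whole C2 range
    "file_ext": ".locked",             # extension the sample appends to victims
    "ransom_note": "HOW_TO_DECRYPT.txt",
}

# Constructed log excerpt: "<timestamp> <host> <source> key=value ..."
SAMPLE_LOGS = """\
2016-03-01T09:02:11Z WS-ALICE dns query=update-check.example.invalid
2016-03-01T09:02:12Z WS-ALICE proxy dst=192.0.2.44 port=443 action=allow
2016-03-01T09:03:40Z WS-ALICE file op=rename from=Q1_report.docx to=Q1_report.docx.locked
2016-03-01T09:03:41Z WS-ALICE file op=rename from=budget.xlsx to=budget.xlsx.locked
2016-03-01T09:03:41Z WS-ALICE file op=create path=Documents/HOW_TO_DECRYPT.txt
2016-03-01T09:05:02Z WS-BOB proxy dst=203.0.113.9 port=443 action=allow
2016-03-01T09:05:03Z WS-BOB dns query=www.example.com
2016-03-01T09:10:55Z WS-CAROL dns query=cdn.example.invalid
2016-03-01T09:10:56Z WS-CAROL proxy dst=198.51.100.7 port=80 action=block
2016-03-01T09:12:00Z WS-DAVE file op=rename from=notes.txt to=notes.locked.bak
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<src>\S+)\s*(?P<rest>.*)$")


def parse_line(line):
    """Split one log line into (timestamp, host, source, {key: value}); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return m["ts"], m["host"], m["src"], fields


def ip_in_iocs(value, networks):
    """True if value is an IP address inside any IOC network (CIDR-aware)."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def correlate(log_text, iocs, rename_threshold=2):
    """Return {host: [reasons]} for every host that matches the IOC set.

    A blocked proxy connection still counts: the sample ran and tried to
    reach its C2, which is what matters for deciding who to reimage.
    """
    reasons = defaultdict(list)
    renames = defaultdict(int)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue                      # skip lines we cannot parse
        ts, host, src, f = parsed
        if src == "dns" and f.get("query", "").lower() in iocs["domains"]:
            reasons[host].append(f"{ts} DNS lookup of C2 domain {f['query']}")
        elif src == "proxy" and ip_in_iocs(f.get("dst", ""), iocs["networks"]):
            reasons[host].append(f"{ts} connection to C2 address {f['dst']} ({f.get('action', '?')})")
        elif src == "file":
            if f.get("op") == "rename" and f.get("to", "").lower().endswith(iocs["file_ext"]):
                renames[host] += 1
            elif f.get("op") == "create":
                name = f.get("path", "").replace("\\", "/").rsplit("/", 1)[-1]
                if name == iocs["ransom_note"]:
                    reasons[host].append(f"{ts} ransom note {name} created")
    for host, n in renames.items():
        if n >= rename_threshold:         # one rename is noise; a burst is encryption
            reasons[host].append(f"{n} files renamed to *{iocs['file_ext']}")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in sorted(correlate(SAMPLE_LOGS, IOCS).items()):
        print(host)
        for r in why:
            print("   ", r)
```

Run against the constructed logs, WS-ALICE (full infection chain) and WS-CAROL (DNS lookup plus a blocked C2 connection) are flagged, while WS-BOB (unrelated traffic) and WS-DAVE (a single rename to a name that merely contains `.locked`) are not. In practice the same IOC set would be loaded into the SIEM or EDR as a saved search or block list rather than run as a script, but the matching logic is the same.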