A quick guide from one of our forensic investigators.
Signs to Spot
Real Time Activity
Warning signs include suddenly not being able to access files, rapidly changing file-access timestamps, appended filename extensions and a surge in CPU activity. If you have clicked on something or are seeing suspicious activity on your computer – unplug it from the power and your network immediately.
Ransomware doesn’t always result from an employee clicking on suspicious email links. Attackers can breach an organisation’s network and plant the malware remotely. Once executed, the ransomware can present itself in many ways. It will be immediately obvious that you've been hit if the variant displays a lock screen. You may also see text files in your directories bearing a filename similar to the dreaded phrase: “YOUR FILES HAVE BEEN ENCRYPTED”.
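As an added example (not part of the original guide), the following read-only Python script looks for the indicators just described across a directory tree, such as a mounted clone of an affected drive or a file share examined from a clean workstation. The extension list, thresholds and the sample files it builds are assumptions constructed for illustration.

```python
"""Read-only triage scan for the ransomware indicators described above:
ransom-note text files, appended filename extensions and a burst of recent
modifications. Added example; thresholds and extensions are assumptions."""
import re
import tempfile
import time
from pathlib import Path

# Document types an attacker typically encrypts and renames (assumed list).
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}
# Words that commonly appear in ransom-note filenames or contents.
NOTE_PATTERN = re.compile(r"(ENCRYPTED|DECRYPT|RANSOM)", re.IGNORECASE)


def scan_directory(root, window_seconds=300, burst_threshold=20):
    """Return findings for files under root without modifying anything."""
    root = Path(root)
    findings = {"appended_ext": [], "ransom_notes": [], "recent_mods": 0}
    now = time.time()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        suffixes = path.suffixes
        # e.g. invoice.xlsx.locked: a document extension with an extra one appended
        if len(suffixes) >= 2 and suffixes[-2].lower() in DOC_EXTS:
            findings["appended_ext"].append(rel)
        # Small .txt files whose name or contents read like a ransom note
        if path.suffix.lower() == ".txt" and path.stat().st_size < 65536:
            text = path.read_text(errors="replace")
            if NOTE_PATTERN.search(path.stem) or NOTE_PATTERN.search(text):
                findings["ransom_notes"].append(rel)
        # Files modified inside the window: many at once suggests mass encryption
        if now - path.stat().st_mtime <= window_seconds:
            findings["recent_mods"] += 1
    findings["burst"] = findings["recent_mods"] >= burst_threshold
    return findings


def build_sample_tree():
    """Create a throwaway directory imitating a hit share (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="triage_sample_"))
    for i in range(25):
        (root / f"invoice_{i}.xlsx.locked").write_bytes(b"\x00" * 16)
    (root / "photo.jpg").write_bytes(b"\xff\xd8")  # untouched file
    (root / "README_TO_DECRYPT_YOUR_FILES.txt").write_text(
        "YOUR FILES HAVE BEEN ENCRYPTED")
    return root


if __name__ == "__main__":
    print(scan_directory(build_sample_tree()))
```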
If a user is reporting a potential attack, isolate the infected machine(s) from the network immediately. This means physically pulling the cable out of the computer, including servers. Photograph any ransom notes or screen locks presenting themselves. Take note of any author names, websites, emails, TOR links and crypto addresses that may be listed. This can be used to aid law enforcement investigations.
Check finance records, customer logs, backup directories, any documents or photo files and assess what you might have lost. Consider also that a copy of these files may have been stolen. Websites like 'Crypto Sheriff' and 'ID-Ransomware' will let you upload a sample encrypted file and cross-check it against their databases. It’s important not to try to remove the malware or alter the state of any infected computers or files until you have decided on the next steps. Pulling the power plug out of the computer will kill any running processes and preserve the current state of the machine. Further work can then be done on the system later down the road. If you have no backup procedure in place, or your backups have been infected, this is your best chance of recovering any of your encrypted files.
Ideally, details from ‘patient zero’ should be gleaned as quickly as possible. Take a note of their recollection of the events - did they open any documents or click on any links in an email? This can identify potential vulnerabilities and help stop future attacks.
It’s imperative that other employees are aware of the situation. Emails, suspicious links, even anonymous phone calls can all leave you open to further spread of the malware. Verbal communication through management teams is best as it avoids email clients: your Exchange server may already have been hit!
It may also be prudent to inform other clients or customers of the situation. Again, consider what data you might have lost and act accordingly. Finally, report the incident to Action Fraud (UK) and await contact from the relevant Cyber Crime department.
(Note: with GDPR regulations coming into play on 25 May of this year, ransomware infections could constitute a data breach, leading to significant financial penalties.)
Isolated, up-to-date backups will mitigate the vast majority of ransomware problems. If you’re confident that all your important data is backed up, then go ahead and rebuild the infected computers. Perform a full wipe of all the drives using something like 'DBAN' to ensure the malware can leave absolutely no traces, then restore your files. You should consider that your backups are now no longer backed up! The integrity of this data is now of paramount importance. Check and double-check before plugging your tape drives, external hard drives or USB keys into anything: only connect them to a safe, sanitised system. Mistakes can occur when people are under duress.
Unfortunately the truth is that, if done right, encryption (or encrypted files) can often be impregnable. The algorithms derive their keys from values that are unknown to the victim and cannot be reproduced. Having said that, programmers are not perfect, not even criminal ones, and flaws can sometimes be found that will circumvent or reverse the file damage.
Always research online for tools that can reverse the effects of the malware (NoMoreRansom is a good place to start). Ransomware decryption tools are rare, but progress is being made. Note that services offering malware removal are not the same as a file decryption tool. Removal tools will simply attempt to remove the malicious files remaining on the system, hopefully preventing them from re-offending. You will need to do this before using any decryption tools. Most anti-virus products should be capable of this, so stick to well-known brands instead of unverified tools found online.
Other Methods of Recovery
With your machine powered down – remaining processes are frozen, and any files not yet completely deleted and overwritten can be recovered. Cloning these hard drives onto other drives will allow you to attempt many recovery options without damaging the original data. Always remember to perform recovery attempts on a stand-alone computer that can be sanitised afterwards.
Consider also ‘volume shadow copies’ and system restore points that may exist on your system. Older strains of ransomware often left these features alone, so they can provide easy ways of restoring your computer to a previous state. As above, use a cloned copy of the hard drive, keep it isolated from the network, boot it up and see what works. If anything listed is above your or your employees’ skill-set, professional data recovery companies will be able to explore these avenues for you, at a price. If you have exhausted all of the above options, it may be worth retaining infected hard drives, keeping them locked away in the hope that a decryption tool is one day released.
Don't Pay The Ransom
The official advice is not to pay the ransom. You have no idea who you are paying, there's no guarantee that your files will actually be freed, and you're supporting the criminals who are doing this. The choice is ultimately up to you or the organisation. Seek professional help if you're unfamiliar with cryptocurrency, TOR (Dark Web Browser), or the steps they're asking you to take. Inform law enforcement of any action you decide upon.
Learning from this, keeping regular backups that are separate from the production network is the only way to truly keep yourself secure against further attacks. Refer to this blog post if you're unsure on what constitutes a strong backup policy, providing you with the protection and resilience you need.
The South West Regional Cyber Crime Unit is comprised of dedicated individuals who investigate serious cybercrime, offer advice and guidance to small businesses, and work with a range of partners to prevent people from engaging in cybercrime. For more articles and case studies like this, follow us here, on LinkedIn and on Twitter (@swrccu).
We also have a node on the Cyber Security Information Sharing Partnership (CiSP), and we strongly encourage organisations to sign up for real time cyber threat information in a secure, confidential and dynamic environment https://www.ncsc.gov.uk/cisp.