Here’s what to do (and not to do) immediately after getting hit by ransomware

Ransomware isn’t just a theoretical threat—it’s an increasingly ubiquitous one, which can be particularly costly for smaller organizations. The immediate seconds, minutes, and hours after an attack is detected are critical to minimizing damage and restricting an attacker’s leverage.

Here are some of the most important steps responders can take in that time, according to experts who spoke with IT Brew.

How to protect systems and limit spread. The exact steps an admin should take are situational and depend on factors like the scale of the compromise and whether encryption has already finished, Mandiant VP David Wong told IT Brew. He advised attempting to save any unencrypted domain controllers or backups by taking them offline, with preserving active directory databases being of particular importance.

“If all of them are encrypted, you’re gonna have a really hard time to recover [them],” Wong said. “So, if you find one that’s not encrypted already, take it offline. As long as you have one copy of the [flexible single master operations] databases and the active directory databases, you can recover from that.”

Any network bridges that may connect different business units or cloud systems can be severed, Wong added.

Disabling system maintenance tasks can also be helpful, as threat actors often hijack them to spread malware and it can be difficult to parse illegitimate activity from normal system behavior during an attack. The “last thing in the world [you] would want to be doing in certain circumstances is pushing malware out further in your environment,” Crowdstrike’s chief of global professional services, Thomas Etheridge, told IT Brew.

Etheridge added that responders shouldn’t attempt to remove malware from or interact with infected systems. They should also exercise caution when flipping power switches, he added, as that can “force the threat actor to pivot towards alternative infrastructure.”

Important investigative steps. Preservation of logs is a critical priority, Etheridge told IT Brew—responders should attempt to save records related to DHCP, multi-factor authentication, email, firewalls, VPN, switches, and cloud infrastructure.

Victims of a ransomware attack will also need to determine whether any data exfiltration has taken place, as ransomware gangs often engage in what the Center for Internet Security calls “double extortion.” Etheridge advises determining as quickly as possible what additional tools might be available to the attackers, such as GoToAssist, SFTP, or FTP (all tools that provide remote access or file transfer capability).

The ransom note itself may contain clues, such as how it’s written or who the point of contact for the gang is, to the identity of the threat actor, and files encrypted by the attackers may also shed light on the encryption utility used. Identifying the specific strain and version of ransomware involved can reveal whether that particular malware has a flaw or known key that can unlock impacted files.

Who should be in the room. Exactly who needs to be in the room making decisions about incident response depends on the size and structure of a company, according to experts.

The roster should typically include a who’s who of the C-suite, such as a CEO or managing director, CSO, CIO, and CFO. If sensitive data was exposed or the incident is likely to incur significant attention, a comms or PR team may be necessary. Any third-party incident response team brought in to handle the incident should be present.

In addition to those people, Etheridge said, CrowdStrike encourages important decisions to be made through “privileged engagement, which could be done through either inside legal counsel” (such as a chief legal officer) “or external counsel.”

Informing the FBI will be “looked favorably upon” if legal issues like dealing with a sanctioned gang arise, Wong said, and organizations should disclose the attack to relevant regulators like the SEC. He said many clients have started notifying insurance companies sooner rather than later to seek pre-approval for ransom payments, if it comes to that.

What not to do. Contacting the threat actor without authorization—let alone a plan, or an assemblage of the brass—can start the clock on cybercriminals issuing further threats, Wong told IT Brew.

“We’re not going to be sure what you’re gonna say or not say, and so I think you can really cause some problems,” Wong said. “We had one customer that literally got into a fight, with curse words, with a threat actor, and you know, that did not help the situation.”

Wong warned not to continue using any forms of communication that could be compromised, such as email or internal messaging tools. One client in negotiations with an attacker received a message saying “stop ignoring us” accompanied by screenshots of a team chat, Wong said. That attacker threatened to call a SWAT team to the CEO’s residence.

That was “very scary for the company,” Wong concluded.—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.