
28 May 2024

What to do After a Ransomware Attack

Detecting ransomware in your systems can be a heart-stopping moment for any business. How your IT team responds in the immediate aftermath will impact how quickly your business can resume operations, how much of your data you get back, whether you can remove the malware from your systems and the success of your long-term recovery.

A Round-Up of Official Ransomware Advice

Bodies such as the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) publish advice on what to do if your business is hit by ransomware. Below is a concise summary of these recommendations for your business.

1. Disconnect Affected Devices

Your first action must be to limit the spread of the ransomware infection. As soon as you identify a problem, disconnect any affected devices from your network connections. Ransomware can spread via LAN, WAN, WiFi and cellular connections. You must disconnect them all.

CISA advises larger companies to take parts of the network offline at the switch level if multiple systems are compromised. Give priority to your critical business systems.

Don’t hesitate to physically unplug infected computers from the network if required. Be aware that bad actors may be monitoring your communications to assess whether their actions have been detected. Switch to ‘offline’ comms, like phone calls, to prevent them from assessing and countering your response.

2. Consider Disabling the Internet

If you’re unsure of the infection’s extent, consider disabling the company internet connection. This will not only limit spread, but it will also help to counter any attempts at data exfiltration.

Powering devices down may be necessary, but CISA warns that doing so will lose any forensic data held in volatile RAM. Bear in mind that this loss could compromise evidence that is important to any follow-up investigation.

Once this is complete, you can prioritise system recovery in terms of strategic importance.

3. Hit the Reset Button

Reset credentials, including passwords, in case they’ve been compromised. This is particularly important for administrator and system accounts, as these may have been used by the ransomware to further its spread.

Don’t forget to confirm that your updated credentials work. It may sound fundamental, but it’s easier to make mistakes in an emergency, and this one may result in you accidentally locking yourself out of your network.

4. Reinstall Your OS

Securely wipe any infected devices. Your goal is to remove all trace of the ransomware. Wiping is essential to prevent this type of malware from reinstalling itself. Once complete, you can reinstall your operating system (OS).

5. Verify Your Latest Backup

Restoring from a backup is your most reliable and fastest way to recover from a ransomware attack. However, you must confirm that this is also free from infection.

Many businesses unwittingly reinfect their systems by restoring from compromised backups. Confirm that your backups’ source and destination systems are safe before proceeding.

6. Update your OS and Apps

Apply all the latest OS and application updates available for the newly restored systems. Patching these systems will help to reduce the risk of reinfection. You may need to connect to a clean network to complete this step.

7. Reactivate Your Antivirus Tools

Install, update and run antivirus software on your previously infected devices. This will verify that your systems are no longer harbouring the malware. It will also help to guard them against future infections.

8. Reconnect to the Network

Once you’re confident that the infection has been removed, you can reconnect devices to the corporate network.

9. Monitor and Run Scans

Next, you should monitor network traffic and run regular antivirus scans to identify whether any infection remains. Isolate any suspicious activity and perform threat-hunting exercises to help you locate the source of the ransomware.

Other Things to Consider

Once your systems have been reactivated, CISA recommends initiating threat-hunting routines. These include asking and exploring the following questions and points.

  • Credential Auditing - Have any new Active Directory (AD) or domain accounts been created? Have any accounts been assigned elevated permissions incorrectly?
  • Login Auditing - Is there any evidence of anomalous logins or suspicious VPN device connections?
  • Data Transfer Auditing - The unauthorised presence or use of tools like Rclone, Rsync or FTP can indicate that data is being exfiltrated from the network.
  • Service Auditing - Check for newly created services, any unexpected scheduled tasks or unexpected software installations.
  • Endpoint Modifications - Is there any evidence to suggest that your backup routines have been altered or disabled? Hackers may attempt to disrupt shadow copy operations to prevent your systems’ recovery after a ransomware attack.
  • Unauthorised RMM Tool Usage - Ransomware threat actors will often use remote monitoring and management (RMM) tools to maintain persistence and to trigger new infections.
  • Credential Dumping - Has there been any unauthorised use of NTDSUtil.exe, etc., to dump AD credentials? This may indicate that credential theft has taken place.
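To turn the checklist above into something you can run against exported Windows event logs, here is an added example (not code from the Macrium post or from CISA) that encodes each bullet as a detection rule over a handful of constructed Security/System events. The event IDs are the standard Windows ones; the tool names, privileged group names and internal address ranges are assumptions you should tune to your own environment.

```python
import re

# Constructed Windows Security/System events (not real logs), reduced to the fields the rules need.
SAMPLE_EVENTS = [
    {"id": 4720, "TargetUserName": "svc_backup2", "SubjectUserName": "jdoe"},
    {"id": 4728, "TargetUserName": "Domain Admins", "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=example"},
    {"id": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "203.0.113.7"},
    {"id": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"id": 4688, "NewProcessName": r"C:\Tools\rclone.exe", "CommandLine": "rclone.exe copy D:\\Finance remote:bucket"},
    {"id": 7045, "ServiceName": "WinRemoteSvc", "ImagePath": r"C:\ProgramData\agent.exe"},
    {"id": 4698, "TaskName": r"\Updater", "SubjectUserName": "svc_backup2"},
    {"id": 4688, "NewProcessName": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all"},
    {"id": 4688, "NewProcessName": r"C:\Program Files\AnyDesk\AnyDesk.exe", "CommandLine": "AnyDesk.exe"},
    {"id": 4688, "NewProcessName": r"C:\Windows\System32\ntdsutil.exe", "CommandLine": "ntdsutil.exe"},
    {"id": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}  # assumed; extend as needed
EXFIL_TOOLS = re.compile(r"\\(rclone|rsync|ftp|winscp)\.exe$", re.I)                  # tools named in the checklist
RMM_TOOLS = re.compile(r"\\(anydesk|teamviewer|atera|screenconnect)[^\\]*\.exe$", re.I)  # remove your approved RMM tool
INTERNAL = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|-$|::1$)")    # RFC 1918 / local logons

def proc(ev):
    """Path of the created process for a 4688 event, "" for any other event."""
    return ev.get("NewProcessName", "")

# (checklist category, predicate over one event)
RULES = [
    ("Credential Auditing: new account created", lambda e: e["id"] == 4720),
    ("Credential Auditing: member added to privileged group",
     lambda e: e["id"] in (4728, 4732, 4756) and e.get("TargetUserName") in PRIV_GROUPS),
    ("Login Auditing: network/RDP logon from non-internal address",
     lambda e: e["id"] == 4624 and e.get("LogonType") in (3, 10) and not INTERNAL.match(e.get("IpAddress", "-"))),
    ("Data Transfer Auditing: exfiltration tool executed", lambda e: e["id"] == 4688 and bool(EXFIL_TOOLS.search(proc(e)))),
    ("Service Auditing: new service installed", lambda e: e["id"] == 7045),
    ("Service Auditing: scheduled task created", lambda e: e["id"] == 4698),
    ("Endpoint Modifications: shadow copies deleted",
     lambda e: e["id"] == 4688 and proc(e).lower().endswith("vssadmin.exe") and "delete" in e.get("CommandLine", "").lower()),
    ("Unauthorised RMM Tool Usage", lambda e: e["id"] == 4688 and bool(RMM_TOOLS.search(proc(e)))),
    ("Credential Dumping: ntdsutil executed", lambda e: e["id"] == 4688 and proc(e).lower().endswith("ntdsutil.exe")),
]

def hunt(events):
    """Map each checklist category to the events that triggered it (empty dict if nothing matched)."""
    findings = {}
    for ev in events:
        for category, matches in RULES:
            if matches(ev):
                findings.setdefault(category, []).append(ev)
    return findings
```

Run `hunt()` over events exported from each restored host; every category that comes back non-empty is a lead to triage before that host is reconnected.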

If your IT team is large enough, it may be able to conduct these threat-hunting activities alongside your recovery routine. Don’t hesitate to seek external expert advice if you don’t have the resource for these tasks in the aftermath of an attack.

Act Fast to Report the Attack

You should report any data breaches to relevant bodies to remain compliant with laws and regulations that apply to your business and industry. You should assess whether your business is legally required to report the attack. If personally identifiable data has been exposed, the incident will have to be reported according to data protection regulations.

Law enforcement agencies may also be able to point your IT team towards useful recovery resources, such as known decryption keys.

Your business’ leadership team will also have to make decisions around communicating the incident to stakeholders and customers. They may need to seek legal advice to balance the needs of the business with the rights of those affected.

Free Advice: How to Protect Your Backups from Ransomware

Take a deeper dive into the threats that ransomware may pose to your business - watch our webinar ‘How to Keep Your Backups Safe From Ransomware’ on demand.
