I can sit here and write until my fingers fall off and disintegrate into a billion pieces about all the best ways to prevent ransomware infections, but all of that doesn’t help you much right now if it’s gotten in.
For reference, here are a few articles we’ve written about the ransomware prevention methods you can employ:
- A Case for Using Group Policy to Prevent Ransomware from Running
- Guidelines for Providing Secure Remote Access
- Signs Your Network Security Needs Help
- Anti-Ransomware Armor: Prevention and Mitigation Tips and Strategies
- Tips for Preventing Ransomware Attacks
- Fight Phishing by Marking External Senders in Office 365
- The Lost Layer in Your Layered Cyber Security Strategy: End User Education
- Password Policy Guidelines
But first off: don’t be too hard on yourself. It is a challenging and constantly changing thing to block cyberattacks these days.
Here’s the highlight in case you’re panic-reading this mid-emergency: first, cut off all your connectivity to the internet, then quarantine the infected systems, and lastly verify and secure your critical servers.
There’s a ton of work to be done after you hit these three high points, but these are the first important actions you need to take to stop any data loss or the ransomware spreading further.
Stop Any Access to/from Outside
It’s common for ransomware and other malware to try to phone home. Viruses to do this for a variety of reasons, either to create botnets out of your systems, send sensitive data out to the bad actors, or to begin encrypting your systems.
We prefer to do this via the firewall generally – we revise policies to block all sources, all destinations, all services … deny, deny, deny.
You might be wondering: won’t this effectively create a systemwide outage? And yes, it will. This is going to take everyone down, and that might be a big fight you end up having with your CEO. Business operations have to stop while you mitigate this effectively.
Quarantine Systems
Malware spreads through your network, so it’s imperative that you also shut down interconnectivity inside your organization. The rudimentary way to stop the flow of data across your network is to unplug it. If your network is more sophisticated with segmented networks, you can use that to your advantage.
Begin identifying infected machines. We like to set up a temporary network to allow infected and questionable computers access to internet services. This allows us to observe the behavior and for antivirus services to get in and analyze it as well.
But here’s the bottom line: you should not have ANTHING on your production network that is not totally verified as clean.
Verify and Secure Critical Systems
If you call us and tell us you’ve got ransomware and you need help, the first question we ask you is if you have good backups and if they’re separated from the domain. If you have backups but they’re on the domain, stop reading this and get them off right now. This goes for anyone, not just people with ransomware right now. Backup server on your domain? Bye, go get it off. I’ll wait.
If you don’t have good backups, woah, Nelly. Go and check any of your line-of-business servers – your ERP, CRM, any databases, billing systems. Those servers hold your business in them and if they get encrypted, we have a long road ahead of us.
Once you’ve effectively walked through the above steps, it’s time to start bringing things slowly back online.
Then let’s talk about what systems we can set up to help block malware from your network in the future!