Stop Any Access To/From Outside
It’s common for ransomware and other malware to try to phone home. Threat actors do this for a number of reasons, either to start encrypting your computers (if they have not already), transfer sensitive data offsite, or build botnets out of your systems. We normally prefer to accomplish this through the firewall, where we update the policies to restrict all sources, destinations, and services… deny, deny, deny. However it’s accomplished, the goal is to disrupt the attackers’ ability to have control of your systems.
You might be thinking, won’t this effectively create a systemwide outage? And yes, it will. This is going to take everyone off the Internet, and this can lead to a hard conversation with your company’s leadership. Business operations must halt while you adequately mitigate this. Trying to do business as usual can lead to even more damage. Remember, “Jaws” would have been 45 minutes long if they just closed the beaches.
Because malware spreads over your network, it’s crucial that you also disable connectivity within your company. The rudimentary way to stop the flow of data across your network is to unplug it. If your network is more sophisticated with segmented networks, you can use that to your advantage.
Start identifying infected machines. For infected and dubious PCs that still need access to Internet services, we like to set up a temporary quarantine network. This lets us monitor their behavior and lets endpoint security services assess and evaluate the systems, while keeping them separated from the clean systems.
But here’s the bottom line: you should not have ANYTHING on your production network that is not totally verified as clean.
If there is any doubt about a system, listen to Ripley:
Verify and Secure Critical Systems
If you call us and tell us you have ransomware and need assistance, the first thing we’ll ask you is whether or not you have reliable backups that are isolated from the domain. If you have backups but they’re on the domain, stop reading this and remove them from the domain. This applies to everyone, not just those currently affected by ransomware. Do you have a domain-joined backup server? Go remove it from the domain, I’ll wait.
If you don’t have reliable backups, this is a problem. All your line-of-business servers, including your ERP, CRM, databases, and billing systems, should be checked. Your business is stored on those servers, so if they are encrypted, we have a long road ahead of us.
It is crucial to begin by validating which machines in the environment are NOT infected. Once this has been done, additional scans on those machines should be conducted to confirm the result. Upon verification, you should move those machines to a “safe” network and establish specific connectivity for those business-critical machines.
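The triage described above (quarantine network for dubious hosts, safe network only for machines confirmed clean by an additional scan, backups kept off the domain, and an explicit allow-list with a deny-everything-else rule) as an added example, not code from the original post. The host inventory, field names, and the two-scan threshold are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    role: str                 # "workstation", "erp", "database", "backup", ...
    domain_joined: bool
    clean_scans: int = 0      # independent endpoint scans that reported clean
    business_critical: bool = False

def triage(hosts, confirm_scans=2):
    """Return (placement, actions). Default posture is quarantine; a host
    reaches the safe network only after an initial scan plus an additional
    confirming scan (assumed threshold: confirm_scans)."""
    placement, actions = {}, []
    for h in hosts:
        if h.role == "backup":
            # Backups stay isolated from production; domain-joined ones are the
            # first thing to fix, whether or not an incident is under way.
            placement[h.name] = "backup-isolated"
            if h.domain_joined:
                actions.append(f"{h.name}: remove backup server from the domain now")
        elif h.clean_scans >= confirm_scans:
            placement[h.name] = "safe"
        else:
            placement[h.name] = "quarantine"
            actions.append(f"{h.name}: keep on quarantine network and monitor")
    return placement, actions

def safe_network_policy(hosts, placement):
    """Explicit allow rules between business-critical hosts on the safe
    network; the trailing rule denies everything else (deny, deny, deny)."""
    critical = [h.name for h in hosts
                if h.business_critical and placement.get(h.name) == "safe"]
    rules = [("allow", a, b) for a in critical for b in critical if a != b]
    rules.append(("deny", "any", "any"))
    return rules

INVENTORY = [  # constructed sample inventory (hypothetical hosts)
    Host("erp01", "erp", True, clean_scans=2, business_critical=True),
    Host("db01", "database", True, clean_scans=2, business_critical=True),
    Host("ws17", "workstation", True, clean_scans=1),
    Host("bkp01", "backup", True, clean_scans=2),
]

if __name__ == "__main__":
    placement, actions = triage(INVENTORY)
    for name, net in placement.items():
        print(f"{name:6} -> {net}")
    for line in actions:
        print("ACTION:", line)
    for rule in safe_network_policy(INVENTORY, placement):
        print("RULE:", *rule)
```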
If you have good backups that managed to survive the attack, resist any temptation to start immediate restores. There is no sense in restoring what is only going to get re-encrypted. Also, if the threat actors still have a foothold, starting restores can tip them off to the location of your backups. Restoring too soon puts your backup data at risk.
Begin by restoring your backups to a new/fenced environment, followed by performing an additional scan on the restore to validate that the backups do not contain malicious code. Following this, you’ll want to verify the functionality of said backups, and establish specific connectivity to restored servers for business-critical functions.
To begin the final stages of remediation, it’s important to work with insurance/law enforcement to remove old servers after forensics. You can now establish the root cause, as well as how you can better protect your organization from future attacks with environmental enhancements/re-architecture.