4 steps to ransomware containment
Nowadays, being hit by a ransomware attack is no longer a question of if, but when. The ability to make anonymous online payments means that these types of attacks are not going away – on the contrary, several new industries have sprung up to deal with them.
While there is no simple answer to how to stop ransomware, the following ransomware containment steps can prevent a dire situation from escalating.
Step 1. Perform strategic system shutdowns
Targets of a ransomware attack often try to stop the spread by shutting down the systems that are being encrypted. However, IT teams should understand the difference between shutting down an uninfected system and a currently encrypted system. A clean shutdown is always the best approach, but stopping the encryption process before it’s complete can result in corrupted systems and data loss.
While it might sound counterintuitive to let ransomware complete the encryption of a system, the decryption tools offered by hackers are not enterprise-grade. Most ransomware decryptors are command-line tools or hashes that cannot recover corrupted data. Shutting down a system in the middle of encryption can result in complete data loss due to corruption, even if the organization pays the ransom.
Knowing which systems have been hit by ransomware – and which have not – is the real challenge. First, look for massive disk activity. This is usually the best indication that a hard drive is being encrypted, although it could also mean attackers are stealing the data and encrypting it in transit.
Step 2. Analyze network traffic
The second step in ransomware containment is to examine network traffic. It is sometimes possible to shut down Internet access to prevent data theft and halt all network traffic to limit the east-west spread of ransomware.
Unfortunately, this is often easier said than done: to pull it off, IT admins need to manage the problem as it arises. Additionally, hackers often unleash ransomware before or after normal working hours, when organizations are typically short-staffed.
Pulling a network connection carries some risk due to the possibility of data corruption. However, an organization may decide that the trade-off is worthwhile if the alternative poses an unacceptable risk. This is a business decision that requires insight from senior management.
Isolation is many IT departments’ first instinct to contain ransomware – but in reality, ransomware could have been present in the organization’s systems for some time. Ransomware sometimes works like a virus, moving through the organization and spreading in real-time, but it can also spread unnoticed throughout the organization before the attackers unleash it at a given point in time.
IT and security teams need to take precautions to isolate systems and devices when and where it makes sense—for example, unplugging a network cable to isolate a floor or critical data center equipment. While this doesn’t stop the encryption process, it can limit the spread of the ransomware to other devices.
Likewise, any devices that are already offline or air-gapped should not be brought in or turned on until the organization is on top of ransomware proliferation. The same applies to any manufacturer-supported PC or device connected to the network.
Step 3. Maintain and manage backups
When ransomware strikes, backups are often the first topic of discussion—but IT teams shouldn’t assume all backups are good. A common spontaneous response is to remove encrypted VMs and restore from backups. While this logic may seem reasonable, there are a few key questions to ask yourself first.
First, can IT staff get to the backup server to perform the restore? If the management console is an encrypted building block, this may not be possible. A crisis is easy to manage when all the tools are available, but it can be catastrophic when those tools are not. Before making any major decisions, take stock of what tools are still accessible.
Second – and most important – are the backups still there? Ransomware has a nasty habit of deleting backups as a first step, so don’t trust any backup until you’ve tested a few.
This raises an important operational consideration when it comes to backups. IT pros often remove encrypted VMs to make room for what they need to recover. However, if the recovery image has a problem or is encrypted, the encrypted VM that the organization has to pay to unlock has just been deleted. Paying a ransomware fee is not ideal as there is no guarantee that data will be recovered even after the ransom is paid – but there is absolutely no chance of recovery once the data is gone.
Step 4. Review and plan the lines of communication
During any crisis, communication is key, but you can’t break into a group chat if the chat server is an encrypted brick. A lack of communication between the staff working on the issues and management can lead to devastating mistakes. Therefore, plan how to communicate when communication tools are not available.
Create an alternate plan for communicating during a ransomware attack and make sure everyone knows in advance what their role will be. In particular, if the organization is hiring outside consultants to help with ransomware containment, communication must be seamless to ensure timely and informed decision-making.