Ransomware Protection: Here Is The Ultimate Response Checklist

Mary-Ellen Duncan
4 min read · Oct 27, 2020

Ransomware Protection is more important than ever

By the end of Q3 2020, ransomware attacks had increased by an alarming 715%. Cybercriminals have been successfully leveraging the pandemic and are launching ransom attacks that demand ever-increasing amounts. Much like people who run legitimate businesses, cybercriminals have the same end goal: to increase revenue and profits. All their efforts are driven by that goal, and since more people are falling victim to these attacks and are willing to pay the ransom, the price keeps going up and up.

Data for the first half of 2020 already revealed a 7x increase compared to 2019, and ransoms have jumped an average of 60% so far this year, proving that cybercriminals are experts at wreaking havoc within organizations that never see it coming. The shift to remote work is a contributor to this dilemma, and most users are simply unprepared and defenseless. There is a massive demand for end-user training and awareness programs, and being able to leverage your people as the first line of defense is one of the ways your business can defeat cyber threats when they arise.

With all the available data, businesses should assume that ransomware attacks are inevitable and that cybercriminals are winning the game. An attack is almost unavoidable if your business does not have effective defenses that prevent it from happening in the first place. Here is a response checklist that can guide you through the next steps you should take if you or your business ever gets hit by a ransomware attack.

Ransomware Attack Response Checklist

STEP 1: Disconnect Everything

  1. Unplug computer from network.
  2. Turn off any wireless functionality: Wi-Fi, Bluetooth, NFC.

STEP 2: Determine the Scope of the Infection: Check the Following for Signs of Encryption

  1. Mapped or shared drives
  2. Mapped or shared folders from other computers
  3. Network storage devices of any kind
  4. External Hard Drives
  5. USB storage devices of any kind (USB sticks, memory sticks, attached phones/cameras)
  6. Cloud-based storage: DropBox, Google Drive, OneDrive etc.

STEP 3: Determine if data or credentials have been stolen

  1. Check logs and DLP software for signs of data leaks.
  2. Look for unexpected large archive files (e.g., zip or arc) containing confidential data that could have been used as staging files.
  3. Look for malware, tools, and scripts which could have been used to look for and copy data.
  4. Of course, one of the most accurate signs of ransomware data theft is a notice from the involved ransomware gang announcing that your data and/or credentials have been stolen.
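Steps 2 and 3 both come down to walking the storage you can still reach and looking for two things: document files whose contents are no longer readable text (what encryption leaves behind) and large, freshly written archives that could be exfiltration staging. The script below is an added example written for this article, not code from the original post or from PACE Technical; the entropy threshold, the extension lists and the 72-hour window are assumptions to tune for your own environment, and the sample tree it scans is constructed on the fly rather than taken from any real incident.

```python
"""Triage helper for Steps 2 and 3 of the checklist: walk a directory tree and
flag (a) document-type files whose contents are near-random, which is what
ransomware encryption leaves behind, and (b) large, recently created archives
that could be exfiltration staging files. Added example; the thresholds and
extension lists are assumptions to tune for your environment."""
import math
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

# Archive types an attacker might use to bundle data before copying it out.
ARCHIVE_SUFFIXES = {".zip", ".rar", ".7z", ".arc", ".tar", ".gz", ".tgz"}
# Uncompressed document formats whose bodies are normally low-entropy text.
# (Office .docx/.xlsx are already zip-compressed, so they are deliberately
# excluded: they look random even when healthy.)
DOCUMENT_SUFFIXES = {".txt", ".csv", ".doc", ".xls", ".rtf", ".xml", ".json", ".log", ".sql"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data sits near 8.0
MIN_SAMPLE = 512          # too few bytes makes the entropy estimate unreliable
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read, for speed


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """A document-like name (including 'report.txt.locked' style double
    extensions) whose contents are near-random."""
    if not any(s.lower() in DOCUMENT_SUFFIXES for s in path.suffixes):
        return False
    try:
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError:
        return False
    return len(head) >= MIN_SAMPLE and shannon_entropy(head) >= ENTROPY_THRESHOLD


def is_staging_archive(path: Path, min_bytes: int, max_age_s: float, now: float) -> bool:
    """A large archive written recently, relative to 'now'."""
    if path.suffix.lower() not in ARCHIVE_SUFFIXES:
        return False
    try:
        st = path.stat()
    except OSError:
        return False
    return st.st_size >= min_bytes and (now - st.st_mtime) <= max_age_s


def scan_tree(root, min_archive_bytes=100 * 1024 * 1024, recent_hours=72, now=None):
    """Return {'encrypted_candidates': [...], 'staging_archives': [...]} (file names, sorted)."""
    now = time.time() if now is None else now
    findings = {"encrypted_candidates": [], "staging_archives": []}
    for dirpath, _dirs, files in os.walk(Path(root)):
        for name in files:
            p = Path(dirpath) / name
            if looks_encrypted(p):
                findings["encrypted_candidates"].append(p.name)
            if is_staging_archive(p, min_archive_bytes, recent_hours * 3600, now):
                findings["staging_archives"].append(p.name)
    for key in findings:
        findings[key].sort()
    return findings


def build_demo_tree(base=None) -> Path:
    """Constructed sample tree (not real incident data): one healthy text file,
    one encrypted-looking document, one fresh 2 MiB archive."""
    base = Path(tempfile.mkdtemp(prefix="triage-") if base is None else base)
    share = base / "shared"
    share.mkdir(parents=True, exist_ok=True)
    (share / "minutes.txt").write_text("Board meeting minutes, October 2020.\n" * 40)
    (share / "budget.csv.locked").write_bytes(os.urandom(4096))  # ciphertext stand-in
    (share / "export.zip").write_bytes(b"PK\x03\x04" + os.urandom(2 * 1024 * 1024))
    return base


if __name__ == "__main__":
    root = build_demo_tree()
    # The demo archive is small, so the 100 MiB production default is lowered here.
    print(scan_tree(root, min_archive_bytes=1024 * 1024))
```

Run it against a mapped drive or a mounted backup volume rather than the infected machine itself, since Step 1 has already taken that machine off the network. The entropy check is a heuristic: legitimately compressed or encrypted documents (password-protected PDFs, already-zipped office formats) will score high, so treat hits as items to inspect, not as proof, and pair the archive check with the DLP and proxy logs the checklist already points you at.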

STEP 4: Determine Ransomware Strain

STEP 5: Determine Response

Now that you know the scope of the damage as well as the strain of ransomware you are dealing with, you can make a more informed decision as to what your next action will be.

Response 1: If Data or Credentials are Stolen

  1. Determine if ransom should be paid to prevent data or credentials from being released by hackers.
  2. If the ransom is to be paid, you can skip steps #1 and #3 of Response 2 (recovery).

Response 2: If Ransom Is Not Paid and You Need to Restore Your Files From Backup (e.g. DropBox, Google Drive, OneDrive)

  1. Remove the ransomware from your infected system.
  2. Restore your files from backups.
  3. Determine infection vector & handle.

Response 3: Try to Decrypt

Response 4: Do Nothing (Lose Files)

  1. Remove the ransomware
  2. Backup your encrypted files for possible future decryption (optional)

Response 5: Negotiate and/or Pay the Ransom

  1. If possible, you may attempt to negotiate a lower ransom and/or a longer payment period.
  2. Determine acceptable payment methods for the strain of ransomware: Bitcoin, cash card etc.
  3. Obtain payment, likely Bitcoin:
     - Locate an exchange you wish to purchase Bitcoin through (time is of the essence).
     - Set up an account/wallet and purchase the Bitcoin.
  4. Reconnect your encrypted computer to the internet.
  5. Install the Tor browser (optional).
  6. Determine the Bitcoin payment address. This is located either on the ransomware screen or on a Tor site that has been set up for this specific ransom case.
  7. Pay the ransom: transfer the Bitcoin to the ransom wallet.
  8. Ensure all devices that have encrypted files are connected to your computer.
  9. File decryption should begin within 24 hours, often within just a few hours.
  10. Determine infection vector and handle.

STEP 6: Protecting Yourself in the Future

First Line of Defense: Software

Second Line of Defense: Backups

  1. Implement a backup solution: software-based, hardware-based, or both.
  2. Ensure all possible data you need to access or save is backed up, including mobile/USB storage.
  3. Ensure your data is safe, redundant, and easily accessible once backed up.
  4. Regularly test the recovery function of your backup/restore procedure. Test the data integrity of physical backups and the ease of recovery for online/software-based backups going back at least 3 or 4 months. Bad guys lurk in your networks for months and compromise your backups.
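Item 4 is the one most teams skip: a backup that has never been restored is a hope, not a control, and a backup that was quietly altered while the attacker was lurking will fail you on the day you need it. One concrete way to test data integrity is to record a hash manifest when the backup is taken and compare a restored copy against it. The script below is an added example, not code from the article or from PACE Technical; the directory layout and the files it creates are constructed purely to demonstrate the check, and the corruption it simulates in the restored copy is done by the script itself.

```python
"""Backup integrity check for Step 6: record a SHA-256 manifest when the backup
is taken, then verify a restored copy against it. Added example; the sample
files and the simulated damage are constructed, not real data."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256.
    Take this at backup time and store it separately from the backup itself."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = file_sha256(p)
    return manifest


def verify_restore(manifest: dict, restored_root) -> dict:
    """Compare a restored tree with the manifest; every file lands in exactly
    one of 'ok', 'missing' or 'modified', in sorted path order."""
    restored_root = Path(restored_root)
    result = {"ok": [], "missing": [], "modified": []}
    for rel, expected in sorted(manifest.items()):
        p = restored_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif file_sha256(p) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo(base=None) -> dict:
    """Constructed scenario: back up three files, restore them, then simulate
    one file corrupted and one file lost before the restore is checked."""
    base = Path(tempfile.mkdtemp(prefix="bk-") if base is None else base)
    source = base / "source"
    (source / "finance").mkdir(parents=True, exist_ok=True)
    (source / "finance" / "ledger.csv").write_text("date,amount\n2020-10-01,100\n")
    (source / "notes.txt").write_text("quarterly planning notes\n")
    (source / "readme.txt").write_text("restore procedure lives in the runbook\n")
    manifest = build_manifest(source)
    restored = base / "restored"
    shutil.copytree(source, restored)
    # Simulate a backup that was silently overwritten (or encrypted) before restore,
    # plus a file the restore job never brought back.
    (restored / "finance" / "ledger.csv").write_bytes(b"\x00" * 32)
    (restored / "notes.txt").unlink()
    return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere the backup job cannot write to (offline media or a separate, write-once location); if it sits next to the backup, an intruder who tampers with one can tamper with both. Running the verification against restores from several past months, as the checklist recommends, is what turns a single good copy into evidence that the whole retention window is clean.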

Third Line of Defense: Data and Credential Theft Prevention

Fourth and Last Line of Defense: Users

prevent criminal applications from being downloaded/executed.

simulated phishing attacks to inoculate your users against current threats; best practice is at least once a month.

Originally published at https://www.pacetechnical.com on October 27, 2020.


Mary-Ellen Duncan

I bring ideas to life pretty much all-day, everyday and I love it! I get my jollies by managing, editing and creating engaging content for PACE Technical.