Mitigating malware and ransomware attacks
This article adds to my previous guidance on how organizations deal with the effects of malware attacks, including ransomware. It covers how to prepare for an incident and the steps you should take proactively so that you are able to respond to such an attack.
Prepare for an incident
Malware attacks, in particular ransomware attacks, can be devastating for organizations because computer systems are no longer available to use, and in some cases, data may never be recovered. If recovery is possible, it can take several weeks, but your corporate reputation and brand value could take a lot longer to recover. The following will help to ensure your organization can recover quickly.
- Identify your critical assets and determine the impact to these if they were affected by a malware attack.
- Plan for an attack, even if you think it is unlikely. There are many examples of organizations that have been impacted by collateral malware, even though they were not the intended target.
- Develop an internal and external communication strategy. It is important that the right information reaches the right stakeholders in a timely fashion.
- Determine how you will respond to the ransom demand and the threat of your organization’s data being published.
- Ensure that incident management playbooks and supporting resources such as checklists and contact details are available if you do not have access to your computer systems.
- Identify your legal obligations regarding the reporting of incidents to regulators and understand how to approach this.
- Exercise your incident management plan. This helps clarify the roles and responsibilities of staff and third parties, and helps you prioritize system recovery. For example, if a widespread ransomware attack meant a complete shutdown of the network was necessary, you would have to consider:
- how long it would take to restore the minimum required number of devices from images and re-configure for use
- how you would rebuild any virtual environments and physical servers
- what processes need to be followed to restore servers and files from your backup solution
- what processes need to be followed if onsite systems and cloud backup servers are unusable, and you need to rebuild from offline backups
- how you would continue to operate critical business services
- After an incident, revise your incident management plan to include lessons learnt to ensure that the same event cannot occur in the same way again.
If your organization has already been infected with malware, these steps may help limit the impact:
- Immediately disconnect the infected computers, laptops or tablets from all network connections, whether wired, wireless or mobile phone based, but don’t turn off the computer, as this might erase needed information about the attack.
- In a very serious case, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary.
- Reset credentials including passwords (especially for administrator and other system accounts) – but verify that you are not locking yourself out of systems that are needed for recovery.
- Safely wipe the infected devices and reinstall the OS.
- Before you restore from a backup, verify that it is free from any malware. You should only restore from a backup if you are very confident that both the backup and the device you’re connecting it to are clean.
- Connect devices to a clean network in order to download, install and update the OS and all other software.
- Install, update, and run antivirus software.
- Reconnect to your network.
- Monitor network traffic and run antivirus scans to identify if any infection remains.
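One concrete way to support the "verify the backup before you restore" step above is to record a hash manifest when the backup is taken, keep that manifest off-network, and compare the backup against it before restoring. The following is an added example written for this article, not code from the original guidance; it assumes you captured the manifest at backup time and stored it separately from the backup itself, and it uses a temporary directory with constructed sample files so it runs stand-alone.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record a SHA-256 for every file under backup_root.

    Run this when the backup is made and store the result off-line,
    separately from the backup, so an attacker who reaches the backup
    cannot also rewrite the manifest.
    """
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup's current contents against the manifest captured earlier.

    Returns files whose hash changed, files that vanished, and files that
    appeared after the manifest was taken (e.g. renamed/encrypted copies).
    A clean result means "unchanged since the manifest", which is only
    meaningful if the backup was known-good when the manifest was made.
    """
    current = build_manifest(backup_root)
    modified = sorted(f for f, h in manifest.items() if f in current and current[f] != h)
    missing = sorted(f for f in manifest if f not in current)
    unexpected = sorted(f for f in current if f not in manifest)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "clean": not (modified or missing or unexpected),
    }


def demo() -> dict:
    """Constructed walk-through: take a manifest, then tamper with the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        # Constructed sample backup contents (not real data).
        (root / "db" / "customers.sql").write_bytes(b"-- constructed sample dump\n")
        (root / "config.yaml").write_bytes(b"service: payments\n")

        manifest = build_manifest(root)
        before = verify_backup(root, manifest)  # should be clean

        # Simulate what a compromised backup can look like after an incident:
        # one file altered, one file replaced by a renamed copy.
        (root / "config.yaml").write_bytes(b"service: payments\nmodified: true\n")
        (root / "db" / "customers.sql").rename(root / "db" / "customers.sql.locked")
        after = verify_backup(root, manifest)

        return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("before tampering:", result["before"])
    print("after tampering:", result["after"])
```

The manifest check only tells you the backup is unchanged since it was recorded; it does not tell you the backup was malware-free at that moment, so it complements rather than replaces the antivirus scan of the backup and of the target device that the step above calls for.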