A Surge in Ransomware Attacks
Originally, ransomware was malware pushed by a single threat group that encrypted files on a system and demanded a ransom for the decryption key. However, in the last few years, the face of the ransomware threat has changed dramatically.
One major change is the increasing escalation of these attacks. First, “double extortion” attacks stole sensitive data before encrypting it and threatened to leak the data if the ransom was not paid. Then, “triple extortion” groups began threatening and demanding ransoms from the customers of their victims as well. Now, some ransomware groups are either threatening or performing Distributed Denial of Service (DDoS) attacks to put additional leverage on victims to pay the ransom.
Another major evolution is the emergence of the Ransomware as a Service (RaaS) model, where one ransomware group develops malware and then distributes it to “affiliates” to use in their attacks. With RaaS, more groups have access to sophisticated malware, which means more ransomware attacks.
What to Do When Infected
If you’ve been infected, take these steps to manage the impact of the incident and prepare for ransomware recovery:
- Stay Calm: Ransomware attacks can be stressful, but rushing into things can mean making major mistakes. Keeping a cool head is essential to making the right decisions while recovering from ransomware.
- Quarantine Affected Systems: Ransomware commonly tries to spread through the network to infect as many systems as possible. Disconnecting infected systems from the rest of the network can help save other data from being encrypted as well.
- Disconnect Backups: Ransomware commonly targets backup systems because ransomware operators know that organizations will try to recover from backups instead of paying the ransom. Don’t connect any backups to the infected computer and monitor and quarantine any backups that may be infected.
- Make a Copy: Ransomware decryption doesn’t always work, and ransomware decryptors are under continuous development. Making a copy of encrypted data might allow it to be recovered later if something goes wrong.
- Keep Infected Systems Online: Some ransomware variants can make infected systems unstable, meaning that a reboot can leave them in an unrecoverable state. Don’t try to reboot systems or perform any updates on infected systems while working to remove the ransomware.
- Cooperate and Communicate: Reach out to law enforcement, regulators, and other stakeholders and consider contacting a reputable incident response team. They may have specialized knowledge or additional resources to help solve the problem.
- Identify the Variant: Many different ransomware variants are in circulation, and the list changes constantly. If the ransom note doesn’t name the author, check out the No More Ransom Project for more information and potentially a free decryptor.
- To Pay or Not: This question is a difficult one. On the one hand, paying the ransom may allow a faster and cheaper recovery. On the other hand, paying provides no guarantee of recovery and provides the attackers with the resources needed to continue their activities.
- Learn from the Incident: The ransomware gained access to your systems somehow. Identify the infection vector and close it to prevent future attackers from using the same techniques.
How to Recover from Ransomware
A successful ransomware attack encrypts data in a way that makes it impossible to decrypt without the proper decryption key. However, there are a few options for ransomware recovery:
- No More Ransom Project: As mentioned above, the first place to look for a solution is the No More Ransom Project. Free decryptors have been released for many ransomware variants, enabling recovery without paying the ransom. However, tools are typically not available for the most prevalent ransomware variants.
- Restore from Backups: Ransomware commonly tries to delete or encrypt backups, but it is possible that some remain untouched. if they are offline or read-only. After verifying that the backup is clean and completely wiping the computer including the Master Boot Record (MBR), it may be possible to perform a partial or full recovery from backups.
- Pay the Ransom: The goal of ransomware is to place victims in a position where paying the ransom is the “only available option.” The decision of whether or not to pay depends on an organization’s unique situation and carries significant risks.
In addition to restoring files, it is essential to ensure that attackers cannot immediately reencrypt files on infected computers. Engaging an incident response team (IRT) to identify and close the vulnerabilities used to gain access to the corporate environment and to detect and remove any backdoors and persistence mechanisms installed on infected systems is a vital step before restoring these systems.
Ransomware Recovery with Check Point
When it comes to ransomware, prevention is always the best option. Having an anti-ransomware solution in place before an attack occurs can save an organization a lot of time, money, and trouble. To learn more about anti-ransomware solutions, check out this Buyer’s Guide and request a free demo of Harmony Endpoint.
However, if you are the victim of a successful ransomware attack, it is a good idea to call in the experts. Check Point’s Managed Detection and Response (MDR) and Incident Response (IR) teams have extensive experience in detecting, investigating, and managing ransomware infections.
If you’re experiencing a cybersecurity incident, call our Emergency Response Hotline. For less urgent matters and to learn more about protecting yourself against future ransomware attacks, contact us.
Feedback