It’s 4:00 PM on Friday. Your IT director has just called to tell you that there appears to be a problem with key data on your system. A user of the network opened an attachment, and now her machine and the shared drive she accesses and uses routinely are encrypted. Worse, there is a demand note displayed on her system.
Your data is being held for ransom.
What do you do?
- Act quickly
Many ransomware variants enforce a deadline. Delay can raise the ransom, give the infection time to spread deeper into the network, or cause the option to buy the decryption key to lapse.
Disconnect the affected machine from the network (pull the network cable or disable Wi-Fi). Leave it powered on: memory may still hold evidence, and in some cases the encryption key itself.
DO NOT MOVE DATA or remove the malware... yet!
- Determine exposure
What storage devices were attached to the attacked machine?
What network drives were mapped to it?
What sensitive data is on the machine?
Remember that many ransomware campaigns also drop additional hidden payloads, such as credential-stealing or spam-sending malware, so treat every credential used on the machine as compromised.
- Verify your backups and preserve logs
Restore your data from backup to a separate, clean machine.
Verify the restored copy before removing any data from the old machine.
Keep all logs for the affected system and network. Make sure they are not rolling over and are not themselves exposed to encryption: copy them off the host to separate storage.
If you can, wipe the old drive and rebuild.
- Call Kroll cybersecurity for expert help (1-866-419-2052)
Kroll will have the affected machine checked for malware.
Kroll can install monitoring software to confirm that the attacker is really gone.
- Call the police/law enforcement
Kroll will help you provide law enforcement with a sample of the malware.
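The "determine exposure" and "preserve logs" steps above can be carried out from the isolated machine itself. The following PowerShell script is an added example, not Kroll's tooling and not part of the original checklist. It assumes a Windows host (Windows 8/Server 2012 or later, for the Storage and SmbShare modules), an elevated PowerShell session, and a freshly formatted USB drive mounted as E: for evidence; the E:\IR path is an assumption and should be changed to suit. It inventories attached disks and volumes, lists current and persistent network drive mappings, reports which event logs are near their size cap and in circular mode (about to roll over), exports the logs most useful in a ransomware investigation, and hashes the exported files so the copy can later be shown to be unaltered.

```powershell
# Added example (not Kroll's own tooling): triage an isolated Windows host
# after a ransomware detection. Run in an elevated PowerShell session on the
# affected machine AFTER it has been disconnected from the network.
# $Dest is an assumption: a freshly formatted USB drive attached for evidence.
$Dest = 'E:\IR'
$ErrorActionPreference = 'Continue'
New-Item -ItemType Directory -Path $Dest -Force | Out-Null
$hn    = $env:COMPUTERNAME
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. What storage was attached? Fixed, removable and network volumes, plus the
#    physical disks behind them (USB drives show BusType 'USB').
Get-Volume |
    Select-Object DriveLetter, FileSystemLabel, DriveType, FileSystem, Size, SizeRemaining |
    Export-Csv -NoTypeInformation -Path (Join-Path $Dest "$hn-volumes-$stamp.csv")
Get-Disk |
    Select-Object Number, FriendlyName, SerialNumber, BusType, Size, OperationalStatus |
    Export-Csv -NoTypeInformation -Path (Join-Path $Dest "$hn-disks-$stamp.csv")

# 2. Which network drives were mapped? Get-SmbMapping lists the current SMB
#    mappings (Status reads Disconnected once the cable is pulled); the
#    HKCU:\Network key holds the logged-on user's persistent mappings even
#    when they are not connected.
Get-SmbMapping |
    Select-Object LocalPath, RemotePath, Status |
    Export-Csv -NoTypeInformation -Path (Join-Path $Dest "$hn-smbmappings-$stamp.csv")
Get-ChildItem -Path 'HKCU:\Network' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            DriveLetter = $_.PSChildName
            RemotePath  = (Get-ItemProperty -Path $_.PSPath).RemotePath
        }
    } |
    Export-Csv -NoTypeInformation -Path (Join-Path $Dest "$hn-persistent-maps-$stamp.csv")

# 3. Are the event logs about to roll over? A log in Circular mode overwrites
#    its oldest records when it reaches MaximumSizeInBytes, so a log whose
#    FileSize is close to that cap is evidence you are about to lose.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Select-Object LogName, LogMode, IsEnabled, RecordCount, FileSize, MaximumSizeInBytes,
        @{ Name = 'PercentFull'; Expression = { [int](100 * $_.FileSize / $_.MaximumSizeInBytes) } } |
    Sort-Object PercentFull -Descending |
    Export-Csv -NoTypeInformation -Path (Join-Path $Dest "$hn-logstatus-$stamp.csv")

# 4. Preserve the logs that matter most for a ransomware investigation by
#    exporting them off-host. wevtutil epl writes a standalone .evtx copy.
#    Logs that do not exist on this host (e.g. Sysmon) are simply skipped.
$logs = 'Security', 'System', 'Application',
        'Microsoft-Windows-PowerShell/Operational',
        'Microsoft-Windows-Sysmon/Operational',
        'Microsoft-Windows-TaskScheduler/Operational',
        'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
foreach ($log in $logs) {
    $file = Join-Path $Dest ("$hn-" + ($log -replace '[\\/]', '_') + "-$stamp.evtx")
    & wevtutil.exe epl $log $file 2>$null
}

# 5. Hash everything exported so the evidence copy can be shown to be unaltered.
Get-ChildItem -Path $Dest -File -Exclude '*-hashes-*' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -NoTypeInformation -Path (Join-Path $Dest "$hn-hashes-$stamp.csv")
```

Once the script has finished, write-protect or remove the evidence drive: it was attached to a machine that still carries the ransomware, and nothing should be written to it again from that host. The CSV and .evtx files are what an incident responder or law enforcement will ask for first, and the hashes file lets you prove later that the copies were not modified after collection.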
Kroll's Cyber Security Ransomware Webinar is available on demand.