It’s 4:00 PM on Friday. Your IT director has just called to tell you that there appears to be a problem with key data on your system. A user of the network opened an attachment, and now her machine and the shared drive she accesses and uses routinely are encrypted. Worse, there is a demand note displayed on her system.
Your data is being held for ransom.
What do you do?
- Act quickly
  - Many pieces of specialized malware known as ransomware have a time limit. Delay can increase the ransom cost, allow a deeper infection, or remove the option to pay for the encryption key.
- Quarantine
  - Disconnect the affected machine from the network.
  - Do not move data or remove the malware... yet!
- Determine exposure
  - What storage devices were attached to the attacked machine?
  - What network drives were mapped to it?
  - What sensitive data is on the machine?
  - Remember that many versions of this attack also include a download of hidden credential-stealing malware or spam-based malware.
- Verify your backups and preserve logs
  - Restore your data to a separate machine.
  - Verify the copy before removing data from the old machine.
  - Keep all logs for the affected system and network; make sure they are not rolling over or exposed to encryption.
  - If you can, wipe the old drive and rebuild.
- Call Kroll Cyber Security for expert help (1-866-419-2052)
  - Kroll will have the affected machine checked for malware.
  - Kroll can install monitoring software to check whether the attacker is really gone.
- Call the police/law enforcement
  - Kroll will help you provide a copy of the attacking malware.
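As an added example (not code from this page or from Kroll), the following Python script covers two of the steps above: verifying a restored copy file by file against the known-good backup before the old machine is wiped, and scanning a mapped share for high-entropy files that look encrypted so you can gauge how far the encryptor reached. The directory names, sample files and the 7.5 bits-per-byte threshold are constructed for illustration.

```python
import hashlib
import math
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    # Whole-file read is fine for the small constructed samples; stream chunks for real shares.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: plain text sits around 4-5, compressed or encrypted data near 8.
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def build_manifest(root: Path) -> dict:
    # Relative path -> SHA-256 for every file under root (e.g. the known-good backup).
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}

def verify_restore(backup: Path, restore: Path) -> dict:
    # Check the restored copy file by file before the old machine is wiped.
    expected, actual = build_manifest(backup), build_manifest(restore)
    return {
        "missing": sorted(k for k in expected if k not in actual),
        "mismatched": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "ok": sorted(k for k in expected if actual.get(k) == expected[k]),
    }

def find_suspect_files(root: Path, threshold: float = 7.5) -> list:
    # High-entropy files on a mapped share indicate the encryptor reached it.
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and shannon_entropy(p.read_bytes()) > threshold)

def demo() -> tuple:
    # Constructed sample trees: a clean backup, a restore with one altered file, a share with one encrypted file.
    tmp = Path(tempfile.mkdtemp())
    backup, restore, share = tmp / "backup", tmp / "restore", tmp / "share"
    for d in (backup, restore, share):
        d.mkdir()
    (backup / "report.txt").write_text("quarterly figures " * 50)
    (restore / "report.txt").write_text("quarterly figures " * 50)
    (backup / "notes.txt").write_text("meeting notes")
    (restore / "notes.txt").write_text("meeting notez")  # altered during restore
    (share / "memo.txt").write_text("memo to staff " * 40)
    (share / "memo.txt.locked").write_bytes(bytes(range(256)) * 16)  # uniform bytes stand in for ciphertext
    return verify_restore(backup, restore), find_suspect_files(share)
```

Run `demo()` to see the mismatch report and the list of suspect files; any entry under "mismatched" or "missing" means the restore is not yet safe to rely on.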
Kroll's Cyber Security Ransomware Webinar is available on demand.