A routine email at Colonial Pipeline led to half the East Coast scrambling for gas. In Ireland, hospitals were forced to cancel cancer treatments as patient records vanished into the digital void. In Baltimore and Atlanta, entire city infrastructures buckled under the weight of a single encrypted keystroke.
It starts with a single click. Then your computer screen goes dark, followed by a message stating that all your data has been locked, and the only way to retrieve it is by paying a large sum of money to a faceless predator.
This is the reality of ransomware in today's world. From hospitals to city halls, no one is off limits. This article unpacks how to detect and recover from such attacks.
What is ransomware, and how do I recognize it?
What triggers a ransomware attack?
Should I pay the ransom?
How can I reduce the impact of a potential ransomware attack?
I've been hit by ransomware! What can I do?
How do I respond to a ransomware attack at work?
Sources
Ransomware is a type of malware that prevents access to a device and/or the data stored on it. The good news is that ransomware is generally more detectable than other malware attacks, producing distinct warning signs that include strange system behavior, the absence of key system or user files, and most notably, a message demanding a ransom to regain access to the infected device or data.
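The warning signs listed above (files that vanish or are rewritten in bulk, and a ransom note appearing) can be watched for automatically. The following script is an added example, not code from the original article or from Dartmouth: it hashes a set of "canary" files, takes a second snapshot later, and raises an alert when a large fraction of the canaries are missing or altered or when a note-like file appears. The directory, file names and the note-name pattern are constructed assumptions for illustration.

```python
"""Canary-file monitor for the ransomware warning signs described above.

Added example (not from the original article). The canary files, the
simulated damage in demo(), and RANSOM_NOTE_RE are constructed assumptions.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Assumed heuristic for ransom-note file names; not an authoritative list.
RANSOM_NOTE_RE = re.compile(
    r"(decrypt|restore|recover|ransom|how_to|readme).*\.(txt|html|hta)$", re.I
)


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large canaries are cheap to hash."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def analyse(baseline: dict, current: dict, change_threshold: float = 0.5) -> dict:
    """Compare two snapshots and return findings plus human-readable alerts."""
    missing = sorted(set(baseline) - set(current))
    modified = sorted(f for f in baseline if f in current and baseline[f] != current[f])
    new_files = sorted(set(current) - set(baseline))
    notes = [f for f in new_files if RANSOM_NOTE_RE.search(Path(f).name)]
    touched = len(missing) + len(modified)
    ratio = touched / len(baseline) if baseline else 0.0
    alerts = []
    if notes:
        alerts.append("ransom-note-like file(s) appeared: " + ", ".join(notes))
    if ratio >= change_threshold:
        alerts.append(f"{touched} of {len(baseline)} canary files missing or altered ({ratio:.0%})")
    return {
        "missing": missing,
        "modified": modified,
        "new": new_files,
        "ransom_notes": notes,
        "alerts": alerts,
    }


def demo() -> dict:
    """Constructed scenario: three canary documents, then a simulated damage pass."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("budget.xlsx", "thesis.docx", "photo.jpg"):
            (root / name).write_bytes(b"canary content for " + name.encode())
        baseline = snapshot(root)
        # Stand-ins for what the article describes: one file vanishes under a new
        # name, one is overwritten with unreadable bytes, and a note appears.
        (root / "budget.xlsx").rename(root / "budget.xlsx.locked")
        (root / "thesis.docx").write_bytes(os.urandom(64))
        (root / "HOW_TO_RECOVER_FILES.txt").write_text("constructed sample ransom note")
        return analyse(baseline, snapshot(root))


if __name__ == "__main__":
    for line in demo()["alerts"]:
        print("ALERT:", line)
```

In practice the baseline snapshot would be taken once and stored somewhere the monitored machine cannot write to, and `analyse` would run on a schedule; the threshold exists because a single edited document is normal, while most canaries changing at once is not.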
Ransomware attacks can be triggered by any of the following:
- Phishing Emails that contain malicious links or attachments.
- Exploit Kits that target known vulnerabilities in systems that have not been updated with the latest security patches.
- Remote Desktop Protocol (RDP) Exploits that allow attackers to gain remote access to a device using brute-force attacks or stolen credentials.
- Drive-by Downloads planted on a compromised website that infect a user's device simply by visiting the page.
- Malvertising, i.e. online advertisements that trick users into downloading malicious software.
- Social Engineering attacks that trick users into granting access to critical systems using manipulation tactics.
- Software Vulnerabilities exploited by attackers.
- Supply Chain Attacks that compromise a software provider or vendor, e.g. through a malicious update.
Law enforcement does NOT recommend giving in to ransom payment demands. Paying a ransom doesn't guarantee that you will regain access to your data or computer. It does, however, increase the likelihood that you will be targeted again in the future.
To reduce the impact of a potential ransomware attack, one of the best steps you can take now is to back up your data, including important photos, documents, and other files that you value. A backup should be stored in a separate safe location, usually on the Internet (known as cloud storage) or on removable media such as an external hard drive. A backup that stays permanently connected to your computer can be encrypted along with the original, so disconnect removable media once the copy is made. Once you have a backup, you can quickly restore a copy of any data that you lose as a result of ransomware or other attacks.
Uninstalling ransomware and retrieving your data can be difficult, but it is not impossible. The following steps can be taken to remove ransomware from your system:
- Isolate the infected system by disconnecting the infected device from the network to prevent the ransomware from spreading to other devices.
- Identify and remove the ransomware using reputable antivirus or anti-malware software to scan and repair your system.
- Consult with a professional computer security team if you are unable to remove the ransomware using antivirus or anti-malware software.
- Restore your files from a backup made prior to your system being infected.
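The backup advice above and the final recovery step (restore from a backup made before the infection) both depend on the backup being intact when you need it. The script below is an added example, not code from the original article or from Dartmouth: it copies a folder to a separate destination, records a SHA-256 manifest, refuses to restore unless every file still matches that manifest, and shows that a backup altered after the fact is caught by the check. Folder names and file contents are constructed for the demonstration.

```python
"""Backup with an integrity manifest, verification, and guarded restore.

Added example (not from the original article). The folder layout and file
contents in demo() are constructed stand-ins for a user's documents.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, hashed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest: Path) -> int:
    """Copy every file under src into dest and write a hash manifest. Returns file count."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel.as_posix()] = sha256_of(target)  # hash the copy, not the source
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return len(manifest)


def verify_backup(dest: Path) -> list:
    """Relative paths that are missing or no longer match the manifest (empty list = good)."""
    manifest = json.loads((dest / MANIFEST).read_text())
    bad = [rel for rel, digest in manifest.items()
           if not (dest / rel).is_file() or sha256_of(dest / rel) != digest]
    return sorted(bad)


def restore_backup(dest: Path, target: Path) -> int:
    """Restore files from dest into target, but only if the backup verifies cleanly."""
    bad = verify_backup(dest)
    if bad:
        raise RuntimeError(f"backup failed integrity check, not restoring: {bad}")
    manifest = json.loads((dest / MANIFEST).read_text())
    for rel in manifest:
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, out)
    return len(manifest)


def demo() -> dict:
    """Constructed walk-through: back up, lose the originals, restore, then catch a tampered backup."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src, backup, rebuilt = base / "documents", base / "external_drive", base / "rebuilt"
        (src / "photos").mkdir(parents=True)
        (src / "taxes.pdf").write_bytes(b"constructed tax document")
        (src / "photos" / "trip.jpg").write_bytes(b"constructed photo bytes")

        backed_up = make_backup(src, backup)
        ok_before = verify_backup(backup)
        # The originals become unreadable (overwrite stands in for encryption).
        (src / "taxes.pdf").write_bytes(b"unreadable")
        restored = restore_backup(backup, rebuilt)
        restore_matches = (rebuilt / "taxes.pdf").read_bytes() == b"constructed tax document"
        # A backup that stayed connected can be damaged too; verification reports it.
        (backup / "photos" / "trip.jpg").write_bytes(b"altered after backup")
        tampered = verify_backup(backup)
        return {
            "backed_up": backed_up,
            "ok_before": ok_before,
            "restored": restored,
            "restore_matches": restore_matches,
            "tampered": tampered,
        }


if __name__ == "__main__":
    print(demo())
```

The manifest is what turns "I have a copy" into "I have a copy I can trust": run `verify_backup` periodically against the stored copy, and keep the manifest with the backup on media that is disconnected between runs, as the article advises.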
If you experience a ransomware attack that involves a Dartmouth device or institutional data, you should stop all work immediately and report the incident. This will trigger an alert to Dartmouth's Information Security team, who can help you take any necessary actions to mitigate the impact of the attack. These actions may include any of the following:
- Detection and Analysis
  - Isolating affected system(s).
  - Powering down affected devices to avoid further spread of the ransomware infection.
  - Triaging impacted systems for restoration and recovery.
  - Examining existing detection or prevention systems (e.g. antivirus software) and logs.
  - Conducting an analysis to develop and document an initial understanding of what has occurred.
  - Initiating threat hunting activities.
- Reporting and Notification
  - Engaging internal and external teams and stakeholders.
  - Following notification requirements as outlined in cyber incident response and communications plans.
  - Consulting federal law enforcement, if needed.
- Containment and Eradication
  - Taking a system image and memory capture of a sample of affected devices.
  - Identifying systems and accounts involved in the initial breach.
  - Containing associated systems that may be used for further or continued unauthorized access.
  - Rebuilding systems based on prioritization of critical services.
  - Issuing password resets for affected systems and addressing any associated vulnerabilities or gaps.
  - Declaring the ransomware incident over.
- Recovery and Post-Incident Activity
  - Reconnecting systems and restoring data from offline, encrypted backups based on prioritization of critical services.
  - Documenting lessons learned from the incident.
  - Planning and initiating associated response activities.