
How to Stay Protected Against Ransomware - Sophos

If you are a victim of an active ransomware attack where files on your network are still being encrypted, switch off the affected machines immediately to prevent further damage.

To identify if the attack has completed or is still active, look for new files getting encrypted or disappearing. Looking at the date modified times may indicate how long ago they were encrypted.

If you suspect that the ransomware originated from spam emails, advise your users to be extra vigilant against unsolicited emails that may already be in their inbox and to report anything suspicious.

Locate the source of the ransomware
Locating the source of the ransomware on your network will not only help you locate all the encrypted files but also give an insight into how this attack happened. This will help you to change your security settings appropriately to reduce the risk of it happening again.

Most successful ransomware attacks are identified based on the following symptoms:

IT administrators notice files being encrypted on their servers: the files can no longer be opened and often have their file extensions changed.
Users report that they cannot open or find files they have previously been using.
Users report that they cannot open files on their machine and that their desktop background has changed to a ransom note.

Submit samples of spam emails containing suspicious attachments to Sophos for analysis:

For spam emails: How to submit spam and false positive spam samples to SophosLabs
For suspicious files: How to submit samples of suspicious files to Sophos

If you don't have any information on how the ransomware got onto the machines, locate the encrypted files. Most ransomware has been run with the permissions of the user, so it is helpful if the encrypted files are located in directories accessible only to single users or small groups.

Quite often you can get the username of the person who encrypted the files by looking at the file properties. Do the following:

Locate an encrypted file.
Right-click on the file and select Properties.
Select the Details tab.
Look for the Owner information.

To identify owner details for all files in a folder, do the following:

In Windows Explorer go to a folder with encrypted files (network shares which are accessible to multiple users are best).
Switch to the Details view, which gives you different columns of information about the files.
Right-click on a column header and then select More.
Scroll down and select Owner from the list and then click OK.

Note: Unfortunately, if the owner details show SYSTEM or Administrator, this does not help.

If the owner details do not help, check which users had access to the locations where you found encrypted files. Looking at the date modified times of the encrypted files may provide information about when this attack started.
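The owner and date-modified checks above can be done for a whole share at once. The following PowerShell script is an added example, not part of the Sophos article; the share path and the list of file extensions used by the ransomware are assumptions passed in as parameters, and the default extensions are constructed samples.

```powershell
# Added example: triage encrypted files on a share by owner and last-write time.
# Assumptions (not from the article): $Path is the affected share and $Extensions
# are the extensions this ransomware appends; the defaults are constructed samples.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string[]] $Extensions = @('.locked', '.encrypted'),
    [string] $ReportPath = '.\ransomware-triage.csv'
)

# Collect every file with a matching extension together with its NTFS owner
# (the same value Explorer shows in the Owner column) and its last-write time.
$encrypted = @(Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension } |
    ForEach-Object {
        $owner = 'UNKNOWN'
        try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }
        [pscustomobject]@{
            FullName      = $_.FullName
            Owner         = $owner
            LastWriteTime = $_.LastWriteTime
        }
    })

if ($encrypted.Count -eq 0) {
    Write-Host "No files with extensions $($Extensions -join ', ') found under $Path"
    return
}

# Owner breakdown. An owner of SYSTEM or BUILTIN\Administrators is not informative,
# as the article notes; a named user account points at the session that ran the malware.
$encrypted | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object @{n = 'Owner'; e = { $_.Name }}, Count,
        @{n = 'FirstWrite'; e = { ($_.Group | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime }},
        @{n = 'LastWrite';  e = { ($_.Group | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime }} |
    Format-Table -AutoSize

# The earliest last-write time approximates when the encryption run started; the
# latest shows whether it may still be running (compare it with the current time).
$sorted = $encrypted | Sort-Object LastWriteTime
Write-Host ("Encryption window: {0:u} to {1:u} ({2} files)" -f
    $sorted[0].LastWriteTime, $sorted[-1].LastWriteTime, $encrypted.Count)

# Keep a CSV for the incident record and for cross-referencing with the mail and
# browsing history of the identified users.
$sorted | Export-Csv -NoTypeInformation -Path $ReportPath
```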

Once the users involved have been identified, obtain more information: investigate and check whether the users opened suspicious emails or browsed suspicious websites around that time. Look at their email inbox, deleted emails and their browsing history. This will help you understand your security weaknesses and enhance security in those areas.

Protect and clean infected machines
After a ransomware attack it is important to ensure that your security products are working correctly. Many variants of ransomware will encrypt files that are used by software in order to run. A good example of this is .xml files which are commonly used by software programs to store configuration settings. As a result of this type of damage, you may have to reinstall software that is no longer working correctly.

For Sophos products, check that they are updating correctly and reporting their status to your console. Resolve any errors and if a re-installation is required, do this as soon as possible. Make sure full scans are run on all affected machines.

Restore data
Most modern ransomware uses strong encryption methods such as RSA-2048 or AES-128. This makes it impossible to get your files back unless you restore from backups or pay the ransom. If you pay the ransom, there is no guarantee that you will get your files back, or that you won't be targeted again.

Most files encrypted by ransomware cannot be restored. However, occasionally files encrypted by some variants of ransomware can be restored. This is possible if:

the used encryption method is weak
the ransomware criminals made a mistake in their code
the criminals were arrested and the authorities obtained the decryption keys

Unfortunately these scenarios are rare. If you are hit by ransomware, search the internet for decryption tools. However, be aware that these tools do not restore the encrypted files but delete them and the ransom notes.
