Am I Infected? RANSOMWARE | Incident Response Symptoms
The symptoms are as follows:
• You suddenly cannot open normal files and get errors such as the file is corrupted or has the wrong extension.
• An alarming message has been set to your desktop background with instructions on how to pay to unlock your files.
• The program warns you that there is a countdown until the ransom increases or you will not be able to decrypt your files.
• A window has opened to a ransomware program and you cannot close it.
• You see files in all directories with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML.
Here is an example of a ransomware screen, the infamous CryptoLocker:
If infected, immediately take the actions below.
1. Disconnect:
· Disconnect the infected computer from any network.
· Turn off any wireless capabilities such as Wi-Fi or Bluetooth.
· Unplug any storage devices such as USB or external hard drives.
· Do not erase anything or “clean up” any files or antivirus. (This is important for later steps. Simply unplug the computer from the network and any other storage devices.)
2. Determine the Scope:
Determine exactly how much of your file infrastructure is compromised or encrypted. Did the infected machine have access to any of the following?
• Shared or unshared drives or folders
• Network storage of any kind
• External hard drives
• USB memory sticks with valuable files
• Cloud-based storage (Dropbox, Google Drive, Microsoft OneDrive/SkyDrive etc…)
There are tools available that have been specifically made to list out encrypted files.
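As an added example (not from the original post), a small read-only Python scanner that supports step 2: it walks a drive or share and lists ransom notes by the file names given in the symptoms above, files whose content no longer matches the header their extension implies, and files with unknown or appended extensions whose content looks random. The header table, the 7.5-bit entropy threshold and the sample tree built by `demo()` are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
# Ransom-note file names from the symptom list above; extend with any others you know.
NOTE_NAMES = {"how to decrypt files.txt", "decrypt_instructions.html"}
# Expected leading bytes for a few common document types (assumed, illustrative subset).
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".zip": b"PK\x03\x04", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted data sits near 8.0, plain text well below 6."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify_file(path: Path, sample_size: int = 4096, threshold: float = 7.5) -> str:
    """Return 'ok' or the sign of encryption found; the file is only read, never changed."""
    if path.name.lower() in NOTE_NAMES:
        return "ransom_note"
    try:
        with path.open("rb") as fh:  # the first few KB are enough to judge the content
            head = fh.read(sample_size)
    except OSError:
        return "unreadable"
    magic = MAGIC.get(path.suffix.lower())
    if magic is not None:  # known type: a file encrypted in place loses its header
        return "ok" if head.startswith(magic) else "header_mismatch"
    if len(head) >= 256 and shannon_entropy(head) > threshold:
        return "high_entropy"  # unknown or appended extension with random-looking bytes
    return "ok"

def scan_for_encryption(root) -> dict:
    """Walk a drive or share read-only and group suspicious files by finding type."""
    findings = {"ransom_note": [], "header_mismatch": [], "high_entropy": [], "unreadable": []}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            verdict = classify_file(Path(dirpath) / fn)
            if verdict != "ok":
                findings[verdict].append(os.path.join(dirpath, fn))
    return findings

def demo() -> dict:
    """Constructed sample tree: two clean files, one note, two encrypted-looking files."""
    root = Path(tempfile.mkdtemp())
    (root / "notes.txt").write_text("quarterly budget notes\n" * 40)
    (root / "HOW TO DECRYPT FILES.TXT").write_text("pay to unlock your files")
    (root / "report.docx").write_bytes(b"PK\x03\x04" + bytes(4000))  # valid header, untouched
    (root / "invoice.pdf").write_bytes(os.urandom(4096))             # encrypted in place
    (root / "budget.xlsx.locked").write_bytes(os.urandom(4096))      # renamed and encrypted
    return scan_for_encryption(root)
```

Run `scan_for_encryption` against each mapped drive, share or attached disk from a clean machine; compressed formats such as DOCX or ZIP are judged by their header rather than entropy because they are random-looking even when intact.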
3. Responses:
3 options, listed here from best to worst:
1. Restore from a recent backup
2. Decrypt your files using a 3rd-party decryptor (this is a very slim chance)
3. Format the PC (lose your data)
RANSOMWARE ATTACK CHECKLIST
STEP 1: Disconnect Everything
a. Unplug computer from network
b. Turn off any wireless functionality: Wi-Fi, Bluetooth, NF
STEP 2: Determine the Scope of the Infection, Check the Following for Signs of Encryption
a. Mapped or shared drives
b. Mapped or shared folders from other computers
c. Network storage devices of any kind
d. External Hard Drives
e. USB storage devices of any kind
f. Cloud-based storage: DropBox, Google Drive, OneDrive etc.
STEP 3: Determine Ransomware Strain
a. What strain/type of ransomware? For example: CryptoWall, TeslaCrypt etc.
STEP 4: Determine Response
Response 1: Restore Your Files From Backup
1. Locate your backups
a. Ensure all files you need are there
b. Verify integrity of backups (i.e. media not reading or corrupted files)
c. Check for Shadow Copies if possible (may not be an option on newer ransomware)
d. Check for any previous versions of files that may be stored on cloud storage e.g. DropBox, Google Drive, OneDrive
2. Remove the ransomware from your infected system
3. Restore your files from backups
4. Determine infection vector & handle
Response 2: Try to Decrypt
1. Determine strain and version of the ransomware if possible
2. Locate a decryptor; there may not be one for newer strains
If successful, continue steps...
3. Attach any storage media that contains encrypted files (hard drives, USB sticks etc.)
4. Decrypt files
5. Determine the infection vector & handle
Response 3: (Lose Files)
Format the infected device
Back up your encrypted files on an external HDD for possible future decryption (optional)