Thursday, May 11, 2017

Am I Infected? RANSOMWARE | Incident Response



Symptoms

The symptoms are as follows:
You suddenly cannot open normal files and get errors such as "the file is corrupted" or "the file has the wrong extension".
An alarming message has been set as your desktop background with instructions on how to pay to unlock your files.
The program warns you that there is a countdown until the ransom increases or you will not be able to decrypt your files.
A window has opened to a ransomware program and you cannot close it.
You see files in all directories with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML.


Here is an example of a ransomware screen, the infamous CryptoLocker:



If infected, immediately take the actions below.


1.   Disconnect:
·      Disconnect the infected computer from any network.
·      Turn off any wireless capabilities such as Wi-Fi or Bluetooth.
·      Unplug any storage devices such as USB or external hard drives.
·      Do not erase anything or “clean up” any files or antivirus. (This is important for later steps. Simply unplug the computer from the network and any other storage devices.)
2.   Determine the Scope:
Determine exactly how much of your file infrastructure is compromised or encrypted.
Did the infected machine have access to any of the following?
·      Shared or unshared drives or folders
·      Network storage of any kind
·      External hard drives
·      USB memory sticks with valuable files
·      Cloud-based storage (Dropbox, Google Drive, Microsoft OneDrive/SkyDrive etc.)
There are tools available that have been specifically made to list out encrypted files.
3.   Responses:

There are 3 options, listed here from best to worst:
1.    Restore from a recent backup
2.    Decrypt your files using a 3rd-party decryptor (this is a very slim chance)
3.    Format the PC (lose your data)

RANSOMWARE ATTACK CHECKLIST




STEP 1: Disconnect Everything

a.    Unplug computer from network

b.    Turn off any wireless functionality:  Wi-Fi, Bluetooth, NFC


STEP 2: Determine the Scope of the Infection, Check the Following for Signs of Encryption

a.    Mapped or shared drives

b.    Mapped or shared folders from other computers

c.    Network storage devices of any kind

d.    External Hard Drives

e.    USB storage devices of any kind

f.     Cloud-based storage:  Dropbox, Google Drive, OneDrive etc.
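Both the "Determine the Scope" step above and STEP 2 of the checklist come down to finding out which files and shares were actually encrypted. The script below is an added example written for this post, not code from the original page or from any vendor tool: it walks a folder or mounted share, flags ransom notes by filename, flags files whose content looks like ciphertext by byte entropy (skipping common compressed formats, which are also high-entropy), and counts suspects per top-level folder so the affected shares stand out. The note-name patterns, the magic numbers, and the 7.5 bits/byte threshold are assumptions, and the sample tree is constructed.

```python
import math, random, re, tempfile
from collections import defaultdict
from pathlib import Path

# Ransom-note filename patterns (assumed; the post names two such files).
NOTE_PATTERN = re.compile(r"(decrypt|restore|recover).*(files|instructions)", re.I)
# Legitimately compressed formats also look random; skip them to limit false positives.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"\x1f\x8b", b"%PDF")
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to the 8.0 maximum

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan_for_encryption(root, sample_bytes=4096):
    """Walk `root`; return (ransom_notes, suspect_files, suspects_per_top_dir)."""
    root = Path(root)
    notes, suspects, per_dir = [], [], defaultdict(int)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        top = rel.parts[0] if len(rel.parts) > 1 else "."
        if NOTE_PATTERN.search(path.name):
            notes.append(rel.as_posix())
            continue
        with path.open("rb") as f:          # read only the head: fast on big shares
            head = f.read(sample_bytes)
        if head.startswith(COMPRESSED_MAGIC):
            continue
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            suspects.append(rel.as_posix())
            per_dir[top] += 1
    return notes, suspects, dict(per_dir)

def build_sample_tree():
    """Constructed sample share: one clean file, one 'encrypted' file, one note."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_text("quarterly figures\n" * 200)
    rng = random.Random(1234)  # deterministic stand-in for ciphertext
    (root / "docs" / "report.docx.locked").write_bytes(
        bytes(rng.getrandbits(8) for _ in range(4096)))
    (root / "HOW TO DECRYPT FILES.TXT").write_text("pay to recover your files")
    return root

if __name__ == "__main__":
    print(scan_for_encryption(build_sample_tree()))
```

Run it against a read-only mount or a forensic copy rather than the live infected host, and treat high-entropy hits as leads to confirm, not proof of encryption.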


STEP 3: Determine Ransomware Strain

a.    What strain/type of ransomware? For example: CryptoWall, TeslaCrypt etc.


STEP 4: Determine Response

Response 1: Restore Your Files From Backup

1.       Locate your backups

a.    Ensure all files you need are there

b.    Verify the integrity of backups (e.g. media that will not read, or corrupted files)

c.     Check for Shadow Copies if possible (may not be an option on newer ransomware)

d.    Check for any previous versions of files that may be stored on cloud storage, e.g. Dropbox, Google Drive, OneDrive

2.  Remove the ransomware from your infected system

3.   Restore your files from backups

4.   Determine infection vector & handle





Response 2: Try to Decrypt

1.       Determine strain and version of the ransomware if possible

2.       Locate a decryptor, there may not be one for newer strains

If successful, continue with the steps below...

3.       Attach any storage media that contains encrypted files (hard drives, USB sticks etc.)

4.       Decrypt files

5.       Determine the infection vector & handle


Response 3: (Lose Files)

Format the infected device

Back up your encrypted files to an external HDD for possible future decryption (optional)


