Last Updated about a month ago
|Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back. This could affect a single computer or spread network wide.|
|How does it infect its targets?|
It can be downloaded through malicious or compromised websites, through a payload delivered by other malware or through an attachment to an email.
|How can it be protected against?|
The latest variants (teslacrypt in particular) may not be picked up by anti-malware and anti-virus software, however please ensure that your virus definitions are up to date as all vendors will be urgently working on a resolution.
Keeping your plugins/software up to date is also important; the most recent attacks have been using vulnerabilities that exist in older versions of Adobe Flash Player but are fixed in the current version for example.
Keep privileged users/users with local administrator rights to a minimum - up to 90% of malware can be prevented if the user does not have local administrator rights. In addition, in unauthorised executables are blocked from running by software restrictions policies, however local administrators and privileged users are exempt from this policy making them vulnerable.
Ensure that your backups are up to date and verified; upon infection restoration of a backup is the only guaranteed method of getting your data back.
The most vulnerable route into a network is through the users so please educate them regarding safe Internet and email usage. These viruses are usually spread through emails. Users should report any suspicious emails and refrain from opening attachments, or clicking links in emails, unless they are certain they are authentic and are from someone they trust, while keeping in mind that the computer of even a trusted person may have been infected by a virus and be sending mail pretending to be them. So, if they are not expecting an attachment or link from someone, it is safer to contact them for assurance before opening or clicking.
Also see SMBV3 vulnerability from March 2020 - The Microsoft SMB v3 vulnerability, CVE-2020-0796, was disclosed and patched in March 2020Preventing SMB traffic from lateral connections and entering or leaving the network (microsoft.com)
|Detecting the root cause of Ransomware and Reporting|
These issues are relatively straight forward to deal with - provided that you have backups.
Ransomware works by working through the drives the user has mapped/local to encrypt the files. It then alerts the user (normally via a text file next to the encrypted documents such as "decryptme.txt" or similar) how to pay for the decryption instructions and keys.
The servers themselves are not usually infected - unless someone logged on to the server (console or RDP) and introduced the virus whilst logged on. It is highly likely that the Ransomware is resident on one or more computers on your network.
In the United Kingdom, go to the Action Fraud website. Report ASAP
Also log an insurance claim with our Cyber Security insurer - either the RPA/Hiscox policy as of March 2021.
- Check for the owner of the decryptme.txt (or similar) file via its properties - that's your infected user. You can also search home folders for the decryptme.txt (or similar file) to ensure that only one of your users is infected.
- Disable the user account to prevent further encryption. The encryption process takes time - if you have large data shares the user has access to, it may be several hours for it to work through all the files.
- Now track the infected machine down. The created date of the decryptme.txt file gives the date and time of infection, so ask the user which machine they were on if you don't have any method to track this. Disable the machine account if you cannot immediately get to it (via AD Users & Computers). (This will prevent other users logging on to the machine and possibly (variant dependent) kicking off more encryption.)
- Clean the computer - via a rebuild (one option is to use your AV solution if it is up to date, but a rebuild is far better and our recommended approach).
- Reset the user profile - check home folders/redirected folders for any temporary Internet files, etc. and delete these.
- Speak with the user to try and identify the file or email that started the infection. Has this file been stored anywhere where it can be relaunched - or has the email been forwarded on to anyone? Depending on the variant it may have been a file on a USB stick, or an attachment, or even a website visited. Try to determine the initial cause and delete where appropriate. You can scan suspicious files and URLs using https://www.virustotal.com.
- Do your restore - anything the user had access to will need to be checked (don't forget local MIS server shares - if it's a teacher then the MIS server will need to be checked as it likely has some report and document stores).
- Office 365 protection and OneDrive can also help restore following a Ransomware infection Ransomware detection and recovering your files - OneDrive (home or personal) (microsoft.com)
Some variants change the files - renaming to be MP3 files for example. In this case you can delete all the MP3 files modified from the infection date and then do your restore, ignoring any files that exist already (far quicker than restoring entire large volumes).
|Monitor the shares over the next couple of weeks to ensure nothing else gets encrypted.|