Containing a Ransomware Outbreak

Security from ransomware

After shutting down the computer of the affected user and taking her off the network, we determined she had been hit with the CryptoWall ransomware. We had 90 percent of our files encrypted. This impacted every user in our whole company. – Luke Skibba, @Gigabitgeek

Ransomware is hard to spot while it is encrypting user files. The user may notice the machine acting strangely during the encryption process: file extensions change, files won't open, or the computer's fan spins up as the processor works through the encryption. But the average user may not recognize the danger until the ransom demand finally appears.

This means that IT typically doesn’t learn about the infection until after the damage has begun and the malware is already inside the network.

At this point, IT's priority has to be to contain the malware and prevent it from spreading within the network. More sophisticated ransomware variants may attempt to propagate on their own. Malware of all forms has been observed to send malicious messages using the user's email or chat clients, or even to deposit infected files in open shared folders on other users' computers. Even a variant that does not self-propagate reaches well beyond one machine, because it encrypts whatever the logged-in user can write to, including mapped network shares.

The first thing ACM would do is get the machine off the network. In a ransomware attack, we always have to assume that the malware could make use of an internet connection: that it is sending information back to the criminals, or spreading itself to other users. In the worst-case scenario, we may even temporarily turn off network access for the entire office until we get the outbreak under control.

Our three steps to ransomware containment:
  1. Isolate the infection
    Our top priority is to keep the infection from spreading. Remove infected machines from the network: pulling the network cable or disabling Wi-Fi cuts the malware off while preserving what is in memory for later analysis. Shut down the network if you have to.
  2. Size up the outbreak
    Figure out the scope of the infection: the malware family, how many machines, how much data, which shares were touched. Consider contacting law enforcement.
  3. Find the attack entry point
    Identify how the malware got in so that you can close that weakness. Otherwise, you remain exposed to a repeat outbreak.
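Step 2 asks "how much data", and on a file share that is hard to answer by eye. The script below is an added example, not ACM's tooling, that estimates the damage from a clean machine against a read-only copy or mount of the affected tree. It uses two heuristics: a file that keeps a known document extension but no longer starts with that format's magic bytes and is near-random (ciphertext) is counted as overwritten, and a file with an extra, unknown extension appended to a known type (invoice.pdf.locked) is counted as renamed. The magic-byte table, the entropy threshold, the ransom-note filename pattern and the sample tree are all assumptions constructed for the demo, not indicators for any specific family.

```python
"""Sizing up a ransomware outbreak: estimate how much of a file tree was hit.

Works on disk only (nothing leaves the machine). Counts, byte totals and the
set of directories touched give the "how much data" figure IT needs before
deciding on notification, restore scope and law-enforcement contact.
"""
import hashlib
import math
import os
import re
import tempfile
from collections import Counter

# Leading bytes for common document types. Illustrative list, not exhaustive.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
}
# Ransom notes are usually dropped in every directory the malware touched.
# Generic name pattern; an assumed heuristic, not a family-specific indicator.
NOTE_PATTERN = re.compile(r"(decrypt|recover|restore).*\.(txt|html?)$", re.I)
ENTROPY_THRESHOLD = 7.5  # bits/byte; documents sit well below, ciphertext near 8
HEAD_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, head: bytes) -> str:
    """Return 'intact', 'overwritten', 'renamed' or 'unknown' for one file."""
    stem, ext = os.path.splitext(path)
    ext = ext.lower()
    if ext in MAGIC:
        if head.startswith(MAGIC[ext]):
            return "intact"
        # Known type, magic gone: only call it ciphertext if the bytes look random.
        return "overwritten" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "unknown"
    inner = os.path.splitext(stem)[1].lower()  # invoice.pdf.locked -> .pdf
    return "renamed" if inner in MAGIC else "unknown"


def triage(root: str) -> dict:
    """Walk `root` and tally suspected ciphertext files, bytes, notes and directories."""
    r = {"files": 0, "overwritten": 0, "renamed": 0, "suspect_bytes": 0,
         "notes": [], "dirs_hit": set()}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            r["files"] += 1
            if NOTE_PATTERN.search(name):
                r["notes"].append(path)
                r["dirs_hit"].add(dirpath)
                continue
            try:
                with open(path, "rb") as f:
                    head = f.read(HEAD_BYTES)
                size = os.path.getsize(path)
            except OSError:
                continue  # locked or vanished mid-walk; skip rather than abort the sweep
            verdict = classify(path, head)
            if verdict in ("overwritten", "renamed"):
                r[verdict] += 1
                r["suspect_bytes"] += size
                r["dirs_hit"].add(dirpath)
    r["suspect_files"] = r["overwritten"] + r["renamed"]
    return r


def pseudo_ciphertext(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy bytes standing in for ransomware output (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_tree(root: str) -> None:
    """Constructed demo share: 2 intact documents, 3 encrypted, 1 ransom note, 1 plain text."""
    sample = {
        "finance/budget.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40,
        "finance/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 2000,
        "finance/q3.xlsx": pseudo_ciphertext(8192),             # overwritten, PK header gone
        "finance/invoice.pdf.locked": pseudo_ciphertext(3000),  # renamed with extra extension
        "hr/policy.docx": pseudo_ciphertext(5000),              # overwritten
        "hr/HOW_TO_RESTORE_FILES.txt": b"Your files have been encrypted.\n",
        "hr/readme.txt": b"plain text; type unknown to the heuristic\n",
    }
    for rel, data in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo() -> dict:
    """Build the constructed tree in a temp dir, triage it and return the tally."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    r = demo()
    print(f"{r['suspect_files']}/{r['files']} files suspect "
          f"({r['overwritten']} overwritten, {r['renamed']} renamed), "
          f"{r['suspect_bytes']} bytes, {len(r['notes'])} ransom note(s), "
          f"{len(r['dirs_hit'])} director(ies) touched")
```

Run it as `triage("/mnt/share-copy")` from a clean host, never on the infected machine itself. The result is an estimate: file types missing from the magic table are reported as unknown rather than flagged, so extend the table for the formats your users actually keep, and treat the set of directories touched as the starting list for what has to be restored from backup.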