How to stop ransomware: 4 steps to ransomware containment
Even with the best security efforts, ransomware sometimes breaches organizations' defenses -- but IT teams can prevent a ransomware attack from escalating with these four steps.
These days, getting hit with a ransomware attack isn't a question of if, but when. The ability to collect anonymous online payments means this type of attack isn't going away -- on the contrary, several new industries have sprung up around it.
While there's no easy answer on how to stop ransomware, taking the following steps for ransomware containment can prevent a bad situation from escalating.
Step 1. Perform strategic system shutdowns
Targets of a ransomware attack often try to stop the spread by shutting down the systems being encrypted. Before doing so, IT teams should distinguish between a system that has not been infected and one that is in the process of being encrypted. A clean shutdown of an uninfected system is the safest move, but interrupting an encryption run before it completes can leave files half-written, resulting in corrupted systems and data loss.
While it might sound counterintuitive to let ransomware finish encrypting a system, the decryptors that attackers hand over after payment aren't enterprise-grade. Most are crude command-line tools that expect intact ciphertext and cannot recover files that were only partially encrypted. Shutting down a system mid-encryption can therefore lead to total data loss, even if the organization pays the ransom.
Knowing which systems have -- and haven't -- been hit by ransomware is the real challenge. Start by looking for sustained, abnormally heavy disk activity. This is normally the best indication that a disk is being encrypted, though it can also mean that attackers are staging data for theft and encrypting it along the way.
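The following script is an added example and not code from the article: it turns the "look for massive disk activity" advice into a quick host triage by counting how many files were written in the last few minutes and how many of those have the near-random byte distribution of ciphertext. The window, entropy cutoff and burst size are assumptions to tune against a host's normal baseline, and the sample directory it builds is constructed test data.

```python
import math
import os
import time
from collections import Counter
from pathlib import Path

# Thresholds are assumptions for this example, not figures from the article;
# tune them against a baseline of the host's normal write activity.
WINDOW_SECONDS = 300       # only files modified in the last five minutes count
ENTROPY_THRESHOLD = 7.5    # bits per byte; ciphertext (and compressed data) sits near 8.0
BURST_THRESHOLD = 50       # this many fresh high-entropy files => "likely encrypting"
SAMPLE_BYTES = 4096        # read only the head of each file to keep the sweep cheap


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def recently_modified(root, window, now=None):
    """Yield regular files under root whose mtime falls inside the window."""
    now = time.time() if now is None else now
    for path in Path(root).rglob("*"):
        try:
            if path.is_file() and now - path.stat().st_mtime <= window:
                yield path
        except OSError:          # file vanished or is unreadable mid-sweep; skip it
            continue


def triage(root, window=WINDOW_SECONDS, now=None):
    """Classify a host's recent write burst.

    Returns (fresh_files, high_entropy_files, verdict) where verdict is one of
    "clean", "suspicious" or "likely-encrypting".
    """
    fresh = hot = 0
    for path in recently_modified(root, window, now):
        fresh += 1
        try:
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
        except OSError:
            continue
        # Caveat: legitimate compressed or media files also score high; the signal is
        # the burst of many such files appearing within minutes, not any single file.
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            hot += 1
    if hot >= BURST_THRESHOLD:
        verdict = "likely-encrypting"
    elif hot > 0:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return fresh, hot, verdict


def build_sample_tree(root, encrypted_files, plaintext_files):
    """Constructed test data: plaintext documents plus files overwritten with random
    bytes, which is what a freshly encrypted file looks like on disk."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    for i in range(plaintext_files):
        (root / f"report-{i}.txt").write_text("Quarterly report, unchanged line of text.\n" * 100)
    for i in range(encrypted_files):
        (root / f"report-{i}.docx.locked").write_bytes(os.urandom(SAMPLE_BYTES))
    return root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        victim = build_sample_tree(Path(tmp) / "victim", encrypted_files=60, plaintext_files=10)
        print(victim, triage(victim))   # (70, 60, 'likely-encrypting')
        clean = build_sample_tree(Path(tmp) / "clean", encrypted_files=0, plaintext_files=10)
        print(clean, triage(clean))     # (10, 0, 'clean')
```

Run it against a file share or user profile directory on a suspect host; a "likely-encrypting" verdict is the machine you leave running until the encryption finishes, while "clean" hosts are the ones that can be shut down or isolated without risking half-written files.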
Step 2. Analyze network traffic
The second step in ransomware containment is to look at network traffic. It's sometimes possible to disrupt internet access to prevent data theft and stop overall network traffic to limit the east-west spread of ransomware.
Unfortunately, this is often easier said than done: To pull it off, IT admins must be on top of the problem as it happens. In addition, attackers often trigger ransomware outside normal working hours, when organizations tend to be lightly staffed.
Pulling a network connection carries a certain level of risk due to the possibility of data corruption. However, an organization might decide that the tradeoff is worth it if the alternative is an unacceptable risk. This is a business decision that requires insight from company leadership.
Isolation is many IT departments' first instinct for ransomware containment -- but in reality, the ransomware might have been inside the organization's systems for some time. Some strains spread like a worm, moving through the network and encrypting in real time; others are quietly staged across the environment and detonated at a time the attackers choose.
IT and security teams must take precautions to isolate systems and devices when and where it makes sense to do so -- for example, unplugging a network cable to isolate a floor or key data center equipment. While this doesn't stop the encryption process, it can limit the ransomware's spread to other equipment.
Likewise, any equipment already offline or air gapped should not be brought back online or powered on until the organization has a handle on the ransomware spread. The same applies to any vendor-supported PCs or equipment connected to the network.
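As an added example of the network-traffic review in this step (not code from the article), the script below runs over flow records in a constructed, NetFlow-like "epoch,src,dst,dport,bytes_out" format and picks out two things: internal hosts fanning out to many peers on lateral-movement ports (east-west spread) and internal hosts pushing large volumes to the internet (data theft). It then emits the iptables commands an admin would run at a Linux choke point to isolate them. The internal address ranges, port list, thresholds and sample flows are all assumptions for the demo.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example (not from the article): RFC 1918 space is "inside",
# these ports carry the usual lateral-movement protocols, and the thresholds are tunable.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LATERAL_PORTS = {135, 139, 445, 3389, 5985, 5986}   # RPC, NetBIOS, SMB, RDP, WinRM
FANOUT_THRESHOLD = 10                     # distinct internal peers on those ports per window
EGRESS_THRESHOLD = 500 * 1024 * 1024      # bytes sent to external addresses per window
WINDOW_SECONDS = 600


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one 'epoch,src,dst,dport,bytes_out' record (a constructed, NetFlow-like format)."""
    ts, src, dst, dport, nbytes = line.strip().split(",")
    return {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def analyze(lines, window=WINDOW_SECONDS):
    """Return (spreaders, exfiltrators): internal hosts fanning out laterally, and
    internal hosts pushing unusual volumes to external addresses."""
    peers = defaultdict(set)      # (src, bucket) -> internal peers touched on lateral ports
    egress = defaultdict(int)     # (src, bucket) -> bytes sent to external addresses
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        if not is_internal(f["src"]):
            continue
        bucket = int(f["ts"] // window)    # coarse fixed windows; good enough for triage
        if is_internal(f["dst"]):
            if f["dport"] in LATERAL_PORTS:
                peers[(f["src"], bucket)].add(f["dst"])
        else:
            egress[(f["src"], bucket)] += f["bytes"]
    spreaders = {src for (src, _), dsts in peers.items() if len(dsts) >= FANOUT_THRESHOLD}
    exfiltrators = {src for (src, _), total in egress.items() if total >= EGRESS_THRESHOLD}
    return spreaders, exfiltrators


def containment_rules(spreaders, exfiltrators):
    """iptables commands for a Linux choke point. Spreaders are cut off completely;
    suspected exfiltrators keep internal connectivity (so restores still work) but
    lose internet access. Because -I inserts at the top, the DROP is emitted first
    so that the ACCEPT rules for internal ranges end up above it."""
    rules = []
    for host in sorted(spreaders):
        rules.append(f"iptables -I FORWARD -s {host} -j DROP")
    for host in sorted(exfiltrators - spreaders):
        rules.append(f"iptables -I FORWARD -s {host} -j DROP")
        for net in INTERNAL_NETS:
            rules.append(f"iptables -I FORWARD -s {host} -d {net} -j ACCEPT")
    return rules


def sample_flows():
    """Constructed flow records for the demo, not real telemetry."""
    base = 1_700_000_000
    lines = ["# epoch,src,dst,dport,bytes_out"]
    # Workstation 10.0.1.25 touching SMB on 15 different hosts within two minutes: lateral spread.
    for i in range(15):
        lines.append(f"{base + i * 8},10.0.1.25,10.0.2.{i + 1},445,2048")
    # File server 10.0.5.10 pushing 900 MB to an external address over HTTPS: exfiltration.
    for i in range(9):
        lines.append(f"{base + 30 + i * 20},10.0.5.10,203.0.113.7,443,{100 * 1024 * 1024}")
    # Ordinary activity from one user: a DNS query, one file share, a small web session.
    lines.append(f"{base + 100},10.0.1.40,10.0.0.53,53,120")
    lines.append(f"{base + 101},10.0.1.40,10.0.2.1,445,65536")
    lines.append(f"{base + 102},10.0.1.40,198.51.100.9,443,40960")
    return lines


if __name__ == "__main__":
    spreaders, exfiltrators = analyze(sample_flows())
    print("spreaders:", sorted(spreaders), "exfiltrators:", sorted(exfiltrators))
    for rule in containment_rules(spreaders, exfiltrators):
        print(rule)
```

Feed it exported flow logs from the core switch or firewall instead of `sample_flows()`; the point of keeping internal connectivity for exfiltration suspects is that they are often the file servers whose backups and restores you are about to depend on.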
Step 3. Maintain and manage backups
When ransomware hits, backups are often the first topic of discussion -- but IT teams shouldn't assume that all backups are good. A common knee-jerk reaction is to remove encrypted VMs and restore from backups. While this logic might seem sound, there are a couple of key questions to ask first.
First, can IT personnel get to the backup server to perform the restoration? If the management console is an encrypted brick, this might not be possible. A crisis is easy to handle when all tools are available, but it can become a disaster when those tools are inaccessible. Before starting to make key decisions, take stock of which tools are still accessible.
Second -- and most important -- are the backups still there? Attackers routinely wipe or encrypt backups as one of their first steps, so don't rely on any backup until you have test-restored a few.
This brings up a key operational aspect when it comes to backups. IT personnel often remove encrypted VMs to make room for what they need to restore. But if the restore image has an issue or is itself encrypted, the encrypted VM that the organization would have to pay to unlock has just been deleted. Paying the ransom is never ideal, because there's no guarantee that data will be recovered even after paying -- but there's absolutely no chance of recovery if the data is gone. Keep the encrypted originals until a restore has been verified.
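This script is an added example, not code from the article, of the "test a few backups before you trust them" check. It verifies a set of archives against a manifest of SHA-256 hashes recorded while the backups were known good, and then actually opens each archive, because a file can exist under its original name and still be ciphertext or a truncated stub. The manifest layout, file names and the four-archive scenario it builds are constructed for the demo.

```python
import hashlib
import io
import os
import tarfile
import zlib
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so multi-gigabyte archives never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def archive_is_readable(path):
    """Open the archive and walk every member. An encrypted, truncated or otherwise damaged
    archive fails here even when the file still exists under its original name."""
    try:
        with tarfile.open(str(path), "r:gz") as tar:
            return len(tar.getmembers()) > 0
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return False


def verify_backup_set(root, manifest):
    """Check every archive listed in manifest ({archive name: expected sha256 hex}).

    The manifest must come from somewhere the attacker could not reach (an offline copy,
    a printout, the backup product's own catalog). A manifest stored beside the archives
    is just one more file for the ransomware to encrypt or regenerate.

    Returns {archive name: "ok" | "missing" | "hash-mismatch" | "unreadable"}.
    """
    results = {}
    for name, expected in manifest.items():
        path = Path(root) / name
        if not path.is_file():
            results[name] = "missing"
        elif sha256_file(path) != expected.lower():
            results[name] = "hash-mismatch"
        elif not archive_is_readable(path):
            results[name] = "unreadable"    # hash matched, so the manifest itself is suspect
        else:
            results[name] = "ok"
    return results


def make_archive(path, payload):
    """Write a small gzip-compressed tar holding one file (constructed test data)."""
    with tarfile.open(str(path), "w:gz") as tar:
        info = tarfile.TarInfo(name="vm-config.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))


def build_sample_backup_set(root):
    """Constructed scenario: four nightly archives of one file server, with the manifest
    taken while they were intact. Afterwards one is encrypted in place (random bytes), one
    is deleted, and one is truncated and then re-hashed, as if the manifest had been
    rebuilt after the damage."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for day in ("mon", "tue", "wed", "thu"):
        name = f"fileserver-{day}.tar.gz"
        make_archive(root / name, f"hostname=fileserver backup={day}\n".encode())
        manifest[name] = sha256_file(root / name)
    (root / "fileserver-tue.tar.gz").write_bytes(os.urandom(2048))   # encrypted in place
    (root / "fileserver-wed.tar.gz").unlink()                       # wiped
    truncated = root / "fileserver-thu.tar.gz"
    truncated.write_bytes(truncated.read_bytes()[:20])              # damaged ...
    manifest[truncated.name] = sha256_file(truncated)               # ... and manifest rebuilt
    return manifest


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        manifest = build_sample_backup_set(tmp)
        for name, status in verify_backup_set(tmp, manifest).items():
            print(f"{status:14} {name}")
```

Only archives reported as "ok" are candidates for a restore, and only after a restore from one of them has been verified should the matching encrypted VM be deleted; the "unreadable" case is the reason to keep the hash manifest off the backup host, since a hash that matches a damaged file tells you the manifest was tampered with or regenerated.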
Step 4. Review and plan communication paths
During any crisis, communication is key, but you can't hop into a group chat if the chat server is an encrypted brick. Lack of communication between personnel working on the issues and management can lead to devastating mistakes, so make plans for how to communicate when communication tools are unavailable.
Create an alternate plan for communication during a ransomware attack and ensure that everyone knows ahead of time what roles they will play. Especially if the organization brings in third-party consultants to help with ransomware containment, communications must be running smoothly to ensure timely and informed decision-making.