COMPUBC INFORMATION TECHNOLOGY SERVICES LTD. MANAGED IT SERVICES FOR BUSINESS & RESIDENTIAL. PC & MAC.

Ransomware response guide for businesses - Part 2: How NOT to respond to a ransomware attack.

9/30/2020

How NOT to respond to a ransomware attack

Incorrectly handling a ransomware incident can hinder recovery efforts, jeopardize data and result in victims paying ransoms unnecessarily. In the wake of a ransomware attack, organizations should avoid the following mistakes:

1. Do NOT restart impacted devices.
Organizations should avoid restarting devices that have been impacted by ransomware. Many ransomware strains will detect attempts to reboot and penalize victims by corrupting the device’s Windows installation so that the system will never boot up again, while others may begin to delete encrypted files at random. The infamous Jigsaw ransomware, which was prolific in 2016, randomly deleted 1,000 encrypted files each time an infected device was rebooted.
Restarting the system can also hinder forensics efforts. Rebooting clears the machine’s memory which, as noted earlier, may contain clues that are useful to investigators. Instead, impacted systems should be put into hibernation, which writes the contents of memory to a hibernation file on the device’s hard disk; that file can then be preserved for later analysis.
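The hibernate-instead-of-reboot advice above, as an added example that is not part of the original post and is not CompuBC's own tooling: a small Python script for a Windows host that reads `powercfg /a`, enables hibernation only if it is currently off, and then issues `shutdown /h`. `powercfg` and `shutdown` are real Windows commands; the two sample `powercfg /a` outputs embedded below are constructed for testing, and the script assumes it runs with administrator rights.

```python
"""Hibernate (never reboot) a suspected ransomware victim so RAM is preserved.

Added example, not part of the original post. It assumes a Windows host
where `powercfg /a` and `shutdown /h` exist; the two sample outputs below
are constructed to resemble powercfg's report and exist only for testing.
"""
import subprocess
import sys
from datetime import datetime, timezone
from typing import List

# Constructed sample: hibernation is enabled, so the hibernation file will be written.
SAMPLE_HIBERNATE_ON = """\
The following sleep states are available on this system:
    Standby (S3)
    Hibernate
    Fast Startup

The following sleep states are not available on this system:
    Standby (S1)
        The system firmware does not support this standby state.
"""

# Constructed sample: hibernation disabled; `shutdown /h` would fail here.
SAMPLE_HIBERNATE_OFF = """\
The following sleep states are available on this system:
    Standby (S3)

The following sleep states are not available on this system:
    Hibernate
        Hibernation has not been enabled.
"""


def hibernation_available(powercfg_output: str) -> bool:
    """True if 'Hibernate' is listed in the *available* section.

    powercfg prints an "available" section and a "not available" section,
    and 'Hibernate' can appear in either, so the section headers must be
    tracked rather than just searching for the word.
    """
    in_available = False
    for line in powercfg_output.splitlines():
        text = line.strip().lower()
        if text.startswith("the following sleep states are"):
            in_available = "not available" not in text
            continue
        if in_available and line.strip() == "Hibernate":
            return True
    return False


def plan_actions(powercfg_output: str) -> List[List[str]]:
    """Command sequence: enable hibernation only if needed, then hibernate."""
    cmds: List[List[str]] = []
    if not hibernation_available(powercfg_output):
        cmds.append(["powercfg", "/hibernate", "on"])
    cmds.append(["shutdown", "/h"])
    return cmds


def hibernate_for_forensics(dry_run: bool = True) -> List[List[str]]:
    """Query powercfg, log the plan, and (unless dry_run) hibernate the host."""
    report = subprocess.run(
        ["powercfg", "/a"], capture_output=True, text=True, check=True
    ).stdout
    cmds = plan_actions(report)
    stamp = datetime.now(timezone.utc).isoformat()
    print(f"{stamp} hibernating instead of rebooting; plan: {cmds}", file=sys.stderr)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Pass --go to actually hibernate; the default only prints the plan.
    hibernate_for_forensics(dry_run="--go" not in sys.argv)
```

The hibernation file lands on the system disk, so once the host is down it should be imaged or handed to the responder, not powered back on. One caveat: if hibernation first has to be enabled, creating the hibernation file itself writes a RAM-sized file to the system volume and can overwrite unallocated space where deleted data lived; where that matters, a live memory capture is the alternative.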

2. Do NOT connect external storage devices to infected systems.
Many ransomware families intentionally target storage devices and backup systems. As such, external storage devices and backup systems must not be connected (physically or via network access) to infected systems until organizations are fully confident that the infection has been removed.
It is not always obvious that ransomware is running. Sadly, there have been many cases of businesses commencing the recovery process without realizing that ransomware is still present on their system, resulting in ransomware encrypting their backup systems and storage devices.

3. Do NOT pay the ransom immediately.
While the prospect of downtime and potential reputational loss can be daunting, organizations should not immediately pay the ransom. There are always other options, and these should be explored in full before resorting to paying the ransom.

4. Do NOT communicate on the impacted network.
During recovery, victims should assume that attackers still have access to the compromised network and therefore may be able to intercept any communications that are sent and received over the network. Organizations should establish secure out-of-band communication channels and prohibit users from communicating on the compromised network until remediation is complete and the network is clear of intruders.

5. Do NOT delete files.
Files should not be deleted from encrypted systems unless a ransomware recovery specialist has advised to do so. Not only are encrypted files useful for forensics, but some ransomware families store encryption keys within the encrypted files – if the files are deleted, the decryptor won’t work.
Similarly, ransom notes should never be deleted. Some ransomware families, such as DoppelPaymer and BitPaymer, create a ransom note for every file they encrypt, which contains the encoded and encrypted key necessary for decryption. If a ransom note is deleted, its corresponding file cannot be decrypted.
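Points 2 and 5 above (ransomware may still be running, and ransom notes and encrypted files must be preserved), as an added example that is not part of the original post: a read-only Python triage script. It hashes every file on a suspect share, flags probable ransom notes by name and high-entropy files as probably encrypted, and compares two snapshots to show whether anything is still being written, which is the check to make before reconnecting any backup or external drive. The note-name patterns, file extensions and the sample share it builds are constructed placeholders; real families use their own names, so take the patterns from the actual incident.

```python
"""Read-only triage of a suspected ransomware share: inventory and change check.

Added example, not part of the original post. The note-name patterns and
the sample files are constructed placeholders; real families name their
notes and encrypted files differently, so take the patterns from the
actual incident. Nothing here deletes or modifies files.
"""
import hashlib
import math
import tempfile
from pathlib import Path
from typing import Dict, List

# Placeholder substrings seen in note filenames (constructed; adjust per incident).
NOTE_NAME_HINTS = ("readme", "how_to", "decrypt", "restore")
NOTE_EXTENSIONS = {".txt", ".html", ".hta"}


def sha256_of(path: Path) -> str:
    """Stream the file so large encrypted files don't land in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8; encrypted data sits near 8, plain text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_ransom_note(path: Path) -> bool:
    """Name-based guess only; the hint list is a constructed placeholder."""
    name = path.name.lower()
    return path.suffix.lower() in NOTE_EXTENSIONS and any(h in name for h in NOTE_NAME_HINTS)


def inventory(root: Path, sample_bytes: int = 4096) -> List[Dict]:
    """One row per file: relative path, size, hash, head entropy, note flag."""
    rows = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        with p.open("rb") as fh:
            head = fh.read(sample_bytes)
        rows.append({
            "path": p.relative_to(root).as_posix(),
            "size": p.stat().st_size,
            "sha256": sha256_of(p),
            "entropy": round(shannon_entropy(head), 2),
            "ransom_note": looks_like_ransom_note(p),
        })
    return rows


def changed_paths(before: List[Dict], after: List[Dict]) -> List[str]:
    """Files whose hash differs between two snapshots, or that appeared.

    A non-empty result from snapshots taken a few minutes apart means
    something is still writing to the share: do not attach backups or
    external drives yet.
    """
    old = {r["path"]: r["sha256"] for r in before}
    return sorted(r["path"] for r in after if old.get(r["path"]) != r["sha256"])


def build_sample_share() -> Path:
    """Constructed fixture: one note, one 'encrypted' file, one plain file."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "HOW_TO_DECRYPT.txt").write_text("constructed placeholder note\n")
    (root / "report.docx.locked").write_bytes(bytes(range(256)) * 16)  # flat histogram, entropy 8.0
    (root / "notes.txt").write_text("quarterly numbers look fine\n" * 50)
    return root
```

Run `inventory()` once, wait a few minutes, run it again and pass both results to `changed_paths()`; an empty list is the precondition for reconnecting storage. Already-compressed formats (zip, jpeg, Office documents) also score near 8 bits per byte, so the entropy column is a hint rather than proof; the lasting value is the hash list, which lets a recovery specialist confirm later that notes and encrypted files were never altered or removed.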

6. Do NOT trust ransomware authors.
Despite increasingly adopting a facade of professionalism, ransomware authors are criminals who are not obligated to uphold any agreement or abide by any code of ethics. Organizations should not believe any information provided by ransomware groups, including information in the ransom note (such as the claimed ransomware strain), and should not trust that paying the ransom will lead to the recovery of encrypted data.

Victims should be mindful that attackers may not provide a decryptor after payment, and that attacker-provided decryption tools may be faulty and/or potentially damage encrypted data.

2951 Britannia crescent
Port Coquitlam BC, V3B 4V5
778-776-6222

Hours of operation
Mon - Fri 9 a.m. - 6 p.m.
Sat 11 a.m. - 5 p.m. (by appointment only)
Sunday & Holidays - Closed

Business Number 778569517BC0001 - © Copyright CompuBC, All Rights Reserved.
