This is the first step and the least expensive in solving the problem.
- User education. This is first on the list because this type of software changes frequently to avoid detection from virus scanners. It does however most often require the user to take an action to get in to the system. This is usually clicking on something in an email or going to a malicious web page. Training the users to recognize the threat will go a long ways towards stopping the problem
- Virus scanner. It can take a day or two for a virus scanner to get definitions for the latest threats, but this does not make it useless. You certainly don’t want to get infected from an older copy of one of these bugs.
- Update software. Some malware can take advantage of vulnerabilities in your software or operating system. Keeping this software up to date can help prevent infection from a virus or worm.
- Backups. Make sure all your files are backed up on a regular basis and that there are multiple copies stored in a location that will not be over written by the malware.
- Intrusion detection system. Ransomware creates a large volume of unusual network activity while it is encrypting/deoying files, and an Intrusion detection system may pick this up.
- The first thing to do when a problem is discovered is to turn things off to prevent further damage.
- Get qualified help. The actions taken by Trojans, worms, viruses, and other malware can be quite complicated. Disinfection and data recovery is often beyond the scope of what a virus scanner or malware removal program can do.
- Isolate the infected systems and do offline scans and removal of the malicious software
- Restore backups of damaged files.
Many people feel that this is the cheapest way out of the problem. However, it must be stressed that the risks are SEVERE.
The first version of Ransomware, Cryptolocker, always returned your data when the ransom was paid. however many spin-offs, clones, and newly developed Ransomware packages exist.
The Cyber criminal is in no way obligated to give you your data after the ransom is paid. There no honor among thieves.
PAYING THE RANSOM MAY NOT RETURN YOUR DATA.
In addition the payment you give them will only further fund Cyber-criminal activities, real crimes, or in some cases, even real-life terrorism.
Ideally your backups are current and good enough to restore without paying the perpetrators.
The only time we recommend paying the ransom is when all other recovery has failed and the files in question cannot be discarded or recreated without causing serious harm to your organization.
If you MUST pay the ransom:
- Don’t give them a credit card. This will only be used to steal more funds from you, or as a leverage point to steal more of your identifying information.
- Most ransomware demands payment in Bitcoin, through a Bitcoin wallet. the most cautious thing to do is to create a wallet, and discard that wallet after the transaction is finished. do not use your primary wallet, if you routinely use Bitcoin, as this could be leveraged as a way to track your purchases.
- Isolate all affected systems from the rest of the network. At this point you are still running software that is under their control so precautions must be taken.
- After the data recovery, all the systems involved must go through disinfection procedure.
- Make sure all security procedures are taken to prevent this from happening again in the future.