Ransomware is a type of malicious software designed to deny access to a user’s systems or data by encrypting files. Once ransomware has infected a system, the attacker demands a ransom (usually in cryptocurrencies such as Bitcoin) to provide the decryption key and return access to the user.

Previous steps

The best prevention against ransomware is to have a robust backup policy, which will allow you not to lose the information and restore it even if you are a victim of these attacks. To do this, you should carry out an exercise to identify what information your company cannot afford to lose and take measures to prevent it from being lost. At the user level, an effective measure can be to work with documents online, using cloud solutions such as M365 or Google Workspace, and on the other hand, a good backup solution that takes care of safeguarding business information (servers, applications, databases, etc.).

Steps in case of compromise

Immediate Isolation

  • Disconnect the affected systems from the network to prevent the ransomware from spreading to other machines.
  • Disable network connectivity, network shares and cloud services that may be involved.

Isolation
Disconnect the affected systems from the network

Identification and analysis

  • Determine the specific type of ransomware by reading the ransomware note or through forensic analysis. This may include analysis of encrypted files, malware behavior, system logs and communications with the attacker’s command and control (C&C) server.
  • Identify the infection vector to prevent future intrusions.

Situation assessment

  • Verify whether you have up-to-date, intact backups that have not been compromised.
  • Assess the extent of the damage, how many systems are affected, whether sensitive data is involved, and whether the ransomware has exfiltrated data.

Remove malware and restore

  • Remove any traces of the ransomware from compromised systems using specialized removal tools.
  • Restore encrypted data from backups, ensuring that they are free of the infection.
  • If backups are not available, explore whether there are public or available decryption keys, or whether decryption via third parties is possible.

In case you do not have backups, it is possible that, depending on the ransomware that has infected the network, you may be able to recover the information. There are several websites and online services that provide tools to try to decrypt files encrypted by ransomware. These services are usually focused on the most common types of ransomware and provide decryption keys when they are known or if the attacker has made mistakes during the implementation of the encryption. Here are some of the most popular resources:

  1. No More Ransom (https://www.nomoreransom.org/)
  2. Emsisoft Decryptor (https://www.emsisoft.com/en/ransomware-decryption/)
  3. Malwarebytes Ransomware Decryptor (https://www.malwarebytes.com/ransomware)
  4. BitDefender (https://www.bitdefender.es/consumer/support/answer/14292/)
  5. Kaspersky (https://noransom.kaspersky.com/es/)

Risk mitigation

  • Change all passwords on compromised systems and networks to prevent unauthorized access.
  • Patch vulnerabilities and apply security updates to all affected systems.
  • Conduct a thorough review of security infrastructure, including firewalls, anti-virus and access policies.

Monitoring and tracking

  • Implement active monitoring to detect any possible ransomware reactivation or subsequent suspicious activity.
  • Ensure that there are no backdoors or residual malicious files that could allow the attack to restart.

Monitoring
Implement active monitoring

Notification and compliance

  • In the event that personal or confidential information has been exfiltrated, notify relevant regulatory authorities and affected users under privacy and data protection laws (e.g. GDPR).
  • Consider informing law enforcement, as they may have resources to track and apprehend attackers.

Long-term prevention

  • Implement stronger security measures, such as multi-factor authentication, network segmentation, and regular security training for employees.
  • Conduct attack simulations (such as penetration tests and phishing simulations) to assess future attack readiness.

Dont pay the ransom!

Be clear about two things, the cybercriminals who have attacked you are exclusively financially motivated and they are also very, very lazy. If you pay the ransom, you are demonstrating that you have the financial solvency to pay this reward and the subsequent ones, so you are going to be a clear target for them and for other cybercriminals. If, on the other hand, you do not pay but show that you can recover the information through backups or by improving the security of your infrastructure, cybercriminals will look for other victims willing to pay or with less security. In conclusion, do not pay for ransomware, you will discourage the attackers and you will probably not be a victim in the future.

Don’t pay
Never pay the ransom, best recovery is a strong backup policy