Ransomware Protection: Here Is The Ultimate Response Checklist

Ransomware Protection is more important than ever

By the end of Q3 2020, Ransomware Attacks have Increased by an alarming 715%. Cybercriminals have been successfully leveraging the pandemic and are launching ransom attacks with ever-increasing amounts. Cybercriminals much like regular people who run successful businesses have the same end goal – to increase revenue and profits. All their efforts are driven with one end goal in mind, and since more people are successfully falling victim of these attacks and are willing to pay the ransom – the price keeps going up and up.

We already have data for the first half of 2020 which revealed that there was a 7x increase when compared to 2019, and ransoms have jumped an average of 60% so far this year; proving that cybercriminals are experts at wreaking havoc within organizations that never even see it coming. The shift to remote work, is a contributor to this dilemma, and most users are simply unprepared and defenseless. There is a massive demand for end user training/awareness programs and being able to leverage your people as the first line of defense is one of the ways your business can defeat cyber threats when they pose a risk.

With all the available data, businesses should assume that ransomware attacks are inevitable, and cybercriminals are winning the game. It is almost unavoidable if your business doe does not have effective defenses that prevent these attacks from happening in the first place. Here is a response checklist that can help to guide you through the next steps you should take if you or your business ever gets hit by a ransomware attack.

Ransomware Attack Response Checklist

STEP 1: Disconnect Everything

  1. Unplug computer from network.
  2. Turn off any wireless functionality: Wi-Fi, Bluetooth, NFC.

STEP 2: Determine the Scope of the Infection, Check the Following for Signs of Encryption

  1. Mapped or shared drives
  2. Mapped or shared folders from other computers
  3. Network storage devices of any kind
  4. External Hard Drives
  5. USB storage devices of any kind (USB sticks, memory sticks, attached phones/cameras)
  6. Cloud-based storage: DropBox, Google Drive, OneDrive etc.

STEP 3: Determine if data or credentials have been stolen

  1. Check logs and DLP software for signs of data leaks.
  2. Look for unexpected large archival files (e.g., zip, arc, etc.) containing confidential data that could have been used as staging files.
  3. Look for malware, tools, and scripts which could have been used to look for and copy data.
  4. Of course, one of the most accurate signs of ransomware data theft is a notice from the involved ransomware gang announcing that your data and/or credentials have been stolen.

STEP 4: Determine Ransomware Strain

  1. What strain/type of ransomware? (For example: Ryuk, Dharma, SamSam, etc).

STEP 5: Determine Response

Now that you know the scope of the damage as well as the strain of ransomware you are dealing with, you can make a more informed decision as to what your next action will be.

Response 1: If Data or Credentials are Stolen

  1. Determine if ransom should be paid to prevent data or credentials from being released by hackers.
  2. If ransom is to be paid, you can skip steps #1 and #3 of Response 2 from recovery.

Response 2: If Ransom Is Not Paid and You Need to Restore Your Files From Backup

  1. Locate your backups
  2. Ensure all files you need are there.
  3. Verify integrity of backups (i.e. media not reading or corrupted files).
  4. Check for Shadow Copies if possible (may not be an option on newer ransomware).
  5. Check for any previous versions of files that may be stored on cloud storage

e.g. DropBox, Google Drive, OneDrive.

  1. Remove the ransomware from your infected system.
  2. Restore your files from backups.
  3. Determine infection vector & handle.

Response 3: Try to Decrypt

  1. Determine strain and version of the ransomware if possible
  2. Locate a decryptor, there may not be one for newer strains. If successful, continue steps…
  3. Attach any storage media that contains encrypted files (hard drives, USB sticks etc.)
  4. Decrypt files
  5. Determine the infection vector & handle

Response 4: Do Nothing (Lose Files)

  1. Remove the ransomware
  2. Backup your encrypted files for possible future decryption (optional)

Response 5: Negotiate and/or Pay the Ransom

  1. If possible, you may attempt to negotiate a lower ransom and/or longer payment period.
  2. Determine acceptable payment methods for the strain of ransomware: Bitcoin, Cash Card etc.
  3. Obtain payment, likely Bitcoin:
  4. Locate an exchange you wish to purchase a Bitcoin through (time is of the essence).
  5. Set up account/wallet and purchase the Bitcoin.
  6. Re-connect your encrypted computer to the internet.
  7. Install the TOR browser (optional).
  8. Determine the Bitcoin payment address. This is either located in the ransomware screen or on a TOR site that has been set up for this specific ransom case.
  9. Pay the ransom: Transfer the Bitcoin to the ransom wallet.
  10. Ensure all devices that have encrypted files are connected to your computer.
  11. File decryption should begin within 24 hours, but often within just a few hours.
  12. Determine infection vector and handle.

STEP 6: Protecting Yourself in the Future

  1. Implement Ransomware Prevention Checklist to prevent future attacks.

First Line of Defense: Software

  1. Ensure you have and are using a firewall.
  2. Implement anti-spam and/or anti-phishing. This can be done with software or through dedicated hardware such as SonicWALL or Barracuda devices.
  3. Ensure everyone in your organization is using the very latest generation endpoint protection, and/or combined with endpoint protection measures like whitelisting and/or real-time executable blocking.
  4. Implement a highly disciplined patch procedure that updates all applications and operating system components that have vulnerabilities.
  5. Make sure that everyone who works remotely logs in through a VPN.

Second Line of Defense: Backups

  1. Implement a backup solution: Software-based, hardware-based, or both.
  2. Ensure all possible data you need to access or save is backed up, including mobile/USB storage.
  3. Ensure your data is safe, redundant, and easily accessible once backed up.
  4. Regularly test the recovery function of your backup/restore procedure. Test the data

integrity of physical backups and ease-of-recovery for online/software-based backups for at least 3 or 4 months in the past. Bad guys lurk in your networks for months and compromise your backups.

Third Line of Defense: Data and Credential Theft Prevention

  1. Implement Data Leak Prevention (DLP) tools.
  2. Use least-permissive permissions to protect files, folders, and databases.
  3. Enable system logs to track data movements.
  4. Use network traffic analysis to note any unusual data movements across computers and networks.
  5. Encrypt data at rest to prevent easy unauthorized copying.

Fourth and Last Line of Defense: Users

  1. Implement new-school security awareness training to educate users on what to look for to

prevent criminal applications from being downloaded/executed.

  1. Your email filters miss between 5% and 10% of malicious emails, so conduct frequent

simulated phishing attacks to inoculate your users against current threats, best practice is

at least once a month.

Share on facebook
Share on google
Share on twitter
Share on linkedin

The PACE Difference – We’re in this business to help other small businesses grow and move forward. It’s as simple as that.

Toronto, Ontario’s IT Experts. Nestled smack in the middle of the thriving Technology sector of Markham, Ontario, PACE Technical Services Inc. is comprised of a dynamic group of professionals dedicated to bringing Fortune 500 I.T. solutions to small and mid-sized businesses in the Greater Toronto Area.


475 Cochrane Drive. Unit 4

Markham, Ontario L3R 9R5