Home 0P3N Blog You Were the Victim of Ransonware. Now What?
Ready to Start Your Career?
Create Free Account
Erick Wellingtons profile image
By: Erick Wellington
August 8, 2016

You Were the Victim of Ransonware. Now What?

By: Erick Wellington
August 8, 2016
Erick Wellingtons profile image
By: Erick Wellington
August 8, 2016

You were the Victim of Ransonware. Now What? - Cybrary

You were the Victim of Ransonware. Now What?

The first step is to know some basic information, such as who was the first to arrive to answer the call. What information is visible the first time? Ransonware is usually quite flashy and noisy; it wants to seen. Moreover, one layperson can just pay a ransom if you do not find the account information and details about how it happened.But before answering these questions, we need to isolate the perimeter compromised. If a server or machine is suspected, it should be isolated immediately to be further analyzed and take appropriate action based on your device analysis.After isolating and identifying the infected device, there are paths to follow to identify the type of ransonware. Today, ransonware is sold freely on the Internet and black markets exploits. Specifying exactly the kind of malware that your system has been the victim becomes crucial for developing for cryptographic and security measures in key applications to mitigate the chances of others being the victim of the same type of ransonware.You can and should make the fastest possible analysis to indicate the following:
  1. Identify the process that's consuming more computing resources
  2. Look for information about the process involved in online repositories
  3. Identify the location where the process is hosted and store this information
  4. Kill the process
  5. Look for changes in the operating system registry that can be linked to the malware; remember most ransonware has some persistent system (usually by adding an entry in the operating system boot record)
  6. Write down everything that's done for later forensic analysis
  7. Look for a redemption request usually a txt or background
  8. Isolate the malware binary and bring itto a controlled environment (Sandbox)
  9. Submit the sample to antivirus services, such as virus-Total
  10. Submit the sample to other specific services for the analysis of malware behavior. You can find out a lot at this stage, including where they're getting cryptographic keys ransonware and on which servers it communicates
  11. Make a scan at the machine boot with a toolre remove already present malware. We recommend Kaspersky Rescue Disk, which can be downloaded for free from the manufacturer's website.
  12. After the malware removal, back up the files on a separate device from the network and in a controlled environment
After performing all the above steps, you must restore using a previous backup to the incident.What 's left to do now is look for a decryptor for this Ransonware, ff it already exists. If not, can wait for some new tool to appear.I don't recommend this ever! - If there's no backup, you can choose to pay the ransom. Remember, this will be contributing to the increase in these crimes in the future and there's the possibility of never receiving the key to your files.Finally, be proactive. Use tools for monitoring the web for news about ransonware. You may get lucky and see news that comes shortly after your incident, saying there's already a solution for you.Analysis of online malware:https://www.virustotal.com/https://malwr.com/Tools to decrypt some versions:https://noransom.kaspersky.com/Rescue Disk to disinfect the system:http://support.kaspersky.com/viruses/rescuediskNews alerts:https://www.google.com/alerts
Schedule Demo

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry