A user caught a ransomare infection and some of your Windows file shares have become encrypted. What do you do now?
- Shutdown infected devices. Determine which machines/users have become infected and shut the devices down. It might be necessary to turn off networking switches, wireless access points, or file servers while the infected machines are located.
- Reimage infected devices. (Alternatively disallow infected devices from the network and reimage infected devices after the restoration of file shares) (reimage means a full wipe usually a repartition or hard drive format and reinstall of the operating system)
- Restore normal network operations. If no further damage occurs then continue.
- Determine the scope of the damage to servers and file shares. Determine which users and shares have become compromised.
- Determine the strain of ransomware. Determine any additional steps needed by identified ransomware strain. https://www.nomoreransom.org/crypto-sheriff.php or https://www.bleepingcomputer.com
- Review your available backups.
- Determine your best course of action for restore of files that were corrupted.
- Determine attack vector used and add block lists, updates, or policies to stop the same attack vector from being used again. Train users on how to avoid the same scenario. Based on the time window and user that propogated the virus you can check your web filter logs to determine where the virus came from and block it.
- Setup Ransomware Detection Service to help with the windows shares auditing and cleanup. After the fact this service will add peace of mind with regards to knowing when your file shares are compromised. (Not knowing when a file share is corrupted can ruin your response time and available backups)
- Write a post-mortem report and recommend or make changes to further prevent the next ransomware attack. (See http://www.questiondriven.com/2016/03/07/how-to-prevent-ransomware-infections/ for further recommendations regarding prevention.)
Restore File Shares After a Ransomware Infection:
- Make note of the user that was infected by noting the file owner of ransomware created files. Shutdown the user’s computer as fast as possible to limit further file corruption. Reimage the computer or identify the virus and follow trusted instructions for removal of the virus. Do not turn the computer back on until the virus has been removed. The files created by the ransomware give you clues as to the type of ransomware infection.
- Check the created date of any ransomware created files to determine when the infection occurred.
- If previously setup Restore shadow copies to a point in time before the ransomware infection. http://www.howtogeek.com/howto/11130/restore-previous-versions-of-files-in-every-edition-of-windows-7/
- Determine the type of ransomware https://www.nomoreransom.org/crypto-sheriff.php
- Check Bleeping Computer website to see if the ransomware you caught can be decrypted without payment. http://www.bleepingcomputer.com/ The ransom note files created and file extensions created by the ransomware give you clues as to which ransomware encrypted your files. You can then research the ransomware and see if a decryption program has been created or other method has been determined to recover your files.
- Use your preexisting backup product or backup appliance to restore your file share files.
- Restore any manually created backups if any and if necessary.
- Setup Ransomware Detection Service https://github.com/prestoncooper/RansomwareDetectionService on your Windows File Server. This program will aide in the restore of files. It can compare file signatures and only restore the corrupted/encrypted files. Text files cannot be audited/validated, but binary files can be validated/audited. The Audit Files tab and Find Files tab will also make note of file owners and created date of corrupted/encrypted files. This service can also delete the ransom note files created by the infection using the Find Ransomware Files tab. Alternatively you can use the csv files created by the Ransomware Detection Service to help script the actions you want to take. The audit file shares tab will give you all of the information you need to know regarding what has happened to your file shares. You could also use the detection tab and compare a current back with the production share to get a list of files modified since the last backup (This works for all file types including text files).
- To restore terabytes of files from a restored backup folder use Fastcopy http://www.questiondriven.com/2014/04/03/fastcopy-command-line-examples/ Other file copy tools will crash or can’t handle long file paths. Make sure to use verify option and do not use Move command (0 byte files could occur.)
- Restore any cloud based files to local media if necessary.
- Drop Box restore previous versions. https://www.dropbox.com/en/help/8408 https://www.dropbox.com/en/help/11
- Office 365 Restore Previous Versions https://support.office.com/en-us/article/Restore-a-previous-version-of-a-document-in-OneDrive-for-Business-159cad6d-d76e-4981-88ef-de6e96c93893
- Microsoft OneDrive Restore Previous Versions https://blogs.technet.microsoft.com/office365security/how-to-deal-with-ransomware/
- Google Drive Restore Previous Versions https://support.google.com/drive/answer/2409045?hl=en https://support.google.com/docs/answer/190843?hl=en
- Don’t pay the ransom. (Paying the ransom will fund and set precedent for future ransomware attacks.) If you get hit and you don’t have backups then you might not have a choice. If you followed the recommendations in the article http://www.questiondriven.com/2016/03/07/how-to-prevent-ransomware-infections/ you will have options.