Containing a ransomware outbreak
After shutting down the computer of the affected user and taking her off the network, we determined she had been hit with the CryptoWall ransomware. We had 90 percent of our files encrypted. This impacted every user in our whole company.
Luke Skibba, @Gigabitgeek
Ransomware is hard to spot while it's encrypting user files. The user may notice his or her machine acting strange during the encryption process: file extensions will change, files won’t open, or the computer’s fan may whir loudly as the processor copes with the computing demands of encryption. But the average user may not recognize the danger until the ransom demand finally appears.
This means that IT typically doesn’t learn about the infection until after the damage has begun and the malware is already inside the network.
At this point, IT’s priority has to be to contain the virus and prevent it from spreading within the network. More sophisticated ransomware variants may attempt to propagate. Malware of all forms has been observed to send malicious messages using the user's email or chat clients, or even to deposit infected files in open shared folders on other users' computers.
“The first thing we would do is get the machine off the network,” says Susan Tait, Intermedia’s Director of IT, describing our response to a hypothetical ransomware attack. “We always have to assume that the malware could make use of an internet connection – that it’s sending information back to the criminals, or spreading itself to other users. In the worst-case scenario, we may even temporarily turn off network access for the entire office until we get the outbreak under control.”
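A defender-side heuristic for the symptom described above (many files changing extension in a short burst, the sign that encryption is under way), added here as an example; it is not Intermedia's tooling, and the host names, share paths and event format are constructed:

```python
"""Flag hosts that rename many files to a new extension within a short window,
so they can be pulled off the network before the rest of the share is hit."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=60)   # how tightly the renames must cluster
THRESHOLD = 20                   # extension-changing renames per window before alerting

# Constructed sample of (host, timestamp, old path, new path) rename events,
# as a file-server audit log or endpoint agent might report them.
SAMPLE_EVENTS = (
    [("ws-finance-07", f"2016-03-01T09:14:{i:02d}",
      f"\\\\fs01\\finance\\report{i}.xlsx",
      f"\\\\fs01\\finance\\report{i}.xlsx.encrypted") for i in range(25)]
    + [("ws-hr-02", "2016-03-01T09:20:00",
        "\\\\fs01\\hr\\draft.docx", "\\\\fs01\\hr\\final.docx"),   # same type: benign
       ("ws-hr-02", "2016-03-01T10:05:00",
        "\\\\fs01\\hr\\notes.txt", "\\\\fs01\\hr\\notes.md")]      # one change: benign
)

def extension(path):
    """Lower-cased final suffix of a Windows/UNC path ('.xlsx', '.encrypted', ...)."""
    return PureWindowsPath(path).suffix.lower()

def peak_rename_rate(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best

def suspicious_hosts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: peak count} for hosts whose extension-changing renames
    reach `threshold` inside one window. Ordinary saves and same-type renames
    do not count, which keeps a user bulk-renaming .docx files from tripping it."""
    per_host = defaultdict(list)
    for host, ts, old, new in events:
        if extension(old) != extension(new):
            per_host[host].append(datetime.fromisoformat(ts))
    peaks = {host: peak_rename_rate(t, window) for host, t in per_host.items()}
    return {host: n for host, n in peaks.items() if n >= threshold}

if __name__ == "__main__":
    for host, n in suspicious_hosts(SAMPLE_EVENTS).items():
        print(f"isolate {host}: {n} extension-changing renames inside {WINDOW}")
```

Feed it real rename events from file-server auditing and tune the window and threshold to the share's normal churn; the flagged host is the one to take off the network first.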
Top three ransomware containment tips: