If you got ransomware – now what? How can you recover and get back to normal?
Here are some images of ransomware from older posts on this blog:
Step-by-Step Schedule to Normality After a Confirmed Ransomware Attack
Recovering from a ransomware attack and ensuring no persistent hacker remains in your environment requires a structured, methodical approach. Here’s a recommended schedule to normality, focusing on both technical recovery and security assurance:
1. Immediate Containment and Isolation
- Disconnect affected systems from the network immediately to prevent further spread. (Me talking here – this advice is a bit Pollyannaish, but yes, if it is only one system, disconnect — TZ)
- Isolate backups and critical infrastructure to protect them from compromise. (If you have a good backup – restore into separate network if possible at first –TZ)
2. Initial Assessment
- Identify the scope of the attack: Which systems, data, and accounts are affected? (This is one of the most important steps to be able to come back in a quick manner –TZ)
- Preserve evidence for forensic analysis (logs, memory dumps, etc.).
3. Eradication of Threats
- Remove ransomware and malicious files from all affected systems. (Each of these steps in 3. is important to complete efficiently — TZ)
- Scan for persistence mechanisms (e.g., scheduled tasks, new user accounts, registry changes) and remove them.
- Check for lateral movement: Investigate if attackers moved to other systems or established backdoors.
4. Password and Credential Reset
- Reset passwords for all affected accounts, including privileged and service accounts, after the environment is cleaned and rebuilt. (This may seem obvious, but is still good to mention –TZ)
- Review and revoke suspicious or unnecessary access. (I need to add check registries, hidden files and directories — TZ)
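As an added example (not part of the original post), the read-only triage snapshot below supports step 3: it records scheduled tasks outside the Microsoft tree, local accounts, Run/RunOnce autostart entries and services whose binaries live outside the Windows directory, so the findings can be reviewed (and preserved as evidence, per step 2) before anything is removed. The report path is an assumed placeholder; run it elevated on the isolated host.

```powershell
# Added example, not from the original post: read-only persistence snapshot.
# It only reads and writes a JSON report; it removes nothing.
$ReportPath = 'C:\IR\persistence-snapshot.json'   # assumed path, adjust to your evidence share
$null = New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force

$snapshot = [ordered]@{
    Host      = $env:COMPUTERNAME
    Collected = (Get-Date).ToString('o')
}

# Scheduled tasks outside \Microsoft\, with the command each one actually runs
$snapshot.ScheduledTasks = Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        [pscustomobject]@{
            Name    = $_.TaskPath + $_.TaskName
            State   = $_.State.ToString()
            Actions = @($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() })
        }
    }

# Local accounts: newly created or re-enabled accounts are a common foothold
$snapshot.LocalUsers = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet

# Autostart entries in the classic Run/RunOnce keys (machine and current user)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$snapshot.RunKeys = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds
            if ($p.Name -notmatch '^PS') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Services whose binary is outside the Windows directory deserve a second look
$snapshot.Services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch [regex]::Escape($env:SystemRoot) } |
    Select-Object Name, StartMode, StartName, PathName

$snapshot | ConvertTo-Json -Depth 4 | Out-File -FilePath $ReportPath -Encoding utf8
Write-Host "Persistence snapshot written to $ReportPath (review by hand before removing anything)"
```

Compare the snapshot against a known-good host or a pre-incident baseline rather than judging entries in isolation; legitimate software also uses all four of these mechanisms.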
A standard search engine query uncovered an older Google Cloud post (Apr 30, 2024):
Ransomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting Infrastructure, Identities and Endpoints
The web page by Google Cloud points to this report.
From the report, here are an interesting point or two:
Organizations should proactively create isolated and segmented identities that are used for administrative access.
During an active incident, organizations should sever integrations between on-premises identity store (e.g., Active Directory) and infrastructure platforms and services. Examples include:
1. Active Directory integration with VMware Virtualized Infrastructure (VCenter)
2. Active Directory integration with Privileged Access Management solution
3. Active Directory integration with Backup solution
4. Active Directory integration with Cloud IAM services
During an incident containment phase, access to the organization's infrastructure platforms and services should be conducted using local administrator accounts (e.g., local VMware VCenter Admin account).
Local administrator accounts should adhere to the following principles:
1. Created with long and complex passwords
2. Passwords should not be stored within your password management or vault solution
3. Multi-Factor Authentication enforced
4. Create at least two distinct local accounts
Notice that the older Google post (not that old, it is from last year) recommends creating local accounts that the hackers do not have access to, in case they change the passwords or other problems arise. (It is always good to have a backup procedure.) If you need some specific advice, contact me.