This article describes what you should do if you are a victim of a ransomware attack: how to stop an attack that is still running, how to find where it came from, how to check that your security products still work, what your options for recovering files are, and why the infection reached your endpoints in the first place.
If you are a victim of an active ransomware attack, where files on your network are still being encrypted, switch off the affected machines immediately to prevent further damage. If you cannot reach a machine quickly, disconnect it from the network (pull the cable or disable Wi-Fi) as a minimum: this stops it encrypting network shares, although files on its local disk will continue to be encrypted until it is powered off. Be aware that powering off discards the contents of memory, so if a forensic investigation is planned and the encryption has already finished, isolate the machine from the network rather than switching it off.
To tell whether the attack has finished or is still running, watch whether new files are still being encrypted or disappearing. The date modified times on the encrypted files show when each was last written, which tells you how long ago the encryption ran and, if the newest ones are only minutes old, that it is probably still going on.
If you suspect that the ransomware originated from spam emails, advise your users to be extra vigilant against unsolicited emails that may already be in their inbox and to report anything suspicious.
Locating the source of the ransomware on your network will not only help you find all the encrypted files but also give insight into how the attack happened. This lets you change your security settings appropriately to reduce the risk of it happening again.
Most successful ransomware attacks are identified based on the following symptoms:
Submit samples of spam emails containing suspicious attachments to Sophos for analysis:
If you have no information on how the ransomware got onto your machines, start by locating the encrypted files. Most ransomware runs with the permissions of the user who launched it, so it can only encrypt files that user could write to. This narrows the search considerably when the encrypted files are in directories that only a single user or a small group can access.
Quite often you can find the account the ransomware ran as by looking at the owner shown in the properties of an encrypted file: a file that the ransomware created is owned by the account that created it. Do the following:
To identify owner details for all files in a folder, do the following:
If the owner details do not help, check which users had access to the locations where you found encrypted files. Looking at the date modified times of the encrypted files will also tell you when the attack started and in which folders it started.
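The steps above can be scripted so that a whole share is covered in one pass. The following PowerShell script is an added example, not part of the original article or a Sophos tool. It assumes the ransomware appends a known extension to encrypted files and drops a ransom note with a known file name in each folder; `$Root`, `$EncryptedExtension` and `$RansomNoteName` are placeholders you must change to match the family you are dealing with. It reports the time window of the attack (which also answers the "is it still active?" question from earlier), the owner of the encrypted files, and the folders that received ransom notes first.

```powershell
# Added example, not part of the original article: triage a share (or a local folder) for
# encrypted files and work out who encrypted them and when.
# Assumptions (all placeholders, adjust to the ransomware family you are dealing with):
#   $Root                - the folder or UNC share to scan
#   $EncryptedExtension  - the extension the ransomware appends to encrypted files
#   $RansomNoteName      - the file name of the ransom note it drops in each folder
param(
    [string]$Root               = '\\fileserver\shared',
    [string]$EncryptedExtension = '.locked',
    [string]$RansomNoteName     = 'README_DECRYPT.txt'
)

# Collect every encrypted file and ransom note together with its owner and last write time.
# Get-Acl reads the owner from the security descriptor, the same value Explorer shows under
# Properties > Security > Advanced.
$hits = @(
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq $EncryptedExtension -or $_.Name -ieq $RansomNoteName } |
        ForEach-Object {
            $owner = 'UNKNOWN'
            try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }
            [pscustomobject]@{
                Path          = $_.FullName
                Directory     = $_.DirectoryName
                Owner         = $owner
                LastWriteTime = $_.LastWriteTime
                IsNote        = ($_.Name -ieq $RansomNoteName)
            }
        }
)

if ($hits.Count -eq 0) {
    Write-Host "No files with extension $EncryptedExtension and no $RansomNoteName found under $Root"
    return
}

# 1. Time window. The earliest and latest write times bracket the attack; if the latest one is
#    only minutes old the encryption is probably still running somewhere on the network.
$sorted = @($hits | Sort-Object LastWriteTime)
$first  = $sorted[0].LastWriteTime
$last   = $sorted[-1].LastWriteTime
Write-Host ("First encrypted file or note written : {0}" -f $first)
Write-Host ("Most recent encrypted file or note   : {0}" -f $last)
if (((Get-Date) - $last).TotalMinutes -lt 15) {
    Write-Warning 'Files were written in the last 15 minutes: the attack may still be active.'
}

# 2. Owner. A file the ransomware created (most families write a new encrypted copy and delete
#    the original) is owned by the account the ransomware ran as. A family that overwrites files
#    in place leaves the original owner, and a member of the local Administrators group may show
#    the Administrators group as owner depending on policy, so treat this as a strong hint, not proof.
$hits | Where-Object { -not $_.IsNote } |
    Group-Object Owner | Sort-Object Count -Descending |
    Select-Object @{ n = 'Owner'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 3. Where it started. The folders that received a ransom note first are usually closest to the
#    machine or user the infection came from.
$hits | Where-Object { $_.IsNote } | Sort-Object LastWriteTime |
    Select-Object -First 10 LastWriteTime, Directory |
    Format-Table -AutoSize

# Keep the full list: it is evidence for the incident record and it tells you which files to
# preserve in case a decryptor for this family is released later.
$hits | Export-Csv -LiteralPath "$env:TEMP\ransomware-triage.csv" -NoTypeInformation
```

Run it from a machine that has read access to the share (Get-Acl needs permission to read the security descriptor, which ordinary users usually have on their own files). If the share is large, scope `$Root` to the department folders you suspect first; the owner count table is usually conclusive after a few thousand files.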
Once you have identified the users involved, find out whether they opened suspicious emails around that time or which websites they were browsing. Their inbox, deleted items and browsing history usually hold the answer. This will show you where your security is weak so that you can strengthen those areas.
After a ransomware attack it is important to ensure that your security products are working correctly. Many variants of ransomware encrypt files that installed software needs in order to run. A good example is .xml files, which programs commonly use to store configuration settings. As a result of this type of damage, you may have to reinstall software that no longer works correctly.
For Sophos products, check that they are updating correctly and reporting their status to your console. Resolve any errors and if a re-installation is required, do this as soon as possible. Make sure full scans are run on all affected machines.
Some ransomware includes a secondary payload that stays on the machine after the attack. If you are having trouble getting your security products to work, or suspect there might still be something malicious on the machine, use Sophos Clean. This tool detects and cleans up other malware left on the machine.
Most modern ransomware uses strong encryption such as RSA-2048 or AES-128, with the key held by the attacker. Without that key, recovering the files is computationally infeasible, so your only options are to restore from backups or to pay the ransom. If you pay the ransom, there is no guarantee that you will get your files back, or that you won't be targeted again.
Most files encrypted by ransomware cannot be restored. Occasionally, however, a variant turns out to be recoverable. This is possible if:
Unfortunately these scenarios are rare. If you are hit by ransomware, search the internet for a decryption tool for that specific family. Be careful about what you find: many of the tools offered are cleanup tools rather than decryptors. They do not restore the encrypted files; they delete them along with the ransom notes.
NOTE: If you do not have backups of the files that were encrypted, keep the encrypted copies rather than deleting them. A decryption tool might become available later, and it will need them.
NOTE: If you rely on Windows Volume Shadow Copies (the "Previous Versions" feature), be aware that most ransomware deletes them as part of the attack, so check whether any remain before counting on them.
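The check is quick to do. The following PowerShell script is an added example, not part of the original article or a Sophos tool. It lists whatever shadow copies remain for a volume and, if one exists from before the encryption started, exposes it as a folder so the unencrypted previous versions can be copied out. It assumes it is run from an elevated PowerShell on the affected machine; `$DriveLetter`, `$Before` (the time the encryption started, taken from the file times you found earlier) and `$MountPoint` (a path that does not exist yet) are placeholders.

```powershell
# Added example, not part of the original article: check whether Volume Shadow Copies survived
# on an affected machine and, if one from before the attack exists, expose it as a folder so
# unencrypted previous versions can be copied out.
# Assumptions (placeholders): run from an elevated PowerShell on the affected machine;
# $DriveLetter is the volume to check, $Before is when the encryption started,
# $MountPoint is a path that does not exist yet.
param(
    [string]  $DriveLetter = 'C:',
    [datetime]$Before      = (Get-Date).AddHours(-1),
    [string]  $MountPoint  = 'C:\shadow_restore'
)

# Win32_ShadowCopy.VolumeName holds the \\?\Volume{GUID}\ name, so map the drive letter first.
$volume = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
if (-not $volume) { throw "Volume $DriveLetter not found" }

$copies = @(
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object InstallDate
)

if ($copies.Count -eq 0) {
    # This is the common outcome: most families run 'vssadmin delete shadows /all /quiet' or the
    # equivalent WMI call before or after encrypting, precisely to stop this kind of recovery.
    Write-Warning "No shadow copies remain for $DriveLetter. Restore from offline backups instead."
    return
}

Write-Host "Shadow copies for ${DriveLetter}:"
$copies | Select-Object InstallDate, ID, DeviceObject | Format-Table -AutoSize

# Pick the newest snapshot taken before the encryption started. A snapshot taken after the
# attack contains the encrypted files, not the originals.
$target = $copies | Where-Object { $_.InstallDate -lt $Before } | Select-Object -Last 1
if (-not $target) {
    Write-Warning "All remaining shadow copies post-date $Before; they will contain encrypted files."
    return
}

# Expose the snapshot as a directory symbolic link. The trailing backslash on the device path
# is required by mklink. Files can then be copied out with Copy-Item or robocopy.
if (Test-Path -LiteralPath $MountPoint) { throw "$MountPoint already exists, choose another path" }
cmd.exe /c mklink /d $MountPoint "$($target.DeviceObject)\" | Out-Null
Write-Host "Snapshot from $($target.InstallDate) is available at $MountPoint"
Write-Host "Example: robocopy `"$MountPoint\Users`" D:\recovered\Users /E /COPY:DAT /R:1 /W:1"
Write-Host "When finished, remove the link with: cmd.exe /c rmdir $MountPoint"
```

Copy the recovered files to a separate, clean volume rather than back over the encrypted originals, and keep the encrypted originals as well (see the note above) in case a decryptor appears for files the snapshot did not cover. Remove the link with `rmdir` (not `Remove-Item -Recurse`, which would try to delete the contents) when you are done.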
For advanced restore options, see: Got ransomware? What are your options?
It is important to understand that if you were a victim of ransomware and it was able to execute on your endpoint machines, it got through all of your security, not just the anti-virus on the machine. Ransomware is not a single file but a multi-layered attack that touches several areas of your network. No single security feature can protect against every possible threat by itself. Security is made up of layers, and each layer has a specific area to protect. Many of these overlap and can communicate with each other for even more protection.
In the example of ransomware spread via spam email, your first layer of protection is your email gateway. Securing this layer lets you scan all emails for spam and malicious attachments; you can also combine it with a sandboxing product that executes the attachments in a safe environment so that detailed analysis is performed automatically. The Sophos products that can help you with this are:
For advice on how to prevent ransomware, please see this article: Ransomware: Information and prevention