Everyone loves surprises, right? Yeah, I know, me neither. That, and clowns. I don’t like either one, and when my inbox contains a surprise, I automatically go into fight-or-flight mode, scared to death that it’s either malware, or a pale-faced guy with a red nose and big feet. Actually, that’s not true, because I honestly cannot remember the last time my email contained any malware, because I scan all inbound mail at the gateway to ensure no malware gets in. I’m still worried about clowns though.

But since no antimalware solution, or combination of solutions, can be absolutely 100.000% effective, and with so many malware campaigns active at any point in time, the odds are good that eventually, something is going to get into your inbox. When your inbox has a surprise and it’s called malware, there are several steps you can take to help protect yourself, and minimize the potential damage. Here’s what you need to know.

An ounce of prevention…

Again, nothing out there is absolutely and completely guaranteed to NEVER miss, so we’re going with the presumption that something has gotten in. This is where a number of preventative measures, collectively applies as defense in depth, help to keep you secure. If you are doing these in your organization (and at home!) then even when a piece of ransomware is delivered to your inbox, you should still be safe.

  1. Don’t open attachments or click on links you were not expecting to receive.
  2. Confirm anything you weren’t expecting with the sender.
  3. Do not run your email or your browser as an admin or using an account with admin rights.
  4. Ensure your antivirus software running, updated, and is configured to scan all files and all activity including email.
  5. Have backups of all critical files. If you are using cloud-based sync solutions like OneDrive for Business, Dropbox, Box, et al, make sure versioning is on.
  6. Use web filtering solutions to protect users from malware hosted on websites. If you don’t have that at home, search the URL or FQDN for any link you receive online before clicking on it. Many websites hosting malware can be identified by search engines like Bing and Google.
  7. Make sure your operating systems and applications are all fully patched and up to date.

Don’t panic

If you or one of your users (or family members) has accidentally clicked on a link or opened an attachment that is or may be ransomware, stay calm. If you panic, you give the ransomware time it needs to infect files and spread the damage. You need to act quickly, but also calmly, to minimize the damages.

Contain the threat

If the workstation is on the network, disconnect it from the network immediately. Remove any USB keys or external drives that are attached. If it is at home, disable its Wi-Fi card or remove the Ethernet cable so it cannot phone home, sync encrypted files to the cloud, or attempt to find other systems to infect. You may even want to power the system off, and keep it powered off, until you can address the issue. Personally, I would pull the plug, but there have been a couple of ransomware infections that had bugs that permitted easy recovery, as long as the keys used were still in memory. Pulling the plug wipes that, so at the least, take the system offline so it cannot spread.

Search and destroy

If you are at work, and the email reached one of your users, odds are very good it reached others. You want to run a search and destroy (or sweep and clear if you’re with the M.A.F.) to get it out of anyone else’s email before they too click it. You can do this in Exchange very easily if you are an admin. Here’s how to Search for and delete messages in Exchange 2016, 2013, and 2010.

Recover what you can

One of the great things about cloud based storage solutions is that they automatically sync data from your local machine to the cloud. Of course, they will also sync encrypted files, so make sure versioning is enabled, and if you do fall victim to ransomware, use the web interface (from another computer) to recover the versions of the files from BEFORE the ransomware executed.

And since the victim machine has been compromised, you do not want to use it to clean up, nor do you even want it to connect to the network. But it may have data on it that you need. There are several bootable CD/DVD images available that can boot a computer, access the hard drive, and enable you to copy files to USB. Use your favourite search engine to find a bootable Linux image, or to find steps to create a bootable Windows image with your version of choice, and then boot from that to copy off critical files. Check each to ensure it’s readable, and then keep it handy for after you reimage.

To pay or not to pay

This is a decision only your management can make (or you if it’s personal.) If you have good backups that you can rely upon to recover data, paying just doesn’t make sense. But if you don’t, and that data is worth more than the price of the ransom demanded, it may make business sense to pay up. But you should do research and engage law enforcement before you do, as some ransomware campaigns have extorted ransom but never followed through with the recovery keys. Don’t just blindly pay up and hope for the best, and take a serious look at whether it makes financial sense to give in or just move on.

Clean up

To quote one of my favourite movies of all times, when it comes to a compromised system, you need to “take off and nuke the entire site from orbit. It’s the only way to be sure.” Delete the partitions, do a full format, and reinstall from scratch. Restore only the files you are sure are clean and that you recovered either from the cloud or from the bootable disk, AFTER you have fully updated, and installed a current antivirus package.

Lessons learned

Fix the problem, not the blame. Make sure everybody knows what happened, not to single out the person who made a mistake, but to make sure everyone has awareness of how easy a mistake is to make, and what to watch out for to ensure it doesn’t happen again. It will, but even if only one user thinks twice before opening an attachment, or calls you the moment they do instead of waiting to see what happens, it’s worth the time to make sure everyone is aware. Look at your border protections, like email filtering, to see if there’s a way the infection could have been blocked. A number of vendors offer “sandboxing” of email attachments before delivery to users, analyzing attachments’ behaviours to detect malware. It would be great if you had that in place before the first infection, but it will be easier to justify the costs to management after the first and before the second. If you didn’t have backup methods in place to protect data, this is a really good time to reevaluate that. Odds are good the lost productivity, costs to recreate lost data, and potential for lost business is greater than the cost of the backup solution. Getting it in place before the next time may not be a great help today, but it will sure be appreciated tomorrow!

Ransomware is, like so many other threats online today, a simple but brutal facet of being online. You can take steps to protect yourself, but you also need to know what to do when those protections fail. Keeping calm, having a plan, and containing the infection as quickly and as effectively as possible help to ensure that you keep damage to a minimum, so you can get back up and running quickly.