When you think about it, what is the single most terrifying thing about the ransomware epidemic? It’s not the encryption. Technically, that’s not any more dangerous than malware that simply deletes or corrupts your files. It’s not even the weird threat/possibility to get your files back. The real thing that devastated companies and made the ransom attacks effective was the fact that most ransomware is designed to attack your entire network.
Network-Wide Malware Attacks
It doesn’t just take out a single mobile device or workstation, whatever is infected first. It spreads, using any wifi or network cable connection it can find, to other devices on the network. From one device, a ransomware attack can take down every server and workstation in your entire business. It can take out the mobile devices and laptops, even potentially getting to your smart-office gadgets.
The most insidious ransomware spreads before striking, creating a coordinated malware program on every device in the network it can find before locking down all the company’s files and computers at once. That is the most terrifying thing about ransomware.
But the ransom element isn’t actually the important part. And, unfortunately, ransomware is simply the most flashy variety of malware with this function. Network-wide malware attacks are one of the biggest risks to business network security. It can be devastating, and the best way to prevent widespread damage if one finds its way in is to know exactly what to do.
Recognize the Signs
First, you (and your entire staff) will need to know the signs of a malware attack just warming up. This isn’t always possible, because well-designed malware can be incredibly sneaky. In some cases, a phishing email or poisoned USB drive will even open legitimate files in order to cover the activity of malware downloading itself, but there are signs.
If, for instance, a pop-up appears and disappears too quickly to read, if your computer performance or, worse, your internet speed suddenly takes a huge hit, if a program opens and then closes itself quickly, or if opening a simple document requires more resources than seem necessary, then you're probably dealing with malware.
There are also the more obvious signs, like pop-ups that stay up, an adware storm, or malicious icons that declare they are hacking your system. Hackers do occasionally go the blatant route, and the same steps should be taken either way.
Unfortunately, there’s no way to tell if it is or is not the network-spreading variety. So your best bet is to respond to all signs of a malware attack with maximum security.
After recognizing the signs, the first action any employee should take is to disconnect the device or computer immediately. This is to stop the malware from spreading. It’s too early to tell if the initial device is savable or not. But if you cut off network connection immediately, there’s a fair chance you can prevent the malware from spreading to your internal network. You might even cut off its download onto the original device.
If there is a hardline network cable plugged in, pull it. If there is a wifi adapter, disable it as quickly as humanly possible. You may be tempted to turn off the computer, but this could wipe critical information held in the computer's memory (RAM) that could be used to catch the hacker.
Report The Attack
Now that you’ve done what you can to stop the malware from spreading, it’s time to report the attack. Every hacker who is caught and every piece of malware preserved in-action is another step closer to a safe world for business data. Think about your computer like a box-and-stick trap. Your data was the bait, but now you’ve pulled the string and the malware is ready to be collected and tracked back to its origin.
Start by contacting IT or, if you are IT, begin your malware response procedure. Ideally, this will include visiting IC3 (the FBI's Internet Crime Complaint Center), the government's channel for reporting malware attacks, so that the hacker might potentially be found and forced to face consequences for their criminal activity.
If your business is subject to any compliance codes like GLBA, HIPAA, PCI, or SOX, you may need to report the attack through the proper channels as well, particularly once you know whether any data was actually exposed or whether you only caught a scrap of malware before it finished setting up. If the breach meets certain standards, you may need to report it to the Health and Human Services Office for Civil Rights.
If you can confirm that sensitive data was lost, especially banking or personal information, you will then need to contact law enforcement as well.
Factory Reset the Initial Device
The next step is to factory reset the device. If you feel up to it, you may be able to isolate the initial device from the network and then try to discover what kind of malware attacked. But only do this if you are already a malware expert and know how to disconnect from the network and handle malware in an infected computer.
Unless you are 100% certain the malware was eradicated from the initial device, factory reset it. Whether it is a desktop computer, laptop, or phone, only a full factory reset can reliably scrub malware from a system. Otherwise, leftover traces may let the malware respawn and renew its attack undetected.
Check Network Activity
Unfortunately, your work is not yet done. The next step is to make sure that the malware that infected the first device did not, in fact, make it into the rest of your network. The best way to do this is not to start virus scanning everywhere. Instead, check your network activity: you can know for sure whether that one computer sent anything to your internal network between infection and disconnection.
Data is sent in packets, and each time a computer communicates over the internet or your network, it sends and receives packets that your firewall, switches, or monitoring tools can log. So check those records for signs of the infected device exchanging traffic with other internal hosts during that window, and note every device it reached.
Virus Scan Entire Network
If the device did manage to communicate and send something out to your network, you may or may not be in trouble. If the malware escaped, it is absolutely necessary to identify where it has gotten on your network and eradicate it before it 'strikes' in whatever way it is programmed to, whether it is ransomware, spyware, or something more insidious.
The best way to start is to virus-scan your entire network. Check every device, particularly if you can track connection to the original device. Every endpoint, and even intermediate devices like routers, should be suspected as they can hold and pass on malicious code. And assume if the malware got onto even one device undetected that your entire network is at risk.
Network Monitoring Catches Lurking Malware
If you can't find anything, resort to deeper investigation using network monitoring tools. Network monitoring can show you almost every layer of data in your internal network, from motherboard temperatures to the packets of data hitting each endpoint. But most importantly, it can show you what is and is not normal for the network.
Network monitoring can actually spot lurking malware by identifying the resources it uses and the network messages it sends. Anything that doesn’t fit with your normal work activity from business software and websites should be investigated and suspected of being hidden malware processes.
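The two checks described above (whether the unplugged workstation reached any internal host between infection and disconnection, and which traffic does not fit the network's normal pattern) can both be run over ordinary connection logs. The script below is an added example, not code from the original post or from KTG or ESET. It assumes a constructed one-flow-per-line log format (timestamp, source, destination, destination port, bytes) and a baseline of known-normal (source, destination, port) triples; in practice you would replace both with your firewall, NetFlow, or EDR connection records and a baseline captured during a clean period.

```python
"""Hunt for signs that an infected workstation reached the internal network.

Added example, not part of the original post. Log format is constructed for
illustration: one flow per line, "<ISO timestamp> <src> <dst> <dport> <bytes>".
Only parse_flows() would need adapting for a real firewall or NetFlow export.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime

# RFC 1918 ranges: anything here counts as "internal network".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# File-sharing and remote-administration ports that spreading malware
# commonly uses to reach peers (assumption: adjust to your environment).
LATERAL_PORTS = {135, 139, 445, 3389, 5985, 5986}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed log format, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def internal_contacts(flows, infected_host, infected_at, disconnected_at):
    """Internal hosts the infected device reached between infection and unplugging.

    Returns {dst: sorted ports}; this doubles as the list of devices to scan first.
    """
    contacts: dict[str, set[int]] = {}
    for f in flows:
        if f.src != infected_host or not infected_at <= f.ts <= disconnected_at:
            continue
        if is_internal(f.dst):
            contacts.setdefault(f.dst, set()).add(f.dport)
    return {dst: sorted(ports) for dst, ports in contacts.items()}


def baseline_anomalies(flows, baseline):
    """Flows on lateral-movement ports that were never seen during the clean period.

    `baseline` is a set of (src, dst, dport) triples; each hit names a source
    host worth checking for a hidden malware process.
    """
    return sorted({(f.src, f.dst, f.dport) for f in flows
                   if f.dport in LATERAL_PORTS and (f.src, f.dst, f.dport) not in baseline})


# Constructed sample: 192.168.10.23 infected at 09:14, unplugged at 09:21.
SAMPLE_LOG = """
2024-03-04T09:05:00 192.168.10.23 192.168.10.5 445 2048
2024-03-04T09:15:10 192.168.10.23 203.0.113.10 443 51200
2024-03-04T09:16:02 192.168.10.23 192.168.10.41 445 8192
2024-03-04T09:16:03 192.168.10.23 192.168.10.42 445 8192
2024-03-04T09:17:30 192.168.10.23 192.168.10.42 3389 1024
2024-03-04T09:30:00 192.168.10.42 192.168.10.43 445 8192
"""
INFECTED_AT = datetime(2024, 3, 4, 9, 14)
DISCONNECTED_AT = datetime(2024, 3, 4, 9, 21)
# Constructed baseline: the workstation normally only talks to the file server.
BASELINE = {("192.168.10.23", "192.168.10.5", 445)}


def run_example():
    flows = parse_flows(SAMPLE_LOG)
    return {
        "contacts": internal_contacts(flows, "192.168.10.23", INFECTED_AT, DISCONNECTED_AT),
        "anomalies": baseline_anomalies(flows, BASELINE),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The first result tells you which internal devices the infected workstation touched in the window (here two peers on SMB, one also on RDP), which is exactly the list to virus-scan first. The second result also surfaces a later SMB connection from one of those peers to a third host, the kind of out-of-baseline traffic the network monitoring step is meant to catch.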
Update Your Reports
If your investigations reveal any more malware or breached data from the attack, it's important to update your report to IC3, compliance channels, and the police, depending on who should be involved in this breach. Don't forget to keep everyone in the loop and allow their teams to help with the investigations before taking further action to eradicate the malware in your system, as doing so could destroy valuable evidence for stopping the hacker or preventing this type of malware attack in the future.
Factory Reset Any Affected Devices
It goes without saying that any device you find that has been infected should be factory reset. This is the only sure way to get rid of malware, especially malware that is notorious for moving itself and spreading to new devices. Many companies will worry about factory resetting multiple devices, but if you’re prepared, this should be a minimal setback.
Restore from Comprehensive Backup
Finally, the best way to really thumb your company's nose at a malicious hacker is to have a comprehensive disaster recovery solution with offsite, image-based backups for all servers and applications.
This way, you could be recovering from a real network-wide malware attack in a matter of hours. What a hacker may have intended to devastate your company is no more than a minor setback. And with this approach, even a terrifying network-wide malware attack can be dealt with quickly, neatly, and with satisfying efficiency.
Take it from a healthcare company who has dealt with a fair share of attacks to their data. While the cause of this particular attack was not malware, the recovery method is similar. When their pharmacy fell victim to a destructive robbery, the team at Texas-based Complete Pharmacy Care was able to get back to business thanks to their business continuity solution. “Because of the physical damage, had we not been on the cloud we absolutely would have gone bankrupt because it would have taken us six weeks to rebuild all of the equipment. But because we could get on the cloud, we brought in laptops and dialed into the cloud and were able to start servicing patients by Tuesday. Had we not had a second copy of our data already up in the cloud, we would not be having this conversation.” Leonard Lynskey, CEO, Complete Care Pharmacy.
How You Can Help Prevent This From Happening in the First Place
One of the ways to help prevent a malware incident is to enforce a layered endpoint protection solution. KTG is proud to partner with ESET for endpoint security solutions. The fight against modern malware, which is dynamic and often targeted, requires a multi-layered approach. The more multi-layered your security, the fewer incidents you’ll need to resolve. ESET began incorporating proactive and smart technology into its scanning engine more than 20 years ago, and—thanks to the efforts of the global research labs—continues to add extra layers of protection.
Cloud Malware Protection System
The ESET Cloud Malware Protection System is one of several technologies based on ESET’s LiveGrid cloud system. Possible threats are monitored and submitted to the ESET cloud via the ESET LiveGrid Feedback System for automatic sandboxing and behavioral analysis.
Network Attack Protection
This extension of firewall technology improves detection of attacks against known vulnerabilities for which a patch has not yet been deployed. It also allows for faster and more flexible detection of malicious traffic.
Exploit Blocker
While ESET's scanning engine covers exploits that appear in malformed document files, and Network Attack Protection targets the communication level, our Exploit Blocker technology blocks the exploitation process itself. Exploit Blocker monitors typically exploitable applications (browsers, email clients, Flash, Java, and more) and focuses on exploitation techniques.
Advanced Memory Scanner
Advanced Memory Scanner is a unique ESET technology which effectively addresses an important issue of modern malware—heavy use of obfuscation and/or encryption. To tackle these issues, Advanced Memory Scanner monitors the behavior of a malicious process and scans it once it decloaks in memory.
Enhanced Botnet Protection
ESET Botnet Protection detects malicious communication used by botnets, and at the same time identifies the offending processes. Malicious communications are blocked and reported to the user.
Reputation & Cache
When inspecting a file or URL our products first check the local cache for known malicious or white-listed benign objects. This improves scanning performance. Afterwards, our ESET LiveGrid® Reputation System is queried for the object’s reputation.
DNA Signatures
DNA Signatures are complex definitions of malicious behavior and malware characteristics. While malicious code can be easily modified or obfuscated, object behavior cannot be changed so easily. Therefore DNA Signatures can identify even previously unseen malware which contains genes that indicate malicious behavior.
For more network security insights or to create your own set of easy-recovery system backups, contact us today!
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.