The main computer on your dispensary front counter has been acting funny all day, and suddenly your screen locks and a message pops up informing you that your files have all been encrypted and you must immediately pay a fee for the computer to work again. Perhaps an ominous countdown timer appears, threatening to wipe the entire machine if payment isn't made within the hour. You've been hit with a ransomware attack, and what matters right now is taking the correct first steps.
This is not the moment to swear, look for someone to blame, or check petty cash for the ransom amount. It's the time to immediately and deliberately disconnect the infected computer from anything and everything. Unplug the Ethernet cable. Turn off the Wi-Fi. Disable Bluetooth. Detach any external or USB drives. Take a picture of the screen showing the ransom note, and of an encrypted file name if you can, to help law enforcement and any responder identify which ransomware it is. Then power down the computer. One caveat: powering off erases the computer's memory, which in some cases holds evidence (occasionally even encryption keys) that a forensic responder can use, so getting the machine off the network is the priority, and powering it off is the fallback when you cannot reliably disconnect it. Repeat this process for any other infected machines that were connected to your network.
The sooner you act, the better your chances of limiting the damage. Ransomware typically spreads across a network, encrypting every computer, shared drive or other device it can reach, so if in doubt whether a desktop or laptop is on the network, disconnect it or turn it off.
Do you use the Remote Desktop Protocol (RDP, discussed in Michael B's opening article) to reach your systems remotely? Close any RDP port (TCP 3389 by default) that is reachable from the internet, at your router or firewall as well as on the machines themselves. You may think these ports are secure, but internet-exposed RDP is one of the most common entry points for ransomware operators, who guess weak passwords or log in with credentials stolen elsewhere.
Next, reset everyone's credentials. Assume that the criminals behind the attack have already compromised your administrator credentials and some or all of your user credentials. Resetting them can also cut off an attacker who is still inside your systems, provided you also sign out any sessions that are still open, since a password change alone does not end a session that is already logged in. Reset passwords system-wide: every user, every administrator account, no exceptions.
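The RDP shutdown and credential reset described above, as one added example (not code from the original article). It is written for an elevated Windows PowerShell 5.1 prompt on a domain-joined Windows server or domain controller that you still trust, and it assumes the RSAT ActiveDirectory module is installed; the firewall rule name and the output handling are illustrative choices.

```powershell
# Added example, not part of the original article. Run from an elevated
# PowerShell prompt on a Windows machine you still trust. Assumes a domain
# environment with the RSAT "ActiveDirectory" module; names are illustrative.

# --- 1. Who is connected over RDP right now? -------------------------------
# An Established connection from an address you do not recognise means the
# attacker may still be logged in; note the address before you cut it off.
Get-NetTCPConnection -LocalPort 3389 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, RemoteAddress, State, OwningProcess

# --- 2. Close RDP on this host ---------------------------------------------
# Turn off Remote Desktop, disable the built-in allow rules and add an explicit
# inbound block for TCP 3389. Any port-forward on the internet router must be
# removed separately; this only closes the host itself.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
New-NetFirewallRule -DisplayName 'IR: block inbound RDP' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -Action Block -Profile Any

# End every RDP or disconnected session that is still open. Run this at the
# physical console: if you are yourself connected over RDP it will log you off.
(quser 2>$null) | Select-Object -Skip 1 | ForEach-Object {
    if ($_ -match '^\s*>?(\S+)\s+(\S*)\s+(\d+)\s+(\w+)') {
        $user = $Matches[1]; $sess = $Matches[2]; $id = $Matches[3]; $state = $Matches[4]
        if ($sess -like 'rdp-tcp*' -or $state -eq 'Disc') {
            Write-Host "Logging off session $id ($user, $sess, $state)"
            logoff $id
        }
    }
}

# --- 3. Reset every enabled account to a fresh random password -------------
Import-Module ActiveDirectory

function New-RandomPassword {
    # 20 characters drawn from a CSPRNG; the small modulo bias is immaterial here.
    param([int]$Length = 20)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#$%&*+-=?@'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$newCreds = Get-ADUser -Filter 'Enabled -eq $true' | ForEach-Object {
    $plain = New-RandomPassword
    Set-ADAccountPassword -Identity $_ -Reset `
        -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)
    # Each person picks their own password at next logon. Accounts flagged
    # "password never expires" will report an error here; clear that flag first.
    Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
    [pscustomobject]@{ User = $_.SamAccountName; TempPassword = $plain }
}
# Hand these out in person. Do not e-mail them or save them on a network share
# the attacker may still be reading.
$newCreds | Format-Table -AutoSize
```

Domain-wide follow-up such as resetting the krbtgt account is worth doing with an incident responder's guidance rather than improvising it during the first hour.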
What you've now done is cut off the attacker's known routes into your network, which removes the immediate threat, but you're certainly not yet out of the woods. We trust that you have a complete set of backups. Before you rush to restore, though, make certain the backups themselves have not been encrypted and made useless, a common casualty of backups that live on the same network or on a drive that stays plugged in, rather than being kept offline or otherwise isolated from everything else. Test them by restoring a handful of files onto a clean machine and opening them.
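One way to check a backup set for signs of encryption before trusting it, as an added example that is not part of the original article. It runs under Windows PowerShell against a backup copy mounted on a clean machine; the backup path, the list of file types and the entropy threshold are assumptions chosen for illustration. It flags documents whose leading bytes no longer match their file type's signature, plain-text files whose bytes look random, and documents that have been renamed with an extra extension.

```powershell
# Added example, not part of the original article. Point $BackupRoot at a
# backup mounted read-only on a clean machine. Ransomware leaves files that no
# longer start with their normal signature, or renames them (invoice.pdf.locked),
# so the check looks for both; the thresholds and file types are assumptions.

# Leading bytes these common formats always begin with.
$Signatures = @{
    '.pdf'  = [byte[]](0x25, 0x50, 0x44, 0x46)   # "%PDF"
    '.docx' = [byte[]](0x50, 0x4B, 0x03, 0x04)   # ZIP container, "PK\3\4"
    '.xlsx' = [byte[]](0x50, 0x4B, 0x03, 0x04)
    '.zip'  = [byte[]](0x50, 0x4B, 0x03, 0x04)
    '.png'  = [byte[]](0x89, 0x50, 0x4E, 0x47)
    '.jpg'  = [byte[]](0xFF, 0xD8, 0xFF)
}

function Get-ByteEntropy {
    # Shannon entropy in bits per byte: plain text sits around 4-5, ciphertext near 8.
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [Math]::Log($p, 2) }
    }
    return $h
}

function Test-BackupFile {
    # Returns a reason string if the file looks encrypted or renamed, else $null.
    param([System.IO.FileInfo]$File)
    $head = New-Object byte[] 4096
    $fs = $File.OpenRead()
    try { $n = $fs.Read($head, 0, $head.Length) } finally { $fs.Dispose() }
    if ($n -eq 0) { $head = [byte[]]@() } elseif ($n -lt $head.Length) { $head = $head[0..($n - 1)] }
    $ext = $File.Extension.ToLowerInvariant()

    if ($Signatures.ContainsKey($ext)) {
        $sig = $Signatures[$ext]
        $ok = ($n -ge $sig.Length)
        for ($i = 0; $ok -and $i -lt $sig.Length; $i++) { $ok = ($head[$i] -eq $sig[$i]) }
        if (-not $ok) { return "signature mismatch for $ext" }
    }
    elseif ($ext -in '.txt', '.csv', '.log', '.xml', '.json') {
        $e = Get-ByteEntropy $head
        if ($e -gt 7.0) { return ('text file with entropy {0:N2} bits/byte' -f $e) }
    }
    elseif ($File.BaseName -match '\.(pdf|docx?|xlsx?|jpe?g|png|zip)$') {
        # A document with a second extension tacked on is the classic rename.
        return "renamed document: $($File.Name)"
    }
    return $null
}

$BackupRoot = 'E:\backup\2024-05-01'   # assumption: adjust to your backup copy
$suspect = Get-ChildItem -Path $BackupRoot -Recurse -File | ForEach-Object {
    $reason = Test-BackupFile $_
    if ($reason) { [pscustomobject]@{ File = $_.FullName; Reason = $reason } }
}
if ($suspect) {
    Write-Warning "Backup shows signs of encryption: $($suspect.Count) suspect file(s)"
    $suspect | Format-Table -AutoSize
} else {
    Write-Host 'No files look encrypted. Still restore a few and open them by hand.'
}
```

A clean result from this check is not proof the backup is good; it only rules out the obvious damage. Restoring a sample of files and opening them remains the real test.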
If you don't have backups, or what you have is incomplete, your only remaining option may be to contact a data recovery firm that specializes in ransomware incidents, including negotiating with the criminals on your behalf. Contacting the criminals yourself is seldom a good idea, and whatever you decide, report the incident to law enforcement. But of course, you do have proper backups, don't you?