Asurgent cybersecurity blog: Dealing with ransomware

Ransomware is a more widespread and devastating form of cybercrime. It doesn’t discriminate between large corporations, small businesses or home users. Anyone can be targeted. This malicious software encrypts your files and holds them hostage until a payment is made, usually in cryptocurrency such as Bitcoin to ensure the attacker’s anonymity. While the concept is simple, its implications are severe, often leaving victims struggling with operational paralysis, financial losses, and damaged reputations.

Even when the attack is simulated, the psychological impact can be profound. Some individuals (me?) or IT professionals test their defenses by deliberately simulating a ransomware attack in a controlled environment. Even knowing that you orchestrated the scenario yourself doesn’t lessen the reaction when you see the ransom note on your screen. The reality of having your data inaccessible, even for a test, is a chilling reminder of the consequences such an attack could bring if it were malicious. It drives home just how invasive and disruptive ransomware can be, reinforcing the importance of preparation and defense. 

Don't panic

The first rule when facing ransomware is to avoid panic. It is natural to feel a sense of urgency to resolve the situation, but impulsive actions often exaggerate the problem. Your initial response plays a crucial role in determining the outcome. This is not just a technical issue; it’s a strategic challenge that requires both level-headed thinking and informed decision-making.

The really first action is to isolate the affected system. Ransomware spreads quickly through networks, exploiting existing vulnerabilities and infecting connected systems. Disconnecting the compromised device from the internet and internal networks is essential to contain the attack. It can be thought of as cutting off oxygen to a fire - it doesn’t extinguish the flames, but it prevents the blaze from spreading. If you’re in a corporate environment, this step should be carried out under the guidance of your IT and security team to ensure minimal disruption.

Once the affected system is isolated, do not attempt to reboot or tamper with the device. Ransomware variants are designed to detect such actions, and many have mechanisms to delete files or escalate encryption when tampering is detected. Every step you take needs to be deliberate and informed by best practices, as your actions at this stage can significantly impact recovery efforts. 

Documentation, all the time, every time

Documentation is a vital next step. Take clear photographs of the ransom note, capturing any payment instructions or communication methods provided by the attacker. Retain emails or other correspondence that may shed light on how the ransomware was introduced into your system. This evidence not only aids law enforcement and cybersecurity professionals in understanding the scope of the attack but also contributes to broader efforts to combat ransomware at a global level.

Engaging with the attackers is strongly discouraged. Although it may feel tempting to negotiate for the decryption key, paying the ransom funds criminal enterprises and encourages further attacks. Worse, there is no guarantee that paying will result in the recovery of your data. In fact, many victims report receiving non-functional decryption tools or being asked for additional payments after the initial ransom. Avoid any direct communication unless instructed to do so by law enforcement or a cybersecurity expert.

Call a friend

At this stage, involving the right people becomes critical. If you’re a business, escalate the incident to your security operations team or a managed service provider such as Asurgent. Home users should reach out to reputable cybersecurity firms that specialize in ransomware recovery. Simultaneously, report the incident to the appropriate authorities, such as the MSB, Police or other suitable cybercrime units. Law enforcement agencies maintain repositories of ransomware strains and may have resources to help decrypt your files without paying the ransom.

The focus now shifts to assessing the extent of the damage. Identify which files and systems have been encrypted and determine whether the attack has reached critical assets or backups. For businesses, this process often involves consulting system logs and network monitoring tools to trace the ransomware’s entry point and propagation path. Knowing the scope of the attack is essential for effective containment and recovery. 

Backups

If you have backups in place, this is the moment when they prove their value. Restoring from a clean, recent backup can bypass the need to engage with attackers entirely. However, backups are not immune to ransomware. Many modern strains are designed to seek out and encrypt connected backup systems. For this reason, ensuring that your backups are stored offline or in immutable storage is critical. Before initiating a restoration, verify that the ransomware has been fully removed to prevent reinfection.

The situation becomes more challenging for organizations without accessible backups. Decrypting ransomware without the attacker’s key is a complex task that requires specialized expertise. Some cybersecurity firms and nonprofit organizations maintain databases of known ransomware strains and corresponding decryption tools. Consulting these resources can sometimes yield a solution, particularly if the cybersecurity community has previously analyzed the ransomware variant.

While the immediate priority is recovering data and resume operations, the long-term goal must be preventing future incidents. Ransomware thrives on exploiting vulnerabilities, both technological and human. Addressing these vulnerabilities is critical to fortifying your defenses against future attacks. 

One of the most common entry points for ransomware is phishing emails. These messages often contain malicious attachments or links designed to deceive recipients into unintentionally granting access to their systems. Training users to recognize the signs of phishing attempts is one of the most effective ways to reduce this risk. Look for subtle clues such as misspelled email addresses, urgent language or unexpected attachments.

Patch and update

Keeping software and systems up to date is another fundamental defense. Ransomware frequently exploits unpatched vulnerabilities in operating systems, applications, and network devices. Regularly applying security updates and patches ensures that attackers cannot exploit known weaknesses. For businesses, implementing a robust patch management policy is non-negotiable.

Technology also plays a critical role in mitigating ransomware risks. Endpoint protection software, firewalls, and intrusion detection systems provide layers of defense that can stop ransomware before it executes. Advanced solutions such as behavioral analysis can identify suspicious activity, such as the rapid encryption of files, and take automated action to halt the process. Network segmentation adds another layer of security by isolating critical systems and preventing the lateral movement of ransomware within an organization.

Implementing strong access controls and authentication mechanisms is equally important. Many ransomware attacks leverage compromised credentials to gain access to systems. Enforcing the use of multi-factor authentication and least-privilege access principles reduces the likelihood of unauthorized access. Regularly auditing user accounts and permissions ensures that only authorized personnel have access to sensitive systems and data.

For businesses, having an incident response plan for ransomware is crucial. This plan should outline the steps to take in the event of an attack, including who to notify, how to isolate affected systems, and the process for restoring operations. Regularly testing this plan through simulated attacks ensures that employees and stakeholders know their roles and responsibilities during a real incident.

Share knowledge

Despite best efforts, the emotional and operational impact of a ransomware attack can be devastating. Beyond the financial costs of recovery, the breach of trust and sense of vulnerability can prevail. For organizations, this often means reassessing not just their cybersecurity posture but also their broader risk management strategies. For individuals, it may serve as a wake up call to adopt better digital hygiene practices.

The fight against ransomware is a collective effort. All play a role in reducing its impact. Sharing knowledge, reporting incidents, and investing in cybersecurity are all essential components of this effort. As attackers evolve their tactics, defenders must innovate and adapt. Collaboration between the public and private sectors, alongside advances in technology, provides a path forward.

Ultimately, ransomware is a stark reminder of the interconnected nature of the digital world. While it poses significant challenges, it also offers opportunities for growth, resilience, and innovation. By staying informed, prepared, and vigilant, individuals and organizations can turn the tide against ransomware, protecting what matters most in an increasingly digital landscape. 

Ransomware typically follows a structured attack lifecycle

1. Initial Access: Delivered via phishing emails, malicious links, or exploits targeting vulnerabilities (e.g., RDP, SMB flaws).
2. Execution & Persistence: Once executed, the malware may escalate privileges (using tools like Mimikatz) and establish persistence through registry edits, scheduled tasks, or services
3. Discovery & Lateral Movement: Scans for connected drives and network shares, using tools like PsExec or PowerShell for propagation. 
4. File Encryption: Encrypts files with a symmetric key (e.g., AES-256), which is then encrypted with the attacker’s public key (e.g., RSA). This ensures only the attacker can provide decryption.
5. Ransom Note & C2 Communication: Drops a ransom note with payment instructions and reports victim details to a Command and Control (C2) server.

Advanced ransomware may also exfiltrate data (double extortion) or perform DDoS attacks (triple extortion). Prevention strategies include regular backups, patching, and implementing robust endpoint detection solutions.