In a recent survey by Knowbe4, ransomware has become one of the biggest concerns for business executives. In 2013, for example, $27 million was paid out when Cryptolocker began its life. Eighteen months later, that number jumped to $325 Million.
A single piece of ransomware that’s popular called the RSA 2048 would need an estimated 6 Quadrillion years to decrypt and remove without the ransom keys. The trick is to know how to limit the damage when you are infected.
- Identifying a Ransomware virus: Many ransomwares begin the same way. Through social engineering and phishing, they make an email look legitimate thus tricking users into clicking infected files. The ransomware, once open, infects the computer and makes files inaccessible before showing a sign they are locked down and encrypted. Emails, free downloads and infecting your remote desktop protocols are the easiest ways for this to occur. A ransomware virus will provide a popup screen with instructions on what to do in order to unlock your files including the amount you have to pay.
- Limiting the damage: Once infected, limit the scope. Disconnect your WIFI, Bluetooth and any network connections viruses like this can spread throughout other computers on your networks, including desktops and even your back-ups. Shutting down all your computers on your network just might be possible but your IT team should be notified immediately to determine the extent of the problem, and what files and users are infected. Part of the investigation (Forensics), will determine where the virus came through, such as emails, external drives, USB memory sticks and other storage devices. It will be necessary to determine what happened and the type of ransomware before you determine how to limit further damage and what to do next. Finally try and locate backups.
- First response- You have multiple options to consider when restoring functionality:
- Restore it from a backup: Using shadow files and restore it from a restore point. There is a danger in that ransomware might destroy these shadow copies then clean up your computer.
- Decrypting it: This involves getting an outside company to come in and find the right key to unlock it.
- Do Nothing: Essentially give up the computer in its current state. This involves running virus scans several times or wiping the hard drive and rebuilding. This could be a boon as your IT specialist could find the decryption key. Take the steps to prevent it, with new antivirus software and training your staff.
- Pay the ransom: Many security companies recommend against it, but if your desperate and you have the funds, pay it and the ransomware will go away. Even though this is what they want, this maybe your only recourse.
Ransomware is highly dangerous and ever changing. The best defense to be prepared for it. If you are breached take the steps necessary to limit the scope and scale of the attack.
 The Above is taken from the Knowbe4 Hostage Rescue Manual