Ransomware

The main aim of post-incident clean-ups is to find the infection route and prevent a new infection. Reinstall the affected systems and restore data using existing backups. If the necessary expertise is not available in your company, seek support from a specialised company.

For further information, see :
Encryption Malware - What next?

Regularly make a backup of your data. The backup should be stored offline, i.e. on an external medium such as an external hard drive. Therefore, make sure that the medium where the backup is saved is disconnected from the computer after the back-up procedure is complete. Otherwise, data on the back-up medium might be encrypted and rendered unusable in the event of a ransomware attack.

Provide employees with training on how to deal with email.

You can further strengthen your IT infrastructure's protection against malware (such as ransomware) by using Windows AppLocker, which allows you to define which programs can be run on the computers in your company.

Block the receipt of dangerous email attachments on your email gateway. A more detailed and updated list can be found on the GovCERT website at: https://www.govcert.ch/downloads/blocked-filetypes.txt

Make sure that dangerous email attachments like these are also blocked if they are sent to recipients in your company in archive files such as ZIP and RAR, or even in encrypted archive files (e.g. in a password-protected ZIP file).

In addition, all email attachments containing macros (e.g. Word, Excel or PowerPoint attachments that contain macros) should be blocked.

Rendering data unusable on the computer

Financial loss in the event of payment of the ransom

Existential threat to companies if the backup was also encrypted

For further information, see:
Encryption Malware - What next?