The following points are to be observed in the event of an incident involving ransomware:
Disconnect infected systems from the network immediately. To do this, disconnect the network cable from the computer and switch off any WLAN adapters you may have.
Caution: Never switch off infected devices until the malware has been analysed (e.g. by the police, NCSC or a specialised company).
Identifying infected systems
Log files can help identify affected systems, e.g. by using them to detect access to network drives. The metadata of encrypted files can also provide information about infected systems, e.g. which user accounts created the files. Back up your log files.
Using the logs of the email server, proxy server and firewall, and of any other security software, the extent of an infection can be determined and the URLs and IP addresses of the attackers' infrastructure can be identified. Block these URLs and IP addresses on the internal proxy server or firewall; this prevents any further connection to the attackers' infrastructure. In the case of an infection by email, the relevant links (URL or IP address) can often be read directly from the email itself (hyperlink) or from its attachment.
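The following is an added illustration of the log review described above; it is not the NCSC's own tooling. It assumes a simple proxy log format (timestamp, client IP, method, URL, status) and uses constructed log lines and placeholder indicators (a documentation-range IP and a reserved `.invalid` name), not real attacker infrastructure. It reports which internal hosts contacted the indicators, when each was first seen, and splits the indicators into the IP and hostname lists a firewall or proxy blocklist would take.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log: "<ISO time> <client> <method> <url> <status>" (assumed format)
SAMPLE_PROXY_LOG = """\
2024-03-04T08:12:01Z 10.0.5.23 GET http://203.0.113.45/gate.php 200
2024-03-04T08:12:09Z 10.0.5.23 POST http://update-check.invalid/upload 200
2024-03-04T08:13:40Z 10.0.7.11 GET https://www.example.com/ 200
2024-03-04T08:15:02Z 10.0.5.40 GET http://203.0.113.45/gate.php 200
2024-03-04T09:01:55Z 10.0.7.11 POST http://update-check.invalid/upload 403
"""

# Constructed placeholder indicators (e.g. taken from a phishing email or an earlier log review)
INDICATORS = {"203.0.113.45", "update-check.invalid"}


def parse_line(line):
    """Split one proxy log line into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    host = urlparse(url).hostname
    if host is None:
        return None
    return {"ts": ts, "client": client, "method": method,
            "host": host.lower(), "status": status}


def find_affected_hosts(log_text, indicators):
    """Return {client_ip: {"first_seen", "count", "indicators"}} for every
    internal client that tried to reach an indicator. Blocked attempts
    (e.g. HTTP 403) still count: the host made the attempt and is suspect."""
    wanted = {i.lower() for i in indicators}
    affected = defaultdict(lambda: {"first_seen": None, "count": 0, "indicators": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in wanted:
            continue
        entry = affected[rec["client"]]
        entry["count"] += 1
        entry["indicators"].add(rec["host"])
        # ISO-8601 timestamps with a fixed zone sort lexically, so min() is the earliest
        if entry["first_seen"] is None or rec["ts"] < entry["first_seen"]:
            entry["first_seen"] = rec["ts"]
    return dict(affected)


def split_blocklist(indicators):
    """Separate indicators into IP addresses and hostnames, since firewalls
    block the former and proxies typically block the latter."""
    ips, names = [], []
    for ind in indicators:
        try:
            ipaddress.ip_address(ind)
            ips.append(ind)
        except ValueError:
            names.append(ind.lower())
    return sorted(ips), sorted(names)


if __name__ == "__main__":
    for client, info in sorted(find_affected_hosts(SAMPLE_PROXY_LOG, INDICATORS).items()):
        print(f"{client}: first seen {info['first_seen']}, "
              f"{info['count']} attempts, {sorted(info['indicators'])}")
    ips, names = split_blocklist(INDICATORS)
    print("block IPs:", ips)
    print("block names:", names)
```

The "first seen" timestamp per host is what lets you order the spread of the infection and decide which systems to disconnect and image first; the two blocklists are the input for the proxy and firewall rules the text calls for.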
The NCSC recommends filing criminal charges in any case. Consider early on whether you want to take this step. The cantonal police at your place of business are responsible for this. You can find the police station for your area on the "Suisse ePolice" website.
The police will advise you on how to proceed, especially with regard to communication with the perpetrators and how to behave towards them. Discuss whether it is advisable for the police to be called out immediately to provide support.
Decide at an early stage whether a forensic investigation should be carried out. This is particularly important if you want to file criminal charges. In this case, inform the prosecution authorities at an early stage and discuss the next steps (monitoring the malware, countermeasures, etc.).
Cached data and hard disks should be properly backed up by a specialist employee or service provider before any further repairs are attempted or the affected systems are restarted. After that point, forensic investigation is almost impossible.
Backing up encrypted data
If the backup was also encrypted, it is recommended to keep and back up the encrypted data so that it can be decrypted at a later time, should a solution be found. In some cases, security and prosecution authorities have been able to gain access to keys or decryption methods during their investigations.
Reinstalling affected systems
Before you start restoring the data, you must reinstall the infected systems. The operating system used should come from a trusted data storage device.
Under certain circumstances, partial or complete recovery of the data is also possible without a backup. Decryption may work if:
- the ransomware did not encrypt or delete shadow copies in Windows;
- snapshots of virtual machines or previous file versions exist in cloud services;
- the forensic restoration of deleted files is possible;
- the ransomware contains errors in its encryption function or the decryption key is known.
Nomoreransom.org (https://www.nomoreransom.org/) offers tips on identifying malware and the possibility to download known keys. It is a joint project by the Dutch police and Europol, in which the Swiss Confederation also participates.
Advice on ransom payments
The NCSC recommends not paying a ransom. Once the ransom has been paid, there is no guarantee that the criminals will not publish the data anyway, or otherwise try to profit from it. Moreover, every successful ransom attempt motivates the attackers to continue, finances the further development of attacks and encourages their spread.
If you are still considering paying the ransom, the NCSC urgently recommends that you discuss this step with the cantonal police.