How to Recover From a Ransomware Attack

HISTORY OF ATTACK

  • 1st Attack: 2019-Nov-20
  • 2nd Attack: 2020-Jan-9, encrypted files with the “Harma” suffix
  • 3rd Attack: 2024-Feb-14, encrypted files with the “.mkp” extension


RECOVERY

  1. Shut down all PCs on the network.
  2. Disconnect all LAN/ethernet cables and disable the Wi-Fi connection on all PCs to prevent any LAN or internet connection.
  3. A PC is infected by ransomware if the files on the PC are encrypted and cannot be opened.
  4. One by one, connect each PC to the internet, update the virus definitions of Windows Defender (or the anti-virus software) and run a full scan.
  5. Take note of the date and time the files were encrypted on each PC.
  6. The PC whose encrypted files have the earliest date & time is the first PC that was infected.
  7. On another clean PC that is not connected to the LAN, run a full scan on the back-up files and the Windows system image that were created by Windows Backup.
    1. If you do not have any back-up of files and a recent copy of the Windows image file from before the attack, then recovering from the ransomware attack is impossible.
  8. Once the back-up files are scanned and certified clean, create another back-up copy of all back-up files and the Windows system image onto a separate external hard disk.
    1. In case the back-up files and Windows system image become infected while doing the restore, you still have a back-up copy.
  9. After all PCs are scanned and cleaned by Windows Defender (or any anti-virus software), one by one:-
    1. restore each PC using a Windows system image dated earlier than the date of the ransomware attack;
    2. run Windows Update to install all Windows security updates (KB);
    3. use Windows Defender (or any anti-virus software) to run a full scan to ensure that there is no trace of ransomware after Windows has been restored;
    4. then finally restore all files that were encrypted by ransomware from Windows Backup and Restore or from File History.
  10. DO NOT connect all PCs to the LAN at the same time.
  11. One by one, connect each PC to the LAN and internet and monitor whether any files become encrypted. If none do, connect another PC to the LAN. Repeat until all PCs are connected to the LAN and internet.
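The triage in steps 5, 6 and 11 can be scripted. The following PowerShell is an added example, not part of the original guide: it looks for the extensions named under HISTORY OF ATTACK, records the earliest encryption time for this PC, and watches for new encrypted files after the PC is reconnected. The scan roots, output folder and task names are placeholders to adjust per PC.

```powershell
# Added example (not part of the original guide): triage helper for RECOVERY steps 5, 6
# and 11. The extensions are the ones named in HISTORY OF ATTACK; the scan roots and
# output folder are placeholders to adjust per PC. Run it on each isolated PC.
$EncryptedPatterns = @('*.mkp', '*.harma')   # .mkp (2024 attack), Harma suffix (2020 attack)
$ScanRoots         = @('C:\Users', 'D:\')    # placeholder: data locations on this PC
$OutDir            = 'E:\triage'             # placeholder: a clean USB stick, one CSV per PC

function Find-EncryptedFiles {
    param([string[]]$Roots, [string[]]$Patterns)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include $Patterns -ErrorAction SilentlyContinue |
            Select-Object FullName, LastWriteTime
    }
}

# Step 5: the earliest LastWriteTime among encrypted files is when encryption began on
# this PC; comparing the per-PC CSVs gives the first PC infected (step 6).
function Get-EarliestEncryption {
    $files = @(Find-EncryptedFiles -Roots $ScanRoots -Patterns $EncryptedPatterns)
    if ($files.Count -eq 0) { return $null }
    $first = $files | Sort-Object LastWriteTime | Select-Object -First 1
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Count     = $files.Count
        Earliest  = $first.LastWriteTime
        FirstFile = $first.FullName
    }
}

# Step 11: after a PC is reconnected to the LAN, raise an alert the moment a new file
# with the ransomware extension appears (FileSystemWatcher.Filter takes one pattern).
function Watch-ForEncryption {
    param([string]$Root, [string]$Pattern = '*.mkp')
    $watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $Root
    $watcher.Filter = $Pattern
    $watcher.IncludeSubdirectories = $true
    Register-ObjectEvent -InputObject $watcher -EventName Created -Action {
        Write-Host "ALERT: encrypted file created: $($Event.SourceEventArgs.FullPath)"
    } | Out-Null
    $watcher.EnableRaisingEvents = $true
    return $watcher
}

$result = Get-EarliestEncryption
if ($null -eq $result) { Write-Host "No known ransomware extensions found on $env:COMPUTERNAME"; exit }
$result | Format-List
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$result | Export-Csv -Path (Join-Path $OutDir "$($env:COMPUTERNAME).csv") -NoTypeInformation
```

Call `Watch-ForEncryption -Root 'D:\'` in the same session after reconnecting a PC in step 11; keep the returned watcher in a variable so it is not garbage collected.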


PREVENTION

  1. Usually, ransomware arrives as an attachment in e-mail; if e-mail has been identified as the entry point of the attack, then change the e-mail address.
  2. Enable e-mail redirection of non-spam mail to the new e-mail address.
  3. Delete the old e-mail address that is constantly being attacked by spammers once all customers, suppliers, etc. have been notified of the new e-mail address.
  4. Configure the e-mail client, e.g. Thunderbird:-
    1. NOT to download or retrieve the full contents of e-mail;
    2. to download e-mail without any attachments, or only the header of the e-mail;
    3. to download the full message with attachments only if the e-mail is from a known sender.


SECURITY

  1. Create 2 user accounts in Windows on UBS-SERVER:-
    1. administrator account
      • only the administrator can perform back-up and access the back-up files on the external hard disk
    2. standard user account — log into this account to run 24 hours
  2. Run UBS-SERVER 24 hours using the standard user account (do NOT use the administrator account).
  3. If possible, avoid running UBS-SERVER 24 hours x 7 days; set UBS-SERVER to sleep or shut down at 10 pm every night and wake up at 8 am every morning:-
    1. use Task Scheduler to put the PC to sleep at night;
    2. use a BIOS setting to boot up the PC in the morning, or use Task Scheduler to wake up the PC.
      1. if using Task Scheduler, ensure that “Allow wake timers” is enabled
  4. Change the RDP port number after recovering from a ransomware attack.
  5. Set the anti-virus software to perform a full scan every day instead of a quick scan on each PC.
  6. Remove all Windows user accounts and replace them with new user accounts, as the hacker may have obtained the Windows user accounts.
  7. Review Windows Firewall — remove any unused applications or ports.
  8. For the external hard disk drive that is used for back-up, allow only 1 user, “administrator”, to access the hard disk. Do not make folders and files available to “everyone”.
  9. For SERVERLINK:-
    1. configure Brute Force
    2. set the time period that allows external RDP connections to Working Hours
    3. enable the Ransomware feature
    4. set Homeland to only allow IP addresses from the home country
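Step 3 above (sleep at 10 pm, wake at 8 am, “Allow wake timers” enabled) can be set up from an elevated PowerShell prompt on UBS-SERVER. This is an added example, not the guide's own script: the task names, the use of the SYSTEM account, and the harmless wake command are assumptions.

```powershell
# Added example (not from the original guide): implements SECURITY step 3 with Task
# Scheduler and powercfg. Task names and the SYSTEM account are assumptions; run from
# an elevated PowerShell prompt on UBS-SERVER.
$SleepAt = '22:00'   # 10 pm, as in the guide
$WakeAt  = '08:00'   # 8 am

# Step 3.1: a daily task that puts the PC to sleep. SetSuspendState 0,1,0 requests
# sleep; if hibernation is enabled on the PC it hibernates instead.
$sleepAction  = New-ScheduledTaskAction -Execute 'rundll32.exe' -Argument 'powrprof.dll,SetSuspendState 0,1,0'
$sleepTrigger = New-ScheduledTaskTrigger -Daily -At $SleepAt
Register-ScheduledTask -TaskName 'UBS-Server-Sleep' -Action $sleepAction -Trigger $sleepTrigger `
    -RunLevel Highest -User 'SYSTEM' -Force | Out-Null

# Step 3.2.1: "Allow wake timers" must be enabled in the active power plan
# (sleep subgroup SUB_SLEEP, setting RTCWAKE, 1 = enable) for both AC and DC power.
powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP RTCWAKE 1
powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP RTCWAKE 1
powercfg /setactive SCHEME_CURRENT

# Step 3.2: a morning task whose only purpose is to carry the "Wake the computer to
# run this task" setting; the command it runs does nothing.
$wakeAction   = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument '/c exit 0'
$wakeTrigger  = New-ScheduledTaskTrigger -Daily -At $WakeAt
$wakeSettings = New-ScheduledTaskSettingsSet -WakeToRun -AllowStartIfOnBatteries
Register-ScheduledTask -TaskName 'UBS-Server-Wake' -Action $wakeAction -Trigger $wakeTrigger `
    -Settings $wakeSettings -User 'SYSTEM' -Force | Out-Null

# Verify: both tasks are registered and the wake task really has WakeToRun set.
Get-ScheduledTask -TaskName 'UBS-Server-*' |
    Select-Object TaskName, State, @{ n = 'WakeToRun'; e = { $_.Settings.WakeToRun } }
```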


BACK-UP PROCEDURE

  1. Create a back-up policy that backs up files and the Windows image to these locations:-
    1. an external hard disk that is connected to the LAN;
    2. cloud or web hosting that is connected via the internet;
    3. a removable external hard disk that is NOT connected to the LAN or internet.
  2. Back up all files using Windows Backup on a daily basis to the external hard disk that is connected to the LAN.
  3. Save the Windows image using Windows Backup on a weekly or daily basis to the external hard disk that is connected to the LAN.
  4. Back up all files on the external hard disk to the cloud (Dropbox, OneDrive, etc.) or to a web hosting server that is connected via the internet.
  5. Back up all files on the external hard disk that is connected to the LAN to the removable external hard disk that is disconnected from the LAN and internet.
  6. Here is a list of useful back-up software:-
    1. SyncBack
    2. File History by Windows
    3. Windows Backup & Restore
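The offline copy in step 5 of the back-up procedure, together with the access restriction in SECURITY step 8, can be done in one elevated PowerShell run. This is an added example, not the guide's own script: the drive letters, log path and the choice to grant the Administrators group and SYSTEM (rather than a single named account) are assumptions.

```powershell
# Added example (not from the original guide): BACK-UP PROCEDURE step 5 plus SECURITY
# step 8. Drive letters, the log path and the granted identities are assumptions; run
# elevated as the administrator account, with the removable disk attached only for
# the duration of the copy.
$LanBackupRoot = 'B:\Backups'   # external disk shared on the LAN (placeholder)
$OfflineRoot   = 'F:\Backups'   # removable disk kept off the LAN (placeholder)
$LogPath       = "F:\logs\backup-$(Get-Date -Format yyyyMMdd).log"

function Copy-ToOfflineDisk {
    param([string]$Source, [string]$Destination, [string]$Log)
    if (-not (Test-Path $Source))      { throw "Source $Source not found" }
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }
    New-Item -ItemType Directory -Path (Split-Path $Log) -Force | Out-Null
    # /MIR keeps an exact mirror, /XJ skips junctions, /R:2 /W:5 limits retries,
    # /LOG+ appends to the log so every run is recorded.
    robocopy $Source $Destination /MIR /XJ /R:2 /W:5 /NP "/LOG+:$Log" | Out-Null
    # robocopy exit codes below 8 mean success (0 = nothing to copy, 1 = files copied).
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE, see $Log" }
    return $LASTEXITCODE
}

function Protect-BackupDisk {
    param([string]$Root)
    # Stop inheriting, drop every existing entry, then grant only Administrators and
    # SYSTEM full control; nothing for "Everyone" or "Users" (SECURITY step 8).
    $acl = Get-Acl -Path $Root
    $acl.SetAccessRuleProtection($true, $false)
    $acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Root -AclObject $acl
    # Show the resulting entries so the operator can confirm "Everyone" is gone.
    (Get-Acl -Path $Root).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
}

$code = Copy-ToOfflineDisk -Source $LanBackupRoot -Destination $OfflineRoot -Log $LogPath
Protect-BackupDisk -Root $OfflineRoot
Write-Host "Offline copy finished (robocopy code $code); disconnect $OfflineRoot now."
```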