I vaguely remember the advice actually being to leave it running but disconnect it from the internet. Although maybe hard disconnect the backups if you can.
The advice I’ve always heard is disconnect network but leave powered for forensics/recovery. Some ransomware store the decryption key soley in memory, so it is lost upon power loss
That actually makes sense. We had a ransomware attack once. We also disconnected the device but I cant remember if we powered it off. At the time it stopped encrypting due to that since our network drives were not reachable anymore.
Is there actually a way to spread the encryption process to a server?
Best I understand the encryption key is needed to encrypt and decrypt, so if the malware isn’t written well enough it may well continue to store the encryption key in memory.
There’s some old malware on archive.org that just pulls the FAT off the filesystem into memory and offers a dice roll to restore it
Nah. Rip that shit right out of the chassis. Destroy that RJ45 port. Make it so the security audit team has to resolder a jack to the mobo before they can even ssh to the box.
Trust me I run a security company. If you need help with your security please feel free to contact me! We are the best in the business!
There could, in theory, be a malicious machine on the internal network that was previously infected, which is now acting as command and control. So if you didn’t know which one it was…
That’s generally a good idea, however, there can be reasons not to do it.
The device could be infected in a way that it won’t turn on again.
You might have an isolated management network that allows you to monitor the device and traffic (naturally ripping all cables also disconnects the management network).
You two are overlooking the most important thing. It might be fun to crazily rip out the cables then make a junior guy go trace and repatch it all. The opportunity to legitimately do that doesn’t come along often.
Depends. If you’re at home with a single endpoint, maybe.
But in cases like the image there’s a lot of internal traffic and you’d want to stop the malware spreading internally. There might not even be internet connection at all.
Most serious infections are able to work within isolated internal network. You can stop data breaches by cutting external traffic but if you have ransomware you might want to cut internal connections too.
You might be able to stop the ransomware from triggering on some devices. That of course depends on the type of ransomware and whether it’s triggered based on time, external command or something else.
I think that’s rather odd comment. Naturally nobody wants ransomware. And there are good reasons.
Backups may exist, but do they work properly? Or are the backups encrypted too?
How old are the backups? They might be less than a day old. But less than a day might still mean a lot of extra work and financial loss.
There might be a lot of work restoring the backups. You might have a lot of different systems.
In one of the largest ransomware cases in history, Maersk worked for months to get systems back up and running and data up to date. The insurance payout for it was 1,4 billions. Which is at least indicative of the cost.
Add comment