Containment
The Containment phase is a critical part of the response plan. Once a system has been identified as potentially infected with ransomware, the suspected computer should be immediately removed from your networks (including WiFi connections) and either shut down or, ideally, hibernated to assist in forensic and sample analysis while minimizing the risk of the ransomware continuing the encryption process. Failure to quickly isolate infected systems from the network can worsen the incident by allowing the malware to continue encrypting files on the local system or on network shares, thereby increasing recovery efforts.
The Imperative of Endpoint Detection and Response (EDR) Security Automation in Ransomware Defense
Endpoint detection and response (EDR or MDR) security automation is critical in any attack, and especially in a ransomware infection. Your organization should have an endpoint detection and response (EDR) solution in place beyond basic antivirus protection. An EDR solution is helpful in a malware attack in a few ways: [Talk to your CITS representative about the EDR solution we automatically implement for all our clients]
Last Resort Containment Strategy: Termination of Access to Mitigate Ransomware Risk
If the organization cannot quickly determine the source of the ransomware infection and where the encryption process originated, it should, as a last resort, consider taking the file share(s) offline to minimize risk and impact to the business. The file server(s) do not need to be shut down, but all access to the file shares should be terminated (remove the share, restrict it with a network or host-based firewall ACL, etc.).
It is not recommended to change permissions on the files within a shared location when restricting access. Depending on the number of files, permission propagation could take hours, during which the encryption process would continue. If you expose file shares over Microsoft's Server Message Block (SMB) protocol, also known as Common Internet File System (CIFS), from other operating systems such as UNIX or Linux, remember to protect those shares as well. This greatly reduces the chance of the shares being encrypted, because ransomware exploits these protocols to move through networks and find more data to encrypt.
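The following PowerShell script is an added example, not code from the original article or from CITS: it carries out the last-resort containment described above on a Windows file server, cutting share access by dropping SMB sessions, removing the shares and blocking inbound SMB at the host firewall, rather than re-ACLing files. The share names, evidence folder and firewall rule name are assumptions for the example.

```powershell
# Added example (not part of the original article). Run elevated on the
# Windows file server whose shares are to be taken offline.
param(
    # Shares to take offline; leave empty to remove every non-administrative share.
    [string[]]$ShareName = @(),
    # Folder for the evidence snapshot taken before access is cut (assumed path).
    [string]$EvidencePath = "C:\IR\containment-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null

# 1. Preserve who was connected and what was open before access is cut; the
#    session and open-file lists are often the fastest pointer to the host
#    that is doing the encrypting.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle |
    Export-Csv -Path (Join-Path $EvidencePath 'smb-sessions.csv') -NoTypeInformation
Get-SmbOpenFile | Select-Object ClientComputerName, ClientUserName, Path |
    Export-Csv -Path (Join-Path $EvidencePath 'smb-openfiles.csv') -NoTypeInformation
Get-SmbShare | Where-Object { -not $_.Special } |
    Export-Csv -Path (Join-Path $EvidencePath 'smb-shares-before.csv') -NoTypeInformation

# 2. Drop every existing SMB session so an in-progress encryption run loses its
#    handles immediately, then remove the share definitions. This touches no
#    NTFS ACLs, so it takes effect at once and the data stays on disk.
Get-SmbSession | Close-SmbSession -Force

$targets = Get-SmbShare | Where-Object { -not $_.Special }
if ($ShareName.Count -gt 0) {
    $targets = $targets | Where-Object { $ShareName -contains $_.Name }
}
foreach ($share in $targets) {
    Remove-SmbShare -Name $share.Name -Force
    Write-Host "Removed share $($share.Name) ($($share.Path))"
}

# 3. Block inbound SMB at the host firewall so nothing can reconnect even if a
#    share is re-created. Console, RDP and WinRM access are unaffected; delete
#    this rule when the incident is closed.
New-NetFirewallRule -DisplayName 'IR-Containment-Block-SMB-Inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any | Out-Null
Write-Host "Inbound SMB blocked; evidence written to $EvidencePath"
```

On Samba hosts the equivalent is to stop the smbd service or add a matching host firewall rule; the evidence step (active connections and open files) should be taken there first as well.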
We Provide Live Help
While many IT companies go out of their way to avoid live interactions, we encourage you to talk to us whenever you need. As a trusted Managed IT Service Provider for dental and health offices, we always answer our phones. It is very important to us that your call is answered by a live human being in our office and directed to the appropriate resource to resolve your issue. If you submit your request online, it will receive the same priority handling as calling us.