Ransomware and Having a Plan

Ransomware is a major pain in the ass, but if you have the right plan in place it doesn’t have to be the end of the world, and it doesn’t have to cost a king’s ransom.

Step One – Backup, backup, and backup.

I would recommend at least 2, if not 3, distinct and separate backups. I like Microsoft backup for any incidental file-level recovery you might have to perform. I can recover a single lost file or folder in minutes. If you like an offsite cloud backup, that’s great. But both of these backups have been known to be targeted by certain ransomware variants. There can’t be much worse than having your backup encrypted at the same time your systems are encrypted. If you are running a physical server you might be stuck using a backup that the system is aware of, but if you are running virtual servers you can back up the whole VM using a Synology device or a backup product like Unitrends.

I like the Synology’s Enterprise backup. It backs up the whole VM and your system is unaware of the backup, so the ransomware is also unaware of the existence of the backup. (By the way, don’t turn on SMB on your Synology NAS. SMB will give the ransomware access to your Synology drives.) In a recent ransomware attack at one of my clients, we were able to recover 5 of their servers, with zero loss of data, in just 11 hours. If you have a large amount of data, get 2 Synology devices; this will provide a second backup point and double your recovery bandwidth. In most cases you can set up the enterprise backup program to back up hourly. Because the backup is incremental, after the first backup, subsequent backups should take very little time.

Step Two – Protect your workstations.

If you are like me and want to give your users the rights to install software and make changes on their own machine, you might be tempted to add “everyone” or “domain users” to the local Administrators group. Don’t. That will give the ransomware the ability to encrypt every workstation on your network through the administrative share. That is the special share you can use to access remote disk drives; for the C: drive the administrative share is C$. You can give your users all the permission they need by adding “everyone” or “domain users” to the local Power Users group without giving them permission to the administrative share.
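One way to audit for exactly this mistake across a fleet, as an added example that is not part of the original post: it pulls the local Administrators membership from each workstation and flags the two over-broad principals named above. It assumes a hostname list in workstations.txt, WinRM enabled on the targets, and the built-in Get-LocalGroupMember cmdlet (Windows 10 / Server 2016 and later).

```powershell
# Added example (not the post's own script): find workstations where "Everyone"
# or "Domain Users" has been added to the local Administrators group, which
# would expose the C$ administrative share to any user-context malware.
$Computers = Get-Content -Path '.\workstations.txt'      # assumed: one hostname per line
$Broad     = @('Everyone', 'Domain Users')                # principals the post says must not be local admins

# Collect local Administrators membership from every workstation in one remoting call.
$Members = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
}

# Flag any member whose short name (after the DOMAIN\ prefix) is one of the broad groups.
$Findings = foreach ($m in $Members) {
    $short = ($m.Name -split '\\')[-1]
    if ($Broad -contains $short) {
        Write-Warning "$($m.Computer): '$($m.Name)' is in local Administrators; move it to Power Users instead"
        $m
    }
}

# Keep the full inventory for the record and the findings separately for remediation.
$Members  | Export-Csv -Path '.\local-admins-inventory.csv' -NoTypeInformation
$Findings | Export-Csv -Path '.\local-admins-findings.csv'  -NoTypeInformation

# Remediation on an affected host, run locally as an administrator (uncomment to apply):
#   Add-LocalGroupMember    -Group 'Power Users'    -Member 'DOMAIN\Domain Users'
#   Remove-LocalGroupMember -Group 'Administrators' -Member 'DOMAIN\Domain Users'
```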

Step Three – Know how to shut down access quickly.

If you see any sign of encryption, pull your internet connection immediately, pull the network connection out of your workstations, hard shut down wireless laptops, and power down all your switches. Once that is done you can start to assess the damage. In almost all cases the ransomware is going to be on one of your workstations or laptops, not on the servers. With all your endpoints offline you can start the recovery of your servers and, as that is happening, try to figure out which endpoints are infected.

Step Four – Decide on your recovery workflow.

In most cases the first server you need to recover is your domain server. If your domain server is a dedicated domain server and not hosting any data, it might have escaped undamaged. If your domain server is a dedicated server, make sure there are no shares on the server; this is how the ransomware will get to it. Most of my domain servers are also file servers, so they are at the top of my recovery list. If you are using a Synology device you probably have a fairly large iSCSI drive hanging off of your VM host. My suggestion would be to recover all your servers to new locations, in other words, preserve the infected VMs. Your lawyers, or somebody’s lawyers, will want to see them later.

So here is my recovery list for most of my clients.

  1. Domain server
  2. Any mission critical application servers
  3. Exchange server
  4. Then RDP servers, web servers, and any other incidental server.

Once your servers are recovered, or during the recovery process, start to bring up each workstation off the network. If you are using laptops, turn off your wireless access points just to be absolutely sure they can’t re-infect the network. Bring each workstation up and look for any files that may have been encrypted. If there are any signs of encryption, rebuild that machine from scratch. If there are no encrypted files on that workstation, run a full virus scan. In most cases if the machine passes the scan it is clean, but if you are not 100% sure then rebuild that machine.

You are never going to be 100% protected against an attack, but if you have a recovery plan in place you should be able to get back up and running in days if not hours.