Legal Field IT Specialists CEO Robert Finley answers questions from firms about how to respond to a ransomware attack:

What steps are involved in responding to a ransomware attack against a business?

The steps I'll be presenting are not all-inclusive. There will be additional steps your firm will need to follow to meet its own individual needs. Always consult your insurance provider, law enforcement, and counsel before taking the advice of anyone outside your organization who is unfamiliar with your exact circumstances.


The first step is to confirm that a reported ransomware infection is an actual infection. There are cases where a user reports what they think is ransomware, but it turns out to be adware, phishing, or some other malware. Validation is important because it keeps efforts focused on the real issues. But if you see a ransom note demanding payment to unlock files, and your system or files are locked or frozen, chances are high that you have indeed been hit by an attacker.

After you have confirmed the reported incident, begin the response by declaring an incident, assembling the response team, and then taking action. Call your organization's insurance company. They will explain their requirements and outline any steps that may need to be taken to preserve forensic data or evidence. You want to support, not hinder, your company's ability to collect on an insurance claim. Review your organization's business continuity or disaster recovery plan, as there may be specific requirements and action items mandated by certain policies.

Business owners should also communicate, or reiterate, the company's rules of disclosure to employees, and address what should or should not be communicated via public channels such as social media and the press, and with clients. A standard recommendation is that nothing is disclosed until the company releases a formal statement, generally after the facts of the event have been gathered and properly analyzed.

During this process, be sure to back up everything, even on encrypted or infected computers, to create a recovery path in case the containment or remediation steps destroy data, or in case decryption fails now and a recovery key turns up later. There are cases where law enforcement releases decryption keys months after an attack has stopped.


For containment, start by running a vulnerability or port scan, with a tool like Nessus or Nmap/Zenmap, from the Internet against your firewall, looking for anything unusual that shouldn't be open. Then deny all international traffic in the firewall and deny all inbound traffic to Remote Desktop Protocol or any other remote access tools on your network.

If necessary, enable VPN access first, then allow RDP only across the VPN-protected connection. If possible, unplug your Internet connection at the router and firewall until you have regained control of the network. You can also unplug all switches on the network to help prevent lateral movement of the threat and isolate segments of the network while you work to contain it.
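The perimeter rules above are firewall-vendor specific, but the same "no inbound RDP except across the VPN" shape can be enforced on each Windows host as a stopgap while the edge is being reconfigured. The following is an added example and not code from the original post or from Legal Field IT Specialists; it assumes the VPN hands clients addresses from 10.8.0.0/24 (substitute your own pool) and is run as an administrator on each host that must remain reachable:

```powershell
# Added example, not code from the original post. Host-level stopgap for the
# "deny inbound RDP, then allow it only across the VPN" step. The VPN address
# pool below is an assumption; substitute the subnet your VPN actually assigns.
$VpnSubnet = '10.8.0.0/24'

# 1. Every firewall profile on, and unsolicited inbound traffic dropped by default.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Disable the built-in "Remote Desktop" rules, which allow RDP from any address.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 3. Re-allow RDP (TCP and UDP 3389) only from the VPN pool. Block rules take
#    precedence over allow rules in Windows Firewall, so the *allow* is what gets scoped.
foreach ($proto in 'TCP', 'UDP') {
    $name = "IR - RDP $proto from VPN only"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
            -LocalPort 3389 -RemoteAddress $VpnSubnet -Action Allow -Profile Any | Out-Null
    }
}

# 4. Verify: list every enabled inbound rule that still touches 3389 and where it allows from.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; Action = $_.Action; RemoteAddress = ($addr -join ',') }
    } | Format-Table -AutoSize
```

The final listing should show only the two "IR - RDP ... from VPN only" rules with the VPN subnet as their remote address; any other enabled allow rule on 3389 is one to disable. If your VPN gateway proxies connections rather than routing client addresses through, add the gateway's own IP to `$VpnSubnet`. This does not replace the perimeter change, since non-Windows devices and other remote-access tools are untouched by it.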

Next, check all of your security and system logs for any unusual activity. If you have a service that searches the Dark Web for stolen credentials, like ID Agent or SpyCloud, run that search now.

Check your local and domain accounts for any changes or new accounts you weren't expecting to see. Remove or disable any old accounts and verify any created recently. Remember that any unexpected accounts you find could be relevant even if they weren't recently created; the FBI estimates that most businesses take up to nine months to detect a breach of their network.
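The log review and the account review go together, because the same Security events that reveal "unusual activity" are the ones that explain where an unexpected account came from. Here is an added example that is not part of the original post; it is run on a domain controller with the ActiveDirectory module (RSAT) installed, and the 90-day look-back is an assumption to widen as needed, given the detection-lag figure above:

```powershell
# Added example, not code from the original post. Run on a domain controller with
# the ActiveDirectory module. $Since is an assumed look-back window.
Import-Module ActiveDirectory
$Since = (Get-Date).AddDays(-90)

# Pull a named field out of a Security event's EventData by name, so the same
# helper works for every event ID regardless of property ordering.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

# --- Account review ---------------------------------------------------------
# Domain accounts created inside the window, with whether they have ever logged on.
Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated, LastLogonDate |
    Select-Object SamAccountName, Enabled, whenCreated, LastLogonDate |
    Sort-Object whenCreated -Descending | Format-Table -AutoSize

# Current membership of the most sensitive groups; compare against your documented baseline.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins') {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}

# Local accounts on this host (repeat on each server as you bring it back up).
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize

# --- Security log review ----------------------------------------------------
# 4720 user created, 4722 user enabled, 4724 password reset by another principal,
# 4728/4732/4756 member added to a global/local/universal group, 4740 lockout,
# 1102 audit log cleared (an attacker covering tracks).
$Ids = 4720, 4722, 4724, 4728, 4732, 4756, 4740, 1102
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Ids; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Subject = Get-EventField $_ 'SubjectUserName'   # who performed the action
            Target  = Get-EventField $_ 'TargetUserName'    # account or group acted on
            Member  = Get-EventField $_ 'MemberName'        # only set for group-membership events
        }
    } | Sort-Object Time | Format-Table -AutoSize

# Failed logons (4625) grouped by source address, highest first: password sprays
# and lateral-movement attempts stand out as a single source with a large count.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    Group-Object { Get-EventField $_ 'IpAddress' } |
    Sort-Object Count -Descending | Select-Object -First 20 Count, Name
```

Two points worth knowing when reading the output: 4625 is only recorded on the machine where the logon was attempted, so run the last query on member servers too, not just the DC; and an empty result for 1102 is only meaningful if audit-log clearing is actually being audited on that host.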

If not already in place, consider adding OpenDNS for DNS protection to block further command-and-control callbacks to malicious websites and the botnet.

Leverage a tool like SentinelOne to help hunt for and isolate the threat, provide additional visibility, and help prevent further spread of the attack. Also leverage a Security Information and Event Management (SIEM) tool, like EventTracker, to analyze and provide additional visibility into the activity going through the firewall, in Active Directory, and on endpoints.

Finally, be sure to receive authorization in writing or by email from your insurance provider before moving on to the next steps.


Before beginning these steps, unplug the Internet connection and either unplug the switches on the network or disconnect all computers, including your servers. Consider also removing the gateway IP address from DNS temporarily.

Then clean the domain controller of the infection. Disable Autorun on all systems on the network using a Group Policy Object in Windows. It is strongly recommended to disable the Autorun feature using Group Policy from the domain controller.

Next, disable the Windows Task Scheduler on all systems on the network. Likewise, it is strongly recommended to disable the Task Scheduler using Group Policy from the domain controller.
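Both of the Group Policy steps above (Autorun off, Task Scheduler off) can be delivered from the domain controller in one containment GPO. The following is an added example, not the post's own procedure; the GPO name and the domain-root link are assumptions, and the Task Scheduler setting relies on the assumption, stated in the comments, that your clients apply registry.pol entries outside the ADMX-defined paths:

```powershell
# Added example, not code from the original post. Run on a domain controller with
# the GroupPolicy and ActiveDirectory modules. $GpoName is an assumed name.
Import-Module GroupPolicy
Import-Module ActiveDirectory
$GpoName = 'IR - Ransomware Containment'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Temporary containment settings; remove after recovery.'
}

# Autorun: the two values behind the Explorer "Turn off AutoPlay" (all drive types = 0xFF)
# and "Set the default behavior for AutoRun" (NoAutorun = 1, do not execute autorun commands) policies.
$explorer = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoAutorun'          -Type DWord -Value 1    | Out-Null

# Task Scheduler is the "Schedule" service; Start = 4 is SERVICE_DISABLED. Delivered as a
# registry policy value. Assumption: the client-side registry extension applies entries
# outside the ADMX paths (GPMC lists them under "Extra Registry Settings"), and the
# service key's ACL on your Windows build permits the change; verify on one endpoint first.
$schedule = 'HKLM\SYSTEM\CurrentControlSet\Services\Schedule'
Set-GPRegistryValue -Name $GpoName -Key $schedule -ValueName 'Start' -Type DWord -Value 4 | Out-Null

# Link at the domain root so every computer picks it up at the next policy refresh.
$domainDn = (Get-ADDomain).DistinguishedName
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# Read the values back from the GPO to confirm exactly what will be pushed.
Get-GPRegistryValue -Name $GpoName -Key $explorer | Select-Object ValueName, Value
Get-GPRegistryValue -Name $GpoName -Key $schedule | Select-Object ValueName, Value
```

On a test endpoint, after `gpupdate /force`, `(Get-Service Schedule).StartType` should report `Disabled` and `Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'` should show both Autorun values. Because the Schedule service underpins other maintenance jobs, keep this GPO's comment as the reminder to unlink it once the network is clean.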

Now manually reset all user passwords to a temporary default password and share that password verbally around the office so users can set their own. Do not email it out, and be sure to force users to change the temporary password you set. If you only force password changes from the server, there is a chance the attacker will reset the password on their compromised account and still have access to the network.

Reset all device passwords, including switches, routers, firewalls, VPNs, and IDS devices. Bring up one server at a time, clean it, and if it is not a required server, shut it down until you have completed cleanup of the network. Bring up one workstation at a time on the network and clean as needed. Reboot several times, looking for a return of the infection. Then check your backups again. Remember, you can never have enough good backups.
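The user-password reset described above (one temporary password for everyone, handed out in person, with a forced change at next logon) is the part of this step that can be done from the domain controller in one pass. This is an added example, not code from the original post; it assumes a domain admin session with the ActiveDirectory module, and the log-file location is an assumption:

```powershell
# Added example, not code from the original post. Run on a domain controller as a
# domain admin. The temporary password is typed at the prompt, never stored here.
Import-Module ActiveDirectory

$TempPassword = Read-Host -Prompt 'Temporary password to hand out in person' -AsSecureString
$Operator     = $env:USERNAME     # the account doing the reset is handled separately, by hand
$LogPath      = "$env:USERPROFILE\ir-password-reset-$(Get-Date -Format yyyyMMdd-HHmm).csv"  # assumed location

$results = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet) {
    if ($u.SamAccountName -eq $Operator) { continue }
    try {
        # Actually replace the password (so a stolen one stops working immediately)...
        Set-ADAccountPassword -Identity $u -Reset -NewPassword $TempPassword -ErrorAction Stop
        # ...and force a change so the shared temporary password is single-use.
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true -ErrorAction Stop
        [pscustomobject]@{ User = $u.SamAccountName; Result = 'reset'; PreviousSet = $u.PasswordLastSet }
    } catch {
        [pscustomobject]@{ User = $u.SamAccountName; Result = "FAILED: $($_.Exception.Message)"; PreviousSet = $u.PasswordLastSet }
    }
}
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object Result | Select-Object Count, Name

# Verify: any enabled account whose password still predates this run was missed.
$cutoff = (Get-Date).AddHours(-1)
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object { $_.SamAccountName -ne $Operator -and $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, PasswordLastSet
```

Accounts flagged "Password never expires" (typically service accounts) will show up as `FAILED`, because the change-at-logon flag cannot be set on them; reset those individually and update the services that use them, and reset the operator's own account by hand last. The CSV is the record your insurer or counsel may ask for of which accounts were reset and when.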


Only restore from clean backups. If clean backups do not exist, I cannot advise as to whether or not to pay the ransom. For some organizations, such as hospitals, the decision to pay the ransom is a life-or-death decision. For others, refusing to pay cybercriminals to unlock the encrypted data could result in millions of dollars lost, or worse.

The FBI has issued a statement recommending that victims not pay the ransom and back up their files instead. That being said, the FBI's assistant special agent in charge of the Cyber Intelligence Program, Joseph Bonavolonta, in a talk at the October 2017 Cyber Security Summit in Boston, suggested that in a majority of cases companies that fall victim to ransomware attacks cannot recover their files, and he recommended that they pay the ransom to regain access to their data. So really, this decision is entirely up to the insurance company or business owner.

Then scan your network one more time with relevant tools, such as SentinelOne, HitmanPro, or another up-to-date security scanning engine. Once the network is back online, run a new backup job and back up all critical data before allowing users back onto the network. In some instances this may be a time-consuming effort, but it is well worth it, especially compared to running the risk of a second or repeat infection.


The final step is to review and document the entire incident. Work to design and implement a security plan, sized to your budget, that will help defend against this type of attack in the future.

If you feel that your firm may have been breached, call us today. Obviously, it's always best to prevent these incidents beforehand, but we will be glad to assist wherever possible. Legal Field IT Specialists provides tailored IT support services to law firms to protect them from the dangers of online threats, as well as working with you to ensure that your staff is highly productive and efficient, which in turn increases your firm's profitability as a whole.

Phone: (678) 926-9192