Removing ransomware and restoring the system to a previous state

Ransomware threats encrypt the content of the files found on workstations and servers, demanding a ransom from the targeted company to get the recovery key that allows access to the encrypted information upon payment. These threats are extremely dangerous because of the impact they can have on business operations. Advanced EDR implements multiple features to help organizations in both the attack detection and attack remediation phases.

Follow these steps if you detect a ransomware attack on your network:

Because the Shadow Copies feature makes a daily backup of computer files and keeps a maximum of seven copies, it is important that you recover a clean copy of the encrypted files within seven days after the attack takes place. Otherwise, all saved copies will be of encrypted files.

• Use the Isolate computers feature to isolate affected computers. Note that isolating a computer could affect the normal operation of the computer. In the case of servers, it may prevent other computers on the network from working correctly. For more information about how to configure this feature, see Computer isolation.

• Verify that the protection software is working on all computers:

  • To see the protection status of your computers, see the Protection status widget.

  • Reinstall the security software on computers where the protection status is Error.

  • Find computers without security software installed. For more information about how to configure this feature, see Viewing discovered computers.

• Configure advanced protection with the following settings (for more information, see Advanced protection).

  • Operating mode: Lock.

  • Enable and set advanced policies to Block.

  • Enable and set the Anti-exploit protection to Block.

  • Enable Advanced code injection.

• Configure anti-tamper protection. Set a password to prevent unauthorized uninstallation of the protection software. For more information about how to configure this feature, see Configuring security against protection tampering.

• Verify that the maximum space for Shadow Copies is between 10% and 20% to prevent copies from being deleted because of lack of space. For more information about how to configure this feature, see Configuring shadow copies.

• To remove ransomware, follow these steps:

  • Install at least the patches that fix the critical vulnerabilities detected. See Cytomic Patch (Updating vulnerable programs).

  • Run an on-demand scan. See On-demand computer scanning and disinfection.

  • Restart affected computers to close any remote connection in progress. For more information about how to configure this feature, see Computer restart.

  • If, after the affected computers are restarted, the ransomware is still active, contact Cytomic tech support.

• Restore encrypted files on each computer using Shadow Copies or the data recovery procedure in place in your company.

• Restore the security settings changed at the beginning of this procedure to their usual values.