Malware found in my infrastructure!

Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Malware programs can range from being simple annoyances (pop-up advertising) to causing serious computer invasion and damage (e.g., stealing passwords and data or infecting other machines on the network).

Types of malware include viruses, worms, trojan horses, spyware and ransomware. Viruses require the spreading of an infected host file and replicate themselves to cause havoc on a computer’s hard drive by deleting files or directory information. In contrast, worms are standalone software and do not require a host program or human help to propagate. A trojan horse is any program that invites the user to run it while concealing harmful or malicious code. Spyware can gather data from a user’s system, such as the web pages a user visits or personal information such as credit card numbers, without the user’s knowledge. Ransomware is a type of malicious software installed by a cybercriminal that denies access to your files or system until you pay a ransom. Ransomware usually either encrypts your personal files and folders or locks the screen of your system.

Top Recovery Tips

1. First things first – Isolate the threat and notify relevant persons!

If anyone in your organization suspects a malware incident, the first step is to isolate the threat by performing one of the following actions:

  • Disconnecting the individual system or portion of the network. (Recommended)
  • Switching off the system to prevent further spread of the malware. Note that using this method might make it harder to gather evidence.
  • Leaving the system switched on and connected to the network to allow help desk personnel to remotely troubleshoot the system. However, leaving the system connected might let the malware infect shares or other machines, upload data, or download further malware.

Based on the initial assessment, notify the relevant persons of a possible malware incident.

2. Confirm the infection.

Gather all possible information to confirm whether the infection actually exists. The infection could be an isolated incident affecting a single system, an outbreak affecting multiple systems, or even a false alarm. Therefore, it is imperative that confirmation of infection is obtained before taking any further steps.

3. Clean, Restore or Rebuild the system.

Depending on the level of infection, decide whether to clean the system, restore its state, or rebuild it, and perform the appropriate action. If performing a rebuild, determine the risk to the stored data and make a backup of the system to preserve a snapshot of its state prior to re-installation. This is useful in case you forget to copy something you later need, and for evidential purposes (note that if backups are made with the infected operating system running, the malware may continue to infect or destroy the data). If performing cleaning, follow the steps below:

  • Identify and kill malicious processes.
  • Identify and delete malicious autorun entries.
  • Reboot and repeat the previous steps.
  • Delete associated files and folders.
  • Run a full scan with your installed antivirus product.
  • If disinfection is applied successfully, connect to the network again. If possible, connect to a separate network first to verify that everything is indeed back to normal. Perform an online scan with an antivirus product other than the one you have installed.
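The "identify" half of the first two cleaning steps is where evidence is most easily lost, so the following added example (not part of the original guidance) snapshots running processes and autorun entries on a Windows host before anything is killed or deleted. It assumes it is run as a local administrator in PowerShell 5.1 or later on the already isolated machine, and that $OutDir (the example default E:\triage\... is an assumed removable-media path) is writable; the "Suspicious" flag is a triage heuristic of this example (unsigned image running from a user-writable directory), not a verdict.

```powershell
# Added triage snapshot for the "identify" steps; not part of the original guidance.
# Assumptions: run as local Administrator on the isolated host, PowerShell 5.1+,
# and $OutDir on removable media so the evidence leaves the infected disk.
param(
    [string]$OutDir = "E:\triage\$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd-HHmmss)"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Running processes with image path, command line and Authenticode state.
#    "Suspicious" is this example's heuristic: not validly signed AND running
#    from a user-writable location. Review these first; do not kill yet.
$procs = @(Get-CimInstance Win32_Process | ForEach-Object {
    $path = $_.ExecutablePath
    $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                (Get-AuthenticodeSignature -LiteralPath $path).Status
            } else { 'NoPath' }
    [pscustomobject]@{
        PID         = $_.ProcessId
        ParentPID   = $_.ParentProcessId
        Name        = $_.Name
        Path        = $path
        CommandLine = $_.CommandLine
        Signature   = $sig
        Suspicious  = ($sig -ne 'Valid') -and
                      ($path -match '\\(Temp|AppData|ProgramData|Public|Downloads)\\')
    }
})
$procs | Export-Csv -Path (Join-Path $OutDir 'processes.csv') -NoTypeInformation

# 2. Autorun entries: Run/RunOnce keys, startup folders, scheduled tasks, auto-start services.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = @(foreach ($key in $runKeys) {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the provider metadata properties that Get-ItemProperty adds.
            if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
})
$autoruns += @(Get-CimInstance Win32_StartupCommand | ForEach-Object {
    [pscustomobject]@{ Source = $_.Location; Name = $_.Name; Command = $_.Command }
})
$autoruns += @(Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    foreach ($a in $_.Actions) {
        [pscustomobject]@{ Source = "Task:$($_.TaskPath)"; Name = $_.TaskName
                           Command = "$($a.Execute) $($a.Arguments)" }
    }
})
$autoruns += @(Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto' | ForEach-Object {
    [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
})
$autoruns | Export-Csv -Path (Join-Path $OutDir 'autoruns.csv') -NoTypeInformation

# 3. Hash every flagged image so the evidence survives a later clean or rebuild.
$procs | Where-Object Suspicious |
    Where-Object { Test-Path -LiteralPath $_.Path } |
    ForEach-Object { Get-FileHash -LiteralPath $_.Path -Algorithm SHA256 } |
    Export-Csv -Path (Join-Path $OutDir 'flagged-hashes.csv') -NoTypeInformation

Write-Host "Triage snapshot written to $OutDir; review processes.csv and autoruns.csv before killing or deleting anything."
```

Run it once before step one of the cleaning list and again after the reboot in step three: comparing the two autoruns.csv files shows whether a persistence entry survived or was re-created, which is the signal that the removal was incomplete and a rebuild is the safer choice.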

Malware may be the result of an insider breach. If you are concerned that the malware was introduced by an insider, refer to the Insider Breach section.
