Shackleton's View: How We Deal with Malware


Written by Chris Thornton, 26 February 2016

Malware attacks can grind small businesses down, but don't despair: we're sharing the process we use to address infections in our clients' networks...

Finding malware in your network is always bad news: dealing with the infection requires time and resources (both extremely valuable commodities for small businesses). With the risk of malware infection rising 17% in 2015, it's more important than ever that your organisation understands the threats it faces - and how to deal with them.

Shackleton's Malware Plan

While our priority will always be to prevent cyber-attacks before they happen, having a plan to deal with an infection, should something penetrate your defences, is just as important. As part of Scotland's small business community, we believe there's an affordable, effective malware plan to suit every business. To help you get started, we're sharing the process we use to clean our system in the event of infections.

As soon as we are aware of an infection we follow a standard process to ensure that the impact is minimised.

Step 1: Identify the Infected Device or User

Initially it may not be clear where an infection is, as some malware symptoms are subtle. In more extreme cases, you may suspect that more than one user has been accessing your online banking without permission, or even that money has been taken directly from your account. In any case, you need to identify which machine has been compromised; the signs might include suspicious browser activity or unauthorised software installations. If your data is being encrypted, you need to know which device is encrypting the data.

Step 2: Contain the Infection

Malware can spread through your network quickly, manipulating devices on it through their connections to the internet. Containing the infection can be relatively simple: in some cases you can just shut down the computer or unplug the network cable to stop any further damage. If, however, the machine remains on your network, the impact to the business may increase.

Step 3: Identify the Damage

Once you've prevented malware causing further damage, it's time to find out what you're dealing with.

Getting your business back up and running will be your biggest priority. For this to happen you need to know exactly what damage has been done in order to put a recovery plan in place. It is important to double-check all business data, even if you think it has remained unaffected by the malware attack. If data loss is discovered six months after the initial infection, you may not have a backup that goes back far enough to recover the data.

Step 4: Undoing the Damage

If you are dealing with data loss, the simplest solution is to recover data from the last good backup taken before the infection.

In some cases, malware infections are able to hold a small business's data to ransom. We do not advise paying any money: not only are you providing the creator with more opportunity to develop additional techniques, you will also be providing them with more information about your company, which may lead to further attacks.

If you are dealing with bank fraud your bank should be able to work with you to recover any losses.

Step 5: Confirming the Infection & Removing It

Now that your business is operational again, it's important to understand the type of infection and to remove it. The first step of this process is to identify the type of infection that your network received. With the vast majority of malware, it will be possible to identify exactly what the type is, or was, and possibly even the variant.

Once you know the type and variant, it will be relatively simple to find the removal process. This can range from removing registry entries, files and folders from the infected machine to, in extreme cases, wiping the infected machine and starting again, which is the only way to be sure no traces remain.

Step 6: Confirming the Source & Addressing the Weakness

Once the infection has been recognised, you can investigate how it managed to bypass your existing security measures. Most viruses have a common source of infection, whether a compromised website or a suspect email.

Knowing how the infection occurred allows you to address the weakness within your network.

This may mean adding another service to your security strategy, or it may be something as simple as making a minor change to the access rights of certain end users. Regardless of the steps you take, prevention is always better than cure and takes a lot less time and effort overall.
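As an added illustration of Steps 1, 3 and 4 (not part of the original post or Shackleton's tooling), the script below flags files that look encrypted by a ransomware infection, using a hypothetical list of ransomware suffixes and a byte-entropy check, and picks the newest backup taken before a known infection time. The sample files and backup schedule are constructed inline.

```python
import math
import os
import tempfile
from collections import Counter
from datetime import datetime
from pathlib import Path

# Extensions that crypto-ransomware families often append (hypothetical, illustrative list).
SUSPECT_SUFFIXES = {".locked", ".encrypted", ".crypt"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Text and office documents sit well below 7; ciphertext sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_encrypted_files(root, threshold=7.5):
    """Step 1: list files under root that look encrypted (ransomware suffix or high entropy).
    Caveat: zip, docx, jpg and other compressed formats also score high, so treat hits as
    leads for working out which device wrote them, not as proof of infection."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and (path.suffix in SUSPECT_SUFFIXES
                               or shannon_entropy(path.read_bytes()) >= threshold):
            hits.append(path.name)
    return sorted(hits)

def last_good_backup(backup_times, infection_time):
    """Steps 3 and 4: newest backup taken strictly before the infection,
    or None when retention does not reach back far enough."""
    earlier = [t for t in backup_times if t < infection_time]
    return max(earlier) if earlier else None

def build_sample_tree():
    """Constructed sample data: one plain-text file and two files of random bytes."""
    root = Path(tempfile.mkdtemp())
    (root / "invoice.txt").write_text("Invoice 1234: 10 widgets at 5.00 each\n" * 50)
    (root / "invoice.txt.locked").write_bytes(os.urandom(4096))  # renamed and encrypted
    (root / "ledger.csv").write_bytes(os.urandom(4096))          # overwritten in place
    return root

if __name__ == "__main__":
    print(find_encrypted_files(build_sample_tree()))
    backups = [datetime(2016, 2, 1), datetime(2016, 2, 15), datetime(2016, 2, 22)]
    print(last_good_backup(backups, datetime(2016, 2, 20)))
```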


Do you need help dealing with malware? Is your IT infrastructure prepared to deal with an infection? Contact us for help...
