Sales: 833-641-1814 - Service: 585-582-1600


Current cybersecurity issues:

cybersecurity it company new york.jpg

Ryuk Ransomware

Responding to a Ryuk infection:
The first two steps listed below are especially important in preventing additional damage should you be infected:

  1. REMOVE or ISOLATE the infected machine(s) from the Network

  2. DO NOT LOG IN USING ANY CREDENTIALS, ESPECIALLY ANY ADMIN LEVEL CREDENTIALS.  Instead, restore any infected machines by following the Recovery steps listed below.

  3. Ensure Emotet/TrickBot is not on any remaining network machines.  Failure to eradicate and remediate Emotet/TrickBot will lead to re‐infection

  4. Decide whether to shut down the affected machine(s).  Shutting down a system will cause any artifacts in memory to be lost which will affect the usefulness of forensic analysis and reduce the likelihood that law  enforcement will be able to collect evidence for attribution and prosecution. But this is a business decision that must include evaluating the risk of leaving the machine powered on.

  5. Consider taking the entire network or segment offline to prevent any additional infections 

  6. Reach out to outside resources such as DHSES‐CIRT (1‐844‐OCT‐CIRT)

Recovering from Ryuk:

  1. The safest option is a full wipe and reinstallation from known good media for any infected systems.

  2. The second‐best option is to restore files from an offline backup after verifying integrity of the backup.

  3. As an alternative option, it may be possible to perform a system restoration using the Volume Shadow Copy  Service (VSS).

      1. The last two restoration options should be checked for indicators of Emotet and/or Trickbot to make  sure that stage of the infection was not part of the backup process.

  4. Issue password resets for all users, admins, and service accounts

      1. Verify that all domain accounts are valid

      2. Verify that all do main accounts have the appropriate privileges

      3. Reset passwords for all accounts that may have been accessed during the infection window. This includes personal/business email, financial accounts, etc.

        Full NYS DOH PDF