Current cybersecurity issues:
Responding to a Ryuk infection:
The first two steps listed below are especially important in preventing additional damage if you are infected:
REMOVE or ISOLATE the infected machine(s) from the Network
DO NOT LOG IN USING ANY CREDENTIALS, ESPECIALLY ANY ADMIN LEVEL CREDENTIALS. TrickBot harvests credentials from sessions on the infected host, so every logon hands the attacker another account. Instead, restore any infected machines by following the Recovery steps listed below.
Ensure Emotet/TrickBot is not on any remaining network machines. These loaders deliver Ryuk; failure to eradicate and remediate Emotet/TrickBot will lead to re-infection.
Decide whether to shut down the affected machine(s). Shutting down a system destroys artifacts held only in memory (running processes, network connections, injected code), which reduces the usefulness of forensic analysis and the likelihood that law enforcement can collect evidence for attribution and prosecution. This is a business decision that must weigh that loss against the risk of leaving the machine powered on, where it may continue encrypting files or spreading.
Consider taking the entire network or segment offline to prevent any additional infections.
Reach out to outside resources such as DHSES-CIRT (1-844-OCT-CIRT).
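The isolation and shutdown steps above, as an added PowerShell example that is not part of the NYS DOH advisory: it captures the volatile state a shutdown would destroy to the local disk, then isolates the host at the Windows firewall for cases where pulling the cable is not an option. The collector address and evidence path are assumptions. Run it from the console session that is already open on the host or through an EDR remote shell, never from a fresh logon with domain or admin credentials.

```powershell
# Added example, not from the NYS DOH advisory: snapshot volatile state, then isolate the host.
# Assumptions (hypothetical values): $CollectorIP is the IR workstation that may still reach
# this host afterwards; $EvidenceDir is on the local disk, not a network share (no credentials).

$CollectorIP = '10.10.99.5'
$EvidenceDir = 'C:\IR\snapshot'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# 1. Volatile data first: this is what a shutdown destroys.
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv "$EvidenceDir\tcp.csv" -NoTypeInformation
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv "$EvidenceDir\processes.csv" -NoTypeInformation
Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, PathName |
    Export-Csv "$EvidenceDir\services.csv" -NoTypeInformation
Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskName, TaskPath, State |
    Export-Csv "$EvidenceDir\tasks.csv" -NoTypeInformation
# Run keys: a common persistence location for the Emotet/TrickBot loaders that precede Ryuk.
'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
    ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
    Out-File "$EvidenceDir\run-keys.txt"
# Hash the snapshot so its integrity can be demonstrated later.
Get-ChildItem -Path $EvidenceDir -File | Where-Object Name -ne 'hashes.csv' |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv "$EvidenceDir\hashes.csv" -NoTypeInformation

# 2. Isolate. Existing allow rules still pass traffic under a Block default action,
#    so disable them first, then permit only the collector in both directions.
Get-NetFirewallRule -Enabled True | Disable-NetFirewallRule
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'IR-Collector-In'  -Direction Inbound  -RemoteAddress $CollectorIP -Action Allow
New-NetFirewallRule -DisplayName 'IR-Collector-Out' -Direction Outbound -RemoteAddress $CollectorIP -Action Allow
```

Two caveats: rules delivered by Group Policy are merged in and cannot be disabled locally, so on a domain-joined host check the effective rule set after running this; and because the core networking rules are disabled too, the host will lose its DHCP lease when it expires, so isolation by firewall is a stopgap until the machine can be physically unplugged or imaged.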
Recovering from Ryuk:
The safest option is a full wipe and reinstallation from known good media for any infected systems.
The second-best option is to restore files from an offline backup after verifying the integrity of the backup.
As an alternative option, it may be possible to perform a system restoration using the Volume Shadow Copy Service (VSS). Ryuk commonly deletes shadow copies before encrypting, so confirm that copies still exist (for example with vssadmin list shadows) before planning on this route.
Systems recovered by the last two options should be checked for indicators of Emotet and/or TrickBot to make sure that earlier stage of the infection was not captured in the backup or shadow copy.
Issue password resets for all users, admins, and service accounts.
Verify that all domain accounts are valid (no accounts created or re-enabled by the attacker).
Verify that all domain accounts have the appropriate privileges.
Reset passwords for all accounts that may have been accessed during the infection window. This includes personal/business email, financial accounts, etc.
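The account audit and reset steps above, as an added PowerShell example that is not part of the NYS DOH advisory. It assumes the ActiveDirectory RSAT module on a clean admin workstation, a hypothetical infection window start date, and that service accounts either live in an OU named 'Service Accounts' or have PasswordNeverExpires set; run it only after the domain controllers have been verified free of Emotet/TrickBot.

```powershell
# Added example, not from the NYS DOH advisory: audit domain accounts and force resets.
# Assumptions (hypothetical): $WindowStart, the 'Service Accounts' OU name, and $Report path.
Import-Module ActiveDirectory

$WindowStart = Get-Date '2019-10-01'   # assumed first sign of Emotet/TrickBot activity
$Report      = 'C:\IR\ad-audit'
New-Item -ItemType Directory -Path $Report -Force | Out-Null

# Random password from a 64-symbol alphabet, so byte % 64 carries no modulo bias.
function New-RandomPassword {
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

$props = @('whenCreated', 'whenChanged', 'PasswordLastSet', 'LastLogonDate',
           'PasswordNeverExpires', 'AdminCount')
$users = Get-ADUser -Filter * -Properties $props

# 1. Are all domain accounts valid? Anything created or changed inside the window needs a
#    human to confirm it is legitimate rather than attacker persistence.
$users | Where-Object { $_.whenCreated -ge $WindowStart -or $_.whenChanged -ge $WindowStart } |
    Select-Object SamAccountName, whenCreated, whenChanged, Enabled, LastLogonDate |
    Export-Csv "$Report\accounts-touched-in-window.csv" -NoTypeInformation

# 2. Do accounts have appropriate privileges? Recursive membership exposes nested-group
#    additions; compare the output with the approved admin list.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Backup Operators'
foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass |
        Export-Csv "$Report\privileged-members.csv" -NoTypeInformation -Append
}
# AdminCount=1 on an account outside a protected group usually means a former admin; confirm it.
$users | Where-Object { $_.AdminCount -eq 1 } |
    Select-Object SamAccountName, Enabled, PasswordLastSet |
    Export-Csv "$Report\admincount-flagged.csv" -NoTypeInformation

# 3. Password resets for every enabled account. Service accounts get a new random password now
#    (store it in the vault and update the services that use it). Interactive users are forced
#    to change at next logon. ChangePasswordAtLogon cannot be set on a PasswordNeverExpires
#    account, which is another reason those take the direct-reset path.
$enabled  = $users | Where-Object Enabled
$service  = @($enabled | Where-Object {
                $_.PasswordNeverExpires -or $_.DistinguishedName -like '*OU=Service Accounts,*' })
$svcNames = @($service | ForEach-Object SamAccountName)
$interact = $enabled | Where-Object { $svcNames -notcontains $_.SamAccountName }

$interact | Set-ADUser -ChangePasswordAtLogon $true
foreach ($acct in $service) {
    $new = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $acct -Reset -NewPassword $new
    $acct.SamAccountName | Out-File "$Report\service-accounts-reset.txt" -Append
}
```

Add -WhatIf to the Set-ADUser and Set-ADAccountPassword calls for a dry run, and schedule the service-account resets with the owners of those services, since each one stops working until its stored credential is updated. Where the domain itself is assumed compromised, the krbtgt account password should also be reset (twice, with a replication interval between) so that forged Kerberos tickets stop validating; that step is standard practice but is not listed in the advisory.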
Full NYS DOH PDF