Malware Incident Response Steps

Created by Cybersecurity Support, Modified on Wed, 07 Jun 2023 at 01:44 PM by Cybersecurity Support

Step 1: Identify and Disconnect the Infected Device(s) 

Identify and disconnect the infected device(s) immediately from your network, the internet, as well as any wired and wireless connected devices. This will isolate the infected device(s) and disrupt the malware’s ability to spread to other devices.

1. Identify the infected device(s).

2. Remove all network and data cables and unplug any devices connected to the infected device(s).

3. Disable wireless connectivity, including Wi-Fi and Bluetooth, on the infected device(s).

4. Ensure that the infected device(s) is/are not able to access the internet.

It is also important for organizations to identify the types of data affected by the malware infection. If the data consist of Personally Identifiable Information (PII), organizations should also refer to and proceed with Step 5 concurrently.


Step 2: Acquire Evidence for Investigation and Analysis 

Use an unaffected device or camera to take images of important information, such as suspicious programs, any URLs/links, email addresses. In addition, take note of the date and time of the infection, as well as what the infected device(s) was doing right before the malware infection. Make a record of the time you disconnected the infected device, as well as any actions taken. This information may be important for investigation purposes later.
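The record-keeping described in Step 2 (when the device was disconnected, what was done, and which screenshots or photos were taken) is easier to defend later if every entry is timestamped and every evidence file is fingerprinted. The script below is an added example, not ITC's own tooling: it keeps an append-only incident log, hashes each evidence file with SHA-256 so later modification can be detected, and exports the log as JSON. The incident id, device name and the sample "screenshot" bytes are constructed values.

```python
"""Incident evidence log: timestamped actions plus SHA-256 fingerprints
of evidence files (screenshots, photos, copies of suspicious files).

Added example for this article, not ITC code. The incident id, analyst
address, device name and file contents below are constructed samples.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large captures need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class IncidentLog:
    """Append-only record of what was done, when, and to which evidence."""

    def __init__(self, incident_id, analyst):
        self.incident_id = incident_id
        self.analyst = analyst
        self.entries = []

    @staticmethod
    def _now():
        # UTC with an explicit offset so timelines from different devices line up.
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def record_action(self, action, device, note=""):
        """Log an action such as 'disconnected network cable'."""
        entry = {"time": self._now(), "kind": "action", "device": device,
                 "action": action, "note": note}
        self.entries.append(entry)
        return entry

    def record_evidence(self, path, device, description):
        """Fingerprint an evidence file at the moment it is collected."""
        entry = {"time": self._now(), "kind": "evidence", "device": device,
                 "file": os.path.basename(path), "size": os.path.getsize(path),
                 "sha256": sha256_file(path), "description": description}
        self.entries.append(entry)
        return entry

    def verify_evidence(self, path, expected_sha256):
        """Re-hash a file and compare it with the digest logged at collection time."""
        return sha256_file(path) == expected_sha256

    def to_json(self):
        return json.dumps({"incident_id": self.incident_id, "analyst": self.analyst,
                           "entries": self.entries}, indent=2)


def demo():
    """Build a small log from a constructed evidence file in a temporary directory."""
    log = IncidentLog("INC-EXAMPLE-0001", "analyst@example.org")  # constructed
    log.record_action("disconnected Ethernet and disabled Wi-Fi/Bluetooth",
                      device="LAB-PC-07")  # constructed device name
    with tempfile.TemporaryDirectory() as tmp:
        shot = os.path.join(tmp, "suspicious_popup.png")
        with open(shot, "wb") as fh:
            # 8-byte PNG signature followed by 24 constructed bytes (32 bytes total)
            fh.write(b"\x89PNG\r\n\x1a\n" + b"constructed sample bytes")
        ev = log.record_evidence(shot, "LAB-PC-07",
                                 "photo of ransom note shown on screen")
        intact = log.verify_evidence(shot, ev["sha256"])
        with open(shot, "ab") as fh:
            fh.write(b"x")  # simulate a later modification of the evidence file
        tampered = not log.verify_evidence(shot, ev["sha256"])
    return log, intact, tampered


if __name__ == "__main__":
    log, intact, tampered = demo()
    print(log.to_json())
    print("original intact:", intact, "| modification detected:", tampered)
```

Keep the exported JSON on the clean device used for documentation, not on the infected one, and include the logged digests when you send screenshots or photos to ITC so the reviewer can confirm the files were not altered in transit.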

Step 3: Scan and Disinfect Infected Devices 

Perform a full anti-virus or anti-malware scan on infected device(s) and connected devices to detect and remove any malware found. Ensure that your anti-virus definitions are up to date. Please keep in mind to record and/or take images of any suspicious files, programs, or other events that may be significant while running the anti-virus scan and record any malware identified before removing them.

Step 4: Recovery/Restoration

Reset Credentials, including Passwords

● Change all affected account passwords (especially for administrator and other system accounts) immediately to a strong password of at least 12 characters which includes upper case, lower case, number and/or special characters. (This will vary in accordance with your organization’s existing password policy.)

Ensure the Malware Has Been Removed

● A factory reset and a clean installation of the operating system and other software may be necessary to completely remove the malware from the device(s), as many types of malware create some form of persistence on the infected device.

● You are advised to perform another full anti-virus or anti-malware scan with updated anti-virus definitions and to monitor your network traffic after recovery. This is to ensure that no traces of malware are left in the system.

Restoring from an Unaffected Backup

● If you have a backup of your original files, it may be possible to restore your files from this backup. Please ensure that the backup is free from any malware before proceeding with the restoration.

● Before starting this process, ensure that backups are only connected to known clean devices. Scan backups for malware to ensure that the backup has not been infected with ransomware.
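The credential-reset bullet above gives a baseline (at least 12 characters, a mix of upper case, lower case, digits and/or special characters) and notes that the exact rule follows your organization's policy. The checker below is an added example, not ITC code: it takes the length and character-class thresholds as parameters and returns the list of reasons a proposed password fails, so it can be dropped into a reset script or help-desk tool. The check that the new password is not the compromised one (or a trivial variant that contains it) is an assumption added here, not a requirement stated in the article.

```python
"""Password-policy check for the post-incident credential reset.

Added example for this article, not ITC code. Defaults mirror the article's
baseline (12+ characters, mixed character classes); pass different values to
match your organization's own policy.
"""
import string

DEFAULT_MIN_LENGTH = 12   # article baseline
DEFAULT_MIN_CLASSES = 3   # assumption: at least three of the four classes below


def character_classes(pw):
    """Which of the four character classes are present in the password."""
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }


def check_password(new_pw, old_pw=None,
                   min_length=DEFAULT_MIN_LENGTH,
                   min_classes=DEFAULT_MIN_CLASSES):
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []

    if len(new_pw) < min_length:
        failures.append(f"length {len(new_pw)} is below the minimum of {min_length}")

    present = character_classes(new_pw)
    if sum(present.values()) < min_classes:
        missing = [name for name, ok in present.items() if not ok]
        failures.append(f"uses fewer than {min_classes} character classes "
                        f"(missing: {', '.join(missing)})")

    # Assumption (not in the article): reject reuse of the compromised password
    # or a variant that merely wraps it, compared case-insensitively.
    if old_pw is not None and old_pw.lower() in new_pw.lower():
        failures.append("new password reuses the compromised password")

    return failures


if __name__ == "__main__":
    for candidate, old in [("Correct-Horse7Battery", None),
                           ("password", None),
                           ("Summer2023!", "Summer2023!"),
                           ("Winter-Break2024", "Break2024")]:
        result = check_password(candidate, old_pw=old)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

Run the check on the new value before it is set; for administrator and other system accounts, which the article says to rotate first, the same function can be called with a stricter `min_length` if your policy requires it.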


Step 5: Notify and Report 

• If you are an organization, notify your customers, clients, suppliers, as well as staff and employees about the attack as soon as possible so that they can take steps to protect themselves. Your legal team/provider may be able to assist you in the notification process.

• Organizations may need to assume that data could have been exfiltrated if the threat actor successfully gained access to your infrastructure or systems. If your organization handles personally identifiable information (PII), you may be required to report the incident to the National Privacy Commission (NPC); report it to ITC through the methods found below.

• If you believe that financial information was compromised, contact your financial institution.

• Please provide us with additional information (e.g., screenshots, photos from another device) for ITC review via the reporting form or through email at csirt.uplb@up.edu.ph. This will enable us to understand the scope and nature of the incident, as well as alert and assist a broader range of individuals and organizations.
