Enterprise Malware Removal: 4 Steps to Take Once You’ve Been Compromised

The global threat of ransomware and other malware attacks shows no signs of stopping. Recent attacks have affected enterprises like Samsung, Toyota, and Nvidia, utilities and supply chains, and even healthcare organizations. Even with the most robust protections in place, the likelihood of a breach remains high, and you need a contingency plan for when a breach does occur.

In this guide, we will discuss four steps for effective enterprise malware removal, mitigation, and remediation.


For more on ensuring your network security, check out our guide, Malware Protection: Everything IT Pros Need to Know.

Steps for effective enterprise malware removal

Step 1: Assess the damage and contain the breach

Once you have found initial Indicators of Compromise (IoCs), such as attempted connections to blocklisted URLs, potentially unwanted programs (PUPs) being downloaded or installed, or EDR tools alerting on potential malware or quarantine events, enact your Incident Response plan and then begin determining which systems are affected.
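As an added illustration of that triage step (example code written for this article, not a Byos tool or anything from the original post), the script below correlates two kinds of IoC the paragraph names, attempted connections to blocklisted domains in a web-proxy log and quarantine or PUP events from an EDR, and produces the list of hosts that need to go into the containment step. The log formats, host names, domains and blocklist entries are all constructed sample data, not real indicators; the EDR event names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed blocklist of domains (hypothetical names, not real IoCs).
BLOCKLIST = {"bad-cdn.example", "update-check.example"}

# Constructed web-proxy log lines (hypothetical hosts and URLs).
# Format: <timestamp> <client_host> <method> <url> <http_status>
PROXY_LOG = """\
2024-05-01T09:12:01Z ws-042 GET http://bad-cdn.example/payload.bin 200
2024-05-01T09:12:05Z ws-042 GET https://intranet.example/home 200
2024-05-01T09:13:10Z ws-017 POST https://update-check.example/beacon 403
2024-05-01T09:14:22Z srv-db01 GET https://vendor.example/patch.msi 200
"""

# Constructed EDR alert lines (hypothetical format and event names).
# Format: <timestamp> host=<host> event=<event> detail=<detail>
EDR_LOG = """\
2024-05-01T09:12:03Z host=ws-042 event=quarantine detail=payload.bin
2024-05-01T09:15:40Z host=ws-101 event=pup_install detail=toolbar_setup.exe
2024-05-01T09:16:00Z host=srv-db01 event=scan_clean detail=none
"""

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
EDR_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) detail=(\S+)$")

# EDR event types that count as an indicator of compromise for triage purposes.
SUSPICIOUS_EDR_EVENTS = {"quarantine", "pup_install", "malware_detected"}


def domain_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_blocklisted(domain, blocklist=BLOCKLIST):
    """True if the domain or any of its parent domains is on the blocklist."""
    parts = domain.split(".")
    # Walk from the full name up to the registrable parent; never match a bare TLD.
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts) - 1))


def triage(proxy_log, edr_log, blocklist=BLOCKLIST):
    """Map each host showing at least one IoC to the list of reasons found."""
    findings = defaultdict(list)
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, host, method, url, status = m.groups()
        dom = domain_of(url)
        if is_blocklisted(dom, blocklist):
            # A blocked attempt (HTTP 403) is still evidence: the client tried to reach it.
            findings[host].append(f"{ts} {method} to blocklisted {dom} (HTTP {status})")
    for line in edr_log.splitlines():
        m = EDR_RE.match(line)
        if not m:
            continue
        ts, host, event, detail = m.groups()
        if event in SUSPICIOUS_EDR_EVENTS:
            findings[host].append(f"{ts} EDR {event}: {detail}")
    return dict(findings)


def affected_hosts(findings):
    """Sorted host names to hand to the containment step."""
    return sorted(findings)


if __name__ == "__main__":
    result = triage(PROXY_LOG, EDR_LOG)
    for host in affected_hosts(result):
        print(host)
        for reason in result[host]:
            print("   ", reason)
```

Two details matter in practice: a proxy-blocked request still marks the client as affected, because the point is which hosts tried to reach the attacker's infrastructure, not which succeeded; and matching on parent domains catches hosts that contact a fresh subdomain of a known-bad domain. On the sample data the script flags ws-017, ws-042 and ws-101 and leaves srv-db01 out.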

Using a few malware mitigation techniques, it’s possible to isolate specific microsegments from the rest of your network, remove their internet access, and restrict their communications to specific ports and services in a controlled manner. This keeps the infected device operational while denying the attacker the ability to keep spreading through the network.
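The following added example (written for this article; it is not Byos code and not from the original post) renders that containment policy as an nftables ruleset: a quarantined segment may reach only the listed internal services, may be reached only from the listed responder host, and everything else in both directions is logged and dropped, which also removes its internet access. The segment address, the EDR server, resolver and IR jump-host addresses are constructed sample values, and the function refuses a catch-all destination so a typo cannot silently reopen the internet.

```python
from ipaddress import ip_network

# Constructed sample values (hypothetical addresses, not from the original article).
QUARANTINE_SEGMENT = "10.20.5.0/24"
ALLOWED_OUT = [
    ("10.0.1.10/32", "tcp", 443),   # hypothetical EDR management server
    ("10.0.1.53/32", "udp", 53),    # hypothetical internal resolver
]
ALLOWED_IN = [
    ("10.0.9.5/32", "tcp", 22),     # hypothetical incident-response jump host
]


def _net(cidr):
    """Parse a CIDR and refuse catch-all prefixes that would reopen the internet."""
    net = ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        raise ValueError(f"refusing catch-all prefix {cidr} in a containment rule")
    return net


def containment_ruleset(segment, allowed_out, allowed_in=(), log_prefix="contain"):
    """Render an nftables forward-chain ruleset that confines `segment`.

    allowed_out: (dest_cidr, proto, port) services the segment may still reach
    allowed_in:  (src_cidr, proto, port) services responders may reach on the segment
    Everything else to or from the segment is logged and dropped.
    """
    seg = ip_network(segment, strict=False)
    rules = [
        "table inet containment {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    # replies to flows accepted below",
        "    ct state established,related accept",
    ]
    for dest, proto, port in allowed_out:
        rules.append(f"    ip saddr {seg} ip daddr {_net(dest)} {proto} dport {port} accept")
    for src, proto, port in allowed_in:
        rules.append(f"    ip saddr {_net(src)} ip daddr {seg} {proto} dport {port} accept")
    # Default for the segment in both directions: log for the incident record, then drop.
    rules.append(f'    ip saddr {seg} log prefix "{log_prefix}-out: " drop')
    rules.append(f'    ip daddr {seg} log prefix "{log_prefix}-in: " drop')
    rules += ["  }", "}"]
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    print(containment_ruleset(QUARANTINE_SEGMENT, ALLOWED_OUT, ALLOWED_IN), end="")
```

The output is meant to be loaded with `nft -f` on the gateway in front of the segment. Because the `established,related` rule keeps existing flows alive, flush the connection-tracking table (`conntrack -F`) after loading so any session the attacker already holds is cut along with new ones; that is an operational step the ruleset itself cannot perform.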

If your system is infected by ransomware, federal law enforcement recommends not paying the ransom, since payment guarantees neither that your systems will be restored nor that future attacks will not take place.

During this phase, it’s important to use off-network communications while you’re investigating and containing the breach. Assume malicious actors have access to email and other internal communication tools and are monitoring them for any sign that their attack has been detected. Stay a step ahead by sticking to phone calls, and coordinate the isolation of subsystems so that attackers are not prompted to move laterally through your network to maintain access.


Step 2: Document everything, contact law enforcement, and notify key stakeholders

While you’re working to isolate network segments and prevent further malware spread, you should also be documenting the mitigation steps you’re taking, as well as any information you can glean from how the attack occurred, the affected systems, what steps the actor is taking to move through the network, and what data or services have been compromised.

You should also contact law enforcement agencies like the Federal Bureau of Investigation, the United States Secret Service, and local and state law enforcement. These organizations can help investigate the actors behind the attack, provide you with mitigation strategies or additional information on malware being used, and aid in recovery of data or funds stolen or ransom paid.

Once you’ve successfully isolated the attack, you can use the data you’ve gathered to finalize a document with your initial investigation. This document will help inform your discussions with key stakeholders within the company, external stakeholders such as public officials or shareholders, and the public.

In many ways, this step is one of the most important, as it will set the tone for how your company weathers this storm and comes out the other side. Failure to disclose important information to the public in a timely manner can lead to a loss of customer trust, a loss of future business, and can even lead to hefty fines and class action lawsuits. In the summer of 2017, Equifax experienced a data breach and waited nearly six weeks to inform the public that an attack had occurred, leading to a successful lawsuit by the U.S. Federal Trade Commission that required Equifax to pay $380.5 million in damages.

In contrast, Norsk Hydro, a renewable energy company based out of Norway, set the standard for stakeholder communication regarding cyber attacks. On March 19, 2019, their systems were compromised by a LockerGoga ransomware attack. Rather than hide the details regarding the intrusion, Norsk Hydro strove for transparency through press releases and social media updates, even documenting recovery efforts through video. Despite losing millions of dollars in revenue due to the breach, Norsk Hydro’s stock value increased as a result of their frank, direct, and honest approach.


Step 3: Mitigate damage and initiate recovery

Once the threat is contained and the necessary stakeholders have been informed, you can mitigate the damage and begin restoring the network. Make backups of affected systems and gather appropriate logs from existing detection systems so law enforcement and other cybersecurity authorities can aid in forensic investigation of the breach.
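Logs handed to law enforcement or an outside forensics team are only useful if their integrity can be shown later. The script below is an added example (written for this article, not Byos code and not from the original post) of the minimal evidence manifest an incident responder produces at collection time: a SHA-256 hash, size and collection timestamp for every file, written as JSON, plus a verification pass that flags any file that has changed since. The case identifier, collector name and sample log contents are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # read files in 64 KiB pieces so large logs fit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, case_id, collector):
    """Record path, size, hash and collection time for every evidence file."""
    now = datetime.now(timezone.utc).isoformat()
    entries = [
        {
            "path": os.path.abspath(p),
            "size_bytes": os.path.getsize(p),
            "sha256": sha256_file(p),
            "collected_at": now,
        }
        for p in paths
    ]
    return {"case_id": case_id, "collector": collector, "entries": entries}


def verify_manifest(manifest):
    """Return the paths whose current contents no longer match the manifest."""
    changed = []
    for entry in manifest["entries"]:
        if not os.path.exists(entry["path"]) or sha256_file(entry["path"]) != entry["sha256"]:
            changed.append(entry["path"])
    return changed


def write_manifest(manifest, path):
    """Persist the manifest as JSON; return its own hash to record in the case notes."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_file(path)


def demo():
    """Build a manifest over constructed sample logs, then detect a later modification."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    proxy_log = os.path.join(workdir, "proxy.log")
    edr_log = os.path.join(workdir, "edr.log")
    # Constructed sample evidence (hypothetical hosts and domain).
    with open(proxy_log, "w") as f:
        f.write("2024-05-01T09:12:01Z ws-042 GET http://bad-cdn.example/payload.bin 200\n")
    with open(edr_log, "w") as f:
        f.write("2024-05-01T09:12:03Z host=ws-042 event=quarantine detail=payload.bin\n")

    manifest = build_manifest([proxy_log, edr_log], "CASE-ID-PLACEHOLDER", "ir-analyst (hypothetical)")
    manifest_hash = write_manifest(manifest, os.path.join(workdir, "manifest.json"))
    clean = verify_manifest(manifest)       # nothing changed yet: []

    with open(proxy_log, "a") as f:         # simulate a post-collection change
        f.write("tampered line\n")
    changed = verify_manifest(manifest)      # now only the proxy log is flagged
    return clean, changed == [os.path.abspath(proxy_log)], manifest_hash


if __name__ == "__main__":
    clean, flagged, manifest_hash = demo()
    print("clean after collection:", clean == [])
    print("modification detected:", flagged)
    print("manifest sha256:", manifest_hash)
```

Record the manifest's own hash somewhere outside the evidence store (the case notes, a ticket, an email to counsel) so that the manifest cannot be quietly rewritten along with the files it describes.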

Once you’ve identified any systems or accounts that have been affected, and any malware has been successfully quarantined, begin rebuilding the most critical systems on your network. Once systems are back up and running, start increasing security measures and fill in any gaps previously unaccounted for. This may include issuing password resets for internal systems and employee accounts, upgrading and patching software, or encrypting server-side data.


Step 4: Review the anatomy of the breach and update internal processes

Once enterprise malware removal has been completed and the event is declared over, it’s critical that you regroup with your team and key internal stakeholders to go over the documentation gathered during the attack and improve your internal processes to prevent another breach from occurring. Many organizations will bring in third-party investigators at this point to independently assess where mistakes were made and evaluate where future pain points, like remote-access servers or personal devices, might be found.

It’s also important to discuss updated processes with employees, so the rest of the organization can be made aware of updated security procedures. Remind employees of email attachment policies and to regularly change passwords, and ensure they understand the severity of failing to follow protocols.


Prevent attacks before they happen, be prepared when they do

While all of these steps will help guide you in the moment, the best way to navigate any cybersecurity event is to ensure you have an Incident Response plan prepared before a breach occurs. This ensures that everyone involved, from system administrators to public relations to executives, is working in concert to deal with malicious activity openly and efficiently.

Of course, prevention is the best medicine, and regular updates and maintenance of network security will go a long way to ensure an attack never gets that far. Byos has developed a technology that makes networks invisible to attackers trying to move laterally. This approach isolates devices from the network, protecting them from exploit and DDoS attacks, enumeration, and eavesdropping using edge microsegmentation. Ready to learn more? Get started here.
