I'm currently facing my first ransomware attack at my organization. All our servers have been locked using BitLocker encryption, which is strange because they were never set up to use it. I'm particularly concerned because it seems like the attackers gained access through a remote user's computer. I'm struggling to understand how they managed to get admin access to implement BitLocker on the servers and the domain controller. If anyone has suggestions on troubleshooting or testing methods, I would really appreciate your input as I'm feeling a bit lost right now.
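The poster asks for troubleshooting methods to use before the incident response team arrives. The script below is an added example and is not part of the original thread or any commenter's advice: a read-only PowerShell triage pass over one affected server that records what BitLocker protectors exist, when BitLocker's own event channel says they were added, and which logons and process launches surround that time. It changes nothing on the host. The output directory, the 30-day window, and the assumption that the host still boots and carries the BitLocker PowerShell module are mine, not the thread's.

```powershell
# Added example, not from the thread: read-only BitLocker triage for one
# affected Windows server. It gathers evidence and changes nothing; it never
# calls Disable-BitLocker, Unlock-BitLocker, or manage-bde -off.
# Assumptions (not stated in the thread): you run it elevated on a host that
# still boots and has the BitLocker PowerShell module; $OutDir is a
# placeholder for removable or network storage so no evidence is written to
# the affected disks; the 30-day window is arbitrary.

$OutDir = 'E:\IR-Triage'                       # assumed external drive
$Since  = (Get-Date).AddDays(-30)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Start-Transcript -Path (Join-Path $OutDir "$env:COMPUTERNAME-bitlocker-triage.txt") -Append

# 1. Protected volumes and the protector types on each one. A server that was
#    never set up for BitLocker should show none; a Password or RecoveryPassword
#    protector with no TPM protector is consistent with someone enabling it by hand.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } } |
    Format-Table -AutoSize

# Second opinion from the built-in command-line tool.
manage-bde -status

# 2. BitLocker's own operational channel records when protectors were added
#    and encryption started, which gives the timeline to pivot on.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    StartTime = $Since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. Logons around that time: who, from where, and how. Property positions
#    are those of event 4624 (5 = TargetUserName, 8 = LogonType, 18 = IpAddress).
#    LogonType 10 is an interactive RDP session, 3 is a network logon such as
#    an SMB or remote-service connection from another machine.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'User';      e = { $_.Properties[5].Value } },
        @{ n = 'LogonType'; e = { $_.Properties[8].Value } },
        @{ n = 'SourceIP';  e = { $_.Properties[18].Value } } |
    Where-Object { $_.User -notmatch '\$$' -and $_.User -ne 'SYSTEM' } |   # drop machine and SYSTEM accounts
    Sort-Object TimeCreated |
    Format-Table -AutoSize

# 4. Process creation (4688) that mentions BitLocker tooling. manage-bde.exe
#    shows up by image name; Enable-BitLocker inside powershell.exe is only
#    visible if command-line logging is enabled in the audit policy.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'manage-bde|BitLocker' } |
    Select-Object TimeCreated, @{ n = 'Account'; e = { $_.Properties[1].Value } }, Message |
    Format-List

Stop-Transcript
```

Run it once per server and hand the transcript to the responders rather than acting on it yourself; it answers the question in the post (which account added the protectors, from which source address, and by what means) without decrypting, unlocking, or rebooting anything, so it does not disturb the evidence the insurer's team will want intact. If the Security log has already been cleared, the absence of events in the window is itself worth recording.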
5 Answers
If you're contemplating how to handle BitLocker on a VMware machine, it’s best to wait for professionals to take over. BitLocker is tied to Windows OS and isn't related to VMware infrastructure directly.
You should definitely get an incident response company involved to assist you. Do you have cyber insurance? They can help coordinate a response.
Yes, we do have cyber insurance, and they're coming in at 7 PM. I just wanted to kickstart my troubleshooting before they arrive.
That's a good move. I went through something similar before, and it was exhausting for weeks.
Make sure you have reliable backups available. That can be a lifesaver in situations like these!
I hope so too! It’s crucial.
It’s really important to not try to restore anything on your own at this point, as it could destroy evidence or jeopardize your insurance coverage. Just take a deep breath and follow the guidance of your incident response team; it will be hectic, but they’ll help you navigate it all.
Disconnect all PCs and servers from the network immediately. Restore your servers from backups, and wipe or replace the drives of affected PCs before reconnecting them. It's better to take a total scorched earth approach with ransomware.
We had to do that too. It was a long process, and it took months to fully recover everything.
Thanks for clarifying that! I wasn't sure how it worked.