There is an old saying that simply deleting a file from your hard drive does not mean it is gone for good. Deleting normally just removes the directory entry and marks the file's blocks as free; the data itself stays on the disk until something else happens to overwrite it, so with the right recovery tools there is a good chance you can still get it back. No need to take it to the Geek Squad either: most of these tools can be found online with a simple Google search.
Heck, even when you empty the Recycle Bin on your Windows desktop, all of those deleted files are still sitting somewhere on your hard drive. This leads to an error in thinking on the part of the Cyber attacker. He or she may assume that after launching an attack, all traces of their footsteps will disappear.
But this is far from the truth. Even the most sophisticated Cyber attacker leaves some sort of evidence behind. It’s just up to the Forensics Investigator to find it. To illustrate this point, I came across a news wire this morning saying that traces of the Andromeda botnet can still be found on many of the devices it infected.
This is despite the fact that it was taken down and dismantled by law enforcement authorities just last year.
For those of you who do not know what a “Botnet” is, refer back to one of my postings from a couple of days ago, where I described it in some detail.
This Botnet was associated with 80 different malware families and had grown so large that it was infecting over 1,000,000 devices a month (both PCs and wireless devices). It was distributed via social media sites, instant messaging tools, spam emails, exploit kits and more.
In fact, it took the combined work of the FBI and Europol’s European Cybercrime Centre (EC3) to track down this Botnet and shut it down, back in December of 2017. But even despite this, remnants of it are still being found on literally thousands of devices.
To further substantiate this, Cyber security researchers at Fortinet have confirmed that one in ten business organizations all over the world still have devices carrying Andromeda. Businesses and corporations in Asia and the Middle East are the most likely to be impacted.
Its prevalence is eight times higher in these regions than in Europe or the United States.
Another interesting finding is that the infected devices could not do any damage on their own; they simply carried out whatever commands the Botnet’s command-and-control servers sent them. In other words, these devices were merely “Zombie Computers”, and with that infrastructure dismantled they sit idle waiting for instructions that never come. An unremoved bot is still unauthorized code on the machine, though, and belongs in the cleanup list.
My take on all of this?
Well, first off, let’s go back to my original example. If you ever have to get rid of an old computer (like I will be soon once I get a tech writing job), take out the hard drive and wipe it before disposal. There are tools that can completely erase all of the data: for a traditional spinning disk, an overwrite tool or the drive’s own ATA Secure Erase command; for an SSD, use the manufacturer’s secure-erase utility, since wear levelling means an ordinary overwrite can leave copies of the data in blocks you never touched.
From there, you can put the hard drive back in and dispose of it however you see fit. Of course, if you are not comfortable doing this yourself, you can always take it to the Geek Squad and have them do it. Now, to the malware. Everybody will tell you that you should have some sort of “Cleanup Process” in your Backup and Recovery Plans in case you are hit by a Cyber attack.
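To make the "deleting is not erasing" point concrete, here is an added example (my own illustration, not code from the original post or from any of the tools it mentions) of overwriting a single file in place before unlinking it. The marker bytes, the temporary file and the two-pass choice are constructed for the demo. The caveat from above applies in full: this only helps on media and filesystems that rewrite blocks in place, so it is no substitute for a whole-drive secure erase when you dispose of a disk.

```python
import os
import stat
import tempfile


def _write_all(fd: int, data: bytes) -> None:
    """os.write may return a short count; keep writing until done."""
    view = memoryview(data)
    while view:
        n = os.write(fd, view)
        view = view[n:]


def overwrite_fd(fd: int, size: int, passes: int = 1, chunk_size: int = 1 << 20) -> int:
    """Overwrite `size` bytes of an open file with random data, `passes` times.

    Returns the total number of bytes written. fsync after each pass forces
    the new bytes out of the page cache onto the device; without it the old
    blocks could still be on disk when the file is unlinked.
    """
    written = 0
    for _ in range(passes):
        os.lseek(fd, 0, os.SEEK_SET)
        remaining = size
        while remaining > 0:
            n = min(chunk_size, remaining)
            _write_all(fd, os.urandom(n))
            written += n
            remaining -= n
        os.fsync(fd)
    return written


def secure_overwrite(path: str, passes: int = 1) -> int:
    """Overwrite a regular file in place, truncate it, then unlink it.

    Caveat: on SSDs (wear levelling), copy-on-write filesystems (btrfs, ZFS,
    APFS) and journaling modes that log data, the old blocks can survive.
    For drive disposal use the drive's secure-erase command instead.
    """
    # Refuse symlinks and non-regular files so a planted link cannot redirect
    # the overwrite to a device node or to a file belonging to someone else.
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path!r} is not a regular file")
    # O_NOFOLLOW (where the platform has it) closes the lstat/open race.
    fd = os.open(path, os.O_RDWR | getattr(os, "O_NOFOLLOW", 0))
    try:
        written = overwrite_fd(fd, st.st_size, passes)
        os.ftruncate(fd, 0)
        os.fsync(fd)
    finally:
        os.close(fd)
    os.unlink(path)
    return written


def demo() -> dict:
    """Constructed demo: plant a marker in a temp file, overwrite it once,
    read the file back to show the marker is gone, then wipe and unlink it."""
    marker = b"TOP-SECRET-PAYROLL"  # constructed sample content
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(marker * 512)
        path = f.name
    size = os.path.getsize(path)  # 18 * 512 = 9216 bytes
    fd = os.open(path, os.O_RDWR)
    try:
        overwrite_fd(fd, size, passes=1)
        os.lseek(fd, 0, os.SEEK_SET)
        after = os.read(fd, size)
    finally:
        os.close(fd)
    marker_survived = marker in after
    written = secure_overwrite(path, passes=2)
    return {
        "size": size,
        "marker_survived": marker_survived,
        "written": written,
        "still_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

A plain `os.remove()` would skip the overwrite step entirely and leave the marker bytes in the freed blocks, which is exactly what recovery tools go looking for.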
But what exactly defines this Cleanup Process? True, you may have something written down on paper, but it is not set in stone. What I mean is that you will never know for sure what you will be hit with (if you ever do become a victim), and the Cleanup Process will vary greatly from malware to malware, as each has its own degree of impact.
My best advice is that if your organization is indeed the victim of a Cyber attack, then once the smoke has cleared, take an inventory of which devices were impacted. If it is only a small number, consider reimaging or replacing them outright; that is far more reliable than trying to pick the malware out by hand.
But if the number of infected devices is much larger, you will probably want to hire a Cyber security firm to help with the Cleanup Process, to make sure that all remnants of whatever malware you have been hit with are totally gone.
Also, keep an eye on your network intrusion alerts, since they tell you where to start: “The first simple step is having somebody monitor your firewalls, your intrusion prevention system, look for different types of alerts that are triggering . . . that information is going to tell you what machines are triggering on those things, then you can go to those machines and start your cleanup process.” (SOURCE: https://cyware.com/news/traces-of-andromeda-botnet-still-exist-in-pcs-despite-it-being-shut-down-last-year-077723dd).
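The quoted advice, turning IPS and firewall alerts into a list of machines to clean, is the kind of triage that is easy to script. Here is an added example (my own, not code from the post or from the cyware source) that parses a handful of Snort-style IPS alerts and iptables-style firewall denies and ranks the internal hosts behind them. Every log line is constructed for the demo: the `1000001`/`1000002` rule IDs are in the local-rule range and the signature names, hostnames and addresses (RFC 5737 documentation ranges for the outside world) are invented for illustration, not taken from any real rule set or incident.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Address space we consider "ours"; assumption for the demo.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample alerts (not real logs), in a simplified syslog shape.
SAMPLE_ALERTS = "\n".join([
    "Jan 05 09:12:01 ips01 snort[2211]: [1:1000001:1] LOCAL TROJAN Andromeda C2 checkin "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.20.30.41:49211 -> 203.0.113.9:80",
    "Jan 05 09:12:07 fw01 kernel: DENY IN=eth1 OUT=eth0 SRC=10.20.30.41 DST=203.0.113.9 PROTO=TCP DPT=80",
    "Jan 05 09:13:44 ips01 snort[2211]: [1:1000001:1] LOCAL TROJAN Andromeda C2 checkin "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.20.30.77:50100 -> 203.0.113.9:80",
    "Jan 05 09:15:02 ips01 snort[2211]: [1:1000002:1] LOCAL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.5:80 -> 10.20.30.41:51022",
    "Jan 05 09:20:19 fw01 kernel: DENY IN=eth1 OUT=eth0 SRC=10.20.30.99 DST=192.0.2.55 PROTO=UDP DPT=53",
    "Jan 05 09:21:00 ips01 snort[2211]: [1:1000001:1] LOCAL TROJAN Andromeda C2 checkin "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.20.30.41:49300 -> 203.0.113.9:80",
])

# Snort "full" alert format: [gid:sid:rev] msg [Classification: ...] [Priority: N] {proto} src:port -> dst:port
IPS_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<sig>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)
# Simplified netfilter log line; real ones carry more fields between SRC= and DPT=.
FW_RE = re.compile(r"\bSRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)")

FIREWALL_PRIORITY = 3  # a bare deny is low-confidence compared with an IPS hit


@dataclass
class HostFindings:
    events: int = 0
    top_priority: int = 99          # Snort priorities: 1 is most severe
    signatures: set = field(default_factory=set)


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _affected_host(src: str, dst: str):
    """The machine to clean is whichever end of the event is on our side,
    so an outbound C2 check-in and an inbound attack response both point
    at the internal box."""
    if _is_internal(src):
        return src
    if _is_internal(dst):
        return dst
    return None


def triage(log_text: str) -> dict:
    """Group IPS and firewall events by affected internal host."""
    findings = {}
    for line in log_text.splitlines():
        m = IPS_RE.search(line)
        if m:
            host, sig, pri = _affected_host(m["src"], m["dst"]), m["sig"], int(m["pri"])
        else:
            m = FW_RE.search(line)
            if not m:
                continue  # unrelated log line
            host = _affected_host(m["src"], m["dst"])
            sig, pri = f"FIREWALL DENY {m['proto']}/{m['dpt']}", FIREWALL_PRIORITY
        if host is None:
            continue
        f = findings.setdefault(host, HostFindings())
        f.events += 1
        f.top_priority = min(f.top_priority, pri)
        f.signatures.add(sig)
    return findings


def cleanup_queue(findings: dict) -> list:
    """Hosts ordered by worst signature priority, then by event count."""
    return sorted(findings, key=lambda h: (findings[h].top_priority, -findings[h].events, h))


if __name__ == "__main__":
    found = triage(SAMPLE_ALERTS)
    for host in cleanup_queue(found):
        f = found[host]
        print(f"{host}: priority {f.top_priority}, {f.events} events, {sorted(f.signatures)}")
```

The ordering puts the host that is both checking in to the C2 address and receiving attack responses at the top of the queue, while the machine that only tripped a firewall deny lands last; in a real environment you would feed the same parser your SIEM's export rather than a pasted sample.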