If you suspect that your organization is dealing with an infostealer infection, it’s crucial to act quickly and decisively. Follow these steps to get the situation under control and prevent further damage.
- Identify the Infection
Start by determining which device and user may be affected. Use data such as the compromised session (username), device-specific information (hostname, IP address, operating system), and other network data to trace the source of the infection. This can often be discovered through log files or monitoring tools that detect unusual activity.
- Isolate the Infection
Invalidate all active sessions of the affected user and immediately force a password reset. This prevents attackers from exploiting stolen session cookies or login credentials to access systems or data.
- Remove the Infostealer
Use a professional malware removal solution to scan the infected device and remove the infostealer. It is important to choose a powerful tool that specializes in detecting advanced malware. For consumers, Sophos Home is a good option, as it can detect both known and new infostealer variants.
After removing the infostealer, the user must take several critical steps to minimize further risks:
- Change All Passwords
Assume that all your passwords, both business and personal, may have been stolen. Change each password, and choose strong, unique passwords for every account. Where possible, enable multi-factor authentication (MFA) for added security. A password manager can help securely store and generate unique passwords.
- Log Out of All Sessions
Attackers may have already gained access to your accounts through stolen credentials. Therefore, use the option to ‘log out on all devices’ or ‘log out of all sessions’ for services like Google, Microsoft, and social media. This will ensure that all active sessions are terminated, preventing unauthorized access.
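The steps above (identify the affected user and device from logs, then invalidate sessions and force a password reset) can be scripted as a first-pass triage. The following is an added example and is not code from the original article or from any vendor mentioned in it. It assumes that an infostealer-exposure notification gives you, per user, the infected hostname and the time the credentials were captured, and that your authentication logs can be exported as `key=value` lines; the log lines, usernames, hostnames, IP addresses and session identifiers below are all constructed for the demo. The detection logic flags a session that is used, after the capture time, from a source address the user had never logged in from before, which is what replay of a stolen session cookie typically looks like in the logs.

```python
"""Infostealer triage helper (added example, constructed data).

Correlates compromised-credential indicators with authentication logs,
flags sessions replayed from previously unseen source addresses after the
capture time, and emits the containment actions the article describes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from typing import Iterable


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    host: str
    src_ip: str
    session_id: str


@dataclass
class Finding:
    user: str
    infected_host: str
    suspicious_sessions: list[str] = field(default_factory=list)
    actions: list[str] = field(default_factory=list)


def parse_auth_log(lines: Iterable[str]) -> list[AuthEvent]:
    """Parse `ISO-timestamp key=value ...` lines; malformed lines are skipped."""
    events: list[AuthEvent] = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
            events.append(AuthEvent(ts, kv["user"], kv["host"], kv["src"], kv["session"]))
        except (ValueError, KeyError):
            continue  # not a well-formed auth record; ignore rather than abort
    return events


def triage(compromised: dict[str, tuple[str, datetime]],
           events: list[AuthEvent]) -> list[Finding]:
    """For each compromised user, compare post-capture logins with the user's
    pre-capture source-IP baseline and build the containment action list."""
    findings: list[Finding] = []
    for user, (infected_host, captured_at) in compromised.items():
        user_events = sorted((e for e in events if e.user == user), key=lambda e: e.ts)
        baseline_ips = {e.src_ip for e in user_events if e.ts < captured_at}
        replayed = {e.session_id for e in user_events
                    if e.ts >= captured_at and e.src_ip not in baseline_ips}
        finding = Finding(user, infected_host, sorted(replayed))
        # Containment, in the order the article gives it: kill sessions,
        # reset the password, isolate the infected host for malware removal,
        # and require MFA going forward.
        finding.actions = [
            f"revoke_all_sessions:{user}",
            f"force_password_reset:{user}",
            f"isolate_host:{infected_host}",
            f"enforce_mfa:{user}",
        ]
        findings.append(finding)
    return findings


# Constructed sample auth log: alice's normal logins come from 198.51.100.10;
# the last alice line is her session S-2 reused from an unrelated address.
SAMPLE_LOG = """\
2024-05-01T08:00:00 user=alice host=LAPTOP-01 src=198.51.100.10 session=S-1
2024-05-02T08:05:00 user=alice host=LAPTOP-01 src=198.51.100.10 session=S-2
2024-05-03T14:20:00 user=alice host=LAPTOP-01 src=198.51.100.10 session=S-2
2024-05-03T22:41:00 user=alice host=UNKNOWN src=203.0.113.77 session=S-2
2024-05-04T09:00:00 user=bob host=DESKTOP-7 src=198.51.100.22 session=S-9
this line is deliberately malformed
"""

# Constructed indicator: alice's credentials were captured on LAPTOP-01 at noon on 3 May.
COMPROMISED = {"alice": ("LAPTOP-01", datetime(2024, 5, 3, 12, 0, 0))}


if __name__ == "__main__":
    for f in triage(COMPROMISED, parse_auth_log(SAMPLE_LOG.splitlines())):
        print(f"user={f.user} infected_host={f.infected_host} "
              f"replayed_sessions={f.suspicious_sessions}")
        for action in f.actions:
            print("  ->", action)
```

The baseline is deliberately built only from events before the capture time, so a login from the attacker's address after the theft cannot launder itself into the "known" set. In a real deployment the action strings would be handed to the identity provider's session-revocation and password-reset APIs and to endpoint isolation tooling; here they are emitted as a plan so the analyst can review them first.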
By following these steps, you can mitigate the damage from an infostealer infection and prevent further risks to your organization and personal data.