How to Prevent & Respond to Ransomware Attacks

May 13, 2021 | By IANS Faculty

Previously, we outlined emerging ransomware trends and insight into how it can spread. This piece provides a step-by-step playbook to help ensure your organization is well positioned both to protect against potential ransomware attacks and to limit the damage should such an attack succeed.

Ransomware Prevention

Ransomware is here to stay, and its operators are getting better and bolder. Organizations should consider preventive measures, including:

Strong backup and disaster recovery plans: Organizations must have effective, tested disaster recovery plans with verified offline backups, especially with new ransomware variants in the wild that target and destroy an organization’s backup infrastructure – including Commvault, Tivoli Storage Manager (TSM) and many others.

Effective incident response: This requires proper planning, documentation and exercising to ensure organizations can recover from a security incident before it affects their business on a larger scale. For example, many organizations conduct tabletop exercises to validate their existing incident response plan works well and is understood.

Strong vulnerability management processes: Internet-facing vulnerabilities and misconfigurations are common ransomware infection vectors. To mitigate them, conduct regular vulnerability scans; patch and update software and operating systems regularly; ensure proper, secure configuration of devices; secure Remote Desktop Protocol (RDP) and other remote desktop services; and disable the SMB protocol.

Phishing defenses: You don’t need to be a proficient hacker to gain access to a reasonably secure information system via a simple phishing email. However, there are many technical controls to prevent phishing, including: spam filters; Domain-based Message Authentication, Reporting and Conformance (DMARC); email signing; website certificates; micro-segmentation; single sign-on (SSO); multifactor authentication (MFA); the principle of least privilege and others. But the most effective controls are non-technical, including awareness training, timely reporting and out-of-band verification.

Controlled folder access: Controlled folder access monitors all processes attempting to change data in defined folders. If a process tries to modify files in protected folders without being authorized to do so, the operation is blocked and an alert is generated – stopping ransomware and preventing malicious programs from making changes. When implementing controlled folder access, the user or the system administrator may add the necessary applications to an allow-list of applications that are then allowed to access and change the protected folders.
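The following is an added example, not code from the IANS post, showing how the staged rollout described above looks on a Microsoft Defender Antivirus endpoint: start Controlled Folder Access in audit mode, register extra folders and allow-listed applications, review what would have been blocked, and only then enforce. The folder and application paths are placeholders.

```powershell
# Added example (not from the IANS post): stage Controlled Folder Access (CFA) on a
# Microsoft Defender Antivirus endpoint. Run in an elevated PowerShell session.

# Placeholder paths; replace with the folders and applications in your environment.
$ProtectedFolders = @('D:\Finance', 'D:\Shared\Contracts')
$AllowedApps      = @('C:\Program Files\ExampleVendor\ExampleBackupAgent.exe')

# 1. Start in AuditMode: attempts to modify protected folders are logged (event 1124)
#    but not blocked, so you learn which applications need an allow-list entry before
#    enforcement breaks a line-of-business process.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Register additional folders to protect. The standard user folders (Documents,
#    Pictures, Desktop, ...) are covered by default; these are extra locations.
Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolders

# 3. Allow-list the applications that legitimately write to those folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps

# 4. Confirm the resulting configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications |
    Format-List

# 5. Review what CFA observed during the audit window. In the Defender operational log,
#    event 1123 = modification blocked, 1124 = audited (would have been blocked).
$Filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Event   = $_.Id
            Summary = ($_.Message -split "`n")[0]
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize

# 6. Once every legitimate writer is allow-listed, switch to enforcement.
#    Uncomment after the audit review:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Running the audit phase for at least one full business cycle (month-end reporting, backup windows) before enabling enforcement avoids blocking a legitimate process that only writes occasionally.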

Zero-day detection capabilities: Signature-based technologies are not effective in detecting a majority of malware today due to the ease with which a given piece of malware can be camouflaged or “packed” to slip past traditional antivirus solutions. Ensure your network and endpoint protection can detect and defend against obfuscated malware or zero-day attacks. Furthermore, consider implementing network devices that can block by file type and provide application control to the endpoint device.

In addition, consider implementing other general cybersecurity best practices and hardening, such as:

  • Enabling security settings in cloud environments.
  • Developing and maintaining a comprehensive network diagram to help during incident response.
  • Employing asset management.
  • Restricting usage of PowerShell and enabling PowerShell logging.
  • Securing domain controllers.
  • Retaining and securing logs from both network devices and local hosts.
  • Determining normal network behavioral patterns to help detect anomalous activity.
  • Uninstalling non-essential applications.
  • Disabling non-essential services.
  • Using Secure Boot and a BIOS password.
  • Securing potentially vulnerable protocols.
  • Enforcing application allow-listing.
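To make the "restricting usage of PowerShell and enabling PowerShell logging" item above concrete, here is an added example (not from the IANS post) that sets the same registry values Group Policy uses for script block logging, module logging and transcription, then verifies that 4104 events arrive. The transcript directory is a placeholder; on a managed estate push these settings through GPO or Intune rather than per host.

```powershell
# Added example (not from the IANS post): enable PowerShell script block logging,
# module logging and transcription via the policy registry values, then verify.
# Run in an elevated session.

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'D:\PSTranscripts'   # placeholder; restrict users to append-only access

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script block logging: the text of every executed script block, after any
# de-obfuscation the engine performs, is written to
# Microsoft-Windows-PowerShell/Operational as event 4104.
Set-PolicyValue "$PolicyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Module logging for all modules: pipeline execution details as event 4103.
Set-PolicyValue "$PolicyRoot\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$PolicyRoot\ModuleLogging\ModuleNames" '*' '*' 'String'

# Transcription: a per-session text record with an invocation header (who, when, where).
Set-PolicyValue "$PolicyRoot\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$PolicyRoot\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$PolicyRoot\Transcription" 'OutputDirectory' $TranscriptDir 'String'
if (-not (Test-Path $TranscriptDir)) {
    New-Item -ItemType Directory -Path $TranscriptDir | Out-Null
}

# Verification: policy is read at engine start-up, so launch a fresh process, run a
# harmless command, and then pull the 4104 events that carry the script block text
# (Properties[2] is ScriptBlockText for event 4104).
powershell.exe -NoProfile -Command "Get-Date | Out-Null"
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } } |
    Format-Table -Wrap
```

Forward the PowerShell operational log to your SIEM alongside the transcripts; a host-local copy is exactly what ransomware operators delete before encryption.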

Ransomware Detection

Ransomware attacks can be detected in various ways. Possible scenarios include, but are not limited to:

  • Endpoint security software: This can be antivirus or a stronger endpoint detection and response (EDR) solution.
  • Threat intelligence: This includes solutions that can scan systems and networks for indicators of compromise (IoCs) and identify lateral movement by tracking network behavior and data flows.
  • Domain Name System (DNS) protection: Solutions such as OpenDNS and similar that block malicious domains and IP addresses, preventing ransomware from fetching its payload.
  • SIEM or log reviews: Execution of ransomware is often detected from a log analysis process.
  • Network detection sensors: Intrusion detection/prevention systems (IDS/IPS), unified threat management (UTM) firewalls or other network devices include tools and sensors that can detect propagation and lateral movement of ransomware.
  • Threat hunting: This is mostly leveraged by larger organizations and focused on forensic analysis of various artifacts.
  • Digital forensic investigation and incident response: If ransomware is suspected, forensic analysis can reveal potential compromise.
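As an added example of the "SIEM or log reviews" item above (and of the post-incident log analysis recommended later in the InfoSec guidance), here is a host-level review pass that is not part of the IANS post. It pulls process-creation events whose command line matches a small, constructed set of backup-tampering precursors, plus Defender detections and Controlled Folder Access blocks, for one host over a time window. It assumes process-creation auditing (event 4688) with command line inclusion is enabled; remote hosts additionally need event log RPC or WinRM access.

```powershell
# Added example (not from the IANS post): review a host's Security and Defender logs
# for ransomware precursors. Indicator patterns are constructed for the example and
# deliberately conservative; a SIEM rule set would be broader.

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$HoursBack = 24
)
$Since = (Get-Date).AddHours(-$HoursBack)

# Constructed indicator list: tampering with shadow copies, backup catalogs and
# recovery settings commonly precedes encryption.
$CommandLinePatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)',
    'bcdedit(\.exe)?\s+.*recoveryenabled\s+no'
)
$Pattern = ($CommandLinePatterns -join '|')

$Findings = New-Object System.Collections.Generic.List[object]

# 1. Process creations (Security 4688) whose command line matches a precursor pattern.
Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Security'; Id = 4688; StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['CommandLine'] -match $Pattern) {
        $Findings.Add([pscustomobject]@{
            Time    = $_.TimeCreated
            Source  = 'Security/4688'
            Subject = $data['SubjectUserName']
            Detail  = $data['CommandLine']
        })
    }
}

# 2. Defender detections (1116 = malware detected, 1117 = action taken) and
#    Controlled Folder Access blocks (1123) in the same window.
Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id = 1116, 1117, 1123; StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings.Add([pscustomobject]@{
        Time    = $_.TimeCreated
        Source  = "Defender/$($_.Id)"
        Subject = $_.UserId
        Detail  = ($_.Message -split "`n")[0]
    })
}

$Findings | Sort-Object Time | Format-Table -AutoSize
if ($Findings.Count -gt 0) {
    Write-Warning "$($Findings.Count) ransomware-related finding(s) on $ComputerName in the last $HoursBack h; escalate per the IR plan."
}
```

A single 4688 hit on a backup-tampering command from an ordinary user context is a page-the-on-call event, not a ticket: the same script run across domain controllers and file servers is a quick way to scope whether the activity is isolated.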

Ransomware Verification

When ransomware is suspected on a machine, it is critical to the security of the organization that certain verification steps be performed. However, it’s important to proceed with caution because more assets can easily become exposed.

What Not To Do

  • Never connect to the machine from the network with a privileged account, such as:
    • Domain administrator/enterprise administrator accounts
    • Backup operator/backup administrator accounts
    • Any domain account with administrator rights on any other asset in the domain.
    • Local administrator account, if the account is used for administering multiple assets with the same account name and password.
  • Never run any files on the infected machine by double-clicking (even if a ransom note seems to be in TXT format, don’t open it by double-clicking).
  • Never connect external media, such as local USB sticks, external hard drives, etc.
  • Never connect any network drives.
  • Never provide your account password after logging in with the local administrator password. Log in to the machine with an unprivileged user account (e.g., let the user who reported the ransomware log in to their own account) or log in with the local administrator password locally (not from the network). If logging in this way is not possible, disconnect the machine from the network (unplug the cable, or disable the machine’s access on the switch or access point) and then log in with the local administrator account.

What To Do

Some steps to take to verify whether a machine is infected with ransomware include:

  • Check for the presence of a ransomware note (wallpaper, note on the desktop, note in the directory with encrypted files, etc.). If a ransomware note is present, open it by:
    • Opening Notepad: press START, type notepad and press ENTER.
    • Opening the ransomware note from within Notepad.
  • If a ransomware note is not present, try to open the files by following similar steps using different extensions: pdf, docx, rtf and xlsx.
  • If the files are encrypted, notice the filename (e.g., Document.docx.locked).
  • If the ransomware presence is verified, disconnect the machine from the network, activate the incident response team and proceed with the containment.

Ransomware Containment

Malware is especially harmful because of its ability to spread throughout the network quickly, causing extensive damage in a short period. The response strategy should be to isolate and contain the ransomware before it has a chance to proliferate. This can dramatically reduce potential damage.

Containment requires detection of all the infected hosts and/or hosts with ransomware-encrypted files. To do this:

  • Scan systems with security software or an EDR solution for the presence of ransomware and/or encrypted files:
    • A company-wide antimalware scan should be initiated from a central anti-malware console.
    • An EDR scan on the infected machines should be initiated to detect the presence of encrypted files (if the encrypted files have the extension .locked, then search for *.locked files).
  • Review the results of the anti-malware and EDR scans.
  • Quarantine each identified infected machine. Disconnect it from the network by shutting down the system, disconnecting the network cable, turning off the system’s port at the switch, using network access control (NAC) to isolate it, or activating the quarantine feature of your EDR solution.
  • Re-scan the whole network periodically (at least every six hours) to uncover other infections.
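The following added example (not from the IANS post) covers the scan-and-quarantine steps above for a host where a central EDR scan is unavailable or you want an independent check: it enumerates files carrying a suspect extension (the post's example is *.locked) or a ransom-note-like name, records them with a byte-entropy estimate to a CSV for the incident record, reports the earliest and latest write times to bound when encryption started, and can optionally isolate the host by disabling its network adapters rather than powering it off. The extension list, note-name pattern and scan roots are constructed placeholders; extend them with the variant you actually observe.

```powershell
# Added example (not from the IANS post): find ransomware-encrypted files on a
# suspected host, record them for the IR team, and optionally isolate the host.

param(
    [string[]]$Roots    = @("$env:SystemDrive\Users", 'D:\Shared'),     # placeholders
    [string]$ReportPath = "$env:ProgramData\ir-encrypted-files.csv",
    [switch]$Isolate
)

# Constructed indicators for the example.
$SuspectExtensions = @('.locked', '.encrypted', '.crypt', '.enc')
$NoteNamePattern   = '(?i)(readme|recover|decrypt|restore).*\.(txt|html|hta)$'
$SampleBytes       = 65536   # bytes sampled per file for the entropy estimate

# Shannon entropy in bits per byte. Encrypted (or well-compressed) data sits close
# to 8.0; ordinary office documents are usually well below that.
function Get-ByteEntropy([byte[]]$Bytes) {
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [Math]::Log($p, 2) }
    }
    return [Math]::Round($h, 3)
}

$Findings = foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_
            $reason = $null
            if ($SuspectExtensions -contains $f.Extension.ToLower()) {
                $reason = 'suspect extension'          # e.g. Document.docx.locked
            } elseif ($f.Name -match $NoteNamePattern) {
                $reason = 'possible ransom note'
            }
            if ($reason) {
                $fs = [System.IO.File]::OpenRead($f.FullName)
                try {
                    $buf  = New-Object byte[] ([Math]::Min($SampleBytes, $fs.Length))
                    $null = $fs.Read($buf, 0, $buf.Length)
                } finally { $fs.Dispose() }
                [pscustomobject]@{
                    Path         = $f.FullName
                    OriginalName = [System.IO.Path]::GetFileNameWithoutExtension($f.Name)
                    Size         = $f.Length
                    LastWrite    = $f.LastWriteTimeUtc
                    Entropy      = Get-ByteEntropy $buf
                    Reason       = $reason
                }
            }
        }
}

if ($Findings) {
    $Findings | Export-Csv -Path $ReportPath -NoTypeInformation
    # Earliest hit bounds when encryption began (scopes backup and log review);
    # the latest hit shows whether it is still running.
    $ordered = @($Findings | Sort-Object LastWrite)
    [pscustomobject]@{
        Files       = $ordered.Count
        FirstWrite  = $ordered[0].LastWrite
        LatestWrite = $ordered[-1].LastWrite
        Report      = $ReportPath
    }
} else {
    'No files matched the constructed indicators.'
}

# Local quarantine when EDR isolation or NAC is unavailable: drop every active adapter
# so the host can neither spread nor call out, while keeping memory intact for forensics.
if ($Isolate) {
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
}
```

Run it from a local, unprivileged or local-administrator session per the verification rules above, never from a domain-privileged remote session, and copy the CSV off the host before isolating it.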

Ransomware Eradication

Once the ransomware is detected and contained, the next step is to eradicate it from the network. Any affected machines should either be replaced or thoroughly cleaned and continuously monitored thereafter. To do this:

  • Ensure the system is clean and functional.
  • Restore the system from backup, repair any damage and reinstall the OS if needed.
  • Verify operational systems, and if needed, replace damaged systems.

Ransomware Recovery

Regular backups are critical for recovering from a ransomware attack. As part of the recovery process, a forensic investigation should be conducted to further identify sources of potential vulnerabilities as well as processes and policies that may need revision to prevent future attacks. To get on the road to recovery, consider:

  • Securing evidence for forensic investigation.
  • Doing a forensic analysis of the root cause and initial vector of compromise.
  • Writing a forensic memorandum related to sensitive data manipulation and lessons learned.

Businesses can recover well if their technological maturity is matched by a strong cybersecurity posture. Without a fully operational technological skeleton, cybersecurity strategies do not have strong pillars to stand on. Securing the evidence for the forensic investigation should be done in a forensically sound manner that is legally acceptable and gives reasonable assurance that the evidence was not corrupted or destroyed during the investigative process. This is a very important component if legal proceedings are intended.

Ransomware Prevention Best Practices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint guide on defending against and responding to ransomware threats. We recommend reviewing this guide thoroughly. It consists of two main parts: a ransomware response checklist and ransomware prevention.

Ransomware Prevention

US-CISA and MS-ISAC stress the urgency of being prepared for this type of threat by employing the following best practices to reduce the risk of ransomware and prepare for swift and efficient response:

  • Maintaining offline and encrypted backups that are regularly tested.
  • Creating and maintaining an incident response plan that is regularly exercised.

The guide also lists the best defenses against ransomware’s most common attack vectors, including:

  • Internet-facing vulnerabilities and misconfigurations, which can be mitigated by conducting regular vulnerability scans; patching and updating software and operating systems regularly; ensuring proper and secure configurations of devices; securing RDP and other remote desktop services; and disabling the SMB protocol.
  • Phishing, which can be mitigated by implementing a user awareness and training program; deploying email gateway filters; implementing DMARC; and disabling macros for Microsoft Office files.
  • Precursor malware infections, which can be mitigated by using an up-to-date anti-malware solution; deploying application allow-listing; implementing IDS/IPS; and performing risk management of third parties.

Other general cybersecurity best practices and hardening guidance include:

  • Employing MFA.
  • Applying the principle of least privilege.
  • Enabling security settings in cloud environments.
  • Developing and maintaining a comprehensive network diagram to help during incident response.
  • Employing network segmentation.
  • Employing asset management.
  • Restricting usage of PowerShell.
  • Securing domain controllers.
  • Retaining and securing logs from both network devices and local hosts.
  • Determining normal network behavioral patterns to help detect anomalous activity.

Ransomware Response

The second part of the guide provides a ransomware response checklist. It includes steps for:

  • Detection and analysis, including determining and isolating impacted systems, powering down affected systems only if you are unable to disconnect them, triaging impacted systems, documenting an understanding of the situation and engaging internal and external teams.
  • Containment and eradication, including collecting system images, memory captures, logs, malware binaries and IoCs; consulting federal law enforcement agencies for possible decryptors; researching trusted guidance for your particular ransomware variant; identifying initially breached systems (patient zero); containing any associated systems; performing server-side data encryption identification; examining security devices and their logs; conducting extended analysis to identify persistence mechanisms; rebuilding systems; issuing password reset for all affected systems and patching associated security gaps; and declaring the end of the ransomware incident.
  • Recovery and post-incident activity, including reconnecting systems and restoring from backups; documenting lessons learned, and sharing lessons learned and IoCs with CISA and/or ISAC for the benefit of others.

Ransomware Guidance for InfoSec Teams

No information security team wants their organization to fall victim to ransomware. The following serves as guidance for InfoSec teams to help limit the damage.

Documented escalation procedures in place. Escalation procedures to senior technical experts or to an external digital forensics/incident response firm should be mapped to at least the critical categories of incidents. It should be clear which types of incidents can be handled by internal security capacity, and which types of incidents and what thresholds trigger escalation to technical experts or forensics specialists. Also, procedures for escalation to higher management should be established for instances when designated personnel do not respond to an alert within a certain timeframe.

A workable plan for incident communication. You should consider employing two separate roles: internal and external. A distinction between incident response and incident handling should be made. Otherwise, too many responsibilities may be assigned to a single incident manager to handle effectively during a crisis. Ideally, internal communication within the IR team on the incident response effort should have a technical leader assigned (skilled in networking, log analysis, forensics, etc.) who is responsible for facilitating the technical aspects of dealing with an incident and communication within the IR team. External communication on incident handling should have another leader assigned (skilled in communications and project management) who is responsible for communication outside of the IR team (to executives, users, third parties, etc.) and for taking notes.

Isolate suspected threats quickly. When a ransomware attack is suspected, don’t underestimate the severity of the attack. Contain the threat by either disconnecting the system from the network or powering off the system if disconnecting cannot be done. Powering off may hinder the investigation efforts, but it will stop the malware’s action and prevent further spread. You should disconnect the whole network segment of the affected machine, and never connect to the infected machine with a privileged account because that could let the malware spread further with elevated privileges.

Perform threat hunting after ransomware eradication and recovery. After an incident, a generally good practice is to perform in-depth log analysis to detect ransomware IoCs and behavioral patterns in the infrastructure, mainly on your domain controllers, firewalls and security devices. In addition, endpoint and network threat hunting can be used to search for evidence of attacker tactics, techniques and procedures (TTPs) and IoCs. Also, consider performing targeted clear web and dark web searches to uncover possible data leaks.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

