Previously, we outlined emerging ransomware trends and insight into how it can spread. This piece provides a step-by-step playbook to help ensure your organization is well positioned both to protect against potential ransomware attacks and to limit the damage should such an attack succeed.
Ransomware is here to stay, and its operators are getting better and bolder. Organizations should consider preventive measures, including:
Strong backup and disaster recovery plans: Organizations must have effective, tested disaster recovery plans with verified offline backups, especially with new ransomware variants in the wild that target and destroy an organization’s backup infrastructure
– including Commvault, Tivoli Storage Manager (TSM) and many others.
Effective incident response: This requires proper planning, documentation and exercising to ensure organizations can recover from a security incident before it affects their business on a larger scale. For example, many organizations conduct tabletop
exercises to validate their existing incident response plan works well and is understood.
Strong vulnerability management processes: Internet-facing vulnerabilities and misconfigurations are infection vectors for ransomware. To mitigate such threats, consider conducting regular vulnerability scans, patching and updating software and operating systems regularly, ensuring proper and secure configurations of devices, securing remote desktop protocol (RDP) and other remote desktop services, and disabling the SMB protocol.
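As an added example (not code from the IANS post), the following PowerShell function audits two of the hardening items just listed on a Windows host: whether the SMBv1 server protocol is still enabled (the assumption here is that SMBv1 is the version meant, since it is the one ransomware worms have abused) and whether RDP, if enabled, requires Network Level Authentication and is reachable from any address through the host firewall. The function name and its `-Apply` switch are this example's own; all cmdlets used are standard Windows ones. Run it in an elevated session.

```powershell
# Added example, not IANS code. Reports PASS/FAIL/REVIEW per check; with -Apply it
# also disables SMBv1 and turns on NLA for RDP. Assumes Windows 10/Server 2016 or later.
function Test-RansomwareHardening {
    [CmdletBinding()]
    param([switch]$Apply)

    $findings = @()

    # 1. SMBv1 server: should be off. Get-/Set-SmbServerConfiguration are built in.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings += [pscustomobject]@{ Check = 'SMBv1 server disabled'; Status = 'FAIL' }
        if ($Apply) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    } else {
        $findings += [pscustomobject]@{ Check = 'SMBv1 server disabled'; Status = 'PASS' }
    }

    # 2. RDP: fDenyTSConnections = 1 means RDP is off entirely. If it is on, require NLA
    #    (UserAuthentication = 1) so unauthenticated clients never reach the logon screen.
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"
    $rdpEnabled = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
    $nla        = (Get-ItemProperty -Path $rdpKey).UserAuthentication -eq 1
    $findings += [pscustomobject]@{
        Check  = 'RDP disabled (or justified)'
        Status = $(if ($rdpEnabled) { 'REVIEW' } else { 'PASS' })
    }
    if ($rdpEnabled) {
        if ($nla) {
            $findings += [pscustomobject]@{ Check = 'RDP requires NLA'; Status = 'PASS' }
        } else {
            $findings += [pscustomobject]@{ Check = 'RDP requires NLA'; Status = 'FAIL' }
            if ($Apply) { Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 }
        }

        # 3. Host firewall: an enabled "Remote Desktop" rule whose remote address is
        #    'Any' exposes RDP to every network the host is on, including the internet
        #    if the host is internet-facing. Flag it for review rather than auto-fixing,
        #    because the right scope (jump hosts, VPN range) is site-specific.
        $openRdp = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
                   Get-NetFirewallAddressFilter |
                   Where-Object { $_.RemoteAddress -eq 'Any' }
        $findings += [pscustomobject]@{
            Check  = 'RDP firewall rule scoped to known addresses'
            Status = $(if ($openRdp) { 'REVIEW' } else { 'PASS' })
        }
    }

    return $findings
}

Test-RansomwareHardening | Format-Table -AutoSize
```

Running it without `-Apply` is safe on production hosts; the registry and firewall reads need no changes. Treat `REVIEW` findings as questions for the system owner, not automatic failures.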
Phishing defenses: You don’t need to be a proficient hacker to gain access to a reasonably secure information system via a simple phishing email. However, there are many technical controls to prevent phishing, including: spam filters; Domain-based Message Authentication, Reporting and Conformance (DMARC); email signing; website certificates; micro-segmentation; single sign-on (SSO); multifactor authentication (MFA); the principle of least privilege; and others. But the most effective controls are non-technical, including awareness training, timely reporting and out-of-band verification.
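As an added example (not code from the IANS post), the function below reads the SPF and DMARC records a domain publishes in DNS and reports the common weak settings: a missing record, an SPF that ends in `+all` or `?all`, a DMARC policy of `p=none`, and a DMARC record with no `rua=` reporting address. The function name is this example's own, `example.com` is a placeholder, and `Resolve-DnsName` (built into Windows) needs working outbound DNS.

```powershell
# Added example, not IANS code. Checks the e-mail authentication posture of one domain.
function Test-MailAuthPosture {
    param([Parameter(Mandatory)][string]$Domain)

    $result = [ordered]@{ Domain = $Domain; SPF = 'missing'; DMARC = 'missing'; Issues = @() }

    # SPF is a TXT record at the domain apex beginning with "v=spf1". A long record
    # may be split into several strings, so join them before matching.
    $apexTxt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $spf = $apexTxt | ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    if ($spf) {
        $result.SPF = $spf
        if ($spf -match '\+all\s*$') {
            $result.Issues += 'SPF ends in +all: any host may send as this domain'
        } elseif ($spf -match '\?all\s*$') {
            $result.Issues += 'SPF ends in ?all: neutral result gives receivers nothing to act on'
        }
    } else {
        $result.Issues += 'No SPF record published'
    }

    # DMARC is a TXT record at _dmarc.<domain>; "p=" tells receivers what to do when
    # SPF/DKIM alignment fails, and "rua=" is where aggregate reports are sent.
    $dmarcTxt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue
    $dmarc = $dmarcTxt | ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    if ($dmarc) {
        $result.DMARC = $dmarc
        # (^|;) keeps "p=" from matching the subdomain tag "sp="
        if ($dmarc -match '(^|;)\s*p=none') {
            $result.Issues += 'DMARC policy is p=none: spoofed mail is reported but still delivered'
        }
        if ($dmarc -notmatch 'rua=') {
            $result.Issues += 'No rua= address: you will not receive aggregate reports'
        }
    } else {
        $result.Issues += 'No DMARC record published'
    }

    [pscustomobject]$result
}

Test-MailAuthPosture -Domain 'example.com' | Format-List
```

A domain that is still at `p=none` should move through `p=quarantine` to `p=reject` once the aggregate reports show that all legitimate senders pass alignment; this check only tells you where you stand today.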
Controlled folder access: Controlled folder access monitors all processes attempting to change data in defined folders. If a process tries to modify files in protected folders without being authorized to do so, the operation is blocked and an alert is generated – stopping ransomware and preventing malicious programs from making changes. When implementing controlled folder access, the user or the system administrator may add the necessary applications to an allow-list of applications that are then permitted to access and change the protected folders.
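As an added example (not code from the IANS post), the three functions below roll out Microsoft Defender's Controlled Folder Access in the order that avoids breaking line-of-business applications: enable audit mode first, review what audit mode recorded, and only then add the observed legitimate writers to the allow-list and enforce. The function names, folder paths and application path are this example's placeholders; the `Set-MpPreference`/`Add-MpPreference`/`Get-WinEvent` cmdlets and the Defender event IDs 1123 (blocked) and 1124 (audited) are real.

```powershell
# Added example, not IANS code. Requires an elevated session on a host running
# Microsoft Defender Antivirus. Paths below are placeholders for your environment.

# Stage 1: audit mode. Defender logs what it WOULD block without blocking anything.
function Enable-CfaAudit {
    param([Parameter(Mandatory)][string[]]$Folders)
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    Add-MpPreference -ControlledFolderAccessProtectedFolders $Folders
}

# Stage 1b: review. 1124 = access audited (would have been blocked), 1123 = blocked.
# The event message names the process and the target path, which is what you need
# to decide whether a writer is legitimate (add to the allow-list) or suspicious.
function Get-CfaEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = $(if ($_.Id -eq 1124) { 'Audited' } else { 'Blocked' })
            Message = $_.Message
        }
    }
}

# Stage 2: enforce, after every legitimate writer seen in the audit is allow-listed.
function Enable-CfaEnforce {
    param([string[]]$AllowedApps)
    if ($AllowedApps) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps
    }
    Set-MpPreference -EnableControlledFolderAccess Enabled
    # Verify: EnableControlledFolderAccess reports 1 = Enabled, 2 = AuditMode, 0 = Disabled
    Get-MpPreference | Select-Object EnableControlledFolderAccess,
                                     ControlledFolderAccessProtectedFolders,
                                     ControlledFolderAccessAllowedApplications
}

# Usage (run the stages days apart, not all at once):
Enable-CfaAudit -Folders @('D:\Finance', 'D:\Shared\Contracts')          # placeholder paths
Get-CfaEvents | Group-Object Mode | Select-Object Name, Count              # after the audit window
# Enable-CfaEnforce -AllowedApps @('C:\Program Files\LineOfBusiness\lob.exe')  # placeholder path
```

Keep monitoring 1123 events after enforcement: a burst of blocks from a single unfamiliar process against many files is exactly the pattern the control exists to catch, and it should feed the detection scenarios discussed later in this piece.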
Zero-day detection capabilities: Signature-based technologies are not effective in detecting the majority of malware today because a given piece of malware can easily be camouflaged or “packed” to slip past traditional antivirus solutions. Ensure your network and endpoint protection can detect and defend against obfuscated malware or zero-day attacks. Furthermore, consider implementing network devices that can block by file type and provide application control to the endpoint.
In addition, consider implementing other general cybersecurity best practices and hardening, such as:
Ransomware attacks can be detected in various ways. Possible scenarios include, but are not limited to:
When ransomware is suspected on a machine, it is critical to the security of the organization that certain verification steps be performed. However, it’s important to proceed with caution because more assets can easily become exposed. Some steps to take to verify whether a machine is infected with ransomware include:
Malware is very harmful mainly because of its ability to spread throughout the network very quickly, causing damage in a very short period. The response strategy should be to isolate and contain the ransomware before it has a chance to proliferate. This
can dramatically reduce potential damage.
Containment requires detection of all the infected hosts and/or hosts with ransomware-encrypted files. To do this:
Once the ransomware is detected and contained, the next step is to eradicate it from the network. Any affected machines should either be replaced or thoroughly cleaned and continuously monitored thereafter. To do this:
Regular backups are critical for recovering from a ransomware attack. As part of the recovery process, a forensic investigation should be conducted to further identify sources of potential vulnerabilities as well as processes and policies that may need
revision to prevent future attacks. To get on the road to recovery, consider:
Businesses can recover well if their technological maturity is matched by a strong cybersecurity posture. Without a fully operational technological skeleton, cybersecurity strategies do not have strong pillars to stand on. Evidence for the forensic investigation should be secured in a forensically sound manner that is legally acceptable and gives reasonable assurance that it was not corrupted or destroyed during the investigative process. This is a very important component if legal proceedings are intended.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint guide on defending against and responding to ransomware threats. We recommend reviewing this guide thoroughly; it consists of two main parts: a ransomware prevention section and a ransomware response checklist.
US-CISA and MS-ISAC stress the urgency of being prepared for this type of threat by employing the following best practices to reduce the risk of ransomware and prepare for swift and efficient response:
The guide also lists the best defenses against ransomware’s most common attack vectors, including:
Other general cybersecurity best practices and hardening guidance include:
The second part of the guide provides a ransomware response checklist. It includes steps for:
No information security team wants their organization to fall victim to ransomware. The following serve as guidance for InfoSec teams to help limit the damage.
Documented escalation procedures in place. Escalation procedures to higher technical experts or external digital forensics/incident response company should be mapped to at least critical categories of incidents. It should be clear which types of incidents
can be handled by internal security capacities and which types of incidents and what thresholds trigger the escalation to technical experts or forensics specialists. Also, procedures for escalation to higher management should be established for instances
when designated personnel do not respond to an alert within a certain timeframe.
A workable plan for incident communication. You should consider employing two separate roles: internal and external. Differentiation between incident response and incident handling should be made. Otherwise, it is possible too many responsibilities are
assigned to a single incident manager to be handled effectively during a crisis. Ideally, internal communication within the IR team on the incident response efforts should have a technical leader (skilled in networking, log analysis, forensics, etc.)
assigned who will be responsible for facilitating technical aspects of dealing with an incident and communication within the IR team. External communication on incident handling should have another leader assigned (skilled in communications and project
management) who will be responsible for communication outside of the IR team (to executives, users, third parties, etc.) and taking notes.
Isolate suspected threats quickly. When a ransomware attack is suspected, don’t underestimate the severity of the attack. Contain the threat by disconnecting the system from the network, or by powering off the system if disconnecting cannot be done. Powering off may hinder the investigation, but it will stop the malware’s activity and prevent further spread. You should disconnect the whole network segment of the affected machine, and never connect to the infected machine with a privileged account, because that could let the malware spread further with elevated privileges.
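As an added example (not code from the IANS post), the function below is the host-level version of the containment step above, meant to be run at the console of the suspected machine by the responder rather than remotely with a domain-privileged account. Because a power-off loses volatile state, it first writes current connections, processes and command lines to a local evidence folder, then blocks all traffic with the host firewall and disables the network adapters so the host stays up for imaging but cannot reach anything. The function name and `C:\IR\volatile` are this example's placeholders.

```powershell
# Added example, not IANS code. Run elevated, locally, on the suspected host.
# The evidence folder is local on purpose: mapping a share from an infected host would
# expose that share. Writing to a clean removable drive is the better option when available.
function Invoke-HostIsolation {
    param([string]$EvidencePath = 'C:\IR\volatile')   # placeholder

    New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    # 1. Volatile evidence before the network is cut: who the host is talking to,
    #    what is running and with which command lines. This survives a later power-off.
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
        Export-Csv -Path "$EvidencePath\tcp-$stamp.csv" -NoTypeInformation
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
        Export-Csv -Path "$EvidencePath\processes-$stamp.csv" -NoTypeInformation
    Get-ChildItem -Path $env:TEMP -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime |
        Export-Csv -Path "$EvidencePath\temp-listing-$stamp.csv" -NoTypeInformation

    # 2. Cut the network. The firewall change alone would do it, but disabling the
    #    adapters as well means containment does not depend on a single control.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Disable-NetAdapter -Confirm:$false

    # 3. Record the action for the incident timeline.
    "$stamp isolated $env:COMPUTERNAME by $env:USERNAME (firewall block-all + adapters disabled)" |
        Add-Content -Path "$EvidencePath\actions.log"
}

Invoke-HostIsolation
```

The evidence files are written to the same disk the ransomware may be encrypting, so copy them off as soon as a clean, non-networked transfer is possible. Isolating the host this way does not replace isolating its network segment at the switch or firewall, which the paragraph above also calls for.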
Perform threat hunting after ransomware eradication and recovery. After an incident, a general good practice is to perform in-depth log analysis to detect ransomware IoCs and behavioral patterns in the infrastructure, mainly on your domain controllers,
firewalls and security devices. In addition, endpoint and network threat hunting can be used to search for evidence of attacker tactics, techniques and procedures (TTPs) and IoCs. Also, consider performing targeted, clear dark web searches to uncover
possible data leaks.
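As an added example (not code from the IANS post), the script below is a small rule-based hunt of the kind the paragraph above recommends over event data from endpoints and domain controllers. The events are constructed for the demonstration (the commented `Get-WinEvent` call shows where real ones would come from, with fields parsed from each event's `Properties`), the rule set and the lateral-movement threshold are this example's own assumptions, and the patterns are the widely documented ransomware precursors: shadow-copy and recovery-setting tampering, services installed from user-writable paths, cleared security logs, and one source address authenticating to many hosts.

```powershell
# Added example, not IANS code. Hunts over a normalized event list:
# Id = Windows event ID, Computer = logging host, Account, Data = the field of interest
# (command line for 4688, image path for 7045, source address for 4624).
#
# Real data (requires process command-line auditing for 4688), for example:
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688,4624,1102 } ...
#   Get-WinEvent -FilterHashtable @{ LogName='System';   Id=7045 } ...

# CONSTRUCTED sample events for the demonstration
$events = @(
    [pscustomobject]@{ Id=4688; Computer='WS01'; Time='2021-06-01T09:02:11'; Account='CORP\alice';      Data='vssadmin.exe delete shadows /all /quiet' }
    [pscustomobject]@{ Id=4688; Computer='WS01'; Time='2021-06-01T09:02:12'; Account='CORP\alice';      Data='bcdedit.exe /set {default} recoveryenabled no' }
    [pscustomobject]@{ Id=4688; Computer='WS02'; Time='2021-06-01T09:05:40'; Account='CORP\bob';        Data='notepad.exe C:\Users\bob\notes.txt' }
    [pscustomobject]@{ Id=7045; Computer='WS03'; Time='2021-06-01T09:10:03'; Account='SYSTEM';          Data='C:\Users\Public\updater.exe' }
    [pscustomobject]@{ Id=7045; Computer='WS04'; Time='2021-06-01T09:11:00'; Account='SYSTEM';          Data='C:\Program Files\Backup Agent\agent.exe' }
    [pscustomobject]@{ Id=1102; Computer='DC01'; Time='2021-06-01T09:20:00'; Account='CORP\alice';      Data='The audit log was cleared' }
    [pscustomobject]@{ Id=4624; Computer='WS02'; Time='2021-06-01T09:30:01'; Account='CORP\svc-backup'; Data='10.0.0.5' }
    [pscustomobject]@{ Id=4624; Computer='WS03'; Time='2021-06-01T09:30:04'; Account='CORP\svc-backup'; Data='10.0.0.5' }
    [pscustomobject]@{ Id=4624; Computer='WS04'; Time='2021-06-01T09:30:09'; Account='CORP\svc-backup'; Data='10.0.0.5' }
    [pscustomobject]@{ Id=4624; Computer='WS05'; Time='2021-06-01T09:30:15'; Account='CORP\svc-backup'; Data='10.0.0.5' }
    [pscustomobject]@{ Id=4624; Computer='WS02'; Time='2021-06-01T10:00:00'; Account='CORP\bob';        Data='10.0.0.77' }
)

# Per-event rules: each scriptblock receives one event and returns $true on a match.
$rules = @(
    @{ Name = 'Shadow copy / recovery tampering'
       Test = { param($e) $e.Id -eq 4688 -and $e.Data -match 'vssadmin.*delete shadows|wmic.*shadowcopy delete|bcdedit.*recoveryenabled\s+no|wbadmin.*delete' } }
    @{ Name = 'Service installed from user-writable path'
       Test = { param($e) $e.Id -eq 7045 -and $e.Data -match '\\(Users|Temp|ProgramData)\\' } }
    @{ Name = 'Security audit log cleared'
       Test = { param($e) $e.Id -eq 1102 } }
)

function Invoke-RansomwareHunt {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$LateralHostThreshold = 3     # assumption: tune to your environment
    )
    $findings = foreach ($e in $Events) {
        foreach ($r in $rules) {
            if (& $r.Test $e) {
                [pscustomobject]@{ Rule = $r.Name; Computer = $e.Computer; Time = $e.Time; Account = $e.Account; Detail = $e.Data }
            }
        }
    }

    # Aggregate rule: one source address logging on to many distinct hosts. A single
    # 4624 is normal; the fan-out is what suggests lateral movement with stolen credentials.
    $lateral = $Events | Where-Object { $_.Id -eq 4624 } | Group-Object Data | ForEach-Object {
        $hosts = @($_.Group | Select-Object -ExpandProperty Computer -Unique)
        if ($hosts.Count -ge $LateralHostThreshold) {
            [pscustomobject]@{
                Rule     = 'One source authenticating to many hosts'
                Computer = ($hosts -join ',')
                Time     = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
                Account  = ($_.Group | Select-Object -ExpandProperty Account -Unique) -join ','
                Detail   = "source $($_.Name) -> $($hosts.Count) hosts"
            }
        }
    }

    @($findings) + @($lateral) | Sort-Object Time
}

Invoke-RansomwareHunt -Events $events | Format-Table -AutoSize
```

On the constructed data the hunt returns five findings: the two WS01 command lines, the WS03 service from `C:\Users\Public`, the cleared log on DC01, and the 10.0.0.5 fan-out to four hosts, while `notepad.exe`, the service under `Program Files` and bob's single logon are not flagged. On real data, tune the threshold against known scanners and management servers first, or they will dominate the output.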
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
June 10, 2021
By IANS Faculty