How to Respond to Ransomware Attacks

Despite the best defenses and ransomware prevention efforts, breaches are almost inevitable. As we all know, defenders have to be right 100% of the time, whereas attackers only have to be right once. It’s important to know how to detect and respond quickly to a ransomware attack to limit the damage and get back to business successfully.

Keys for information security teams to focus on here include:

1. Ransomware Detection

Ransomware attacks can be detected in various ways. Possible scenarios include, but are not limited to:

• Endpoint security software: This can be antivirus or a stronger endpoint detection and response (EDR) solution.
• Threat intelligence: This includes solutions that can scan systems and networks for indicators of compromise (IoCs) and identify lateral movement by tracking network behavior and data flows.
• DNS protecting solutions, such as OpenDNS and similar, to block malicious IP addresses and prevent ransomware from fetching its payload.
• SIEM or log reviews: Execution of ransomware is often detected from a log analysis process.
• Network detection sensors: Intrusion detection/prevention systems (IDS/IPS), unified threat management (UTM) firewalls or other network devices include tools and sensors that can detect propagation and lateral movement of ransomware.
• Threat hunting: This is mostly leveraged by larger organizations and focused on forensic analysis of various artifacts.
• Digital forensic investigation and incident response: If ransomware is suspected, forensic analysis can reveal potential compromise.

2. Ransomware Verification

When ransomware is suspected on a machine, it is critical to the security of the organization that certain verification steps be performed. However, it’s important to proceed with caution because more assets can easily become exposed.

WHAT NOT TO-DO

Never connect to the machine from the network with a privileged account, such as:

• Domain administrator/enterprise administrator accounts
• Backup operator/backup administrator accounts
• Any domain account with administrator rights on any other asset in the domain.
• Local administrator account, if the account is used for administering multiple assets with the same account name and password.
• Never run any files on the infected machine by double-clicking (even if a ransom note seems to be in TXT format, don’t open it by double-clicking).
• Never connect external media, such as local USB sticks, external hard drives, etc.
• Never connect any network drives.
• Never provide your account password after logging in with the local administrator password. Log in to the machine with a user unprivileged account (e.g., let users who report ransomware log in to their account) or log in with the local administrator password locally (not from the network). If there is no possibility to log in, as previously stated, disconnect the machine from the network (unplug the cable, disable access of the machine on the switch or access point) and log in with the local administrator account.

WHAT TO-DO

Some steps to take to verify whether a machine is corrupted with ransomware include:

Check for the presence of a ransomware note (wallpaper, note on the desktop, note in the directory with encrypted files, etc.). If a ransomware note is present, open it by:

• Opening Notepad by START-> Typing notepad and pressing ENTER.
• Opening the ransomware note in Notepad.
• If a ransomware note is not present, try to open the files by following similar steps using different extensions: pdf, docx, rtf and xlsx.
• If the files are encrypted, notice the filename (e.g., Document.docx.locked).
• If the ransomware presence is verified, disconnect the machine from the network, activate the incident response team and proceed with the containment.

3. Ransomware Containment

Malware is very harmful mainly because of its ability to spread throughout the network very quickly, causing damage in a very short period. The ransomware response strategy should be to isolate and contain the ransomware before it has a chance to proliferate. This can dramatically reduce potential damage.

Containment requires detection of all the infected hosts and/or hosts with ransomware-encrypted files. To do this:

• Scan systems with a security software or EDR solution for the presence of ransomware and or encrypted files:
• A company-wide antimalware scan should be initiated from a central anti-malware console.
• An EDR scan on the infected machines should be initiated to detect the presence of encrypted files (if the encrypted files have extension .locked, then search for *.locked files).
• Review the results of the anti-malware and EDR scans.
• Quarantine each identified infected machine. Disconnect them from the network by either shutting down the system, disconnecting a network cable cord, turning off the system’s port at the switch, utilizing network access control (NAC) to isolate or by activating a quarantine feature of your EDR solution.
• Re-scan the whole network periodically (at least every six hours) to uncover other infections.

4. Ransomware Eradication

Once the ransomware virus is detected and contained, the next step is to eradicate it from the network. Any affected machines should either be replaced or thoroughly cleaned and continuously monitored thereafter. To do this:

• Ensure the system is clean and functional.
• Restore the system, restore the backup, repair any damages and reinstall the OS if needed.
• Verify operational systems, and if needed, replace damaged systems.

5. Ransomware Recovery

Regular backups are critical for recovering from a ransomware attack. As part of the recovery process, a forensic investigation should be conducted to further identify sources of potential vulnerabilities as well as processes and policies that may need revision to prevent future attacks. To get on the road to recovery, consider:

• Securing evidence for forensic investigation.
• Doing a forensic analysis of the root cause and initial vector of compromise.
• Writing a forensic memorandum related to sensitive data manipulation and lessons learned.
• Securing the evidence for the forensics investigation should be done in a forensically sound manner that is acceptable by the law and gives reasonable assurance that it was not corrupted or destroyed during the investigative process. This is a very important component if legal proceedings are intended.

Ransomware Response Best Practices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint guide on defending against and responding to ransomware threats. It provides a ransomware response checklist that includes steps for:

• Detection and analysis, including determining and isolating impacted systems, powering down affected systems only if you are unable to disconnect them, triaging impacted systems, documenting an understanding of the situation and engaging internal and external teams.
• Containment and eradication, including collecting system images, memory captures, logs, malware binaries and IoCs; consulting federal law enforcement agencies for possible decryptors; researching trusted guidance for your particular ransomware variant; identifying initially breached systems (patient zero); containing any associated systems; performing server-side data encryption identification; examining security devices and their logs; conducting extended analysis to identify persistence mechanisms; rebuilding systems; issuing password reset for all affected systems and patching associated security gaps; and declaring the end of the ransomware incident.
• Recovery and post-incident activity, including reconnecting systems and restoring from backups; documenting lessons learned, and sharing lessons learned and IoCs with CISA and/or ISAC for the benefit of others.

Ransomware Guidance for InfoSec Teams

No information security team wants their organization to fall victim to ransomware. The following serve as guidance for InfoSec teams to help limit the damage.

• Documented escalation procedures in place. Escalation procedures to higher technical experts or external digital forensics/incident response company should be mapped to at least critical categories of incidents. It should be clear which types of incidents can be handled by internal security capacities and which types of incidents and what thresholds trigger the escalation to technical experts or forensics specialists. Also, procedures for escalation to higher management should be established for instances when designated personnel do not respond to an alert within a certain timeframe.
• A workable plan for incident communication. You should consider employing two separate roles: internal and external. Differentiation between incident response and incident handling should be made. Otherwise, it is possible too many responsibilities are assigned to a single incident manager to be handled effectively during a crisis. Ideally, internal communication within the IR team on the incident response efforts should have a technical leader (skilled in networking, log analysis, forensics, etc.) assigned who will be responsible for facilitating technical aspects of dealing with an incident and communication within the IR team. External communication on incident handling should have another leader assigned (skilled in communications and project management) who will be responsible for communication outside of the IR team (to executives, users, third parties, etc.) and taking notes.
• Isolate suspected threats quickly. When a ransomware attack is suspected, don’t underestimate the severity of the attack. Contain the threat by either disconnecting the system from the network or powering off the system if disconnecting cannot be done. Powering off may hinder the investigation efforts, but it will stop the malware’s action and prevent further spread. You should disconnect the whole network segment of the affected machine, and never connect to the infected machine with a privileged account because that could let the malware spread further with elevated privileges.
• Perform threat hunting after ransomware eradication and recovery. After an incident, a general good practice is to perform in-depth log analysis to detect ransomware IoCs and behavioral patterns in the infrastructure, mainly on your domain controllers, firewalls and security devices. In addition, endpoint and network threat hunting can be used to search for evidence of attacker tactics, techniques and procedures (TTPs) and IoCs. Also, consider performing targeted, clear dark web searches to uncover possible data leaks.

Businesses can recover well from ransomware or any other type of malicious attack if their technological maturity is matched by a strong cybersecurity posture. Without a fully operational technological skeleton, cybersecurity strategies do not have strong pillars to stand on. By following these response guidelines, your organization can both limit the damage of a ransomware attack and improve the chances of a fast recovery.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.