Ransomware: Prevention and Response Tactics

March 8, 2022 | By IANS Faculty

A good security program will not only have controls built in to prevent ransomware attacks, but also reactive controls in place to deal with ransomware after the fact. Security teams must have a solid plan in place that includes all stakeholders across the organization to be proactive in preventing and responding to today’s ransomware attacks. 

This piece explains some key preventive and detective controls for ransomware, as well as critical ransomware response techniques, financial considerations and stakeholder responsibilities necessary to mitigate ransomware’s effects across the organization. 

Preventive Controls for Ransomware Attacks 

This new age of ransomware attacks shines a light on a core, unsolved problem in many enterprises: unfettered lateral movement. To deploy ransomware effectively, attackers must know where critical resources are on the network. To know that, they have to map the network, which requires them to “move laterally” from one machine or server to another, often using credentials they have stolen from various machines across the network or obtained through phishing. This is why most ransomware and security strategies focus on curtailing lateral movement. 

Key controls to consider include: 

  • Inter-virtual LAN access control lists: These are critical to preventing lateral movement. There is no reason for one workstation subnet to talk Server Message Block, Remote Procedure Call or Remote Desktop Protocol to another workstation subnet. Obviously, there are exceptions to this (like help desk support), but those are just that—exceptions. 
  • Zero trust: This protects organizational assets and apps by eliminating transitive trust and continually identifying and authenticating every device, user and identity before granting access. Zero trust security architecture prevents lateral movement by preventing attackers from gaining access to systems and users that will help them advance, as well as cloaking the network to prevent mapping. 
  • Domain controller logs: Ransomware threat actors often target domain controllers to deploy their payloads. Monitor all logs, but be especially concerned about domain controller logs. You should always have application control in lockdown mode on a domain controller. Then, you can alert on any exceptions to application control and take immediate action. 
  • Backup system logging and alerting: Ransomware threat actors systematically search for and target online backups. Network segmentation will make getting there more difficult, but not impossible. Enable verbose monitoring and real-time alerting for any access that appears to be lateral movement. Just like domain controllers, backup systems are prime candidates for locked-down application control. 
  • Endpoint detection and response (EDR)/next-gen AV: EDR can be an effective control, because some EDR tools journal file system changes for a short period of time. This puts the EDR between the ransomware and any file encryption. The encryption process uses a limited number of API patterns—file contents are completely replaced by encrypted versions. When EDR detects this behavior, it can terminate the ransomware threads and replace the file contents with the originals (effectively, a rollback). Next-generation AV systems can be effective in neutralizing most ransomware variants as well. 
  • Phishing and social engineering prevention: Having an effective social engineering prevention program within the enterprise is important because many ransomware situations start with credentials compromised through phishing and social engineering.
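As an added illustration of the journaling-and-rollback behaviour described for EDR above (example code written for this page, not code from IANS or from any EDR product), the following Python script keeps a last-known-good copy of a watched file, uses a byte-entropy heuristic to tell an encryptor's whole-file rewrite from an ordinary edit, and restores the original when the heuristic fires. The entropy threshold, file names and contents are assumptions chosen for the demo.

```python
"""Added example (not IANS code): a toy EDR-style file journal.

It models the behaviour described above: keep a short-lived copy of each
file's last known-good contents, watch for a write that replaces the whole
file with high-entropy data (what an encryptor produces), and roll the
file back. The entropy threshold, file names and content are assumptions
chosen for the demo, not measurements from any product.
"""
import math
import os
import tempfile
from collections import Counter

# Assumption: plaintext documents sit well below 7 bits/byte; ciphertext is close to 8.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(old: bytes, new: bytes) -> bool:
    """Heuristic for an encryptor's write: the new contents are near-random and
    share no leading bytes with the journaled copy. Ordinary edits keep structure."""
    if not new:
        return False
    return shannon_entropy(new) >= ENTROPY_THRESHOLD and not new.startswith(old[:8])


class FileJournal:
    """Keeps the last known-good copy of each watched file (the 'journal')."""

    def __init__(self) -> None:
        self._last_good = {}  # path -> last known-good bytes

    def snapshot(self, path: str) -> None:
        with open(path, "rb") as f:
            self._last_good[path] = f.read()

    def check_and_rollback(self, path: str) -> bool:
        """Compare on-disk contents with the journaled copy. Returns True when the
        write looked like encryption and the file was restored; a benign edit
        simply advances the journal and returns False."""
        old = self._last_good.get(path)
        if old is None:
            return False
        with open(path, "rb") as f:
            new = f.read()
        if looks_encrypted(old, new):
            with open(path, "wb") as f:
                f.write(old)
            return True
        self._last_good[path] = new
        return False


def demo() -> dict:
    """Exercise the journal in a temp dir with a benign edit and then a
    simulated encryption (constructed input). Returns what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.txt")
        with open(path, "wb") as f:
            f.write(b"Quarterly report: revenue up 4%\n" * 20)
        journal = FileJournal()
        journal.snapshot(path)

        # 1. A legitimate edit appends a line; the journal should accept it.
        with open(path, "ab") as f:
            f.write(b"Addendum: figures audited.\n")
        results["benign_rolled_back"] = journal.check_and_rollback(path)

        # 2. Simulated encryptor: the whole file is replaced with random bytes.
        with open(path, "wb") as f:
            f.write(os.urandom(4096))
        results["encrypt_rolled_back"] = journal.check_and_rollback(path)
        with open(path, "rb") as f:
            results["restored"] = f.read().startswith(b"Quarterly report")
    return results


if __name__ == "__main__":
    print(demo())
```

Real EDR agents typically observe writes from a file-system filter driver in real time rather than by polling, but the decision is the same: random-looking contents that share nothing with the journaled copy. The benign-edit case shows why the journal must advance on normal writes, otherwise every save would look like an attack.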

Initial Signs of a Ransomware Attack 

Ransomware attacks often start with a phishing campaign. Attackers trick users into clicking malicious links or opening malware-laced attachments that enable them to compromise those users’ credentials and gain entry to the network. They then begin to search for ways to move laterally in the environment.  

Additional ransomware warning signs include: 

  • Users complaining that they cannot open files, or that files contain gibberish. 
  • Discovery of network scanner software on your network that cannot be traced to security or infrastructure ownership. 
  • Activity indicating Active Directory (AD) infiltration attempts. 
  • Detection of credential-harvesting tools, e.g., Mimikatz. 
  • Detection of anomalous activity on backup systems. 
  • An application outage due to an inability to read data. 

These are serious warning signs that should kick off a security incident response team (SIRT) response.
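To show how these warning signs (and the inter-VLAN and backup-access controls described earlier) can be turned into detection logic, here is an added Python example, written for this page and not IANS code, that runs a few rules over constructed log records: SMB/RPC/RDP flows between workstation subnets outside the help-desk exception, credential-dumping tools, network scanners not owned by security, and logons to the backup system from anywhere but the backup admin host. It then names the hosts that trip enough rules to warrant a SIRT response. The record schema, subnets, addresses, tool names and escalation threshold are all assumptions.

```python
"""Added example (not IANS code): triage rules over constructed log records.

Schema, subnets, addresses, tool names and the escalation threshold are
assumptions for the demo; map them onto your SIEM fields and inventory.
"""
import ipaddress
import json
from typing import Optional

# Assumed network inventory.
WORKSTATION_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]
HELPDESK_HOSTS = {"10.10.5.25"}        # the sanctioned inter-workstation exception
BACKUP_HOSTS = {"10.50.0.10"}
BACKUP_ADMIN_HOSTS = {"10.50.0.2"}      # the only host expected to log on to backups
SCANNER_OWNERS = {"10.20.0.5"}          # the security team's vulnerability scanner
LATERAL_PORTS = {135: "RPC", 445: "SMB", 3389: "RDP"}
CREDENTIAL_TOOLS = {"mimikatz.exe"}
SCANNER_TOOLS = {"nmap.exe", "masscan.exe"}

# Constructed records, one JSON object per line (not real telemetry).
LOG_LINES = [
    '{"type":"flow","src":"10.10.3.14","dst":"10.10.7.22","dport":445}',
    '{"type":"flow","src":"10.10.5.25","dst":"10.10.7.22","dport":3389}',
    '{"type":"flow","src":"10.10.3.14","dst":"10.30.1.5","dport":443}',
    '{"type":"process","host":"10.10.3.14","image":"C:\\\\Temp\\\\mimikatz.exe"}',
    '{"type":"process","host":"10.10.9.1","image":"C:\\\\Tools\\\\nmap.exe"}',
    '{"type":"process","host":"10.20.0.5","image":"C:\\\\Scanner\\\\nmap.exe"}',
    '{"type":"process","host":"10.10.9.1","image":"C:\\\\Office\\\\winword.exe"}',
    '{"type":"logon","src":"10.10.3.14","dst":"10.50.0.10","user":"svc_backup"}',
    '{"type":"logon","src":"10.50.0.2","dst":"10.50.0.10","user":"backupadmin"}',
]


def is_workstation(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_SUBNETS)


def basename(image: str) -> str:
    """Lower-cased file name from a Windows or POSIX image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(rec: dict) -> Optional[str]:
    """Return the name of the rule a record trips, or None."""
    kind = rec.get("type")
    if kind == "flow":
        # Workstation-to-workstation SMB/RPC/RDP is lateral movement unless it is help desk.
        if (rec["dport"] in LATERAL_PORTS
                and is_workstation(rec["src"]) and is_workstation(rec["dst"])
                and rec["src"] not in HELPDESK_HOSTS):
            return "lateral_movement"
    elif kind == "process":
        image = basename(rec["image"])
        if image in CREDENTIAL_TOOLS:
            return "credential_dumping"
        if image in SCANNER_TOOLS and rec["host"] not in SCANNER_OWNERS:
            return "unowned_scanner"
    elif kind == "logon":
        # Any logon to the backup system from a non-admin host is anomalous.
        if rec["dst"] in BACKUP_HOSTS and rec["src"] not in BACKUP_ADMIN_HOSTS:
            return "backup_anomaly"
    return None


def triage(lines) -> list:
    """Run every record through classify; return the alerts in log order."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        rule = classify(rec)
        if rule is not None:
            alerts.append({"rule": rule, "host": rec.get("src") or rec.get("host"), "record": rec})
    return alerts


def hosts_to_escalate(alerts, min_rules: int = 2) -> set:
    """Hosts tripping at least min_rules distinct rules are candidates for a SIRT response."""
    rules_by_host = {}
    for alert in alerts:
        rules_by_host.setdefault(alert["host"], set()).add(alert["rule"])
    return {host for host, rules in rules_by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = triage(LOG_LINES)
    for alert in found:
        print(alert["rule"], alert["host"])
    print("escalate:", sorted(hosts_to_escalate(found)))
```

Each rule on its own is noisy (a help-desk RDP session, an authorised scan); the escalation step is what separates a host that trips several independent signs, the pattern the list above describes, from a single false positive.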

Mitigate Ransomware Damage 

While it is impossible to define with precision the exact actions that must be taken in every situation, some activities can help reduce the attack footprint and/or minimize the damage of a ransomware attack (these are not necessarily in chronological order): 

  • Validate the incident: Before you take corrective action, it is critical to validate that an incident is, indeed, in progress and what is being observed is not a result of other unrelated factors. 
  • Activate the cyber insurance policy: Notify your cyber insurance provider and engage the services of an incident response firm (if that skill is not present in-house). Consider firming up these relationships in advance, so you have their full attention and are not dealing with contractual relationships in a moment of crisis. 
  • Isolate affected systems: Once the incident is validated, isolate all affected systems as soon as possible. This helps prevent the spread of the ransomware to unaffected systems. Complete network isolation is the most effective way to prevent the spread. 
  • Protect backup systems: For an attack like this to be fully effective, the attackers must encrypt the backups as well. It is critical to set your backup systems to read-only post-detection to prevent their encryption. 
  • Identify patient zero: Identifying patient zero is crucial to determining the attackers’ entry point and the initial actions they took. This may entail working with a professional forensics firm if that skill is not present in-house. 
  • Quarantine the malware: Quarantining of any detected malware is considered a better strategy than outright removal or deletion, because it preserves any forensic footprints for investigative purposes. If the malware is still running, take memory dumps prior to quarantine to create a full record of any malicious processes that may be running. 
  • Disable maintenance tasks: Regular maintenance tasks may overwrite information, such as log files and audit data. Consequently, it’s important to disable such tasks to prevent erasure of critical information that may be necessary for investigations. 
  • Identify the ransomware strain: Determining the specific strain of ransomware helps identify additional recovery options, such as whether it is possible to decrypt systems without paying the ransom. Your forensic or incident response investigator may offer some custom resources in this respect.
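For the quarantine step above, here is an added Python example, written for this page and not IANS code, of quarantining a suspect file in a way that keeps the forensic record: hash, size and timestamps are written to a manifest before the file is moved, the quarantined copy is made read-only, and a verify function re-hashes it later to show it was not altered. The paths and the sample payload are constructed for the demo.

```python
"""Added example (not IANS code): quarantine a suspect file without
destroying evidence. Hash, size and timestamps are recorded in a manifest
before the move so the chain of custody survives, and the copy can later be
checked for tampering. Paths and the sample payload are constructed."""
import hashlib
import json
import os
import shutil
import stat
import tempfile
import time


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(path: str, quarantine_dir: str, reason: str) -> dict:
    """Move path into quarantine_dir, strip write and execute bits, and append
    a manifest entry. Returns the manifest entry."""
    st = os.stat(path)
    entry = {
        "original_path": os.path.abspath(path),
        "sha256": sha256_of(path),
        "size": st.st_size,
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
        "reason": reason,
        "quarantined_at": time.time(),
    }
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, entry["sha256"] + ".quarantined")
    shutil.move(path, dest)        # rename where possible, so file metadata is kept
    os.chmod(dest, stat.S_IRUSR)   # owner read-only: no execute, no accidental edits
    entry["quarantine_path"] = dest
    with open(os.path.join(quarantine_dir, "manifest.jsonl"), "a", encoding="utf-8") as m:
        m.write(json.dumps(entry) + "\n")
    return entry


def verify(entry: dict) -> bool:
    """Re-hash the quarantined copy and compare with the recorded hash."""
    return sha256_of(entry["quarantine_path"]) == entry["sha256"]


SAMPLE = b"constructed sample payload, not real malware\n"


def demo() -> dict:
    """Quarantine a constructed file in a temp dir, then tamper with the copy
    to show that verify() catches it."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        suspect = os.path.join(d, "users", "alice", "invoice.exe")  # assumed path
        os.makedirs(os.path.dirname(suspect))
        with open(suspect, "wb") as f:
            f.write(SAMPLE)
        qdir = os.path.join(d, "quarantine")
        entry = quarantine(suspect, qdir, "EDR alert (constructed reason)")
        results["original_removed"] = not os.path.exists(suspect)
        results["copy_intact"] = verify(entry)
        with open(os.path.join(qdir, "manifest.jsonl"), encoding="utf-8") as m:
            results["manifest_lines"] = sum(1 for _ in m)
        # Simulate tampering: restore write permission and append a byte.
        os.chmod(entry["quarantine_path"], stat.S_IRUSR | stat.S_IWUSR)
        with open(entry["quarantine_path"], "ab") as f:
            f.write(b"x")
        results["tamper_detected"] = not verify(entry)
    return results


if __name__ == "__main__":
    print(demo())
```

The manifest is what makes the difference between quarantine and deletion: the investigator can still answer where the file was, when it was last modified and what its hash was, even after the system is rebuilt. Memory dumps of any still-running process, as the text recommends, should be taken before the file is moved.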

Financial Aspects of a Ransomware Attack 

At the center of every ransomware event is the question of whether to pay the ransom. The following questions can help guide the decision: 

  • Is restoration of data possible without paying the ransom? 
  • What is the cost of restoration? 
  • When does restoration of data no longer matter? 
  • How do we measure the impact of data release post-extortion? 
  • How do we evaluate the potential implications (legal and reputational) of paying the ransom? 


We advise partnership with your legal department and law enforcement. Any engagement with threat actors should be done in collaboration with them and your incident response firm. 

It’s important to note that recovering from ransomware requires additional investment beyond what the ransomware threat actor demands. You may need to rebuild systems and deploy additional security controls in the future. It is considered a best practice to rebuild, when possible, to ensure a malware-free system. 

Company Response to a Ransomware Attack 

Here is a list of key stakeholders and their respective responsibilities during a ransomware event. 

Executive team 

  • Ensure resources, funding, budgeting and staffing for effective proactive and reactive controls 
  • Participate in ransomware-focused tabletop exercises 

Security 

  • SIRT ownership 
  • Investigate attacks 
  • Deploy proactive and reactive controls 
  • Establish relationship with incident response firms 

Compliance and/or internal audit 

  • Test ransomware-related controls 

Infrastructure 

  • Manage backup systems 
  • Restore from backups where that is the appropriate recovery path 
  • Isolate affected systems and preserve evidence 
  • Rebuild affected systems 

Legal 

  • Manage cybersecurity insurance and policy limits 
  • Hire external law firms that may aid in handling ransomware attacks 
  • Coordinate with law enforcement 

Marketing 

  • Manage external communications 
  • Manage media 
  • Hire crisis communications firms 

Responding to a Ransomware Attack 

Handling ransomware properly is a daunting challenge. To increase your chances of success, focus on the following: 

  • Solve the problem before it happens by deploying proactive controls that protect your enterprise from ransomware. This includes controls that prevent lateral movement, training the enterprise on phishing and social engineering, and implementing zero trust. 
  • Develop muscle memory through ransomware tabletop exercises for executives and the SIRT team. 
  • Ensure you have the right skills and expertise to handle a ransomware attack in progress. Establish proactive partnerships with incident responders and ensure they are approved by your cybersecurity insurance. Also, establish proactive partnerships with all stakeholders in the enterprise needed to successfully handle a ransomware incident. 
