How to Build a 5-Step IR Process for Ransomware

June 13, 2023 | By IANS Faculty

Responding to ransomware requires a good deal of planning and hands-on expertise. This piece explains the main issues to address in responding to a ransomware incident and provides five key steps that can be customized to your specific environment and business.

Steps to Build an IR Process for Ransomware 

The steps below outline a fundamental process for responding to ransomware. However, many different ransomware families are in use today, and a specific response should always take both the malware involved and your organization’s specific needs into account. This piece is intended as a general starting point for any incident response team or security operations center team creating a formal incident response plan for a ransomware incident.

1. Prepare for a Ransomware Attack 

Preparing for a ransomware attack is key to a successful response. To ensure you are as prepared as possible for a potential ransomware incident, focus on:

  • Backups: If your data gets wiped out by ransomware, nothing will save you like good backups. Specific to weathering a ransomware attack, backups should be isolated from the systems they back up. They should also be indexed over time so they can be restored from a specific date/time based on when a ransomware attack first compromised its target. It’s also a good idea to independently test the files being backed up from time to time. This helps ensure the files being backed up are not encrypted or otherwise unusable.
  • Business continuity and disaster recovery (BCDR): Ensure all high-priority business applications are considered in a BCDR plan. If an application isn’t available, how can the business proceed?
  • Threat intelligence: Maintain up-to-date threat intelligence information at all times. Many ransomware incidents can be thwarted simply through sharing decryption keys and tools among the information security community. Whether the threat intelligence function is internally staffed or outsourced, it is often helpful to have a deep technical understanding of:
    • Currently-in-use ransomware software tools and how they work.
    • How data can be decrypted.
    • Which industry sectors are being targeted.
    • What actions are common for any specific threat actor groups, and so on.
  • Insurance: Cybersecurity insurance providers can be enormously helpful during ransomware incidents. Many are prepared and experienced at engaging with the threat actors, negotiating terms and conditions, and even decrypting affected data. As one might expect, there is a wide range of such capabilities among insurance providers, so finding the right provider prior to an actual incident is key to success.
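Two of the backup properties above lend themselves to automation: spot-checking that backed-up files are not already encrypted, and choosing a restore point that predates the compromise. The following is an added example, not code from IANS or the original post; the file contents, names and snapshot times are constructed sample data, and the magic-byte table and entropy threshold are assumptions a team would tune for its own file types.

```python
"""Added example (not IANS' code): spot-check backup files for signs of
ransomware encryption and pick the newest snapshot taken before the
compromise time. All file contents, names and timestamps below are
constructed sample data."""
import math
from collections import Counter
from datetime import datetime, timedelta

# Header bytes a few common document types are expected to start with
# (assumed table; extend for the formats your backups actually hold).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """Flag a backed-up file whose header no longer matches its extension
    or whose content is near-random. Compressed formats (docx/xlsx/png)
    are high-entropy by nature, so the header check does the work there;
    for plain text the entropy check does."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = MAGIC.get(ext)
    if expected is not None:
        return not data.startswith(expected)
    return shannon_entropy(data[:4096]) > threshold


def spot_check_backup(files: dict) -> list:
    """Return the names of files in a backup set that appear encrypted."""
    return sorted(n for n, d in files.items() if looks_encrypted(n, d))


def select_restore_point(snapshots: list, compromise_time: datetime,
                         margin: timedelta = timedelta(hours=1)):
    """Pick the newest snapshot taken at least `margin` before the earliest
    known compromise time (erring on the safe side). None if no snapshot
    predates the compromise."""
    cutoff = compromise_time - margin
    candidates = [s for s in snapshots if s <= cutoff]
    return max(candidates) if candidates else None


# Constructed backup set: two healthy files and two that ransomware has
# overwritten (PDF header gone, plaintext replaced by random-looking bytes).
SAMPLE_BACKUP = {
    "q2-report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj << /Type /Catalog >>",
    "notes.txt": b"Meeting notes: migrate file server, test restores monthly.\n" * 20,
    "invoice.pdf": bytes(range(256)) * 4,   # header lost, uniform byte mix
    "payroll.txt": bytes(range(256)) * 8,   # no plaintext structure left
}
# Constructed nightly snapshot index: 02:00 on 10-13 June 2023.
SAMPLE_SNAPSHOTS = [datetime(2023, 6, 10, 2, 0) + timedelta(days=i) for i in range(4)]


def restore_point_for(compromise_iso: str):
    """Convenience wrapper over the constructed snapshot index; returns the
    chosen snapshot as an ISO string or None."""
    chosen = select_restore_point(SAMPLE_SNAPSHOTS, datetime.fromisoformat(compromise_iso))
    return chosen.isoformat() if chosen else None


if __name__ == "__main__":
    print("suspect files:", spot_check_backup(SAMPLE_BACKUP))
    print("restore from:", restore_point_for("2023-06-12T09:30:00"))
```

Run it on a sample of each backup set rather than every file, and keep the check on a host that has read-only access to the backup store, so the verification job itself cannot become a path for the ransomware to reach the backups.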

2. Detect a Ransomware Attack 

Many early warning signs of ransomware attacks may be detected before widespread damage is done. Some items to assess include:

  • Signature (or other) detection of ransomware: If your adversary is using “off the shelf” ransomware, it’s quite possible you’ll be able to identify the ransomware at the time of initial infection and before damage becomes more widespread. That comes down to keeping defenses up to date and monitoring those defense systems extensively.
  • Anomalous file input/output (I/O) activity: Most ransomware damages the files available to affected users. The type of damage depends on the specific ransomware being used, but it is likely all files available for read and write to the user will be encrypted. This encryption takes time and requires a significant amount of file I/O. Behavioral monitoring tools that look for step changes in statistical usage patterns can be early warning systems for such activity. Depending on the number and size of the files, this step may only take an hour or so, so it is important to respond quickly. Of course, it is often the case that affected organizations miss these early signs and only realize they’ve been affected when the ransomware detonates.
  • Isolate and contain: As soon as possible after a ransomware infection is confirmed, try to isolate and contain the affected systems. This may or may not be feasible, and it may be more complicated than just powering down or disconnecting a network cable. For example, if the ransomware itself is on a mail server, it is entirely possible that new infections will take place, especially if you haven’t yet determined the source of infection. Still, if possible:
    • Isolate the systems affected.
    • Prevent them from accessing backups, file servers and so on.

There will still be much work to be done, but this step may well reduce the amount of damage done.
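The anomalous file I/O signal described above can be checked with a simple step-change detector over file server audit events: count write-type operations per user per minute and compare each minute with the median of that user's recent minutes. The following is an added example, not code from IANS or the original post; the log format (`timestamp user operation path`), the thresholds and the sample events are all constructed. Its earliest alert also gives a first estimate of the infection time that step 3 asks for.

```python
"""Added example (not IANS' code): detect the burst of file writes and
renames that mass encryption produces, using per-minute counts compared
against a rolling per-user baseline. The audit log lines are constructed
samples in a hypothetical 'timestamp user op path' format."""
from collections import defaultdict
from datetime import datetime
from statistics import median

WRITE_OPS = {"WRITE", "RENAME", "DELETE"}


def parse_line(line: str):
    """Parse one constructed audit line, e.g.
    '2023-06-12T09:31:07 jdoe RENAME \\\\fs01\\finance\\budget.xlsx.locked'."""
    ts, user, op, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, op, path


def ops_per_minute(lines):
    """Count write-type operations per (user, minute)."""
    counts = defaultdict(int)
    for line in lines:
        ts, user, op, _ = parse_line(line)
        if op in WRITE_OPS:
            counts[(user, ts.replace(second=0, microsecond=0))] += 1
    return counts


def detect_step_change(lines, baseline_minutes=5, factor=10, min_ops=50):
    """Flag (user, minute, count) where count is at least `factor` times the
    median of that user's preceding `baseline_minutes` active minutes and at
    least `min_ops`. The median keeps an ongoing burst from inflating its
    own baseline. Results are sorted by time, so the first entry is the
    earliest suspicious minute. A user with no prior minutes is judged on
    `min_ops` alone (assumed policy; the log may simply start there)."""
    counts = ops_per_minute(lines)
    by_user = defaultdict(list)
    for (user, minute), n in counts.items():
        by_user[user].append((minute, n))
    alerts = []
    for user, series in by_user.items():
        series.sort()
        for i, (minute, n) in enumerate(series):
            window = [c for _, c in series[max(0, i - baseline_minutes):i]]
            baseline = median(window) if window else 1.0
            if n >= min_ops and n >= factor * baseline:
                alerts.append((user, minute, n))
    return sorted(alerts, key=lambda a: a[1])


def earliest_alert(lines):
    """(user, minute as ISO string, count) of the first alert, or None."""
    alerts = detect_step_change(lines)
    if not alerts:
        return None
    user, minute, n = alerts[0]
    return user, minute.isoformat(), n


def _constructed_log():
    """Build sample audit lines: two users saving documents normally from
    09:00 to 09:09, then one of them renaming hundreds of files to .locked
    at 09:31 and 09:32."""
    lines = []
    for m in range(10):
        for k in range(3):
            lines.append(f"2023-06-12T09:{m:02d}:{10 + k * 15:02d} jdoe WRITE \\\\fs01\\finance\\doc{m}{k}.docx")
        for k in range(2):
            lines.append(f"2023-06-12T09:{m:02d}:{20 + k * 20:02d} asmith WRITE \\\\fs01\\hr\\memo{m}{k}.docx")
    for m, n in ((31, 120), (32, 150)):
        for k in range(n):
            lines.append(f"2023-06-12T09:{m:02d}:{k % 60:02d} jdoe RENAME \\\\fs01\\finance\\file{k}.xlsx.locked")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for user, minute, n in detect_step_change(SAMPLE_LOG):
        print(f"{minute:%Y-%m-%d %H:%M} {user}: {n} write/rename ops")
```

In practice the per-user baseline should be learned over days, not minutes, and the alert should trigger the containment actions listed above (block the account's access to shares and backups) rather than only a ticket, since the whole encryption run can finish within an hour.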

3. Gather Critical Information and Do a Preliminary Analysis 

During the initial response process, numerous key pieces of information should be collected, if possible. They include:

  • Date and time of initial infection: Scour all available system logs to find as precisely as possible the time and date of the infection. This single data point is vital in developing a course of action for restoring data. If in doubt, err on the safe side and assume the longest period supported by the available data.
  • Method of infection: Do all you can to find out how the ransomware got through in the first place. Was it human error, where someone clicked on an attachment in an email or a link within a malicious website? Whatever the case, you’ll want to know what defense failed and what defense needs to be improved in the future.
  • Scope and magnitude of the problem: Which systems are affected by the ransomware? Is it on file shares, laptops or other mobile devices, home computers, business applications, desktops, etc.? Strive to be as thorough in your damage assessment as you can.
  • Business impact: Assuming some or all affected systems will be unavailable for the duration of your response operation, what is the business impact to the company?


4. Develop a Course of Action 

After collecting as much information as possible, the next thing to consider is the specific course of action to take. This includes:

  • Business continuity: First and foremost, what steps should be taken to reduce the negative impact to the business?
  • Insurance: If you have cybersecurity insurance, consider including the provider in your course of action. It may be able to help in significant ways. But, as above, that depends on your insurance provider and the services it offers.
  • Threat intelligence: Your threat intelligence may be helpful in deciding your recovery plan. It could be the case, for example, the malware used to attack you or the people attacking you is known to the threat intelligence community. If there are feasible ways to decrypt your data without the need for even talking with your attackers, that’s a win for all.
  • Community support: Consider talking with the incident response community, such as through the global Forum of Incident Response and Security Teams (FIRST) or through your industry's ISAC (Information Sharing and Analysis Center). In these communities, you may find other responders who have dealt with the same malware or threat actors and are willing to provide their insights and lessons learned.
  • Pay or not: Last, but certainly not least, is the question of whether to pay your attackers. My advice is to not pay, unless all possible other options have been exhausted, and exhausted some more.

5. Restore Data and Return to the Production State 

The final stage of ransomware response is restoring the damaged data and getting all affected systems back into a production state. This includes:

  • Getting sign-off from data owners: With luck, you’ll be restoring the data from your backups, based on the specific time and date the ransomware compromise first took place. You’ll then need to let the data owners know what was restored and from what time/date. There is always the possibility the data owners will have lost some amount of work; if your response has been successful, that loss will be minimal. But perhaps you’ll have to restore from older backups, or your backups were also attacked by the ransomware, or the data was stored on a device that wasn’t backed up at all. In any event, the data owners need to know explicitly what has been restored and what has not, and before a system is considered back in production, the business owners need to sign off on the data to validate what has been restored and what has been lost.
  • Fixing the underlying cause: Another vital part of the return to production should be to address the underlying means of infection the malware was able to exploit. Perhaps that was human error, or perhaps the ransomware was able to exploit a security defect to compromise some or all the impacted systems. Either way, take a critical view of the means of compromise and attempt to prevent recurrence or at least to be able to detect a recurrence more quickly.

Best Practices for Ransomware Preparation 

Preparing for handling a crisis is time-consuming, but worth the effort if/when disaster strikes. To ensure your plan is as successful as possible:

  • Focus on learning how to handle a disaster like ransomware: After all, learning to do this during a disaster results in two disasters. The steps provided here are just the first steps to take. Fill in specific details regarding your own business computing environment, incident response plan, business continuity plan, cybersecurity insurance and so on.
  • Drill, drill, drill: This means training to learn how to prepare for and recover from ransomware, practicing that skill set to ensure you get it right, and drill-drill-drilling that skill set to ensure you never get it wrong.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
