Ransomware Response
Responding to ransomware, means following tried and tested incident response procedures. Incident response is usually broken down into 4 key stages.
STAGE 1 PREPARATION
This includes all the advice in last week’s security bulletin. The aim is to create defence in depth; training, least privilege, physical security, email filtering, patching, using antivirus or advanced ransomware protection, intrusion detections and prevention systems. This stage is also about having plans and documentation in place to help you deal with a ransomware attack - such as:
​
-
Who has responsibility for what
-
How will we classify the severity of the attack
-
What methodology will be used to deal with the incident (e.g. NIST.SP.800-61r2 or SANS Incident Handlers handbook)
-
What is the communication strategy to convey important messages internally and externally
-
What are our agreed procedures to keep the show on the road if we lose key systems
-
What systems need to be recovered first and how will we go about it
​​
If this sounds alien, please feel free to download our ‘Creating an Incident Response Policy’ document here.
​
Finally, it is about network managers getting to know how the network is configured and what normal network behaviour looks like. Without this baselining, it will be very hard to find anomalies activities and malicious alterations.
​
STEP 2: DETECTION & ANALYSIS
You will know that you’ve been hit with ransomware as soon as you fire up a computer and see a splash screen detailing how to pay a ransom. Alternatively, you might come across the encrypted files and payment instructions in every folder on your network.
It is important to make sure that staff report a ransomware attack as quickly as possible because time is of the essence, especially if the program or the attacker has not yet managed to compromise all your
critical systems. This means staff need to know how to report and must feel comfortable doing so, even if they have unintentionally facilitated the attack.
Determining the type of infection means uploading an infected sample. This can be done at nomoreransom and id-ransomware. You should also try and determine the scope of infection by looking at mapped drives and folders, shared storage devices and even connected online accounts – as some ransomware variants can spread to the cloud. Ransomware usually attacks backups first and then files with the most recent access dates.
Keep an eye out for any evidence on how the initial infection was caused - as we have already noted, this is usually because of a phishing email, an employee visiting a malicious website, an infected USB drive being plugged into the network, RDP and poor patch management of some public facing server.
Keep an eye out for rogue accounts and any amendments to auto-start configurations. Your anti-virus, firewall, DNS, IDS and Window Event Logs, are go-to sources. Police cyber teams can also help you identify the source of an infection, which is why it’s a good idea to call them and report problems to Action Fraud.
STEP 3: CONTAINMENT, ERADICATION & RECOVERY
Your initial investigations, will suggest what sort of containment strategies you should start implementing.
Containment usually means:
-
Restricting internet connections to critical devices.
-
Isolating infected systems from the network, by pulling cables or disconnecting the wireless
-
Taking shared drives offline, especially the backup which you should immediately isolate and scan.
-
You might have to purge the mail server or block access to a malicious website, so it is important to know how to do both in a heartbeat.
​
Surprisingly, one of the most important tasks to perform as soon as possible, is to start documenting actions that the organisation is taking. This documentation is useful because
​
-
It clarifies your thoughts and helps you to determine the most logical steps to take next
-
You may need such evidence for insurance purposes, criminal proceedings and to demonstrate due care and diligence
-
Critical activities - such as the post review - will be more effective if there is a chronological account of what happened.
-
It will serve as a useful guide when dealing with future attacks.
ERADICTION:
Solutions differ, for example, you might need to
-
Flatten and rebuild, or
-
Run systems in safe mode to roll back to a previous state (this will not decrypt files)
-
It might also involve running an updated antivirus package or even a completely different antivirus package to clean house.
-
Be sure to suspend until further review any applications or services which facilitated the infection in the first place
RECOVERY:
Solutions can also vary considerably. Screen locker ransomware can be removed by restarting in safe mode, running antimalware and then a product such as Trend Micro Screen Unlocker.
​
Solutions are harder for other ransomware types. Some network teams may be forced to use well known decryptors and free software for recovering deleted files. Two reputable sites to get you going include ‘No More Ransom’ and ‘KnowBe4’.
You should only restore from a backup if you are very confident that the backup and the device you're connecting it to are clean.
After that, start connecting devices in order to download, install and update the operating systems as well as other software. Then reconnect to your network and monitor network traffic - running antivirus scans periodically to identify if the infection is still there.
Hopefully, this is starting to highlight the importance of practicing different incident response scenarios. This can be done though table top exercising, where you simulate that the company is under attack.
These exercises are extremely effective and it will help the network team because they will have a much better idea of:
-
Where to look for problems
-
What actions will have to be taken, and in what order.
-
They will also start to develop check lists that can be used in a real crisis. Every checklist written is worth its weight in gold.
It’s not just the network team that need to put their thinking caps on either, C-Suite also have to figure out how to keep the business running when IT systems go down.
STEP 4: POST INCIDENT RECOVERY
Always take the time, to review what has happened and how the organisation responded. For example:
​
-
What went well and what can be improved upon?
-
How were we compromised?
-
Did we have visibility into the problem?
-
What unanticipated obstacles and issues were encountered?
-
How can we adapt and move forward?
​​
Such reflection is sure to improve your defences and response strategies against any future attack.