Ransomware is malicious malware that encrypts a victim’s files and then demands a ransom to restore access to the files. These attacks have become more and more popular in the recent years and ransomware incident response is essential. There are several ways in which ransomware can gain access to a computer.
One of the most common ways is when the attacker sends phishing emails with a link or file attached to unknowing users. Many times, the emails look to be legitimate and from a trusted sender. When the user clicks on the link, the malware is downloaded and can then take over the victim’s computer.
More aggressive forms of ransomware, like Notpetyta or Ryuk, are rapidly propagating malware that exploits security holes to infect the computer without tricking the users, giving hackers free rein to remotely run their own code. Once the files are encrypted, they cannot be decrypted unless the attacker agrees to give the key in exchange for a ransom. Ryuk primarily targets enterprise environments with the signature on their ransoms “No system is safe” but universities, small businesses and non-profits are equally at risk as they often have smaller security teams and perhaps not as strong a defense.
All companies must be prepared to anticipate and defend against such attacks. We offer here our advice and guidance to help with that planning.
Step 1: Preparation
It is very important that systems are prepared in advance in anticipation of a malicious or ransomware attack. First, prioritize the most valuable data for the organization and assure it is stored in a trusted backup. Test and assure that the data can be re-installed from these backups which are often in the cloud, and that the backups are tested frequently. Early detection is a critical component, scan systems regularly to detect and vulnerabilities early. Plan for incident response support in advance by contacting reputable vendors.
Step 2: Detection
It is important to constantly monitor systems to determine if an attack has taken place. Poll employees to understand if any have received any unusual emails, in particular, a ransomware note from an unknown source. Be sure to monitor both automatic and manual detection channels, customer and staff channels, and social media for any indications of a data breach or compromise. If there has been indication of ransomware, try to identify the source of the ransomware email and extract all relevant information such as the source IP and the MD5 hash of any file present in the email. Forward the uncategorized malicious URL, hash, domain names and IP addresses to the perimetric security provider.
Step 3: Containment
To prevent any further malicious activity, affected systems should be quarantined and removed from the network where possible, or at a minimum, applying access controls to isolate them from production networks. Affected systems can be isolated by disabling the network switch port that the infected systems are connected to. Assure as well that the systems backups are well secured. Suspend the login credentials for the suspected login accounts. Block the sender and IP addresses of the malicious sender by marking it as spam to help contain the attack. Block access to any identified Remote Access Tools (RAT) to prevent communication with command and control servers, websites and exploited applications. If required, sinkhole the domain on internal DNS servers.
Step 4: Eradication
First, use a malware tool to remove the malware from the system. Next, complete an automated or manual removal process to eradicate any ransomware or compromised executables using appropriate tools. Any compromised account details must be changed immediately. Also, continue to monitor for signatures and other indicators of compromise to prevent the ransomware attack from re-emerging. Removing all ransomware related malicious software and tools installed by the attacker will be helpful in eradicating the ransomware.
Step 5: Recovery
For recovery, the first steps are to re-image the system from scratch and to recover the system from a trusted back up. Restore any of the suspended services in the system. If required, complete vulnerability scanning of all systems. Also, co-ordinate the implementation of any necessary patches or vulnerability remediation activities.
Step 6: Lessons Learned
Ensure that all of the files in the system are well protected and stored in a secure place. If ransomware was found coming from a phishing email, track the sender and message by marking the source as spam. Install anti-malware software to make sure that the malware is detected even before it affects the systems. Ensure that there are proper patch management and vulnerability policies in place and being practiced. If required, update the current incident response plan. Make sure that all the ports in the network are closed. Deploy a SIEM for critical subnets for detailed security analytics monitoring.
Free tools to Defend against ransomware attack
To quickly detect, analyze and respond to ransomware, DTonomy has collected a list of free tools to help you defend ransomware from five different aspects.
1. detect ransomware attack
2. decrypt ransomware
3. classify ransomware
4. clean up encrypted files and ransomware notes
5. monitor post-compromise ransomware activity.
Please visit here for more details.
Ransomware is increasing every day and the stakes are high. DTonomy’s AI-based security analysis platform, automated playbooks, and our deep security expertise can assist with incident response and remediation in the event of a ransomware attack. Request a demo today here or sign up for free.
