A Complete Roadmap for Tackling a Ransomware Incident
Blog Article Published: 05/09/2023
Written by David Balaban.
Ransomware continues to keep enterprises and governments on their toes. The unscrupulous operators of notorious strains such as LockBit, Clop, ALPHV/BlackCat, and Conti are increasingly adept at infiltrating networks and raiding them via two-step extortion that combines encryption and the theft of valuable files. Victims who refuse to buy a decryption key from crooks ultimately face the scourge of data leaks, which adds additional pressure to each predicament.
As this cybercrime model evolves, the ransoms are reaching jaw-dropping heights. Last year, the Russia-based Conti gang struck the Costa Rican government, locking down and exfiltrating about 850 gigabytes of confidential data. This disrupted the country’s tax and customs systems as well as foreign trade and civil servant payroll. The threat actors demanded a whopping $20 million for decryption and non-disclosure of the information. After Costa Rica rejected this ultimatum, Conti leaked half of the stolen data on their extortion site.
Incidents like this demonstrate how high the stakes are these days. Crude implementation of remote work, rudimentary data backup practices, and a lack of a clear-cut incident response plan – all these blunders are very likely to backfire on businesses at some point.
Let’s imagine you discover an issue with one of your servers, open up the admin pane to diagnose it, and see a terrifying message that says something along the lines of “Warning! Your data has been encrypted!” What are you going to do?
Early response best practices
Many network admins try to sort out the problem on their own. They reboot the affected device and run a virus scan to pinpoint and remove the malicious program. If the ransom is affordable, they may try their luck and pay it, anticipating prompt decryption. This tactic often complicates things instead of facilitating recovery, though. To minimize the damage or even emerge unscathed, it is recommended to stick to the following procedure:
- Detection. The staff member who spotted the attack reports it to the IT department at once.
- Analysis. Tech professionals determine what ransomware species they are dealing with, how it gained a foothold in the network, how many devices it has plagued, and what mechanisms it is using to propagate inside the corporate environment.
- Containment. Security employees isolate the infected machines from the rest of the infrastructure and step up the protection of untainted endpoints by patching vulnerabilities found during the initial investigation.
- Recovery. At this point, data is restored from backups, and the normal operation of servers is resumed.
- Keeping all parties informed. Technical personnel need to make sure that business stakeholders and partners are aware of the incident response progress and the possible risks to the company’s digital assets.
End-user’s course of action after identifying a ransomware incursion
Ransomware distributors often target specific employees via phishing emails that contain a dangerous payload. The details of the original infection can give tech experts actionable insights into the ways to safeguard unaffected devices.
Therefore, the user who was hoodwinked into making a mistake can provide valuable information to avert the further spread of the peril. The success of an organization’s recovery efforts is largely a matter of the following dos and don’ts on that person’s end.
- Stay calm. Don’t let panic throw a spanner in the works. Be organized and do everything quickly.
- Bring the contaminated endpoint offline. It is hugely important to disconnect it from the network, but without turning it off.
- Gather evidence. Take a picture of the ransom alert and several encrypted files using your smartphone.
- Determine how you made a mistake. Answer the following questions to find out what caused the infection:
- Did the computer or the running applications exhibit strange behavior before the attack?
- What were you doing prior to the onset of the first symptoms of compromise? Maybe you were working with external storage media or a Microsoft Office document, answering an email, or accessing network shares. Be sure to recall this information.
- How did the ransomware manifest itself from the get-go?
- What type of connection were you using at the time of infection – corporate network, public Wi-Fi, home network, or VPN?
- What version of the operating system is installed on your machine? When did the last OS update take place?
- What extensions have been appended to the scrambled files?
- Did any weird HTML or TXT files appear inside encrypted folders? If so, what are their names?
- What user account were you signed into?
- What data do you have permission to access?
- Whom did you notify about the incident and how?
- Reach out to the IT team. Tell your colleagues everything you know about what happened. Keep in mind that there is no harm in admitting a slip-up.
Security employees’ positive attitudes and friendly tone during the interrogation are important. Otherwise, the user may get nervous and give them inaccurate answers. This may eventually skew the big picture and obstruct the investigation.
Figuring out what ransomware strain hit your network is paramount. It will shine a light on the applicable data recovery techniques. The following information will help identify the lineage so that you can make informed decisions on what to do next:
- Screenshots of any pop-up alerts and the desktop background that conveys the ransom warning.
- Documents in HTML or TXT format that list the extortionists’ demands along with the steps to buy the decryption tool.
- Contact information, such as email addresses or messenger IDs that are mentioned in ransom notes.
- The type of cryptocurrency that the adversaries accept (Bitcoin, Ethereum, Monero, etc.) and the receiving wallet addresses.
- Extensions affixed to no-longer-accessible files (for instance, .djvu, .babyk, .7z, .makop, .prolock).
- The original formats of the files that underwent unauthorized encryption.
- The type of user account that was mishandled to execute the attack.
To take a shortcut, consider using the ID Ransomware service. It identifies the ransomware family based on a sample encrypted file or the ransom manual you upload to it. Well-known resources called Hybrid Analysis and VirusTotal can further refine the results of your research.
Having found out what ransomware has cropped up in your network, collect additional indicators of compromise (IOCs), including binaries, file hashes, suspicious network connections, as well as information about malicious actors’ Command and Control server.
As part of the investigation, figure out the original ransomware entry point. This will help you close security gaps on other devices on your network. The following attack vectors dominate the present-day threat landscape:
- Documented or zero-day software vulnerabilities.
- Inadequately secured RDP connections.
- Phishing emails with dangerous attachments and links.
- Unsecured network directories.
- The use of Trojans that open backdoors or download and execute second-stage payloads.
Once inside, some ransomware programs propagate across the target environment automatically, while some are deployed manually. The latter scenario occurs when crooks exploit an organization’s remote desktop services and execute commands as if they were local users.
One more stage of the research is to gauge the scope of the affected digital assets. Commonplace network monitoring solutions and antimalware tools can scan the network and pinpoint specific infected servers and computers.
By using proxy servers and firewalls, you can spot the processes that are trying to establish connections with attackers’ servers. A security information and event management (SIEM) platform can come in handy, too. It quickly examines a slew of events and allows you to set monitoring rules to identify all the infiltrated devices. Also, no matter what skeptics say, traditional antiviruses are fairly effective in detecting cyber threats through signature-based and behavioral analysis.
Determining what data has been crippled is on your to-do list as well. Ransom Trojans that target organizations usually affect user files, configuration files, and Database Management System (DBMS) items. Tools that control operating systems’ integrity or analyze metadata can automate the process of creating an inventory of all the mutilated information.
Importantly, company management should assess the financial losses caused by the incident. This is a prerequisite for making further decisions geared toward maintaining business continuity.
Minimizing the attack surface
When handling the aftermath of the breach, a priority task is to stop the lateral movement of harmful code to make sure that the predicament doesn’t get worse. A disaster recovery plan helps address this challenge. It specifies a well-balanced allocation of resources to keep critical business areas intact. In most cases, this activity boils down to isolating the ransomware-riddled devices from other segments of the network.
Getting back on track
Don’t begin restoring your IT ecosystem until you make doubly sure that the ransomware is no longer there. Otherwise, it may re-infect multiple computers and you will have to start over. IT folks need to know the location of the most recent data backups and have a complete toolkit plus enough expertise to recover the data.
In case backups are missing or inaccessible, a few alternative techniques are worth a shot:
- Try digital forensics tools. In some situations, such software can extract unencrypted versions of files by leveraging the Shadow Copy technology or more sophisticated recovery mechanisms.
- Search for a free decryption tool. Researchers have created decryptors for dozens of widespread ransomware lineages over the years. By uploading your sample to the ID Ransomware portal mentioned above, you can find out if its crypto can be cracked this way.
- Ask security experts to lend a hand. Post your issue on popular security forums and provide all the requested information. While scrutinizing the ransomware code and its crypto implementation, analysts may come across a loophole that will pave their way toward creating a decryptor.
- Pay the ransom (as a last resort). If the encrypted data is too critical for your company to lose and the ransom size is relatively low, this tactic might make sense. However, be prepared for silence from the attackers after they get your money. They may also demand more once they realize that you don’t mind cooperating. By and large, think twice before taking this route.
Nurture a proactive security posture
The following recommendations will help you significantly reduce the risk of ransomware infection down the line and mitigate the damage in the worst-case scenario:
- Keep the most important data backed up. Store backups separately from other digital assets.
- Create a ransomware response plan and implement policies to facilitate effective detection and prevention of cyber threats.
- Conduct regular training for IT staff to hone their skills in identifying cyberattacks and collecting exhaustive evidence about incidents.
- Use software backed by proper SecDevOps throughout the development life cycle, including support and maintenance stage. This will bridge the gap between software engineering and operations teams for higher quality and stability of an application, which in turn foils easy exploitation.
- Carry out penetration tests to probe your network for vulnerabilities.
- Make sure that security patches are installed on endpoints as soon as they are available.
- Run reliable antivirus software with the heuristic analysis feature on board.
- Enforce the principle of least privilege, where every user has a minimum scope of access that suffices them to do their work. This is an element of a Zero Trust strategy that should become a cornerstone of your digital architecture.
- Build and sustain relationships with a reputable organization that provides cyber investigation services.
Bulletproof protection is wishful thinking because ransomware operators are ingenious enough to bypass virtually any defenses nowadays. Therefore, consider making the proverb “Hope for the best and prepare for the worst” an element of your company’s security philosophy. Ransomware isn’t going anywhere anytime soon, so you should focus on being a moving target.
About the Author
David Balaban is a cybersecurity analyst with two decades of track record in malware research and antivirus software evaluation. David runs Privacy-PC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a solid malware troubleshooting background, with a recent focus on ransomware countermeasures.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.