Ransomware incidents require customized response strategies that prioritize swift containment and data availability. Ransomware actors aim to encrypt as many critical systems as possible to maximize business disruption and increase the likelihood of ransom payment. Effective ransomware response demands ongoing training, testing, and adaptation to stay ahead of constantly evolving threats.
This article outlines ransomware-specific enhancements across the incident response lifecycle – empowering teams to complement foundational incident response procedures with ransomware-focused strategies. Adopting specialized procedures, customized to your environment and risk profile, strengthens resilience when responding to ransomware incidents.
The best practices in this article are organized according to the phases defined in the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide. Cybersecurity & Infrastructure Security Agency (CISA) resources were also used to guide the recommendations on building incident response procedures for protecting against and responding to ransomware incidents.
This article covers incident response techniques specific to ransomware. It assumes you have established a basic security program, including centralizing security logs in a security information and event management (SIEM) tool like Blumira and defining an incident response plan. To learn more about developing incident response procedures, read our article: Building Effective Incident Response Procedures.
Prepare against ransomware infections by building a security program aimed at detecting the early stages of ransomware activity. Endpoint Detection and Response (EDR) tools should be implemented to monitor for unauthorized encryption events across endpoints. Network security tools must also detect and alert on C2 beaconing in traffic logs. Backups of critical assets and data should be regularly tested and maintained for reliable restoration. Consider adding ransomware scenarios to table-top exercises for incident response training. Involving executive leadership in these exercises helps prepare them for decisions where isolating critical assets imposes a business cost but is necessary to recover from a severe compromise. A proactive security program focused on catching ransomware threats early, before encryption and extortion occur, is key to minimizing business disruption.
Detection & Analysis
Once a ransomware incident has been detected, incident responders should review SIEM logs to determine which systems were impacted, and immediately isolate them. In the event that several systems and/or network segments were impacted, the network may need to be taken offline to prevent further infection spread.
Refer to internal incident response policy and procedures to activate the communication plan used in response to ransomware incidents. Engage the internal and external parties identified as needing to be informed once a ransomware incident has been identified. External parties may include third-party incident response providers, cybersecurity insurers, and/or law enforcement agencies.
Identify and isolate infected assets to prevent the spread of infection and beacon communication from the infected host to the threat actor’s command and control (C2) infrastructure. Consider disabling administrative and Server Message Block (SMB) shares, as ransomware often exploits these pathways to distribute malware across an environment.
If an intrusion is detected and malware associated with ransomware is identified but has not yet been executed, it is critical to coordinate response efforts to swiftly contain the affected endpoints. Threat actors may monitor compromised assets for signs that their activity has been detected; if they suspect incident response activity, they may attempt to quickly deploy and execute ransomware to maximize their impact.
Preserve forensic evidence for ongoing analysis that may occur after the initial containment and recovery stage. Volatile evidence should be collected first, as it can be lost when memory is overwritten or a machine is powered off. Memory captures are the most effective way to identify C2 beacons, as modern beacons tend to run in memory. System images of affected devices and malware artifacts should be collected for further analysis. Preserve as much evidence as possible to give analysts the data they need to understand the scope of the incident.
Detection & Analysis (Continued)
Use the alerts generated by security tools to identify indicators of compromise that can be used to scope the affected systems and networks. Cross-reference unique identifying events in these alerts with system and network logs in the SIEM to help identify impacted assets.
The following assumptions can be made to help guide log review and analysis:
- A threat actor got into the environment.
- They established one or more persistence mechanisms.
- They conducted reconnaissance and discovery activities.
- They accessed sensitive credentials.
- They moved laterally.
- They distributed ransomware.
When the ransomware variant has been identified, research publicly available knowledge about that variant. A common pattern seen in ransomware incidents involves initial access via dropper malware variants like Bumblebee, IcedID, QakBot, and Dridex. Initial access groups often sell access to a compromised network. Ransomware groups then purchase access to these networks, exfiltrate data, and extort victims into paying a ransom to prevent public release of the data and/or to decrypt systems.
The following questions should be documented in the incident response report:
- What was the initial entry point and first compromised system?
- What tools and methods were used to gather system and network information? Where were they used and what was revealed?
- How did the attacker move between systems? What techniques and accounts were utilized?
- How was the ransomware distributed and executed?
- What systems were affected or at risk? Where was ransomware deployed and run?
- Did the ransomware successfully encrypt data on the host? If so, what was encrypted?
- Was any sensitive data accessed or exfiltrated?
- How long were attackers active in the environment undetected?
- At what point are backups verified safe for restoration?
Incident responders should use the SIEM to hunt for threat activity. Here are a few suggestions on what to hunt for during the timeframe of the incident:
- New Active Directory accounts
- Activity by privileged accounts, such as Domain Admins
- Anomalous account logins
- Unauthorized RMM software
- Suspicious PowerShell use
- Enumeration of Active Directory
- Credential Dumping
- Potential data exfiltration like spikes in outbound transfers or unauthorized tools
- Unauthorized system changes like new scheduled tasks, registry values, or software installs
- Beaconing activity to disreputable IP addresses
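The last hunt item above, beaconing to disreputable IP addresses, lends itself to a simple SIEM query. The following is an added example (not Blumira's detection logic) that groups constructed, SIEM-normalized outbound connection records by source and destination, flags pairs whose connection intervals are suspiciously regular, and cross-checks destinations against a placeholder threat feed; the record format, thresholds, and all addresses (RFC 5737 documentation ranges) are assumptions.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a SIEM-style normalized form (not real traffic).
# WKS-042 -> 203.0.113.10 connects roughly every 60 s (beacon-like);
# WKS-042 -> 198.51.100.7 is irregular (browsing-like); SRV-01 -> 192.0.2.25 is rare.
SAMPLE_LOGS = "\n".join(
    json.dumps({"ts": f"2024-03-01T10:{m:02d}:{s:02d}", "src": src, "dst": dst})
    for src, dst, m, s in [
        ("WKS-042", "203.0.113.10", 0, 0), ("WKS-042", "203.0.113.10", 1, 1),
        ("WKS-042", "203.0.113.10", 2, 0), ("WKS-042", "203.0.113.10", 3, 2),
        ("WKS-042", "203.0.113.10", 4, 0),
        ("WKS-042", "198.51.100.7", 0, 5), ("WKS-042", "198.51.100.7", 0, 9),
        ("WKS-042", "198.51.100.7", 2, 40), ("WKS-042", "198.51.100.7", 7, 3),
        ("SRV-01", "192.0.2.25", 1, 0), ("SRV-01", "192.0.2.25", 30, 0),
    ]
)

# Placeholder threat-feed entry (constructed, not a real indicator).
THREAT_FEED = {"192.0.2.25"}


def hunt(log_text, threat_feed, min_conns=4, max_cv=0.2):
    """Return {(src, dst): [reasons]} for beacon-like or feed-listed traffic.

    A pair is 'periodic' when it has at least min_conns connections and the
    coefficient of variation (stdev / mean) of the gaps between them is small.
    """
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        rec = json.loads(line)
        by_pair[(rec["src"], rec["dst"])].append(datetime.fromisoformat(rec["ts"]))
    findings = {}
    for pair, stamps in by_pair.items():
        reasons = []
        if pair[1] in threat_feed:
            reasons.append("destination on threat feed")
        stamps.sort()
        if len(stamps) >= min_conns:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.stdev(gaps) / mean if mean > 0 else 0.0
            if cv <= max_cv:
                reasons.append(f"periodic: {len(stamps)} conns, mean gap {mean:.0f}s, cv {cv:.2f}")
        if reasons:
            findings[pair] = reasons
    return findings


if __name__ == "__main__":
    for (src, dst), why in hunt(SAMPLE_LOGS, THREAT_FEED).items():
        print(f"{src} -> {dst}: {'; '.join(why)}")
```

In a real hunt the records would come from a SIEM export over the incident window and the feed from your threat intelligence source; low-and-slow beacons with jitter will need a looser `max_cv` and a longer window.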
Eradication & Recovery
Prioritize rebuilding systems based on the criticality of the asset to the business. If the incident response team decides to restore impacted systems from backups, the backups must be examined to confirm they are free of persistence mechanisms. For severely compromised environments, rebuilding Active Directory infrastructure may be necessary.
Password resets should be issued for all affected systems and accounts, and affected personnel should be notified. In some cases, data may be decrypted without paying the ransom: decryptors for certain ransomware variants may be publicly available or obtainable from law enforcement agencies. Patch the system and application vulnerabilities leveraged during the intrusion.
Caution must be exercised to ensure a ransomware incident has been fully remediated. Threat actors have been known to return to compromised environments several weeks or months later exploiting lingering persistence mechanisms or systems restored from unclean backups. Detection & analysis and the containment, eradication, & recovery phases will likely intersect with one another in an ongoing iterative process.
After an incident is resolved, conducting a post-mortem review is critical for organizations to improve security going forward. The post-mortem enables assessment of what transpired, the business impact, lessons learned, and actions to bolster defenses and response. Performing thorough post-mortems in a blameless manner is key to capitalizing on incidents to bolster an organization’s overall security posture for the future.
Harden infrastructure to mitigate the techniques identified during the analysis phase. This may include keeping systems, software, and applications up to date, regularly testing system backups, applying least-privilege permissions, and enforcing multi-factor authentication.
How Blumira Can Help
Blumira’s cloud threat detection and response solution alerts your team about suspicious behavior that leads to security incidents, such as ransomware, and provides recommendations on next steps. Get started with Blumira by trying out our free SIEM.
Blumira can also help security teams detect malicious activity to reduce the impact of security incidents. Here are a few examples of Blumira detections on techniques mentioned in this article:
- Reconnaissance and Discovery Activity Detections
- Threat Feed Detections for Network Traffic to IPs associated with C2 Infrastructure
- PowerShell Detections for Suspicious Activity
- Dumped LSASS and Mimikatz Detections
- Rclone Execution via Command Line or PowerShell
- Remote Access Tools Detections including Splashtop, ScreenConnect, TeamViewer, and more.