
The ransomware threat has metastasized over the past five years into a national security crisis, economically impacting all US industry verticals. 

This development is most readily seen in the emergence of Ransomware-as-a-Service (RaaS). Ransomware developers now license their malware to an eager market of criminal operators and extortionists within a complex, specialized underground marketplace. That commercial availability has lowered the barrier to entry and has likely drawn in participants who previously lacked the skills to compete.

Victims of ransomware proliferation notably include small and medium-sized businesses (SMBs); according to a 2019 Datto study, the average incident cost an SMB $141,000 in downtime.

Organizations can mitigate the damage of ransomware by developing an incident response plan for ransomware attacks.


This article assumes that you have done at least minimal preparation in advance of a security incident: you have aggregated all security tool logs into a security information and event management (SIEM) tool such as Blumira for investigative purposes, and you have a disaster recovery plan, practiced recovery procedures, and the supporting technology. Strict network segmentation is also critical.

Incident Response Lifecycle

These best practices are organized according to the phases of NIST's Incident Response Lifecycle (SP 800-61): Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity.

This article takes no formal position on whether or not to pay the extortion demand. There is no single universal answer to that question. Each business case is unique. Blumira’s recommendation is to invest the necessary resources for proper resiliency, such as reliable backup software, incident planning, and log aggregation.

Detection and Analysis

Increase endpoint visibility. A successful incident investigation of any kind depends directly on process-level visibility into endpoints. An endpoint detection and response (EDR) product provides this; where budget is a constraint, Microsoft's free Sysinternals utility Sysmon (a system monitor, not a full EDR) logs process creation, network connections and similar events to the Windows event log, from where your SIEM can collect them. Deploy these tools ahead of the investigation: telemetry that was never collected cannot be recovered afterward.

Compile Indicators of Compromise (IOCs). Rather than amassing only discrete atomic artifacts such as file hashes, domains or IP addresses, use the endpoint telemetry to signature the attacker's behaviors (combinations of log fields, for example a particular parent/child process pair or a service installed from an unusual path). Behavioral indicators survive trivial changes to the malware and will be useful in later stages of the investigation such as scoping.

Scope affected systems. Successful containment and remediation depend largely on the investigator's ability to trace the attacker's lateral movement through the network using the IOCs compiled above and, along the way, to identify which user and service account credentials were compromised. Privilege escalation is how the attacker expands network access, so it is a central consideration during scoping. Attackers commonly move laterally through remote services (RDP, SMB admin shares, WinRM, SSH), so pay close attention to the relevant MITRE ATT&CK sub-techniques of Remote Services (T1021) for the operating systems found in your environment.
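The IOC and scoping steps above, as an added worked example that is not from the article or from Blumira: a Python script that turns constructed endpoint telemetry (Windows Security 4624/4672 events and a Sysmon process-creation event, with field names modeled on those sources as a SIEM might normalize them) into behavioral IOCs, then walks remote-logon edges outward from the patient-zero host to list affected hosts, the accounts used, and which of those accounts held special privileges. Host names, IPs, account names and the IP-to-host mapping are all made up.

```python
"""Behavioral IOCs and intrusion scoping from endpoint telemetry.

Added example, not code from the article. EVENTS and IP_TO_HOST are
constructed; the keys mirror Windows Security (4624, 4672) and Sysmon
(Event ID 1) fields, but the exact schema is this example's own choice.
"""
import json
from collections import defaultdict, deque
from pathlib import PureWindowsPath

REMOTE_LOGON_TYPES = {3, 10}  # 3 = network (SMB/WinRM), 10 = RemoteInteractive (RDP)

# Constructed IP-to-hostname mapping (asset inventory or DHCP logs in practice).
IP_TO_HOST = {"10.0.1.25": "WS-PATIENT0", "10.0.2.10": "FS01"}

# Constructed telemetry: a phished workstation, a file server and a domain controller.
EVENTS = [
    # Network logon to FS01 using the phished user's credentials.
    {"host": "FS01", "source": "Security", "event_id": 4624,
     "logon_type": 3, "user": "CORP\\jdoe", "src_ip": "10.0.1.25"},
    # services.exe spawning a service binary outside System32: PsExec-style remote execution.
    {"host": "FS01", "source": "Sysmon", "event_id": 1,
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe", "user": "NT AUTHORITY\\SYSTEM"},
    # A service account logs on to FS01 from the same workstation and gets special privileges.
    {"host": "FS01", "source": "Security", "event_id": 4624,
     "logon_type": 3, "user": "CORP\\svc_backup", "src_ip": "10.0.1.25"},
    {"host": "FS01", "source": "Security", "event_id": 4672,
     "user": "CORP\\svc_backup"},
    # The service account then RDPs from FS01 to the domain controller.
    {"host": "DC01", "source": "Security", "event_id": 4624,
     "logon_type": 10, "user": "CORP\\svc_backup", "src_ip": "10.0.2.10"},
    # Benign console logon elsewhere; logon type 2 is not lateral movement.
    {"host": "HR-PC7", "source": "Security", "event_id": 4624,
     "logon_type": 2, "user": "CORP\\asmith", "src_ip": "-"},
]


def remote_logon_edges(events, ip_to_host):
    """Behavioral IOC 1: remote logons, as (source_host, target_host, account) edges."""
    edges = []
    for e in events:
        if (e["source"] == "Security" and e["event_id"] == 4624
                and e.get("logon_type") in REMOTE_LOGON_TYPES):
            src = ip_to_host.get(e["src_ip"], e["src_ip"])
            edges.append((src, e["host"], e["user"]))
    return edges


def remote_service_execution(events):
    """Behavioral IOC 2: services.exe launching a service binary outside System32."""
    hits = []
    for e in events:
        if e["source"] != "Sysmon" or e["event_id"] != 1:
            continue
        parent = PureWindowsPath(e["parent_image"]).name.lower()
        image = PureWindowsPath(e["image"])
        in_system32 = str(image.parent).lower().endswith("\\system32")
        if parent == "services.exe" and not in_system32:
            hits.append((e["host"], image.name))
    return hits


def scope_intrusion(events, seed_host, ip_to_host=IP_TO_HOST):
    """Breadth-first walk of remote-logon edges from the patient-zero host.

    Returns the hosts reached in discovery order, the accounts used to reach
    them, which of those accounts were granted special privileges (4672),
    and which in-scope hosts show remote service execution.
    """
    graph = defaultdict(list)
    for src, dst, user in remote_logon_edges(events, ip_to_host):
        graph[src].append((dst, user))
    privileged = {e["user"] for e in events
                  if e["source"] == "Security" and e["event_id"] == 4672}
    hosts, accounts, queue = [seed_host], set(), deque([seed_host])
    while queue:
        current = queue.popleft()
        for dst, user in graph[current]:
            accounts.add(user)
            if dst not in hosts:
                hosts.append(dst)
                queue.append(dst)
    service_exec = [h for h, _ in remote_service_execution(events) if h in hosts]
    return {"hosts": hosts, "accounts": sorted(accounts),
            "escalated": sorted(accounts & privileged),
            "remote_service_exec": service_exec}


if __name__ == "__main__":
    print(json.dumps(scope_intrusion(EVENTS, "WS-PATIENT0"), indent=2))
```

On the constructed data the walk reaches FS01 and DC01 but not HR-PC7, flags CORP\svc_backup as the escalated account, and marks FS01 as the host with PsExec-style service execution; every account in the `accounts` list is a credential-reset candidate, and every host in `hosts` is a rebuild candidate.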

Identify the ransomware family. While easily overlooked, this step is highly recommended. There's a popular phrase in cybersecurity: "Attribution matters". Use elements of the ransom note (its wording, contact addresses, and the extension appended to encrypted files) to attribute the ransomware to a particular malware family.

Once you know the malware family, a web search will yield public threat intelligence useful to your investigation, such as the family's typical initial access vectors and tooling. On occasion a family's encryption has been broken and a decryption tool is available: ID Ransomware can identify the family from a ransom note or an encrypted sample, and The No More Ransom Project hosts decryptors contributed by law enforcement and security vendors. Test any decryptor on copies of encrypted files before running it against the originals.


Forensically preserve evidence. Cyber risk insurance providers and law enforcement will both want, if not require, forensic images of compromised systems. Image systems before rebuilding them, since rebuilding destroys the evidence; record a cryptographic hash of each image at acquisition so its integrity can be demonstrated later, and maintain a documented chain of custody for all evidence (images, packet captures, hardware) as an added precaution.
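Evidence preservation, as an added example that is not from the article: a Python script that streams an image through SHA-256 at acquisition, appends each custody event (acquisition, hand-off) to a JSON-lines manifest, and later re-verifies the image against the acquisition hash. The manifest format and field names are this example's own choice, and run_demo builds a small constructed stand-in for a disk image in a temporary directory, so nothing here touches real evidence; file and custodian names are hypothetical.

```python
"""Hash evidence on acquisition and keep a chain-of-custody manifest.

Added example, not code from the article. The JSON-lines manifest layout
is this example's own choice; the sample 'image' in run_demo is constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algo="sha256", chunk_size=1 << 20):
    """Stream the file through the digest so multi-GB images never load into RAM."""
    digest = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def log_custody_event(manifest, image_path, action, custodian, note=""):
    """Append one custody event, re-hashing the evidence each time; returns the entry."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": hash_file(image_path),
        "action": action,        # acquired, transferred, examined, ...
        "custodian": custodian,
        "note": note,
    }
    with open(manifest, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_integrity(manifest, image_path):
    """True if the image still matches the hash recorded when it was acquired."""
    with open(manifest, encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh if line.strip()]
    name = os.path.basename(image_path)
    acquired = next(e for e in entries
                    if e["action"] == "acquired" and e["evidence"] == name)
    return hash_file(image_path) == acquired["sha256"]


def run_demo():
    """Acquire, hand off, verify, then tamper and verify again on a constructed image."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "FS01-disk.E01")        # hypothetical image name
        manifest = os.path.join(tmp, "custody.jsonl")
        with open(image, "wb") as fh:                       # constructed stand-in for a disk image
            fh.write(b"\x00" * 4096 + b"constructed image contents")
        acquired = log_custody_event(manifest, image, "acquired",
                                     "analyst A", "imaged FS01 behind a write blocker")
        log_custody_event(manifest, image, "transferred",
                          "insurer forensics team", "hand-off at 14:00 UTC")
        intact_before = verify_integrity(manifest, image)
        with open(image, "r+b") as fh:                      # simulate a single-byte change
            fh.seek(0)
            fh.write(b"\x01")
        intact_after = verify_integrity(manifest, image)
        return {"acquired_sha256": acquired["sha256"],
                "intact_before": intact_before,
                "intact_after_tamper": intact_after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Keep the manifest (and a printed, signed copy) separate from the evidence media; a custody log stored only beside the image it describes proves little if that media is questioned.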


Containment, Eradication and Recovery

Rebuild all directly affected systems. Rebuild compromised systems from scratch or from a trusted gold image rather than attempting to clean them in place. Reset all credentials associated with those machines, including local administrator and service account passwords, together with any account identified as compromised during scoping.


Rebuild AD infrastructure. If Active Directory was compromised in the course of the attack, rebuild it from a trusted backup or from scratch inside an isolated 'secure enclave' VLAN, as described by Mandiant in the M-Trends 2021 report, admitting systems to the clean environment only after they have been rebuilt or verified clean. Once the domain is rebuilt, reset the krbtgt account password twice to invalidate any Kerberos tickets the attacker forged with the old key.

Post-Incident Activities

Employee education. Teaching employees how to recognize social engineering and phishing emails, and how to report suspicious information security events, is a huge force multiplier for any security program. When end users know what to look out for, they provide additional visibility into the network for your security team.

Consider cyber risk insurance. Weigh the pros and cons of purchasing a cyber risk insurance policy to financially backstop your organization in the event it experiences a future ransomware event.

How Blumira Can Help

Blumira’s cloud threat detection and response solution alerts your team about suspicious behavior that leads to security incidents, like ransomware infections — and provides recommendations on next steps. Test it out with a free trial.
