Ransomware is malware that encrypts files on a device to make the files, and the systems that rely on them, unusable. Malicious actors then typically demand a ransom in exchange for decryption.
Malicious actors have changed their ransomware strategies over time to be more damaging and effective. They increasingly steal data before encrypting it and, if the ransom is not paid, threaten to sell or leak it, including sensitive or private information. Such data breaches can cost the victim organization money and damage customer confidence.
Most cyber security professionals strongly advise against paying a ransom. Paying may encourage the adversary to target additional organizations, encourage other criminals to distribute ransomware, and fund further illegal activity. Paying also does not guarantee that the victim's files will be recovered.
All organizations risk falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems. If your organization becomes a victim of a ransomware incident and associated data breach, we strongly recommend implementing your cyber incident response plan and taking the following actions.
1. Secure the network
Secure network operations and stop further data loss using the following checklist, working through the first three steps in order.
Identify the affected systems and isolate them immediately. If several systems or subnets appear to be affected, consider taking the network offline at the switch level. If that is not possible, contain the infection by unplugging the network (e.g., Ethernet) cable from the affected devices or disconnecting them from Wi-Fi.
Power down infected devices to stop the ransomware from spreading if, and only if, the affected devices cannot be removed from the network and the network cannot be temporarily shut down. Take this step only when necessary: powering a device off destroys infection artifacts and evidence held in volatile memory.
Triage the impacted systems for recovery and restoration, prioritising by criticality to operations. Working with your team, develop and record a preliminary understanding of what happened, based on the initial analysis.
Engage your internal and external teams and stakeholders and let them know how they can help reduce the impact of the incident, deal with it, and recover from it. Consider engaging a reputable incident response provider with experience of data breaches.
If no initial mitigation actions appear possible, take a system image and memory capture of a sample of the affected devices. Also gather relevant logs, malware samples, associated observables and indicators of compromise, and any "precursor" malware binaries. Preserve highly volatile evidence, or evidence with a limited retention period, first, to prevent loss or tampering.
Time-sensitive reactive measures
• Remove infected systems from the network and isolate them.
• Power infected systems down only if they cannot be isolated from the network.
• Immediately isolate your backups.
• Take offline any shared drives that contain important data.
• Restore files from a backup that has been verified to be clean.
Reactive business continuity measures
• Alert the entire organization to the attack.
• Report the attack to your local law enforcement agency.
2. Analyze the incident
When starting the analysis phase, identify the specific ransomware variant that compromised the environment before moving on to containment. Some ransomware families self-propagate across the network (lateral movement) while others encrypt only the host they were launched on, and the capabilities of the specific code that infected the environment determine how containment and eradication must be carried out.
An abridged root cause analysis (RCA) should be performed to help the security team understand how the ransomware entered the environment. A formal RCA can wait until the post-incident activity phase, but an abridged one lets the organization plan for and enter containment; without it, the infection cycle is likely to repeat. The initial RCA must also come before recovery; otherwise the organization can spend a great deal of time and effort restoring files only to see them re-encrypted.
3. Report the incident
Notify law enforcement, other affected businesses, and affected individuals when your organization suffers a data breach. Contact local law enforcement promptly and report the breach and any potential for identity theft. Notifying affected people as soon as their personal information has been compromised lets them take steps to reduce the likelihood that it will be misused. Coordinate the timing of the notification with your law enforcement contact so that it does not impede the investigation. Within your organization, designate a single point person for information release, and keep that person briefed on the latest details of the breach, your response, and the actions you recommend to the public.
Clearly describe what you know about the compromise, including:
- how it occurred;
- what information was taken;
- how the attackers are using the information, if known;
- what steps you have taken to remedy the situation;
- what steps you are taking to protect affected people, such as providing free credit monitoring;
- how to contact the appropriate people within your organization.
4. Eradicate the ransomware
In the eradication phase, the organization's infected systems are cleaned of the ransomware. Depending on the extent of the attack this can take a long time, and it may involve user devices as well as the more critical machines and services the attackers were able to reach.
Any infected system must be rebuilt from a trusted source, using known-good templates and configurations that were stored securely for exactly this situation.
Furthermore, the root cause analysis may show that the ransomware entered the organization via email or another mechanism that other users could also have been exposed to. Those mechanisms should be examined and managed as follows:
- If the RCA found that an email message was the initial entry point, search the mail store and delete any copies of that message still pending delivery or sitting in mailboxes. Also consider isolating any system that received or opened the email until you are certain the ransomware was not executed on it.
- If the RCA showed that a browser exploit was used to deliver the ransomware, block the websites involved and monitor them closely, then determine whether any vulnerable browser components need to be updated or removed.
- As a precaution, reset the passwords of all impacted users. Do this carefully and in a coordinated way so as not to tip off the attackers: they probably hold several sets of credentials, and if their initial access is suddenly cut off they may switch to another set and change the direction of the attack.
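The mail-store sweep described in the first bullet, as an added example that is not part of the original guidance: given the SHA-256 of the malicious attachment recovered during the RCA, scan raw RFC 5322 messages, list the Message-IDs to purge, and list every recipient mailbox whose endpoint should be isolated until execution is ruled out. All addresses, message IDs and attachment bytes are constructed for the example; the attachment is a placeholder string, not malware, and the IOC hash is derived from it here only because there is no real sample to hash.

```python
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

# Constructed placeholder standing in for the dropper recovered during the RCA.
LURE_BYTES = b"constructed placeholder for the ransomware dropper"
# In practice this value comes from hashing the sample, not from the bytes above.
IOC_SHA256 = hashlib.sha256(LURE_BYTES).hexdigest()


def attachment_hashes(msg) -> dict:
    """Map SHA-256 of each attachment's decoded bytes to its filename."""
    hashes = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        hashes[hashlib.sha256(payload).hexdigest()] = part.get_filename()
    return hashes


def recipients(msg) -> set:
    """All To/Cc/Bcc addresses, lower-cased, so forwarded copies are caught too."""
    fields = [v for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def triage_mail_store(raw_messages, ioc_hashes: set) -> dict:
    """Scan raw messages; return Message-IDs to purge and mailboxes to isolate.
    Matching on the attachment hash catches renamed copies of the same file,
    but not a re-packed lure, so pair it with sender/subject indicators too."""
    purge, isolate = [], set()
    parser = BytesParser(policy=policy.default)
    for raw in raw_messages:
        msg = parser.parsebytes(raw)
        if set(attachment_hashes(msg)) & ioc_hashes:
            purge.append(str(msg["Message-ID"]))
            isolate |= recipients(msg)
    return {"purge": purge, "isolate": sorted(isolate)}


def _make(msg_id, sender, to, subject, payload, filename, cc=None) -> bytes:
    m = EmailMessage()
    m["Message-ID"] = msg_id
    m["From"] = sender
    m["To"] = to
    if cc:
        m["Cc"] = cc
    m["Subject"] = subject
    m.set_content("Please see attached.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


def build_constructed_messages() -> list:
    """Constructed sample: the phishing message, an internal forward of it
    (so two more mailboxes are exposed), and a benign invoice."""
    return [
        _make("<1@example.invalid>", "billing@example.invalid", "alice@corp.example",
              "Overdue invoice", LURE_BYTES, "invoice.zip"),
        _make("<2@example.invalid>", "alice@corp.example", "bob@corp.example",
              "Fwd: Overdue invoice", LURE_BYTES, "invoice.zip", cc="carol@corp.example"),
        _make("<3@example.invalid>", "vendor@example.invalid", "dave@corp.example",
              "Invoice 1042", b"%PDF-1.4 constructed benign document", "invoice-1042.pdf"),
    ]


def run_demo() -> dict:
    return triage_mail_store(build_constructed_messages(), {IOC_SHA256})


if __name__ == "__main__":
    result = run_demo()
    print("purge from mail store:", result["purge"])
    print("isolate endpoints of:", result["isolate"])
```

Feed the real mail store's messages (an mbox or Maildir via the standard `mailbox` module) to `triage_mail_store` in place of the constructed list; the forward in the sample shows why recipients must be collected from every matching message, not just the original lure.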
5. Recover
Once the organization has contained the ransomware and identified the root cause of the infection, it can begin the recovery phase. Both must be complete before recovery starts, and several factors then need to be considered.
- Patch vulnerabilities: if the RCA finds that vulnerable systems were the entry point, patch them to stop further attacks. If a system cannot be patched, isolate it and put compensating controls in place to reduce its exposure.
- Restore data from backups: organizations should rely on their own backup infrastructure to restore affected files before pursuing other options. This requires that a backup procedure for the affected data was already in place, and that procedure should have verified the frequency and completeness of the backups so that a full restoration is possible.
It is crucial to check the state of the backups before relying on them. If the attackers have been in the network for months they may have encrypted the network backups themselves, or files may have been silently encrypted and then backed up over time, in which case restoring from backup is no longer a viable option.
Attackers who sit on a network for a long time can also plant persistence mechanisms in the backups, so that they can return and threaten the organization again if the ransom is not paid. Best practice is redundancy together with backups that are verified, segregated, or kept offline; this reduces the chance of manipulation. Even so, when malicious encryption hits a network share, several of the most recent backups may contain partially encrypted files. Suppose, for instance, that a company file share is backed up daily, and that a compromised employee device takes five days to encrypt all of the share's data before the attack is noticed. The last five backups will then each contain some files that had already been encrypted.
You should have an effective backup procedure that follows industry standards: keep local backups, and also archive backups to cloud-based storage and to removable media such as tapes, optical disks, and removable hard disks.
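A backup check of the kind the five-day example calls for, as an added example that is not part of the original guidance: walk each daily snapshot, flag files whose leading bytes have ciphertext-like entropy or that look like a ransom note, report the newest snapshot with no such files, and collect the appended extension and note names, which are also the observables used to identify the variant during analysis. The snapshot layout, the `.locked` extension, the note filename and the note keywords are all constructed for the example and belong to no real family.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Constructed heuristics for this example; record the real variant's note names
# and extension from the RCA and use those instead.
NOTE_KEYWORDS = ("recover", "decrypt", "restore", "readme")
ENTROPY_THRESHOLD = 7.5   # bits/byte; documents sit far lower, ciphertext near 8
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """A high-entropy head is the cheap tell for ciphertext. Caveat: already
    compressed formats (zip, jpeg, pdf streams) score high too, so treat a hit
    as a lead to confirm against the file's expected magic bytes, not as proof."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    return len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD


def scan_snapshot(snapshot: Path) -> dict:
    """Classify every file in one snapshot and collect variant observables."""
    result = {"encrypted": [], "notes": [], "extensions": Counter()}
    for path in sorted(p for p in snapshot.rglob("*") if p.is_file()):
        if path.suffix == ".txt" and any(k in path.name.lower() for k in NOTE_KEYWORDS):
            result["notes"].append(path.name)
        elif looks_encrypted(path):
            result["encrypted"].append(str(path.relative_to(snapshot)))
            result["extensions"][path.suffix] += 1   # appended extension, e.g. ".locked"
    return result


def latest_clean_snapshot(root: Path):
    """Newest snapshot (by name) with no encrypted files and no note, else None."""
    for snapshot in sorted((p for p in root.iterdir() if p.is_dir()), reverse=True):
        r = scan_snapshot(snapshot)
        if not r["encrypted"] and not r["notes"]:
            return snapshot.name
    return None


def build_constructed_snapshots(root: Path, days: int = 6, files: int = 5) -> None:
    """Constructed data: daily snapshots of a five-file share where, from day 2
    onward, one more file per day has been replaced by ciphertext plus a note.
    Pseudo-random bytes stand in for ciphertext; no real encryption is involved."""
    rng = random.Random(1234)
    for day in range(1, days + 1):
        snap = root / f"snapshot-{day:02d}"
        snap.mkdir(parents=True)
        encrypted_so_far = day - 1
        for i in range(files):
            if i < encrypted_so_far:
                (snap / f"report-{i}.docx.locked").write_bytes(rng.randbytes(SAMPLE_BYTES))
            else:
                (snap / f"report-{i}.docx").write_bytes(b"Quarterly figures, section %d.\n" % i * 200)
        if encrypted_so_far:
            (snap / "HOW_TO_RECOVER_FILES.txt").write_text("constructed ransom note\n")


def run_demo() -> dict:
    """Build the constructed snapshots in a temp dir and summarise the scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_snapshots(root)
        per_snapshot = {s.name: scan_snapshot(s) for s in sorted(root.iterdir())}
        return {
            "latest_clean": latest_clean_snapshot(root),
            "encrypted_counts": {n: len(r["encrypted"]) for n, r in per_snapshot.items()},
            "notes": {n: r["notes"] for n, r in per_snapshot.items()},
            "extensions": sum((r["extensions"] for r in per_snapshot.values()), Counter()),
            "day3_encrypted": per_snapshot["snapshot-03"]["encrypted"],
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it against the real backup root instead of the constructed one and the result is the restore point: here only `snapshot-01` predates the encryption, matching the page's point that the five most recent backups each carry already-encrypted files. The extension tally and note names are worth attaching to the incident record for variant identification.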