Incident Response for Ransomware

Muhammet Donmez
Posted:
September 23, 2024
Home
Posts
Incident Responder
Incident Response for Ransomware
Contents

Incident Response for Ransomware

Ransomware is malicious software that encrypts files and demands a ransom to restore them to their original state. Attackers frequently threaten to leak or sell the encrypted data. These attacks are typically executed through phishing, infected websites, or compromised accounts. To detect and prevent such attacks, you must use security products and effective incident response plans.

It is becoming increasingly common to hear about ransomware attacks targeting large companies, educational institutions, and local governments. These attacks can disrupt critical public services, such as hospitals, supply chains, and even critical gas pipelines. Effective incident response playbooks are crucial for taking the right and prompt actions during ransomware attacks.

TL;DR

Ransomware is malware that encrypts files on a device, rendering them unusable. Attackers leave notes on infected systems, demanding a ransom from users. These attacks must be detected and analyzed as quickly as possible, as incident responders often have to act within a very short timeframe. Detecting and analyzing ransomware variants that can spread across networks before the malware spreads is critical. This requires swift action and the implementation of temporary measures.

Once experts have contained the malware's spread across the network, they must decide whether to pay the ransom. Backups must be available at this stage. If the organization has an up-to-date or near-current backup, the team can avoid paying the ransom. However, if they don't have one, they have no choice but to pay ransom to get the decryption key. After that, you need to document the incident from start to finish. Include evidence in your report, like screenshots or logs.

To stop this from happening again, you must find the first place the hackers got in. Fix whatever's broken, apply the necessary fixes, and take the necessary measures to keep them out.

What is Ransomware?

Ransomware is malicious software that encrypts files on a device, rendering them inaccessible. Attackers demand a ransom in exchange for the decryption key. They frequently threaten to sell or leak the obtained data if the ransom remains unpaid, targeting companies, institutions, and governments. Ransomware has recently affected companies and critical infrastructure in countries across the globe.

Attackers infect target systems in three ways: through phishing attacks, infected websites, or compromised accounts. In some cases, ransomware exploits vulnerabilities in outdated software or operating systems to gain unauthorized access.

Once it has infected the victim's computer, the ransomware runs unnoticed in the background, using strong encryption algorithms to render files inaccessible. Some variants also spread across the network, infecting other computers and devices connected to the same network.

Detecting and Analyzing Ransomware Attacks

Detection and Diagnosis

You must quickly detect the affected systems to minimize damage from ransomware attacks. Monitor for anomalies in the network, file modifications, or encryption activities. It is essential to ensure that security products and detection rules can identify and diagnose ransomware variants.

Determine the Scope of the Attack

First, identify which systems and files the attackers have targeted. Then, review network traffic and logs to determine if the attacker has spread across the network.

Stop the Attack and Prevent Spreading

Take immediate action to isolate infected systems from the network to prevent the malware from spreading further. Next, you must start the recovery process by restoring the system from a backup made before the infection. This is a clear reminder of why you should make backups a regular part of your IT security routine.

Responding to Ransomware Attacks: Steps and Strategies

Decision on Ransom Payment

If restoring the system is not feasible or puts critical data at risk, institutions will inevitably decide to pay the ransom. However, you cannot guarantee that paying the ransom will recover the data or prevent the attackers from leaking it. Furthermore, paying the ransom will only encourage attackers to target the organization again in the future. If there are no other options for data recovery and the ransom is acceptable, this is the way forward. The fact is that in 2023, the amount paid in ransomware attacks reached a record $1.1 billion, up from $567 million in 2022. This significant market increase has attracted more attention from attackers, underscoring the serious threat ransomware poses and the need for organizations to invest in the right technologies, people, and processes.

Documentation and Reporting of the Incident

You must document all steps and findings of the attack in detail. The report must include all evidence of the attack. It is crucial to report the incident without delay to prevent similar attacks in the future. Based on the findings, you must take immediate action to prevent further attacks. This will involve applying patches for vulnerabilities, disabling compromised accounts, and resetting passwords for all users. Organizations must learn from ransomware attacks and review their cybersecurity measures and incident response processes without delay. Security products must be tightened immediately and staff must be provided with the necessary training.

Ransomware Playbook

Step One: Verify

Tier 1 analysts in the SOC team review alerts resulting from the attack. Smooth escalation processes from Tier 1 to Tier 2 ensure that alerts are handled correctly and are not incorrectly escalated, which could negatively impact the organization. Alerts from Tier 1 analysts must be verified as not all escalations are true positives. Technical and authority issues can sometimes lead to erroneous escalations, so it is vital to verify alerts to confirm that they involve attacker activities.

Step 2: Determine the Type of Ransomware

You must perform initial investigations based on alerts using security product logs and SIEM-style tools. If the alert involves an attacker, continue your investigations on the affected systems. Look for and find evidence such as text, HTML files, images, wallpapers, or pop-ups on the system. Attackers often leave notes for victims containing their contact information and Bitcoin wallet IDs for payment. These notes will help you identify the ransomware variant.

Furthermore, you should check for evidence such as contact emails, language, payment methods, payment addresses, and support chat/pages on the system to determine the variant. You will be able to identify the ransomware variant by analyzing the file extensions (e.g. .crypt, .cry, and .locked) and the file types and locations, as well as the encrypted file icons.

Step 3: Automated Categorization Services

You can use additional tools to identify the ransomware variant. Just upload the encrypted files to these tools. Examples include:

Step 4: Identify The Root Cause

It is essential to identify the root cause at the earliest possible stage of the incident response process. Block the route that the attacker used to gain access. The attacker might have gained access via an internet-facing service or phishing.

Step 5: Initial Access

Securing systems and preventing recurrence hinges on determining the technique used by the attacker for initial access. There are four main techniques that hackers use to access your system: exploiting public-facing applications, phishing, supply chain compromises, and using external remote services. Other techniques listed in Mitre may also be used, so review these as well.

Step 6: Determine the Scope of the Attack

You need to identify all the affected systems. Some ransomware variants can spread across the network, so it's crucial to act fast. Get the Indicators of Compromise (IOCs) from your analysis, note them down, and search the whole network to find the infected systems.

Final Step: Containment

Once you have identified all the affected systems, take immediate action. Before implementing permanent actions, isolate the malware immediately to prevent further spread to other systems on the network.

Practical Ransomware Analysis as an Incident Responder

You can find some hands-on courses for ransomware analysis on LetsDefend.

Conclusion

Ransomware attacks pose a serious and ongoing threat to organizations and require a robust cybersecurity strategy. These attacks may involve difficult decisions, such as whether to pay the ransom. It is crucial to have a swift response and an effective incident response plan in place. Your plan must include steps to detect attacks, prevent their spread, recover affected systems, and prevent future incidents.

Training, security software, and regular updates are key preventive measures that can help mitigate the impact of ransomware attacks. Technological solutions and incident response plans must be continuously updated to detect and respond to ransomware attacks. These steps are essential for protecting an organization's data and systems.

As ransomware attacks increase, collaboration and information sharing are vital. There is a pressing need for cooperation among industry stakeholders to combat cyber threats and create a more secure cyberspace. By working together, organizations and communities can more effectively address ransomware and other cyber threats.

The following ransomware playbook provides a useful source for those interested in learning more about ransomware response:

References

  • https://www.cisa.gov/stopransomware/ransomware-101
  • https://github.com/LetsDefend/incident-response-playbooks/tree/main/Ransomware
  • https://duo.com/decipher/ransomware-payments-hit-usd1-1b-record-in-2023
Share
letsdefend description card

You might also be interested in ...

Start learning cybersecurity today