Managing Ransomware Attacks Effectively

In recent years, we have witnessed an explosion of ransomware incidents. These incidents have severe impacts on organizations, such as financial losses or prolonged network unavailability. In many cases, organizations don’t have data backups and are forced to pay the ransom, often up to hundreds of thousands of dollars.

Also, since the end of 2019, ransomware behaviour has changed. Before encrypting victims' computers, hackers systematically exfiltrate server data. This provides a second bargaining chip in case a victim who has a backup refuses to pay the ransom. This additional leverage is quite persuasive, as the exfiltrated data can include trade secrets, personal information on employees and customers, credit card data, and other sensitive information.

Managing Your Ransomware Incident Step-by-Step

1- Stay calm

In most cases, you will discover that you are infected with ransomware when a ransom demand message is displayed. If this is the first time this happens to you, it is the beginning of a period of serious stress for the IT (or cybersecurity) team and senior management. The more critical the infected machines are, the more the stress will increase. The best attitude to adopt is to stay calm and prepare for the fight. Get ready for some long nights.

2- Recognize your limits and seek help - quickly

If you don't have the expertise to handle the incident, get outside help ASAP! In several cases we managed, internal IT teams spent between 1 and 3 days scrambling for a solution, before resigning themselves to getting external help. The more time passes, the greater the damage.

Establish a relationship with a cybersecurity firm specializing in incident response and always have their phone number handy. If you get hacked, you'll realize that this is one of the best cybersecurity tips you've ever received.

3- Manage communications proactively

It’s crucial to control communication and avoid rumours, misinformation and mixed messages. Designate one person to be responsible for internal and external communications (partners and media). Keep your messaging clear, calm and consistent.

4- The first minutes are crucial

The more time passes, the more hackers have the opportunity to infect your computers. As soon as you see that a computer is infected, disconnect it from the network, but don’t shut it down. You’ll need the computer to determine how the ransomware got into your network. If you shut down the computer, you will lose this evidence.

For the hacker, infecting several computers improves his negotiating position when asking for ransom. Again and again we see that infections move from one computer/server to ten computers (or more) in less than an hour.

5- Total containment of the incident

The next step is to make sure that the ransomware hasn’t spread to other computers. To do this, search for a copy of the ransomware on the infected computer. Then quickly scan it to identify its indicators of compromise (IOCs), that is, the indicators of its local presence on the victim (e.g. ransomware hash, registry keys created/deleted/modified, processes started, etc.). Next, scan your entire network to identify and isolate any computers on which the ransomware IOCs are found. Often, we find a copy of the ransomware on other servers, allowing us to quickly isolate them and prevent them from being infected.
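A per-host sweep for the file-hash IOC described above, as an added example that is not StreamScan's tooling. It assumes the IOC is built from the recovered copy as a (size, SHA-256) pair so that only files of the matching size are hashed; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so large files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def ioc_from_sample(sample_path):
    """Build a (size, sha256) IOC from the copy recovered on the victim."""
    return (os.path.getsize(sample_path), sha256_file(sample_path))

def sweep(root, iocs):
    """Return (hits, unreadable). Unreadable paths need manual review:
    a locked file can be the sample that is currently running."""
    sizes = {size for size, _ in iocs}
    digests = {digest for _, digest in iocs}
    hits, unreadable = [], []
    on_error = lambda err: unreadable.append(err.filename)
    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # Cheap size check first; hash only the candidates.
                if os.path.islink(path) or os.path.getsize(path) not in sizes:
                    continue
                if sha256_file(path) in digests:
                    hits.append(path)
            except OSError:
                unreadable.append(path)
    return sorted(hits), unreadable

def demo():
    # Constructed stand-in bytes for the recovered sample (not malware).
    payload = b"constructed-sample-bytes" * 100
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "share")
        os.makedirs(share)
        files = {os.path.join(root, "recovered_sample.bin"): payload,
                 os.path.join(share, "dropped_copy.bin"): payload,
                 os.path.join(share, "same_size_decoy.bin"): b"x" * len(payload)}
        for path, data in files.items():
            with open(path, "wb") as f:
                f.write(data)
        sample = os.path.join(root, "recovered_sample.bin")
        hits, unreadable = sweep(share, [ioc_from_sample(sample)])
        return [os.path.basename(p) for p in hits], unreadable
```

Any host that returns a hit, or unreadable paths it cannot account for, is a candidate for isolation.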

If you don’t find a copy of the ransomware on the victim, here’s how you should proceed: plug the infected machine into a switch, then capture and analyze its network traffic to identify the ransomware's network indicators of compromise (network IOCs). At StreamScan, we subject the captured network traffic to our CDS Cyber Threat Detection technology, which generates security alerts by analyzing it. Based on these alerts, we go back up the chain and retrieve information about the ransomware, and in some cases, we can even retrieve a copy of the ransomware externally.

*SIEM is not suitable for this type of verification.

6- Make sure the hacker is out of your network

As soon as you disconnect an infected machine, if the hacker is still in your network, he may pick up the pace to maximize the damage. The best way to ensure that the hacker is out of your network is to plug an Intrusion Detection System (IDS/IPS like our StreamScan CDS) into your network perimeter and observe suspicious behaviour. If you spot anything unexpected, block the appropriate network ports in your firewall. At that point the hacker will be cut off from your network.

7- Rebuild and harden your systems

Computers infected with ransomware need to be rebuilt from scratch. Also, make sure you protect the rebuilt machines by applying system hardening measures (download free of charge from https://www.cisecurity.org/). After hardening, you must reinstall your applications, harden them too, and then apply all security patches. Then restore your data from backups if you have them. If not, we strongly advise you to not pay the ransom, but in the end, it remains a business decision.

Caution: Avoid creating unnecessary conflicts with the hacker. Be smooth, neutral, even conciliatory. Reprimands can lead to a higher ransom. If necessary, seek help. A good negotiation can significantly reduce the ransom amount.

In an upcoming post, we’ll discuss the art and science of negotiating ransom payments.

8- Check if the ransomware has exfiltrated your data

An exfiltration check is an absolute must for any ransomware attack in 2021. Data exfiltration is part of the base functionality of the current generation of ransomware. Some organizations are tempted to bury their heads in the sand, but it is always better to know if the data has been stolen to prepare yourself to manage the situation (inform the authorities, users, etc.). Otherwise, if the hacker decides to make your data public, you risk making the headlines.

This verification is done by analyzing a copy of the ransomware in a lab environment. The analysis is carried out by infecting a new device and analyzing the network communications (traffic) it generates via tools such as Wireshark or Tshark. If it exfiltrates data, you’ll see it. But the fastest way is to use an IDS. At StreamScan, we do this by subjecting the network traffic to our CDS technology, which will generate the alerts and a network file (PCAP) that will contain the exfiltrated traffic.

If the ransomware doesn’t exfiltrate any data, you’ll get a confirmation.
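One way to triage the lab capture with Tshark output, as an added example that is not StreamScan's CDS logic: it sums bytes per external peer and flags peers that received far more from the lab victim than they sent back. The capture name, the victim address, the sample rows and the thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Rows as exported by:
#   tshark -r lab.pcap -T fields -e ip.src -e ip.dst -e frame.len
# (lab.pcap is a placeholder). Constructed sample; victim is 192.168.56.10.
SAMPLE = "\n".join(
    ["192.168.56.10\t192.168.56.1\t74",            # internal DNS query
     "\t\t60",                                       # non-IP frame: empty fields
     "192.168.56.10\t198.51.100.7\t66",             # small request...
     "198.51.100.7\t192.168.56.10\t1514"]           # ...answered by a download
    + ["192.168.56.10\t203.0.113.50\t1514"] * 40    # sustained upload
    + ["203.0.113.50\t192.168.56.10\t66"] * 5)      # bare ACKs coming back

# RFC 1918 ranges count as internal; every other address is external.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)      # raises ValueError on bad input
    return any(ip in net for net in INTERNAL)

def external_volumes(rows, victim):
    """Per external peer: [bytes sent by victim, bytes received from peer]."""
    vol = defaultdict(lambda: [0, 0])
    for line in rows.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        try:
            size = int(parts[2])
            src_in, dst_in = is_internal(parts[0]), is_internal(parts[1])
        except ValueError:
            continue    # non-IPv4 frames or fields holding several addresses
        if parts[0] == victim and not dst_in:
            vol[parts[1]][0] += size
        elif parts[1] == victim and not src_in:
            vol[parts[0]][1] += size
    return dict(vol)

def suspected_exfil(rows, victim, min_bytes=50_000, ratio=10):
    """Peers that received a lot from the victim and sent little back."""
    volumes = external_volumes(rows, victim)
    return sorted((peer, sent, recv) for peer, (sent, recv) in volumes.items()
                  if sent >= min_bytes and sent > ratio * recv)
```

The flagged peers are where to start reading the PCAP; the byte thresholds need tuning to the size of the decoy data placed on the lab device.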

9- Post-Incident monitoring and return to normal operations

When your systems are repaired and data restored, you can return to normal operations. We strongly recommend you implement post-incident monitoring on repaired machines for at least a few days to ensure that they are no longer being targeted.

At StreamScan, we do post-incident monitoring with our CDS technology. In one fell swoop, it allows us to detect the intrusions that target you and, in the event of an incident, it serves to accelerate the investigation, find and remove the hacker from the network. It also allows you to monitor your rebuilt systems to ensure that they are secure.

10- The best solution: prepare upstream, shield your network and monitor it

Experiencing a security incident is not a pleasant situation. Some companies even have to deal with the damage associated with media coverage of their case. Ransomware is a major risk and will continue to claim victims in the years to come. Here are our top tips on how to protect yourself:

  • Back up your data and verify those backups regularly
  • Deploy a computer intrusion detection system such as StreamScan's CDS
  • Monitor the security of your network. If you don't have an internal cybersecurity team, an outsourced monitoring service can help (StreamScan's MDR service). Security monitoring should be your top priority
  • Reinforce the security of your network (system hardening)
  • Manage security vulnerabilities in your network
  • Educate your users on cybersecurity risks and good practices
  • Define an incident response plan and test it at least once a year

One Final Piece of Advice

For those who still think they are safe from hackers and this is someone else’s problem, keep the StreamScan Incident Response Team's phone number handy: 1-877-208-9040. Just in case.