Step 1: Identify Resources
The first step in any incident is to activate your incident response plan and identify necessary resources to manage the incident. Consult with internal groups such as legal and communications to determine if they can assist. Designate resources across the organization’s IT groups to assist in incident response, from networking, server administration, database administration, end user support, and so forth, to ensure that containment and recovery tasks can be coordinated quickly and efficiently. If you have an incident response retainer consider activating it to call in professional support to augment internal security staff and help guide your response efforts.
Step 2: Identify Affected Devices
Identifying affected devices may involve a broader scope than identifying infections. Often infected devices will encrypt other assets, such as shared files, over the network. Simply isolating assets hosting encrypted files may not be enough to stop the spread of infections.
Ransomware typically calls out to a remote command and control server to communicate encryption keys. Use network-based security appliances, such as firewalls and proxies, and network traffic analysis, such as netflows, to pinpoint the location of infected devices.
Ransomware often infects systems via phishing messages or malicious websites. Search email security appliances and email logs to find evidence of the ransomware’s entry into the organization. Search web proxy and firewall traffic logs for alerts of ransomware activity.
Use host based investigative tools, such as PowerShell and EDR technology, to identify artifacts of malware. This can include identifying file extensions associated with the ransomware or even the malware itself.
Ransomware often propagates over the network. Be sure to check VPN logs or other connections to remote sites. Contact vendors and partners to determine if they have been affected by ransomware and to look for clues about the ransomware’s introduction and propagation in the organization.
Look at the file permissions on infected files. Files that are encrypted may present user account details about the user who last accessed the file. Typically, ransomware will utilize the credentials of a user on the infected source machine to encrypt remote files. Identify user accounts associated with encrypted files and track assets used by those user accounts.
Try and identify the earliest evidence of the ransomware on your network. Identifying this information and creating a timeline of infection, combined with assets and user accounts affected, can assist in recovery and with later root cause analysis.
Step 3: Gather Intelligence
Once you have found malicious executables or other indicators of compromise (IoC) associated with the malware, research those IoC and reach out to trust communities to search for pre-existing analysis of the ransomware strain. Often times public analysis from anti-malware and security research companies is available and contains guidance and insight into recovery from particular strains of ransomware. In extreme cases a decryption key may be available for the ransomware.
Step 4: Contain the Outbreak
Disable user accounts associated with the ransomware. Adjust permissions on file shares to ensure that there are no openly writable shares accessible in the organization. Overly permissive permissions on file shares greatly increases the blast radius of ransomware.
Isolate systems that have been found to be infected with ransomware. This may not include all devices affected by the ransomware. For instance, file servers whose shared files have been encrypted may not actually be infected by the ransomware and will not propagate further attacks. Once infected systems have been identified, have them removed from the network.
Try to determine if ransomware exploited a known vulnerability. When re-imaging systems after isolation, ensure that the new image contains a patch for any vulnerability used to propagate the ransomware.
Update firewall and proxy filter rules to block IP addresses associated with the ransomware. This can help contain infection if any systems are not successfully identified. Create rules to alert security staff immediately if further systems are blocked attempting to access locations associated with the ransomware.
Update anti-malware software with definitions to identify the ransomware. Coordinate with your vendor to ensure that the ransomware can be detected and blocked.
Consider isolating portions of the network if possible, such as temporarily taking down VPN connections or severing links until the ransomware outbreak is contained. Ransomware spreads extremely quickly and it is unlikely that links can be severed to prevent an outbreak, but isolation will help prevent re-infection if containment is not complete.
Step 5: Recover
Once infected systems have been removed from the network begin recovery and restore encrypted files from backup. Be sure to perform this restoration incrementally and carefully monitor the restored systems. If newly restored files from backup become encrypted again then isolation efforts have not been successful. If this occurs return to the previous step.
Return re-imaged devices to the network. Again, perform this step in a measured, methodical, and monitored fashion. Ensure that newly redeployed assets aren’t re-infected or impacted by ransomware that might still be lurking on the network.
Step 6: Root Cause Analysis
Once you have recovered from a ransomware attack be sure to examine the root cause of the infection. Review security posture and adjust remote access policies, firewall and proxy settings, file share permissions, user access permissions, privileged accounts, anti-malware products, and security logging and alerting to ensure that future instances of ransomware can be identified and contained rapidly and effectively.
Evaluate the organizational security posture to identify gaps that could be exploited. Review cyber insurance to identify opportunities to mitigate future ransomware outbreaks. Evaluate any incident response retainers to ensure that professional help is readily available in a crisis where internal security staff might be overwhelmed.