In the past few years, the number and complexity of ransomware attacks have increased significantly. More and more ransomware families, including REvil, Sodinokibi, and Maze, attack both big and small businesses. For example, Acer recently faced a $50 million ransom demand. Hackers manage to remain anonymous and know how to minimize the risk of getting caught while receiving huge ransom payments.
Let us imagine there is a problem with one of your servers. You go to the management console and see: “Attention! All your files have been encrypted!”
What are your first steps in responding to an attack?
The first reaction of most users and sometimes even administrators is to try to figure it out by themselves.
They restart the workstation, try to remove the ransomware on their own, etc. If the ransom amount is small, then users or administrators try to pay the ransom, hoping they will be able to recover the data. However, such actions may lead to even greater problems.
Let us consider the main steps that need to be taken after detecting the ransomware attack.
- Detection of the virus. An employee of your organization or server administrator reports the problem to the technical support department.
- Investigation. It is necessary to determine the type of ransomware, the method of infection, and the scope of infection, as well as the speed and methods of its propagation within the network.
- Prevention of subsequent infection of other servers and workstations, isolation, and blocking of infected nodes.
- Recovering servers and data after infection.
- Constant communication with the business owners and the outside world in the event the problem is really serious and threatens the continuity of the business or user data.
What should a user do when they see ransomware?
1. Do not panic, and act as quickly as possible.
2. Without turning off the computer, disconnect it from the network as soon as possible.
3. Take a picture of the screen with your phone, including the ransom note and the encrypted files.
4. Write down all actions that could have led to the infection, including answers to the following questions:
- Have you noticed any oddities in the behavior of the computer or programs before the infection?
- What did you do before you discovered the infection? (Worked with files, external media, network folders, opened emails, clicked on attachments or links, etc.)
- What are the signs of the virus infection?
- What networks were you connected to at the time of infection? (home network, public Wi-Fi, VPN, etc.)
- What operating system is used on the computer, and how long has it been since the last update?
- What text, HTML, or other files and pages get opened after data encryption?
- What is your computer’s network name?
- What user account were you using?
- What data do you have access to?
- To whom did you report the incident, and in what form?
5. Contact the technical support department and hand over all information about the incident.
6. Help the technical support team with prompt and, most importantly, the most honest answers to questions. This will save time and effort in blocking malware and possibly make it easier to recover important data and systems.
The actions of the technical support team, in this case, include the collection of the most reliable information from the user who noticed the attack.
It is important to communicate with the user calmly and constructively, since the user is most likely facing such a situation for the first time. They are scared and confused, do not know what to do, and their wrong actions can in some cases aggravate the situation.
First, you need to identify the type of ransomware. For this, you need to collect as much information as possible:
- Screenshots of the graphical interfaces of malware.
- A list of the text files, HTML pages, and image files that are opened or placed on the desktop by the ransomware after data encryption.
- Any alerts or messages that appear when you try to open encrypted files.
- Email addresses or other contact details located in encrypted files, messages, and ransom notes.
- Types of digital currencies required and payment addresses.
- The language used in the messages.
- Encrypted file extensions and the renaming scheme (.cry, .crypted, .locked, etc.).
- Types of encrypted files.
- Which account type was used at the time of the attack: user, admin, service?
After identifying the type of malware, collect all possible technical indicators of it (process names, established network connections, file names and hashes, accounts, sender addresses of the emails involved, C&C server addresses, etc.). This information can be obtained either from published descriptions of the ransomware or from a deeper analysis of a sample.
In the course of the analysis, the vectors of infection and “patient zero” should also be identified to promptly limit the further spread of the ransomware. The main vectors of propagation can be:
- Exploitation of network vulnerabilities.
- Remote access protocols (RDP and others).
- Email attachments and links.
- Infection through files and documents (external devices, network folders).
- Delivery as the payload of other malware, for example through dedicated rogue downloaders.
The spread of ransomware often occurs automatically, but there are situations of semi-manual data encryption and subsequent extortion. This happens when an attacker penetrates the network and launches the appropriate encryption program manually.
Next, it is necessary to determine the scope of infection. For this, you can use network protection tools, antivirus, or other tools for monitoring servers and workstations to determine on which nodes signs of compromise were detected.
With the help of firewall, DNS, and proxy server logs, you can see which processes or files tried to connect to external C&C servers or attempted a mass infection within the network. SIEM systems are extremely useful here: they allow you to quickly analyze a large number of events and create rules for monitoring and detecting newly infected nodes.
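Two of the detection rules described above, applied to constructed firewall log lines: one flags hosts that contacted a C&C indicator, the other flags hosts fanning out over SMB to many peers in a short window. This is an added example, not code from the original article; the log format, the indicator list, and the addresses are assumptions made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder indicators: in a real case they come from the ransomware write-up.
CNC_INDICATORS = {"198.51.100.23", "c2.example.invalid"}
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"dport=(?P<dport>\d+) action=\w+$")
# Constructed sample firewall lines (reserved example addresses only).
SAMPLE_LOGS = """\
2024-03-01 09:00:01 src=10.0.1.15 dst=198.51.100.23 dport=443 action=allow
2024-03-01 09:00:05 src=10.0.1.15 dst=10.0.1.20 dport=445 action=allow
2024-03-01 09:00:06 src=10.0.1.15 dst=10.0.1.21 dport=445 action=allow
2024-03-01 09:00:07 src=10.0.1.15 dst=10.0.1.22 dport=445 action=allow
2024-03-01 09:00:08 src=10.0.1.15 dst=10.0.1.23 dport=445 action=allow
2024-03-01 09:00:09 src=10.0.1.15 dst=10.0.1.24 dport=445 action=allow
2024-03-01 09:05:00 src=10.0.1.40 dst=10.0.1.5 dport=445 action=allow
2024-03-01 09:06:00 src=10.0.1.40 dst=203.0.113.9 dport=443 action=allow
"""


def parse(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            d["dport"] = int(d["dport"])
            yield d


def cnc_contacts(events):
    """Rule 1: internal hosts that reached a known C&C indicator."""
    return sorted({e["src"] for e in events if e["dst"] in CNC_INDICATORS})


def smb_fanout(events, threshold=5, window=timedelta(seconds=60)):
    """Rule 2: hosts opening SMB (445) sessions to >= threshold distinct
    peers within one window, the signature of automated lateral spread."""
    per_src = defaultdict(list)
    for e in events:
        if e["dport"] == 445:
            per_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = []
    for src, hits in per_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            peers = {dst for t, dst in hits[i:] if t - t0 <= window}
            if len(peers) >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)
```

Both rules return host lists, so they can be fed straight into the isolation step; 10.0.1.40 touching a single file server is normal traffic and is not flagged.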
Antivirus tools should be used on workstations and servers. Most modern solutions allow you to quickly add rules for searching processes and hashes of executable files being launched.
It is also necessary to determine what data was affected by the infection: user data, data in the DBMS, configuration files, etc. To do this, you can analyze events of mass file changes on nodes or in network folders made by one process or one group of accounts. For this, you can use dedicated utilities for working with file metadata or the file integrity monitoring mechanisms of the operating system.
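A small file-metadata triage tool for the scope determination described above, as an added example that is not part of the original article: it walks a directory tree, collects files carrying the renaming extensions the page names, finds ransom notes, and groups modification times into bursts so a responder can see which folders were encrypted and when. The ransom-note filename and the sample tree are constructed for the demonstration.

```python
import os
import tempfile
import time

# Extensions named on the page; extend from the ransom note or vendor write-up.
SUSPICIOUS_EXT = {".cry", ".crypted", ".locked"}
# Constructed ransom-note filename used by the sample tree below (assumption).
RANSOM_NOTE_NAMES = {"HOW_TO_DECRYPT.txt"}


def scan_tree(root, burst_window=60):
    """Return (suspicious_paths, note_paths, bursts).

    bursts is a list of (burst_start_mtime, count): suspicious files whose
    mtimes lie within burst_window seconds of the burst start are grouped,
    because one process encrypting a folder leaves one tight cluster."""
    suspicious, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTE_NAMES:
                notes.append(path)
            elif os.path.splitext(name)[1].lower() in SUSPICIOUS_EXT:
                suspicious.append((os.stat(path).st_mtime, path))
    suspicious.sort()
    bursts = []
    for mtime, _ in suspicious:
        if bursts and mtime - bursts[-1][0] <= burst_window:
            bursts[-1] = (bursts[-1][0], bursts[-1][1] + 1)
        else:
            bursts.append((mtime, 1))
    return [p for _, p in suspicious], notes, bursts


def build_sample_tree():
    """Constructed sample: one untouched file, two files encrypted within
    seconds of each other plus the note, and one older renamed file."""
    root = tempfile.mkdtemp(prefix="rw_triage_")
    os.makedirs(os.path.join(root, "finance"))
    now = time.time()
    for rel, mtime in [("readme.txt", now - 86400),
                       ("finance/q1.xlsx.locked", now - 30),
                       ("finance/q2.xlsx.locked", now - 20),
                       ("finance/HOW_TO_DECRYPT.txt", now - 19),
                       ("old.docx.crypted", now - 7200)]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample")
        os.utime(path, (mtime, mtime))
    return root
```

Running `scan_tree(build_sample_tree())` returns three suspicious files, one note, and two bursts (the older lone file and the two-file cluster in the finance folder); on a real share, point `scan_tree` at the mount and raise `burst_window` to match the observed encryption speed.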
For business owners to decide on further actions, it is necessary to determine the degree of influence of the infection on business processes and data.
Containment and prevention of further propagation
It is important to try to contain the infection in parallel with running the investigation in order to reduce the possible consequences. However, it should be borne in mind that the wrong course of action can make the situation worse.
Therefore, it is advised to have a ready-made action plan for all employees of the organization in the event of a massive infection. The closest analogy is testing fire alarm evacuation procedures when all employees know what to do and where to run.
All tasks related to limiting the spread of malware should be handled in order of priority, since this part of the work limits the number of affected resources.
The main protection mechanism, in this case, is the isolation of infected systems from critical systems.
Cleaning up and rebuilding infrastructure
Before carrying out operations to restore the infrastructure, you must make sure that the further spread of malware is impossible.
It is important to make sure in advance that the organization has effective procedures for data recovery and deployment of servers and workstations.
To efficiently restore all processes, you also need to check if responsible employees know where the recent backups are located, if they can restore data correctly, and have all the necessary knowledge and tools for this. When restoring data and systems from backups, it is worth making sure they are not infected.
When data recovery from backups is impossible for whatever reason, you can try to restore system operation in other ways:
- Search for specialized utilities, ransomware decryptors.
- Send malware samples to security experts; perhaps specialists will be able to create a recovery program specifically for this ransomware.
- In exceptional cases, pay the ransom. However, it should be borne in mind that this does not guarantee a positive result: the attacker may no longer control the specific copy of the ransomware, the encryption may have been performed with errors, or the attacker may raise the price even after receiving the money.
What can be done to prevent or reduce the risks of ransomware infection, reduce the response time and restore the organization’s work after infection?
- Conduct regular backups of all important data. Use external media or servers or cloud storage systems that are isolated from the main infrastructure.
- Form a list of workers responsible for cybersecurity.
- Create procedures for the rapid detection and prevention of malware infections.
- Conduct training for technical specialists for the prompt collection of information about the infection.
- Conduct user training, ideally simulating real attacks.
- Regularly install security updates on workstations and servers.
- Use security software that can prevent infection.
- Organize interaction with antivirus laboratories and companies involved in the investigation of incidents.
Have you ever had any experience in dealing with ransomware attacks? How was that? What did you do right, or wrong? (we can always learn from our mistakes!). Do you have any tips you’d like to share with the community? Or do you have specific questions related to ransomware attacks?
Let us know in the comments below! We’d love to hear from you!