Battle-Tested Ways to Respond to a Ransomware Attack

Ransomware attacks have taken businesses by storm. Make sure you have an incident response plan that involves timely detection, backups, well-thought-out system recovery techniques, etc.

Ransomware attacks have taken the enterprise world by storm in the past few years. SMBs and high-profile corporations are on the receiving end of destructive cyber-raids orchestrated by the operators of REvil, Ryuk, Clop, Maze, SunCrypt, and a handful of other notorious strains.

With prosperous businesses in the crosshairs of these crooks, the ultimatums have become truly shocking. In March 2021, multinational electronics maker Acer found itself faced with a $50-million ransom demand. Malefactors have learned to obscure the money trail and get away with their crimes even after receiving huge payouts from victims.

Now, imagine the following scenario: you discover that one of your servers is acting up, access the admin dashboard to find out what happened, and see a scary alert that says, “All your data has been encrypted!”

Early incident response done right

When hit by ransomware, most users and system admins try to sort things out on their own. They reboot the contaminated machine, terminate suspicious processes, try to eradicate the harmful program, and look for free decryption tools on the Internet. If the ransom is affordable, some victims choose to pay for data recovery.

However, this course of action might be risky business. Instead, it is recommended to stick with the following workflow:

  1. Detection. The employee who discovers the incident immediately reports it to the tech team.
  2. Investigation. At this point, security professionals identify the ransomware strain and determine the original entry point, the scope of affected digital assets, as well as the way the harmful code is spreading inside the enterprise network.
  3. Thwarting further propagation. IT staff isolates the breached workstations and servers from the rest of the network and hardens the protection of unaffected nodes by closing security gaps unveiled in the previous step.
  4. Recovery. This stage involves reinstating data from a backup and re-launching the compromised servers.
  5. Uninterrupted communication. The company needs to keep partners and customers informed about the risks in case the attack has impacted critical business processes and sensitive data.

What should a user do after spotting a ransomware onslaught?

Extortionists often target specific employees through spear-phishing attacks and then exploit the infected devices to extend their reach inside the network. Therefore, the role of a user in dodging the cyber-disaster is paramount. Here is a summary of the actions that the manipulated person should take immediately:

  1. Do not panic. Self-organization matters a lot because it is a prerequisite for curbing the rapid propagation of predatory code throughout the enterprise infrastructure.
  2. Bring the plagued computer offline. It is important to avoid turning off the machine. Just disconnect it from the network.
  3. Collect some evidence. Use your phone to take a picture of the ransom note, a few encrypted files, and any alerts displayed on the screen.
  4. Figure out how you slipped up. A great way to determine the infection vector is to answer the following questions:
  • Have you observed any anomalous behavior of the device or applications prior to the breach?
  • What were you doing right before the attack occurred? Perhaps you were working with Microsoft Office documents, removable storage devices, network directories, or emails.
  • What are the symptoms of the attack?
  • What networks was your computer connected to when ransomware struck? A few examples are public Wi-Fi, home network, corporate network, and VPN.
  • What operating system is your computer running? When was the last time you updated it?
  • Did any *.txt or *.html files automatically pop up on your screen once the data became scrambled with a cipher? What are the names of these files? This information helps identify the ransomware lineage.
  • What is the network name of your device?
  • What user account were you logged into at the time of infection?
  • What corporate data are you allowed to access?
  • Who did you report the attack to? How did you do it?
  5. Get in touch with the IT department. Provide all details about the incursion.
  6. Don’t be afraid to admit a mistake. Cooperate with colleagues from the tech support team by providing honest answers to all their questions. This is hugely important because relevant information will give them actionable insights into the source of the assault as well as the ways to prevent further damage and get the affected systems back on track.

It is worth emphasizing that the organization’s security experts should maintain positive, non-threatening communication with the user who may have never encountered a predicament like this before. Otherwise, the employee may get confused and provide inaccurate answers, which will hamper the investigation.

Case study

Determining what family the ransomware represents is half the battle. It will provide the big picture regarding the most effective removal approach and the chances of data recovery. The following evidence will point you in the right direction:

  • Screenshots of the alerts or warning desktop wallpapers shown to the victim.
  • Newly added files in plaintext or HTML formats that contain ransom instructions.
  • Error messages that pop up when you try to open encoded files.
  • Extortionists’ contact details (mostly email addresses) listed in the ransom notes, alerts, or other user interaction elements.
  • Cryptocurrencies accepted by the attackers (Bitcoin, Monero, Ethereum, etc.) and payment addresses.
  • Extensions appended to encrypted files (*.locked, *.encrypted, *.lockbit, etc.).
  • Formats of targeted files.
  • The type of the compromised user account (regular user, administrator, or service account).

There are specially crafted online portals such as ID Ransomware that will help identify the strain quickly. It is also a good idea to upload the sample to HybridAnalysis or VirusTotal for additional details.

Once you determine what type of ransomware you are dealing with, be sure to collect all indicators of compromise (IOCs) such as executables, file hashes, network connections, Command & Control (C2) server URLs, and email addresses the malefactors have used to contact you.
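The two pieces of evidence above that lend themselves to automation are the extension appended to encrypted files and the ransom note dropped into every directory. The following added triage script (not part of the original post or of any product it names) walks a file share, tallies suspected appended extensions, and reports note files whose identical content appears in several directories, together with their SHA-256 so the hash can go straight into the IOC list. The directory layout, file names and note text are constructed sample data.

```python
import hashlib
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Suffixes treated as ordinary document types; a file such as "report.xlsx.locked"
# whose outer suffix is NOT in this set is counted as carrying an appended extension.
NORMAL_SUFFIXES = {".docx", ".xlsx", ".pdf", ".txt", ".html", ".jpg", ".png", ".sql"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(root, min_dirs=3):
    """Tally appended extensions and find ransom-note candidates under `root`."""
    ext_counter = Counter()
    note_dirs = defaultdict(set)   # content hash -> directories containing it
    note_names = defaultdict(set)  # content hash -> file names it was dropped as
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        sfx = [s.lower() for s in path.suffixes]
        if len(sfx) >= 2 and sfx[-1] not in NORMAL_SUFFIXES and sfx[-2] in NORMAL_SUFFIXES:
            ext_counter[sfx[-1]] += 1
        elif path.suffix.lower() in {".txt", ".html"}:
            # Identical text dropped into many directories is the typical ransom note
            digest = sha256_file(path)
            note_dirs[digest].add(str(path.parent))
            note_names[digest].add(path.name)
    notes = [{"sha256": d, "names": sorted(note_names[d]), "directories": len(dirs)}
             for d, dirs in note_dirs.items() if len(dirs) >= min_dirs]
    return {"appended_extensions": ext_counter.most_common(), "ransom_notes": notes}

def build_sample_tree():
    """Constructed sample tree mimicking a share after encryption (not real data)."""
    root = tempfile.mkdtemp(prefix="rw-triage-")
    note = b"All your data has been encrypted! Contact: attacker@example.invalid\n"
    for sub in ("finance", "hr", "projects/q1", "projects/q2"):
        d = Path(root, sub)
        d.mkdir(parents=True, exist_ok=True)
        (d / "README_TO_RESTORE.txt").write_bytes(note)
        (d / "budget.xlsx.locked").write_bytes(b"\x00\xffgarbage")
        (d / "notes.docx.locked").write_bytes(b"\x00\xffgarbage")
    Path(root, "finance", "policy.pdf").write_bytes(b"%PDF-1.4 intact")
    Path(root, "hr", "todo.txt").write_bytes(b"unrelated personal note\n")
    return root
```

Run `triage(build_sample_tree())` to see the constructed share produce one `.locked` extension tally and one note hash present in all four directories; point `triage` at a real mounted share to get the same report for an incident.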

It is also important to amass details about the infection vectors that were used to gain a foothold in your organization’s network. This way, you can pull the plug on the further influx of threats. Here are the common catalysts for ransomware distribution:

  • Known or zero-day network vulnerabilities.
  • Unsecured remote desktop services.
  • Booby-trapped email attachments and hyperlinks.
  • Network folders with crudely implemented access restrictions.
  • Secondary payloads dropped by another malicious program such as an info-stealing Trojan or a malware downloader.

In most scenarios, ransomware spreads autonomously according to a predefined logic in its code. However, sometimes threat actors implement the encryption routine and execute other modules of their predatory software manually. This happens when they establish remote access to the network and run arbitrary commands just like local users.

Another element of investigation is to assess the scale of the attack. Mainstream network monitoring and antivirus tools should allow you to figure out which servers and endpoints have been raided.

Firewalls, proxy servers, and DNS solutions will help you pinpoint the processes that attempt to set up connections with external C2 servers. Security information and event management (SIEM) systems are very helpful in this context. You can use them to sift through numerous events quickly and specify real-time monitoring rules to spot all infected devices.
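As an added illustration of the kind of monitoring rule this paragraph describes (example code, not from the original post or any SIEM product), the script below runs two rules over constructed proxy/firewall events: one matches destinations against the C2 indicators collected during the investigation, the other flags a host that opens SMB sessions to many distinct internal targets in a short window, which is how self-propagating ransomware looks in network logs. The indicator values, host names and log lines are all constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder IoCs (not real indicators) gathered during the investigation
C2_INDICATORS = {"update-check.example.invalid", "203.0.113.45"}

# Constructed proxy/firewall events: "timestamp host src_ip dst dst_port action"
SAMPLE_EVENTS = """\
2021-03-12T09:14:02 WS-FIN-07 10.10.4.17 update-check.example.invalid 443 ALLOW
2021-03-12T09:14:05 WS-FIN-07 10.10.4.17 10.10.4.21 445 ALLOW
2021-03-12T09:14:06 WS-FIN-07 10.10.4.17 10.10.4.22 445 ALLOW
2021-03-12T09:14:06 WS-FIN-07 10.10.4.17 10.10.4.23 445 ALLOW
2021-03-12T09:14:07 WS-FIN-07 10.10.4.17 10.10.4.24 445 ALLOW
2021-03-12T09:14:09 WS-FIN-07 10.10.4.17 10.10.4.25 445 ALLOW
2021-03-12T09:15:40 WS-HR-03 10.10.5.8 10.10.9.2 445 ALLOW
2021-03-12T09:16:01 WS-HR-03 10.10.5.8 10.10.9.3 445 ALLOW
2021-03-12T09:16:30 WS-ENG-11 10.10.6.30 203.0.113.45 443 DENY
"""

def parse(line):
    ts, host, src, dst, port, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "src": src,
            "dst": dst, "port": int(port), "action": action}

def c2_rule(events):
    """Hosts that tried to reach a known C2 indicator, even if the firewall denied it."""
    return {e["host"]: e["dst"] for e in events if e["dst"] in C2_INDICATORS}

def smb_fanout_rule(events, threshold=5, window=timedelta(minutes=2)):
    """Hosts opening SMB sessions to >= threshold distinct internal targets inside `window`."""
    by_host = defaultdict(list)
    for e in events:
        if e["port"] == 445 and e["dst"].startswith("10."):
            by_host[e["host"]].append(e)
    flagged = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):          # sliding window over sorted events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["dst"] for e in evs[start:end + 1]}
            if len(targets) >= threshold:
                flagged[host] = len(targets)
                break
    return flagged

def infected_hosts(log_text):
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    return sorted(set(c2_rule(events)) | set(smb_fanout_rule(events)))
```

`infected_hosts(SAMPLE_EVENTS)` yields the machines to isolate first; note that WS-ENG-11 is flagged even though its C2 connection was denied, because the attempt itself shows the host is already running the payload.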

The importance of classic antivirus software should not be underestimated. Most of these tools are potent enough to detect ransomware activity based on known signatures and behavior analysis.

One more step is to work out what data has been encrypted. Enterprise-focused ransomware typically zeroes in on user data, Database Management System (DBMS) records, and configuration files. Tools that inventory file metadata or monitor the integrity of operating system files will help you compile a list of all affected assets.

Senior executives should evaluate the scope of impact incurred due to the attack. This will become a foundation for creating a roadmap for further recovery and other actions related to business continuity.

Prevent ransomware from expanding the attack surface

When the investigation is underway, you should do your best to foil the infection so that it does not cause further damage. This is a delicate matter because a wrong tactic can aggravate the situation. With that in mind, make sure you have a clear-cut emergency plan all employees are familiar with.

It is important to prioritize the tasks geared toward restraining ransomware propagation. This will allow you to allocate the resources wisely and keep other business processes up and running. There is no need to reinvent the wheel here – your number one objective is to separate the “toxic” systems from other areas of the network.

Cleanup and recovery

Before you start restoring your IT infrastructure, ascertain that the malicious code has no chance to spread further. Otherwise, all your efforts will be futile. For a seamless recovery process, make sure that the responsible staff members know the location of the latest backups and have all the necessary expertise and tools to reinstate the data. Also, double-check if the systems you are about to restore are no longer infected.

If data recovery from backups is impossible for whatever reason, you can try several alternative methods:

  • Give forensic tools a shot. These applications may be able to retrieve previous versions of the files using the Volume Shadow Copy Service (VSS) or other resources.
  • Look for a decryptor. White hats have succeeded in cracking the ciphers applied by some ransomware samples. The above-mentioned ID Ransomware service will let you know if such free decryption software is available for the uploaded sample.
  • Submit your samples to security professionals. Experts will check the crypto implementation for flaws and might find a way to restore your files.
  • If nothing else helps, pay up. In case your data is too valuable to lose and the ransom isn’t high, this option could be worthwhile. Be advised, though, that you may never get your files back even after coughing up the money. Crooks may ask for more once they see that you are willing to cooperate. Furthermore, if the encryption is buggy, the decryption might be impossible. To top it off, trusting cybercriminals is a slippery slope.

How to stay safe?

The following tips will help you minimize the risk of falling victim to ransomware and decrease the response time if an attack happens:

  1. Make regular backups of the data that matters the most. Store them on hardware or cloud repositories separated from the main corporate infrastructure. It is hard to overestimate the value of cloud protection today. Alibaba Cloud Security Center offers an anti-ransomware feature to help customers defend against ransomware on the cloud.
  2. Create a list of employees responsible for cybersecurity.
  3. Enforce policies and procedures that ensure early detection and prevention of malware assaults.
  4. Set up a training program for IT personnel that covers techniques to gather comprehensive evidence about cybersecurity incidents.
  5. Conduct penetration tests to find weak links in your company’s security posture.
  6. Harden the protection of computers and servers on your network by applying security patches once they are available.
  7. Use trusted Internet security tools, including antivirus, VPN, and antispam solutions.
  8. Establish communication with companies specializing in cybercrime investigations.

Bear in mind that there is no such thing as absolute security. No matter how hard you may try to avoid ransomware, threat actors who think outside the box will keep coming up with infection mechanisms that slip under the radar. Therefore, make sure you have a plan B that involves backups, prompt incident response, and well-thought-out system recovery techniques.

About the Author

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
