Hello, and welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today we continue the series of TomCasts on Ransomware. This particular TomCast is going to focus on responding to a Ransomware attack or infection. There are helpful artifacts that can help you or your organization in the case of Ransomware infection; check out https://github.com/guardsight.
There is a repository on that site that contains playbook battle cards. These PBCs (as they are known) contain helpful steps that can assist in responding to these types of infections or attacks. The PBC for Ransomware specifically is GSPBC-1000 (which can be found on that site).
Throughout this TomCast we will be referring to that PBC as well as other helpful resources in an effort to guide you, the listener, through a response to a Ransomware attack or infection. As with most incidents, we will be following portions of the PICERL model. If you are not familiar with that model, go to https://guardsight.com/tomcast and look for the very first TomCast we made; it outlines the PICERL model, which stands for Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned (or opportunities for improvement).
So, let’s jump in. You or your organization has been infected with Ransomware. What do you do? Well, let’s start quickly with what NOT to do: do not shut down the system that has been infected or that is displaying the Ransomware messages or warnings (powering it off destroys the volatile evidence in memory that you will want to capture). Also, during the response process make CERTAIN you document everything you possibly can. More on what to document in a few.
Isolate the infected system and the compromised section or sections of the network so the infection cannot spread any further. Isolate any impacted file-sharing systems, and fortify any non-impacted file-sharing systems and other non-impacted critical assets.
Secure your backups by taking them offline; be certain they are not infected with malware prior to taking them offline! Use out-of-band communication methods; on a compromised network you do not want to risk spreading the infection through your collaboration tools. Issue perimeter enforcement for known threat-actor locations, then deploy endpoint detection and response (otherwise known as EDR) agents that can terminate any infected or offending processes.
Remember a minute or so ago when I said document everything? Make sure to document the ransomware variant name and type; the systems that were impacted; all emails that came through the system, along with their attachments, if the source was a phish; copies of all files, including any executables that may have been dropped onto the impacted systems; any domains or IP addresses the system was communicating with immediately prior to the infection; any virtual currency (or cryptocurrency) addresses where payments were being requested; all forensic analysis or incident response reports that have been filled out; any memory captures taken during the execution of the malware; the status of the infection; and the network topology.
Quite a lot, yes? That is not even a complete list, but it is all necessary. Also, collect all available log information. Change online account and network passwords once the impacted systems are removed from the network. All of that is part of identification and containment, the I and C of the PICERL model.
Moving forward to eradication, close the attack vector! Patch your vulnerable assets and re-image any impacted assets. Inspect all of your assets for indicators of compromise that are consistent with the attack profile, and inspect all user activity for those same indicators.
Remember a little bit ago when we mentioned securing your backups? Inspect those for indicators of compromise BEFORE you use them for system recovery. No one wants to restore a system only to find out they restored an infected one and have to go through the entire process all over again.
Make certain you implement newly obtained threat signatures if your endpoint detection and response solution is signature-based. Eradication is the removal of the threat or infection from your environment, so each one of these steps is not only necessary but vital to success.
Moving on to recovery, restore from the inspected, clean backups. If they are not clean, do NOT restore from them! Also address any collateral damage at this point. Recovery is the stage where you or your organization get back to business as usual.
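To make the eradication and recovery steps above concrete, here is an added example (not GuardSight's code and not part of the GSPBC-1000 playbook) that takes the documented indicators from the incident record, sweeps the collected logs and a backup's file manifest for them, and holds the restore if the snapshot postdates the first logged contact or contains a known dropped file. The incident record, indicator values, hostnames, log lines, timestamps and manifests are all constructed; the snapshot-age rule is this example's own heuristic, not something the playbook prescribes.

```python
"""Gate a ransomware restore on an indicator-of-compromise sweep.

Added example, not GuardSight's code and not part of the GSPBC-1000 playbook.
Everything below (incident record, indicators, log lines, backup manifests,
hostnames, timestamps) is constructed for the example.
"""
import hashlib
import re
from datetime import datetime

# Stand-in bytes for a dropped executable, so the hash is computed, not invented.
DROPPER_BYTES = b"constructed stand-in for a dropped executable"

# Constructed incident record in the shape the TomCast says to document.
INCIDENT_RECORD = {
    "variant": "HYPOTHETICAL-LOCKER",
    "impacted_systems": ["ws-017", "fs-02"],
    "contact_domains": ["updates.example.invalid"],  # reserved TLD, never resolves
    "contact_ips": ["203.0.113.45"],                 # TEST-NET-3 documentation range
    "dropped_file_sha256": [hashlib.sha256(DROPPER_BYTES).hexdigest()],
    "payment_address": "PLACEHOLDER-WALLET-ADDRESS",
}

def build_ioc_set(record):
    """Normalise the documented indicators into lowercase lookup sets."""
    return {
        "domains": {d.lower() for d in record["contact_domains"]},
        "ips": set(record["contact_ips"]),
        "hashes": {h.lower() for h in record["dropped_file_sha256"]},
    }

# Constructed log format: "<ISO-8601 timestamp> <host> <event> <value>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s+(?P<value>\S+)$")

def scan_logs(lines, iocs):
    """Return (timestamp, host, indicator) for every log line that touches an IoC."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable lines go to manual review rather than being guessed at
        value = m.group("value").lower()
        if value in iocs["domains"] or value in iocs["ips"]:
            hits.append((datetime.fromisoformat(m.group("ts")), m.group("host"), value))
    return hits

def scan_backup(manifest, iocs):
    """Return manifest entries whose SHA-256 matches a documented dropped file."""
    return [entry for entry in manifest if entry["sha256"].lower() in iocs["hashes"]]

def restore_decision(snapshot_time, manifest, log_lines, iocs):
    """Decide whether a backup snapshot may be restored.

    Two checks, both heuristics of this example: the snapshot must predate the
    first logged IoC contact, and it must contain no file whose hash matches a
    documented dropped file. Returns (allowed, reasons).
    """
    reasons = []
    log_hits = scan_logs(log_lines, iocs)
    if log_hits:
        first_contact = min(ts for ts, _, _ in log_hits)
        if snapshot_time >= first_contact:
            reasons.append(f"snapshot {snapshot_time.isoformat()} is not older than "
                           f"first IoC contact at {first_contact.isoformat()}")
    for entry in scan_backup(manifest, iocs):
        reasons.append(f"known-bad hash in backup: {entry['path']}")
    return (not reasons, reasons)

# --- constructed sample data ---
SAMPLE_LOG_LINES = [
    "2024-03-04T08:55:10 ws-017 dns_query intranet.corp.example",
    "2024-03-04T09:12:00 ws-017 dns_query updates.example.invalid",
    "2024-03-04T09:15:42 ws-017 tcp_connect 203.0.113.45",
    "this line is corrupted and will be skipped",
    "2024-03-04T09:40:03 fs-02 file_rename /share/q1-report.xlsx.locked",
]

def _entry(path, content):
    return {"path": path, "sha256": hashlib.sha256(content).hexdigest()}

CLEAN_MANIFEST = [_entry("/share/q1-report.xlsx", b"benign spreadsheet bytes")]
DIRTY_MANIFEST = CLEAN_MANIFEST + [_entry("/share/updater.exe", DROPPER_BYTES)]
GOOD_SNAPSHOT = datetime(2024, 3, 3, 22, 0, 0)  # nightly backup before first contact
LATE_SNAPSHOT = datetime(2024, 3, 4, 23, 0, 0)  # taken after the infection began

if __name__ == "__main__":
    iocs = build_ioc_set(INCIDENT_RECORD)
    for label, snap, manifest in [("good/clean", GOOD_SNAPSHOT, CLEAN_MANIFEST),
                                  ("late/clean", LATE_SNAPSHOT, CLEAN_MANIFEST),
                                  ("good/dirty", GOOD_SNAPSHOT, DIRTY_MANIFEST)]:
        allowed, reasons = restore_decision(snap, manifest, SAMPLE_LOG_LINES, iocs)
        print(label, "RESTORE" if allowed else "HOLD", reasons)
```

The point of the design is that the same record you were told to build during identification drives both the eradication sweep and the recovery gate: a restore only proceeds when the snapshot is older than the first sighting of any documented indicator and none of its files hash to a documented dropped file; anything else is held for a human to look at.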
So, as we move into the Lessons Learned part of the PICERL model, what do you think some valuable lessons are here? This has been a simulated response plan, so you haven’t actually been faced with this problem (or maybe you have).
Think about your specific scenario for a moment, or think about the security posture within your organization. Do you or your organization have a vulnerability management program or plan? Do you patch known vulnerabilities regularly, keeping your system or systems up to date? Or do you postpone those patches because you don’t think you can afford the downtime with all the work you have going on?
Have you or your organization gone through cyber awareness training? Could you, or members of your organization, recognize a phishing attempt if one showed up in your inbox? Or do you rely on your IT department or internet service provider to filter out malicious emails and files? These questions need to be answered honestly and transparently so you or your organization can understand how to combat Ransomware.
Stay tuned; TomCast XXII will discuss how to do your part in the prevention of a Ransomware attack or infection!
We here at GuardSight thank you for taking the time to listen to this TomCast. Please share this if you believe it would be of assistance to anyone in your contact list, and please provide us some feedback in the comments so we can continue to improve. Thanks!