Incident Response Playbook: Ransomware

Considered one of the most detrimental threats to businesses, government entities, and individuals, ransomware attacks have escalated significantly in both frequency and extortion money paid out over the recent years, making them a top challenge requiring continual vigilance.

Ransomware payments in 2023 surpassed the $1 billion mark, the highest ever observed - Chainanlysis

With headline-grabbing ransomware attacks targeting credit unions, insurance companies, and accounting firms in recent years, the importance of preparedness for such occurrences through a well-rehearsed and comprehensive incident response playbook cannot be overstated

What is a Ransomware attack?

CISA defines ransomware attacks as "an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable". What typically happens next is extortion from a malicious actor demanding a ransom in exchange for the decryption of those files. Sometimes these actors threaten to sell or leak the exfiltrated data if the ransomware isn't paid.

Over recent years, with the entrance of AI, ransomware has become more sophisticated, making it harder to spot, whether through a phishing attack using a well-constructed email or the use of voice and video alteration technology. These advancements have empowered cybercriminals to craft highly convincing messages to manipulate audiovisual content with unprecedented realism.

Additionally, RaaS otherwise known as Ransomware as a service marks a significant evolution in this area. Traditionally, developing and deploying ransomware required a high level of technical expertise, including proficiency in coding, encryption techniques, and network penetration. However, RaaS platforms have streamlined this process, providing aspiring cybercriminals with turnkey solutions for launching ransomware attacks, effectively lowering the barrier to entry, and enabling individuals with minimal technical skills to participate in cyber extortion schemes.

How To Prevent Ransomware Attacks:

Protecting against ransomware hinges on two crucial elements: maintaining consistent data backups and having a solid plan for handling data exfiltration. By having backups, you prevent being held hostage by extortionists since you possess duplicate copies of your data - the first part of the equation. Storing these backups offline or out-of-band is critical to preventing them from being targeted. The second part involves ensuring your organization has a predefined plan for addressing the release of sensitive data. The rule of thumb regarding ransomware is to NOT pay the extortion fee according to the FBI. 

Another method is to fortify your endpoints. Each remote endpoint presents a potential opening for criminals to breach private information, or worse, infiltrate the core network. Ensure your systems are set up using secure configuration settings which can effectively reduce your organization’s vulnerability. CIS benchmarks provide an excellent, cost-free option for organizations seeking to adopt industry-leading configurations developed through consensus.

Email phishing has always been the number one way malware and ransomware spread. A report by the FBI found that phishing scams were the most common cybercrime in 2023, causing over $2.9 billion in losses. Highlighting the importance of teaching your team about practicing proper email habits. Training them to spot sneaky phishing emails can make all the difference in keeping your organization safe and secure.

Real-world examples of Ransomware:

WannaCry explodes across the internet

Known for crippling Britain's healthcare system in 2017, WannaCry spread across the globe surfacing in nearly every country on earth - CSO

WannaCry, a highly sophisticated ransomware variant unleashed in 2017, propagated rapidly across the globe by exploiting vulnerabilities in unpatched Windows systems, encrypting data, and demanding ransom payments starting at $300 in Bitcoin for decryption.

Costa Rican Government Shutdown by Ransomware

In 2020, Conti ransomware hit the scene, quickly becoming infamous for its takedown of the Costa Rican government, which ended up declaring a state of emergency - BleepingComputer

President Rodrigo Chaves of Costa Rica declared a national emergency on May 8th, 2022, in response to an ongoing Conti ransomware campaign. The daily losses reached a staggering $30 million, forcing the government to halt operations in response to the extensive hack. The nation continues to grapple with the lasting repercussions of the incident to this day.

Attack on Colonial Pipelines IT Network

Following a ransomware attack, Colonial Pipeline was forced to halt its operations, leading to disruptions in fuel supply across the East Coast - CISA 

In May 2021, DarkSide hackers targeted Colonial Pipeline, exploiting IT vulnerabilities and prompting a shutdown that disrupted fuel supply across the East Coast. The company paid a $4.4 million Bitcoin ransom to regain control, marking a significant cyber-attack on US critical infrastructure that led to focused attention on ransomware on critical infrastructure.

Ransomware Incident Response Steps

In line with NIST's structured incident response approach as detailed in Special Publication 800-61, here are some general guidelines and steps we suggest integrating into your incident response plan to prepare for a potential Ransomware attack

1. Detect
   • Alert members in the Cybersecurity Incident Response Team (CSIRT)
   • Alert extended CSIRT members; Legal, Compliance, Public Relations, etc
   • Evaluate and confirm backups are secure and not impacted by the incident
   • Overall, primary steps include pinpointing malware origination and steps that lead to incidents
2. Analyze
   • Examine web proxy logs to detect any outbound command and control traffic
   • Gather and back up firewall, IDS, IPS, email gateway, system, and server logs
   • Conduct an IOC search across firewall, IDS, IPS, email gateway, system, and server logs
   • Document all connections from the impacted device(s) and the order in which the connections were disabled
   • When examining malware, seek support from local authorities (FBI)  possessing relevant expertise
   • This phase aims to understand the extent, origins, and recurring patterns of the ransomware, as well as assess factors like severity, source, and rate of spread
3. Contain
   • Isolate/disconnect the infected endpoint from the network ASAP
   • Isolate systems and subnets as needed (using your internal procedures)
   • DO NOT power off machines, as forensic artifacts may be lost
   • Deactivate accounts that were implicated or compromised
   • Generate OS-level images of any endpoints, servers, or storage arrays for preservation
   • Change passwords and other authentication methods for administrators 
   • Share the hash value of the malware with community sources to assist in future detection efforts
   • This stage aims to isolate and contain the infected devices, servers, and storage arrays, ensuring they are ad unable to affect other parts of your infrastructure via network
4. Eradicate 
   • Wipe servers and storage as needed
   • Once malware is removed, update all system passwords
   • Retain evidence to the best of your ability
   • Test to ensure the ransomware is completely eradicated
   • Run vulnerability assessments, antivirus, and anti-malware scans on endpoints and servers to confirm remediation
   • This phase focuses on eliminating malware and breached accounts while restoring endpoints, and servers. *Before bringing systems back online, thorough vetting and monitoring are crucial, including firmware checks.
5. Recover
   • Reset firmware using verified, reliable versions
   • Restore impacted systems from clean backup
   • If systems cannot be restored from backup, reconstruct machines using a known, reliable image or start from scratch
   • Assess organizational anti-malware defenses and controls to identify any shortcomings
   • Document incident thoroughly and retain evidence
   • If data theft and extortion were part of the attack, team up with legal advisors to figure out the next steps
   • This phase is focused on safely recovering the system to the pre-incident event while ensuring additional safeguards are put into place
6. Post-Incident
   • Keep an eye on your network well after the event to ensure the attacker has been removed and cannot re-enter
   • Hold a meeting to discuss the investigation's progress and shortcomings, address security vulnerabilities, and update ransomware incident response procedures
   • Share information about the attack with the appropriate parties and the security community at large
   • The overall focus of this phase is to conduct root-cause analysis and lessons-learned sessions with various stakeholders in the organization
     
     

The most effective defense against ransomware attacks is comprehensive training. By educating employees on common tactics used by cybercriminals, such as phishing and social engineering, they can quickly identify and report suspicious emails or uncommon computer activity. This proactive approach cultivates awareness, stopping attacks at the front line before they can wreak havoc. 

Simplifying Incident Response with Rivial

Rivial allows you to easily build, view, store, and maintain scenario-specific playbooks when general incident response procedures fall short.

Our incident response module consists of four sections, including a module dashboard where you can find a concise overview of relevant incident response systems, prioritized response action items, exercises, teams, incidents, and detections to ensure your organization is always prepared and every stakeholder knows their role with accessible, tested, and ready-to-go procedures and playbooks. Schedule a time to learn more about our platform today!