
[Incident Response] 9 Key Steps to Respond to the Ransomware Incident

2022.12.06 GSS & IR Team
Ransomware is one of the major cyber threats of recent years. It targets enterprises and organizations of every kind, and the frequent incidents not only disrupt daily operations but also cause huge losses.
Ransomware incidents should be handled through precise and appropriate response steps, which effectively help enterprises and organizations contain the damage and return to normal operations as soon as possible.
The 9 key steps in responding to a ransomware incident are listed below.

Step 1: Quick Quarantine

  • Determine which systems are infected with ransomware and quarantine them immediately.
  • If there are machines that cannot be disconnected from the network, temporarily shut them down.
  • In the Group Policy Object (GPO) settings, temporarily select "Block all connections" for the firewall to stop the spread.

Step 2: Triage

  • Restore according to the Business Continuity Plan.
  • Carry out the corresponding treatment according to the situation:
    • Worst case (dead device): recover as much as possible.
    • Moderate to severe: prioritize recovery.
    • Mild: no special treatment.

Step 3: Ask for assistance

  • Gain an initial understanding of the situation, document it, and contact internal and external teams to expedite the return to normal operations.
  • Depending on the nature of the organization, notify the competent authority and contact the judicial investigation unit. If the organization has purchased relevant insurance, contact the insurer.

Step 4: Evidence collection

  • Collect memory dumps, disk images, and logs from key machines (such as servers).
  • Filter and collect suspicious commands and IP addresses.

Step 5: Find records

  • Review the records of anti-virus software, endpoint detection and response (EDR) tools, intrusion prevention systems (IPS), etc., looking for signs of the early stages of the attack.

Step 6: Handling general hosts

  • If there are hosts that have not been encrypted by the ransomware, or hosts that are infected but not yet encrypted, disconnect them from the network immediately. Once the company has clarified the ransomware's infection process and removed the malicious programs, the hosts can be reconnected to the network.
  • Check the system status again with an antivirus scanning tool different from the one originally installed, e.g. Microsoft Safety Scanner.

Step 7: Handle Domain Control

  • Change the passwords of all domain administrators.
  • Change the krbtgt account password twice (perform the second change 10 hours after the first).
  • Check whether unknown accounts have been added to Domain Admins and other high-privilege groups.
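The following PowerShell script is an added example, not code from the original post or from TeamT5: it audits the high-privilege groups named in this step against a known-good baseline and reports the age of the current krbtgt password so the responder can confirm the interval before the second reset. It assumes the ActiveDirectory RSAT module and a domain-admin session; the baseline account names are constructed placeholders.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Known-good membership taken from a pre-incident export. The names below are
# constructed placeholders; replace them with your own baseline.
$Baseline = @{
    'Domain Admins'     = @('Administrator', 'da.alice')
    'Enterprise Admins' = @('Administrator')
    'Schema Admins'     = @('Administrator')
}

foreach ($group in $Baseline.Keys) {
    # -Recursive expands nested groups, so an account hidden one level down is still seen
    $members = Get-ADGroupMember -Identity $group -Recursive
    $unknown = $members | Where-Object { $_.SamAccountName -notin $Baseline[$group] }
    if ($unknown) {
        Write-Warning "$group has members not in the baseline: $($unknown.SamAccountName -join ', ')"
        # Creation/modification times help place the addition on the intrusion timeline
        foreach ($m in $unknown) {
            Get-ADObject -Identity $m.DistinguishedName -Properties whenCreated, whenChanged |
                Select-Object Name, ObjectClass, whenCreated, whenChanged
        }
    } else {
        Write-Output "$group matches the baseline."
    }
}

# krbtgt is reset twice, the second time 10 hours after the first (per Step 7).
# Report the age of the current password so the second reset is not run too early.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$age = (Get-Date) - $krbtgt.PasswordLastSet
Write-Output ("krbtgt password last set {0} ({1:N1} hours ago)" -f $krbtgt.PasswordLastSet, $age.TotalHours)

# The reset itself, left commented out so the audit can be run on its own.
# The new value is irrelevant: nobody logs in as krbtgt, the domain only derives key material from it.
# $new = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
# Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $new
```

Run the audit first on every domain in the forest; a group that "matches the baseline" only means no unexpected account is present today, so the historical additions still need to be checked in the event logs.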

Step 8: Backup and Restore

  • Restore data from offline backups.
  • Take a phased approach to service restoration, starting with essential services, and continue until the data is fully restored.
  • Back up the remaining data and rebuild the system.

Step 9: Find out which ransomware family it belongs to

  • Identify the ransomware family by checking the file extensions and the ransom note.
  • Use this to look for a corresponding decryption tool (although the chance of finding one is low).
  • If the ransomware family has already been described in reports or news from other organizations, additional information on its intrusion methods, and perhaps on the related attacker groups, can be obtained.


With solid technical background and frontline expertise, TeamT5 provides an in-depth investigation and response to real-world cyber-attacks. We identify and research the intruder attacks, the impacts and technical causes of the incidents, and recommend solutions or workarounds to assist our clients in recovery and remediation.
If you have needs for incident response, please contact us: https://teamt5.org/en/request-information/

