Ransomware response playbooks mistakes. Avoid these common mistakes to effectively combat cyber threats and protect your data.
As the number of ransomware attacks increases, cybersecurity leaders are scrambling to address the issue. AV and EDR are designed to block ransomware executable but this is often too late.
Attackers are operating with proven playbooks and tools that enable them to gain access and establish beach heads on networks. Developing good detection opportunities is key to stopping these attacks before they occur.
1. No Detection or Monitoring
Ransomware restricts access to important systems, services, files, backups, logs and more with the goal of forcing an organization to pay a ransom. Attackers typically provide payment instructions via a note on the desktop, in an email, or through other means.
Detecting ransomware is a complex task. Many of the latest ransomware variants have built-in obfuscation capabilities that make it challenging to spot them using traditional cybersecurity tools and methods. Furthermore, some ransomware is designed to execute and encrypt large amounts of data in short periods of time. As such, attempts to catch the encryption process post-execution will be too little, too late.
As a result, threat actors are able to hide ransomware within seemingly innocuous files and applications. For example, BlackCat used the Rust programming language to create its payload, a move designed to evade detection by modern security solutions and challenge defenders to reverse engineer it.
For these reasons, it is critical for organizations to have a robust ransomware incident response plan in place. Mandiant’s new #StopRansomware Guide provides ransomware preparation, prevention and mitigation best practices and a ransomware incident response checklist. It also updates recommendations on cloud backups, zero trust architecture and expands the ransomware response checklist with threat-hunting tips.
2. No Containment or Eradication
Ransomware is one of the most feared cybersecurity threats that any organization can face today. Getting that dreaded call from an end-user stating that they’ve seen a note with a ransom amount is not what anyone wants to happen.
Once an incident is detected and the investigation begins, there are many steps that must be taken to ensure that attackers can’t re-enter the network. Without feeling confident that the attack vector has been closed, it will be difficult to move on to other critical steps like recovery and eradication.
This is also where backups can be a lifeline, especially when compared to the original versions of files that existed before an infection. However, it’s important to ensure that the backups aren’t infected as well. Malwares such as REvil will use file-system modifications and other techniques like process complication to evade detection by traditional antivirus solutions.
Ultimately, it’s going to come down to whether or not the enterprise decides to pay the ransom amount. This is usually a complex discussion that takes into consideration several factors. It is essential to have legal present for this conversation to help provide guidance and to make sure that the financial decisions are legally sound.
3. No Recovery or Restore
In many cases, companies are forced to choose between paying a ransom or losing their data. And if they choose to pay, it’s not as easy as just turning back the clock. According to a recent study by cybersecurity vendor Cybereason, less than 60% of organizations that pay a ransom are ever able to recover their data.
This is especially true in the case of ransomware that uses a malicious binary to encrypt system apps, images, files, and databases. Typically, the analysis phase of an incident response plan will include a review of the owner of the encrypted file to determine which account was used for encryption.
This may require trial and error to discover a restore point that is clean, so having a robust backup solution in place is crucial. This is why a ransomware playbook should also provide the method for staging the recovery of data from a backup, which will be much quicker than the time lost in assessing and discovering clean restore points. Once this is complete, the final step of the playbook involves closing the attack vector and implementing new safeguards to prevent future attacks.
4. No Identifying the Specific Ransomware Type
The attack vectors for ransomware can be numerous, but the goal is always the same. Threat actors use ransomware to extort money and steal sensitive data for espionage, financial gain, or both. The attack tactics may vary, but they rely on organizations’ poor credential hygiene, legacy configurations, and misconfigured applications to succeed.
While attackers often target weak passwords, social engineering, and exploiting zero-day vulnerabilities, many ransomware variants are deployed through “malvertising.” This involves using a compromised advertising network to deliver malicious ads to websites that unsuspecting users click on. Businesses can protect against malvertising by installing ad blockers, keeping antivirus software up to date, and educating employees on the dangers of clicking on unknown links or ads.
In November 2021, the BlackCat ransomware family made headlines as one of the first to deploy the Rust programming language for its payload. This is a recent trend where threat actors use modern languages to evade detection by conventional security solutions and challenge defenders who attempt to reverse engineer or compare the binaries. BlackCat can target Windows and Linux devices as well as VMWare instances.
K-12 school districts were another popular SLTT target for BlackCat in 2020, which harvested data and exfiltrated it from the premise. This data was then posted to the dark web, potentially revealing grades, medical, and disciplinary information on students.
5. No Isolating and Disconnecting the Infected System
Ransomware is malware that encrypts files and systems, rendering them unusable and forcing victims to pay a ransom to regain access. Attackers have adapted their tactics over time, including pressuring victims into paying by threatening to sell or leak exfiltrated data and authentication information. Ransom payments perpetuate the problem, as they provide attackers with a steady stream of revenue.
Attackers can spread ransomware through phishing attacks or by injecting malicious code into compromised websites. Another popular method is malvertising, where attackers compromise ad networks to deliver ads that download and execute ransomware on unsuspecting users’ computers without their knowledge or consent. Businesses can protect themselves by using ad blockers, keeping antivirus software up to date, and educating employees about the risks of clicking unknown links or ads.
Ransomware can also move laterally across a network to infect other devices, encrypting data as it goes. It is important to isolate and disconnect systems immediately to prevent further infection and minimize downtime. This can be accomplished by updating all software and systems to the latest patches, implementing patch management, separating networks, and educating users on identifying suspicious links or attachments. Additionally, businesses should be conducting regular backups and storing offsite copies of critical data.
6. No Reporting the Ransomware to Relevant Authorities
Developing a ransomware response playbook is an important part of an organization’s cybersecurity strategy. With many threats threatening to breach and infiltrate systems, it is crucial to have a safety net in place to prevent a devastating loss of data.
The most effective way to prepare for a potential attack is by performing regular patching and updating of software vulnerabilities. These measures help mitigate attacks by eliminating known attack vectors and protecting against unforeseen weaknesses.
Additionally, companies should have a robust backup system in place to minimize the impact of an attack. Backup files that are kept off the centralized network are more likely to be unaffected by a ransomware infection. However, it is essential to check backup files regularly for any signs of ransomware.
Once a ransomware infection occurs, it is critical to isolate and disconnect all devices from the network. This can prevent the infection from spreading to other systems and encrypting more data. It is also critical to shut down all Internet and Bluetooth connectivity to the affected devices. Lastly, it is important to consider reporting the ransomware to relevant authorities. This may include federal law enforcement or the local police department depending on the attack’s severity.
7. No Training
The threat of ransomware is a serious one, and it’s vital that businesses understand how to prepare for attacks and mitigate the damage when they occur. While prevention is key, it’s also important to plan for the worst-case scenario by developing a ransomware response playbook tailored to the organization’s business context and legal requirements.
These playbooks provide step-by-step help in the event of a malware incident, whether it’s a ransomware attack or any other type of security incident that jeopardizes sensitive information. It can be challenging to think clearly and quickly during a crisis, so these playbooks can save time by providing pre-determined, detailed steps for dealing with the issue.
The FOR528: Ransomware for Incident Responders course, which is offered online and in-person, trains participants on how to prepare for, detect, hunt, respond to, and deal with human-operated ransomware. It also includes a hands-on Capture the Flag exercise so that learners can apply their knowledge to real-world data and build their skills in a controlled environment.
