How to #StopRansomware – Prevention & Mitigation best practice – part 3
In this How to #StopRansowmare mini-series, last week we covered the areas of General Best Practices and Hardening Guidance.
Today we continue with
Ransomware and Data Extortion Response Checklist
Should your organization be a victim of ransomware, follow your approved IRP. The authoring organizations strongly recommend responding by using the following checklist. Be sure to move through the first three steps in sequence.
Detection and Analysis
Utilize the recommended best practices and references provided below to effectively mitigate the risks associated with ransomware and facilitate a well-coordinated and efficient response to any ransomware incident within your organization. Apply these practices to the best of your ability, considering the availability of organizational resources.
- Identify the systems that have been affected and promptly isolate them from the network
- If multiple systems or subnets are suspected to be affected, consider disconnecting the entire network at the switch level. Disconnecting individual systems during an incident may not be practical or feasible.
- Give priority to isolating critical systems that are vital for the organization’s daily operations.
- If it is not immediately feasible to temporarily take the network offline, locate the network cable (such as Ethernet) and disconnect the affected devices from the network. Alternatively, remove the affected devices from Wi-Fi connectivity to contain the infection.
- For cloud resources, create a snapshot of volumes to obtain a point-in-time copy that can be reviewed later for forensic investigation purposes.
- After an initial breach, threat actors may actively monitor your organization’s activities and communications to assess if their actions have been detected. It is crucial to isolate systems in a coordinated manner and employ out-of-band communication methods, such as phone calls, to prevent alerting the actors to their discovery and mitigation efforts. Failing to do so could prompt the actors to expand their reach within the network or deploy ransomware more extensively before the networks are disconnected.
- If it is not possible to disconnect devices from the network, power them down to prevent the further spread of the ransomware infection.
Implement this step to avoid retaining ransomware infection artifacts and potential evidence stored in volatile memory. Only proceed with this action if temporarily shutting down the network or disconnecting affected hosts from the network through other methods is not feasible.
- Triage impacted systems for restoration and recovery.
- Identify and prioritize critical systems that require restoration on a clean network. Confirm the nature of the data stored on the affected systems.
- Monitor systems and devices that are deemed unaffected, allowing them to be prioritized for restoration and recovery at a later stage. This facilitates a streamlined resumption of business operations for your organization.
- Evaluate the current detection and prevention systems within your organization, such as antivirus software, Endpoint Detection and Response (EDR) solutions, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS), along with their corresponding logs.
- Search for indications of preliminary “dropper” malware, including Bumblebee, Dridex, Emotet, QakBot, or Anchor. The occurrence of a ransomware incident could be an indication of a prior network breach that was not adequately resolved.
- Collaborate with your team to establish and document an initial comprehension of the situation based on preliminary analysis.
- Initiate threat-hunting activities.
On enterprise networks
- Detect any recently established Active Directory (AD) accounts or accounts with elevated privileges, as well as recent activities involving privileged accounts like Domain Admins.
- Watch out for abnormal login activities on VPN devices or any suspicious logins.
- Monitor for modifications made to endpoints that could hinder backups, shadow copy, disk journaling, or boot configurations. Pay attention to unusual usage of built-in Windows tools such as bcdedit.exe, fsutil.exe (deletejournal), vssadmin.exe, wbadmin.exe, and wmic.exe (shadowcopy or shadowstorage). These tools are often misused by ransomware attackers to impede system recovery.
- Keep an eye out for indications of Cobalt Strike beacon/client presence. Cobalt Strike, a commercial penetration testing software suite, is commonly disguised with the same names as legitimate Windows processes by malicious actors to evade detection and complicate investigations.
- Look for any unexpected usage of remote monitoring and management (RMM) software, including the presence of portable executables that are not typically installed. Malicious actors frequently utilize RMM software to maintain persistence.
- Be vigilant for any unusual PowerShell executions or the utilization of the PsTools suite.
- Check for signs of Active Directory (AD) and/or LSASS credential enumeration or dumping, such as the use of tools like Mimikatz or NTDSutil.exe.
- Monitor for unexpected endpoint-to-endpoint communications, including with servers.
- Look for potential signs of data exfiltration from the network. Common tools employed for data exfiltration include Rclone, Rsync, various web-based file storage services (which are also utilized by threat actors to implant malware/tools on the compromised network), and FTP/SFTP.
- Take note of any newly created services, unexpected scheduled tasks, or unanticipated software installations.
In cloud environments
- Implement tools that can actively identify and prevent unauthorized modifications to Identity and Access Management (IAM), network security, and data protection resources.
- Utilize automation to promptly detect common issues, such as the disabling of security features or the introduction of new firewall rules and trigger automated actions in response. For instance, if a new firewall rule is established that permits unrestricted traffic (0.0.0.0/0), an automated action can be initiated to disable or delete the rule. Simultaneously, notifications can be sent to the user responsible for creating the rule, as well as the security team, to ensure awareness of the situation. This approach helps prevent alert fatigue and enables security personnel to concentrate on addressing critical matters effectively.
Reporting and Notification
Adhere to the notification procedures specified in your cyber incident response and communications plan. Engage both internal and external teams and stakeholders by effectively communicating the incident, providing them with a clear understanding of their respective roles in assisting with mitigation, response, and recovery efforts.
- Share the available information promptly to facilitate timely and pertinent assistance. Keep management and senior leaders informed through regular updates as the situation unfolds. Key stakeholders to involve may consist of your IT department, managed security service providers, cyber insurance company, as well as departmental or elected leaders. This collaborative approach ensures that relevant parties are well-informed and can contribute effectively towards mitigating, responding to, and recovering from the incident.
- Report the incident to the relevant regulatory body for your jurisdiction.
- As necessary, collaborate with communications and public information personnel to ensure the dissemination of accurate information both within your organization and to the public. This coordination aims to maintain consistent and reliable messaging during the incident, both internally and externally.
Containment and Eradication
If no initial mitigation actions appear possible
Perform system imaging and memory capture on a representative sample of affected devices, including workstations, servers (physical, virtual, and cloud-based). Additionally, gather relevant logs, along with samples of any suspected “precursor” malware binaries and related indicators of compromise or observables. These may include suspicious registry entries, suspected command and control IP addresses, or other pertinent files identified. The following contacts provided can potentially aid you in executing these tasks.
- Safeguard evidence that is highly volatile or has limited retention capacity to prevent any potential loss or tampering. This includes preserving system memory, Windows Security logs, and data stored in firewall log buffers. Taking appropriate measures to retain this critical evidence ensures its integrity and availability for further analysis and investigation.
Seek advice from ransomware specialist contractors and legal representatives, even if mitigation actions are feasible, to explore potential options like decryptors. Security researchers may have identified encryption vulnerabilities in certain ransomware variants and could have released decryption or other related tools. Consulting these experts will help determine the availability of such resources and guide appropriate decision-making in addressing the ransomware incident.
To continue taking steps to contain and mitigate the incident:
- Refer to reliable sources of guidance specific to the ransomware variant in question and adhere to any supplementary recommended measures for identifying and containing affected systems or networks.
- Terminate or disable the execution of recognized ransomware binaries to minimize the extent of damage and impact on your systems. Additionally, remove any other identified registry values and files associated with the ransomware to further mitigate its effects.
- Determine the systems and accounts implicated in the initial breach, which may encompass various types of accounts, including email accounts.
- Upon identifying the details of the breach or compromise mentioned earlier, isolate the associated systems that could be exploited for unauthorized access. Breaches commonly involve the extraction of numerous credentials. To safeguard networks and other information sources from ongoing unauthorized access reliant on compromised credentials, consider implementing the following measures:
- Deactivate virtual private networks, remote access servers, single sign-on resources, and any public-facing assets, such as cloud-based systems, to prevent further unauthorized access.
- In case server-side data encryption is being carried out by an infected workstation, follow the quick identification steps specific to server-side data encryption:
- Review the Sessions and Open Files lists in Computer Management on associated servers to determine the user or system accessing those files.
- Analyze the file properties of encrypted files or ransom notes to identify specific users potentially associated with file ownership.
- Check the TerminalServices-RemoteConnectionManager event log for any successful RDP network connections.
- Scrutinize the Windows Security log, SMB event logs, and other relevant logs that might contain significant authentication or access events.
- Utilize packet capture software, such as Wireshark, on the affected server, applying a filter to identify IP addresses engaged in actively writing or renaming files (e.g., using a filter like smb2.filename contains cryptxxx).
- Perform a thorough analysis to identify persistence mechanisms both from external sources (outside-in) and internal sources (inside-out):
- Outside-in persistence mechanisms may involve unauthorized access to external systems through rogue accounts, backdoors present in perimeter systems, exploitation of vulnerabilities in external-facing components, and similar methods.
- Inside-out persistence mechanisms could include the presence of malware implants within the internal network or the utilization of “living-off-the-land” techniques such as leveraging legitimate tools like Cobalt Strike (a commercial penetration testing tool), employing the PsTools suite (including PsExec) for remote installation and control of malware, and utilizing PowerShell scripts for various purposes.
- The identification process may involve implementing Endpoint Detection and Response (EDR) solutions, conducting audits of local and domain accounts, analyzing data collected from centralized logging systems, and conducting more in-depth forensic analysis of specific systems once the movement within the environment has been mapped out.
- Prioritize the rebuilding of systems based on the criticality of services, giving preference to those that are vital for health and safety or revenue generation. If available, utilize pre-configured standard images to expedite the rebuilding process. For cloud resources, leverage infrastructure as code templates to efficiently reconstruct the necessary infrastructure components.
- Initiate password resets for all affected systems and address any vulnerabilities and security gaps identified once the environment has been thoroughly cleaned and rebuilt. This includes addressing any impacted accounts and removing or remediating malicious persistence mechanisms. To ensure enhanced security and visibility, take necessary measures such as applying patches, upgrading software, and implementing other security precautions that may have been overlooked previously. Additionally, update customer-managed encryption keys as required to align with the improved security measures.
- The conclusion of the ransomware incident is determined by the designated IT or IT security authority, who assesses the situation based on predefined criteria. This assessment may involve considering the completion of the aforementioned steps or seeking external assistance if required. Once the established criteria are met, the designated authority declares the ransomware incident to be resolved.
Recovery and Post-Incident Activity
- Reestablish connectivity of systems and initiate the restoration process by retrieving data from offline backups that have been encrypted. Prioritize the restoration of data for critical services to ensure the timely recovery of essential functionalities.
- Exercise caution to prevent the re-infection of clean systems during the recovery phase. If a new Virtual Local Area Network (VLAN) has been established specifically for recovery purposes, ensure that only clean systems are added to this VLAN. This precautionary measure helps to maintain the integrity of the recovery environment and prevents any potential contamination from previously infected systems.
- Thoroughly document the lessons learned from the incident and the corresponding response activities. This documentation will serve as valuable feedback for updating, refining, and enhancing organizational policies, plans, and procedures. It will also provide valuable insights for future exercises and preparedness efforts related to similar incidents. By leveraging these lessons learned, the organization can improve its resilience and response capabilities in handling future incidents more effectively.