Containment is critical in ransomware incidents; prioritize it accordingly.
Tactic | Technique ID | Technique Name | Sub-Technique Name | Platforms | Permissions Required
---|---|---|---|---|---
Impact | T1486 | Data Encrypted for Impact | | IaaS, Linux, Windows, macOS | Administrator, SYSTEM, User, root
(P) Preparation
1. Patch asset vulnerabilities
2. Perform routine inspections of controls/weapons
    1. Examine file shares for loose/open privileges
    2. Maintain Antivirus/EDR application updates
3. Create network segmentation
    1. Log traffic between network segments
4. Incorporate threat intelligence
5. Incorporate deception technology
6. Perform routine inspections of asset backups
    1. Validate proper functionality
    2. Confirm backups are free of malware
7. Establish ability to pay ransoms w/cryptocurrency
8. Obtain decryption keys for ransomware variants
9. Confirm cybersecurity insurance coverages
10. Conduct ransomware simulations
11. Conduct phishing simulations
12. Conduct user awareness training
13. Conduct response training (this PBC)
- Determine the type of ransomware (i.e., what is the family, variant, or flavor?)[1]
    - Find any related messages. Check:
        - graphical user interfaces (GUIs) for the malware itself
        - text or HTML files, sometimes opened automatically after encryption
        - image files, often as wallpaper on infected systems
        - contact emails in encrypted file extensions
        - pop-ups after trying to open an encrypted file
        - voice messages
    - Analyze the messages looking for clues to the ransomware type:
        - ransomware name
        - language, structure, phrases, artwork
        - contact email
        - format of the user id
        - ransom demand specifics (e.g., digital currency, gift cards)
        - payment address in case of digital currency
        - support chat or support page
    - Analyze affected and/or new files. Check:
        - file renaming scheme of encrypted files including extension (e.g., `.crypt`, `.cry`, `.locked`) and base name
        - file corruption vs encryption
        - targeted file types and locations
        - owning user/group of affected files
        - icon for encrypted files
        - file markers
        - existence of file listings, key files or other data files
    - Analyze affected software or system types. Some ransomware variants only affect certain tools (e.g., databases) or platforms (e.g., NAS products)
    - Upload indicators to automated categorization services like Crypto Sheriff, ID Ransomware, or similar.
- Determine the scope:
    - Which systems are affected?
TODO: Specify tool(s) and procedure
        - Scan for concrete indicators of compromise (IOCs) such as files/hashes, processes, network connections, etc. Use endpoint protection/EDR, endpoint telemetry, system logs, etc.
        - Check similar systems for infection (e.g., similar users, groups, data, tools, department, configuration, patch status): check IAM tools, permissions management tools, directory services, etc.
        - Find external command and control (C2), if present, and find other systems connecting to it: check firewall or IDS logs, system logs/EDR, DNS logs, netflow or router logs, etc.
    - What data is affected? (e.g., file types, department or group, affected software)
TODO: Specify tool(s) and procedure
        - Find anomalous changes to file metadata such as mass changes to creation or modification times. Check file metadata search tools
        - Find changes to normally-stable or critical data files. Check file integrity monitoring tools
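The file-level checks in the identification and scoping steps above (renaming scheme and extension, targeted file types, ransom notes, mass changes to modification times) can be scripted for a first pass over a suspect share or host. The following Python script is an added example, not part of this playbook or of any tool it names; the extension list, ransom-note name pattern and phrases, entropy threshold, and the sample files it builds in a temporary directory are constructed assumptions to be replaced with what the investigation actually finds.

```python
"""Filesystem triage for suspected ransomware activity (added example, not from the playbook).

Walks a directory tree and reports: files with known ransomware extensions or
high-entropy content (likely encrypted), ransom notes, the extension scheme in
use, and the minute in which most suspect files were last modified (a mass
modification burst). Every indicator list below is a constructed starting point.
"""
import math
import os
import random
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

SUSPECT_EXTENSIONS = {".crypt", ".cry", ".locked"}       # the playbook's own examples
KNOWN_COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".pdf"}  # high entropy by nature
RANSOM_NOTE_NAME = re.compile(r"(readme|how[_ -]?to[_ -]?decrypt|restore|recover).*\.(txt|html?)$", re.I)
RANSOM_NOTE_PHRASES = ("your files have been encrypted", "decrypt", "bitcoin")
HIGH_ENTROPY = 7.5   # bits per byte; encrypted data approaches the 8.0 maximum


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class TriageReport:
    encrypted_candidates: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    extensions: Counter = field(default_factory=Counter)      # extension -> count
    mtime_buckets: Counter = field(default_factory=Counter)   # epoch minute -> count


def triage(root: str, sample_bytes: int = 4096) -> TriageReport:
    """Classify every regular file under `root`; only the first `sample_bytes` are read."""
    report = TriageReport()
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            sample = fh.read(sample_bytes)
        if RANSOM_NOTE_NAME.search(path.name):
            text = sample.decode("utf-8", "ignore").lower()
            if any(phrase in text for phrase in RANSOM_NOTE_PHRASES):
                report.ransom_notes.append(str(path))
                continue
        ext = path.suffix.lower()
        looks_encrypted = ext in SUSPECT_EXTENSIONS or (
            ext not in KNOWN_COMPRESSED and shannon_entropy(sample) >= HIGH_ENTROPY)
        if looks_encrypted:
            report.encrypted_candidates.append(str(path))
            report.extensions[ext] += 1
            report.mtime_buckets[int(path.stat().st_mtime // 60)] += 1
    return report


def peak_burst(report: TriageReport) -> tuple:
    """(epoch_minute, count) of the minute with the most suspect-file modifications."""
    if not report.mtime_buckets:
        return (0, 0)
    return report.mtime_buckets.most_common(1)[0]


def run_demo() -> TriageReport:
    """Build a constructed sample tree in a temporary directory and triage it."""
    root = tempfile.mkdtemp(prefix="ransomware-triage-")
    rng = random.Random(42)

    def noise() -> bytes:           # deterministic stand-in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(4096))

    burst = 1_700_000_000           # constructed encryption timestamp (epoch seconds)
    files = {
        "docs/report.docx.locked": (noise(), burst),        # renamed and encrypted
        "docs/budget.xlsx.crypt": (noise(), burst + 7),     # same minute
        "docs/data.bin": (noise(), burst + 30),             # unknown extension, caught by entropy
        "docs/notes.txt": (b"meeting notes: review Q3 budget\n" * 100, burst - 86400),
        "docs/README_HOW_TO_DECRYPT.txt":
            (b"Your files have been encrypted! Pay 1 BTC to decrypt.", burst + 45),
        "media/archive.zip": (noise(), burst - 3600),       # high entropy but expected
    }
    for rel, (content, mtime) in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (mtime, mtime))
    return triage(root)


if __name__ == "__main__":
    r = run_demo()
    print("likely encrypted:", r.encrypted_candidates)
    print("ransom notes:", r.ransom_notes)
    print("extension scheme:", dict(r.extensions))
    print("peak modification burst (epoch minute, count):", peak_burst(r))
```

Point `triage()` at a mounted copy of the affected share rather than the live host where possible, and treat the entropy check as a lead, not proof: legitimately compressed or encrypted data also scores high, which is why known-compressed extensions are excluded, and a variant that only corrupts headers will not score high at all.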
- Assess the impact to prioritize and motivate resources
    - Assess functional impact: impact to business or mission.
        - How much money is lost or at risk?
        - How many (and which) missions are degraded or at risk?
    - Assess information impact: impact to confidentiality, integrity, and availability of data.
        - How critical is the data to the business/mission?
        - How sensitive is the data? (e.g., trade secrets)
        - What is the regulatory status of the data? (e.g., PII, PHI)
- Find the infection vector. Check the tactics captured in the Initial Access tactic of MITRE ATT&CK[4]. Common specifics and data sources include:
    - email attachment: check email logs, email security appliances and services, e-discovery tools, etc.
    - insecure remote desktop protocol (RDP): check vulnerability scanning results, firewall configurations, etc.
    - self-propagation (worm or virus): check host telemetry/EDR, system logs, forensic analysis, etc.
    - infection via removable drives (worm or virus)
    - delivered by other malware or attacker tool: expand investigation to include additional attacker tools or malware
- Plan remediation events where these steps are launched together (or in coordinated fashion), with appropriate teams ready to respond to any disruption.
- Consider the timing and tradeoffs of remediation actions: your response has consequences.
TODO: Customize containment steps, tactical and strategic, for ransomware.
TODO: Specify tools and procedures for each step, below.
In ransomware situations, containment is critical. Inform containment measures with facts from the investigation. Prioritize quarantines and other containment measures higher than during a typical response.
Quarantines (logical, physical, or both) prevent spread from infected systems and prevent spread to critical systems and data. Quarantines should be comprehensive: include cloud/SaaS access, single-sign-on, system access such as to ERP or other business tools, etc.
- Inventory (enumerate & assess)
- Detect | Deny | Disrupt | Degrade | Deceive | Destroy
- Observe -> Orient -> Decide -> Act
- Quarantine infected systems
- Quarantine affected users and groups.
- Quarantine file shares (not just known-infected shares; protect uninfected shares too)
- Quarantine shared databases (not just known-infected servers; protect uninfected databases too)
- Quarantine backups, if not already secured
- Block command and control domains and addresses
- Remove vector emails from inboxes
- Confirm endpoint protection (AV, NGAV, EDR, etc.) is up-to-date and enabled on all systems.
- Confirm patches are deployed on all systems (prioritizing targeted systems, OSes, software, etc.).
- Deploy custom signatures to endpoint protection and network security tools based on discovered IOCs
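Once IOCs are in hand, the scoping steps (other systems resolving or connecting to the C2, other hosts that ran the same binary) and the containment steps above (block lists, quarantines, custom signatures) can be driven from a single correlation pass over log telemetry. The script below is an added example in Python, not part of this playbook or of any named tool; the IOC values, the normalized `key=value` log format, and the DNS, firewall and EDR lines are all constructed, and the plan it emits is input for the orchestration tooling, not a replacement for an analyst's decision.

```python
"""Correlate discovered IOCs with log telemetry to scope a ransomware incident and
draft containment actions (added example; not part of this playbook).

Every indicator and log line here is constructed. Logs are assumed to have been
normalised to "<timestamp> <source> key=value ..." by the SIEM or a collector.
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IOCs:
    domains: frozenset   # C2 domains (subdomains match too)
    ips: frozenset       # C2 addresses
    sha256: frozenset    # hashes of the dropper/encryptor binaries


# Constructed indicators "recovered from patient zero". The hashes are derived from
# constructed strings so they are obviously not real sample hashes.
DROPPER_HASH = hashlib.sha256(b"constructed-dropper-sample").hexdigest()
BENIGN_HASH = hashlib.sha256(b"constructed-benign-binary").hexdigest()
IOCS = IOCs(
    domains=frozenset({"update-checker.example", "cdn-sync.example"}),
    ips=frozenset({"203.0.113.45"}),          # RFC 5737 documentation range
    sha256=frozenset({DROPPER_HASH}),
)

# Constructed DNS, firewall and EDR telemetry in the normalised format.
SAMPLE_LOG_LINES = [
    "2024-03-02T09:14:01Z dns client=10.0.5.17 host=WS-0042 query=update-checker.example type=A",
    "2024-03-02T09:14:05Z dns client=10.0.5.88 host=WS-0107 query=api.cdn-sync.example type=A",
    "2024-03-02T09:14:09Z dns client=10.0.5.23 host=WS-0055 query=www.example.org type=A",
    "2024-03-02T09:15:22Z fw action=allow src=10.0.9.4 host=SRV-FILE01 dst=203.0.113.45 dport=443",
    "2024-03-02T09:15:40Z fw action=allow src=10.0.5.23 host=WS-0055 dst=198.51.100.7 dport=443",
    f"2024-03-02T09:16:03Z edr host=WS-0042 user=alice process=updater.exe sha256={DROPPER_HASH}",
    f"2024-03-02T09:16:30Z edr host=WS-0107 user=bob process=explorer.exe sha256={BENIGN_HASH}",
    f"2024-03-02T09:17:11Z edr host=WS-0210 user=carol process=updater.exe sha256={DROPPER_HASH}",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one normalised line into {'ts': ..., 'source': ..., key: value, ...}."""
    ts, source, rest = line.split(" ", 2)
    event = {"ts": ts, "source": source}
    event.update(KV.findall(rest))
    return event


def domain_matches(query: str, domains) -> bool:
    """True if `query` is one of `domains` or a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def correlate(lines, iocs: IOCs) -> dict:
    """Map hostname -> list of hits; each hit records source, reason and user (if known)."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host") or ev.get("client") or ev.get("src") or "unknown"
        hit = None
        if ev["source"] == "dns" and domain_matches(ev.get("query", ""), iocs.domains):
            hit = f"resolved C2 domain {ev['query']}"
        elif ev["source"] == "fw" and ev.get("dst") in iocs.ips:
            hit = f"connected to C2 {ev['dst']}:{ev.get('dport')}"
        elif ev["source"] == "edr" and ev.get("sha256") in iocs.sha256:
            hit = f"executed known-bad binary {ev.get('process')}"
        if hit:
            hits[host].append({"source": ev["source"], "reason": hit, "user": ev.get("user")})
    return dict(hits)


def containment_plan(hits: dict, iocs: IOCs) -> dict:
    """Draft the containment actions the playbook lists, as input for orchestration tooling."""
    users = {h["user"] for records in hits.values() for h in records if h.get("user")}
    return {
        "quarantine_hosts": sorted(hits),
        "disable_users": sorted(users),
        "block_domains": sorted(iocs.domains),
        "block_ips": sorted(iocs.ips),
        "endpoint_hash_blocklist": sorted(iocs.sha256),
    }


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG_LINES, IOCS)
    for host, records in sorted(found.items()):
        print(host, "->", "; ".join(r["reason"] for r in records))
    print(containment_plan(found, IOCS))
```

Each host appears in the plan with the evidence that put it there, which is what the communication steps need when someone asks why a workstation or file server was isolated; a host that only resolved the C2 domain (WS-0107 here) is still quarantined because a DNS lookup alone is enough to show the dropper reached it.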
TODO: Consider automating containment measures using orchestration tools.
TODO: Customize eradication steps, tactical and strategic, for ransomware.
TODO: Specify tools and procedures for each step, below.
- Rebuild infected systems from known-good media
- Restore from known-clean backups
- Confirm endpoint protection (AV, NGAV, EDR, etc.) is up-to-date and enabled on all systems.
- Confirm patches are deployed on all systems (prioritizing targeted systems, OSes, software, etc.).
- Deploy custom signatures to endpoint protection and network security tools based on discovered IOCs
- Watch for re-infection: consider increased priority for alarms/alerts related to this incident.
TODO: Specify financial, personnel, and logistical resources to accomplish remediation.
- Escalate incident and communicate with leadership per procedure
- Document incident per procedure
- Communicate with internal and external legal counsel per procedure, including discussions of compliance, risk exposure, liability, law enforcement contact, etc.
- Communicate with users (internal)
    - Communicate incident response updates per procedure
    - Communicate impact of incident and incident response actions (e.g., containment: "why is the file share down?"), which can be more intrusive/disruptive during ransomware incidents
    - Communicate requirements: "what should users do and not do?" See "Reference: User Actions for Suspected Ransomware," below
- Communicate with customers
    - Focus particularly on those whose data was affected
    - Generate required notifications based on applicable regulations (particularly those that may consider ransomware a data breach or otherwise require notifications, e.g., HHS/HIPAA)
TODO: Expand notification requirements and procedures for applicable regulations
- Contact insurance provider(s)
    - Discuss what resources they can make available, what tools and vendors they support and will pay for, etc.
    - Comply with reporting and claims requirements to protect eligibility
- Communicate with regulators, including a discussion of what resources they can make available (not just boilerplate notification: many can actively assist)
- Consider notifying and involving law enforcement
- Communicate with security and IT vendors
    - Notify and collaborate with managed providers per procedure
    - Notify and collaborate with incident response consultants per procedure
- Launch business continuity/disaster recovery plan(s): e.g., consider migration to alternate operating locations, fail-over sites, backup systems.
- Recover data from known-clean backups to known-clean, patched, monitored systems (post-eradication), in accordance with our well-tested backup strategy.
    - Check backups for indicators of compromise
    - Consider partial recovery and backup integrity testing
- Find and try known decryptors for the variant(s) discovered using resources like the No More Ransom! Project's Decryption Tools page.
- Consider paying the ransom for irrecoverable critical assets/data, in accordance with policy
TODO: Expand and socialize this decision matrix
    - Consider ramifications with appropriate stakeholders
    - Understand finance implications and budget
    - Understand legal, regulatory, and insurance implications
    - Understand mechanisms (e.g., technologies, platforms, intermediate vendors/go-betweens)
- Perform routine cyber hygiene due diligence
- Engage external cybersecurity-as-a-service providers and response professionals
- Avoid opening email and attachments from unfamiliar senders
- Avoid opening email attachments from senders that do not normally include attachments
- Stay calm, take a deep breath.
- Disconnect your system from the network
TODO: include detailed steps with screenshots, a pre-installed tool or script to make this easy ("break in case of emergency"), consider hardware network cut-off switches
- Take pictures of your screen using your smartphone showing the things you noticed: ransom messages, encrypted files, system error messages, etc.
- Take notes about the problem(s) using the voice memo app on your smartphone or pen-and-paper. Every little bit helps! Document the following:
    - What did you notice?
    - Why did you think it was a problem?
    - What were you doing at the time you detected it?
    - When did it first occur, and how often since?
    - Where were you when it happened, and on what network? (office/home/shop, wired/wireless, with/without VPN, etc.)
    - What systems are you using? (operating system, hostname, etc.)
    - What account were you using?
    - What data do you typically access?
    - Who else have you contacted about this incident, and what did you tell them?
- Contact the help desk and be as helpful as possible
- Be patient: the response may be disruptive, but you are protecting your team and the organization! Thank you.
- Stay calm, take a deep breath.
- Open a ticket to document the incident, per procedure
TODO: Customize template with key questions (see below) and follow-on workflow
- Ask the user to take pictures of their screen using their smartphone showing the things they noticed: ransom messages, encrypted files, system error messages, etc. If this is something you noticed directly, do the same yourself.
- Take notes about the problem(s) using the voice memo app on your smartphone or pen-and-paper. If this is a user report, ask detailed questions, including:
    - What did you notice?
    - Why did you think it was a problem?
    - What were you doing at the time you detected it?
    - When did it first occur, and how often since?
    - What networks are involved? (office/home/shop, wired/wireless, with/without VPN, etc.)
    - What systems are involved? (operating system, hostname, etc.)
    - What data is involved? (paths, file types, file shares, databases, software, etc.)
    - What users and accounts are involved? (active directory, SaaS, SSO, service accounts, etc.)
    - What data do the involved users typically access?
    - Who else have you contacted about this incident, and what did you tell them?
- Ask follow-up questions as necessary. You are an incident responder, we are counting on you.
- Get detailed contact information from the user (home, office, mobile), if applicable
- Record all information in the ticket, including hand-written and voice notes
- Quarantine affected users and systems
TODO: Customize containment steps, automate as much as possible
- Contact the security team and stand by to participate in the response as directed: investigation, remediation, communication, and recovery
1. "Ransomware Identification for the Judicious Analyst", Hahn (12 Jun 2019)
2. No More Ransom! Project, including their Crypto Sheriff service and their Q&A
3. ID Ransomware service
4. MITRE ATT&CK Matrix, including the Initial Access and Impact tactics