A ransomware incident stresses an IT organization to its very limits and brings a company to its knees. After the initial panic, there are steps you can take to resolve the situation as quickly as possible, avoid escalating the conflict, and prevent future successful infrastructure breaches.
The first article in this ransomware blog series, Hacker Procedure, described the three main phases of an attack. The second article, Exposing What's Under the Hood of Ransomware Attacks, examined important details about ransomware crime. This final installment walks through the experience of an actual ransomware incident. I’ll provide guidance for handling the different phases of this devastating experience in order to minimize long-term harm to the victim.
Once ransomers take control of an organization’s infrastructure, the victim typically goes through four phases of reaction:
The first three phases take an average of 23 days. The progression to normal operational mode can take many months, depending on the damage inflicted.
The initial reaction to the ransoming of a company’s infrastructure is the chaos phase. I like to call this phase headless chicken mode because there are a lot of frantic people running around without any understanding or purpose.
It’s full panic. Nobody in the company has a clear picture of the situation. The CEO is upset. The CISO and IT manager are desperate and don't know what to do. Very few organizations are prepared for this level of crisis.
Little, if anything, is accomplished during the chaos phase.
Once the initial panic recedes, the first productive step is to form a crisis team to assess the situation, identify the most important systems, and get them up and running again. In parallel, a separate team begins forensic work. The constitutive phase also includes negotiating with the ransomers and restoring as many systems as possible.
For many companies who find their infrastructure in the grip of a cybercriminal, the best option is to hire an incident response consultant. These professionals are familiar with hacking and ransoming techniques and know how to minimize disruption and damage. Having played this role in ransomware events myself, I can share how a typical incident progresses.
When you first arrive on the scene as an incident response consultant, you need an overview of the situation. What have the attackers gained access to? Which systems have they shut down and which are still online? What backups are available? If no backups remain, then you must start the ransomware negotiation immediately.
Before you communicate, remember that these are criminals, and they may still have a foothold in your network and mail system. Don’t give them a view of your negotiation strategy or an opportunity to commit more crimes against you. Prepare a new, isolated system and communication channels dedicated to the negotiation: for example, a freshly installed laptop with its own LTE connection that never touches the compromised network.
Your main forensic objectives are to learn:
The legal authorities to involve depend on where the company is located. Generally you should contact the police, the local public prosecutor’s office, and your country’s office for information security. In the United States, you report to the FBI, which informs the other relevant federal agencies (such as CISA and NSA).
Don’t delay the effort to restore the IT infrastructure. If there’s no chance of restoring it, you should begin rebuilding it from the ground up.
All negotiation begins with the ransom note that the criminals leave for the victims. This is an example of an actual ransom note:
Typically a ransom note contains these elements:
=> To learn more about hacker groups, see Exposing What's Under the Hood of Ransomware Attacks.
The ransom note above had a link to a page on the darknet and instructions for authenticating on that page. The darknet page had information about the hacker group who was holding the company’s infrastructure for ransom, their demands, and a timeline.
The ransom demand was five million US dollars. A timer on the page indicated that the ransom amount would double if not received within seven days.
The darknet site also offered a chat function for communicating with the ransomers. This is a common practice. There needs to be a communication path between the victim and the hacker to discuss details, ask questions, and negotiate terms.
In this incident, we pursued three goals:
The communication with the hacker group is a typical negotiation in which one party holds most of the leverage. As you might guess, hacker groups don’t go out of their way to provide outstanding service to the companies they hold for ransom. Negotiations can be unpleasant and response times can be slow.
After we successfully transferred the ransom money, we asked for the universal decryptor to restore the system faster. Their answer demonstrated their mindset:
“I think it’ll be soon, we’re not robots. our employees need sleep as soon as someone shows up. They will make you uni_dec.exe”
After about three hours, we did receive the universal decryptor and were able to decrypt all of the customer’s data.
While negotiations are underway, the company is unable to conduct normal business. Yet there are customers who need products, services, or support. There are suppliers who require payment. There are deadlines to be met. Everyone in the organization needs the IT systems to do their jobs, but those systems aren’t running. The company may need to set up temporary systems to accomplish the most important tasks. The pressure on the IT team is enormous.
Reasonable resource planning is critical during this phase, so that employees can endure this exhausting time. Prioritization is also essential: What business functions are most important to get up and running? Internal communication must manage employees’ expectations and provide channels for questions and requests. Management must devise plans for communicating outside the organization as well—with suppliers, customers, partners, regulators, and so on.
The final phase of response to a ransomware attack is the return to normal operation. The ransom has been paid, or the decision has been made to rebuild without it. The IT team is decrypting data and applications and restoring systems. During this phase, the company sets up projects to transition the infrastructure back into normal operation.
One priority during this time is to improve the company's IT security posture. By this time, the forensic investigation has revealed the attackers’ initial access points, the accounts they used, their lateral movement, and the backdoors they created. It’s urgent to close these access paths, disable or re-credential the affected accounts, and remove the backdoors, so that the same hacker group or other criminals can’t simply walk back in. Then verify, using the logs and inventories you now have, that none of those indicators reappear. But it’s important to assume that those aren’t the only vulnerabilities in the infrastructure.
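The verification step above is easy to skip under time pressure. The following is an added example, not code from this article or from Mondoo, of how a responder can turn the forensic findings into a post-eradication check: it replays authentication log lines recorded after the remediation cut-off and a per-host service inventory against the known-compromised accounts, attacker IP addresses and backdoor service names, and reports anything that is still present. Every account name, IP address, service name, log line and timestamp here is constructed for illustration; in a real incident they come from your own forensic report and log sources.

```python
"""Post-eradication check: do any indicators from the forensic report still show up?

All findings, log lines and inventories below are constructed sample data
(hypothetical), not taken from the incident described in the article.
"""
import re
from datetime import datetime, timezone

# Constructed forensic findings (hypothetical values).
COMPROMISED_ACCOUNTS = {"svc_backup", "jdoe"}
ATTACKER_IPS = {"203.0.113.45", "198.51.100.7"}
BACKDOOR_SERVICES = {"WinUpdateSvc2", "sshd_helper"}

# Point in time at which accounts were disabled, credentials rotated and
# backdoors removed. Activity before this is already part of the timeline.
REMEDIATED_AT = datetime(2024, 3, 2, 0, 0, 0, tzinfo=timezone.utc)

# Constructed sample auth log: OpenSSH-style lines with an ISO timestamp
# and host name prepended, as a log forwarder would deliver them.
SAMPLE_AUTH_LOG = """\
2024-03-01T22:10:04Z fs01 sshd[4111]: Accepted password for jdoe from 203.0.113.45 port 51234 ssh2
2024-03-02T08:00:00Z fs01 sshd[4120]: Accepted publickey for admin from 10.0.0.12 port 40001 ssh2
2024-03-02T09:15:31Z db02 sshd[2201]: Failed password for svc_backup from 10.0.5.9 port 50112 ssh2
2024-03-02T11:42:07Z app03 sshd[3330]: Accepted publickey for deploy from 198.51.100.7 port 44321 ssh2
"""

# Constructed service inventory per host (hypothetical), e.g. collected
# with systemctl / Get-Service after the rebuild.
SAMPLE_SERVICES = {
    "fs01": ["sshd", "smbd", "sshd_helper"],
    "db02": ["sshd", "postgres"],
    "app03": ["sshd", "nginx"],
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_auth_log(text):
    """Yield one record per parseable sshd line; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # fromisoformat() on Python < 3.11 does not accept a trailing "Z".
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        yield rec


def residual_indicators(log_text, services_by_host, remediated_at):
    """Return (host, kind, indicator, detail) tuples for anything that survived eradication.

    A failed login with a compromised account is reported too: somebody is
    still trying that account, which is worth knowing even if it is disabled.
    """
    findings = []
    for rec in parse_auth_log(log_text):
        if rec["ts"] < remediated_at:
            continue
        if rec["user"] in COMPROMISED_ACCOUNTS:
            findings.append((rec["host"], "compromised-account-used", rec["user"], rec["result"]))
        if rec["ip"] in ATTACKER_IPS:
            findings.append((rec["host"], "attacker-ip-seen", rec["ip"], rec["result"]))
    for host, services in services_by_host.items():
        for svc in services:
            if svc in BACKDOOR_SERVICES:
                findings.append((host, "backdoor-service-present", svc, "inventory"))
    return findings


def run_example():
    """Run the check over the constructed sample data."""
    return residual_indicators(SAMPLE_AUTH_LOG, SAMPLE_SERVICES, REMEDIATED_AT)


if __name__ == "__main__":
    for host, kind, indicator, detail in run_example():
        print(f"{host}: {kind} {indicator} ({detail})")
```

On the constructed data the check reports three leftovers: the compromised `svc_backup` account is still being tried on `db02`, an attacker IP successfully logged in to `app03` as a different user after the cut-off (a sign that credentials were not rotated widely enough), and the `sshd_helper` backdoor service is still present on `fs01`. The pre-cut-off `jdoe` login is deliberately ignored because it is already part of the forensic timeline. Feed the script your real indicators and log exports, and treat any non-empty result as a reason to stop the return-to-normal project and go back to eradication.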
In my career as a pentester and incident response consultant, I’ve identified two main reasons why attackers are so successful in compromising companies:
Most organizations are not aware of how vulnerable they are. Time and time again, when I’ve seen companies become victims due to one or both of these risks, it’s because the system versioning and configurations are not visible across their entire infrastructure. Without that visibility, they can’t perform an appropriate risk assessment.
That's why we founded Mondoo, to help companies see their vulnerabilities and to provide them with concrete recommendations for action.
Mondoo provides a risk score per system across your complete infrastructure (Windows, Linux, AWS, Azure, M365, GCP, Kubernetes, CI/CD, and more).
Identify which updates are missing on each system.
Receive clear instructions on how to fix individual problems.