Time is critical when responding to a ransomware attack. Being the first responder to an ongoing ransomware attack can be very stressful. Your first responders must know precisely what to do, so this post will walk through how to create a ransomware incident response plan.
A ransomware incident playbook is one of many playbooks you could create when setting up your SecOps incident response plan. You could also set up a SecOps phishing response plan, Malware playbook or a Failed Login playbook.
Scenario
You are a SOC analyst and have received an alert for a potential ransomware attack. The incident alerts indicate that active cryptographic operations are occurring on multiple devices on the network. You receive a call within a few seconds from a user, stating they have what appears to be a ransom notification on their screen and all of their files have been renamed, with file extensions ‘.loc’.
This scenario leaves little doubt that the attack is real, so your ultimate goal is to analyse, contain and eradicate the threat as quickly as possible. The following steps can be followed to ensure swift, effective action.
Ransomware Playbook
Containment
The first steps are to contain the threat:
- Raise the issue verbally within your team. Designate someone to assist you with all client communications.
- Instruct the user(s) to disconnect the network cable from their machine and instruct as many people as possible on the network to do the same.
- Raise a P1 case and invoke any major incident processes your company has.
- Identify the backup server and isolate it by removing its NIC. This could be virtual or physical.
- Identify the file server and isolate it by removing its NIC. This could be virtual or physical.
Next, you need to ensure that the encryption of files has stopped. Ransomware works by enumerating shared drives and encrypting them, often in random order. A quick way to identify whether a server is being encrypted by ransomware is to look at the Resource Manager and its disk write statistics. If you see many more write operations and open files on file shares than usual, then the encryption is likely ongoing.
The process that encrypts files could be on any device, even the file server or the backup server, so even disconnecting them may not stop the infection from encrypting more files. Furthermore, many ransomware attackers actively aim to delete your backups before executing their attack.
The most important thing is to isolate your backups and file server as these are the targets.
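The disk-write and open-file check described above can be scripted so the first responder does not have to eyeball Resource Manager under pressure. The following is an added example and not code from the original post: it samples the write rate on the file server and counts open SMB handles per client, which is the quickest way to see which machine is doing the encrypting. It assumes an elevated PowerShell session on the file server itself with the SmbShare module present (Windows Server 2012 or later); both thresholds are constructed placeholders to be tuned to your own baseline.

```powershell
# Added example, not from the original post: a quick check for ongoing encryption on a Windows file server.
# Assumptions: run elevated on the file server; SmbShare module present (Server 2012+).
# Both thresholds are constructed placeholders; tune them to your own baseline.

$WriteThresholdPerSec = 500   # constructed: disk writes/sec above which the server is treated as "hot"
$HandleThreshold      = 200   # constructed: open SMB handles from one client above which that client is flagged

# 1. Sample the write rate across all physical disks for five seconds.
$samples   = Get-Counter -Counter '\PhysicalDisk(_Total)\Disk Writes/sec' -SampleInterval 1 -MaxSamples 5
$avgWrites = ($samples.CounterSamples | Measure-Object -Property CookedValue -Average).Average
'Average disk writes/sec over 5 s: {0:N0}' -f $avgWrites
if ($avgWrites -gt $WriteThresholdPerSec) {
    Write-Warning 'Disk write rate is far above the configured baseline; encryption may be in progress.'
}

# 2. Count open SMB file handles per client computer and account. A single client holding hundreds of
#    handles across the shares is the first candidate for the machine running the encryption process.
$openFiles = @(Get-SmbOpenFile)
$byClient  = @($openFiles |
    Group-Object -Property ClientComputerName, ClientUserName |
    Sort-Object -Property Count -Descending |
    Select-Object @{ Name = 'Client'; Expression = { $_.Name } }, Count)

$byClient | Format-Table -AutoSize

foreach ($client in $byClient) {
    if ($client.Count -gt $HandleThreshold) {
        Write-Warning ("{0} holds {1} open handles on this server's shares" -f $client.Client, $client.Count)
    }
}

# 3. Show what the busiest client has open, so you can see whether the paths already carry the '.loc'
#    extension from the scenario (or whatever extension your alert reported).
if ($byClient.Count -gt 0) {
    $computer, $user = $byClient[0].Client -split ', ', 2
    $openFiles |
        Where-Object { $_.ClientComputerName -eq $computer -and $_.ClientUserName -eq $user } |
        Select-Object -First 20 -Property Path, ShareRelativePath, ClientUserName |
        Format-Table -AutoSize
}

# 4. Containment hook: once you are satisfied which client is encrypting, dropping its SMB sessions on the
#    server side stops it touching these shares immediately, in addition to pulling its network cable.
#    Close-SmbSession -ClientComputerName $computer -Force
```

Run it once before and once after the user machines are unplugged: if the write rate and the handle count do not fall, the encrypting process is still on the network (possibly on the file server or backup server themselves, as the next paragraph warns), and the server-side session close in step 4 is the fallback.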
Analysis
Next, we need to analyse the attack and ascertain the following information:
- Which device (or devices) is the source of the infection, i.e. patient zero?
- What credentials have been compromised?
- What is the first date/time of infection?
- Which user account/accounts have been used to orchestrate the attack?
- How was the network compromised?
To answer these questions, you could do the following actions:
- Investigate your Anti-Virus logs. (Hopefully, you have some!)
- Investigate the firewall logs (also download them too if there are indicators of compromise).
- Export and analyse the Domain Controller security logs (or search your SIEM solution).
- View the Domain Admins Active Directory group and confirm there are no accounts that should not be a member.
- If the ransomware created a .txt file in each directory to leave a ransom note, use SearchMyFiles to enumerate them all, and then sort in modified date/time order to find the time of initial infection.
- Check the owner of the .txt files. These files are often created using the compromised account. This will help you identify patient zero.
- If you use Office 365, you could analyse the Risky Sign-ins in Azure AD.
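The note-enumeration, owner and Domain Admins checks in the list above can be done from one script instead of a GUI file search. The following is an added example, not code from the original post: it walks the affected share once, bounds the encryption window from the encrypted files, lists the oldest notes and their owners, checks Domain Admins, and optionally correlates the dominant owner account against logon events on a domain controller. It assumes a clean analyst workstation with the share mapped (or the isolated file server), the RSAT ActiveDirectory module for the group check, and a domain controller for the event query; the '.loc' extension and the per-directory .txt note come from the scenario, while the share path and note name pattern are placeholders.

```powershell
# Added example, not from the original post: triage ransom notes and encrypted files, then check Domain Admins.
# Assumptions: run from a clean analyst workstation with the share mapped, or on the isolated file server;
# '.loc' and the per-directory .txt note come from the scenario; share path and note pattern are placeholders.

$SharePath   = '\\FILESERVER\Data'   # placeholder: root of the affected share
$NotePattern = '*.txt'               # placeholder: narrow this to the real note name once you know it
$EncExt      = '.loc'                # extension appended by the ransomware in the scenario

# 1. Walk the share once, skipping paths the analyst cannot read rather than stopping.
$files     = @(Get-ChildItem -LiteralPath $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue)
$notes     = @($files | Where-Object { $_.Name -like $NotePattern })
$encrypted = @($files | Where-Object { $_.Extension -eq $EncExt })
'Ransom notes: {0}   Encrypted files: {1}' -f $notes.Count, $encrypted.Count

# 2. Sorting the encrypted files by last write time bounds the encryption window: the oldest file is the
#    best estimate of when encryption started, the newest tells you whether it has actually stopped.
$sorted = @($encrypted | Sort-Object -Property LastWriteTime)
if ($sorted.Count -gt 0) {
    'Encryption window: {0} -> {1}' -f $sorted[0].LastWriteTime, $sorted[-1].LastWriteTime
}

# 3. The ten oldest notes show which directories were hit first.
$notes | Sort-Object -Property LastWriteTime |
    Select-Object -First 10 -Property LastWriteTime, FullName |
    Format-Table -AutoSize

# 4. The owner of each note is the account the encryption process ran as; one dominant owner is the
#    compromised account, and where that account logged on from points at patient zero.
$owners = $notes | ForEach-Object {
    $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
    [pscustomobject]@{ Owner = $acl.Owner; Path = $_.FullName }
}
$ownerCounts = @($owners | Group-Object -Property Owner | Sort-Object -Property Count -Descending)
$ownerCounts | Select-Object -Property Name, Count | Format-Table -AutoSize

# 5. Confirm nothing unexpected is in Domain Admins (direct and nested members).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -Property SamAccountName, objectClass, distinguishedName |
        Format-Table -AutoSize
}

# 6. On a domain controller: where did the dominant owner account log on from in the two hours before the
#    first encrypted file? Event 4624 fields: 5 = account, 8 = logon type, 11 = workstation, 18 = source IP.
if ($ownerCounts.Count -gt 0 -and $sorted.Count -gt 0) {
    $account = ($ownerCounts[0].Name -split '\\')[-1]
    $since   = $sorted[0].LastWriteTime.AddHours(-2)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -eq $account } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = $_.Properties[8].Value
                Workstation = $_.Properties[11].Value
                SourceIP    = $_.Properties[18].Value
            }
        } |
        Group-Object -Property Workstation, SourceIP |
        Select-Object -Property Name, Count |
        Format-Table -AutoSize
}
```

Keep the output of steps 2, 4 and 6 together: the start of the encryption window, the account that owns the notes, and the workstation that account logged on from are the three facts the analysis questions above ask for, and they are what you will need again when you decide which hosts to rebuild.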
Eradication
Next, we must fully eradicate the infection. This is possibly the most challenging part because it’s likely that you can never have 100% confidence that your systems are clean unless you fully rebuild from scratch.
You can use tools like Norton Power Eraser to remove the infection. However, one tactic I commonly see is attackers rootkitting one or more hosts on your network so that as soon as a host reboots, it starts encrypting files again.
Recovery
The recovery phase is where one wrong action can undo many hours of work to eradicate and clean the network.
The key to a clean recovery is to re-build a clean network. Start from the firewall and work outwards, and only re-connect devices to the network once they have been scanned for malware and inspected for encrypted files.
Beware of devices that connect to Wi-Fi. I recommend that you disconnect all WAPs before you start the restoration. Remove all devices from all switches, and only re-connect hosts once you are 100% sure they are clean. One technique for this is to create a “provisioning VLAN”: move devices onto it first, scan them, and only then re-assign the switch port to the correct VLAN.
If you are re-building, take the time to ‘build-back-better’ and improve on the security that was in place before. Use VLANs to segment your network.
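The per-host gate between the provisioning VLAN and the production VLAN is worth scripting so every host gets the same two checks (malware scan, then a search for encrypted files) and leaves a record. The following is an added example, not code from the original post; the function name is this example's own. It assumes a Windows host with Microsoft Defender and its PowerShell module, run elevated, and takes the '.loc' extension from the scenario.

```powershell
# Added example, not from the original post: the per-host check to run while a machine sits on the
# provisioning VLAN, before its switch port is moved back to production.
# Assumptions: Windows host with Microsoft Defender and its PowerShell module, run elevated.
# The function name is this example's own; '.loc' is the extension from the scenario.

function Test-HostReadyForReconnect {
    param(
        [string]$EncryptedExtension = '.loc',
        [switch]$FullScan
    )

    # 1. Scan for malware. A quick scan is only a smoke test; use -FullScan before trusting the host.
    #    Note the caveat from the eradication section: a scan from the running OS cannot be relied on
    #    to see a rootkit, so a host that was confirmed compromised is still better rebuilt than scanned.
    $scanType = if ($FullScan) { 'FullScan' } else { 'QuickScan' }
    Start-MpScan -ScanType $scanType
    $threats = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-7) })

    # 2. Inspect every fixed drive for files carrying the ransomware's extension.
    $fixedDrives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3'
    $encrypted   = @()
    foreach ($drive in $fixedDrives) {
        $root = $drive.DeviceID + '\'
        $encrypted += @(Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -eq $EncryptedExtension })
    }

    # 3. Show the evidence on screen, but return a single verdict record for the incident log.
    if ($threats.Count -gt 0) {
        $threats | Select-Object -Property InitialDetectionTime, ThreatID, ProcessName |
            Format-Table -AutoSize | Out-Host
    }
    if ($encrypted.Count -gt 0) {
        $encrypted | Select-Object -First 10 -Property FullName, LastWriteTime |
            Format-Table -AutoSize | Out-Host
    }
    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        ScanType          = $scanType
        ThreatsDetected   = $threats.Count
        EncryptedFiles    = $encrypted.Count
        ReadyForReconnect = ($threats.Count -eq 0 -and $encrypted.Count -eq 0)
        CheckedAt         = Get-Date
    }
}

# Usage: run on the host, append the verdict to a CSV you collect from every machine, and only move the
# switch port to the production VLAN for hosts whose ReadyForReconnect is True.
Test-HostReadyForReconnect -FullScan |
    Export-Csv -LiteralPath "$env:TEMP\reconnect-check.csv" -Append -NoTypeInformation
```

The CSV of verdicts doubles as the record of which hosts were cleared and when, which is exactly the information you will want if a host that was reconnected turns out to start encrypting again after a reboot.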
Final thoughts
I hope some of the above helps build your ransomware response playbook. It would be best if you solidified these actions with your staff by doing a tabletop exercise regularly. This will allow your staff to react quickly and minimize impact.