Whilst the internet has created endless possibilities for businesses to engage with their customer base and facilitate commerce. It has also provided cyber criminals with a means to transact cyber-enabled and cyber dependant crimes. Ransomware or malware as a service (MaaS) is one of these operating models and it has become a highly productive revenue stream for criminals all over the world.
In recent years we have witnessed a series of highs and lows with the volume and complexity of crypto ransomware attacks in terms of frequency. However, just over the past couple of weeks some of our team have worked with several clients in the UK who fell victim of a Crypto-Ransomware attack. This experience compelled me to write a blog, in particular around useful steps to take and how the ‘Human Element’ of an attack can often be forgotten but is equally as important.
Technical elements of a crypto ransomware attack really fascinate me but they can also be terrifying for the victim. Clicking seemingly innocent links, leading to mass encryption of file shares without any understanding of what is happening and capability to change it creates panic. For a security manager or anyone who is responsible for managing this type of incident, it is essential that you know the basic steps to contain an incident but also how to handle the ‘people element’ and panic that can occur.
Although the strategy of keeping malware out of a network by focussing purely on prevention and perimeter defence still applies, organisations now need to consider detection, response and recovery controls as well as ensuring relevant staff and incident managers are aware of their own responsibilities when responding to a crypto ransomware attack.
This article covers some steps, it’s not intended to cover and protect against every scenario but provides a basic grounding in responding to a ransomware attack.
Organisations need to be prepared for a ransomware attack. Steps can be implemented such as addressing incidents within a security policy and having a strategy and plan for dealing with security incidents, including crypto ransomware. See our top mitigations towards the end of the article and select the appropriate methods to suit your organisation, regular backups are a must.
Effective risk management is a key factor in reducing the likelihood of a successful breach and also ensuring that organisations are aware of the threat posed by Ransomware. Performing an initial cyber security risk assessment enables organisations to implement safeguards as opposed to addressing security countermeasures after an incident has occurred.
Train your staff before it’s too late! Staff education and awareness of Ransomware and other malware variants should be high on the agenda. Being able to identify the initial indicators of an attack can help prevent or at least speed up the reporting process before it’s too late.
“Assume breach”. Take the stance that it’s “when” and not “if” we suffer an incident, develop a business continuity strategy and plan that fits your organisational needs. Key questions organisations should ask themselves are:
• What assets are key to the continuing operation of the organisation?
• Can we continue to sustain key business operations without access to them?
• How long can we operate without them?
• Have we tested this?
Remember when risk management fails, business continuity takes over!
A well-defined communication plan will help to ensure the correct people are informed without delay when an incident occurs. It can also provide reassurance to internal and external stakeholders that the incident is being managed appropriately.
It’s important to document everything to do with the incident, especially any actions taken. Incident forms or checklists can be extremely handy and allow a consistent approach to be taken.
If possible a team should be defined that will handle malware incidents. The team should include representation from different areas of the business to strike a balance between technical/legal/managerial/communications.
It’s essential that incident managers or responders have the necessary tools to do the job. Jump bags can be ready in the event of an incident. These can include items such as: notepads, contact lists (incident team, external contacts etc.) USB drives, bootable USB/live CD’s with anti-malware software utilities (usually Linux based), hard drive imagers, network toolkits.
Incident managers or responders need adequate training to be able to respond to an incident. They should be well versed in any incident response policies or procedures.
Employees should receive awareness training that includes phishing, safe browsing and use of removable media. The training should promote a culture of reporting incidents without fear of punishment. The quicker we can detect ransomware the sooner we can contain and prevent and restore normal operations.
Identify and Contain
Due to the destructive nature of crypto ransomware identification of the incident is a fairly swift in comparison to other types of security events.
Before being able to gather information about the incident and ensure that the required steps are taken to contain it, you may be presented with users that are emotional or panicking, particularly if they feel they may have been the cause of the infection.
This is made much harder if you are dealing with the incident remotely. In this situation it is paramount that you attempt to calm the user, especially if they are panicking.
Another issue you may get when dealing with an attack remotely is the person on the phone may be interrupted by their colleagues. Time is of the essence here, so it is key that you communicate firm and clearly, asking them to only respond and pay attention to you. Speaking clearly and in a calm but assertive manner, several questions should be answered below:
• Have you disconnected all the network cables in the office? Explain what a LAN cable is to the designated the person on the call and get them to confirm this has been done immediately. In a virtualised environment removing the network cable from their device may not be effective, this is where an IT administrator needs to be informed/available to disconnect hosts from the network.
• Turn off wireless connections if this applies to any devices potentially infected.
• Once you have removed LAN cables and disconnected from wireless to try and contain the virus it is essential that all user accounts in scope are disabled and any further access each user had is revoked.
• Ask if anyone has clicked any unusual links in emails, including attachments they may have opened or downloaded. Get them to provide a list of websites visited.
• Ask whether they have accessed files on removable media (personal or company owned)
• Obtain all asset numbers and users affected
• Ask them to provide a list file shares that each user has access to
• Ask them for the contact details of any internal or outsourced IT contacts.
• It is important at this stage for all relevant technical teams to be involved to support containment and remediation activity. This is essential as often each technical team/person can have an input.
It is then essential to collect and review user activity logs, key repositories such as SIEM’s, proxy gateways, firewall logs, mail filtering platforms, windows events and as much information as possible to understand the source.
Eradicate and Restore
After containment it’s important to ensure that the removal of malware is conducted effectively prior to any backup and system recovery. Incident response times, back up strategies and many actions take to prepare for ransomware attacks will determine how effectively an organisation can recover from an incident.
This should be done in a phased approach with quick wins being addressed immediately followed by larger scale corrections.
Here are some tips to help:
• Try to take the time to understand the root cause. Often this can be from crafted emails (consider blocking in email gateways) also via infected websites (block URLS’s).
• Conduct reviews of specific registries if needed and utilise tools such as process monitor, autoruns and process hacker. These can often identify unusual or malicious processes and show the locations within the operating system that can launch malware on start up or login.
• Make use of incident response checklists and other resources e.g. SANS incident response handbook, NIST Special Publication 800-61 Revision 2, windows and UNIX cheat sheets that contain useful commands that can be run to detect malware. These can help speed up the process.
• Test the machines whilst they remain isolated from the network. This is important as to understand how the malicious code operates and can then help to identify suitable countermeasures to help mitigate or prevent future attacks.
• Remediate obvious vulnerabilities e.g. patch management, changing passwords, tightening network perimeter security (e.g. firewall rulesets and perimeter router access control lists).
• If possible implement improved monitoring for ransomware some methods include: increased audit logging levels, Sysmon by sysinternals, file integrity monitoring and configuring audit capabilities for file servers, increasing scope of SIEM solutions and additional endpoint monitoring software.
• Each infected system should be restored from the latest backup. Ensure machines are subject to full anti-virus scans after restoration and use 2 different anti-virus products as a minimum.
Post Incident Activity
Hold a lessons learned meeting to discuss the incident with relevant stakeholders within the organisation. This should be as soon as possible, so that the subject and action is fresh within everyone’s mind. Post incident analysis can be invaluable to building resilience against a future attack, here are some points to consider in your review:
• Query what happened and when.
• How did staff deal with the incident, were procedures followed are there any opportunities to improve response capabilities?
• Did any response actions have adverse effects on handling the incident?
• Would staff involved do anything different in hindsight?
• Could we improve information sharing?
• Are there any corrective actions? Are there any indicators of compromise that could help detect or prevent future incidents?
Review of the attack and post incident activities can be used to educate users and the business. Report Ransomware incidents to the relevant police departments, they may be able to help with remediation activities and it can help build a picture of the regional and national threat landscape. Share intelligence with peer groups, CERT’s, WARP’s or other industry sector forums. The sharing of this intelligence is vital in the ongoing protection of organisations and their assets. When sharing intelligence be ensure vulnerabilities associated with the organisation are not disclosed inadvertently.
Ultimately these steps will provide assistance to detect and prevent a crypto ransomware attack and assist, should you be unfortunate enough to suffer an attack. However, there is no silver bullet, all measures taken should be balanced against the organisations risk appetite but taking these steps proactively will prove invaluable
Top Ransomware Mitigations:
We’ve also put together some useful mitigation strategies that can help enhance your capability to detect and protect against ransomware.
• Ensure email systems are appropriately secured. Sender identity and anti-spoofing techniques can be applied such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and Domain Keys Identified Mail (DKIM). These email protections validate email against sender IP’s and domains and are usually applied to the organisations email gateways or external DNS. They provide protection against phishing and other spoofing threats. Block unnecessary file types at the email gateway including script extensions e.g. .exe, .scr, .vbs, .js, .jar, .bat, .pif, .rar, .zip, .7z and .cpl etc.
• Use virustotal.com to or other multiple antivirus engine tools to scan unexpected attachments or suspicious files that have not been flagged as malicious by email.
• Scan all stored, incoming and outgoing mail on servers to detect threats that may have got through email gateways or have originated internally.
• Use Ad Blocking technologies to protect online browsing from malvertising and watering hole attacks. Effective web filtering can also help here;
• File integrity monitoring (FIM), FIM can help identify file overwriting on file servers by looking at patterns.
• Have a response plan available? Time is of the essence when dealing with a ransomware attack, there is usually a specific time limit set by attackers. It’s critical that a response plan is present that addresses the steps needed to be taken during an attack. Ensure you have an inventory of critical data assets, including locations.
• Ensure email and web browsing accounts do not have administrative privileges and that shared local administrator accounts do not exist across multiple workstations.
• Maintain secure backups. In some ransomware cases restore from backup may be the only option. Ensure malware is eradicated from affected endpoints before recovery, this can be achieved by re-imaging or use of incident response and antimalware tools. Avoid using backup services that are effectively mapped drives on the endpoint. Ensure that backup servers or locations cannot be compromised if a privileged account is compromised, one way of achieving this is making sure your backups are separated or segmented from the devices and networks they are backing up. Have multiple copies of critical data and store one copy offsite. This should be in proportion to organisational risk appetite.
• Ensure your backups themselves are not at risk by ransomware. Implement a least privilege model for users, using separate accounts to perform administrative tasks and implementing separation of duties between administrator functions. These can help provide a layered defence for instance if a privileged domain account was compromised that also had access to the backup server or location of backups.
• Implementing network segmentation can help compartmentalise different groups of assets for example by sensitivity or criticality, in the event of a ransomware infection this can help to prevent propagation to other security zones or areas.
• Application whitelisting or software restriction policies can be used to define which programs, scripts or DLL’s can execute on a device. Rule conditions can include users, groups, locations, software signatures etc. ransomware can run from temporary folders that the user has write access to such as the %appdata% folder. If the operating system your using doesn’t have application whitelisting in windows you can use software restriction policies to achieve a similar goal.
• The Enhanced Mitigation Experience Toolkit (EMET) from Microsoft can be deployed. EMET creates another protection layer that when configured correctly can help prevent ransomware.
• Provide user awareness training that addresses cyber threats such as phishing, pharming, watering hole attacks, removable media, malvertising and malware in general.
• Disable macros, LOCKY ransomware actively exploits a vulnerability in office documents. Do not click yes if presented with a popup to enable macros for documents you only intend to read. By enabling macros this allows the ransomware to execute on the device. If you need to use macros use group policies to specify trusted paths on file servers that macros can run from.
• Use viewers to read files downloaded from the internet as opposed to full fat packages such as Office, OpenOffice or others.
• Be wary of enabling Active X controls, Active X controls can execute ransomware through office documents or webpages. Only enable controls when you understand and are authorised to use them.
• Vulnerability scanning. The key to preventing a ransomware breach is to know your assets and their associated vulnerabilities. One way of doing this is performing vulnerability scans of your internal and external IP address spaces. The vulnerabilities discovered can be fed into your existing patch management process. This can help provide visibility of what’s out there on your network both known and unknown.
• Penetration testing. Go one step further than performing a vulnerability assessment and get your networks and assets manually tested for vulnerabilities and whether they can be successfully exploited. Manual testing can help reduce false positives and negatives produced by vulnerability scans and also discover vulnerabilities that fall outside the scanning of systems, for example Social engineering attack types. Phishing assessments can be another good way of testing the “human firewall”.Patch Management. Ensure security patches are applied to software on all devices in a timely manner. This includes 3rd party software such as adobe, flash, java etc. Exploit kits actively scan endpoints for specific software versions when a user visits a compromised webpage, if it detects something it can exploit it will infect the device.
• Enabling windows firewall can help to prevent communications between the ransomware trojan and command and control servers.
• Use additional host based firewall protection, these tools can be run in conjunction with the native firewall to enhance protection.
• Ensure antivirus is installed is kept up to date and the security features are appropriately configured with vendor best practices.
• Setting the BIOS clock back to an earlier date in time can be used to trick some ransomware into giving you more time to respond to it. This circumvents ransomware that deletes the keys after a payment deadline has been reached.
• Disable windows powershell. If possible powershell should be disabled or restricted using application whitelisting. Powershell is often used to evade antimalware products and detection before downloading a malicious script from a remote server.
• Install a popup blocker
• Disable AutoPlay to prevent malware from running automatically
• Disable file sharing, this can help restrict the spread of ransomware to other shared network locations
• Study security forums, blogs, online resources etc. Decryption solutions have been found for some ransomware variants. Using the name associated with the ransomware you are affected by to find solutions.
We encourage organisations and you as the reader to change your approach to cyber security. It is not a case of if you suffer an attack it is when. The key questions you should be trying to answer moving forward is implementing effective identification and response capabilities, which combined with an appropriate security architecture will prove vital in isolating attacks and minimising the impact on the business.