Ransomware

What is ransomware?

Ransomware is a form of malware that threat actors use to infect computers and encrypt files, withholding the means to decrypt them until the victim pays a ransom. Ransomware sometimes also attempts to spread to other connected systems, including network shares and attached storage drives.

How does ransomware work?

Ransomware encrypts files and generally appends an extension to each, such as .encrypted, .locky, .crypt or .cryptolocker. Once encryption is complete, a ransom note is displayed (and typically also dropped as a text or HTML file into affected folders) with instructions on how the victim can obtain a decryption key by paying a ransom. An affected organisation that does not pay must restore the encrypted data from backups. If your organisation is affected by ransomware, the following process can be used as a general guideline.
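The behaviour just described (files renamed with a ransomware extension and a note left behind) is what a responder looks for when establishing the scope of an incident. The script below is an added example written for this page, not tooling from the page's author: it walks a directory tree, separates files that carry a ransomware extension and contain random-looking data from files that were merely renamed, locates candidate ransom notes, records a SHA-256 of each encrypted file so later decryption failures can be tied to a specific file, and picks the smallest confirmed-encrypted files as proof-of-decryption samples. The extension list is the one the page gives; the note-name hints, the entropy threshold, the function names and the seeded pseudo-random sample data are all assumptions of this example and should be tuned per variant.

```python
"""Ransomware scope triage: inventory renamed/encrypted files and ransom notes.

Added example for this page, not the page author's tooling. Extension list is
the one the page names; note hints, threshold and demo data are assumptions.
Run it against a forensic image or a read-only copy of a share, not a live host
that has not yet been contained.
"""
import hashlib
import math
import random
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the page lists as typical; real variants use many more.
RANSOM_EXTENSIONS = {".encrypted", ".locky", ".crypt", ".cryptolocker"}
# Ransom notes are usually small text/HTML files with names like these
# (assumed hints; "readme" also matches legitimate READMEs, so review hits).
NOTE_NAME_HINTS = ("decrypt", "restore", "recover", "readme", "how_to")
NOTE_SUFFIXES = {".txt", ".html", ".hta"}
# Bits per byte. Ciphertext approaches 8.0; English text sits around 4 to 5.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    name = path.name.lower()
    return path.suffix.lower() in NOTE_SUFFIXES and any(h in name for h in NOTE_NAME_HINTS)


def triage_tree(root: Path, sample_bytes: int = 4096) -> dict:
    """Classify files under root as encrypted, renamed-but-low-entropy, or ransom note."""
    report = {"encrypted": [], "renamed_low_entropy": [], "notes": [], "by_extension": Counter()}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if looks_like_ransom_note(path):
            report["notes"].append(rel)
            continue
        ext = path.suffix.lower()
        if ext not in RANSOM_EXTENSIONS:
            continue
        report["by_extension"][ext] += 1
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)  # leading bytes are enough to judge entropy
        entry = {
            "path": rel,
            "size": path.stat().st_size,
            "entropy": round(shannon_entropy(head), 2),
            # Hash of the encrypted bytes: proves which file a decryptor failed on
            # and that samples sent out for proof of decryption were not altered.
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
        if entry["entropy"] >= ENTROPY_THRESHOLD:
            report["encrypted"].append(entry)
        else:
            # Extension added but content is not random: partial encryption, an
            # empty file or a decoy. Check these before trusting any decryptor.
            report["renamed_low_entropy"].append(entry)
    return report


def pick_decryption_samples(report: dict, count: int = 3) -> list:
    """Smallest confirmed-encrypted files: cheap to exchange for proof of decryption."""
    return sorted(report["encrypted"], key=lambda e: e["size"])[:count]


def build_demo_tree(root: Path) -> None:
    """Constructed sample data so the example runs offline; seeded PRNG stands in for ciphertext."""
    rng = random.Random(1234)
    (root / "finance").mkdir()
    (root / "finance" / "q3.xlsx.locky").write_bytes(rng.randbytes(8192))
    (root / "finance" / "notes.txt.encrypted").write_bytes(rng.randbytes(512))
    (root / "finance" / "empty.docx.crypt").write_bytes(b"\x00" * 2048)
    (root / "finance" / "untouched.txt").write_bytes(b"quarterly numbers\n" * 50)
    (root / "_HOW_TO_DECRYPT_FILES.txt").write_text("Your files are encrypted. Pay to recover them.\n")


def run_demo() -> dict:
    """Build the constructed tree in a temp dir, triage it, clean up, return the report."""
    root = Path(tempfile.mkdtemp(prefix="rw_triage_"))
    try:
        build_demo_tree(root)
        return triage_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    rep = run_demo()
    print("encrypted:", [e["path"] for e in rep["encrypted"]])
    print("renamed but low entropy:", [e["path"] for e in rep["renamed_low_entropy"]])
    print("ransom notes:", rep["notes"])
    print("samples for proof of decryption:", [e["path"] for e in pick_decryption_samples(rep, 1)])
```

Entropy on its own is a heuristic: already-compressed formats (zip, jpeg, office documents) score high even when untouched, which is why the script keys on the extension first and uses entropy only to separate genuinely encrypted files from ones that were merely renamed. The hashes are what make the inventory useful later in the process: they let you prove which files went to the threat actor as samples and which ones a decryptor failed to restore.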

The Ransomware Incident Response Process

  • Incident Assessment and Specific Response Plan

Firstly, follow your Cyber Incident Response Plan or similar process to establish what data is affected, the urgency of your response effort, your budget, the ransomware variant and the threat actor (cyber-attacker). Cyber insurance providers may also require this information.

Form your response team, including identifying authorised representatives. If required, external experts can assist you through the process. If backups cannot be restored and no decryption tool is available, payment of the ransom may need to be considered. A number of risk mitigation steps must be taken first, however, including informing the authorities and conducting AML/CFT sanctions checks.

Your experts will establish the scope of the cyber-attack by collecting all ransomware IDs, ransom notes and samples of encrypted files, and will create forensic copies of affected computers where required. The state of your backups should be assessed (including whether the backups themselves were encrypted or deleted), and containment measures completed to prevent further spread of the malware, such as isolating affected hosts from the network and disabling compromised accounts. If you can restore successfully from backup, conduct a post-incident review; stages two, three and four below may then not be required.

  • Risk Assessment

If you are unable to fully recover from backup, then you may need to pay the ransom. Expert assistance is recommended at this point. There are organisations that specialise solely in handling ransomware payments and will work with you to achieve the best possible outcome. Any known information about the threat actor will be reviewed, including whether they have a track record of providing working decryption tools after prior payments and whether anything can be learned from their wallet address or other sources.

A risk assessment is then undertaken based on the insight found (for example, how likely a settlement is to succeed, and whether the technical likelihood of successful decryption is high or low). You will set a ransom budget. Negotiations may take time, but can also lower the ransom demand.

You will then supply a small sample of encrypted files to the threat actor, who decrypts them as proof that their decryption tool works. Choose files that do not contain confidential information for this step, while bearing in mind that the threat actors may already have viewed or copied your data during the cyber-attack.

  • Payment of the Ransom

Payment of the ransom to the threat actor is usually demanded in cryptocurrency, sometimes in more than one form. This is another reason why using an intermediary specialised in negotiation and ransom payment, and who maintains cryptocurrency accounts, is advisable. If professional negotiators are engaged, an Anti-Money Laundering (AML) check is performed before any money is transferred, to ensure none of the parties involved in the transaction (including the threat actor's wallet address) appear on an OFAC Sanctions list. The negotiating entity then manages the financial exchange.

  • Recovery

Once the decryption tool is received, it should be checked for malware and run against copies of the encrypted files in an isolated environment. Any files that fail to decrypt are then troubleshot, and occasionally further communication with the threat actor is required. Decrypted data is moved into clean, rebuilt environments and standard restoration services are performed. A post-incident review should always be undertaken, and any lessons learned adopted into your incident response plan.


Recent Government and Industry Advisories

International Counter Ransomware Initiative 2023

The 2023 Counter Ransomware Initiative (CRI) was focused on developing capabilities to disrupt attackers and the infrastructure they use to conduct their attacks, improving cybersecurity through sharing information, and fighting back against ransomware actors.

StopRansomware Guide

On 23 May 2023, CISA released an updated ransomware guide, a one-stop resource to help organisations reduce the risk of ransomware incidents through best practices to detect, prevent, respond and recover, including step-by-step approaches to addressing potential attacks.

This publication was developed through the Joint Ransomware Task Force (JRTF), an interagency body established by Congress in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) to ensure unity of effort in combating the growing threat of ransomware attacks.

Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches

On 18 August 2021, CISA released this fact sheet to address the increase in malicious cyber actors using ransomware to exfiltrate data and then threatening to sell or leak the exfiltrated data if the victim does not pay the ransom.

Ransomware: What board members should know and what they should be asking their technical experts

The impact of a ransomware attack on an organisation can be devastating. So what should board members be doing to ensure that their organisation is prepared for a ransomware attack, and in the best possible position to respond quickly? This blog, part of the Cyber Security Toolkit for Boards, explains the basics of ransomware and suggests relevant questions that board members might want to ask their technical experts to help drive greater cyber resilience against these types of attack.

Ransomware: Your organisation should be both protected and prepared

Recent high-profile ransomware incidents, both in New Zealand and abroad, offer a timely reminder to all New Zealand organisations about the importance of information security and cyber resilience. Preparation is everything. Your organisation needs to practise defence in depth to protect your systems and people against malicious cyber activity, and to be prepared for an incident should one occur.

Combating Ransomware – A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force

This report outlines a comprehensive framework of actions (48 in total) that government and industry leaders can pursue to significantly disrupt the ransomware business model and mitigate the impact of these attacks in the immediate and longer terms. These recommendations were collaboratively developed by the Ransomware Task Force (RTF) — a broad coalition of volunteer experts from industry, government, law enforcement, civil society, cybersecurity insurers, and international organizations — to provide a strategic framework for a systemic, global approach to mitigating the ransomware problem.

CISA and MS-ISAC Ransomware Guide

On 30 September 2020, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) published their joint Ransomware Guide.

The joint Ransomware Guide details practices that organisations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The in-depth guide provides actionable best practices for ransomware prevention as well as a ransomware response checklist that can serve as a ransomware-specific addendum to an organisation's cyber incident response plan.

Fact Sheet: Rising Ransomware Threat to Operational Technology Assets

On 10 June 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published the Fact Sheet: Rising Ransomware Threat to Operational Technology Assets.

The fact sheet (dated June 9, 2021 in the US) is aimed at critical infrastructure owners and operators and details the rising threat of ransomware to operational technology (OT) assets and control systems. It includes several recommended actions and resources that critical infrastructure entities should implement to reduce the risk of this threat.


This Advisory is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Advisory. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining from acting, in reliance on the information contained in this Advisory or for any decision based on it.

Traffic Light Protocol = White