What is ransomware?
Ransomware is a form of malware that threat actors use to infect computers and encrypt files, holding them until the victim pays a ransom.
Ransomware sometimes attempts to spread to other connected systems, including storage drives.
How does ransomware work?
Ransomware encrypts files and generally appends an extension to each, such as .encrypted, .locky, .crypt or .cryptolocker.
Following the file encryption, a message is displayed containing instructions on how the victim can decrypt their files by paying a ransom. On payment, the victim receives a cryptographic key to unlock the files, making them accessible.
If a ransom demand is not met, the encrypted data will remain unavailable to the victim. Payment of a ransom does not necessarily unlock encrypted files, as threat actors may demand additional payments or simply refuse to decrypt the data.
If you are affected by ransomware, the following process can be used as a general guideline.
The Ransomware Incident Response Process
- Incident Assessment and Specific Response Plan
Firstly, follow your Cyber Incident Response Plan or similar process to assess the affected data, the urgency of your response effort, your budget, the ransomware variant and the threat actor (cyber-attacker). Cyber insurance providers may also require this information.
Your response team should be formed, including identifying authorised representatives. If required, external experts can assist you through the process. Recent variants of ransomware require additional technical steps to be undertaken by the victim before the decryption keys are provided on payment of the demand. These steps further complicate the recovery process, which may increase the risk of not recovering data.
Activities undertaken by your experts will involve discovering the scope of the cyber-attack by collecting all ransomware IDs, ransom notes and samples of encrypted files. Where required, forensic copies of affected computers will be created. Additionally, the state of your backups should be assessed, and mitigations completed to prevent further spread of the malware. If you can successfully restore from backup, you should conduct a post-incident review; stages two, three and four below may then not be required.
- Risk Assessment and Negotiation
If you are unable to fully recover from backup, then you may need to pay the ransom.
When conducting negotiations for ransomware payment, it is useful to have an expert who has dealt with this type of incident assist you. There are organisations who specialise solely in handling ransomware negotiations. They will work with you in this process to attempt to achieve the best outcome.
During this stage, any known information about the threat actor will be reviewed, including whether they have been involved in prior negotiations and whether any information about them can be obtained from their wallet address or other sources.
A risk assessment is then undertaken based on the insight gained (for example, how likely settlement is to succeed, and whether the technical likelihood of successful decryption is high or low). You will set a ransom budget. Negotiations may take time but can also lower the ransom demand.
You will then supply a sample of encrypted files to the threat actor, who will provide proof of decryption. Preferably, do not use confidential files for this step; however, bear in mind that the threat actors may already have viewed or copied your data during the cyber-attack.
- Payment of the Ransom
Payment of the ransom to the threat actor may be in cryptocurrency or in multiple payment forms. This is another reason why using an intermediary specialised in negotiation and ransom payment, who maintains cryptocurrency accounts, may be advisable.
If professional negotiators are engaged, an Anti-Money Laundering (AML) check is performed before any money is transferred, to ensure that none of the parties involved in the transaction (including the threat actor’s wallet address) is on an OFAC sanctions list.
The negotiating entity then manages the financial exchange.
Once the decryption tool is received and run, any files that fail to decrypt are troubleshot, which occasionally requires further communication with the threat actor. Data confirmed clean is moved to clean environments and standard restoration services are performed.
A post-incident review should always be undertaken, and any lessons learned adopted into your incident response plan.
The following recommendations are updated from Alert I-100219-PSA, posted on 2 October 2019 at www.ic3.gov.
- Regularly back up data and verify its integrity. Ensure backups are not connected to the computers and networks they are backing up. For example, physically store them offline. Backups are critical in ransomware recovery; if you are infected, backups may be the best way to recover your critical data.
- Focus on awareness and training. Since end users are targeted, employees should be made aware of the threat of ransomware and how it is delivered, and trained on information security principles and techniques.
- Patch the operating system, software, and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier through a centralized patch management system.
- Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
- Implement least privilege for file, directory, and network share permissions. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Configure access controls with least privilege in mind.
- Disable macro scripts from Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office Suite applications.
- Implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular internet browsers, and compression/decompression programs, including those located in the AppData/LocalAppData folder.
- Employ best practices for use of RDP, including auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.
- Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy.
- Use virtualized environments to execute operating system environments or specific programs.
- Categorize data based on organizational value, and implement physical and logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and network segment as an organization’s email environment.
- Require user interaction for end-user applications communicating with websites uncategorized by the network proxy or firewall. For example, require users to type information or enter a password when their system communicates with a website uncategorized by the proxy or firewall.
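The "verify its integrity" recommendation above, and the appended extensions described under "How does ransomware work?", can be combined into a pre-restore check. The following Python is an added example, not code from the original page or from IC3: it records a SHA-256 manifest when a backup is taken and later reports files that are missing, modified, unexpected, or carry one of the extensions named above, using a constructed two-file backup in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions named in the "How does ransomware work?" section above.
RANSOMWARE_EXTENSIONS = {".encrypted", ".locky", ".crypt", ".cryptolocker"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def list_files(root: Path) -> dict:
    # Relative path -> Path for every regular file under root.
    return {str(p.relative_to(root)): p for p in sorted(root.rglob("*")) if p.is_file()}

def build_manifest(backup_root: Path) -> dict:
    # Hash every file at backup time; keep the manifest with the offline copy.
    return {rel: sha256_of(p) for rel, p in list_files(backup_root).items()}

def verify_backup(backup_root: Path, manifest: dict) -> dict:
    # Compare the backup set against its manifest before trusting it for restore.
    findings = {"missing": [], "modified": [], "unexpected": [], "ransomware_ext": []}
    present = list_files(backup_root)
    for rel, expected in manifest.items():
        if rel not in present:
            findings["missing"].append(rel)
        elif sha256_of(present[rel]) != expected:
            findings["modified"].append(rel)
    for rel, p in present.items():
        if rel not in manifest:
            findings["unexpected"].append(rel)
        if p.suffix.lower() in RANSOMWARE_EXTENSIONS:
            findings["ransomware_ext"].append(rel)
    return findings

def demo() -> tuple:
    # Constructed sample: a clean two-file backup, then the same set after an
    # infection renames and overwrites one file and tampers with the other.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll.xlsx").write_bytes(b"payroll rows")
        (root / "notes.txt").write_bytes(b"meeting notes")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        (root / "payroll.xlsx").rename(root / "payroll.xlsx.locky")
        (root / "payroll.xlsx.locky").write_bytes(b"\x00ciphertext")
        (root / "notes.txt").write_bytes(b"tampered")
        return clean, verify_backup(root, manifest)
```

A backup set is only safe to restore when every list in the findings is empty; a non-empty result means that copy was reachable by the infection and an older offline copy should be used.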