Reckoning with Ransomware - white paper - GuidePoint Security
How to Prepare Your Organization for a Ransomware Incident

Ransomware is no new phenomenon—it’s been making the rounds in one form or another for over 30 years. There are many ways to prepare for a ransomware incident, but the foundation lies in understanding the basic steps to ransomware incident response. This paper will walk through these steps to help you better understand how to structure your own ransomware response.

You will learn:
• What steps your organization’s ransomware response should include.
• Who needs to be included in your organization’s ransomware response communications.
• What the recovery process can look like when a plan is implemented and executed.

There are myriad intricate events and considerations that occur over the life of an incident and during the incident response process. This paper will walk through the timeline of a hypothetical ransomware incident and examine the steps to handle similar situations. It will also help you identify the roles, responsibilities, and people in your organization you may want to involve in a similar scenario. These best practices can be broadly applied to any organization of any size and offer a solid foundation to begin building your incident response plan.

From small- to medium-sized businesses to large corporations that may be the target of nation-state actors, ransomware has quickly become one of the most common attack types faced by organizations and businesses. With a potential for massive impact on operations, brand, and budget, it’s critical to have a well-thought-out response plan should your organization ever become the victim of ransomware.
After All Their Posturing, They’re Still Just Common Thieves

Ransomware is far from being a recent phenomenon. The first known ransomware attack took place in 1989 and targeted the health care industry. (Some things never change, do they?)

At the height of the AIDS pandemic, evolutionary biologist and AIDS researcher Joseph Popp, Ph.D., distributed 20,000 floppy discs to healthcare professionals in over 90 countries, purportedly containing a questionnaire that could identify the taker’s risk of contracting the deadly new virus. However, the discs also contained a trojan that, once the computer had been rebooted 90 times, would hide the victim’s files and demand that payment be sent to a PO box in Panama in order to retrieve them.

While later analysis revealed that the malware was deeply flawed (the encryption key could be easily extracted from the trojan file itself), it laid vital groundwork for the ransomware we know today. Not only did it target a group that couldn’t afford to be without their files and demand that payment be sent to a difficult-to-trace address, but it also laid the foundation for the encrypted-file technique. (In 1996, security researchers Adam Young and Moti Yung published a paper on how a ransomware attack could be successfully carried out using public-key cryptography. That paper addressed precisely the flaw in Popp’s trojan: if files are encrypted under the attacker’s public key, the decryption key never has to be present on the victim’s machine.)

Since those humble beginnings in 1989, ransomware has only grown more prevalent and complex. In 2006, variants like Gpcode and Cryzip emerged, using increasingly complex encryption methods to lock files away. Then, in 2013, CryptoLocker burst onto the scene and changed the game forever by demanding payment via the still-nascent Bitcoin (which at the time was worth around $140 per coin).

Today, it would be almost impossible to find an average person who hasn’t heard of ransomware, let alone a cybersecurity professional who hasn’t (and if you do, maybe give them a gentle nudge towards choosing a new career).

Ransomware has advanced dramatically in both form and function over the last thirty years, even becoming a tool for targeted attacks and disruption. However, in the end, the core goal of ransomware is the same: to extort as much money as possible from the victim. For all the changes made in the ways ransomware operates, the threat actors using it are still just common thieves.
In 2020, there were an estimated 304 million ransomware attacks worldwide, and the first months of 2021 brought some of the most prominent and public ransomware attacks in history. Ransomware continues to be an incredibly prevalent form of attack because it offers a trifecta of advantages that attackers find hard to ignore:
• Universally dangerous: ransomware can impact any organization.
• Highly available: ransomware is increasingly easy to find and execute.
• Increasingly profitable: it’s incredibly lucrative for attackers.

Whether it’s a small business or a Fortune 500 company, a critical infrastructure HQ or a hospital, every organization and business has essential files stored on systems and networks, making every organization and business a potential victim. When you combine this abundance of victims with the emergence of ransomware-as-a-service groups that significantly reduce the time and cost required to execute a large-scale ransomware campaign, the potential payout for an attacker far outweighs the effort and risk they face.

Typically, when dealing with ransomware, there are three possible avenues of recovery available to the victim: accept the loss of the impacted systems and files and do their best to move forward, pay the ransom to receive the decryption key, or restore data from uncorrupted backups if they’re available. That third option only exists if at least one copy of the backups was kept offline or otherwise out of the attacker’s reach, a point the Acme scenario below drives home. While a small business may not offer as much potential profit as a Fortune 500 company, it also typically lacks the resources to recover files on its own, so the likelihood of a small business responding to a ransom request increases—if it can afford the ransom. In the case of large corporations, not only are they better equipped to restore operations and files, but they are also more likely to have sizable cybersecurity insurance policies in place. To exploit this, attackers have adopted double-extortion methods: not only encrypting but also stealing sensitive data and threatening to release it to the public (or worse, to competing companies), or threatening to publicly disclose the name of the victim organization on a shaming website to damage its brand.

It’s clear to see from this game of ever-rising stakes that the threat of ransomware won’t be going away anytime soon. That’s why you must have a detailed response plan in place to reckon with ransomware should it ever hit your environment.

[Figure: Ransomware on the Rise. Organizations impacted by ransomware globally, November 2020 - June 2021.]
“I’ve Got Some Bad News For You”

[Figure: a ransom note. The attackers’ confidence is on full display in their unsettlingly accurate awareness of how it feels to open one of these notes.]

It’s an all too common and frightening scenario: an employee of the Acme Corporation, we’ll call him Harry from accounting, calls up the helpdesk and says he can’t access one of his files, even though he was just able to open it a few hours ago. The support engineer who answers the call, Holly, tells Harry to jump on a remote session to sort the issue out. As Holly and Harry run through the standard list of support questions, Holly notices that one of Harry’s files has a random six-character extension appended to the file name. After more digging, she sees that all the files in the directory are inaccessible, and they all have the same six-character extension. And then she sees a new file, with the same six characters followed by “README.TXT”. Holly is an experienced support engineer. She suspects that Harry is a victim of malware—possibly a ransomware attack. Since Acme has both a formal Incident Response Plan and a Continuity of Operations Plan, Holly’s team has been briefed on what to do when they suspect a cyberattack. Knowing that she shouldn’t open the README.TXT file, Holly follows procedure and immediately escalates the problem up her internal chain of command. In the meantime, she can hear more calls coming into the helpdesk office, with her colleagues discussing the same problem with Acme employees—all their files have been encrypted. Holly is pretty certain she knows what is going on. Acme has suffered a ransomware attack.

Every day in offices worldwide, this exact scenario (or one exceptionally similar to it) plays out. So the question is: if this were to happen in your office, what’s the first thing you would do to mitigate and respond to an active ransomware incident, and more importantly, what would you do next?

When faced with a scenario like this, as the initial tsunami of anxiety comes bearing down on you, it is entirely normal to feel an overwhelming urge to do something drastic, like rip the ethernet out of the wall or dropkick the computer in the hopes that maybe the ransomware will feel threatened by your surprise display of mixed martial arts skills.

It is imperative that you don’t do either of those things.
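Holly’s indicator (a directory full of files carrying the same random six-character extension, plus a README.TXT dropped alongside them) can also be checked for mechanically across a file share before anyone opens the note. The Python below is an added example written for this paper, not code from the original or from GuidePoint. The thresholds, the allow-list of extensions, the note-name pattern and the UNC paths are assumptions, and the listing it scans is constructed. It groups a file listing by directory and flags directories where a random-looking extension dominates or a ransom-note-like file is present.

```python
"""Triage a file listing for the mass-rename pattern Holly spotted: many files in one
directory sharing a random-looking appended extension, plus a dropped ransom note.
Added example for this paper; thresholds, extension list and sample paths are
assumptions, not data from the Acme scenario."""
import posixpath
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Extensions we expect on a business file share (assumed; tune per environment).
# A dominant extension in a directory that is NOT here and looks random is suspicious.
KNOWN_EXTENSIONS = {
    "txt", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "csv", "jpg", "jpeg",
    "png", "gif", "zip", "exe", "dll", "log", "ini", "json", "xml", "msg", "one",
}
# Appended ransomware extensions are commonly short alphanumeric strings (the scenario
# uses six characters); 5-8 chars catches that without flagging ".docx" or ".jpeg".
RANDOM_EXT_RE = re.compile(r"^[A-Za-z0-9]{5,8}$")
# Dropped notes are usually text/HTML with a "read me / decrypt / recover" style name.
RANSOM_NOTE_RE = re.compile(
    r"(readme|decrypt|recover|restore|how_to|help)[^/]*\.(txt|html|hta)$", re.I
)


@dataclass
class Finding:
    directory: str
    extension: str        # dominant suspicious extension ("" if only a note was found)
    encrypted_count: int  # files carrying that extension
    total_count: int      # data files in the directory (notes excluded)
    ransom_notes: list    # note-like filenames seen alongside them


def suspicious_extension(ext: str) -> bool:
    """True for a random-looking extension that is not on the allow-list."""
    return ext.lower() not in KNOWN_EXTENSIONS and RANDOM_EXT_RE.match(ext) is not None


def triage_listing(paths, min_files=5, min_ratio=0.8):
    """Group paths by directory and flag directories that look mass-encrypted.

    A directory is flagged when at least `min_files` files carry the same suspicious
    extension and they make up `min_ratio` of its data files, or when a ransom-note-like
    file is present. UNC/Windows paths are normalised to forward slashes first.
    """
    by_dir = defaultdict(list)
    for raw in paths:
        directory, name = posixpath.split(raw.replace("\\", "/"))
        by_dir[directory].append(name)

    findings = []
    for directory, names in sorted(by_dir.items()):
        notes = [n for n in names if RANSOM_NOTE_RE.search(n)]
        data_files = [n for n in names if n not in notes]
        ext_counts = Counter(n.rsplit(".", 1)[1] for n in data_files if "." in n)

        dominant_ext, dominant_count = "", 0
        if ext_counts:
            dominant_ext, dominant_count = ext_counts.most_common(1)[0]
        mass_renamed = (
            dominant_count >= min_files
            and dominant_count / len(data_files) >= min_ratio
            and suspicious_extension(dominant_ext)
        )
        if mass_renamed or notes:
            findings.append(Finding(
                directory=directory,
                extension=dominant_ext if mass_renamed else "",
                encrypted_count=dominant_count if mass_renamed else 0,
                total_count=len(data_files),
                ransom_notes=notes,
            ))
    return findings


# Constructed sample listing (not real Acme data): one share that has been hit, one clean.
SAMPLE_LISTING = [
    r"\\acme-fs01\finance\Q1_budget.xlsx.k7x2pq",
    r"\\acme-fs01\finance\Q2_forecast.xlsx.k7x2pq",
    r"\\acme-fs01\finance\vendor_invoices.pdf.k7x2pq",
    r"\\acme-fs01\finance\payroll_2021.csv.k7x2pq",
    r"\\acme-fs01\finance\board_deck.pptx.k7x2pq",
    r"\\acme-fs01\finance\k7x2pq-README.TXT",
    r"\\acme-fs01\marketing\logo.png",
    r"\\acme-fs01\marketing\campaign.docx",
    r"\\acme-fs01\marketing\budget.xlsx",
    r"\\acme-fs01\marketing\notes.txt",
    r"\\acme-fs01\marketing\brief.pdf",
]

if __name__ == "__main__":
    for f in triage_listing(SAMPLE_LISTING):
        print(f"{f.directory}: {f.encrypted_count}/{f.total_count} files renamed to "
              f".{f.extension}; notes: {f.ransom_notes}")
```

Run it against a recursive listing of the shares that matter (the output of `dir /s /b` or `Get-ChildItem -Recurse`, for instance). One flagged directory is enough to escalate. The allow-list is where most tuning happens: add whatever legitimate odd extensions your environment uses so that, say, a directory of database files is not mistaken for an encrypted one. The note itself stays unopened, as the plan tells Holly.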
If you don’t have a plan in place, it’s too easy to make snap decisions that seem logical and correct in the moment, but that could, at best, hinder your chances for successful mitigation and response efforts and, at worst, send your efforts plummeting over a cliff. It’s important to remember that the first step in any incident is to pause, take a deep breath, and follow an established incident response plan.

As you start forming your organization’s incident response plan, some important initial considerations include:
• Knowing when to reach out to your incident response provider.
• If you don’t have an incident response provider, being prepared to locate one that can provide you with the assistance and support you will need.
• Knowing when you should involve legal counsel.
• Understanding your cyber insurance policy and knowing when to contact the cyber insurance provider.

These steps are critical to the response process and will provide key direction on next steps.

Just as important as knowing when and who to contact is knowing how you will contact them. Having established, external contact methods for all necessary parties is critical to any incident response, because your network is compromised. From here on out, you have to assume the attacker can monitor, and is monitoring, any and all communications that ride on it: Slack, email, ticketing systems, or video calls.

With that established, there are four phases to an incident response plan for ransomware—or any major cyberattack, for that matter—and each phase has its own critical actions to take and questions to answer before moving on to the next.

Phase one: Initial Discovery & Preliminary Steps
Phase two: Containment and Initial Investigation
Phase three: Forensic Analysis and Determining Response
Phase four: Recovery

The scene has been set, the scenario is in play. Moving forward, these four phases and the considerations that will be taken into account at each stage will be examined in a realistic context: the response to the unfortunate situation the Acme Corporation finds itself in.
Phase One: “This Channel is Reserved for Emergency Calls Only”

Holly has already escalated the problem up her chain of command, and her manager has alerted Jake, the Cybersecurity Team Director and the Team Lead on the Incident Response Team. Jake follows the Incident Response Plan protocol and notifies his technical response team, which includes a technical lead investigator, security analysts, and threat researchers.

The first thing Jake and his technical team need to do is triage exactly who knows about the incident, what they know specifically, and whether any helpdesk support staff or other Acme employee has established any communications with the threat actors over the corporate network in the heat of the moment, because that could cause issues down the road if the attacker captured that information.

For a large organization like Acme Corporation, this would also be when Jake notifies the remainder of the Incident Response team, which includes key members that provide cross-functional support, such as a management/executive lead (e.g., the CISO), a Communications Lead, a Legal Representative, and an HR Representative. The Acme Corporation’s Incident Response Plan includes work, mobile, and home phone numbers for each member as well as work and personal email addresses, so the team can be reached without touching the compromised corporate systems. Each member of the Incident Response team knows their role and has been trained in the appropriate response protocol.

At this point, Jake also alerts the external Incident Response provider that Acme has retained and informs them of a likely incident.

With company leadership now aware of what is happening, and the IR retainer engaged, Jake checks in with the legal representative to ensure they’re ready to guide Acme through the later phases of the plan, and with the communications lead to confirm they’re on point to manage any future public relations concerns. Jake also reaches out to the HR representative to work with them to bring the employees up to speed on what is happening. Finally, Jake and the CISO reach out to Acme’s cyber insurance provider.

Based on their research, the IR analysts and the independent IR provider have confirmed that the attack impacting the network is a type of ransomware known as NetWalker. Even though the analysts were engaged quickly, they point out that NetWalker is known to propagate and encrypt systems extremely quickly (including backups). Worse still, the ransomware criminal gang responsible for NetWalker is also known for stealing data.

To sum up phase one: while supporting Harry in accounting, support engineer Holly discovered a suspected ransomware incident in progress on her company’s network. Holly kept her cool and followed the incident response plan, alerting her manager, who alerted Jake, the cybersecurity director and IR team leader, who then initiated the response based on the codified plan. This enabled the rest of the IR team to begin their plan duties, which helped to quickly establish a preliminary attribution and set up the next phase of the investigation. It also enabled communications, legal, and Acme’s cyber insurance provider to get involved and begin planning for any future work they needed to contribute. This first incident-response phase is complete within hours of the initial discovery.
Phase Two: “We Do NOT Alter the Plan!”

Moving into phase two, the IR team and the Acme Corporation can transition to solving the problem of containment, scoping the impact of the ransomware and how many systems were encrypted, and gathering options for recovery and restoration. At this point, Jake and the external IR provider are getting pressure from some Acme executives to get things back up and running as soon as possible, so business can get back on track. From both Jake’s and the external IR provider’s perspective, the priority needs to be making sure this can’t happen again. For many companies, a common reaction to incidents like ransomware attacks is to try to bring those systems back online as fast as possible. Unfortunately, quickly ramping back up without first conducting a thorough investigation could lead to Acme losing a significant amount of evidence that could help the IR analysts establish root cause. Additionally, ransomware could still be propagating throughout the network, and computing systems and networks could simply be re-infected. With this in mind, the IR team and the external IR provider remind Acme leadership that the current focus needs to be on immediate containment.

Containment is also critical because it takes some control away from the attackers. Had the helpdesk team or another Acme employee already communicated with the cybercriminal gang, it is possible that the attackers would know what Acme was planning to do. The attackers might then work to establish additional persistence within Acme systems and networks or begin engaging in counter-incident-response actions.

During this phase, the IR analysts deploy an endpoint detection and response (EDR) tool to gain visibility and containment capabilities in the environment. The EDR tool helps the team see how deeply the ransomware attack has propagated across the network and helps to determine the full scope of the incident. With an accurate picture of the impacted systems and networks, and of the ransomware’s prevalence in the organization, Jake and the IR team quarantine the impacted devices and networks to stop the ransomware from expanding further. Unfortunately, the analysts find that the attack has made its way into the backups and encrypted them, severely limiting the Acme Corporation’s recovery options. These findings are also passed on to the legal counsel so they can be advised of legal obligations they may have related to business availability and the impacted data. The information is also shared with the communications lead so they can prepare any future statements that might need to be shared with customers or partners. The findings are also given to the insurance provider to keep them informed of the potential for recovery and the likelihood that a ransom may have to be paid.

As part of containing the breach in phase two, Jake and his team check to see if any remote users, other than IT, were accessing the systems. During the examination, they find a legacy system that was left online with open remote desktop protocol (RDP), and suspect this may have been the initial access point for the attacker. But, at this time, the only confirmed details are the systems impacted and the initial analysis of the attack. The focus has been on containment to ensure the spread is stopped.

By the end of phase two, it’s been almost 48 hours since the initial incident.
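The question the team asked while scoping (who, other than IT, has been reaching systems over RDP, and from where?) is answerable from Windows Security event 4624 records with LogonType 10 (RemoteInteractive). The Python below is an added example for this paper, not GuidePoint’s tooling. It parses a constructed, simplified one-line rendering of the 4624 fields rather than raw EVTX, and the IT account allow-list, internal address ranges and business-hours window are assumptions. It keeps RDP logons only, attaches a reason for every deviation from the assumed policy, and then lists the hosts that accepted RDP from an external address, which is how a forgotten legacy host with RDP exposed to the internet surfaces.

```python
"""Triage RDP (RemoteInteractive) logons from Windows Security event 4624 records.
Added example for this paper. The one-line log format, the IT allow-list, the internal
address ranges and the business-hours window are all assumptions."""
import ipaddress
import re
from datetime import datetime

# Assumed allow-list of accounts expected to use RDP for administration.
IT_ACCOUNTS = {"ACME\\jake.m", "ACME\\holly.s", "ACME\\it-admin"}
# Assumed internal address space; any other routable address is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS_UTC = range(7, 19)  # assumption: 07:00-18:59 UTC
REMOTE_INTERACTIVE = 10            # 4624 LogonType 10 = RDP / RemoteInteractive

# Constructed, simplified one-line rendering of the 4624 fields this triage needs.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) 4624 "
    r"LogonType=(?P<type>\d+) Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)


def parse_event(line):
    """Return a dict for a well-formed line, or None for anything of unknown shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "logon_type": int(m["type"]),
        "account": m["acct"],
        "source": m["src"],
    }


def is_external(source):
    """True when the source is a routable address outside INTERNAL_NETS.
    Non-address values ('-', hostnames) cannot be classified and return False."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not ip.is_loopback and not any(ip in net for net in INTERNAL_NETS)


def triage_rdp_logons(lines):
    """Keep RemoteInteractive logons and attach a reason for every policy deviation.
    A logon with no reasons (IT account, internal source, business hours) is dropped."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != REMOTE_INTERACTIVE:
            continue
        reasons = []
        if ev["account"] not in IT_ACCOUNTS:
            reasons.append("non-IT account")
        if is_external(ev["source"]):
            reasons.append("external source address")
        if ev["time"].hour not in BUSINESS_HOURS_UTC:
            reasons.append("outside business hours")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


def hosts_reachable_from_internet(findings):
    """Hosts that accepted RDP from an external address: candidates for the
    'legacy system left online with open RDP' the Acme team went looking for."""
    return sorted({f["host"] for f in findings if "external source address" in f["reasons"]})


# Constructed sample events (not real Acme logs); 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges standing in for internet addresses.
SAMPLE_EVENTS = [
    "2021-04-12T14:03:11Z ACME-WS-0451 4624 LogonType=10 Account=ACME\\holly.s Source=10.20.4.17",
    "2021-04-12T02:14:07Z ACME-LEGACY01 4624 LogonType=10 Account=ACME\\svc_backup Source=198.51.100.23",
    "2021-04-12T09:41:55Z ACME-WS-0122 4624 LogonType=2 Account=ACME\\harry.p Source=-",
    "2021-04-12T22:30:00Z ACME-LEGACY01 4624 LogonType=10 Account=ACME\\it-admin Source=203.0.113.45",
    "2021-04-12T11:15:42Z ACME-FS01 4624 LogonType=10 Account=ACME\\harry.p Source=10.20.4.88",
]

if __name__ == "__main__":
    results = triage_rdp_logons(SAMPLE_EVENTS)
    for r in results:
        print(f"{r['time']:%Y-%m-%d %H:%M} {r['host']} {r['account']} from {r['source']}: "
              + ", ".join(r["reasons"]))
    print("RDP reachable from the internet:", hosts_reachable_from_internet(results))
```

Feed it 4624 events exported from the EDR or SIEM once they are normalised to the same fields. An account outside the allow-list logging on from an internal address is an investigation lead; an external source address on an internal host is a containment action (block or isolate that host) as much as an investigation lead, and exactly the signal that points at a legacy system nobody remembered was exposed.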
Phase Three: “I Negotiate Million Dollar Deals for Breakfast”

Coming into phase three, most of the emergency work should be done. The initial response and containment phases are the most intense, and now the focus shifts to in-depth investigation and management of the fallout. Right now, one of the most critical things Jake and the IR team need to think about is staff relief. Key IR team members have been working for almost 48 hours. Decision-making skills have started to degrade, and tempers are becoming short. Fortunately, Jake has built some back-up staff into the Incident Response plan, and these people are called in to take over for the exhausted team.

The attention now shifts to three important questions:
• Are all the external parties engaged properly?
• Has data from the Acme Corporation been exposed?
• Who needs to be notified of potential exposure or consequences of the breach?

First, Jake needs to verify that the legal counsel, communications lead, insurance provider, and IR team are all working together and sharing necessary information during a regular cadence of meetings. This is critical from two perspectives: first, it ensures all key individuals know what is happening and can institute their portion of the IR plan accordingly; secondly, the cyber insurance policy may require each team member to engage in certain actions during certain phases for the policy to be valid. Regular communication with everyone involved is critical to the success of any IR engagement.

During this phase, Jake will also work with the IR analysts to determine whether sensitive data like personally identifiable information (PII) was exfiltrated or leaked. If so, legal, communications, and HR will need to determine the appropriate course of action when it comes to informing victims of the exposure and take any necessary legal steps. Because Acme is a large corporation with offices and customers nationwide, they will have additional steps to take to meet disclosure requirements. (Smaller organizations may not have the same requirements.) This component of the IR process can be complicated, and it may take some time to ascertain the full extent of the leak (unless the company already had a specific toolset in place to monitor data for copying or exfiltration). Unfortunately, it is all too common to learn that the attacker has created a ‘name and shame’ site and has already posted sensitive data to it.

If sensitive data has been stolen, the company must determine which regulatory agencies require notification, and what kinds of information they need to share internally to employees and externally to the public. Because the network is now restricted in order to quarantine the ransomware, Jake, the IR team, and the HR representative need to determine how to contact employees to keep them informed or disclose PII leaks. Jake, the IR team, and the communications lead will also need to work together to communicate to customers and partners the attack status and whether the Acme systems will be shut down for a while during the recovery process. Ultimately, the decisions made during this time are critical, and missteps or inappropriate communications can have more of an impact on the business in the form of reputation damage than any financial burdens associated with paying a hefty ransom.

Unfortunately for the Acme Corporation, the cybercriminal is requesting $5 million in exchange for decrypting their systems. They are claiming to have exfiltrated 100GB of information that they are threatening to release if the ransom is not paid within five days. Up to this point, the company hasn’t made any public disclosure about the breach since they haven’t been listed by the attacker on the ransomware gang’s name and shame site. But in a turn for the worse, a security journalist posts a blog with general detail about the breach, cited to an “undisclosed source.”
Phase three represents the transition from emergency management to navigating the bureaucratic, legal, and reputational consequences of an attack like ransomware, and is the first phase that stretches beyond hours and into days and weeks. The process of managing the aftermath of a breach can be long and arduous (phase three can last anywhere from days to weeks or longer), but if the Acme Corporation sticks to the plan and maintains engagement and contact with all the stakeholders in this process, they can avoid potential legal pitfalls and costly expenses due to mishandling the situation.

Phase Four: “Making Fists with Your Toes”

Phase three has taken longer than anyone wanted and ended with the cybercriminal’s demand for $5 million in five days. The criminals have threatened both permanent data loss and a leak of sensitive files to the public. The question the Acme Corporation must answer now is: do they need to consider paying the ransom, or can they make the business work even if they never get their data back and their data is leaked? If they choose to pay, they will need to decide if they are going to call in a third party to broker ransom payments. They will also need to confirm the terms of the insurance coverage, including the ransom, as well as any costs associated with the investigation and attack clean-up.

Early in the investigation, the IR analysts confirmed that all of the Acme Corporation’s backups were fully encrypted. Based on this, Acme leadership determines that too much data vital to the survival of the business is encrypted, and they will have to pay the ransom. The attacker is demanding the ransom be paid in TheoCoin, a relatively obscure new cryptocurrency, so Acme needs to work with their external incident response provider to negotiate ransom payment.

As the ransom broker, the IR company will negotiate with the criminals to try to lower the payment, identify the cryptocurrency wallet where the funds need to be deposited, and determine information on the cybercriminals based on wallet information (such as how many victims have already made ransom payments to these criminals and the amounts paid). When the payment terms have been negotiated, the ransom broker facilitates the payment, keeping records for any claims with the cyber insurance company. The ransom broker also serves another vital function: they perform the necessary checks with the Office of Foreign Assets Control (OFAC) to ensure the payment won’t be going to a person or group on a U.S. government sanctions list, since paying a sanctioned party can itself expose the victim to penalties.

Throughout this process, the investigation into exactly how this breach happened is still ongoing, and the IR analysts have discovered that it wasn’t caused by open RDP but instead by a malicious email attachment. It turns out that attachment arrived through an employee’s personal email that he had been checking at work, which is why the Acme Corporation’s email filters didn’t block it.

With the payment complete, the threat actor sends the decryption key to Jake and the IR team, but it’s not over yet. The decryption process can take a long time to complete, and the company must decide what data to prioritize to get back up and running. Attacker-supplied decryptors are also frequently slow and unreliable, so the team should test the tool on copies of a few files before running it at scale. And while they have the decryption key and the attacker’s guarantee that the 100GB of stolen data has been deleted from the attacker’s system, they can never be sure that data is fully erased and won’t resurface later down the road. It will likely take three to four weeks to get all of the systems restored and back online, and probably a few weeks more before Jake and his team feel like they’ve caught up on their sleep. During this time, the IR engagement team will continue to dig into the root cause of this incident. Once identified, the IR team will give IT and security a list of recommendations and remediations to implement. This continued engagement is critical, because without this analysis, it’s entirely likely that there could be a series of ill-conceived sequels to this event.

Do You Have a Plan?

If you’re curious how your organization might fare in this kind of situation, GuidePoint Security’s experts can help you build plans for any situation and test your team’s capabilities with similar scenarios in the form of custom-crafted tabletop exercises. Tabletop exercises can encompass a multitude of situations and incidents, including insider threats, ransomware, and supply chain attacks. Following an investigation of your environment and a review of your current Incident Response plan, the scenario is customized to fit your organization, from your architecture to your current security policies. Tabletop exercises like the one covered in this paper are designed to help you think critically about your policies and procedures so you can find and address gaps without any risk to your environment. At the end of the exercise, our goal is to give you actionable insights into your performance so you can improve your incident response planning.

About the Authors

This whitepaper was a collaborative effort from the GuidePoint Security Incident Response Team. The GuidePoint Security IR team is experienced with a wide variety of industry-standard tools and solutions that provide the required visibility across your network, endpoints and other systems for an efficient and comprehensive investigation of an incident.
Our team members originate from a variety of backgrounds with extensive industry experience and carry numerous industry-standard certifications from SANS, ISC2, Offensive Security, cloud service providers, and numerous other organizations. To help demonstrate our capabilities and experience, individual bios are available for all of our resources.
2201 Cooperative Way, Suite 225, Herndon, VA 20171 • guidepointsecurity.com • info@guidepointsecurity.com • (877) 889-0132 • 05.2021