Incident response handling for ransomware


Welcome readers back to my blog.

Today we will have a run-through in terms of performing incident response on ransomware breaches.

Ransomware as we all know is becoming an increasing menace the world over, many firms keep getting compromised one way or another due to this specialized attack.

The most critical factor in handling incident response would range around how effective firms do tackle such incidents.

TL; DR:

  1. Validate the attack
  2. Gather the incident response team
  3. Analyze the incident and perform a thorough investigation
  4.  Contain the incident
  5. Eradicate the malware and its traces
  6. Perform post-incident analysis and monitoring
  7. Perform a post mortem analysis and prepare the lessons learned


 In this part, let’s focus majorly on validation, analysis, containment phases.

 Let’s take a look as a refresher for how best to handle such incidents (and also others similar in nature)

 1.    Initial Triaging

a.      Start with the aim to limit the infection, measures include such as: switching off or hibernating the infected system (in case ransomware has not already having encrypted all files on the system)

b.      In case the system cannot be turned off, it should be isolated from the network on priority or taken off the network

c.      Ransomware generally, scans the target network, encrypts files stored on network shares and tries to laterally move across the network. To contain the infection and prevent the ransomware from spreading, it is important to swiftly isolate the infected systems

d.     In case of a ransomware incident, organizations must secure their backups by disconnecting backup storage from the network or locking down access to backup systems until the infection is resolved.

2.    Attempt to identify the type of ransomware infection

a.      Try to identify the type of ransomware such as:

i.      Opportunistic Ransomware- Deployed through malicious emails. These normally don’t provide the attacker with interactive access to your network

ii.      Ransomware Worms- Targeted to have worm-like functionalities to spread quickly through networks.

iii.      Targeted Ransomware-Deployed by an attacker as part of the intrusion. The focus is across multiple systems with persistent access


3.    Approach note to detect the ransomware

a.      Comparing the ransomware note by searches on a search engine

b.      Identifying the ransomware executable and

c.      Identifying the initial infection vector

4.    Identifying the Ransomware Executable

Make sure to analyze the creation of executables from the initial compromise.

Compliment your search with both Anti-Virus signatures and YARA rules.

5.    Identify the Initial Compromise

Identifying the initial compromise is very important to protect other systems that could be vulnerable. This will help in detecting the source of the infection leading to resolving the current incident apart from helping reduce the risk of future compromise. Some of the important places to check for such compromises are temporary internet files, web-server logs, and application logs to review. Look for web-shells apart from using a combination of YARA and Anti-Virus signatures.

6.    Spear-phishing Attachment

It is important to look for a thorough analysis on Outlook web archives (PST files) using forensic tools such as Encase or pffexport (included with SIFT). Once extracted, attachments can be analyzed using YARA and Anti-virus. In addition, make sure to review- Outlooks temporary archive, and Temporary Internet Files for web-mail.

7.    Check for Lateral Movement

It is important to ensure that other systems have not been infected or obtained rogue access. Such indicators would include attacks such as:

·   Pass the hash (PtH)

·   Pass the ticket (PtT)

·   Exploitation of remote services

·   Internal spearphishing

·   SSH hijacking

·   Windows admin shares

 8.    Review Event logs to identify any potential lateral movement from the infected system

It is important to ensure having thorough in-depth logs from your endpoint security solution to validate and detect such attacks achieved via real-time monitoring.

9.    File Recovery

Ensure to use effective file recovery software to recover deleted files.

Reducing the risk of a ransomware infection:

·        Network segregation: Effective network segregation is crucial for containing incidents and minimizing disruption to the wider business Doing so limits the spread of infection across the enterprise

·        Use strong password policies – Helps greatly prevent brute force attacks, mitigate the effects of credential theft and reduce the risk of unauthorized network access along with the following principle of least privileges

·        Secure remote access: As RDP is an extremely popular attack vector, organizations must take steps to secure remote access (or disable it if it is not required). Remote access should only be provided via whitelisted networks or MFA-based VPN profiles, and limited only to users who require it for their work.

·        PowerShell: One of the most common tools used by ransomware criminals for lateral movement within a target network. It is recommended to disable PowerShell usage. In case needed, it must be closely monitored via endpoint detection and response systems.

Following parts will come up showing more approach wise techniques for each phase and methodology



Comments

  1. good and useful article i hope in the future you just came back with more practical analysis and show some real world examples with real ransomware attacks and show a full process with real world subject.and if i will happy if i can help for that.
    Good job .keep going

    ReplyDelete

Post a Comment

Popular posts from this blog

Stored XSS in Wonder CMS- CVE-2017-14522

Host Header Injection In Wonder CMS - CVE-2017-14523

Cross Site Request Forgery- Intex Router N-150 | CVE-2018-12529