Incident response handling for ransomware


Welcome readers back to my blog.

Today we will run through how to perform incident response on ransomware breaches.

Ransomware, as we all know, is an increasing menace the world over; many firms keep getting compromised one way or another by this specialized attack.

The most critical factor in incident response is how effectively firms tackle such incidents.

TL;DR:

  1. Validate the attack
  2. Gather the incident response team
  3. Analyze the incident and perform a thorough investigation
  4. Contain the incident
  5. Eradicate the malware and its traces
  6. Perform post-incident analysis and monitoring
  7. Perform a post mortem analysis and prepare the lessons learned


In this part, let’s focus mainly on the validation, analysis and containment phases.

Let’s take a look, as a refresher, at how best to handle such incidents (and others similar in nature).

1.    Initial Triage

a.      Start with the aim of limiting the infection. Measures include switching off or hibernating the infected system (in case the ransomware has not already encrypted all files on the system).

b.      In case the system cannot be turned off, it should be isolated from the network as a priority.

c.      Ransomware generally scans the target network, encrypts files stored on network shares and tries to move laterally across the network. To contain the infection and prevent the ransomware from spreading, it is important to swiftly isolate the infected systems.

d.     In case of a ransomware incident, organizations must secure their backups by disconnecting backup storage from the network or locking down access to backup systems until the infection is resolved.

2.    Attempt to identify the type of ransomware infection

a.      Try to identify the type of ransomware, such as:

i.      Opportunistic ransomware: deployed through malicious emails. These normally don’t give the attacker interactive access to your network.

ii.      Ransomware worms: built with worm-like functionality to spread quickly through networks.

iii.      Targeted ransomware: deployed by an attacker as part of an intrusion, typically across multiple systems with persistent access.


3.    Approach to detecting the ransomware

a.      Comparing the ransom note against search engine results

b.      Identifying the ransomware executable

c.      Identifying the initial infection vector

4.    Identifying the Ransomware Executable

Make sure to analyze the creation of executables from the initial compromise.

Complement your search with both anti-virus signatures and YARA rules.
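A small hunt for binaries dropped during the incident window, as an added example (not code from the original post): it identifies executables by their MZ header rather than by extension, filters them to the incident window, and hashes them so the results can be compared with anti-virus detections and YARA hits. The root path and time window are assumptions the analyst supplies.

```python
"""Hunt for executables written during the incident window (added example).

Finds Portable Executable files by their 'MZ' header rather than by extension
(renamed droppers are common), keeps those modified inside the window, and
reports a SHA-256 per file so the hashes can be checked against anti-virus
detections and YARA hits. Root path and window are caller assumptions.
"""
import hashlib
import os
import time


def is_pe_file(path):
    """True if the file starts with the DOS 'MZ' signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_new_executables(root, since, until=None):
    """Return PE files under root with mtime in [since, until] (epoch seconds).

    Modification time is used because true creation time is not available on
    every filesystem. Results are sorted oldest first so the earliest binary,
    usually the initial dropper, is listed at the top.
    """
    until = time.time() if until is None else until
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file vanished or unreadable; skip rather than abort
            if since <= mtime <= until and is_pe_file(path):
                hits.append({"path": path, "mtime": mtime, "sha256": sha256_of(path)})
    return sorted(hits, key=lambda h: h["mtime"])
```

Run it against an image mounted read-only, never the live infected disk, and feed the hashes to your scanner or threat-intelligence lookups.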

5.    Identify the Initial Compromise

Identifying the initial compromise is very important in order to protect other systems that could be vulnerable. It helps pinpoint the source of the infection, which both resolves the current incident and reduces the risk of future compromise. Important places to review for signs of compromise are temporary internet files, web-server logs and application logs. Look for web shells, and use a combination of YARA rules and anti-virus signatures.

6.    Spear-phishing Attachment

Perform a thorough analysis of Outlook archives (PST files) using forensic tools such as EnCase or pffexport (included with SIFT). Once extracted, attachments can be analyzed with YARA and anti-virus. In addition, make sure to review Outlook’s temporary archive and the Temporary Internet Files folder for web-mail.

7.    Check for Lateral Movement

It is important to ensure that other systems have not been infected or accessed by the attacker. Indicators of lateral movement include techniques such as:

·   Pass the hash (PtH)

·   Pass the ticket (PtT)

·   Exploitation of remote services

·   Internal spearphishing

·   SSH hijacking

·   Windows admin shares

8.    Review event logs to identify any potential lateral movement from the infected system

Make sure you have thorough, in-depth logs from your endpoint security solution so that such attacks can be detected through real-time monitoring and validated afterwards.
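The event log review in steps 7 and 8, as an added example (not code from the original post): the records are constructed to resemble normalised Windows Security and System events, and the infected host IP is an analyst-supplied assumption. It flags network and RDP logons, administrative share access, and service installations that point to remote execution from the infected machine.

```python
"""Flag lateral-movement indicators from an infected host (added example).

The records below are constructed to resemble normalised Windows
Security/System events (event id, logging host, source IP, logon type,
share, service). Real input would come from a SIEM or endpoint agent
export. The infected host IP is an analyst-supplied assumption.
"""

# Constructed sample events; 10.0.0.25 is the assumed infected workstation.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "FS01", "src_ip": "10.0.0.25", "logon_type": 3, "user": "svc_backup"},
    {"id": 5140, "host": "FS01", "src_ip": "10.0.0.25", "share": "\\\\*\\ADMIN$", "user": "svc_backup"},
    {"id": 7045, "host": "FS01", "src_ip": "", "service": "PSEXESVC", "user": "svc_backup"},
    {"id": 4624, "host": "APP02", "src_ip": "10.0.0.25", "logon_type": 10, "user": "svc_backup"},
    {"id": 4624, "host": "APP02", "src_ip": "10.0.0.77", "logon_type": 3, "user": "jdoe"},
    {"id": 5140, "host": "APP02", "src_ip": "10.0.0.77", "share": "\\\\*\\Public", "user": "jdoe"},
]

# Administrative shares whose remote access from a workstation is suspicious.
ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")


def lateral_movement_from(events, infected_ip):
    """Return {target_host: [reasons]} for hosts the infected IP reached.

    Network (type 3) and RDP (type 10) logons from the infected IP, admin
    share access from it, and services installed on a host it logged on to
    are each recorded as a reason. Hosts never touched by that IP are omitted.
    """
    findings, touched = {}, set()
    for ev in events:
        host, reasons = ev["host"], []
        if ev["src_ip"] == infected_ip:
            share = ev.get("share", "").split("\\")[-1].upper()
            if ev["id"] == 4624 and ev.get("logon_type") == 3:
                reasons.append("network logon (4624/type 3) from infected host")
            elif ev["id"] == 4624 and ev.get("logon_type") == 10:
                reasons.append("RDP logon (4624/type 10) from infected host")
            elif ev["id"] == 5140 and share in ADMIN_SHARES:
                reasons.append("admin share access (5140): " + ev["share"])
            if reasons:
                touched.add(host)
        # A new service on a host the infected machine reached (e.g. PsExec's
        # PSEXESVC) is a classic sign of remote execution, whatever its source IP.
        if ev["id"] == 7045 and host in touched:
            reasons.append("service installed (7045): " + str(ev.get("service")))
        if reasons:
            findings.setdefault(host, []).extend(reasons)
    return findings
```

Every host that appears in the result should be pulled into the containment scope and checked for the same ransomware executable found in step 4.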

9.    File Recovery

Use effective file recovery software to recover deleted files; ransomware commonly deletes the original files after encrypting them, and deleted data can only be recovered while it has not been overwritten.

Reducing the risk of a ransomware infection:

·        Network segregation: Effective network segregation is crucial for containing incidents and minimizing disruption to the wider business. Doing so limits the spread of infection across the enterprise.

·        Use strong password policies: These greatly help prevent brute-force attacks, mitigate the effects of credential theft and reduce the risk of unauthorized network access, especially when combined with the principle of least privilege.

·        Secure remote access: As RDP is an extremely popular attack vector, organizations must take steps to secure remote access (or disable it if it is not required). Remote access should only be provided via whitelisted networks or MFA-based VPN profiles, and limited only to users who require it for their work.

·        PowerShell: One of the most common tools used by ransomware operators for lateral movement within a target network. It is recommended to disable PowerShell where it is not needed; where it is needed, it must be closely monitored via endpoint detection and response systems.

Following parts will show more techniques and methodology for each phase.



Comments

  1. Good and useful article. I hope in the future you come back with more practical analysis and show some real-world examples with real ransomware attacks, showing a full process with a real-world subject. And I will be happy if I can help with that.
    Good job, keep going.
