Ransomware attacks have increased in volume, morphing and evolving through the years, especially recently, into the debilitating attacks we see today. According to the 2H 2020 Global Threat Landscape Report from FortiGuard Labs, ransomware attacks increased sevenfold in the second half of 2020 and became even more disruptive. Tactics from threat actors continue to shift, and defenders need not only to keep getting the “basics” of defensive strategy right but also to continuously evaluate their own organization’s security policies to ensure they still provide adequate responses against today’s ransomware threat actors. CISOs are now faced with a harsh reality: it’s less a matter of if, but when they will be attacked. For that reason, it’s important to have a ransomware response plan in place before an attack occurs.
When a ransomware attack occurs, taking the right steps is essential to minimize the impact on you, your team, and your organization. Once an attack occurs, panic can spread through the organization and create bigger issues. CISOs know that surviving a ransomware attack requires a ransomware incident response plan, but the challenge is finding the time to document a full plan and having the right resources to implement it when needed.
Preparedness is critical. You should already have a ransomware response plan in place before you’re impacted by a security incident or data breach. But what exactly goes into an effective response plan? We’ve put together an 11-step ransomware checklist so you know exactly what to do if your organization is targeted by a sophisticated threat actor.
FortiGuard Labs' research shows that almost all areas around the world are targets. For this reason, it is important to keep in mind that no sector is safe from ransomware. Organizations should consider this ransomware attack response checklist to effectively deal with an active ransomware attack:
Once you realize you’ve been targeted, you need to stay calm and act purposefully. If you did not have a response plan in place or were caught off guard, reach out to your security vendor for help or report the incident to your insurance company; they may already have a list of expert security providers who can help you.
Many organizations will use incident response services such as the FortiGuard Responder Team. Next, consider the potential impact the security incident may have. Take into account not only the obviously compromised areas, such as data encryption and application removal, but also additional areas of potential compromise. Keep a running list of all areas that may be affected.
There are multiple techniques to isolate the threat and stop it from spreading. First, identify the range of the attack. If the incident is already known to be widespread, implement blocks at the network level (i.e., isolating traffic at the switch or the firewall edge) or consider temporarily taking down the internet connection. If the incident scope is confirmed to be narrower, infecting only a few systems, isolate those devices at the device level by unplugging the Ethernet cable or disconnecting from Wi-Fi.
If available, endpoint detection and response (EDR) technology may block the ransomware attack at the process level, which is the best immediate option because it causes minimal business disruption. Most ransomware attackers find a way into your organization through a weakness such as an exposed RDP service, phishing emails, or similar methods.
Many of the tactics, techniques, and procedures (TTPs) of each ransomware variant are publicly documented. Determining which strain you are dealing with can give you clues on the location of the threat and how it is spreading. Depending on the variant, some decryption tools may already be available for you to decrypt your ransomed files.
Learn more about the latest ransomware variants and how to respond to them with our Threat Research blog.
Determining the initial access point, or “patient zero,” will help you identify and close the hole in your security. Common initial access vectors are phishing, exploits against your edge services (such as Remote Desktop services), and the unauthorized use of credentials. Determining the initial point of access is sometimes difficult and may need the expertise of digital forensics teams and IR experts.
Identify any active malware or persistent leftovers on systems that are still communicating with the command-and-control (C2) server. Common persistence techniques include creating new processes that run the malicious payload, using Run registry keys, or creating new scheduled tasks.
Oftentimes, ransomware attackers not only encrypt your files but also exfiltrate your data. They do this to increase the chances of ransom payment by threatening to post things like proprietary or embarrassing data online. They may even contact your business partners if they identify any of their data among what was stolen and threaten them as well. Look for signs of data exfiltration, such as large data transfers, on your firewall edge devices. Search for odd communications from servers going to cloud storage applications.
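The two hunts described in the last two paragraphs, leftover C2 communication and large transfers to cloud storage, can both be run over the same outbound firewall log. The script below is an added example, not code from the original post or from Fortinet; the log line format, the sample lines, the beacon-regularity threshold, the 500 MiB transfer threshold and the cloud-storage hostname hints are all assumptions chosen for illustration. It flags (source, destination) pairs whose connections arrive at nearly constant intervals (timer-driven beaconing looks different from a person browsing) and pairs whose summed outbound bytes exceed the threshold.

```python
"""Triage outbound firewall logs for two ransomware-incident signals:
(1) beacon-like, regularly spaced connections to one external host (possible C2),
(2) unusually large outbound transfers, especially to cloud storage services.
Added example; the log format and thresholds are assumptions, not a vendor format."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic). Assumed format:
# "<ISO timestamp> src=<ip> dst=<host> bytes_out=<n>"
SAMPLE_LOG = """\
2024-03-01T08:00:00 src=10.0.0.5 dst=updates.example.com bytes_out=2100
2024-03-01T08:05:00 src=10.0.0.5 dst=updates.example.com bytes_out=2080
2024-03-01T08:10:01 src=10.0.0.5 dst=updates.example.com bytes_out=2120
2024-03-01T08:15:00 src=10.0.0.5 dst=updates.example.com bytes_out=2090
2024-03-01T08:20:00 src=10.0.0.5 dst=updates.example.com bytes_out=2110
2024-03-01T09:12:10 src=10.0.0.7 dst=files.cloud-storage.example bytes_out=734003200
2024-03-01T09:40:42 src=10.0.0.7 dst=files.cloud-storage.example bytes_out=891289600
2024-03-01T10:03:00 src=10.0.0.9 dst=www.example.org bytes_out=5400
2024-03-01T11:15:00 src=10.0.0.9 dst=mail.example.org bytes_out=12000
2024-03-01T14:02:00 src=10.0.0.9 dst=www.example.org bytes_out=7000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Hostname fragments that suggest a cloud storage service (assumption for the demo).
CLOUD_STORAGE_HINTS = ("storage", "drive", "share", "upload", "files")


def parse_log(text):
    """Parse the assumed log format into dict records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "bytes_out": int(m["bytes"]),
        })
    return records


def find_beacons(records, min_events=5, max_cv=0.10):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.
    A coefficient of variation (stdev / mean) at or below max_cv over at least
    min_events connections is characteristic of a scheduled check-in."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    hits = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst,
                         "interval_s": round(avg), "cv": round(cv, 4)})
    return hits


def find_large_transfers(records, threshold_bytes=500 * 1024 * 1024):
    """Sum bytes_out per (src, dst) and flag totals at or above the threshold,
    noting whether the destination name looks like a cloud storage service."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["src"], r["dst"])] += r["bytes_out"]
    hits = []
    for (src, dst), total in sorted(totals.items()):
        if total >= threshold_bytes:
            hits.append({
                "src": src, "dst": dst, "bytes_out": total,
                "cloud_storage": any(h in dst.lower() for h in CLOUD_STORAGE_HINTS),
            })
    return hits


def triage(text):
    """Run both detections over a log text and return the findings."""
    records = parse_log(text)
    return {"beacons": find_beacons(records),
            "large_transfers": find_large_transfers(records)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind)
        for h in hits:
            print("  ", h)
```

On a real log the thresholds need tuning against a baseline from before the incident: legitimate update clients also beacon on a timer, so a flagged pair is a lead for the responder to check against the variant's known C2 infrastructure, not a verdict on its own.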
A ransomware attack will attempt to wipe your online backups and volume shadow copies to decrease the chances of data recovery. Because of this, ensure your backup technology was not affected by the incident and is still operational. In many ransomware attacks, the attackers have been in your network for days, if not weeks, before deciding to encrypt your files. This means that you may have backups that contain malicious payloads you do not want to restore to a clean system. Scan your backups to determine their integrity.
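One concrete way to check a backup set before restoring it, as an added example that is not part of the original post: compare every file against a SHA-256 manifest recorded when the backup was taken, report files that were modified, added or removed since then, and flag files whose bytes look encrypted (high Shannon entropy) rather than like the documents they claim to be. The manifest format, the entropy threshold, the list of already-compressed extensions and the constructed demo backup are assumptions for illustration.

```python
"""Verify a backup set against its hash manifest and look for encrypted content.
Added example; the manifest format and thresholds are assumptions."""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

# Formats that are high-entropy by design; skipped by the entropy check to cut
# false positives (assumption: extend to whatever your backups actually hold).
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}


def sha256_file(path):
    """Stream a file through SHA-256 so large backup files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte: encrypted or random data approaches 8.0, plain text is around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_backup(root, manifest, entropy_threshold=7.5, sample_bytes=65536):
    """manifest maps backup-relative path -> expected SHA-256 hex digest.
    Returns only the non-empty finding categories; an empty dict means clean."""
    findings = {"modified": [], "missing": [], "unexpected": [], "high_entropy": []}
    present = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            present.add(rel)
            if rel not in manifest:
                findings["unexpected"].append(rel)
            elif sha256_file(full) != manifest[rel]:
                findings["modified"].append(rel)
            if os.path.splitext(rel)[1].lower() not in COMPRESSED_EXTS:
                with open(full, "rb") as f:
                    head = f.read(sample_bytes)
                if shannon_entropy(head) >= entropy_threshold:
                    findings["high_entropy"].append(rel)
    findings["missing"] = list(set(manifest) - present)
    return {k: sorted(v) for k, v in findings.items() if v}


def build_demo_backup():
    """Constructed backup set (not real data) exercising every finding category:
    one intact file, one changed since the manifest, one renamed and filled with
    pseudo-random bytes (as an encrypted file would be), and one unexpected file."""
    root = tempfile.mkdtemp(prefix="backup_check_")
    # Deterministic pseudo-random bytes standing in for encrypted content.
    encrypted_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    files = {
        "docs/report.txt": b"Quarterly report: revenue up 4%, headcount stable.\n" * 40,
        "docs/plan.txt": b"Project plan, revised after the manifest was taken.\n" * 40,
        "finance/ledger.csv.locked": encrypted_like,
        "RESTORE_FILES.txt": b"constructed placeholder for a file the backup never held\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    manifest = {
        "docs/report.txt": hashlib.sha256(files["docs/report.txt"]).hexdigest(),
        "docs/plan.txt": hashlib.sha256(b"Project plan, original version.\n" * 40).hexdigest(),
        "finance/ledger.csv": "0" * 64,  # placeholder digest of the file as originally backed up
    }
    return root, manifest


if __name__ == "__main__":
    demo_root, demo_manifest = build_demo_backup()
    try:
        for category, paths in check_backup(demo_root, demo_manifest).items():
            print(f"{category}: {paths}")
    finally:
        shutil.rmtree(demo_root)
```

The manifest only helps if it was captured and stored somewhere the attacker could not reach (offline or write-once storage), because a manifest living next to the backups gets wiped or rewritten along with them. Entropy alone also cannot distinguish an encrypted file from a legitimately compressed one, which is why the check skips known compressed formats and why a "high_entropy" hit is a prompt to inspect, not proof of encryption.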
If you feel confident in your ability to identify all of the active malware and instances of persistence in your systems, then you may be able to save some time by not rebuilding. However, it may be easier and safer to create new, clean systems. You may even consider building an entirely separate, clean environment that you can then migrate to. This should not take too long if you are running a virtual environment. When rebuilding or sanitizing your network, ensure the appropriate security controls are installed and configured according to best practices so that devices do not become reinfected.
It’s important to report the incident. You should also determine whether reporting to law enforcement is needed or legally required. Your legal team can help address any legal obligations around regulated data, such as PCI, HIPAA, etc. If the ransomware attack is severe and your business spans multiple geographic regions, you may need to contact national law enforcement services instead of a local or regional law enforcement agency.
Law enforcement advises against paying the ransom. However, if you are considering it, you should hire a security company with specialized skills to help you. Additionally, paying the ransom or working out a settlement will not remediate the weaknesses the attackers exploited, so it is still essential to ensure you have identified the initial access point and patched the vulnerabilities.
Review your ransomware incident response to understand what went right and to document opportunities for improvement. This ensures the continuous improvement of your response and recovery capabilities for the future. Consider simulating the technical and nontechnical details of the attack in red team and table-top exercises so you can review your options. You can also consider proactive playbook building focused on different attack scenarios such as ransomware. If IT or security team staffing is limited, consider building a playbook with the help of a service.
Need further assistance in developing an incident response plan or ransomware playbook? Learn more about Fortinet’s FortiGuard Incident Response Plan Service.