To bring to a close the series of articles dedicated to ransomware; which covered preventive measures (parts I and II) and various detection techniques, this new blog article will explain the actions to take to respond to a ransomware infection.
After a ransomware infection, computer files, USB sticks and shared network folders usually become encrypted. This process is generally not known about until it has been completed, although it is possible to detect it earlier, allowing more effective action to be taken and possibly minimising the consequences of the infection.
In response to detecting ransomware, the following steps should be followed, in order.
- Disconnect network interfaces For a wired network, the most efficient way of doing this is to disconnect the RJ-45 network. For a wireless network, the Wi-Fi should be disabled. This will prevent the ransomware from spreading and affecting other computers on the same network.
If it is not possible to physically disconnect network interfaces, this can be done by disabling the network interfaces on the computer or using anti-virus software functionalities, which allow communications to be blocked.
If this is not possible either, then all communication with other computers should be limited at the security perimeter.
- Check if the process is still being executed. To do this, we can use tools such as Sysinternals’ Process Explorer.
- Terminate the execution of the malicious process. If the process has been identified as indicated in the previous section, its execution must be terminated.
- Start the computer in Safe Mode. This will disable any component that is not part of the operating system, thus preventing the malware from running again.
- Backup the computer. This should be a complete copy of the computer, including encrypted and non-encrypted data and should be made on to a storage device completely separate from the computer. This may be useful in the future if the encryption key is released.
In any case, it is recommended to work on the initial backup copy of the computer
- Report the security incident to the appropriate team or person. In this case, one option is to report it to INCIBE–CERT, providing the necessary information according to the section “Reporting the incident”.
- Assess the scenario. The situation and the scope of the infection should be analysed to determine the best method to follow when it comes to restoring normality to the affected systems.
Figure 1. Diagram of assessing the scene
In all situations, it is advisable to collect any evidence that may be useful before tampering with the computer, such as strange files found, tools used by the malware, strange network communications detected.
Reporting the incident
When it comes to notifying the appropriate authorities of a ransomware incident, the following information should be provided:
- Backup status. The best scenario, in terms of backups, is to have one that contains the data affected by the ransomware. Firstly, a backup of the encrypted files should be made to secure the data in case the restoration fails. Then, the affected systems should be cleaned or replatformed, and finally, the original data should be restored.
- Scope of the infection. To determine the scope of the infection, it is necessary to carry out the actions described in the “General procedure” section on every one of the computers in the network to determine if they are infected or not.
- Scope for devices that are not computers. Many companies’ most important files are stored in network drives, so these should also be examined to see if they have been affected by the ransomware.
It is essential to isolate these assets as soon as possible, irrespective of whether infection has occurred.
- Scope of the encryption in computers. This data can determine which family of ransomware is being dealt with, as not all of them encrypt the entire computer. Some, for example, only encrypt personal files.
- File extension that has been used for encryption.
- Ransom note. When the encryption of the computer has been completed, some sort of ransom note will appear for payment. This could be useful to identify the type of malware and could be presented as a text file on the desktop or directly as a wallpaper.
- Start of the infection. This information, which also contributes to the classification and identification of the ransomware can be found by following the guidelines described in the article on detection.
- Procedure followed until the moment of notification. Sometimes, depending on the type of ransomware that caused the infection, it is possible to recover the information using shadow copies.
- All the information gathered on the malware in question. Memory dump, running process, strange files found, tools used by the malware, strange network communications detected, sample of encrypted data...
- Any other information that could be of interest.
Assessment of scenarios
After carrying out the steps described in the section “General procedure” it is highly recommended to carry out an internal evaluation, considering the effect of the ransomware on different fields, such as such as assets and productivity, with the next goal always being to regain access to the lost data.
Below, all of the possible scenarios are shown, ordered from the most favourable (where the computer is backed up) to the least favourable (where the computer is not backed up and the data cannot be recovered in any other way):
- The computer is fully backed up. This is the best scenario, in which the computer will be wiped clean and then the latest backup restored.
- There is a decryption tool available. This scenario usually occurs when the ransomware is not very recent and has been previously analysed along with its code. Due to this there is a tool that allows the data to be decrypted.
- There are Shadow Copies available. In this case, to get back to normal, it would only be necessary to restore the backup copies that Windows automatically makes of the files, using Shadow Explorer, for example. However, the ransomware often makes this action impossible.
- Files can be recovered using forensic software. It is most likely that 100% of the data will not recovered, but this could be an effective way of recovering important data.
- If none of the above are possible, the only remaining option is to preserve the encrypted files to be decrypted in the future. It is possible that in the future the files can be decrypted with a specific tool. If so, this scenario would bring us back to the scenario described in section one.
To continue using the affected computer in this scenario, it is recommended to take the following actions:
- Firstly, clone the computer to preserve the encrypted information, always in isolation.
- Secondly, evaluate the computer's security to find out how it was infected.
- Finally, replatform the computer and change all passwords that may be saved on it as a security measure.
Figure 2. Diagram of the general response procedure
If replatforming is not possible, the computer should be cleaned as far as possible, paying special attention to any executables that may have originated the malware processes or services so the computer does not become re-encrypted.
Regardless of the scenario an option that should never be considered it to pay the ransom to rescue the computer, given that there is no guarantee that attackers will respond with the code or tool to decrypt the computer; they may ask for more money or the victim could become a target for future attacks.
According to Symantec, in 2017 one in five companies did not recover their data after paying the ransom. This is why it is never recommended to pay the ransom. In addition, the decrypting tools provided by cybercriminals are often manual and require a great deal of time and human resources to restore a computer to normality.
After the attack, there should be retrospective analysis of the incident, irrespective of its severity and the disruptions caused. This task should involve all relevant parties in the company who will review which factors, due to malfunctioning or misconfiguration, have allowed the attack to occur, as well as those that have worked correctly and prevented it from having a greater impact. In this way the vector of entry can be identified and corrected.
The aim of this type of analysis is to improve response and reduce the possible entry routes for future attacks, thus reducing response time and correcting errors in the organisation's structure, such as the habitual misuse of firewalls, vulnerable open ports or outdated equipment.
Through these lessons learned, a more structured protocol can be created to help improve the response to a future attack, thus avoiding previous procedures that have slowed down management.
This type of protocol should be periodically reviewed to ensure a correct response and include training days focused on cybersecurity for users
The most important point in the response to a ransomware attack is not to give in to the threats of cybercriminals by paying the ransom. There is no guarantee that they won’t ask for a further sum of money or that they will actually provide the decryption key after the ransom has been paid. What's more, the company could become a target for future attacks, as the attackers think that an organisation that has already “given in” once might do so again. The ransom money paid could also encourage the continuation of their criminal activity by funding their activities and infrastructure