Important considerations for a ransomware attack

October 31st, 2020 by Stephen Jones Leave a reply »

This post contains general information only, offered in good faith, and cannot consider every customer’s environment or risk. Synergy Software Systems is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, consult a qualified professional advisor. You acknowledge that Synergy Software Systems shall not be responsible for any loss sustained by you or any person who relies on this publication.

If your network suffers a ransomware attack, your IT staff will probably want to start investigating and stopping the attack immediately, before an outside incident response firm can assist. This guidance is meant to help you prepare your strategy, policies, response procedures and checklists in advance, so that your first responders can identify the priorities for containing a ransomware attack and avoid the common pitfalls that hinder later investigation and recovery.

• Notify your incident response partner and cyber insurance agent (if you have these relationships in place).
• Be aware of any statutory, regulatory or contractual notification requirements, for example to notify authorities or regulators (a GDPR personal data breach must be reported to the supervisory authority within 72 hours), or trading partners that rely on your services or integrated systems, perhaps under SLAs with financial penalties.
• Stop any malicious encryption software that may still be running.
• If you suspect a server or workstation is still encrypting data, power it off as quickly as possible; this is the only reliable way to stop encryption in progress, at the cost of whatever was in memory.
• If continued encryption is not a concern on a system, leave it powered on but disconnect it from the network, since RAM may hold forensic data (running processes, network connections, credentials and in some cases the malware’s key material).
• Disconnect network attached storage (NAS) systems from the network immediately and until you can validate that all systems are free of ransomware.
• Isolate critical systems to prevent further spread of the malware.
• Isolate backups and backup servers.
• Shut down servers or disconnect them from networks.
• Shut down wide area network tunnels.
• Disable any employee remote access services that do not use multi-factor authentication (MFA).
• Disable VPNs or whitelist source IPs to known employees.
• Disable Remote Desktop Protocol (RDP) services or whitelist source IPs to known employees.
• Create new domain administrator accounts for critical IT staff, with new strong passwords, and confirm they work before going further.
• Then disable all existing domain administrator accounts. This blocks new logins, but note that Kerberos tickets already issued to those accounts remain usable until they expire; only resetting the krbtgt account password invalidates tickets that are already out.
• Disable malware command-and-control channels.
• Disable outbound web traffic.
• Disable all other outbound services/protocols through the firewall.
• Collect and retain logs that are not already in a centralized archive.
• Windows security event logs can by default be overwritten within days (the oldest events are discarded once the log reaches its maximum size), so copy the folder c:\windows\system32\winevt\logs from any domain controllers, RDP servers and other key impacted servers to a safe place. Because the live .evtx files are held open by the Event Log service, prefer an export with wevtutil epl (or a copy from a volume shadow copy) to a plain file copy, so the export is consistent.
• Firewall and VPN logs are also overwritten quickly, so export VPN access logs and firewall traffic logs to a safe place as well.
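The domain administrator steps in the list above (create new accounts for responders, then disable the existing ones, bearing in mind that outstanding Kerberos tickets survive the disable) as a PowerShell script. This is an added example, not code from the original post or from Synergy Software Systems; the account name ir-breakglass, the report path and the -ResetKrbtgt switch are assumptions of the example, and it requires the RSAT ActiveDirectory module, run from a clean workstation by an account that is still a Domain Admin.

```powershell
# Added example, not code from the original post: emergency lockdown of
# domain-admin access during containment. Run from a clean, isolated
# workstation with the RSAT ActiveDirectory module, as an existing Domain Admin.
# The break-glass account name, report path and -ResetKrbtgt switch are
# assumptions of this example, not part of the original checklist.
param(
    [string]$BreakGlass = "ir-breakglass",
    [string]$Report     = "C:\IR\domain-admin-lockdown.csv",
    [switch]$ResetKrbtgt
)
$ErrorActionPreference = "Stop"   # any failure aborts before we lock ourselves out
Import-Module ActiveDirectory

function New-RandomPassword {
    # 32 random bytes as base64: far too long to guess, and never reused anywhere.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}
function ConvertTo-Secure([string]$s) { ConvertTo-SecureString $s -AsPlainText -Force }

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator     # make every change on one DC and let it replicate

# 1. Create the responders' account first and prove it can authenticate,
#    so the old accounts are only disabled once a working replacement exists.
$pw = New-RandomPassword
New-ADUser -Server $pdc -Name $BreakGlass -SamAccountName $BreakGlass `
    -AccountPassword (ConvertTo-Secure $pw) -Enabled $true
Add-ADGroupMember -Server $pdc -Identity "Domain Admins" -Members $BreakGlass
$cred = New-Object -TypeName PSCredential -ArgumentList "$($domain.NetBIOSName)\$BreakGlass", (ConvertTo-Secure $pw)
Get-ADUser -Server $pdc -Identity $BreakGlass -Credential $cred | Out-Null   # throws if the new login fails
Write-Host "Break-glass password (record offline, then clear this console): $pw"

# 2. Disable every other user in the top privileged groups, keeping a record
#    so access can be restored deliberately later. The built-in Administrator
#    (RID 500) is kept enabled as a recovery path but gets a new password.
#    Enterprise Admins only exists in the forest root, hence the error suppression.
$privileged = "Domain Admins", "Enterprise Admins" |
    ForEach-Object { Get-ADGroupMember -Server $pdc -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Where-Object { $_.objectClass -eq "user" } |
    Sort-Object -Property SamAccountName -Unique

$actions = foreach ($m in $privileged) {
    if ($m.SamAccountName -eq $BreakGlass) { continue }
    if ($m.SID.Value -like "*-500") {
        $adminPw = New-RandomPassword
        Set-ADAccountPassword -Server $pdc -Identity $m.DistinguishedName -Reset -NewPassword (ConvertTo-Secure $adminPw)
        Write-Host "Built-in Administrator password (record offline): $adminPw"
        $what = "password reset, left enabled"
    } else {
        Disable-ADAccount -Server $pdc -Identity $m.DistinguishedName
        $what = "disabled"
    }
    [pscustomobject]@{ When = Get-Date; Account = $m.SamAccountName; DN = $m.DistinguishedName; Action = $what }
}
$actions | Export-Csv -Path $Report -NoTypeInformation

# 3. Disabling an account blocks new logons, but Kerberos tickets the attacker
#    already holds stay valid until they expire (10 hours for a TGT by default),
#    and forged "golden" tickets are not affected at all. Only a change of the
#    krbtgt password invalidates them. Microsoft's guidance is to reset it twice,
#    waiting for replication between the resets; each reset forces everyone
#    holding an older ticket to re-authenticate, so coordinate the timing.
if ($ResetKrbtgt) {
    Set-ADAccountPassword -Server $pdc -Identity krbtgt -Reset -NewPassword (ConvertTo-Secure (New-RandomPassword))
    Write-Host "krbtgt reset once on $pdc. Repeat after replication has completed."
}
```

Run it without -ResetKrbtgt first, confirm the break-glass account can log on to a domain controller, then run the krbtgt reset as a separate, announced step; the CSV it writes is the list you will work from when re-enabling accounts after recovery.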
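The log preservation step above as a PowerShell script to run, elevated, on each domain controller, RDP server or other key server before anything else is done to it. This is an added example, not code from the original post; the evidence share path is hypothetical, and the Sysmon channel is collected only where it exists.

```powershell
# Added example, not code from the original post: preserve Windows event logs
# from a domain controller or RDP server before log rotation overwrites them.
# Assumptions: run in an elevated PowerShell session on the affected host;
# $Dest is an evidence share or removable volume the attacker cannot reach
# (the path below is hypothetical).
param(
    [string]$Dest = "\\evidence-srv\ir-2020\$env:COMPUTERNAME"
)
$out = Join-Path $Dest (Get-Date -Format "yyyyMMdd-HHmmss")
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Channels that most often record the attacker's logons, RDP sessions and tooling.
$logs = @(
    "Security",
    "System",
    "Application",
    "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
    "Microsoft-Windows-PowerShell/Operational",
    "Microsoft-Windows-Sysmon/Operational"   # only present where Sysmon is installed
)

# 1. Record how much history each log still holds, so the report can say
#    whether evidence was already lost to rotation before collection.
$retention = foreach ($name in $logs) {
    $info = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $info) { continue }
    $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $oldestTime = $null
    if ($oldest) { $oldestTime = $oldest.TimeCreated }
    [pscustomobject]@{
        Log         = $name
        MaxSizeMB   = [math]::Round($info.MaximumSizeInBytes / 1MB, 1)
        Records     = $info.RecordCount
        Mode        = $info.LogMode   # Circular: oldest events are overwritten when full
        OldestEvent = $oldestTime
    }
}
$retention | Export-Csv -Path (Join-Path $out "log-retention.csv") -NoTypeInformation

# 2. Export each live channel with wevtutil, which produces a consistent .evtx
#    even though the Event Log service has the file open.
foreach ($name in $logs) {
    if (-not (Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue)) { continue }
    $file = Join-Path $out (($name -replace '[\\/]', '_') + ".evtx")
    wevtutil.exe epl "$name" "$file"
}

# 3. Also take a raw copy of the whole log folder in backup mode (/B), so
#    channels not in the list above are kept too.
robocopy.exe "$env:SystemRoot\System32\winevt\Logs" (Join-Path $out "winevt-Logs") `
    /E /B /R:1 /W:1 /NFL /NDL | Out-Null

# 4. Hash everything collected and write the manifest next to it, so the
#    evidence can later be shown to be unaltered.
Get-ChildItem -Path $out -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $out "SHA256SUMS.csv") -NoTypeInformation

Write-Host "Logs from $env:COMPUTERNAME preserved under $out"
```

The log-retention.csv it writes is worth reading straight away: if the oldest Security event on a domain controller is only a day or two old, the logs that would have shown the initial intrusion are probably already gone, and the investigation will have to lean on firewall, VPN and endpoint data instead.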

DEVELOP A RECOVERY STRATEGY
At this point evaluate and develop an investigation and recovery strategy. Examples of key next steps include:
• When needed, completing the engagement of a legal firm and/or incident response firm
• Determining the state of storage systems and status of online and offline backups
• Creating an inventory of impacted systems
• Prioritizing applications for recovery
• Creating an inventory of sensitive or high-risk data that could have been stolen
• Evaluating potential risk to cloud email accounts or other cloud services

PITFALLS TO AVOID
In the case of an incident, your organization will want to avoid the following.
• DESTROYING CRITICAL DATA
IT staff often delete encrypted files or impacted virtual machines to free space for recovery, only to learn that the associated backups are missing or corrupt. Be sure to retain copies of all encrypted or impacted files and systems until after backups are validated and restores are complete, even if it means you have to slow down recovery to add temporary storage and copy potentially unneeded data.

• DESTROYING EVIDENCE
Deleting files or virtual machines, or performing other recovery activities before taking steps to preserve disk images, logs and other evidence, can destroy artifacts that could be used later to help tell the story of how the attacker got in and what data they stole.

• OPTIMISTIC ASSUMPTIONS
There is often a tendency to underestimate the attacker early on and to assume it is unlikely that they accessed some critical system or set of sensitive data, perhaps because of a belief that the data would have been too hard to find or too difficult to extract. The organization may then base its decisions about investigation and notification on these optimistic assumptions rather than on what the evidence actually shows.

• LEAKING INFORMATION TO THE ATTACKER
Be aware that the attacker may be monitoring your communications during and after the attack. For example, do not disclose your insurance policy’s ransom coverage limit in a public board meeting discussing the community’s response options, or the attacker will simply raise their demand to match the policy limit. Social media comments by staff may also alarm your customers, so consider how you will handle communications to your trading partners as well.

As cybercrime becomes ever more targeted and well resourced, ensure you have a strategy in place, just in case. Review the security tools you use. Define policies and ensure they are followed, for example:
• use of strong, unique passwords backed by multi-factor authentication
• backups, tested regularly and with offline or otherwise isolated copies
• training of new users, and refresher training

Install and use security systems, e.g.
• Physical access controls
• Firewalls
• Anti-malware tools
Consider whether cloud migration or managed services are a better option.
