Ransomware is one of the fast-growing threats worldwide and it’s considered as a leader of the Global cyberattack in recent days which cause some dangerous issues and losses in many organizations and individuals.
Here is the Ransomware response Checklist for Attack Response and Mitigation.
Ransomware is a turnkey business for some criminals, and victims still pay the ever-increasing demands for ransom, it’s become a billion-dollar industry that shows no signs of going away anytime soon.
The cost of Ransomware attacks Crossed more than $ 1 billion in a single year alone and day by day the number of Ransomware attacks is increasing and threatening around the world.
Here we will see the important ransomware response checklist and mitigation techniques for Sophisticated Ransomware attacks.
A common factor of Ransomware is that very strong Encryption(2048 RSA key) methods are used for all the Ransomware variants which is estimated to take around 6.4 quadrillion years to crack an RSA 2048 key by an average desktop computer.
The wide availability of advanced encryption algorithms including RSA and AES ciphers made ransomware more robust.
Ransomware is using Bitcoin Payment that is untraceable and Every Ransomware variant is demanding a different bitcoin amount to get the decryption key.
Sometimes attackers can provide the decryption key time they won’t even if you paid. Instead of that, they force the victim to infect another Few People to get the decryption key.
To Maintain Anonymity, attackers always use the “Tor”(The Onion Router) to Establish the Communication to Victim which helps an attacker to hide their IP Address since the Tor network is created by thousands of nodes in different countries You cannot browse TOR sites using a regular Internet browser.
Also Read the List of Ransomware variants distributed
Symptoms of Infection – Ransomware Response Checklist
A window has opened that you can’t close that contains Ransomware Program and instructions. A warning countdown program instructs you how to pay to unlock your file and Device.
A Countdown program warns you that, there is a countdown to the Deadline to pay else you can no longer Decrypt the file or the Ransome amount will be increased.
Suddenly you can’t open the file or et errors such as the file is corrupted.
You can See Different Directories that say HOW TO DECRYPT FILES.TXT Or some related instruction.
Ransomware Entry Point and Infection Vector
A user will receive an email with a malicious Link in the body content. once you Click the link that will Download A File that Contains Ransomware.
Email Looks like from Major Brand, Social Engineering, or Seeking.
A user will receive an email with an Attached Innocent file. once a user opens the file then it will be Triggered in the victim’s computer and finally, he will be victimized by Ra; ransomware.
Ex: urgent Requirement, Job offers, Common Zip file, Sense of Urgency to open Document, Money Transferred.
A Malicious Document Contains Embedded Hyperlink. when the user clicks the hyperlink then I will go out to the internet and download the Malicious File that contains the Ransomware variant.
Ex: normal Looking Document, Innocent Looking Hyperlink, linked to Ransomware.
Websites & Downloads
Users Browser the infected site and Compromised website and download software and they think it a genuine software but it actually contains a Ransomware variant.
Ex: General Browsing, Porn Websites, File Download from Bit Torrent, PC Downloads, Play Stores.
Drive by Infection
A User Browser with an old Browser, a Malicious plug-in, and an unpatched third-party application will infect the machine and spread via infected users within the organization and file-sharing platforms such as IRC, Skype, and other Social Media.
infected sites will redirect the user to the exploit kit and it will have a concern about ransomware exploits which will later download and exploit the ransomware.
Ex: No user interaction for some time, Malvertising.
Incident Response and Mitigation
Once you feel that you’re infected or you find some unusual activities occur in your network then the following Steps are urged to take for Mitigation.
Finding the Indicator of Compromise
During the Encryption Process, File Extention will be Changed with a new type of extension that you have not seen it before.
so collecting the Known Ransomware file Extention and monitoring the Extensions. This will help you to identify the Ransomware even before the incident will be occurred.
In this case, the existing file extension remains the same but a new file extension will be created during the encryption process and a new extension will be added next to the normal file extension of the infected file.
Check all unusual Ransomware related File Extention Types – Ransomware file Extention.
Bulk File Renamed
Monitoring a large number of Files being Renamed with your network or your computer. It will be a good indicator of being compromised by ransomware.
Check whether any of the large-volume file names have changed with your Asset.
Using Behaviour analysis will help to identify you to find any number of files being changed or suddenly used in your network when compared to normal uses.
Security tools such as Endpoint Protection, Antivirus, and Web content filtering in your organization may allow you to filter the content that your access on the internet Analyzing the behavior of your network and your computer will help you to find the behaviourally based indications.
It will monitor the normal behavior of the user baseline and if there will be some unusual things that occur then it will intimate you to have a look at it.
The intrusion detection and prevention system that you have implemented into your network will prevent calling back unusual files and encrypting your file.
Also, it will prevent you from downloading an encryption key from the command and control server and stop being encrypted your files in your system.
Ransomware notes are an Explicit indicator of compromise that popups into your screen and tell you to pay some demanding ransom amount to pay.
It’s one of the First indicators of a ransomware attack that most people should be aware of it.
A report from the user to the help desk that they cannot open files or cannot find the files and also the PC is Running Slow.
Ensure that you’re organization’s help desk professionals are fully trained to Face the ransomware impact and take appropriate mitigation steps.
What next: if you’re Infected
Once you find and confirm that your computer or network has been infected then immediately take the following actions.
Disconnect the Network – Ransomware Response Checklist
Completely Disconnected the infected computer from any network and isolate it completely.
Remove all the Storage Devices such as External Hard Drives, USB drives, and other Storage Devices.
Turn off Any Wireless Devices such as a router, WiFi, Bluetooth other wireless devices that you have in your organization.
Simply unplug the computer from the network and any other storage devices.
Don’t Try to Erase anything such as clean up your devices, format, etc. This is very important for the investigation process.
Determine the Scope
In this case, you need to evaluate how much of your organization’s infrastructure has been compromised or Encrypted.
Find your First Infected machine and confirm the infected storage medium. It could be anyone following these.
- USB memory sticks with some valuable information
- shared or unshared Drives or folders
- External hard drives
- cloud-based storage (DropBox, Google Drive, Microsoft OneDrive/Skydrive, etc…)
- Network storage
Check the above asset and confirm the sign of encryption. If it will be cloud storage then Try to revert the recent unencrypted version of your files.
If you have back available for the encrypted storage then identify the infected or encrypted part of files and which file you need to restore or what may not be backed up.
Finally, if you don’t have the option to proceed with the above possibility then reconnect the memory drive and check the other possibility for decryption.
Understand the version or Type of Ransomware
First Ransomware needs to know which files it needs to decrypt if you paid the ransom amount.
To determine the scope of the infection is to check for a registry or file listing that has been
created by the ransomware.
Each and every Ransomware are having different versions and types. It is recommended to do a bit of googling to determine the version of ransomware you have been hit with and do your research based on the right version of the ransomware.
Determine the Strains of Ransomware
In terms of strains, each and every ransomware-type are having a different method and function. so you have to make sure which type of ransomware you’re dealing with and what option you have in your hand.
If you feel that you are the first person who is infected with concern ransomware then try to consult with some for security experts to determine what kind of ransomware you are actually facing by providing information about various files and system information.
Most of the ransomware does not have a future self-spreading function to jump across the network unless you will directly share from the infected machine.
Generally, ransomware infects only a single machine or related shared network files and it won’t Encrypt the files that it has not direct control over for the concerned network or system.
So make sure you have checked with the above things in the infected ransomware strains.
Fast Emergency Response
Ransomware does not need any user interaction to perform its Task. so you have to have very concerned about the time to take the necessary steps.
You need to take a rapid response by calling the helpdesk and internal parties immediately to make them aware that a Ransomware attack has occurred.
Notify your company’s executive and other legal and emergency response teams.
Notify your regulatory agency and consult your law enforcement and also try to implement your communication plan as soon as possible.
You can also contact the industry’s Information Sharing and Analysis Center (ISAC) site to know about a similar attack.
Paying the Ransomware – Ransomware Response Checklist
- It gives a faster solution than restoring the data from Backup
- It would be the cheapest solution in terms of the total cost of recovery
- It helps to minimize the disruption to businesses and users.
Advantage: Not Paying
- You can maintain the integrity of data by certain recovery of data.
- Not paying criminals and supporting cybercrime.
- You may protect yourself from targeting again and you can decrease the risk to attack you again.
- Supporting the crime and rewarding the crime
- It would make you high risk in the future and you might be victimized again
- There is no guarantee that you will be data recovery
Disadvantage: Not Paying – Ransomware mitigation Checklist
- There will be a lot of time-consuming to restore the data
- If you don’t have a proper backup it will lead to a critical situation.
- It disturbs the business continuity and users and it will be cost-effective.
Getting Funds to Ready in Bitcoin – Ransomware Response Checklist
Before paying ransom to criminals you have to make your Bitcoin vault ready.
Its takes time to prepare the Bitcoin vault and you have to deposit the Bitcoin in the vault.
Even though you are paying the ransom about it doesn’t mean that your file is decrypted and available immediately.
Sometimes criminals may perform manual verification of the ransom amount that you have transferred.
It takes even more than 1 day to get your decryption key back. Sometimes you may receive unresponsive situations from criminals.
Defending the Ransomware Attack – Ransomware Response Checklist
Take regular backups of your data and test your Backups that are perfectly available for any time to be restored.
One of the main infection vectors is Microsoft Office documents so make sure your Microsoft Office Macros are disabled by default.
Use Strong Firewall to block the command & control server callbacks. It helps to prevent the malware from accessing the encryption key from the callback C&C Server.
Scan all your emails for malicious links, content, and attachments. Segregate the physical and logical network to minimize the infection vector.
Always use anti-malware and anti-virus protection. most current antivirus using behavior-based analysis that helps to minimize the unknown ransomware threats that take place in your network.
Don’t Provide local administrator rights to any user by default. Avoid high privilege by default.
Enforce access control permission for the concerned user and allow them to access the files which they actually needed to access for their work.
Provide proper training for your employees about ransomware attacks and its common function to attack the network and train users to handle the links.
Block the ads and unnecessary web content. It will download ransomware and other malicious content.
These Ransomware response Checklist considerations were applicable for both Windows and other platforms.