
Ransomware Attack Response and Mitigation Checklist

Ransomware is one of the fastest-growing threats worldwide and now accounts for a large share of global cyberattacks, causing serious damage and financial loss to organizations and individuals.

Here is a ransomware response checklist for attack response and mitigation.

Ransomware is a turnkey business for criminals, and because victims keep paying ever-increasing ransoms it has become a billion-dollar industry that shows no sign of going away.

The cost of ransomware attacks has crossed $1 billion in a single year, and the number of attacks keeps growing around the world.

Below is the ransomware response checklist, with mitigation techniques for sophisticated ransomware attacks.

Common Factors:

A common factor across ransomware variants is the use of strong, correctly implemented cryptography. Files are typically encrypted with a symmetric cipher such as AES, and the file keys are wrapped with the attacker's public key, commonly 2048-bit RSA. Brute-forcing a 2048-bit RSA key on an average desktop computer is estimated to take about 6.4 quadrillion years, so recovery without the attacker's private key is not feasible when the cryptography has been implemented correctly.

The wide availability of well-tested encryption libraries implementing RSA and AES has made ransomware far more robust; free decryptors exist only for strains whose authors made implementation mistakes.

Ransomware demands payment in Bitcoin. Bitcoin is pseudonymous rather than untraceable: every transaction is public on the blockchain, but wallet addresses are not tied to real identities, which is what makes it attractive to criminals. Each variant demands a different amount for the decryption key.

Sometimes attackers never hand over the decryption key even after payment. Some variants instead offer the key only if the victim infects a few other people.

To maintain anonymity, attackers host their payment portals and command-and-control services on Tor (The Onion Router). Tor relays traffic through thousands of volunteer-run nodes in different countries, which hides the operator's IP address, and .onion sites cannot be reached with a regular browser without the Tor software.


Symptoms of Infection – Ransomware Response Checklist

A window you cannot close has opened, displaying the ransomware program and its instructions; a countdown timer tells you how to pay to unlock your files and device.

The countdown warns that once the deadline passes you will no longer be able to decrypt your files, or that the ransom amount will increase.

Suddenly you cannot open files, or you get errors saying that a file is corrupted.

Directories contain files such as HOW TO DECRYPT FILES.TXT or similar instruction notes.

Ransomware Entry Point and Infection Vector

Phishing Email:

A user receives an email with a malicious link in the body. Clicking the link downloads a file that contains the ransomware.

Examples: mail that appears to come from a major brand, social-engineering lures, or requests for information.

Email Attachments

A user receives an email with an innocent-looking attached file. Once the user opens it, the payload runs on the victim's computer and the machine is infected with ransomware.

Examples: urgent requirements, job offers, ordinary-looking ZIP files, documents that create a sense of urgency, notices of money transferred.

A malicious document may also contain an embedded hyperlink. When the user clicks it, the document reaches out to the internet and downloads the file that carries the ransomware variant.

Examples: a normal-looking document with an innocent-looking hyperlink that leads to ransomware.


Websites & Downloads

Users browse infected or compromised websites and download software they believe is genuine, but which actually contains a ransomware variant.

Examples: general browsing, adult websites, BitTorrent downloads, PC download sites, app stores.

Drive by Infection

A user browsing with an outdated browser, a malicious plug-in, or an unpatched third-party application can be infected without opening anything. The infection then spreads to other users within the organization and through file-sharing channels such as IRC, Skype, and other social media.

Infected sites redirect the user to an exploit kit, which exploits a vulnerability in the browser or a plug-in and then downloads and runs the ransomware.

Examples: no user interaction at all, malvertising.

Incident Response and Mitigation

Once you suspect that you are infected or notice unusual activity on your network, take the following steps for mitigation.

Finding the Indicator of Compromise

File Extensions

During the encryption process, file extensions are changed to a new type of extension that you have not seen before.

Collecting the known ransomware file extensions and monitoring for them helps you identify ransomware early, sometimes before encryption spreads across the network.

In many cases the existing file extension remains and a new extension is appended to it during encryption, so an infected file keeps its normal name and extension with the ransomware's own extension added at the end.

Check for any unusual ransomware-related file extension types against a maintained list of known ransomware file extensions.

Bulk File Renamed

Monitoring for a large number of files being renamed on your network or your computer is a good indicator of compromise by ransomware.

Check whether a large volume of file names has changed on any of your assets.

Behaviour analysis helps you spot an unusual number of files being changed or accessed in your network compared with normal use.

Security Tools

Security tools such as endpoint protection, antivirus, and web content filtering let you filter the content users reach on the internet; analysing the behaviour of your network and your computers helps you find behaviour-based indicators.

These tools baseline normal user behaviour and alert you when something unusual occurs so that you can take a look.

An intrusion detection and prevention system on your network can block unusual callbacks and the delivery of further payloads.

It can also block the download of an encryption key from the command-and-control server, which stops encryption in strains that depend on that callback. Note that many strains embed the attacker's public key in the binary and encrypt offline, so network blocking alone is not a complete defence.

Ransomware Notes

Ransom notes are an explicit indicator of compromise: they pop up on your screen and demand a ransom payment.

They are one of the first indicators of a ransomware attack, and everyone should be able to recognise them.
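The extension, bulk-rename and ransom-note indicators described above can be checked automatically from file-system telemetry. The following is an added example written for this checklist, not code from the original article: it runs over a stream of file events and raises a finding for each indicator. The event tuple format, the extension list, the rename threshold and the sample events are all assumptions made for the demo; in practice the events would come from Sysmon, auditd or EDR telemetry and the threshold would be tuned against the organization's own baseline.

```python
"""
Added example, not code from the original article: flag known ransomware
extensions, bulk renames and ransom notes in a stream of file-system events.
Event format, extension list, thresholds and sample events are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Short, assumed list of extensions appended by known ransomware families.
KNOWN_RANSOM_EXTS = {".locky", ".zepto", ".cerber", ".crypt", ".wncry"}
# Assumed ransom-note name fragments, matched case-insensitively after
# replacing '_' and '-' with spaces.
RANSOM_NOTE_PATTERNS = ("how to decrypt", "decrypt instructions",
                        "readme for decrypt", "recover files")
RENAME_WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 50  # renames per host per window; assumed baseline


def ransom_extension(name):
    """Return the known ransomware extension the name ends with, else None.
    Catches both 'report.xlsx.locky' (appended) and 'report.locky' (replaced)."""
    lower = name.lower()
    for ext in KNOWN_RANSOM_EXTS:
        if lower.endswith(ext):
            return ext
    return None


def is_ransom_note(name):
    normalised = name.lower().replace("_", " ").replace("-", " ")
    return any(p in normalised for p in RANSOM_NOTE_PATTERNS)


def analyze(events):
    """events: iterable of (timestamp, host, op, path, new_path); op is
    'create', 'modify' or 'rename'. Returns (severity, indicator, detail)."""
    findings = []
    rename_times = defaultdict(list)                  # host -> rename timestamps
    ext_hits = defaultdict(lambda: defaultdict(int))  # host -> ext -> count
    for ts, host, op, path, new_path in events:
        name = (new_path or path).rsplit("/", 1)[-1]
        if op == "rename":
            rename_times[host].append(ts)
            ext = ransom_extension(name)
            if ext:
                ext_hits[host][ext] += 1
        elif op == "create" and is_ransom_note(name):
            findings.append(("critical", "ransom-note", f"{host}: {path}"))
    for host, per_ext in ext_hits.items():
        for ext, n in per_ext.items():
            findings.append(("high", "ransomware-extension",
                             f"{host}: {n} files renamed to *{ext}"))
    # Sliding window over each host's sorted rename timestamps.
    for host, stamps in rename_times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > RENAME_WINDOW:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                findings.append(("high", "bulk-rename",
                                 f"{host}: {end - start + 1} renames within "
                                 f"{int(RENAME_WINDOW.total_seconds())}s"))
                break
    return findings


def flagged_hosts(events):
    return sorted({detail.split(":")[0] for _, _, detail in analyze(events)})


def sample_events():
    """Constructed telemetry: WS-042 is being encrypted; WS-007 is a user
    renaming a handful of photos over several minutes (benign)."""
    t0 = datetime(2024, 1, 15, 9, 30, 0)
    events = []
    for i in range(120):
        events.append((t0 + timedelta(seconds=i * 0.25), "WS-042", "rename",
                       f"/shares/finance/q{i % 4}/report{i}.xlsx",
                       f"/shares/finance/q{i % 4}/report{i}.xlsx.locky"))
    events.append((t0 + timedelta(seconds=31), "WS-042", "create",
                   "/shares/finance/HOW_TO_DECRYPT_FILES.TXT", None))
    for i in range(5):
        events.append((t0 + timedelta(minutes=3 * i), "WS-007", "rename",
                       f"/home/alice/photos/IMG_{i}.jpg",
                       f"/home/alice/photos/trip_{i}.jpg"))
    return events


if __name__ == "__main__":
    for severity, indicator, detail in analyze(sample_events()):
        print(f"[{severity}] {indicator}: {detail}")
```

On the constructed events the benign host produces no findings, while the encrypted host trips all three indicators. The rename window matters more than the extension list: extension lists go stale as new families appear, whereas a burst of renames on a file share is characteristic of almost every strain.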

User Reports

A report from a user to the help desk that they cannot open or find their files and that the PC is running slowly.

Ensure that your organization's help desk staff are fully trained to recognise the impact of ransomware and to take the appropriate mitigation steps.

What next: if you’re Infected

Once you find and confirm that your computer or network has been infected, take the following actions immediately.

Disconnect  the Network – Ransomware Response Checklist

Disconnect the infected computer from every network and isolate it completely.

Remove all storage devices such as external hard drives, USB drives, and other storage media.

Turn off any wireless connectivity such as Wi-Fi, Bluetooth, and other wireless devices on the affected machines, and where necessary the router itself.

Simply unplug the computer from the network and from any other storage devices.

Do not erase anything: do not clean up, wipe, or format the device. Preserving it is very important for the investigation.

Determine the Scope

At this point you need to evaluate how much of your organization's infrastructure has been compromised or encrypted.

Find the first infected machine and confirm which storage media were affected. Encrypted data may reside on any of the following:

  • USB memory sticks holding valuable data
  • shared or unshared drives or folders
  • external hard drives
  • cloud-based storage (Dropbox, Google Drive, Microsoft OneDrive/SkyDrive, etc.)
  • network storage

Check each of the above assets for signs of encryption. If cloud storage is affected, try to revert to the most recent unencrypted version of your files.

If you have backups for the encrypted storage, identify the infected or encrypted files, which of them you need to restore, and which may not have been backed up.

Finally, if none of these options is available, keep the encrypted drive (reconnecting it only to an isolated analysis machine) and check the remaining possibilities for decryption, such as a free decryptor for that strain from the No More Ransom project.
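Checking each storage root for signs of encryption can be scripted. The following is an added example for this checklist, not code from the original article: it walks the roots a responder would list (shares, USB sticks, cloud-sync folders), measures the byte entropy of each file, and reports how many files look encrypted and the earliest modification time among them, which points towards where encryption began. Encrypted or random data has close to 8 bits of entropy per byte, whereas text and most office documents are well below that; compressed formats are legitimately high-entropy and are skipped so they do not produce false positives. The entropy threshold, the skip list and the sample directory tree are assumptions made for the demo.

```python
"""
Added example, not code from the original article: scope an incident by
scanning storage roots for files that look encrypted (high byte entropy).
Threshold, skip list and the constructed sample tree are assumptions.
"""
import math
import os
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.5   # bits/byte; assumed threshold (random data approaches 8.0)
# Formats that are legitimately high-entropy (compressed): entropy cannot
# judge these, so leave them to the extension and rename indicators.
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4",
                   ".pdf", ".docx", ".xlsx", ".pptx"}
MIN_SAMPLE = 256     # tiny files give unreliable entropy estimates


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path, sample_bytes=65536):
    if os.path.splitext(path)[1].lower() in COMPRESSED_EXTS:
        return False
    with open(path, "rb") as f:
        data = f.read(sample_bytes)
    return len(data) >= MIN_SAMPLE and shannon_entropy(data) > HIGH_ENTROPY


def scope_roots(roots):
    """roots: {label: directory}. Returns per-root file counts, the earliest
    mtime among suspected-encrypted files and a few sample paths."""
    report = {}
    for label, root in roots.items():
        total = encrypted = 0
        first_seen = None
        samples = []
        for dirpath, _, files in os.walk(root):
            for fn in files:
                p = os.path.join(dirpath, fn)
                total += 1
                if looks_encrypted(p):
                    encrypted += 1
                    mtime = os.path.getmtime(p)
                    if first_seen is None or mtime < first_seen:
                        first_seen = mtime
                    if len(samples) < 3:
                        samples.append(os.path.relpath(p, root))
        report[label] = {"files": total, "encrypted": encrypted,
                         "first_seen": first_seen, "samples": samples}
    return report


def build_sample_tree(base):
    """Constructed data: a finance share hit by ransomware and a clean USB stick."""
    share = os.path.join(base, "finance_share")
    usb = os.path.join(base, "usb_stick")
    os.makedirs(share)
    os.makedirs(usb)
    text = b"Quarterly revenue summary. Lorem ipsum dolor sit amet. " * 40
    for i in range(3):   # os.urandom stands in for ciphertext
        with open(os.path.join(share, f"report{i}.xlsx.locky"), "wb") as f:
            f.write(os.urandom(4096))
    with open(os.path.join(share, "notes.txt"), "wb") as f:
        f.write(text)                     # untouched plaintext
    with open(os.path.join(share, "HOW_TO_DECRYPT_FILES.TXT"), "wb") as f:
        f.write(b"Your files have been encrypted.")  # short note, not ciphertext
    with open(os.path.join(usb, "budget.csv"), "wb") as f:
        f.write(text)
    return {"finance share": share, "USB stick": usb}


def run_demo():
    """Builds the sample tree in a temporary directory and scopes it."""
    return scope_roots(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for label, r in run_demo().items():
        print(f"{label}: {r['encrypted']}/{r['files']} files look encrypted; "
              f"samples={r['samples']}")
```

Run it read-only against mounted copies or forensic images, never against the live infected host, and treat the earliest modification time as a hint for which machine or share to examine first rather than as proof of patient zero, since ransomware often resets or preserves timestamps.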

Understand the version or Type of Ransomware

The ransomware itself needs to know which files to decrypt if you pay, so most variants keep a registry entry or a file listing of everything they encrypted. Locating that registry key or listing is one way to determine the scope of the infection.

Every ransomware family has different versions and types. Search for the version of ransomware you have been hit with and base your research on that specific version.

Determine the Strains of Ransomware

Each ransomware strain has a different method of operation, so make sure you know which type of ransomware you are dealing with and what options you have.

If you think you may be the first organization hit by a given strain, consult security experts to determine what kind of ransomware you are actually facing, providing sample encrypted files, the ransom note, and system information.

Most ransomware has no self-spreading function that lets it jump across the network on its own; it reaches other machines through shares mapped from the infected host. Worm-capable strains do exist, however, so do not rely on this.

Generally, ransomware encrypts only a single machine and the network shares that machine can reach; it cannot encrypt files it has no direct access to.

So make sure you have checked the above points against the strain you are infected with.

Fast Emergency Response

Once running, ransomware needs no further user interaction to do its work, so you must act quickly.

Respond rapidly by calling the help desk and internal parties immediately to make them aware that a ransomware attack has occurred.

Notify your company's executives and the legal and emergency response teams.

Notify your regulator, consult law enforcement, and put your communication plan into action as soon as possible.

You can also contact your industry's Information Sharing and Analysis Center (ISAC) to learn whether others have seen a similar attack.

Paying the Ransomware – Ransomware Response Checklist

Advantages of Paying

  • It can be a faster solution than restoring data from backups.
  • It may be the cheapest solution in terms of the total cost of recovery.
  • It helps to minimize disruption to the business and its users.

Advantages of Not Paying

  • You keep control of data integrity by recovering the data yourself.
  • You are not paying criminals and funding further cybercrime.
  • You are less likely to be targeted again, since you are not known to pay.

Disadvantages of Paying

  • You are supporting and rewarding the crime.
  • It marks you as a willing payer, and you may be victimized again.
  • There is no guarantee that you will recover your data.

Disadvantages of Not Paying – Ransomware Mitigation Checklist

  • Restoring the data can be very time-consuming.
  • If you do not have proper backups, the situation becomes critical.
  • It disrupts business continuity and users, and the downtime is costly.

Getting Funds Ready in Bitcoin – Ransomware Response Checklist

Before paying a ransom you have to have a Bitcoin wallet ready.

Setting up the wallet and purchasing the Bitcoin takes time.

Even after you pay, your files are not necessarily decrypted and available immediately.

Sometimes the criminals manually verify the ransom amount you transferred.

It can take more than a day to receive the decryption key, and sometimes the criminals simply stop responding.

Defending the Ransomware Attack – Ransomware Response Checklist

Take regular backups of your data, keep at least one copy offline or otherwise unreachable from the network (ransomware encrypts any backup it can reach), and test that your backups can actually be restored at any time.

Microsoft Office documents are one of the main infection vectors, so make sure Office macros are disabled by default.

Use a properly configured firewall to block command-and-control callbacks. This helps prevent the malware from retrieving its encryption key from the C&C server.

Scan all inbound email for malicious links, content, and attachments. Segment the physical and logical network to limit how far an infection can spread.

Always use anti-malware and antivirus protection. Most current antivirus products use behaviour-based analysis, which helps minimize unknown ransomware threats on your network.

Do not give users local administrator rights by default. Avoid high privileges by default.

Enforce access control so that each user can reach only the files they actually need for their work.

Train your employees about ransomware, how it commonly attacks the network, and how to handle links and attachments safely.

Block ads and unnecessary web content; they can deliver ransomware and other malicious content.
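The email scanning and macro recommendations above, together with the phishing and attachment vectors described earlier, translate into a few concrete checks a mail gateway can run. The following is an added example for this checklist, not code from the original article or any product: it triages one message for executable or double-extension attachments, macro-capable Office documents (OOXML files are zip archives, and a VBA project shows up as a vbaProject.bin entry), archives that hide executables, and links whose visible text names a different host than the real target. The extension lists, actions and the sample message are assumptions made for the demo.

```python
"""
Added example, not code from the original article: mail-gateway style
triage of one inbound message for common ransomware delivery patterns.
Extension lists, actions and the constructed sample message are assumptions.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
                   ".bat", ".cmd", ".ps1", ".lnk", ".iso"}
OFFICE_MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)


def ext_of(name):
    return "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""


def has_double_extension(name):
    """'invoice.pdf.exe': a decoy extension followed by an executable one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTS


def zip_members(data):
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.namelist()
    except zipfile.BadZipFile:
        return []


def office_has_macro(data):
    return any(n.lower().endswith("vbaproject.bin") for n in zip_members(data))


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None


def triage(raw):
    """raw: the message as bytes. Returns a list of (action, detail)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = ext_of(name)
        if ext in EXECUTABLE_EXTS or has_double_extension(name):
            findings.append(("block", f"executable attachment: {name}"))
        if ext in OFFICE_MACRO_EXTS or office_has_macro(data):
            findings.append(("quarantine", f"macro-capable Office document: {name}"))
        if ext == ".zip":   # look inside archives for hidden executables
            bad = [m for m in zip_members(data)
                   if ext_of(m) in EXECUTABLE_EXTS or has_double_extension(m)]
            if bad:
                findings.append(("block", f"archive {name} contains executables: {bad}"))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown, real = HOST_RE.match(text), HOST_RE.match(href)
            if shown and real and shown.group(1).lower() != real.group(1).lower():
                findings.append(("warn", f"link text {text!r} actually points to {href}"))
    return findings


def build_sample_message():
    """Constructed lure: overdue-invoice mail with a macro document, a zip
    hiding a .js dropper stub, and a link whose text shows a different host."""
    msg = EmailMessage()
    msg["From"] = "billing@examp1e-bank.test"
    msg["To"] = "alice@corp.test"
    msg["Subject"] = "URGENT: overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative('<p>Pay now at <a href="http://examp1e-bank.test/pay">'
                        'https://bank.example.com/pay</a></p>', subtype="html")
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as z:      # minimal OOXML-like container
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(docm.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as z:
        z.writestr("invoice_scan.pdf.js", "// dropper stub (inert)")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="scan.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for action, detail in triage(build_sample_message()):
        print(f"{action:10s} {detail}")
```

The macro check inspects the container rather than trusting the extension, because a macro-bearing document renamed to .docx still carries its vbaProject.bin entry; a real gateway would also unpack nested archives and password-protected ones, which this demo does not attempt.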

These ransomware response checklist considerations apply to Windows and other platforms alike.

Ransomware Rescue Plan:


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
