Ransomware Incident Response Plan – Part 2

Ransomware Incident Response Plan - Part 2

Ransomware was and still is one of the most dangerous attacks that can cause catastrophic consequences to the endpoint system if not responded properly. The following article is specially created for preparing incident response teams against this particular attack, but it is generally excellent guidance for everyone who would like to have clear and step-by-step approach on how to prepare, identify, contain, remediate and recover from the dangerous attacks of ransomware.

The following is part two of the overall incident response plan where we are going to discuss in our opinion the most important phases of the incident response plan, which are the containment and remediation phases. Before jumping into the phases and steps we would like to give brief recap about ransomware, to explain what it is and how does it work.

Ransomware is a type of malware from crypto virology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for an expert to reverse, more advanced malware uses a technique called crypto viral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.

In a properly implemented crypto viral extortion attack, recovering the files without the decryption key is an intractable problem and difficult to trace digital currencies such as Ukash or Bitcoin and other cryptocurrency are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

3. Containment Overview

After the identification phase, if any malicious/suspicious activity was detected we can assume that there is a big chance that there is a presence of a malware on the endpoint, hence the endpoint must be quarantined and isolated from the network, to stop the spread to other endpoints and overall infrastructure.

As we are talking about the ransomware, we must be extremely careful in this case, because the process of system corruption and encryption will not take much time, hence the time is limited. Having an endpoint protection system that can look for the execution and kill the process is usually the best means of containment.

Carefully document and report the performed activities, this will help to detect the virus/malware on other IT systems as well. Examine all endpoints that may be vulnerable or exposed to that particular attack, perform identification phase on the endpoint and in case of anomaly detection isolate the system.

Ransomware Incident Response Plan - Containment

4. Remediation Overview

To eradicate the ransomware from IT environment, the ransomware must be identified by the anti-virus various malware removal tools, or manually through registries and by identifying abnormal file extensions, if the threat is advanced manual intervention may be needed to quarantine these files and clean from the system.

If the malicious file is not detected by signature-based detection, the file can be given to the sandbox for more effective detection as all ransomwares are malwares as well, but all of these can be done in case the ransomware was detected on the earliest phase. Usually, the recommend practice is to replace compromised machines rather than clean them.

The main reason for replacement is that it is difficult to know if residual files of the ransomware are still on the system and able to re-infect devices. If you choose to clean rather than replace, continue to monitor for signatures and other IOCs to prevent the attack from re-emerging.

Ransomware Incident Response Plan - Remediation

Click here to read our step-by-step hands-on approach on how to contain and remediate ransomware attacks.