Targeted Ransomware Has Changed the Face of Incident Response
By Christopher “Tophs” Elisan
It’s becoming increasingly rare to publicly learn about ransomware attacks carried out at any kind of scale. In two short years, we’ve gone from WannaCry and NotPetya piggybacking aboard NSA-built exploits in attacks hoping to hit many victims in many industries, to quieter and potentially more lucrative targeted attacks against individual organizations.
Ransoms have also morphed, largely going from demands for relatively short money—a few hundred dollars to a few Bitcoin, for example—to exorbitant asks of companies facing unacceptable downtime and operational interruptions that could lead to losses amounting to millions.
Complicating matters further is the overbearing truth that traditional incident response has never been applicable to ransomware attacks; the dynamic is that much different.
Traditional incident response is a predetermined path for addressing and managing a network breach or incident, with the aim of keeping damage and expenses in check, and reducing recovery time. Incidents are defined in advance, and triggers are determined as to when a plan should kick in. Roles and responsibilities of individual stakeholders are also spelled out, as are everyone’s responsibilities in the respective response phases, ranging from risk assessments, to detection, containment, forensics, mitigation, and recovery.
Ransomware, however, throws a nasty wrinkle into that methodology.
Coping with Unacceptable Losses
By their nature, ransomware attacks are potentially as destructive as they are disruptive. Once the malware is executed, depending on the particular family of ransomware, it will first encrypt local files or hard drives, and then seek out network shares to do the same to resources that the infected machine has access to. The malware also leaves behind the digital equivalent of a ransom note which explains how much it will cost the victim to recover their files and systems, and how to go about remitting payment to the attacker.
With more traditional incident response, once you’ve re-imaged the infected machine, cut off any lateral spreading of the malware, and patched a vulnerability possibly exploited in an attack, you might be close to being back in business. Not so with ransomware. Incident response in these cases is not about merely removing all traces of the malware and removing any persistence mechanisms. There remains the damage, which means for a business doesn’t mean just a crashed server, it means mission-critical files and systems that have been encrypted and potentially lost forever.
That’s an unacceptable loss for any company. The quickest path to recovery is a recent and secure backup that’s not connected to the network—yes ransomware can infect and encrypt your backups too. Frequent backups can mean the difference between losing a few hours or days’ worth of data versus weeks or months.
A New Layer of Response
Some companies aren’t as vigilant about backup and quickly run up against a new layer of incident response for them: the need to communicate and coordinate with a threat actor in order to recover files and pay the ransom if they so choose.
Part of this interaction is nuanced and requires intelligence about a threat actor as to whether the threat is a true ransomware or extortion situation, and whether the lost data may be recovered by other means. Intelligence can also assist in making a determination about the integrity of the attacker in such situations, and also learning more about the history of the wallet accepting the ransom payment.
Many times, that type of expertise isn’t in the wheelhouse of an enterprise’s incident response team, most of which are prepared for dealing with infections and lean on support from endpoint security vendors for updated signatures to assist in prevention and remediation. Few, however, know how to best interact with an adversary, acquire cryptocurrency, and successfully and safely move that money to an attacker’s wallet without putting the organization at further risk.
While incident response in the event of ransomware is a totally different animal from traditional IR, organizations should still adopt some facets of that approach. For example, infected machines should be isolated and disconnected from the network (keep them powered on to preserve forensic evidence). Communicate with the rest of the organization in order to inform them of the infection vector, especially the initial attack was carried out via a phishing email, in order to stave off further infections.
Security teams must also do their best to identify the ransomware strain—they’re usually named in the ransom note or in a file extension name—and it’s a best practice to create a backup of the infected machine in case the ransomware encryption is ever broken, all of the data can once again be recovered. Some ransomware encryption mechanisms are poorly written or implemented and researchers are able to develop decryptors for particular ransomware families; No More Ransom is one such resource. Finally, organizations may choose to notify law enforcement, either the FBI or Secret Service.
Given the challenges associated with preparing for and responding to increasingly targeted and complex ransomware threats, a growing number of defenders are seeking out external support. Contact us to learn how Flashpoint’s Threat Response & Readiness Subscription can help.
Christopher “Tophs” Elisan
Director of Intelligence
Christopher “Tophs” Elisan is a seasoned reverse engineer, malware researcher, and published author. He speaks at conferences around the world and frequently provides expert opinion about malware, botnets and advanced persistent threats for leading industry and mainstream publications. Elisan’s published works include Hacking Exposed: Malware and Rootkits, 2nd ed.