Ransomware Response: Time is More Than Just Money

November 18, 2020
|
co-authored by Mitch Mayne
|
6 min read

The initial actions an organization takes in the moments after discovering a ransomware attack can have profound implications on how the attack ends.

Virtually every security professional will tell you ransomware-based attacks are rapidly becoming the bane of the digital age, but that may not translate into chief information security officers (CISOs) being certain employees understand how to spot ransomware activity and where to report it if they do.

For any attack — and ransomware especially — only a methodical, pre-planned and ideally rehearsed response can make a difference in the final impact on the targeted organization and on its eventual recovery from the attack. That’s not to say that even with these measures in place, recovery is guaranteed. Ransomware attacks can be so damaging to business operations that in some cases companies go under after being hit by ransomware-wielding cybercriminals.

The Right Action, Taken Quickly

When a ransomware attack is discovered, every second counts. The more time passes, the more data and files are encrypted, the more devices are infected, and the greater the impact can be. Immediate action must be taken, and it must be the right action to find the source of the damaging process to begin containing it. That initial ransomware response is getting the IT security teams involved, allowing them to launch the incident response steps that they have prepared for in this sort of situation.

If the company has a contract with a third-party provider to get responders on-site, they should be contacted at this point.

Other parties to contact, depending on the situation, are federal law enforcement and regulators per requirements in the geographies in which your organization operates.

Don’t Reboot That Zombie!

Ransomware finds its way into organizations in a few ways: email, drive-by downloads and vulnerability exploitation. It is also typically discovered by employees on their own devices by people attempting to access files on shared locations or by company security operations center alerts that surface after file modification thresholds have been crossed.

Once discovered, security teams should identify the malware family, define the root cause of the attack and then begin listing the infected devices that are encrypting files locally and on shared network folders. Those devices will have to be quarantined.

If encrypted files have been detected, it is likely that a larger process is underway. One of the necessary actions is to cut networking ties between infected devices that are running the ransomware and the networks they can access.

Rebooting the infected system is a common first reaction by victims — but it is the wrong one. Rebooting an infected device will just reload the malware and enable encryption to continue. The preferred method is to quarantine systems using an endpoint detection and response (EDR) solution. If one is not deployed, an alternative is to hibernate the affected devices, which can both stop the malicious processes and conserve forensics for later examination. If a device is shut down, it should be cleaned outside of the network before being plugged back in.

Also, there is no need to delete files that are already encrypted. They may be salvaged later or provide more information to malware researchers on which ransomware hit the organization.

Patch, Restore and Recover

Now that the attack is contained, what’s next? Make sure the root cause of the infection has been remediated. If the cause was missing patches, apply them, because leaving them undeployed can enable another attack. If an actively exploited vulnerability was the cause and it cannot be patched, plan to run a new risk assessment to segregate the vulnerable systems and put compensating controls in place. Make plans to upgrade or move these applications to the cloud after returning to normal operations.

With data already encrypted, systems will need to be cleaned and recommissioned and data restored. Your IT department may have backups that can help restore files, but the process itself is not short or without potential issues. Beware of infected backups that can allow malware to come back to life and continue, causing sinister damage in different parts of the network.

Many infected devices could require a wipe and re-image, and so will storage that might have been affected. After restoring systems, test them before returning them to the network. Again, the process can be lengthy, but it is necessary to ensure any traces of the malware have been cleaned.

Some Data Can’t Be Restored; Should We Pay the Attackers?

Most incident response doctrines rely on, or are guided by, the National Institute of Standards and Technology (NIST) Incident Response Life Cycle. Within the scope of an active attack, steps to take include:

  • Preparation
  • Detection and analysis
  • Containment, eradication and recovery
  • Post-incident activities

Ultimately, some organizations feel compelled to make a decision about whether or not to pay a ransom. Factors that may force this decision more rapidly include a need to resume operations as quickly as possible or to regain access to important files that cannot be recovered by other methods. The main reasons to consider payment are the potential loss of lives or the potential for the company to collapse if operations are not restored immediately.

Paying a ransom carries consequences either way. Any decision to pay or forego paying a ransom is tightly linked with the organization’s risk management, business continuity goals, downtime costs, regulatory considerations, legal implications and the possibility that the criminals will not provide the means to decrypt all files or attempt to extort more money after they are paid.

Generally, any decision to pay a ransom must involve the relevant stakeholders from inside the company. At the same time, it is wise to seek counsel from incident response subject matter experts and understand the terms and services offered by the company’s cyber insurance provider. If ransom negotiators are going to be part of the process, they may be able to offer insights from previous cases with the same cybercriminal group.

Below are the main considerations companies should take into account if the decision to pay a ransom is being discussed.

Paying a Ransom Does Not Guarantee Recovery

Paying criminals is precisely what it sounds like — paying an untrusted party. Criminals may or may not fulfill their part of the deal after they have been paid, especially since they can disappear as soon as the (irreversible) payment is made. While not common, this is a possibility.

Paying a Ransom Does Not Equal Instant Recovery

Recovering with a decryption key is seldom instantaneous. Decrypting files is a manual task, and they must be decrypted individually, which can be a painstaking and time-consuming undertaking.

In most cases, even if the criminals are paid and do provide the decryption key, the recovery effort can be just as complex and strenuous as re-imaging machines. That means recovery efforts could be just as costly as if the adversaries had not been paid.

Paying a Ransom Can Be a Federal Offense

Some countries are under sanctions by the U.S. government, and as a result, paying the ransom to cybercriminals from those countries can be a federal offense. On Oct. 1, 2020, an advisory from the Treasury Department’s Office of Foreign Assets Control (OFAC) served notice about potential fines for all those involved in aiding payments to attackers from sanctioned countries, which include Russia, North Korea or Iran. Firms that offer ransomware negotiation services are not exempt from this advisory, nor are the organizations they represent.

While your organization may not be able to readily attribute the attack to a specific group or geography, you may still incur fines from the OFAC if you decide to pay a ransom.

Paying Cybercriminals Strengthens their Business Model

Paying cybercriminals reinforces their business model, encourages more criminals to take part in the same activity, and continually funds both cybercrime and other crimes that are supported by that ecosystem. Keep in mind that paying a ransom ultimately serves as motivation for adversaries to increase both the frequency of attacks and the price of the ransom itself.

Post-Incident Activity

Post-incident activity is an important part of the response plan and should not be skipped. After any incident, large or small, it is recommended that you meet with relevant stakeholders and discuss the elements that worked well and examine those that did not work. This ‘lessons learned’ analysis can help your organization improve processes over time and ensure that future incidents are handled more efficiently and thereby minimize potential impact.

Your analysis should also include technological controls being used to help detect and protect the infrastructure. Analyzing the effectiveness of your technology can clarify any needed architectural modifications, divestment or new investments in security technologies, which can keep the security maturity model evolving.

The recommendations presented here are general in nature. Each organization is different, and ransomware response depends on the sector and industry each company operates within. It affects regulatory requirements, notification timelines and collateral damage to other parties, to name a few.

Whether your incident response process is an in-house operation or one that you receive as a service, don’t delay in starting it. Time is much more than money when it comes to ransomware attacks, impacting operations, employees, reputation and customer good faith. Most are hard to earn and even harder to reestablish.

Ransomware: Guidance Before, During and After an Attack

The uptick in ransomware attacks combined with an already disruptive landscape can make ransomware attack preparation and defense seem like a daunting task. We have resources to help.

Learn more about how to protect your organization by attending our webcast at 11 a.m. ET on Dec 2, 2020, featuring X-Force agents with deep expertise in ransomware threat intelligence and incident response. For a more in-depth look at how you can defend against ransomware, download our latest paper, “The Definitive Guide to Ransomware: Readiness, Response, and Remediation.”

If you have experienced a ransomware attack and would like immediate assistance from IBM Security X-Force incident response, please call our hotline at 1-888-241-9812 (US) or +001-312-212-8034 (Global). Learn more about X-Force’s threat intelligence and incident response services.

Limor Kessem
Executive Security Advisor, IBM

Limor Kessem is an Executive Security Advisor at IBM Security. She is a widely sought-after security expert, speaker and author and a strong advocate for wom...
read more