Just a Security Blog

Case study: Ransomware CIRP

Case study: Ransomware CIRP

Akhere Sonny-Egbeahie's photo
Akhere Sonny-Egbeahie
·

4 min read

I recently applied for a Cybersecurity Internship and one of the pre-interview tasks was to prepare a Cyber Incident Response Plan for a Ransomware attack. I would be sharing my response with you.

CASE STUDY:

Since 10 am, your organization’s service desk has been dealing with calls from users who cannot access any templates on one file share. One hour ago, a call came in from a user stating that their workstation was displaying a message saying that “Your files have been encrypted” and a request for bitcoin to buy a key to decrypt the files. It also says that files have been copied and request further payment to destroy the copies. The user said that the message had been on screen for an hour before making the call. The IT team isolated the workstation from the network by disabling its network interfaces, taking a file image of the machine, and exporting the event logs and Windows Firewall log; these files are all on a USB drive. The affected workstation has been left powered on in a secure room, and the user has moved to another workstation.

IT identified that the malware accessed and encrypted files on two file servers. Most of the files were templates, but there was also one spreadsheet named “Customers-2017.xlsx”, which appears to be an export from the previous sales system. All workstations and servers have been checked, and no others are infected. There is evidence that several gigabytes of data were transmitted over HTTP to a C&C (Command & Control) server with a foreign IP address over the last week.

1) Develop a response plan that your organization will take to address the cyberattack (Including Identifying key stakeholders).

There are 4 major steps in the Cyber Security Incident Response Plan for a Ransomware attack, namely;

  • Investigate

  • Remediate

  • Notify key stakeholders

  • Recovery

From the case study provided, it is observed that the Investigate and Remediate (Contain) steps have been carried out.

Investigate:

  1. Capture and export file image of the infected system.

  2. Determine the type of Ransomware: Establish if it is a known variant of ransomware or from a known attacker. This can be accomplished by;

    • Analysing the messages, looking for clues to the ransomware type.

    • Analysing affected and/or new files created.

  3. Determine the scope of attack: Establish which systems were affected and what data was affected.

    • Scan for indicators of compromise (IOCs) such as files/hashes, processes, network connections, etc.

    • Check similar systems for infection.

    • Find external command and control servers, if present, find other systems connecting to them.

  4. Assess the impact: To prioritize resources;

    • Assess the impact on the business as regards how much money was lost and areas of the business degraded.

    • Assess the impact on data as regards the CIA triad, sensitivity of the data, and regulatory standards affected.

  5. Find the medium of infection: Some of the mediums could include;

    • Email phishing attachment.

    • Insecure Remote Desktop Protocol (RDP).

    • Infection via removable drives.

    • Delivered by another malware or attacker tool.

Remediate:

  1. Contain: In Ransomware situations, containment is critical. The way to achieve this is through quarantines. Physical and Logical quarantines prevent spread from infected systems and prevent spread to critical systems and data. Quarantines should be comprehensive:

    • Quarantine infected systems

    • Quarantine affected users.

    • Quarantine file shares (not just known-infected shares, protect uninfected shares too).

    • Quarantine shared databases (not just known-infected servers, protect uninfected databases too).

    • Quarantine backups, if not already secured.

    • Block command and control domains and addresses.

    • Remove vector emails from inboxes.

  2. Eradicate:

    • Rebuild infected systems from known-good media.

    • Restore from known-clean backups.

    • Confirm endpoint protection is up-to-date and enabled on all systems.

    • Confirm patches are deployed on all systems.

    • Deploy custom signatures to endpoint protection and network security tools based on discovered IOCs.

    • Watch for re-infection.

Notify key Stakeholders:

  • Communicate with internal and external legal counsel to determine legal requirements, including discussions of compliance, risk exposure, liability, law enforcement contact, etc.

  • Communicate with Internal users, Management, and C-level Executives.

  • Communicate with customers: Focus particularly on customers directly affected (in this case, customers included in the “Customers-2017.xlsx” file).

  • Notify law enforcement: Local police or law enforcement agencies familiar with investigating information compromises.

  • Notify regulators.

Recovery:

  • Check backups for IOCs and restore data from known clean backups.

  • In a case of no backups consider trying known decryptors for the variant discovered during the investigation stage.

2) Develop preventative measures to stop a ransomware attack going forward.

  1. Periodic Employee Security Awareness and Training.

  2. Endpoint Detection and Response solutions: An EDR continuously monitors all incoming and outgoing traffic on a network for potential threats. If a threat is detected, the solution isolates the affected machine so that the malware can’t spread.

  3. Email Security: Secure Email Gateways (SEGs) check for, identify threats, and prevent them from being delivered. This can stop ransomware from reaching its intended victim.

Conclusion

I hope you found this insightful and you can let me know what you think in the comments. Thank you and see you on the next one!!

thank-you-so-much-bow.gif

ransomwareSecurity