This report provides high-level guidance to business leaders on how to detect the signs of a ransomware attack and the preventative measures currently available.
Seven stages of a typical ransomware attack
How ransomware might be found in your estate
The first steps to take if you detect ransomware
Understanding ransomware attacks
Depending on your cyber security posture and the cyber tools you have within your organisation, a ransomware attack can be detected at numerous stages throughout the attack lifecycle. The earlier the point of detection, the greater the chance of mitigating the damage and ultimately rescuing your organisation. It is important to highlight that the most damaging part of any ransomware attack (the encryption of files) typically takes place at a later stage. By that point, your organisation may have unknowingly been exposed for days or even weeks without noticing any symptoms, and once encryption begins the chances of avoiding material loss fall sharply. This article discusses the typical stages of a ransomware attack and the mitigation steps available at each stage.
STAGES OF A RANSOMWARE ATTACK
Stage 1. Attackers typically enter the estate through remote access points, using stolen credentials, a brute-force attack or an exploitable vulnerability. Alternatively, a payload may have been dropped onto an employee's device by a phishing email, with the aim of spreading into the network.
Stage 2. Attackers will deploy Cobalt Strike Beacons (remote-control implants) onto servers, and as lateral movement occurs further Beacons will be deployed across the estate. Exploitable vulnerabilities in servers are often used to move laterally around the server estate.
Stage 3. Attackers will analyse the estate to determine what is available to them and which servers are the most critical. They will look to uninstall or alter anti-virus products and to inhibit any other security solutions within the estate. Any backups that are not held in a storage repository off the corporate domain and network (air-gapped) could be deleted, encrypted or tampered with to prevent business recovery.
Stage 4. Tools will be deployed into the estate and used to collect and then extract data from your organisation. A common tool used in 2021 is rclone.exe. These tools are used to push data outwards, usually to common file-sharing sites such as MEGA.NZ.
Stage 5. Once your data has been extracted and Cobalt Strike Beacons have been deployed across the entire estate, the ransomware will begin. Servers will be encrypted and files will be renamed with encryption extensions. Servers will become unresponsive, and ransom notes will be placed where they can easily be found. All endpoints connected to the network at the point of encryption may also be affected and at risk of encryption.
Stage 6. Emails will arrive into the organisation, usually from free webmail accounts (e.g. Proton, Gmail, Hotmail). These emails will threaten that if payment is not received, your data will be published on the dark web or on the attackers' associated web pages.
Stage 7. Data will be published on these malicious websites and can include terabytes of your data. There is usually a 14 to 28 day gap between stage 6 and stage 7. You may also be sent samples of your data before stage 7 occurs.
HOW RANSOMWARE MAY BE DETECTED
The early stages of a ransomware attack can be detected within the following tools; if these tools are available, it is important that regular checks are made on their output.
Anti-virus products (if not uninstalled by the attacker)
Security tools monitoring the email audit logs, or any email alerting that has been configured
Typically, the ransomware only becomes known to the organisation at the point of encryption, when machines become unresponsive, encrypted files are detected or the ransom note is found.
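Two of the stages above leave traces that can be caught earlier than the ransom note: the exfiltration tool (rclone.exe pushing data to a sharing site such as MEGA.NZ) and the encryption stage (many files on one host gaining a new extension in a short time). The detection logic below is an added example, not part of the original report; the pipe-delimited event format, the sample events, the 20-renames-in-60-seconds threshold and the ".locked" extension are all constructed assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Constructed sample telemetry (not from any real incident), one event per line:
#   "<ISO timestamp>|<host>|<kind>|<field1>|<field2>"
#   kind=proc   : field1=image path, field2=command line
#   kind=rename : field1=old path,   field2=new path
SAMPLE_EVENTS = [
    "2021-06-01T02:10:00|FS01|proc|C:\\ProgramData\\rclone.exe|rclone.exe copy D:\\Finance mega:dump",
    "2021-06-01T02:10:05|FS01|proc|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "2021-06-01T09:00:00|WS02|rename|C:\\Users\\a\\draft.docx|C:\\Users\\a\\final.docx",
] + [
    # 25 files on FS01 gain an encryption-style extension within ten seconds
    f"2021-06-01T03:00:{i % 10:02d}|FS01|rename|D:\\Finance\\f{i}.xlsx|D:\\Finance\\f{i}.xlsx.locked"
    for i in range(25)
]
EXFIL_TOOLS = {"rclone.exe"}   # named above as a tool commonly used in 2021
SHARING_HINTS = ("mega",)      # MEGA.NZ is the sharing site named above
RENAME_THRESHOLD, WINDOW = 20, timedelta(seconds=60)   # tuning assumptions

def parse(line):
    ts, host, kind, a, b = line.split("|", 4)
    return datetime.fromisoformat(ts), host, kind, a, b

def detect_exfil_tool(lines):
    """Return (host, image name, points at a sharing site?) per exfil-tool launch."""
    hits = []
    for ts, host, kind, image, cmd in map(parse, lines):
        name = os.path.basename(image.replace("\\", "/")).lower()
        if kind == "proc" and name in EXFIL_TOOLS:
            hits.append((host, name, any(h in cmd.lower() for h in SHARING_HINTS)))
    return hits

def detect_rename_burst(lines):
    """Return hosts where >= RENAME_THRESHOLD files changed extension within WINDOW."""
    per_host = defaultdict(list)
    for ts, host, kind, old, new in map(parse, lines):
        old_ext, new_ext = (os.path.splitext(p)[1].lower() for p in (old, new))
        if kind == "rename" and old_ext != new_ext:
            per_host[host].append(ts)
    flagged = set()
    for host, times in per_host.items():
        times.sort()
        n = RENAME_THRESHOLD
        if any(times[i + n - 1] - times[i] <= WINDOW for i in range(len(times) - n + 1)):
            flagged.add(host)
    return sorted(flagged)
```

An rclone.exe launch is a hunting lead rather than proof (administrators use it legitimately), so the sharing-site flag is what raises its priority; the rename burst is the signal that should trigger the isolation steps described in the next section.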
FIRST STEPS TO TAKE WHEN RANSOMWARE IS DETECTED
If you have an EDR solution, it will kill malicious processes and can also disable infected machines, or all servers and endpoints. Often the disabling of machines is not turned on by default; in those instances, you should contact your provider, who can disable the estate quickly via the EDR console.
ISOLATE AFFECTED MACHINES
If no such tools are available and you can determine which machines have been affected, those machines need to be isolated from the network. The simplest method is to disable the network interface cards (NICs), unplug the network cable or disable the Wi-Fi adapter.
If you cannot determine exactly which machines have been impacted, the safest option is to isolate all servers from the network. It is recommended to do this at the switch level, taking whole network segments offline rather than individual devices. If this is not possible, then isolate devices individually.
NOTE: If you simply power devices off you can lose important forensic evidence, and getting them back on may prove difficult or impossible.
DETERMINE IMPACTED ENDPOINTS AND SERVERS
The next phase is to determine which endpoints and servers have been impacted. The simplest way to achieve this is to run available online tools that can scan devices. You also need to determine whether your backups have been impacted and, if not, take offline copies immediately. This is essential for business recovery.
You can modify your firewall to allow pin-holes for business-critical activities only. This may prevent the extraction of your data. If you can determine the ransomware strain, you can find generic Indicators of Compromise (IOCs) in reverse-engineering write-ups online and implement these generic blocks.
CONTACT YOUR CSIRT TEAM
If you have access to a Cyber Security Incident Response Team (CSIRT), it is always recommended to contact them and seek their guidance and immediate assistance. If you have cyber insurance, the insurer should be contacted and will make ransomware recovery teams available.
NOTE: It is recommended not to use email, as the attackers may have compromised the email estate; the phone is the preferred communication method.