Ransomware Attacks: What To Do If Your Business is Affected
REPORT • Apr 2022
Ransomware attacks increased significantly in 2021. Q1 and Q2 of 2021 saw a 93% increase in ransomware compared to the same period in 2020.
This report provides high-level guidance to business leaders on how to detect the signs of a ransomware attack and the preventative measures that are currently available.
Seven stages of a typical ransomware attack
How ransomware might be found in your estate
The first steps to take if you detect ransomware
Understanding ransomware attacks
Depending on your cyber security posture and the cyber tools you have within your organisation, a ransomware attack can be detected at numerous stages of the attack lifecycle. The earlier the point of detection, the greater the chance of mitigating the damage and ultimately rescuing your organisation. It is important to highlight that the most damaging part of any ransomware attack (the encryption of files) typically takes place at a later stage. By that point your organisation may have unknowingly been exposed for days or even weeks without noticing any symptoms, and once encryption begins the chances of avoiding material loss drop sharply. This article discusses the typical stages of a ransomware attack and the mitigation steps available at each stage.
STAGES OF A RANSOMWARE ATTACK
STAGE ONE
Attackers typically enter the estate through remote access points, using stolen credentials, a brute force attack or an exploitable vulnerability. Alternatively, a payload may have been dropped onto an employee’s device by a phishing email with the aim of spreading into the network.
STAGE TWO
Attackers will deploy post-exploitation agents (Cobalt Strike Beacons) onto servers, and lateral movement will follow, with further Cobalt Strike Beacons deployed across the estate. Exploitable vulnerabilities in servers are often used to move laterally around the server estate.
STAGE THREE
Attackers will analyse the estate to determine what is available to them and which servers are the most critical. They will look to uninstall or alter anti-virus products and to inhibit any other security solutions within the estate. Any backups that are not held in a storage repository off the corporate domain and network (air gapped) could be deleted, encrypted or tampered with to prevent business recovery.
STAGE FOUR
Tools will be deployed into the estate and used to collect and then extract data from your organisation. A common tool used in 2021 is rclone.exe. These tools are used to extract data outwards, usually to common sharing sites such as MEGA.NZ.
STAGE FIVE
Once all your data has been extracted and Cobalt Strike Beacons have been deployed across the entire estate, the ransomware will run. Servers will begin to be encrypted and files will be renamed with encryption extensions. Servers will become unresponsive and ransom notes will be dropped where they can easily be found. All endpoints connected to the network at the point of encryption may also be affected and at risk of encryption.
STAGE SIX
Emails will arrive into the organisation, usually from free mail accounts (e.g. Proton, Gmail, Hotmail). These emails will threaten that if payment is not received, your data will be published on the dark web or on the attackers’ own web pages.
STAGE SEVEN
Data will be published on these malicious websites and can include terabytes of your data. Usually there is a 14 to 28 day gap between stage 6 and stage 7. You may also be sent samples of your data before stage 7 occurs.
HOW RANSOMWARE MAY BE DETECTED
The early stages of a ransomware attack can be detected with the following tools; if these tools are available, it is important that regular checks are made on their output.
Anti-Virus Products (if not uninstalled by the attack)
Security tools monitoring the email audit logs or any email alerting configured
Typically, the ransomware only becomes known to the organisation at the point of encryption, when machines become unresponsive, encrypted files are detected or the ransom note is found.
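As an added illustration of how the encryption-stage symptoms described above show up on disk, the following Python script (added here, not part of the original report) scans a directory tree for three signs: files renamed with an unexpected appended extension, ransom-note style files, and plain-text files whose content has become near-random. The expected-extension list, note keywords and entropy threshold are assumed values a business would tune to its own estate, and the sample tree it scans is constructed inline.

```python
import math
import os
import tempfile
from collections import Counter
# Assumed allow-lists: extensions the business expects, plain-text types safe to
# entropy-check (PDF/JPEG/DOCX are compressed, so legitimately high-entropy), note words.
EXPECTED_EXT = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".csv"}
TEXT_EXT = {".txt", ".csv", ".log", ".xml", ".json"}
NOTE_MARKERS = ("readme", "recover", "restore", "decrypt", "how_to")
ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted or random bytes approach 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample; English text scores roughly 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root: str, sample_bytes: int = 4096) -> dict:
    """Walk root and return file paths grouped by the symptom they show."""
    findings = {"renamed": [], "high_entropy": [], "ransom_notes": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext in (".txt", ".html", ".hta") and any(m in name.lower() for m in NOTE_MARKERS):
                findings["ransom_notes"].append(path)
            elif ext not in EXPECTED_EXT and os.path.splitext(stem)[1].lower() in EXPECTED_EXT:
                findings["renamed"].append(path)  # e.g. invoice.pdf.locked
            elif ext in TEXT_EXT:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
                if shannon_entropy(head) > ENTROPY_THRESHOLD:
                    findings["high_entropy"].append(path)  # encrypted in place

    return findings

def demo() -> dict:
    """Build a constructed sample tree in a temp directory and scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "minutes.txt"), "w", encoding="utf-8") as fh:
        fh.write("Board minutes: the quarterly figures were approved.\n" * 40)
    with open(os.path.join(root, "invoice.pdf.locked"), "wb") as fh:
        fh.write(os.urandom(2048))  # renamed with an encryption extension
    with open(os.path.join(root, "HOW_TO_RECOVER_FILES.txt"), "w", encoding="utf-8") as fh:
        fh.write("Your files are encrypted. Contact us to restore them.\n")
    with open(os.path.join(root, "customers.csv"), "wb") as fh:
        fh.write(os.urandom(2048))  # content encrypted, name untouched
    return scan_tree(root)
```

Run against a file share during the "determine impacted endpoints and servers" step, the three lists give a quick first triage of which hosts to isolate and which backups to check.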
FIRST STEPS TO TAKE WHEN RANSOMWARE IS DETECTED
EDR
If you have an EDR solution, it will kill malicious processes and can also disable infected servers and endpoints, or the whole estate. Often the ability to disable machines is not turned on by default; in those cases, contact your provider, who can disable the estate quickly via the EDR console.
ISOLATE AFFECTED MACHINES
If no such tools are available and you can determine which machines have been affected, those machines need to be isolated from the network. The simplest method is to disable the Network Interface Cards (NICs), unplug the network cable or disable the Wi-Fi adapter.
ISOLATE
If you cannot determine exactly which machines have been impacted, the safest option is to isolate all servers from the network. It is recommended to do this at the switch level, taking network segments offline rather than individual devices. If this is not possible, then isolate devices individually.
NOTE: If you simply power devices off you can lose important forensic evidence, and getting them back on may prove difficult or impossible.
DETERMINE IMPACTED ENDPOINTS AND SERVERS
The next phase is to determine which endpoints and servers have been impacted. The simplest way to achieve this is to run available online tools that can scan devices. You also need to determine whether your backups have been impacted and, if not, take offline copies immediately. This is essential for business recovery.
MODIFY FIREWALLS
You can modify your firewall to allow pin-holes for business-critical activities only. This may prevent the extraction of your data. If you can determine the ransomware strain, you can find generic Indicators of Compromise (IOCs) in reverse engineering papers online and implement these as blocks.
CONTACT YOUR CSIRT TEAM
If you have access to a Cyber Security Incident Response Team (CSIRT), it is always recommended to contact them and seek their guidance and immediate assistance. If you have cyber insurance, the insurer should be contacted; they will make ransomware recovery teams available.
NOTE: It is recommended not to use email, as the attackers may have compromised the email estate; the phone is the preferred communication method.