Ransomware Attacks: What To Do If Your Business is Affected


REPORT • Apr 2022

Ransomware attacks increased significantly in 2021: the first half of 2021 (Q1 and Q2) saw 93% more ransomware attacks than the same period in 2020.

This report provides high-level guidance to business leaders on how to detect the signs of a ransomware attack and the preventative measures that are currently available.

Key Points


  • Seven stages of a typical ransomware attack
  • How ransomware might be found in your estate
  • The first steps to take if you detect ransomware

Understanding ransomware attacks

Depending on your cyber security posture and the tools you have within your organisation, a ransomware attack can be detected at numerous stages of its lifecycle. The earlier the point of detection, the greater the chance of limiting the damage and ultimately rescuing your organisation. It is important to highlight that the most damaging part of any ransomware attack, the encryption of files, typically takes place late in the attack. By that point your organisation may have been compromised for days or even weeks without noticing any symptoms, and once encryption starts the chance of avoiding material loss falls sharply. This article discusses the typical stages of a ransomware attack and the mitigation steps available at each stage.

STAGES OF A RANSOMWARE ATTACK

STAGE ONE

Attackers typically enter the estate through remote access points (such as VPN or remote desktop services) using stolen credentials, brute-forced passwords or an exploitable vulnerability. Alternatively, a payload may be dropped onto an employee's device by a phishing email, with the aim of spreading into the network.

STAGE TWO

Attackers deploy command-and-control implants (typically Cobalt Strike Beacons, which call back to the attacker's server rather than detecting anything) onto servers, and then move laterally, deploying further Beacons across the estate. Unpatched vulnerabilities in servers are often exploited to move around the server estate.

STAGE THREE

Attackers will analyse the estate to determine what is available to them and which servers are the most critical. They will look to uninstall or alter the anti-virus product and to inhibit any other security solutions within the estate. Any backups that are not held in a storage repository off the corporate domain and network (air gapped) may be deleted, encrypted or tampered with to prevent business recovery.

STAGE FOUR

Tools will be deployed into the estate to collect and then exfiltrate data from your organisation. A tool commonly seen in 2021 is rclone.exe, which is used to copy data out to public file-sharing services such as MEGA.NZ.

STAGE FIVE

Once your data has been exfiltrated and Cobalt Strike Beacons have been deployed across the estate, the encryption phase begins. Servers are encrypted and files are renamed with the ransomware's extension. Servers become unresponsive and ransom notes are dropped where they will easily be found. Every endpoint connected to the network at the point of encryption may also be affected and is at risk of encryption.

STAGE SIX

Emails will arrive into the organisation, usually from free webmail accounts (e.g. Proton, Gmail, Hotmail), threatening that if payment is not received your data will be published on the dark web or on the attackers' own leak site.

STAGE SEVEN

Data will then be published on these leak sites, potentially terabytes of it. There is usually a 14-28 day gap between stage six and stage seven, and you may be sent samples of your data before stage seven occurs.

HOW RANSOMWARE MAY BE DETECTED

The early stages of a ransomware attack can be detected with the following tools. Where they are available, it is important that their output is checked regularly:

  • Anti-virus products (if not uninstalled by the attacker)
  • Security Information and Event Management (SIEM) technology
  • Endpoint Detection and Response (EDR) technology
  • Security event logs
  • Regular analysis of firewall logs
  • Security tools monitoring the email audit logs, or any email alerting that is configured

Typically, ransomware only becomes known to the organisation at the point of encryption, when machines become unresponsive, encrypted files are found or the ransom note is discovered.
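The log review described above can be automated. The script below is an added example, not code from the report or from any vendor tool: it triages process-creation events (the kind an EDR, Sysmon or a SIEM would hold) for the stage two to four behaviours the text lists. rclone.exe and MEGA are taken from the text; the backup-destruction, recovery-disabling and Defender-tampering indicators are common ransomware tradecraft added here as an assumption, and the log line format and sample events are constructed for the demonstration.

```python
"""Triage process-creation log lines for the ransomware precursors described
in stages two to four: backup destruction, security tooling being disabled,
and rclone.exe exfiltration to MEGA.  Added example; the log format and the
sample lines are constructed for this demonstration and are not from the
report.  rclone.exe and MEGA come from the text; the other indicators are
common ransomware tradecraft added here as an assumption."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    host: str
    stage: str
    reason: str


# Constructed log format: one process-creation event per line, key=value
# fields, with the command line last and quoted.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>.+?) '
    r'image=(?P<image>.+?) cmdline="(?P<cmd>.*)"$'
)

# (stage label, reason, pattern matched case-insensitively against the command line)
INDICATORS = [
    ("stage 3: backups tampered", "shadow copies deleted",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("stage 3: backups tampered", "backup catalog deleted",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("stage 3: backups tampered", "Windows recovery environment disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no\b", re.I)),
    ("stage 3: security tooling inhibited", "Defender real-time monitoring disabled",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("stage 4: exfiltration", "rclone.exe sending data to a MEGA remote",
     re.compile(r"\brclone(\.exe)?\b.*\bmega\b", re.I)),
]

# Constructed sample events: an admin account tearing down recovery on FS01,
# disabling Defender on DC02 and pushing the Finance share to MEGA, plus
# benign lines (a shadow-copy listing, an internal rclone sync, svchost).
SAMPLE_LOG = r"""
2022-03-14T02:10:51Z host=FS01 user=CORP\adm_jsmith image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"
2022-03-14T02:11:09Z host=FS01 user=CORP\adm_jsmith image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2022-03-14T02:11:12Z host=FS01 user=CORP\adm_jsmith image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"
2022-03-14T02:13:40Z host=DC02 user=CORP\adm_jsmith image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"
2022-03-14T02:20:03Z host=FS01 user=CORP\adm_jsmith image=C:\Users\Public\rclone.exe cmdline="rclone.exe copy \\FS01\Finance mega:dump --transfers 32"
2022-03-14T02:20:05Z host=WS113 user=CORP\bthompson image=C:\Program Files\rclone\rclone.exe cmdline="rclone.exe sync D:\exports sftp-internal:backups"
2022-03-14T02:21:00Z host=WS113 user=NT AUTHORITY\SYSTEM image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs"
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


def parse_line(line: str):
    """Return the event fields as a dict, or None if the line is not in the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Return one Finding per (line, indicator) match, in log order."""
    findings = []
    for no, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # a real tool should count unparseable lines rather than drop them
        for stage, reason, pattern in INDICATORS:
            if pattern.search(rec["cmd"]):
                findings.append(Finding(no, rec["host"], stage, reason))
    return findings


def hosts_by_stage(findings):
    """Group affected hosts by attack stage, which is the isolation list you need."""
    out = {}
    for f in findings:
        out.setdefault(f.stage, set()).add(f.host)
    return out


if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    for f in hits:
        print(f"line {f.line_no}: {f.host}: {f.stage}: {f.reason}")
    print(hosts_by_stage(hits))
```

Note that a bare rclone.exe execution is not flagged, only a copy to a MEGA remote: the internal sync on WS113 is the kind of legitimate use that a pattern on the binary name alone would drown you in. The grouping by stage is what feeds the isolation steps below: hosts in the stage 3 and 4 sets are the first to cut off.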

FIRST STEPS TO TAKE WHEN RANSOMWARE IS DETECTED

EDR

If you have an EDR solution, it can kill malicious processes and can also network-isolate infected machines, or every server and endpoint in the estate. Isolation is often not enabled by default; in that case contact your provider, who can isolate the estate quickly from the EDR console.

ISOLATE AFFECTED MACHINES

If no such tools are available and you can determine which machines have been affected, those machines must be isolated from the network. The simplest methods are to disable the network interface cards (NICs), unplug the network cable or disable the Wi-Fi adapter.

ISOLATE THE WHOLE ESTATE

If you cannot determine exactly which machines have been impacted, the safest option is to isolate all servers from the network. It is recommended to do this at the switch level, taking network segments offline rather than individual devices. If this is not possible, isolate devices individually.

NOTE: If you simply power devices off you can lose important forensic evidence (such as memory contents), and getting them back on may prove difficult or impossible.

DETERMINE IMPACTED ENDPOINTS AND SERVERS

The next phase is to determine which endpoints and servers have been impacted. The simplest way is to run whatever scanning tools you have available (your AV or EDR console, or a script that checks shares for renamed files and ransom notes). You also need to determine whether your backups have been impacted and, if not, take offline copies immediately. This is essential for business recovery.
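One way to check a file share for the two signs stage five describes (files renamed with an unexpected extension whose contents look encrypted, and ransom notes dropped beside them). This is an added example, not a tool from the report: the share layout is a constructed fixture, and the extension allow-list, ransom-note keywords and entropy threshold are assumptions to be tuned for a real estate.

```python
"""Walk a file share and report files renamed with an unknown extension whose
contents look encrypted, plus ransom notes.  Added example, not from the
report; the share layout, the extension allow-list, the note keywords and the
entropy threshold are all assumptions made for this demonstration."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Extensions expected on this (constructed) share; anything else is unknown.
# Assumption: tune this list per share in real use.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}
NOTE_NAME_HINTS = ("readme", "restore", "recover", "decrypt", "how_to", "how-to")
NOTE_BODY_HINTS = ("decrypt", "encrypted", "locked", "bitcoin", ".onion")
ENTROPY_THRESHOLD = 7.5  # bits per byte; 8.0 is perfectly random


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """A name hint alone gives false positives (every share has a readme.txt),
    so the body must also contain ransom-note vocabulary."""
    if path.suffix.lower() not in (".txt", ".html", ".hta"):
        return False
    if not any(h in path.name.lower() for h in NOTE_NAME_HINTS):
        return False
    body = path.read_text(errors="ignore")[:65536].lower()
    return any(h in body for h in NOTE_BODY_HINTS)


def scan_tree(root, sample_bytes: int = 4096) -> dict:
    """Return ransom notes, high-entropy files with unknown extensions, and a
    count of each unknown extension seen (one dominant extension is the
    usual sign of an encryptor having run)."""
    root = Path(root)
    notes, suspicious, unknown_ext = [], [], Counter()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if looks_like_ransom_note(path):
            notes.append(rel)
            continue
        ext = path.suffix.lower()
        if ext in KNOWN_EXTENSIONS:
            continue
        unknown_ext[ext] += 1
        with open(path, "rb") as fh:
            entropy = shannon_entropy(fh.read(sample_bytes))  # head only: fast on large shares
        if entropy > ENTROPY_THRESHOLD:
            suspicious.append((rel, round(entropy, 2)))
    return {
        "ransom_notes": notes,
        "high_entropy_unknown_ext": suspicious,
        "unknown_extension_counts": dict(unknown_ext),
    }


def build_sample_share(base=None) -> Path:
    """Constructed fixture: an HR folder left alone (including a benign
    readme.txt) and a Finance folder that has been encrypted and renamed,
    with a note dropped beside the files."""
    root = Path(base or tempfile.mkdtemp(prefix="share-"))
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    hr = root / "HR"
    hr.mkdir(parents=True, exist_ok=True)
    (hr / "policy.docx").write_bytes(b"PK\x03\x04" + b"A" * 2000)
    (hr / "readme.txt").write_text("How to file expenses: see the intranet page.")
    fin = root / "Finance"
    fin.mkdir(exist_ok=True)
    for name in ("q1.xlsx", "q2.xlsx", "board.pdf"):
        (fin / f"{name}.lockedz9k").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    (fin / "RESTORE-MY-FILES.txt").write_text("Your network has been locked. Contact us to decrypt.")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for key, value in scan_tree(share).items():
        print(f"{key}: {value}")
```

Run it from a machine that is itself isolated and read-only mounts the share: the point is to list what has been touched, not to start writing to a share the encryptor may still be running against. Legitimately compressed or encrypted files (archives, password-protected documents) will also show high entropy, which is why the unknown-extension filter and the per-extension counts are applied before the entropy check.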


MODIFY FIREWALLS

You can modify your firewall to allow only pin-holes for business-critical activities. This may prevent the exfiltration of your data. If you can determine the ransomware strain, generic Indicators of Compromise (IOCs) from published reverse-engineering reports can be found online and implemented as blocks.

CONTACT YOUR CSIRT TEAM

If you have access to a Cyber Security Incident Response Team (CSIRT), it is always recommended to contact them and seek their guidance and immediate assistance. If you have cyber insurance, contact your insurer, who will make ransomware recovery teams available.

NOTE: It is recommended not to use email, as the attackers may have compromised the email estate; the phone is the preferred communication method.

Don’t have access to a partner with CSIRT capability?
We can help.

