Ransomware Attacks: What To Do If Your Business is Affected

REPORT • Apr 2022

Ransomware attacks increased significantly in 2021. Q1 and Q2 of 2021 saw a 93% increase in ransomware compared to the same period in 2020.

This report provides high-level guidance to business leaders on how to detect the signs of a ransomware attack and the preventative measures that are currently available.

Key Points

  • Seven stages of a typical ransomware attack
  • How ransomware might be found in your estate
  • The first steps to take if you detect ransomware

Understanding ransomware attacks

Depending on your cyber security posture and the security tooling you have within your organisation, a ransomware attack can be detected at numerous stages of the attack lifecycle. The earlier the point of detection, the greater the chance of limiting the damage and, ultimately, of recovering your organisation. It is important to highlight that the most damaging part of any ransomware attack (the encryption of files) typically takes place at a late stage. By then your organisation may have been compromised for days or even weeks without noticing any symptoms, and once encryption starts the chances of avoiding material loss fall sharply. This report describes the typical stages of a ransomware attack and the mitigation steps available at each stage.

STAGES OF A RANSOMWARE ATTACK

STAGE ONE

Attackers typically enter the estate through remote access points (such as VPN or remote desktop services) using stolen credentials, a brute-force attack or an exploitable vulnerability. Alternatively, a payload may be dropped onto an employee's device via a phishing email, with the aim of spreading into the network.

STAGE TWO

Attackers will deploy command-and-control implants (typically Cobalt Strike Beacons, the agent of a commercial adversary-simulation tool that is widely abused by ransomware groups) onto servers, and lateral movement will follow, with further Beacons deployed across the estate. Unpatched, exploitable vulnerabilities in servers are often used to move laterally around the server estate.

STAGE THREE

Attackers will analyse the estate to determine what is available to them and which servers are the most critical. They will look to uninstall or alter anti-virus products and to inhibit any other security solutions within the estate. Any backups that are not held in a storage repository off the corporate domain and network (air gapped) may be deleted, encrypted or tampered with to prevent business recovery.

STAGE FOUR

Tools will be deployed into the estate to collect and then exfiltrate data from your organisation. A common tool in 2021 was rclone.exe, a legitimate command-line utility for syncing files to cloud storage. Such tools are used to push data out to file-sharing sites such as MEGA.NZ.

STAGE FIVE

Once your data has been exfiltrated and Cobalt Strike Beacons have been deployed across the entire estate, the ransomware will be launched. Servers will be encrypted and files renamed with the ransomware's extension. Servers will become unresponsive and ransom notes will be dropped where they can easily be found. All endpoints connected to the network at the point of encryption may also be affected and at risk of encryption.

STAGE SIX

Emails will arrive into the organisation, usually from free mail accounts (e.g. Proton, Gmail, Hotmail). These emails will threaten that, if payment is not received, your data will be published on the dark web or on the attackers' own leak site.

STAGE SEVEN

Data will be published on these leak sites and can amount to terabytes of your data. There is usually a 14 to 28 day gap between stage six and stage seven. You may also be sent samples of your data before stage seven occurs.

HOW RANSOMWARE MAY BE DETECTED

The early stages of a ransomware attack can be detected with the following tools; where these tools are available, it is important that their output is checked regularly.

  • Anti-virus products (if not uninstalled by the attackers)
  • Security Information and Event Management (SIEM) technology
  • Endpoint Detection and Response (EDR) technology
  • Security event logs on servers and endpoints
  • Regular analysis of the firewall logs
  • Security tools monitoring the email audit logs, or any email alerting configured

Typically, the ransomware only becomes known to the organisation at the point of encryption, when machines become unresponsive, encrypted files are detected or the ransom note is found.
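The following script is an added illustration, not part of the original report or any vendor's rule set. It shows the kind of check a SIEM or EDR query would run over process-creation and file-creation events to catch stages three to five before the ransom note is found: a command line that disables anti-virus protection, rclone.exe copying data to a MEGA remote, and a burst of files rewritten with an unfamiliar extension alongside a ransom note. The event records are constructed, and the field names, the Microsoft Defender cmdlet used as the tampering example, the extension allow-list and the thresholds are all assumptions made for the example.

```python
"""Toy triage checks for ransomware stages three to five over constructed event data.
Added example, not from the original report; field names, patterns and thresholds are
illustrative assumptions, not a vendor rule set."""
from collections import defaultdict
from datetime import datetime
import ntpath  # parses Windows-style paths correctly even when run on Linux
import re

# Constructed process-creation events (Windows Security 4688 / Sysmon EID 1 shape).
PROCESS_EVENTS = [
    {"ts": "2022-03-01T02:10:05", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2022-03-01T02:14:40", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\ProgramData\rclone.exe",
     "cmd": r'rclone.exe copy "D:\Finance" mega:exfil --transfers 16 -q'},
    {"ts": "2022-03-01T09:00:00", "host": "WS22", "user": "CORP\\jsmith",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"'},
]
# Constructed file-creation events (Sysmon EID 11 shape): 60 files rewritten with a
# new extension inside one minute, a note dropped, then ordinary user activity.
FILE_EVENTS = (
    [{"ts": f"2022-03-01T03:00:{i:02d}", "host": "FS01",
      "path": rf"D:\Finance\report_{i}.xlsx.locked"} for i in range(60)]
    + [{"ts": "2022-03-01T03:01:10", "host": "FS01", "path": r"D:\Finance\HOW_TO_RESTORE_FILES.txt"},
       {"ts": "2022-03-01T09:05:00", "host": "WS22", "path": r"C:\Users\jsmith\Documents\budget.xlsx"}]
)

# Stage three: protection being disabled. Only Microsoft Defender's documented
# Set-MpPreference cmdlet is matched here; other products need their own patterns.
TAMPER_RE = re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)
# Stage four: the copy tool the report names, plus an rclone remote or domain for MEGA.
EXFIL_TOOLS = {"rclone.exe"}
SHARING_SITE_RE = re.compile(r"\bmega(\.nz\b|:)", re.I)
# Stage five: extensions normally present on a file server (illustrative allow-list)
# and words commonly seen in ransom-note file names.
KNOWN_EXTS = {".xlsx", ".xls", ".docx", ".doc", ".pdf", ".txt", ".csv", ".pptx",
              ".jpg", ".png", ".zip", ".exe", ".dll", ".log", ".msg", ".ini"}
NOTE_WORDS_RE = re.compile(r"readme|decrypt|restore|recover|how[_ -]?to", re.I)
NOTE_EXTS = {".txt", ".hta", ".html"}


def detect_av_tampering(events):
    """Process events whose command line disables or alters endpoint protection."""
    return [e for e in events if TAMPER_RE.search(e["cmd"])]


def detect_exfil(events):
    """Process events launching a known copy tool; notes when a sharing site is the target."""
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() in EXFIL_TOOLS:
            reason = "known copy/sync tool executed"
            if SHARING_SITE_RE.search(e["cmd"]):
                reason += " against a file-sharing remote"
            hits.append({"event": e, "reason": reason})
    return hits


def detect_mass_rename(events, threshold=50, window_s=60):
    """(host, ext) pairs where >= threshold files with an unknown extension were written
    inside some window_s-second window: the stage-five encryption signature."""
    buckets = defaultdict(list)
    for e in events:
        ext = ntpath.splitext(e["path"])[1].lower()
        if ext and ext not in KNOWN_EXTS:
            buckets[(e["host"], ext)].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for (host, ext), times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "ext": ext, "count": len(times)})
                break
    return alerts


def detect_ransom_notes(events):
    """File events whose name looks like a dropped ransom note."""
    out = []
    for e in events:
        stem, ext = ntpath.splitext(ntpath.basename(e["path"]))
        if ext.lower() in NOTE_EXTS and NOTE_WORDS_RE.search(stem):
            out.append(e)
    return out


def triage(process_events=PROCESS_EVENTS, file_events=FILE_EVENTS):
    """Run every check and return findings keyed by the report's stage numbers."""
    return {"stage3_tampering": detect_av_tampering(process_events),
            "stage4_exfil": detect_exfil(process_events),
            "stage5_mass_rename": detect_mass_rename(file_events),
            "stage5_ransom_note": detect_ransom_notes(file_events)}


if __name__ == "__main__":
    for stage, findings in triage().items():
        print(f"{stage}: {len(findings)} finding(s); first: {findings[:1]}")
```

Run as a script it prints one finding per stage for the constructed data. In a real estate the same logic would live as SIEM correlation rules over process-creation and file-creation telemetry, with the extension allow-list and the rename threshold tuned to what the file servers normally do, since a legitimate bulk migration can look like stage five to a rule this simple.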

FIRST STEPS TO TAKE WHEN RANSOMWARE IS DETECTED

EDR

If you have an EDR solution, it can kill malicious processes and can also isolate infected machines, or the whole estate of servers and endpoints, from the network. Network isolation is often not enabled by default; in that case, contact your provider, who can isolate the estate quickly via the EDR console.

ISOLATE AFFECTED MACHINES

If no such tools are available and you can determine which machines have been affected, these machines need to be isolated from the network. The simplest way to achieve this is to disable the network interface cards (NICs), unplug the network cable or disable the Wi-Fi adapter.

ISOLATE THE NETWORK

If you cannot determine exactly which machines have been impacted, the safest option is to isolate all servers from the network. It is recommended to do this at the switch level, taking whole network segments offline rather than individual devices. If this is not possible, isolate devices individually.

NOTE: If you simply power devices off you may lose important forensic evidence (such as the contents of memory), and getting them back on may prove difficult or impossible.

DETERMINE IMPACTED ENDPOINTS AND SERVERS

The next phase is to determine which endpoints and servers have been impacted. The simplest way to achieve this is to run whatever scanning tools you have available across the devices. You also need to determine whether your backups have been impacted and, if they have not, take offline copies immediately. This is essential for business recovery.

MODIFY FIREWALLS

You can modify your firewall rules to allow only pinholes for business-critical activity. This may prevent the exfiltration of your data. If you can determine the ransomware strain, you can find generic Indicators of Compromise (IOCs) in published reverse-engineering analyses and implement blocks based on them.

CONTACT YOUR CSIRT TEAM

If you have access to a Cyber Security Incident Response Team (CSIRT), it is always recommended to contact them and seek their guidance and immediate assistance. If you have cyber insurance, your insurer should be contacted; they will make ransomware recovery teams available.

NOTE: It is recommended not to use email for this, as the attackers may have compromised the email estate; the phone, or another channel outside the affected estate, is the preferred method of communication.

