Label

Initial Response

It happened. Despite the organization’s best efforts, the ransomware actor bypassed all the defenses and went undetected in the network. Now the organization is under an active ransomware attack.

When It Hits the Fan

It happened. Despite the organization’s best efforts, the ransomware actor bypassed all the defenses and went undetected in the network. Now the organization is under an active ransomware attack. One by one, network segments are going offline, and the phones of both the head of IT and security are blowing up with panicked employees asking what to do. In some cases, printers may be going crazy spitting out ransomware notes.
Senior leadership and the board of directors are calling.
The ransomware attack has started, and a lot of damage has already been done. As tempting as it is to find a desk to hide under, now is not the time. At this point, the only thing the IT and security teams can do is work to limit the damage. And, yes, the damage can be limited if the organization is able to act quickly.
Consider this page to be tied to the "Implementing DR and IR Plans" page. The activities in this chapter will flow right into that page as a continuation of initial response to incident response (IR) and disaster recovery (DR).

Don't Panic

In “Thor: Ragnarok,” Bruce Banner returns to himself after being the Hulk for an extended period. In his first conversation with Thor, Thor says, “I just need you to stay calm.” To which Banner responds, “Calm?! I’m on an alien planet!” The start of a ransomware attack is a lot like that. For many IT and security people, their first ransomware attack is an alien experience. Telling them not to panic seems counterproductive, especially considering there’s a lot to panic about.

The truth is a lot of work needs to be ...

... completed very quickly (and also for a long time after that). Panicking at this point in the attack is going to make the recovery last that much longer. Panicking also prevents the teams from taking the necessary immediate actions to limit the damage.
So, despite the very understandable urge to panic, and the panic that's likely gripping many parts of the organization, several clear-headed actions must be taken immediately. This is where the training from conducting the tabletop exercises with the IR and DR plans comes into play. It’s time to put those plans into action and contain the damage.
This Content Made Available 
Compliments of
rubrik
Our Community Thanks You!
School house

Designate Someone To Document 
and Communicate Information

Part of every IR plan is designating someone to communicate information once the damage has been assessed, but don’t forget to have someone handling communication during the initial assessment. This person should ideally be part of the response team and is responsible only for internal communications. During a crisis like this, employees will likely be reaching out to everyone they know, hoping to get an understanding of what’s happening. All that does is slow down the initial response.
Sending out a note early in the attack letting employees know what’s happening will hopefully slow down the deluge of calls and text messages. Many employees might be shut off from email, so consider text messages or some other form of pre-planned communication. That note should identify a point of contact in case employees have questions or want to report additional suspicious activity. In addition, the note should let employees know when they should expect the next update. Again, that should slow down the number of phone calls and texts. Consider different communication schedules for leadership and for other employees.
The person or team in charge of communication should also start the process of documenting initial findings. During initial response, a lot of the findings are reported in an ad hoc manner. Getting everything documented and stored in a place easily accessible by everyone will make further triage much easier.

Contain the Attack

The first step in the IR plan for successful ransomware attack recovery is to contain the damage. The Cybersecurity and Infrastructure Security Agency (CISA) has released a Ransomware Guide that includes advice on how to prevent and respond to a ransomware attack.

A ransomware attack can sometimes ...

... take hours to fully complete. This gives IT and security teams time to isolate the infected machines and, hopefully, keep the ransomware from spreading. This initial response team should consist of members of the IT, security, and IR teams who are onsite and can act immediately. At this point, there likely isn’t time to call in reinforcements for this initial response, especially not knowing whether remote access will need to be shut down to keep out the ransomware actor.
If the infected systems are properly segmented, shut down the infected network segment at the switch, isolating all the infected systems with a single command. This is an ideal way to contain an attack, because it can be done quickly and has the biggest impact on containing the attack.
Step-by-step guide to isolating and shutting down encrypted systems during a ransomware attack

If the networks aren't properly segmented ...

... or if the ransomware actor seems to be infecting systems at random, infected machines should be immediately disconnected from the network and Wi-Fi turned off. Ideally, that can be done remotely, but if remote tools are unavailable, the response teams need to go from machine to machine to turn off Wi-Fi manually. This action should also disconnect the machine from any network mappings, but to be safe, teams should disable any network mappings for those machines. Depending on how the ransomware is spreading, this may include taking Active Directory services offline. These steps are outlined in the diagram above.
If, for some reason, the systems can’t be disconnected from the network by pulling the network cable or turning off the Wi-Fi, start shutting the infected machines down. If the response team isn’t sure how the ransomware is spreading, they may be forced to shut down all of the systems on the network. While there’s certainly a sense of urgency here, be especially careful if forced to shut down servers. Some servers, such as database servers, don’t recover well from emergency shutdowns, so the shutdown may cause as much damage as the ransomware.
Machines that are definitely encrypted need to be labeled as such, so they aren’t accidentally turned back on later in the IR or DR process and start re-infecting the network.

Expect containment of the ransomware attack to take several hours.

Unlike a lot of other cybercriminal activities, there’s almost always a human on the other end of the keyboard launching the attack. In their (perverse) thinking, they’ve invested money and time launching this attack and they won’t want to leave without stealing files and encrypting systems on the network. As the initial response team is shutting things down, it’s likely that the ransomware actor will be trying to find other access points or ways to deliver the ransomware.
This is a good time to bring in food for everyone who has likely been working non-stop for several hours.
Watch out

Shut Down with Caution

Shutting down systems is often necessary. However, keep in mind that since many ransomware operators prefer to use tools that load into memory, shutting down encrypted systems will mean those tools disappear. This will result in the loss of valuable forensic evidence for the IR team and, if called in, law enforcement.
This doesn’t mean that systems shouldn’t be powered down if necessary, but it's important to step through the order outlined in this section and not start with immediate shutdown. Also, keep in mind, not all tools used by the ransomware groups run in memory; there are often enough artifacts left behind by the ransomware actor to piece together most of the attack. This is where the experience of the IR team or law enforcement are necessary.

Assess the Damage

Once the initial response team is confident that the ransomware isn’t spreading any further, it’s time to assess the damage and start pulling in the larger IR team. The documentation that was, hopefully, done during the initial response will be invaluable here.

Assessment should include ...

... defining which systems or network segments have definitely been encrypted, which ones definitely haven’t, and which ones the teams aren’t sure about. In addition, the teams need to document clearly what data was on the encrypted machines for prioritization purposes, as well as to start to understand what data may have been exfiltrated.
Once the extent of the ransomware infection is fully understood, the DR team can start prioritizing which systems will need to be brought back online first, based on business need. This information should all be defined in the DR plan. This doesn’t mean that organizations can start restoring immediately; this is still the planning stage.

Also, the DR plan should specify clearly ...

... how both encrypted and “clean” systems will be brought online. Even systems that are initially considered clean may have artifacts from the ransomware actor hiding on them, such as dropped tools, persistence mechanisms, backdoors, and others. All systems need to be brought online in a manner isolated from the rest of the network by someone from the IR team who can ensure that reconnecting the system to the network won’t cause more damage.
Finally, during this initial assessment, check the backups to ensure that they haven’t been encrypted and are still reachable from the rest of the network. Don’t start planning restoration without knowing that working backups actually exist.

Want More Like This?

Sign Up To Receive Our 
Monthly Ransomware Newsletter

Don't Worry, We Hate Spam Too

Block Initial Access Vectors

At this point, the IR team probably has no idea what the initial access vector was for this ransomware attack. To ensure that the ransomware actor doesn’t regain access, all possible initial access vectors need to be taken temporarily offline. Shut down any Internet-facing Remote Desktop Protocol (RDP) servers, Citrix servers, vCenter servers, and VPN concentrators. Basically, anything that’s touching the Internet, or might be hosting a webshell, that might have been exploited by a ransomware actor will need to be temporarily blocked from access.

There will absolutely be a business disruption.

However, it’s going to be less of a business disruption than the ransomware actor regaining access and attempting to finish the job. Therefore, it’s imperative to get the ransomware actor’s artifacts removed from the systems. As systems are returned online, they need to be fully scrubbed, Active Directory credentials reset, and thorough discussion about what the ransomware actor might have done to facilitate regaining access needs to be had. Once that last point has been identified, organizations need to do something about it.
Assessment and blocking initial access vectors should take several hours. At this point, it’s likely several hours since the ransomware attack first started (of course, it might be more or less time, depending on the size of the organization). Everyone is likely very tired, but the next meeting is critical.
Pay attetntion

Now Would Be a Good Time 
to Open a Bridge

Whether it’s a conference call, a permanent Zoom session, or other video conferencing tool, the bridge will allow those who need to check in with the ability to do so easily. It will also make it easier to schedule regular updates. If the IR team is going to provide updates every four hours, everyone who needs to hear the update can just connect to the bridge.
Make sure, whatever form the bridge takes, that it’s password-protected. The last thing an organization needs during a ransomware cleanup is outsiders connecting to the bridge and learning sensitive organization details.

Get Everyone in and 
Put Together Plans

Now it's time to bring everyone together.

Everyone who participated in the tabletop exercise and who has a role in the IR and DR plans should meet either in person or remotely.
The meeting will likely open with a briefing on the initial assessment of the damage caused by the ransomware attack, as well as how long it’s expected to take to get things back up and running. Set realistic goals here, based on the prioritizations outlined earlier (consider planning for this during the ransomware tabletop exercises). Prepare everyone to grasp that some systems are going to be down longer than others and that recovery is a gradual process, with the dual priorities being getting the organization back online quickly without risking reinfection by the ransomware actor.

Communication should now be ...

... handed over to the person or team designated in the IR plan. They keep employees updated, as well as partners and vendors, as needed. They also communicate with the press, should it become necessary.
There will likely be two simultaneous processes:
The IR team tracks down which ransomware group or affiliate launched the attack and how they got in
The DR team begins restoring the network and getting critical services back up and running

Senior management will undoubtedly ...

... want regular status updates about the situation. Set expectations early on that reports will be provided on a defined regular interval. This might change over time. For example, at the beginning, senior management may want hourly reports because there’s a lot happening. As the recovery progresses, the reports will become less frequent because there’s less to report.
Don’t forget that rules about where, when, and how to communicate should have all been approved in advance by the organization’s legal counsel. There will likely be a lawsuit over the ransomware attack. Clearing communication with the legal team helps ensure that all relevant communication is preserved when that lawsuit happens.

At this point, it will probably have been ...

... many hours since the attack was noticed, and there will be some people on the team who haven’t gone home or slept since the start of the attack. Send them home or to a nearby hotel so they can get some rest and be ready for the next day.
The first day of the attack is long and hard for everyone, but the next few days are going to be just as long and sometimes as difficult. There’s no point in burning anyone out this early, because there’s still a lot of work to do.
Dive deeper into the DR and IR processes to learn how to move through those processes in a manner that will protect the organization and get critical services operational as quickly as possible.

Liked This? Get The Rest Of The Free 313 Page Book:
Ransomware: Understand. Prevent. Recover

Get the Book 
in Your Inbox

how-to-remove-ransomware-infographic

Download The 
"How To Recover From Ransomware"
Cheat Sheet

Grab this free PDF resource on how to prevent Ransomware
DOWNLOAD THE PDF

Share This Resource With Others

Embed The "How To Recover a From Ransomware Attack" resource on your site or blog using this code.

Share this Infographic On Your Site

how-to-remove-ransomware-infographic

Want More?

This site is adapted from a book on Ransomware. 
If you would like to learn more keep reading ...
READ MORE ABOUT IMPLEMENTING YOUR DR AND IR PLANS
envelope linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram