1. Determine which systems were impacted, and immediately isolate them. If several systems or subnets appear impacted, take the network offline at the switch level. It may not be feasible to disconnect individual systems during an incident. If taking the network temporarily offline is not immediately possible, locate the network (e.g., Ethernet) cable and unplug affected devices from the network or remove them from Wi-Fi to contain the infection.

If it's only one or two computers that have been infected by the ransomware, then you may be able to get away with just disconnecting those PCs and dealing with them individually. But if the infection has spread more widely, then you may have to take more significant action to prevent the ransomware from spreading further. So clearly it's important to determine the scale of the problem as quickly as possible, as this will influence the nature of your response.
After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected. Be sure to isolate systems in a coordinated manner and use out-of-band communication methods like phone calls or other means to avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken.

In some instances, organisations have used personal email accounts or instant messaging services like WhatsApp to communicate if they fear corporate communications systems may be monitored by the attackers. Obviously, response teams should be careful to ensure that the out-of-band communications they receive genuinely come from colleagues and are not themselves malicious.
Not doing so could cause actors to move laterally to preserve their access — already a common tactic — or deploy ransomware widely prior to networks being taken offline.

But what if you cannot temporarily shut down your network or disconnect affected computers from the network? In that case, the response guide offers the following advice:
2. Only in the event you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection.

However, it should be noted that if you do this you may lose volatile evidence about the attack (such as the contents of memory) which would be useful to the authorities. Law enforcement agencies, as well as CISA and MS-ISAC, may be interested in gathering a wide variety of other information that could be useful in their investigation. This includes, but is not limited to, the following:
- Recovered executable file
- Copies of any readme file (this should not be removed as it often assists decryption)
- Live memory (RAM) capture from systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
- Images of infected systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
- Malware samples
- Names of any other malware identified on systems
- Encrypted file samples
- Log files (Windows Event Logs from compromised systems, Firewall logs, etc.)
- Any PowerShell scripts found having executed on the systems
- Any user accounts created in Active Directory or machines added to the network during the exploitation
- Email addresses used by the attackers and any associated phishing emails
- A copy of the ransom note itself
- Ransom amount and whether or not the ransom was paid
- Bitcoin wallets used by the attackers
- Bitcoin wallets used to pay the ransom (if applicable)
- Copies of any communications with attackers
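As an added example (not code from the MS-ISAC guide or from this post), the PowerShell script below gathers a first pass of several items on the list above from a single Windows host before it is powered down: the Windows Event Logs, the text of PowerShell scripts that executed (from script block logging), user and computer accounts created in Active Directory during the suspected window, and copies of any ransom notes, with everything hashed at the end. The destination path, the look-back period, the event log channels and the ransom-note file name patterns are assumptions to adjust for your environment. It does not capture live memory; that needs a dedicated acquisition tool and must happen before any power-off.

```powershell
# Added example, not part of the MS-ISAC guide: collect some of the artifacts the guide
# lists from one Windows host into a timestamped folder, then hash everything collected.
# Assumptions: $Destination is removable or network storage the ransomware could not reach,
# and $Since approximates when the intrusion began.
[CmdletBinding()]
param(
    [string]   $Destination = 'E:\ir-evidence',          # assumed evidence drive
    [datetime] $Since       = (Get-Date).AddDays(-14)    # assumed start of the intrusion
)

$computer = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$out      = Join-Path $Destination "$computer-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Windows Event Logs: export the raw .evtx so original timestamps and metadata survive.
$channels = @(
    'Security', 'System', 'Application',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',   # RDP session activity
    'Microsoft-Windows-Sysmon/Operational'                                  # only if Sysmon is installed
)
foreach ($channel in $channels) {
    $file = Join-Path $out (($channel -replace '[\\/]', '_') + '.evtx')
    wevtutil epl $channel $file 2>$null
}

# PowerShell scripts that executed: script block logging (event 4104) records the script text.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ Name = 'ScriptBlockText'; Expression = { $_.Properties[2].Value } } |
    Export-Clixml -Path (Join-Path $out 'scriptblocks.xml')

# Accounts and machines added to the domain in the window (needs the RSAT ActiveDirectory module).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADUser -Filter * -Properties whenCreated |
        Where-Object { $_.whenCreated -ge $Since } |
        Select-Object SamAccountName, whenCreated |
        Export-Csv -Path (Join-Path $out 'new-ad-users.csv') -NoTypeInformation
    Get-ADComputer -Filter * -Properties whenCreated |
        Where-Object { $_.whenCreated -ge $Since } |
        Select-Object Name, whenCreated |
        Export-Csv -Path (Join-Path $out 'new-ad-computers.csv') -NoTypeInformation
}

# Ransom notes: copy them, never move or delete them (the guide notes they often assist decryption).
# The name patterns are an assumption; adjust them to what is actually present on the host.
$noteDir = Join-Path $out 'ransom-notes'
New-Item -ItemType Directory -Path $noteDir -Force | Out-Null
Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -File -Include '*README*', '*DECRYPT*', '*RECOVER*' -ErrorAction SilentlyContinue |
    Select-Object -First 25 |
    ForEach-Object {
        # keep the original path in the copied file name so it can be traced back
        $safeName = ($_.FullName -replace '[:\\]', '_')
        Copy-Item -LiteralPath $_.FullName -Destination (Join-Path $noteDir $safeName)
    }

# Hash everything collected so its integrity can be demonstrated when it is handed over.
$collected = Get-ChildItem -Path $out -Recurse -File
$collected |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $out 'SHA256SUMS.csv') -NoTypeInformation

Write-Host "Evidence written to $out"
```

Run it from an elevated PowerShell session on the affected host (the AD queries need a domain-joined machine with RSAT); the SHA256SUMS.csv written last lets the receiving agency confirm nothing changed in transit.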
3. Triage impacted systems for restoration and recovery. Identify and prioritize critical systems for restoration, and confirm the nature of data housed on impacted systems.

- Prioritize restoration and recovery based on a predefined critical asset list that includes information systems critical for health and safety, revenue generation, or other critical services, as well as systems they depend on. Keep track of systems and devices that are not perceived to be impacted so they can be deprioritized for restoration and recovery. This enables your organization to get back to business in a more efficient manner.

These first three steps are presented in order, but there is additional work that can take place in parallel.
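As an added example (not code from the MS-ISAC guide or from this post), the PowerShell function below turns a predefined critical asset list into a restoration order the way step 3 describes: impacted assets are rebuilt only after the impacted systems they depend on, the most critical tier goes first among those that are ready, and assets that were not hit are listed separately so they are deliberately deprioritised rather than forgotten. The asset inventory and the list of impacted hosts are constructed sample data, and the Get-RestorationPlan name is this example's own.

```powershell
# Added example, not part of the MS-ISAC guide: restoration ordering from a critical asset list.
# The inventory and impacted hosts below are constructed sample data; a real run would load
# them from the organisation's asset register.
$assets = @(
    @{ Name = 'DC01';     Tier = 1; Service = 'Identity (AD)';       DependsOn = @() }
    @{ Name = 'EHR-DB';   Tier = 1; Service = 'Patient records';     DependsOn = @('DC01') }
    @{ Name = 'EHR-WEB';  Tier = 1; Service = 'Patient records';     DependsOn = @('EHR-DB', 'DC01') }
    @{ Name = 'BILLING';  Tier = 2; Service = 'Revenue';             DependsOn = @('DC01', 'EHR-DB') }
    @{ Name = 'FS01';     Tier = 2; Service = 'Departmental shares'; DependsOn = @('DC01') }
    @{ Name = 'INTRANET'; Tier = 3; Service = 'Internal wiki';       DependsOn = @('DC01') }
)
$impacted = @('DC01', 'EHR-WEB', 'BILLING', 'INTRANET')   # what the isolation work in step 1 found

function Get-RestorationPlan {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Assets,
        [Parameter(Mandatory)] [string[]]    $Impacted
    )
    $byName = @{}
    foreach ($a in $Assets) { $byName[$a.Name] = $a }
    foreach ($n in $Impacted) {
        if (-not $byName.ContainsKey($n)) { throw "Impacted host '$n' is not in the asset list; add it before planning." }
    }

    # Each impacted asset with the impacted dependencies it is still waiting on.
    # Dependencies that were not hit are already available and need no rebuild.
    $pending = @{}
    foreach ($n in $Impacted) {
        $pending[$n] = @($byName[$n].DependsOn | Where-Object { $Impacted -contains $_ })
    }

    # Kahn-style ordering: among assets whose dependencies are restored, the lowest tier number goes first.
    $plan = @()
    while ($pending.Count -gt 0) {
        $ready = @($pending.Keys | Where-Object { $pending[$_].Count -eq 0 } |
                  Sort-Object { $byName[$_].Tier }, { $_ })
        if ($ready.Count -eq 0) { throw "Dependency cycle among: $($pending.Keys -join ', ')" }
        $next = $ready[0]
        $plan += [pscustomobject]@{
            Order   = $plan.Count + 1
            Asset   = $next
            Tier    = $byName[$next].Tier
            Service = $byName[$next].Service
        }
        $pending.Remove($next)
        foreach ($k in @($pending.Keys)) {
            $pending[$k] = @($pending[$k] | Where-Object { $_ -ne $next })
        }
    }

    # Assets confirmed clean are recorded so they are consciously deprioritised, not lost track of.
    $notImpacted = @($Assets | Where-Object { $Impacted -notcontains $_.Name } | ForEach-Object { $_.Name })
    [pscustomobject]@{ RestoreOrder = $plan; NotImpacted = $notImpacted }
}

$result = Get-RestorationPlan -Assets $assets -Impacted $impacted
$result.RestoreOrder | Format-Table -AutoSize
"Not impacted (deprioritised): $($result.NotImpacted -join ', ')"
```

With the sample data the plan rebuilds DC01 first, because everything else depends on it, then EHR-WEB, BILLING and INTRANET in tier order, and reports EHR-DB and FS01 as not impacted; the cycle check matters because a circular dependency in a hand-maintained asset list would otherwise loop forever.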
4. Confer with your team to develop and document an initial understanding of what has occurred based on initial analysis.

This clearly is a document that will grow over time as more information is found out about the ransomware, and which systems have been attacked and which have not.
5. Engage internal and external teams and stakeholders with an understanding of what they can provide to help you mitigate, respond to, and recover from the incident.

The guide provides contact information for CISA, MS-ISAC, as well as the FBI and US Secret Service.
Share the information you have at your disposal to receive the most timely and relevant assistance. Keep management and senior leaders informed via regular updates as the situation develops. Relevant stakeholders may include your IT department, managed security service providers, cyber insurance company, and departmental or elected leaders.

The guide also references the "Public Power Cyber Incident Response Playbook", which, although targeted at power utilities, contains advice that would be appropriate for any organisation needing step-by-step guidance on how to engage teams and co-ordinate messaging to customers and the public. Ideally you do not wait until you are suffering a ransomware attack to read guidance like this, but build a set of your own in advance that is specific to your organisation. There are many more steps detailed, and good advice offered, in the full MS-ISAC Ransomware Guide, and I would strongly recommend it to anyone responsible for securing an organisation against an attack.