Demystify Cyber Project

Articles by the cybersecurity community

Showing posts with label ransomware. Show all posts
Showing posts with label ransomware. Show all posts

#Ransomware - Brief guide to response

Following on from my short article on protecting yourself from ransomware, this post is a very brief overview of points to consider when formulating a response plan to a ransomware incident.

In ransomware events, prompt containment is critical and staying calm and following the pre-agreed steps your business has is essential. Communication should be done in parallel to response, and must be timely, relevant, and to the appropriate stakeholders. Different personnel and teams would be actioning these steps and sometimes in parallel. It is important for businesses to have an agreed plan of action in the event of a ransomware incident. it is also important to stay calm. 

In the words of the late Douglas Adams 'Don't Panic'.

image of a hand held computing device with the words 'don't panic' on it
From Hitch Hiker's Guide to the Galaxy - image owner unknown

Ransomware event actions

Notice in the below that communcation is at every step? This is very important. During a ransomware event there will be many stakeholders, (both internal and external) impacted, and various personnel and teams involved in responding to the incident. Despite the best intentions to stay calm, there will be panic, and there will be pressure from various areas to fix this, find answers and get things back to normal. It is important that communication is clear, calm and provided to the relevant people in a timely manner.

1. Stay Calm, isolate the compromised assets - communicate

Your goal here is to obtain as many details as possible, quickly, isolate the compromised machine/s, and then create a Sit-Rep to communicate to the relevant parties. Try to get a photo fo the ransome screen it may be useful later! Turning the compromised assets off helps prevent infection of other machines and communciation to the C2. (the command and control computer that gives the malware instructions). Ensure relevant network personal are notified and provided with concise instructions.

2. Investigate/ Analyse – communicate

What is the scope of this incident? – All machines? The entire network? One team? One person/ one computer? When was this first noticed? What is the malware and how did it infect the assets? What was the vector?

3. Contain and Eradicate -communicate

Make sure relevant people are informed, do you need to notify your businesses' media team? Will you be making a police report? Cyber security teams may need to access the compromised assets to analyse further, infrastructure areas may need to locate their backups (hopefully they have them!) and ensure the back up is clean. The network and any compromised assets neet to be throughly cleansed of the malware, to ensure it isn't sitting there waiting to return. Check for exploitable vulnerabiblties and ensure everything is patched, have passowrds been changed,  was their any data exfiltrated?Any impacted users need to be kept in communicated with in a timely fashion and given the approrpiate level of detail for their needs.

4. Restore - communicate 

Once the relevant teams are satisfied that any restore points/offline backups are clean and that the compromised assets are also now clean, restoration needs to be done as quickly as possible to restore services. Communciation is again essential with all relevant stakeholders.


5. Lessons learned - communicate

Every cyber security incident, regardless of how well prepared you  are, is going to throw some virtual spanner in the works somewhere. teams can always improve, nobody is perfect. It is important to debrief and apply lessons learned - without laying blame - in a constructive and positive way.

Nobody is safe from cybercrime, ransomware can compromise home computer users as well as the computers of both small and large businesses. Being prepared is key. Also - Don't Panic!
Labels:

#ransomware - protect yourselves

Ransomware is a type of malware that is designed to, in very general terms, deny you access to your computer and files by either locking or encrypting them. The malware includes a pop up screen with instruction on how to pay the ransom to have the files unlocked/decrypted.

There are currently two main types of ransomware, locker and crypto. Locker ransomware aims to lock you out of your computer and its functions, but the malware permits some access so you can interact wth the ransom message. This type of malware does not usually destroy your files, it is aimed mainly to lock you out. Crypto ransomware, however, is used to encrypt your files meaning that while your computer still functions you are unable to open any of your files. Ransomware is evolving, and some cybercrime campaigns of this type now include data exfiltration.

The main mechinsims of ransomware infection tend to be via malicious attachments in emails, drive-by downloads from compromised websites, or through malware in advertising (i.e malvertising).  

While ransomware may be targeted to businesses or organisaitons that criminals believe will or can afford to pay the ransom, individuals and smal businesses can also be impacted by this type of cybercrime.

Prevention

This list is not exhaustive, however it does provide some easy to do ways to help prevent your computer/ files becoming compromised by ransomware, or prove a back up if they do.
  • Ensure you keep up to date offline back ups of your important files and configurations
  • Take care not to open attachments that prompt you to run macros to view 
  • Do not click on  links in unsolicited emails
  • Keep your operating system and software patched
  • Use only official legitimate sources to download software

For ransomware incident response ideas please see the post on this page:  https://demystifycyber.blogspot.com/2021/05/ransomware-brief-guide-to-response.html
Labels:
Subscribe to: Posts (Atom)