Ransomware

Ransomware is a type of malware that locks or encrypts the data on the infected computer. The attackers then notify the infected users to pay a ransom, usually in bitcoin, to unlock the encrypted data.

Types of Ransomware

Ransomware comes in several types, each extorting the ransom from infected users in a different way:

Locker Ransomware – This malware does not target critical files on the computer; it generally locks the computer's basic functions so that it cannot be used normally until the ransom is paid to the attackers. Example: Locky Ransomware, WannaCry Ransomware, Bad Rabbit, Ryuk Ransomware, Jigsaw Ransomware.

Crypto Ransomware – This malware encrypts critical data such as documents, pictures and videos, but does not interfere with the computer's basic functions. Crypto ransomware developers add a notification telling the users to pay the ransom by a given deadline, failing which the encrypted files will be deleted. Because infected users are often unaware of whether backups of the system exist, they tend to pay the ransom to get their files back. Example: Petya Ransomware, GoldenEye Ransomware, GandCrab, B0r0nt0k Ransomware, Dharma Ransomware, etc.

Double Extortion – This malware type demands one payment to decrypt the data and another payment not to leak the stolen data to the public. Example: Maze Ransomware, Sodinokibi attack.

How to respond to and recover from ransomware attacks?

Ransomware attacks are increasing every day, and every organization needs a ransomware incident response plan to prevent such attacks and protect its critical assets. The steps below describe how to respond to and recover from a ransomware attack.

Here is an enterprise ransomware incident response plan, which can include the following steps:

Step 1: Validating the attack – The first step is to validate the reported attack as an incident, correlate it with other events such as phishing and malware incidents, and confirm that it is specifically ransomware. For example, if files appear to be encrypted or locked with an unknown or random extension, proceed to the next step.

Step 2: Gathering the IR team – It is important to gather the incident response team to work on the reported incident and take the necessary actions, such as tracing the infected hosts, IP addresses, subnets, URLs, IOCs, etc., and, if required, sending an immediate notification to the corresponding team and device owners.

Step 3: Incident Analysis – With the gathered information, the analyst needs to determine the scope of the incident by validating the network ranges, connected applications, users and domains involved, and how the infection is spreading in the network.

Step 4: Containment – This is an important step in the process, as it minimizes the damage and stops the malware from spreading. Disconnect the infected systems from the network to stop the infection. Every incident leaves traces of the infection as system artefacts for analysis; document the analysis of these artefacts to check for further spread and to prevent future spread by understanding the ransomware's patterns. In most cases nowadays, ransomware encryption can be stopped before it has completed.
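Steps 1 and 4 both rely on recognising encrypted files early: files that have acquired an unknown or random extension, whose contents are close to random, that appear in a burst within a short time window, and that sit next to a ransom-note style file. The following scanner is an added example written for this post, not code from the author or from any product; it is a heuristic triage tool, not a detection engine. The extension list, the note-name hints, the entropy and burst thresholds, and the sample file set are all constructed assumptions for the demonstration. Note the deliberate caveat built into it: compressed formats (zip, jpg, png, docx) also have near-random contents, so high entropy alone is never treated as evidence; a file only counts when its extension is also unrecognised.

```python
import math
import os
import random
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Extensions considered normal on the host (assumption; tune per environment).
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png",
                    ".mp4", ".zip", ".exe", ".dll", ".py", ".html"}
# Generic name fragments seen in ransom notes (constructed hints, not family IoCs).
NOTE_NAME_HINTS = ("readme", "decrypt", "restore", "how_to", "recover")


@dataclass
class FileRecord:
    path: str
    mtime: float   # modification time, seconds since epoch
    head: bytes    # first bytes of the file; 4 KiB is enough for an entropy estimate


@dataclass
class ScanReport:
    encrypted_candidates: List[str] = field(default_factory=list)
    suspicious_extensions: Dict[str, int] = field(default_factory=dict)
    ransom_notes: List[str] = field(default_factory=list)
    burst_windows: List[int] = field(default_factory=list)  # window indexes with a rename burst

    def is_suspicious(self) -> bool:
        # Require a corroborating signal: candidates alone produce false positives.
        return bool(self.encrypted_candidates) and (bool(self.ransom_notes) or bool(self.burst_windows))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext/compressed data sits near 8.0, plain text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(records: Iterable[FileRecord], entropy_threshold: float = 7.5,
            window_seconds: int = 60, burst_threshold: int = 20) -> ScanReport:
    report = ScanReport()
    ext_counter: Counter = Counter()
    per_window: Counter = Counter()
    for rec in records:
        name = os.path.basename(rec.path).lower()
        ext = os.path.splitext(name)[1]   # "doc.docx.k7x2q" -> ".k7x2q"
        # Ransom notes are small, readable files with a telltale name.
        if any(h in name for h in NOTE_NAME_HINTS) and ext in (".txt", ".html", ".hta", "") \
                and shannon_entropy(rec.head) < 6.0:
            report.ransom_notes.append(rec.path)
            continue
        # Candidate only when BOTH the extension is unknown AND the content is near-random.
        if ext not in KNOWN_EXTENSIONS:
            ext_counter[ext] += 1
            if shannon_entropy(rec.head) >= entropy_threshold:
                report.encrypted_candidates.append(rec.path)
                per_window[int(rec.mtime // window_seconds)] += 1
    # One odd extension on many files is the "random extension" pattern from Step 1.
    report.suspicious_extensions = {e: c for e, c in ext_counter.items() if c >= 2}
    # Many candidates modified inside one window is the in-progress encryption of Step 4.
    report.burst_windows = sorted(w for w, c in per_window.items() if c >= burst_threshold)
    return report


def collect_records(root: str, head_bytes: int = 4096) -> List[FileRecord]:
    """Walk a real directory tree and build FileRecords (read-only; never modifies files)."""
    out: List[FileRecord] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.stat(p)
                with open(p, "rb") as f:
                    out.append(FileRecord(p, st.st_mtime, f.read(head_bytes)))
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
    return out


def sample_records() -> List[FileRecord]:
    """Constructed sample: two normal files, 25 'encrypted' files touched within one minute, one note."""
    rng = random.Random(1)
    base = 1_700_000_000.0
    recs = [FileRecord("/srv/share/budget.xlsx", base - 86400, b"PK\x03\x04" + b"sheet data " * 300),
            FileRecord("/srv/share/notes.txt", base - 3600, b"meeting notes, action items\n" * 100)]
    for i in range(25):
        blob = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for ciphertext
        recs.append(FileRecord(f"/srv/share/doc{i}.docx.k7x2q", base + i, blob))
    recs.append(FileRecord("/srv/share/README_TO_RESTORE.txt", base + 30,
                           b"Your files are encrypted. Contact ...\n"))
    return recs


if __name__ == "__main__":
    import sys
    rep = analyze(collect_records(sys.argv[1]) if len(sys.argv) > 1 else sample_records())
    print("encrypted candidates:", len(rep.encrypted_candidates))
    print("suspicious extensions:", rep.suspicious_extensions)
    print("ransom notes:", rep.ransom_notes)
    print("burst windows:", rep.burst_windows)
    print("VERDICT:", "likely ransomware activity" if rep.is_suspicious() else "no indicator cluster")
```

Run it with a directory argument to scan a share read-only, or without arguments to see the verdict on the constructed sample. In a real investigation the `mtime` burst check is the piece that supports stopping encryption while it is still running: scheduling the scan every minute over the file shares and alerting when `burst_windows` is non-empty gives the containment team a signal before the whole share is encrypted.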

Step 5: Investigation – In this stage, it is crucial to understand the ransomware's patterns to see which techniques were used, and to check whether a publicly available decryption mechanism for the encryption technique used has been released or shared by a security researcher.

Step 6: Eradicate malware and recover – This step involves removing the malware from the infected systems and restoring the data from a backup or restore point, if one exists. Also ensure that all security controls and policies have been updated in light of the latest infection, and reset the users' domain credentials after the ransomware infection has been cleared from the network.

Step 7: Post-incident activities – Affected organizations should validate and verify that the entry points have been addressed and that backup restoration has been applied, and make sure the BCP (Business Continuity Plan) team has implemented the necessary security measures and processes in case of a breach.

Step 8: Learn from the attack – This step involves forensic analysis to understand why the malware infection occurred and the reason behind it. If a phishing attack led a user to click a malicious link, the organization needs to be more diligent about providing security awareness to users and initiate security training. Also, review the security policies and incident response process; if they were not followed as implemented earlier, improve them in light of the recent malware incident.

By Michael

The writer of Infohaunt is a cyber security professional with experience in SOC operations, threat management, incident response, threat hunting and digital forensics.