This article is part of a series that aims to educate cyber security professionals on the lessons learned by breach victims. Each lesson will include simple recommendations, many of which do not require organizations to purchase any solutions.
Our previous Hindsights have focussed on the prevention side of learning from other victims. This article aims to assist with what do to if you are the unlucky victim of a breach. It focuses on how to minimize damage and maximize learning from your own experiences. Although I focus on ransomware, many of the recommendations apply to other types of breach, such as coinminer infestations and industrial espionage.
Have a plan
An Incident Response (IR) plan is a great way to map out the actions you need to take in the event of a breach. How serious is the incident? Where are the critical systems and how to isolate them? How to communicate and with whom? Who to contact and which actions to take? What about the backups? Keep your IR plan simple and high level so it’s easy to follow in a highly-pressured breach situation, and focus on trusting the team to think on their feet. The SANS Incident Handler’s Handbook has a great section on preparation, as does Sophos’s own Incident Response Guide.
Get help first
Before you even start to reimage machines or negotiate a ransom, own the problem and seek help. Incident Response (IR) requires a specialised skill set, and most organizations don’t retain incident responders on staff for an event they hope will never happen.
Plan ahead and have the contact details of a couple of IR companies at hand. I say a couple because the IR industry can reach capacity very quickly if there are frequent or large-scale attacks. If the attack is against servers and endpoints, such as a ransomware incident, I suggest you first contact your endpoint security vendor if they provide an IR service. They will likely have telemetry from your environment, and access to pre-installed tools like EDR/XDR which enables them to remediate rapidly. You may feel that the vendor has let you down but, in reality, the vast majority of breaches are due to lapses by people or process and not the technology.
Other help to consider:
Engage local law enforcement: a crime has probably been committed and they may have resources that can help
Contact your cyber security insurance provider, if you have one, and put them ‘on notice’ of the incident
If you work with a technology provider or systems integrator, they may be able to provide ‘boots-on-ground’ assistance with recovery, such as restoring backups
Isolate and contain
There are no hard-and-fast recommendations here other than to isolate and contain as best you can. This can include switching off the power, disconnecting the internet and pulling network cables out, using software-based isolation, applying deny-all firewall rules, and shutting down critical systems. If you still have a functional domain controller, try and keep it that way by shutting it down and/or disconnecting it from the network. If you have backups be sure they are isolated and off the network. Any passwords you suspect may be compromised should be changed and the accounts reset.
Incident Response services are largely delivered over the internet, so seek their guidance on bringing systems and connectivity back online. By the time you see evidence of ransomware the attack is usually in its final stages, however it is important to extricate the threat actors before restoration work begins, lest they strike again.
Don’t pay the ransom
While it can look like the easy way out, paying the ransom further enables and emboldens criminals. Long gone are the days when the ransom was $500 to unlock a machine: the Sophos State of Ransomware Report 2021 reveals the average ransom paid last year by mid-sized organizations was US$170,404. Threat actors search for your critical data, often exfiltrate it to the dark web for sale, delete your backups and then encrypt your data. What they neglect to say when issuing their ransom demand is that you are very unlikely to get all your data back, in fact our survey revealed that only 65% of the encrypted data was restored after the ransom was paid leaving over a third inaccessible.
Ransomware, like any software, has bugs and vulnerabilities, and the human operators behind it can have bad days too. While occasionally this can play to your advantage, in the main it further compounds the challenge of decrypting data. What’s more, ransomware gangs can disappear overnight, only to reappear with a new branding if things go bad for them while leaving you without access to a decryption key.
Bear in mind that the legality of making ransom payments varies around the world. You would be wise to remain up-to-date on any limitations or restrictions in the country (or countries) in which your organization operates.
Too often, we see breach victims rush to restore services as quickly as possible and in the process lose a lot of the information that would help determine the root cause and understand the extent of the breach. A great example is a ransom note. Even if you have no intention of paying or contacting the adversary, the note itself is forensically interesting. The note can tell an Incident Response team who they are up against, and the common tactics used by that group. It might even reveal a whole new strain of ransomware and the tactics, techniques and procedures used (TTPs) by the adversary group.
Recently I saw the Lockfile note for the first time and observed how it mimicked Lockbit 2.0 but used a much more aggressive deployment strategy. This meant that we could apply valuable learnings from our Lockbit 2.0 experiences to every subsequent Lockfile attack, especially around early identification of indicators of breach (IoB). Keep the ransom note – they are usually simple text or HTML documents that can be stored elsewhere easily.
Another interesting item to retain for analysis is often the ransomware or malware sample itself. The industry standard is for these to be added to an archive file with the password ‘virus’ or ‘infected’ and stored somewhere safe. The password-protected .zip can usually be safely passed to analysts if needed. Malware can be reversed to discover its modus operandi, which helps responders and investigators narrow down where to look for damage.
If possible, retain system and virtual machine images as well. For extra brownie points, all forensic evidence should be stored using encryption and the SHA256 recorded at the time of collection just in case it needs to be used in court and you need to prove it has not been tampered with. Although rare, this may be required if insurance claims end up in court or you need to prove to a government body that you have not breached disclosure laws.
Attribution and retribution
In many cases, there are in fact several groups behind a ransomware attack. Group one might gain the initial access. They sell the access to group two. Group two uses the Ransomware-as-a-Service from group three to carry out the attack. The different groups, and group members, are often spread across many countries. Attributing the breach to any single group is difficult and won’t help much during the chaos after a breach. Usually information from the ransom note and commonalities in tactics, techniques, and procedures (TTPs) will enable an experienced Incident Response team to know what and who they are up against very quickly.
Attempting retribution, known as a “Hack Back”, is strongly discouraged. It is probably illegal to start with and may just make the situation worse.
The role of cyber insurance
If you experience a cyber incident that is covered by cyber insurance, a cyber claims adjuster from the insurance company will first direct the hiring of an outside legal counsel to organize both internal and external resources and coordinate activities through the resolution of the incident. For a ransomware attack, these service activities typically include:
Establish roles and responsibilities, identify scale of impact, establish communication preference
Investigate and analyze active threat, stop damage, identify Indicators of Compromise (IoC)
If needed, appoint a specialist to advise on the handling and negotiation of the ransom demand
If needed, appoint a specialist to advise on the nature of data access, exfiltration, and recovery. Identify the lowest cost way to restore the data (ransom payment, decryption, backups etc.)
Deploy preventative actions, remove attacker access, establish incident timeline
Compile a final report, indicating status of environment, root cause analysis, nature of attack, and identified threat actor tactics, techniques and procedures.
While most insurance companies have a “provider panel” of product/service providers for each of the aforementioned activities, when sourcing an insurance policy it’s worth discussing upfront which activities and the corresponding providers will be covered if you experience a major cyber attack. Most cyber insurance policies will support the use of pre-existing providers but it’s best to ensure compatibility up front. Swapping out protection agents during an incident creates both additional work and security risk – often the existing solution is preventing the attack from escalating and should not be removed.
Communicating is hampered by a breach. Your email systems may be offline, electronic copies of your insurance policy and IR plan encrypted, and the threat actor might be monitoring your conversations. Be prepared for this, and have an alternate communication method, such as an Instant Messaging application, so you can communicate on a separate channel with your team and everyone else involved. Insurance details, IR plan and IR firm contacts should be kept in a physical form.
Tabletop exercises are a great way to practice for a data breach or ransomware event. To add realism, conduct it at 2am on a long weekend and prevent use of the corporate email system!
The articles below explain what to expect when you are hit with some of the more common families of ransomware. They are a great learning tool, without having to experience the pain firsthand.