Fighting Ransomware Before, During and After an Attack
November 9, 2021
At US Signal, we’ve had many customers reporting ransomware. Not surprisingly, no two attacks are alike. As such, there’s no single one-size-fits-all approach to fighting the problem. However, we can break ransomware attacks into “before,” “during” and “after” stages to help identify some of the tactics to take to mitigate data loss and downtime.
Early awareness
Sometimes, the best way to fight ransomware is before it does any damage. For example, we had a customer that was notified by the FBI that a malicious entity was targeting it. This is often known as the recon phase.
Malicious entities find a way into an organization and begin collecting data. They only want to take advantage of organizations that are likely to pay. Like other businesses, they’re not interested in wasting resources for little or no profit. This leads to the first point that needs to be made. Ransomware targets those who are likely to pay.
The customer, with the help of the FBI and a cyber insurance company, began hardening its defenses strategically and slowly enough so as not to raise the attention of the malicious entity. If the entity knew it had been detected, it would detonate the ransomware that was likely already in place. This brings us to the second crucial point. It’s becoming common to see ransomware being placed but not detonated as a strategic move by the malicious entity.
It’s an attempt to outlive a company’s recovery software’s retention and/or compromise recovery points to ensure recovery isn’t possible. It also increases the likelihood that the customer will have to pay. To date, the ransomware in this case hasn’t been detonated or was effectively hardened against, so there was no compromised data or downtime for the customer.
Detonation and post-detonation phase
Another US Signal customer had quickly become aware that ransomware had been detonated or made active within its environment. The ransomware was spreading via compromised network accounts. The customer followed best practices and moved to quarantine the infected machines by removing network visibility/connectivity. Ultimately, it disabled networking to its servers and workstations to stop the spread of the ransomware while planning its recovery options.
Here’s a third crucial point to note. Just because an endpoint/node in an environment doesn’t show the symptoms of being encrypted doesn’t mean it isn’t a vector through which the ransomware passes. Luckily, the customer had management items and networking equipment on a diverse subnet and didn’t have to turn down networking entirely.
This enabled the company to perform restores via its backup platform to a unique network segment and partially restore business critical operations. At that point, it was a matter of reviewing restores to find a recovery point in time prior to the ransomware existing on each server — a lengthy process. Never begin the recovery process in the same source environment until you’re sure the ransomware threat has been mitigated. Otherwise, reinfection is likely.
Post-detonation and cleanup
In yet another case, a customer’s entire environment had been encrypted by ransomware, and there was no time to stop the spread. Its backups had been compromised as well. The only option was to pay the ransom to get back to some form of a workable state.
But paying the ransom didn’t solve the issue. Like many companies, this one didn’t have 200% of its resources available to restore its decrypted machines alongside the encrypted ones. It didn’t even have the resources to unpack a machine or two at a time and remove the original encrypted source.
US Signal was able to assist the customer by physically driving hardware to the customer site to augment its existing virtual environment. We gave the customer the resources needed to unpack the decrypted machines alongside the encrypted source machines so it could run in this state until the original encrypted machines could be removed after a return to business as usual.
This leads us to one more important point. For many different reasons, you may determine the ransom should be paid. But be sure you understand how the encryption and decryption mechanisms will work once recovery begins, and recognize the potential operational and sanctions-related risks of paying out a ransom.
Sandbox detonation
One of the recommendations we make to our customers is to detonate popular types of ransomware in a sandbox environment. This helps you be aware of what attacks look like. There is some great free tooling we use called “any.run.” It lets you run many of the well-known types of malicious software in an internet browser sandbox VM and review the attack vectors.
Endpoint Detection and Response
Another recommendation to mitigate potential damage from ransomware early on is to implement endpoint protection. There are various options. Among them:
- Antivirus solutions. These solutions are installed on endpoint devices inside and outside an organization’s firewall. They typically employ a signature-based system of threat detection, matching any files identified as threats with a database of malicious files. This works well for identifying and stopping known malware and viruses like Trojans and worms. With some antivirus solutions, the software can automatically block, quarantine, or remove malware found on an endpoint. Otherwise, it will issue an alert notifying the user that malware has been found so action can be taken to resolve the threat.
- Endpoint Protection Platform (EPP) solutions focus solely on prevention at the perimeter. They deliver antivirus, anti-spyware, personal firewall, application control and other styles of host intrusion prevention capabilities into a single, cohesive solution. They also offer data protection capabilities like disk and file encryption, data loss prevention, and even device control to provide comprehensive endpoint protection. In addition, some integrate vulnerability, patch, and configuration management capabilities, to deliver more proactive protection.
- Endpoint detection and response (EDR) solutions are considered the successors to EPP and antivirus solutions. They continuously collect and analyze data from all endpoints to provide visibility across these devices. They employ behavioral analysis to detect malicious attacks in progress, and then remediate or isolate the attack to prevent lateral movement across an organization’s IT environment.
Unlike EPP solutions that focus on prevention at the perimeter, EDR solutions also deal with malicious attacks that have evaded frontline defenses. In addition, they check for threats round the clock, offering more comprehensive security against breaches than antivirus solutions that run only scheduled checks. Many EDR solutions also incorporate machine learning technologies to identify the most current threats, something the signature-based systems used by antivirus solutions can’t do.
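As an added illustration (not US Signal's code or any product's), the following Python contrasts the two detection approaches described above: a hash-signature lookup that a one-byte change in the file defeats, and a behavioral rule that flags a process rewriting many files with high-entropy content in a short window, the pattern of encryption in progress. The signature database, file-write telemetry and thresholds are constructed for the example.

```python
import hashlib
import math
from collections import defaultdict
# Constructed signature database: SHA-256 of a file already identified as malicious.
KNOWN_BAD_HASHES = {hashlib.sha256(b"KNOWN-BAD-SAMPLE (constructed)").hexdigest()}

def signature_match(content: bytes) -> bool:
    """Signature-based check (antivirus style): exact hash lookup in the database."""
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD_HASHES

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted output sits close to 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def behavioral_alert(events, window_s=10, min_files=5, min_entropy=7.0):
    """Behavioral check (EDR style): flag any process that rewrites at least
    min_files files with near-random content inside window_s seconds."""
    high_entropy_writes = defaultdict(list)
    for ev in events:
        if ev["op"] == "write" and entropy(ev["data"]) >= min_entropy:
            high_entropy_writes[ev["pid"]].append(ev["t"])
    flagged = []
    for pid, times in high_entropy_writes.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window_s) >= min_files:
                flagged.append(pid)
                break
    return flagged

def _ciphertext_like(seed: int, blocks: int = 128) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file contents (constructed)."""
    return b"".join(hashlib.sha256(bytes([seed, k])).digest() for k in range(blocks))

# Constructed file-write telemetry: pid 4242 overwrites six documents with
# ciphertext-like data within six seconds; pid 1337 writes ordinary text reports.
SAMPLE_EVENTS = [
    {"t": 100 + i, "pid": 4242, "op": "write", "path": f"/share/doc{i}.docx", "data": _ciphertext_like(i)}
    for i in range(6)
] + [
    {"t": 100 + i, "pid": 1337, "op": "write", "path": f"/share/report{i}.txt", "data": b"Quarterly report, all figures in USD. " * 100}
    for i in range(6)
]
```

Running `behavioral_alert(SAMPLE_EVENTS)` returns only pid 4242, while `signature_match` misses the sample as soon as a single byte is appended.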
Learn more
Of course, there are many other tactics that can help mitigate ransomware and its effects. What you choose to use will depend on many factors. The important thing is to not wait until ransomware strikes. Be ready — before, during and after any ransomware attack.
For more information on dealing with ransomware, download 10 TIPS TO COMBAT RANSOMWARE.
Or talk to a US Signal solution architect. Contact us today to get started.