In the Trenches: Lessons Learned from Ransomware Attacks

By Ashish Shah, Enterprise Architect

With each passing year, more and more clients ask Dasher for assistance responding to Ransomware attacks. In this series of blog posts, I’ll be sharing with you the lessons we have learned as we help clients to respond to the initial attack and to prevent future breeches. Dasher combines top-notch Incident Response (IR) teams from our partners (like Cylance and Mandiant) with Dasher professional services (thus adding “boots on the ground”).

Chapter 1: Tough Decisions

The current blog post will provide some perspectives to consider when tough decisions need to be made just after the attack has been identified and during recovery efforts. But while writing this post, I realized it may be beneficial to write a follow up post that will go over the anatomy and inner workings of Ransomware. It will also go over Dasher recommended best practices around Proactive Incident Response, Disaster Recovery planning and Business Continuity. Our hope is that these plans will help our clients to be better prepared and guard against ransomware attacks. So let’s dive in…

What Should I Do First when Attacked by Ransomware?

Even when an organization trains its employees to guard against social engineering, disables macros, configures ad-blockers, and takes an array of other steps to protect its data, it only takes one misstep for threat actors to hold data hostage. Outlined below are some of the most important first steps to take when you suspect a ransomware attack. The order and priority might vary slightly depending on the size and complexity of your network, so we recommend reviewing these steps with your IR and business continuity (BC) plans. It will take some time to iron out what order makes the most sense for your company, but a few hours of preparation now can save days of downtime later.

DO NOT POWER OFF INFECTED MACHINES! Leaving the machines running can preserve vital data for later forensic investigation.
DO ISOLATE INFECTED MACHINES. Infected machines can be isolated by disconnecting them from the network – either by unplugging network cables or by disabling ports on network switches
DO NOT DELETE ENCRYPTED FILES! You may need them for data recovery.
DO NOT BEGIN RESTORING DATA FROM BACKUP until the full scope of the incident is known and a remediation plan has been created with your IR team.
Secure your perimeter
Isolate backups
Close RDP ports and any other open external access
If an infected machine is non-critical, can easily be recovered from backups, and will not be used for forensic investigation; those systems may be powered down. The IR team can help determine which systems can be powered down. Identifying in advance which systems are critical will help speed this decision-making process. (We will cover this in more detail later in this blog series.)
Change administrative credentials
Change user credentials
Collect evidence of ransomware
Evaluate and plan your restore strategy via available backups

What Are the Tough Decisions I Will Be Faced With?

Is there a Chance the Ransom Will Need to Be Paid?

This blog will not delve into the ethics of paying the ransom nor provide a recommendation on whether a company should pay it. This option comes with some harsh realities. If backups are unavailable or have become encrypted, the organization might decide that losing that data will be more costly than paying the ransom and may even force the business to close.

At Dasher, our stance has been molded by listening to how our clients think and act during a crippling ransomware attack. Organizations might consider paying the ransom because the alternative is going out of business. It really is that simple. If backups are available, they are restored. If backups are not available or have become encrypted, the organization must decide if the recovery of their data is critical to their business. On occasion, there is a middle ground where the business value of the encrypted data is less than the cost of paying the ransom and the company can return to production without having to recover the data.

Although a last resort, it is widely understood that if data loss is not an option, then negotiating for and paying a ransom is a necessary option to investigate. In that scenario, a common mistake is waiting to engage with the hacker. Contact should be made quickly after the attack, so multiple remediation efforts can be pursued simultaneously. Searching for viable backups while establishing contact and negotiating with the hacker means you will be exploring all options in parallel. If working backups are uncovered down the line, then communications with the hacker can be dropped.

If you wait to make contact, what seems like a worst-case scenario can become even worse. The hacker may have abandoned his email, or you may be more desperate than you initially expected. If you do need to contact the hacker, we recommend that you don’t contact them yourselves. When your business is held hostage and emotions are running high, you are at a disadvantage during the negotiations. Dasher can recommend companies that specialize in this phase of the ransomware remediation process. Their trained professionals can handle those negotiations on your behalf.

Determining which Ransomware Has My Company Been Hit With

There are several free resources available that can assist in the identification of the ransomware which attacked you. There are also several bad resources that will take advantage of your situation. Before contacting an outside resource, it is important that you know your rights as a victim of ransomware.

Resources to leverage:

NomoreRansomware.org and ID Ransomware are great resources that help identify ransomware. To use these resources be prepared with a copy of the ransom notice and a sample encrypted file. The sample encrypted file should be free of confidential information (especially information covered by regulations like PCI or HIPAA). Don’t unintentionally turn a ransomware attack into a data breach as well! You may also submit your information to Dasher for a free, real time assessment that Dasher can offer through our partner ecosystem.

Be wary of dozens of dishonest data recovery firms that tell you they can decrypt variants of ransomware that cannot be decrypted. Some have been exposed through sting operations, while others are under investigation by law enforcement for their business practices. If Nomoreransomware.org or ID Ransomware report that the type of ransomware you have is not decryptable with a free tool, you should believe them. Finally, you should NOT send the ransom note or email address of the hacker to any firm that you have not signed a legal agreement with. Some data recovery firms will email the hacker without your consent, which can cause confusion and problems down the line.

Use the Ransomware Identification to Inform Your Strategy

At any given time, there are dozens of ransomware variations in circulation. Ransomware variants have unique attributes that inform how the decryption process works. The cyber criminals that distribute ransomware also have their own unique attributes on how they target companies, how they negotiate (or don’t), how technologically astute they are, and most importantly how economically rational they are. When combined with the desperation of a victim company, the permutations of these ransomware variants and hacker attributes are dizzying. However, when you understand attributes of your ransomware and have identified the urgency of your situation, then a strategy begins to unfold.

For example, if your company has no backups, a high budget and high urgency after being attacked by Matrix Ransomware, the decision to pay the ransom might be relatively straightforward given the high likelihood of recovering data. Conversely, a company with low urgency, minimal budget that was attacked by Ryuk Ransomware, would likely opt not to engage with the hackers or bother paying (given historically high cost and low data recovery rate).

What Happens when I Want to Pay the Ransom and Receive the Decryption Keys?

If you decide to pay the ransom, we do not recommend undertaking this action on your own. In an emergency, interacting with cyber criminals and fumbling with crypto currency is not a good idea. Cyber criminals can use the urgency of the situation to take further advantage of their victims. Working with an incident response firm can save time and money.

Procuring bitcoin in a hurry is extremely difficult. Most bitcoin exchanges take days or weeks to approve new accounts. Funding a new account can take time as well, as traditional banks can cause friction during the funding process. Additionally, most bitcoin exchanges take measures to prevent users from paying ransomware from their accounts. These measures include withdrawal speed bumps (you can buy, but can’t transfer), and blocking known hacker wallets. Meanwhile business downtime continues to accrue.

Some Concluding Thoughts…

It is impossible to stop every attack, but there are steps organizations can take to decrease the chances of being infected with crypto-ransomware.

Inquire about the Incident Response retainer programs available with Dasher Technologies and our partners. These retainers can be leveraged for more than just IR and forensics. But also, for Ransomware negotiations and payment of money. Similarly, it may also be worth bringing in extra sets of hands from a local managed service provider (like Dasher) that has expertise in both security and data storage recovery. Business downtime is a business killer and the incremental expense of this professional help will be a fraction of the downtime cost it will save.

Please reach out to me or one of my Dasher Engineering colleagues to help your company put together an IR plan in conjunction with your Disaster Recovery and Business Continuity plans. As they say, it’s not a matter of IF, but WHEN an organization will be targeted by hackers.

If you have further questions about responding to Ransomware attacks or about security in general, please contact Dasher Technologies at [email protected].