Ransomware Explained w/ Incident Response Plan
Ransomware
Technology is not inherently good or bad; rather, what matters is the culture we build around innovation and the way people receive and use it. While we continue to put the right regulations on technology built around amassing data, it remains the core path to significant improvements in life. However, it has become trendy to talk about technology as a bad thing because of its side effects. One of those side effects is cybercrime, specifically malware attacks. This article focuses on ransomware, a type of malware that applies encryption to hold a victim’s information for ransom. Ransomware is one of the biggest internet security threats and a type of cyber attack that most organizations face today.
History
The history of ransomware dates to 1989, as detailed by Joseph Popp, an American scholar and scientist. He communicated the existence of the AIDS Trojan, which had a design failure, yet the user was still asked to pay a ransom to obtain a repair tool.
This may have been the first, failed ransomware, but the idea inspired a series of abuses of anonymous cash systems to safely collect ransom from kidnapped victims. In 1992, Solms and Naccache published an article proposing cryptovirus extortion attacks that could aid ransomware. Later, in 1996, Adam L. Young critiqued Popp’s failed AIDS Trojan before introducing a new cryptoviral extortion protocol that uses an asymmetric decryption key which is hard to extract and is only released to the victim after the ransom fee is paid. Since then, there have been multiple cases of extortionate ransomware.
Current News
Ransomware is ever-evolving and has grown in popularity on our PCs; it has also been adapted to target mobile operating systems. Indeed, it made major headlines in the last quarter of 2020 and the start of 2021. Ransomware attacks have always caused concern for government institutions, healthcare providers, businesses, and other organizations, not forgetting their employees and customers, whose data is the major target of this type of cyber-attack.
Media reports indicate that the daily average of ransomware attacks in the last quarter of 2020 alone increased by 50% compared to the previous months (Check Point, 2020). To make matters worse, victims and targeted organizations are more likely to pay ransoms than in previous years. In its Cyberthreat Defense Report, CyberEdge Group noted recent trends indicating that almost 90% of targets paid the ransom fee to their attackers.
Some of the cases include ransomware attacks on 966 U.S. government bodies, healthcare providers, and educational institutions, whose victims parted with $7.5 billion in 2019 alone according to Emsisoft’s 2020 report. Other reports from NinjaRMM (2020-2021) on ransomware resiliency indicate that for over 35% of the organizations surveyed, ransomware incidents resulted in damages of between $1 million and $5 million. That is far too much loss for the organizations, with the potential for major reputational damage on top.
Specific organizations have been hit, and the list keeps growing as the world continues to be ravaged by this malicious software. Recent victims include Habana Labs, Cognizant, United Health Services, Colonial Pipeline, and CWT Global, among others. The most recent news is the Bose ransomware attack in May 2021, which exposed employee data including Social Security Numbers at the US-based company, preceded by the Colonial Pipeline ransomware attack on January 11. Notably, these are cases of ransomware attacks on US soil.
What it Does
There are countless others in other parts of the world. Needless to say, ransomware is unhealthy for business anywhere. While any organization may strive for publicity, making the headlines as the next victim of a ransomware attack is not the kind it wants. There are ways to prevent these attacks, but first one must know the techniques attackers use. As a form of malware, ransomware is designed to encrypt files on a device, rendering the files and the system unusable. The user needs to decrypt the system to regain access, which gives the malicious actors the opportunity to demand a ransom in exchange for the decryption keys. They then threaten to leak or sell the exfiltrated data if the victim fails to pay.
(Figure: sample message from attackers)
These tactics have been adjusted and have evolved. Earlier versions of this type of malware used a variety of tactics to disable computers by locking the victim's machine. The ransomware locked the screen with a message purporting to come from a local law enforcement branch, telling the user something like "You have accessed illicit files and must pay a fine."
Typical Delivery Methods:
- Phishing emails: Most commonly delivered through unsolicited emails with malicious attachments or links. Once clicked, malicious executables are downloaded and run, infecting the system.
- Exploitation: Threat actors exploit vulnerabilities, often using exploit kits, to compromise systems and plant RATs, or let their ransomware exploit the vulnerability automatically.
- Drive-bys: Drive-by downloads are another way to deliver malware. Threat actors compromise websites and embed their ransomware in them so that visitors are infected without their knowledge.
- Removable media: As noted earlier with the AIDS Trojan, removable media is one way ransomware can sneak onto a device. Over the years this method has become more sophisticated, with threat actors using USB devices loaded with malicious software.
After the initial probe succeeds, execution is initiated through PowerShell, scripting, or user execution. Once they get a foothold in the network, they plan lateral movement and deploy their ransomware to as many systems as possible.
Incident Handling
Most companies opt to pay the ransom fee. The Colonial Pipeline case is an example that could have been handled better, because it came barely a few months after the antivirus company Bitdefender announced a free tool to protect against the software. The attackers, identified as DarkSide, unleashed a string of attacks on companies including the Colonial Pipeline Company that threatened to shut down the 5,500-mile pipeline. Colonial could have adopted the decryption tool instead of paying a hefty $4.4 million to its attackers. The attack on Colonial Pipeline, and the resulting confusion at gas stations across the Southeast, appear to have prompted the federal government to step up its security: President Joe Biden signed an executive order aimed at improving cybersecurity and laying out a blueprint for the federal government's response to cyberattacks. Although ransomware crews have frequently split to avoid scrutiny and then re-formed under new names, or their members have launched or joined other gangs, DarkSide indicated it was shutting down due to US pressure.
DarkSide, which debuted in August of the previous year, exemplified this new type of operation. It selected targets based on a thorough financial analysis or data gathered from business emails. One of Tantleff's clients, for example, was targeted during a period when the hackers knew the company would be vulnerable, since it was migrating its files to the cloud and did not have clean backups.
The gang employed advanced methods such as "zero-day exploits," which take advantage of software weaknesses before they can be patched, to access target networks. Once inside, it proceeded quickly, searching not only for vital information but also for other threats.
The following are basic measures for reducing the effects of ransomware attacks:
- Conduct training for your end-users, especially those who click on unsolicited emails or suspicious links that lead to malicious drive-bys. Against drive-bys, also sinkhole malicious domains.
- Improve ransomware protection on endpoints and servers to strengthen the defenses against future ransomware attacks; this includes disabling the Windows Script Host.
- Mitigate exploitation by improving patch management, scanning regularly for vulnerabilities, and deploying automated patching.
- Assess the effects of the ransomware and conduct a complete forensic study of the affected server.
- Enhance monitoring and logging to detect any future threats or similar attacks from the threat actor.
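One concrete form the "enhance monitoring and logging" measure can take is a detection rule that flags ransomware-like mass file modification: one process touching many files in a short window and leaving them all with the same new extension. The block below is an added example written for this article, not code from it or from any product it names; the log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Mass-file-modification detector over a file-activity log.

Added example, not from the original article. The log format is a constructed
assumption: "<ISO-8601 UTC time> <process> <action> <path>", one event per
line, actions WRITE or RENAME, path as it exists after the event. Thresholds
are assumptions to be tuned per environment.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=60)   # assumed look-back window per process
FILE_THRESHOLD = 5               # assumed minimum distinct files in the window
DOMINANT_SHARE = 0.8             # assumed share of files ending in one extension

# Constructed sample: normal editing, a backup job touching mixed file types,
# and a process that rewrites documents into a single new extension.
SAMPLE_LOG = """\
2021-05-10T09:00:01Z soffice WRITE /home/amy/docs/budget.docx
2021-05-10T09:00:05Z soffice WRITE /home/amy/docs/notes.docx
2021-05-10T09:05:00Z backup WRITE /srv/backup/budget.docx
2021-05-10T09:05:01Z backup WRITE /srv/backup/q1.xlsx
2021-05-10T09:05:02Z backup WRITE /srv/backup/plan.pdf
2021-05-10T09:05:03Z backup WRITE /srv/backup/logo.jpg
2021-05-10T09:05:04Z backup WRITE /srv/backup/readme.txt
2021-05-10T09:05:05Z backup WRITE /srv/backup/deck.pptx
2021-05-10T09:20:00Z updater RENAME /home/amy/docs/budget.docx.locked
2021-05-10T09:20:01Z updater RENAME /home/amy/docs/notes.docx.locked
2021-05-10T09:20:02Z updater RENAME /home/amy/docs/q1.xlsx.locked
2021-05-10T09:20:03Z updater RENAME /home/amy/docs/plan.pdf.locked
2021-05-10T09:20:04Z updater RENAME /home/amy/docs/logo.jpg.locked
2021-05-10T09:20:05Z updater WRITE /home/amy/docs/README_RESTORE.txt
2021-05-10T09:20:06Z updater RENAME /home/amy/docs/deck.pptx.locked
"""


def parse_line(line):
    """Parse one constructed-format log line into (time, process, action, path)."""
    ts, proc, action, path = line.split(maxsplit=3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), proc, action, path


def detect_mass_modification(log_text, window=WINDOW,
                             threshold=FILE_THRESHOLD, share=DOMINANT_SHARE):
    """Return one alert per process that touches >= threshold distinct files
    inside `window` where >= `share` of those files end in the same extension.
    A backup job writing many different file types does not trip the rule."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_proc = defaultdict(list)
    for ts, proc, action, path in events:
        if action in ("WRITE", "RENAME"):
            by_proc[proc].append((ts, path))
    alerts = []
    for proc, evs in by_proc.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start
                start += 1
            files = {path for _, path in evs[start:end + 1]}
            if len(files) < threshold:
                continue
            ext, count = Counter(
                os.path.splitext(p)[1].lower() for p in files).most_common(1)[0]
            if count / len(files) >= share:
                alerts.append({"process": proc, "extension": ext,
                               "files": len(files),
                               "first_seen": evs[start][0],
                               "last_seen": evs[end][0]})
                break  # one alert per process is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_modification(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the rule stays quiet for the editor and the backup job and raises a single alert for the process that rewrote five documents to `.locked` within a few seconds. The extension-share check is what keeps bulk but heterogeneous writes (backups, sync clients) from alerting; the thresholds still need tuning against a baseline of normal file activity before the rule goes into a SIEM.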
In the aftermath of a ransomware attack:
- To prevent further malware transmission or data exfiltration attempts, the malicious files utilized during the endpoint attack should be blocked.
- To prevent potential exfiltration, newly identified malicious sites and IPs associated with this threat actor should be blocked on external firewalls.
- Passwords for all end-users and privileged users should be changed.
- Change access keys for all service accounts.
The IR plan is a more sophisticated approach to handling ransomware incidents, as laid out below:
Incidents Handling Life Cycle (NIST Framework)
1. Preparation
In most incident response techniques, preparedness is emphasized—not just in terms of developing an incident response capacity so that the company is prepared to respond to incidents, but also in terms of preventing incidents by ensuring that systems, networks, and applications are properly secured. Even though the incident response team is not usually in charge of incident prevention, prevention is critical to the success of incident response programs. This section offers general guidelines for handling incidents and preventing them.
Preparing to Handle Incidents
Incident handling communications and facilities include:
- Contact information – for all team members within and outside the organization
- On-call information – for other teams within the organization
- Incident reporting mechanisms – e.g. phone numbers, forms, and email addresses that can be used to report suspected incidents
Others include issue tracking systems, a war room, encryption, and a secure storage facility.
Preventing Incidents
It is critical to keep the number of incidents low to protect the organization's business processes. A higher volume of incidents can occur if security controls are weak, overloading the incident response team. This can result in slow and incomplete responses, which can have a significant negative impact on the organization (e.g., more extensive damage and longer periods of service and data unavailability).
Recommended practices for securing networks include risk assessment, host security, network security, malware prevention, and training. Ensure your endpoints receive automatic updates (OSs, AV, and mission-critical software) and are currently backed up. Make sure the workforce knows how to report possible ransomware incidents or unusual network behavior. Ransomware usually arrives through phishing emails, so run phishing email tests and deploy anti-phishing software. Lastly, develop an organization-wide policy regarding ransomware attacks: an IR plan.
2. Detection and Analysis
This phase involves identifying attack vectors, including external/removable media, attrition, web, email, and impersonation. Next, identify the signs of an incident, assess the sources of precursors and indicators, and then analyze the incident. This keeps everyone informed on the incident ahead of documentation, prioritization, and notification.
Signs of an incident
The most difficult component of the incident response process for many businesses is effectively recognizing and assessing potential incidents—determining whether an event has occurred and, if so, what type, extent, and degree of the problem has happened. Three elements combine to make this such a difficult task:
- varying level of details and fidelity
- a high volume of potential incidents
- requirement for extensive experience for analysis of incident-related data
Sources of precursors and Indicators
- IDPS (Intrusion Detection and Prevention System) - IDPS solutions detect suspicious occurrences and log essential information, such as the date and time of detection, the type of attack, the source and destination IP addresses, and the login (if applicable and known). Most IDPS technologies rely on attack signatures to detect malicious activity; signatures must be kept up to date to detect the most recent attacks.
- SIEM (Security Information and Event Management) - SIEM systems are comparable to IDPS, except that they create warnings based on analysis of log data.
- Antivirus and antispam software - Antivirus software detects various types of malware, sends out notifications, and prevents hosts from being infected. If antivirus signatures are kept up to date, current antivirus programs are successful in blocking many types of malware. Anti-spam software detects spam and prevents it from reaching users' inboxes; its notifications may indicate attack attempts, because spam can carry malware, phishing attempts, and other dangerous material.
- File integrity checking software - During an incident, file integrity checking software can detect modifications to crucial files. It generates a cryptographic checksum for each specified file using a hashing method. If the file is changed and the checksum is recalculated, there is a very good chance that the new checksum will differ from the old checksum.
- Third-party monitoring - A range of subscription-based and free monitoring programs are available from third parties. Fraud detection systems, for example, will alert an organization if its IP addresses, domain names, or other identifiers are linked to current incident activity involving other firms.
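The file integrity checking item above describes the mechanism in one sentence: hash every file of interest, store the digests, and re-hash later to spot changes. The block below is an added example written for this article (not code from it or from any integrity-checking product) that implements that baseline-and-compare cycle with SHA-256 and runs it over a constructed directory in which one file is overwritten, one is added and one is removed, the pattern an encryption run leaves behind.

```python
"""File-integrity baseline and comparison using SHA-256.

Added example, not from the original article or any product it mentions.
Builds a per-file digest baseline for a directory tree, then compares a later
scan against it and reports added, removed and modified files. The demo
directory and its contents are constructed inline.
"""
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 16  # hash in 64 KiB pieces so large files never load into memory


def hash_file(path):
    """Return the SHA-256 hex digest of one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under `root` (relative path, '/' separators) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    """Helper for the constructed scenario: write bytes to root/rel."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: take a baseline, then apply changes that look like
    an encryption run, and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "docs/report.docx", b"quarterly numbers")
        _write(root, "docs/notes.txt", b"todo list")
        baseline = build_baseline(root)
        # Report overwritten with opaque bytes, a note dropped, notes file deleted.
        _write(root, "docs/report.docx", bytes(range(64)))
        _write(root, "docs/README_RESTORE.txt", b"your files are encrypted")
        os.remove(os.path.join(root, "docs", "notes.txt"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Two operational caveats follow directly from how this works: the baseline only has value if it is stored where the same malware cannot rewrite it (read-only media, a separate host, or at least a signed copy), and hashing detects change after the fact rather than preventing it, so the comparison should feed an alert, not stand alone.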
3. Containment, Eradication, and Recovery
The first action at this stage is to choose a containment strategy before the incident overwhelms the resources. Next, gather evidence and handle it properly in case there is a legal proceeding. It is also important to identify the attacking hosts before eradication and recovery, so that the affected components of the system can be eliminated. Once ransomware is identified, start containment by disconnecting all affected computers from the network. To eradicate, reformat the hard drives and reimage the computers. If data is held hostage, ask whether the data is valuable, whether it is critical to operations, and whether ransom insurance covers it. Patch all OSs and turn on automatic updates.
Choosing a Containment strategy
Depending on the nature of the occurrence, several containment tactics are used. A strategy for containing an email-borne malware infection, for example, is very different from a network-based DDoS attack. Organizations should develop distinct containment strategies for each major incident category, with criteria documented to aid decision-making. The following are some criteria to consider when deciding on the best strategy:
- Resources could be harmed or stolen
- Evidence preservation is required
- Availability of services (e.g., network connectivity, services provided to external parties)
- Time and resources are required to put the strategy into action
- The strategy's effectiveness
Evidence gathering and handling
- Identifying information (for example, a computer's location, serial number, model number, hostname, MAC addresses, and IP addresses)
- Name, title, and phone number of each person who collected or handled evidence during the investigation
- Time and date of each instance of evidence handling (including time zone)
- Places where the evidence was kept
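The four items above are the fields a chain-of-custody record has to carry. The block below is an added example written for this article (not code from it or from NIST SP 800-61) that stores those fields for each handling event and chains the entries with SHA-256, so that an after-the-fact edit to any entry is detectable when the record is produced in a legal proceeding. Every name, phone number, serial and hash in it is a constructed placeholder.

```python
"""Hash-chained chain-of-custody log for incident evidence.

Added example, not from the original article or NIST SP 800-61. Each entry
records who handled the item (name, title, phone), what they did, where it was
kept and a time-zone-aware timestamp, and is bound to the previous entry by a
SHA-256 digest. All identifiers below are constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone


def _digest(prev_hash, record):
    """SHA-256 over the previous hash plus a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class CustodyLog:
    def __init__(self, item):
        self.item = item       # identifying information for the evidence item
        self.entries = []      # each: {"record": {...}, "hash": "..."}

    def _genesis(self):
        # The item description itself anchors the chain, so editing it is detected too.
        return _digest("", self.item)

    def add(self, handler, action, location, when):
        """Append one handling event. `handler` is a dict with name, title, phone."""
        if when.tzinfo is None:
            raise ValueError("timestamp must carry a time zone")
        for field in ("name", "title", "phone"):
            if not handler.get(field):
                raise ValueError(f"handler is missing {field}")
        record = {
            "item_id": self.item["id"],
            "handler": dict(handler),
            "action": action,
            "location": location,
            "time": when.isoformat(),
        }
        prev = self.entries[-1]["hash"] if self.entries else self._genesis()
        self.entries.append({"record": record, "hash": _digest(prev, record)})

    def verify(self):
        """Recompute the chain; False if any entry or the item description changed."""
        prev = self._genesis()
        for entry in self.entries:
            if _digest(prev, entry["record"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo():
    """Constructed scenario: two handling events, then a tampered location.
    Returns (verify before tampering, verify after tampering)."""
    item = {
        "id": "EV-0001", "hostname": "fileserver01", "serial": "SN-PLACEHOLDER",
        "model": "MODEL-PLACEHOLDER", "mac": "00:11:22:33:44:55", "ip": "10.0.0.5",
        "image_sha256": "0" * 64,   # placeholder for the acquired disk image's digest
    }
    log = CustodyLog(item)
    tz = timezone(timedelta(hours=-7))   # constructed offset for the example
    analyst = {"name": "A. Analyst", "title": "IR Lead", "phone": "+1-555-0100"}
    log.add(analyst, "acquired disk image", "IR lab safe, shelf 2",
            datetime(2021, 5, 10, 9, 30, tzinfo=tz))
    log.add(analyst, "transferred to counsel", "Legal evidence locker",
            datetime(2021, 5, 11, 14, 0, tzinfo=tz))
    intact = log.verify()
    log.entries[0]["record"]["location"] = "unknown"   # simulate an unauthorized edit
    return intact, log.verify()


if __name__ == "__main__":
    print(demo())
```

The time-zone check exists because the list above calls for it explicitly: a naive timestamp is ambiguous once evidence crosses teams in different regions. The chain makes tampering detectable, not impossible; the log still has to be stored and backed up like the evidence it describes.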
Identifying the attacking host
- Validating the source’s IP address
- Using a search engine to search the attacking host
- Using an incident database
- Monitoring possible attacker communication channels
4. Post Incident Activities
Finally, note the lessons learned from the incident and use the collected incident data to prepare subjective and objective information on each incident.
Then apply the company's evidence retention policy. At this point, consider the possibility of prosecuting the attackers and the associated costs. Prepare an incident handling checklist to assess performance based on the type and nature of the incident. Make sure to validate the restored system and check that it is back to its normal state. Verify that all patches are installed and automatic updates are turned on. Install anti-virus software, keep its signatures current, and perform regular scans.
Lastly, REHEARSE these steps!
Sources
J. Bates, "Trojan Horse: AIDS Information Introductory Diskette Version 2.0," in E. Wilding and F. Skulason (eds.), Virus Bulletin, Virus Bulletin Ltd., Oxon, England, Jan. 1990, pp. 3–6.
A. Young and M. Yung, "Cryptovirology: Extortion-Based Security Threats and Countermeasures," in J. McHugh and G. Dinolt (eds.), IEEE Symposium on Security & Privacy, IEEE Computer Society Press, Washington DC, 1996, pp. 129–141.
P. Cichonski, T. Millar, T. Grance, and K. Scarfone (2020), "Recommendations of the National Institute of Standards and Technology," NIST Special Publication 800-61 Revision 2. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
C. Osborne (2021), "Colonial Pipeline attack: Everything you need to know. Updated: DarkSide has claimed responsibility for the catastrophic ransomware outbreak," ZDNet. https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/
IBM (2021), "The definitive guide to ransomware: Readiness, response, and remediation. A prescriptive approach to ransomware attacks and insight into powerful risk mitigation techniques." https://www.ibm.com/downloads/cas/EV6NAQR4
ProdOps @ Meta
3 years ago: Great read Ash! Timnath Harris worth a read.
Information Systems
3 years ago: Great stuff!
Security Operations @ Stripe
3 years ago: Good stuff Ash!
Early Career Recruiting at Clark Nuber
3 years ago: Great content, Ash!