The first article in this ransomware blog series, Hacker Procedure, described the three main phases of an attack. The second article, Exposing What's Under the Hood of Ransomware Attacks, examined important details about ransomware crime. This final installment walks through the experience of an actual ransomware incident. I’ll provide guidance for handling the different phases of this devastating experience in order to minimize long-term harm to the victim.
Once ransomers take control of an organization’s infrastructure, the victim typically goes through four phases of reaction:
- Chaos phase
- Constitutive phase
- Emergency operation
- Return to normal operation
The first three phases take an average of 23 days. The progression to normal operational mode can take many months, depending on the damage inflicted.
Chaos phase
The initial reaction to the ransoming of a company’s infrastructure is the chaos phase. I like to call this phase headless chicken mode because there are a lot of frantic people running around without any understanding or purpose.
It’s full panic. The situation is unclear to anyone in the company. The CEO is upset. The CISO and IT manager are desperate and don't know what to do. No organization is ever prepared for this level of crisis.
Little, if anything, is accomplished during the chaos phase.
Constitutive phase
Once the initial panic recedes, the first productive step is to form a crisis team to assess the situation, identify the most important systems, and get them up and running again. Meanwhile, a team begins forensic activities. The constitutive phase also includes the negotiation with the ransomers and as much restoration of systems as possible.
Crisis response
For many companies that find their infrastructure in the grip of a cybercriminal, the best option is to hire an incident response consultant. These professionals are familiar with hacking and ransoming techniques and know how to minimize disruption and damage. Having played this role in ransomware events myself, I can share how a typical incident progresses.
The first few hours
- What happened?
- Which systems are offline?
- Which systems are still running?
- Get an overview of the situation.
- What data backups are available?
- Start ransom negotiations.
- Prepare a system for negotiation.
- Prepare communication channels.
- Start forensics.
- Involve the authorities.
- Begin restoring the IT infrastructure or building it from scratch.
Situation overview
When you first arrive on the scene as an incident response consultant, you need an overview of the situation. What have the attackers gained access to? Which systems have they shut down and which are still online? What backups are available? If no backups remain, then you must start the ransomware negotiation immediately.
Prepare to negotiate
Before you communicate, remember that these are hackers! Be sure that you don’t create an opportunity for them to commit more crimes against you. Prepare a new, isolated system and communication channels dedicated to the negotiation. For example, create a box with its own LTE connection.
Begin forensics
Your main forensic objectives are to learn:
- What happened?
- What was the first access?
- How did the lateral movement occur?
- Which user accounts did the attackers use?
- What tools did the attackers use?
- Which backdoors were installed and used?
- What data have the attackers stolen?
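To make these forensic questions concrete, here is an added example (not from the original post) that triages a handful of constructed Windows logon records (event 4624, logon types 3 and 10) to pull out the first external access, the accounts used, and the hop-by-hop lateral movement path; the CSV layout, hostnames, accounts and addresses are all assumptions made for the example.

```python
"""Triage constructed logon records to answer three of the forensic
questions above: first access, accounts used, lateral movement path.

Every row in SAMPLE_LOG is constructed for this example; the CSV shape is an
assumption, not a real SIEM export format.
"""
import csv
from io import StringIO

# Constructed sample: time, event_id, logon_type, account, source_ip, target_host
SAMPLE_LOG = """\
time,event_id,logon_type,account,source_ip,target_host
2024-03-01T02:11:05,4624,10,jdoe,203.0.113.45,VPN-GW01
2024-03-01T02:40:12,4624,3,jdoe,10.0.5.17,FS01
2024-03-01T03:05:44,4624,3,svc_backup,10.0.5.17,DC01
2024-03-01T03:30:09,4624,10,svc_backup,10.0.1.10,DC01
2024-03-01T09:00:00,4624,2,alice,10.0.8.3,WS-ALICE
"""

REMOTE_LOGON_TYPES = {"3", "10"}  # network and RDP logons: lateral movement candidates
INTERNAL_PREFIX = "10."           # assumption: internal hosts live in 10.0.0.0/8


def parse_events(text):
    """Parse the CSV export into a list of dicts, sorted chronologically."""
    return sorted(csv.DictReader(StringIO(text)), key=lambda e: e["time"])


def first_access(events):
    """Earliest successful logon whose source is outside the internal range."""
    external = [e for e in events
                if e["event_id"] == "4624"
                and not e["source_ip"].startswith(INTERNAL_PREFIX)]
    return external[0] if external else None


def accounts_used(events):
    """Accounts seen in remote (type 3/10) logons, in order of first appearance."""
    seen = []
    for e in events:
        if e["logon_type"] in REMOTE_LOGON_TYPES and e["account"] not in seen:
            seen.append(e["account"])
    return seen


def lateral_movement(events):
    """Chronological hops (source_ip, target_host, account) over remote logon types."""
    return [(e["source_ip"], e["target_host"], e["account"])
            for e in events if e["logon_type"] in REMOTE_LOGON_TYPES]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("first access:", first_access(evs))
    print("accounts:", accounts_used(evs))
    for hop in lateral_movement(evs):
        print("hop:", hop)
```

On real data the same three functions would run over an exported 4624 table; the interactive logon (type 2) from alice's workstation is deliberately excluded to show that only remote logon types are treated as movement.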
Involve the authorities
The legal authorities to involve depend on where the company is located. Generally you should contact the police, the local public prosecutor’s office, and your country’s office for information security. In the United States, you contact the FBI, which informs the other federal agencies (CISA and NSA).
Begin restoration
Don’t delay the effort to restore the IT infrastructure. If there’s no chance of restoring it, you should begin rebuilding it from the ground up.
Negotiating with the ransomers
All negotiation begins with the ransom note that the criminals leave for the victims. This is an example of an actual ransom note:
Typically a ransom note contains these elements:
- An introduction to who the ransomers are and what they’ve done
- How to reach the group who has ransomed the infrastructure
- A key with which they identify you (because most groups attack several companies at the same time)
=> To learn more about hacker groups, see Exposing What's Under the Hood of Ransomware Attacks.
The ransom note above had a link to a page on the darknet and instructions for authenticating on that page. The darknet page had information about the hacker group who was holding the company’s infrastructure for ransom, their demands, and a timeline.
The ransom demand was five million US dollars. A timer on the page indicated that the ransom amount would double if not received within seven days.
The darknet site also offered a chat function for communicating with the ransomers. This is a common practice. There needs to be a communication path between the victim and the hacker to discuss details, ask questions, and negotiate terms.
In this incident, we pursued three goals:
- Reduce the ransom amount.
- Change the transaction from Monero (XMR) to Bitcoin. Monero is a privacy crypto coin with a small market, which makes it difficult to obtain quickly in such large quantities.
- Allow more time. The company needed to register legally with an exchange and comply with the necessary government regulations.
The communication with the hacker group is a typical negotiation in which one party has greater advantage. As you might guess, hacker groups don’t go out of their way to provide outstanding service to the companies they hold for ransom. Negotiations can be unpleasant and response times can be slow.
After we successfully transferred the ransom money, we asked for the universal decryptor to restore the system faster. Their answer demonstrated their mindset:
“I think it’ll be soon, we’re not robots. our employees need sleep as soon as someone shows up. They will make you uni_dec.exe”
After about three hours, we did receive the universal decryptor and were able to decrypt all of the customer’s data.
Emergency operation phase
While negotiations are underway, the company is unable to conduct normal business. Yet there are customers who need products, services, or support. There are suppliers who require payment. There are deadlines to be met. Everyone in the organization needs the IT systems to do their jobs, but those systems aren’t running. The company may need to set up temporary systems to accomplish the most important tasks. The pressure on the IT team is enormous.
Reasonable resource planning is critical during this phase, so that employees can endure this exhausting time. Prioritization is also essential: What business functions are most important to get up and running? Internal communication must manage employees’ expectations and provide channels for questions and requests. Management must devise plans for communicating outside the organization as well—with suppliers, customers, partners, regulators, and so on.
Return to normal operation
The final phase of response to a ransomware attack is the return to normal operation. The ransom has been paid. The IT team is decrypting data and applications and restoring systems. During this phase, the company sets up projects to transition the infrastructure into normal operation.
One priority during this time is to improve the company's IT security posture. By this time, the forensic investigation has revealed the attackers’ access points, accounts used, lateral movement, and backdoors created. It’s urgent to eliminate these vulnerabilities to prevent another attack by the same hacker group or other criminals. But it’s important to assume that those aren’t the only vulnerabilities in the infrastructure.
Preventing ransomware attacks
In my career as a pentester and incident response consultant, I’ve identified two main reasons why attackers are so successful in compromising companies:
- The systems are not up to date with the latest patches
- The systems do not have secure configurations
Most organizations are not aware of how vulnerable they are. Time and time again, when I’ve seen companies become victims due to one or both of these risks, it’s because the system versioning and configurations are not visible across their entire infrastructure. Without that visibility, they can’t perform an appropriate risk assessment.
That's why we founded Mondoo, to help companies see their vulnerabilities and to provide them with concrete recommendations for action.
Mondoo provides a risk score per system across your complete infrastructure (Windows, Linux, AWS, Azure, M365, GCP, Kubernetes, CI/CD, and more).
- Identify which updates are missing on each system.
- Receive clear instructions on how to fix individual problems.