The clock starts ticking the moment an employee finds encrypted files or a ransomware note, or when your SIEM tool throws a ransomware detection alert. The first 24 hours are the most crucial time to deploy everything in your arsenal to mitigate the effects of the attack. This blog discusses a step-by-step incident response plan you can adopt with a few prerequisites. But first, here's a brief introduction to ransomware.

A ransomware attack is a cyberattack in which malicious software encrypts the victim's files or data and holds them for ransom. The attackers demand a ransom payment from the victim in exchange for the decryption key that restores access to the data or files. Any ransomware attack goes through five stages: initial exploitation, malware installation, backup destruction, encryption, and blackmail or extortion.

Some prerequisites for a ransomware response plan

There are three fundamental requirements that need to be met in order to effectively respond to a ransomware attack.

  • Take regular backups of data and ensure they're stored in a secure location. This will help you safely restore your data and operations without having to pay a ransom.
  • Establish a designated critical incident response team composed of senior executives or decision-makers, forensic analysts, and incident response analysts with clearly defined roles. It will be easier to deploy the team in the event of a ransomware attack, and each specialist can start working on their tasks right away.
  • Deploy a real-time log management solution for detection, response automation, and incident management. A SIEM solution can help you execute the first line of defense, conduct forensics, and monitor file changes at a granular level.

Ransomware incident response plan

Your ransomware response strategy for the first 24 hours should primarily involve steps to contain and investigate the attack. Containment and impact assessment involves thoroughly analyzing the situation to learn about the attack's severity. The second stage, investigation and response, is where the malware is more closely examined and specific response measures are taken.

Containment and impact assessment

The containment and impact assessment stage involves detaching the reported user and host from the network as the first action. Following this, you can notify and assemble your incident management team and further assess the situation as described in the steps below.

Isolation: Isolate the user and the machine on which ransomware was reported from the rest of the network. Files may have already been encrypted, and isolating the device may hinder business operations, but it's a critical decision. Moreover, containment helps forensic analysts work on the infected machine safely and proceed with restoration.

Notification: Alert the relevant stakeholders and assemble a team of decision-makers, analysts, and system admins for the next set of actions. It is vital to have these roles clearly defined.

Start with the infected file location: Ransomware creates TXT and HTML files at encrypted file locations to deliver the ransom note. Check which account created these new files; this reveals the user account being used to carry out the ransomware operations.

If the encrypted files were found in the shared network folder, check the file owner permissions to identify other possibly affected users.

Isolate all the hosts and check the associated users' risk scores and privileges.

Check for Active Directory compromise: Are users unable to access their AD accounts? Look for changes to AD users, groups, and DCs. Such changes could indicate that the ransomware has been deployed at scale using AD access.

Checking the state of backup storage is a vital component of impact analysis because many ransomware programs tend to delete backups before starting the encryption process.
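The ransom-note check and the shared-folder owner check above, worked through as an added example (not code from the original post). It runs over constructed file-audit events of the kind a SIEM collects from a file server; the field layout, the 30-minute window, and the threshold of three renamed files are assumptions, and the note created by the acting account is reported alongside the owners of the files that were renamed in the same folder:

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOTE_EXTS = {".txt", ".html"}      # ransom-note formats named in the post
BURST_MIN = 3                      # assumed: files renamed to one new extension
WINDOW = timedelta(minutes=30)     # assumed: note dropped within 30 min of renames

def _split(path):  # (directory, extension) for a Windows or POSIX path
    d, _, name = path.replace("\\", "/").rpartition("/")
    _, dot, ext = name.rpartition(".")
    return d, ("." + ext).lower() if dot else ""

def triage_ransom_notes(events):
    """events: (timestamp, host, acting_user, action, resulting_path, file_owner)."""
    by_dir = defaultdict(list)
    for ts, host, user, action, path, owner in events:
        d, ext = _split(path)
        by_dir[(host, d)].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                                  user, action, ext, path, owner))
    findings = []
    for (host, d), evs in by_dir.items():
        notes = [e for e in evs if e[2] == "create" and e[3] in NOTE_EXTS]
        for nt, nuser, _, _, npath, _ in notes:
            # Files renamed (extension appended) close in time to the note drop
            renamed = [e for e in evs if e[2] == "rename" and abs(e[0] - nt) <= WINDOW]
            per_ext = defaultdict(list)
            for e in renamed:
                per_ext[e[3]].append(e)
            for ext, files in per_ext.items():
                if len(files) >= BURST_MIN:
                    findings.append({
                        "host": host, "directory": d, "note": npath,
                        "note_creator": nuser,          # account to isolate and investigate
                        "encrypted_ext": ext, "file_count": len(files),
                        # owners of the renamed files: other possibly affected share users
                        "affected_owners": sorted({e[5] for e in files}),
                    })
    return findings

# Constructed sample audit events (not real data)
SAMPLE_EVENTS = [
    ("2021-03-01 08:00:05", "FS01", "CORP\\jdoe", "rename", "\\\\FS01\\finance\\q1.xlsx.locked", "CORP\\asmith"),
    ("2021-03-01 08:00:06", "FS01", "CORP\\jdoe", "rename", "\\\\FS01\\finance\\budget.docx.locked", "CORP\\asmith"),
    ("2021-03-01 08:00:07", "FS01", "CORP\\jdoe", "rename", "\\\\FS01\\finance\\payroll.csv.locked", "CORP\\bkhan"),
    ("2021-03-01 08:00:08", "FS01", "CORP\\jdoe", "rename", "\\\\FS01\\finance\\forecast.pptx.locked", "CORP\\jdoe"),
    ("2021-03-01 08:00:09", "FS01", "CORP\\jdoe", "create", "\\\\FS01\\finance\\RESTORE_FILES.html", "CORP\\jdoe"),
    ("2021-03-01 08:10:00", "FS01", "CORP\\hr1", "create", "\\\\FS01\\hr\\readme.txt", "CORP\\hr1"),   # benign
    ("2021-03-01 08:11:00", "FS01", "CORP\\hr1", "rename", "\\\\FS01\\hr\\policy_v2.docx", "CORP\\hr1"),
]
```

Calling `triage_ransom_notes(SAMPLE_EVENTS)` returns one finding for the finance share and none for the HR folder, whose lone note-like file has no rename burst beside it.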

Investigation and response

The investigation and response stage begins with probing into the malware variant, then identifying and plugging the malware entry points as listed below.

Identify the malware variant: Ransomware typically follows a specific attack pattern, and identifying the pattern can lead to ascertaining the ransomware variant. The initial exploitation method used, executable file names and hashes, targeted file locations and types, and process names are some areas to look at during your investigation.

Closely examine the ransom note: The text and image in the ransom message can help in identifying the threat group and the ransomware variant. The ransom message is also a crucial artifact to include in your incident report.

Initial access vector: Phishing and email attachments are the most widely used ransomware delivery methods. Other entry methods include drive-by downloads and exploitation of software vulnerabilities.

  • Look for suspicious email attachment files from the email client and mail server, and check the file hash reputation with threat feeds.
  • Check the infected users' activity history against logs from proxy servers, IDS, and firewalls to find interactions with malicious URLs or IPs.
  • Notify users: advise them not to click on suspicious emails and URLs and to disconnect from the network if required.
  • Extract suspicious files from email attachments, and contain hosts where the email was delivered. Update the access control list (ACL) and firewall rules in response to the discovery.

The image below shows the critical ransomware response actions to take in the first few hours.

Ransomware attack response: The first 24 hours

The aforementioned steps comprise a ransomware incident response playbook for the first 24 hours after detection. Backup restoration can only be started after complete containment, impact assessment, and initial investigation. It is essential to conduct test runs for backup restorations.

Create incidents and tickets with all the evidence gathered for further forensic analysis and cleanup. The typical evidence includes user and host details, associated URLs and IPs, IoCs, file locations, process names, and all associated event logs. You can notify the board, public relations, and legal team at this stage.

SIEM use cases to accelerate and manage your incident response

Event correlation: A SIEM solution with real-time log collection enabled can correlate events from different sources like workstations, servers, firewalls, and antivirus solutions to identify malware patterns and raise alerts.

Response workflows: Outbound firewall rules can be set using workflows after corroborating IPs and URLs with real-time threat intelligence feeds. Automated workflows can also execute AD actions, such as disabling users and workstations, running scripts, and stopping processes. Emails and SMS alerts to notify users and IT admins can be automated based on conditional logic.
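The initial-access checks listed earlier (attachment hash and proxy destination against a threat feed) and the event correlation and response workflow described in the two paragraphs above, combined into one added example that is not part of the original post. The event schema, the threat-feed values, the rule weights, the one-hour window and the incident threshold are all constructed assumptions; the mail-gateway event carries a `host` field on the assumption that the SIEM has already enriched it with the recipient's workstation:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat feed with placeholder indicators (not real IoCs)
BAD_HASHES = {"deadbeef0001"}
BAD_IPS = {"203.0.113.7"}                      # documentation-range address
WINDOW = timedelta(hours=1)                    # assumed: all hits within one hour
WEIGHTS = {"malicious_attachment": 2, "c2_contact": 2, "file_burst": 3, "backup_deleted": 3}
THRESHOLD = 5                                  # assumed score that opens an incident

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(events):
    """Correlate mail, proxy, file-audit and backup events per host; return incidents."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e["host"]].append(e)
    incidents = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: _t(e["ts"]))
        hits, ips = [], set()
        for e in evs:
            if e["source"] == "mail" and e.get("sha256") in BAD_HASHES:
                hits.append(("malicious_attachment", e))
            elif e["source"] == "proxy" and e.get("dst_ip") in BAD_IPS:
                hits.append(("c2_contact", e)); ips.add(e["dst_ip"])
            elif e["source"] == "file" and e.get("renames", 0) >= 50:
                hits.append(("file_burst", e))         # mass rename = likely encryption
            elif e["source"] == "backup" and e.get("action") == "delete":
                hits.append(("backup_deleted", e))     # backup destruction stage
        if not hits or _t(hits[-1][1]["ts"]) - _t(hits[0][1]["ts"]) > WINDOW:
            continue
        score = sum(WEIGHTS[r] for r, _ in hits)
        if score < THRESHOLD:
            continue                                   # single weak signal: no incident
        users = sorted({e["user"] for _, e in hits})
        actions = (["isolate_host:" + host] + ["disable_account:" + u for u in users]
                   + ["block_outbound_ip:" + ip for ip in sorted(ips)] + ["open_ticket"])
        incidents[host] = {"score": score, "rules": [r for r, _ in hits], "actions": actions}
    return incidents

# Constructed sample events from four log sources (not real data)
SAMPLE_EVENTS = [
    {"source": "mail", "ts": "2021-03-01 07:40:00", "host": "WS17", "user": "CORP\\jdoe", "sha256": "deadbeef0001"},
    {"source": "proxy", "ts": "2021-03-01 07:45:00", "host": "WS17", "user": "CORP\\jdoe", "dst_ip": "203.0.113.7"},
    {"source": "file", "ts": "2021-03-01 07:58:00", "host": "WS17", "user": "CORP\\jdoe", "renames": 120},
    {"source": "backup", "ts": "2021-03-01 07:59:00", "host": "WS17", "user": "CORP\\jdoe", "action": "delete"},
    {"source": "mail", "ts": "2021-03-01 07:41:00", "host": "WS22", "user": "CORP\\bkhan", "sha256": "deadbeef0001"},
]
```

With this input only WS17 reaches the threshold; WS22 received the same attachment but shows no follow-on activity, so it stays below the incident threshold and would be handled as a user notification rather than a containment workflow.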

Forensics: Drill through logs to perform root cause analysis at a granular level using historical and real-time log data.

File integrity monitoring and data loss prevention: Locate and classify sensitive files, track permissions, and track file modifications and creations.

Incident management: Automatically create incidents, assign technicians, and track the status of any malware or ransomware detections.

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.