Ransomware is one of the fast Growing threat in the worldwide and its considered as a leader of Global cyber attack in recent days which cause some dangerous issues and loss in many organizations and individuals. Here is the Ransomware Checklist for Attack Response and Mitigation.
The ransomware is a turnkey business for some criminals, and victims still pay the ever-increasing demands for ransom, it’s become a billion-dollar industry that shows no signs of going away anytime soon.
A cost of Ransomware attacks Crossed more than $1Billion in a single year alone and day by day number of Ransomware attacks are increasing and threatening around the world.
Here we will see the important ransomware checklist and mitigation techniques for Sophisticated Ransomware attacks.
A common factor of Ransomware is that very strong Encryption(2048 RSA key) method are using for all the Ransomware variant which is estimated to take around 6.4 quadrillion years to crack an RSA 2048 key by an average desktop computer.
The wide availability of advanced encryption algorithms including RSA and AES ciphers made ransomware more robust.
Ransomware is using Bitcoin Payment that is untraceable and Every Ransomware variant are demanding different bitcoin amount to get the decryption key.
Some time attacker can provide the decryption key some time they won’t even you paid. Instead of that, they forcing the victim to infect another Few Peoples to get the decryption key.
To Maintain the Anonymity, attacker always using the “Tor”(The Onion Router) to Establish the Communication to Victim which helps an attacker to hide their IP Address since Tor network is created by thousands of nodes in different countries You cannot browse TOR sites using a regular Internet browser.
Also Read List of Ransomware variants distributed
Symptoms of Infection – Ransomware Checklist
A window has opened that you can’t close it that contains Ransomware Program and instruction.A warning countdown program instructs you that how to pay to unlock your file and Device.
A Countdown program warns you that, there is a countdown to Deadline to pay else you can no longer Decrypt the file or Ransome amount will be increased.
Suddenly you can’t open the file or et errors such as the file are corrupted.
You can See Different Directories that says HOW TO DECRYPT FILES.TXT Or some related instruction.
Ransomware Entry point and Infection Vector
A user will receive an Email with malicious Link in the body content. once you Click the link that will Download A File that Contains Ransomware.
Email Looks like from Major Brand, Social Engineering, or Seeking.
A user will receive an Email with an Attached Innocent file. once a user opens the file then it will be Triggered in the Victims computer and finally he will be victimized by Ra; ransomware.
Ex: urgent Requirement, Job offers, Common Zip file, Sense of Urgency to open Document, Money Transferred.
A Malicious Document Contains Embedded Hyperlink . when user Click the hyperlink then I will go out to the internet and download the Malicious File that contains Ransomware variant.
Ex: normal Looking Document, Innocent Looking Hyperlink, linked to Ransomware.
Websites & Downloads
A Users Browser the infected site and Compromised website and download a software and they think its a genuine software but it actually contains a Ransomware variant.
Ex: General Browsing, Porn Websites, File Download from Bit Torrent, PC Downloads, Play Stores.
Drive by Infection
A User Browser with old Browser, Malicious plug-in, an unpatched third-party application will infect the machine and spread via infected user within the organization and file Sharing platform such as IRC, Skype, and other Social Media.
infected sites will redirect the user into exploit kit and it will have a concern ransomware exploits which will later download and exploit the ransomware.
Ex: No user interact for some time, Malvertising.
Incident Response and Mitigation
Once you feel that you’re infected or you find some unusual activities occur in your network then the following Steps are urged to take for Mitigation.
Finding the Indicator of Compromise
During the Encryption Process File Extention will be Changed with a new type of extension that you have not seen it before.
so collecting the Known Ransomware file Extention and monitoring the Extensions. This will help you to identify the Ransomware even before the incident will be occurred.
In this case, existing file extension remains the same but new file extension will be created during the encryption process and new extension will be added next to normal file extension of the infected file.
Check the all unusual Ransomware related File Extention Type – Ransomware file Extention
Bulk File Renamed
Monitoring a large number of Files being Renamed with your network or your computer. It will be a good indicator of compromised by ransomware.
Check whether any of large volume file name has changed with your Asset.
Using Behaviour analysis will help to identify you to find any number files being changed or suddenly using in your network when compared to normal uses.
Security tools such as Endpoint protection, Antivirus, Web content filtering in your organization that you may allow you to filter the content that your access on the internet that analysis the behavior of your network and your computer will help you to find the behaviourally based indications.
It will monitor the normal behavior of user baseline and if there will be some unusual things occur then it will intimate you to have a look at it.
Intrusion detection and prevention system that you have implemented into your network will prevent to call back the unusual files and encrypting your file.
Also, it will prevent from download an encryption key from command and control server and stop being encrypted your files in your system.
Ransomware notes is an Explicit indicator of compromise that popups into your screen and telling you to pay some demanding ransom amount to pay.
its one of the First indicator of the ransomware attack that most of the people should be aware of it.
A report from user to help desk that they cannot open files or cannot Find the files and also PC Running Slow.
Ensure that you’re organization help desk professional’s are fully trained to Face the ransomware impact and take appropriate mitigation steps.
What next: if you’re Infected
Once you find and confirm that your computer or network have been infected then immediately take the following actions.
Disconnect the Network – Ransomware Checklist
Completely Disconnected the infected computer from any network and isolate it completely.
Remove all the Storage Devices such as External Hard Drive, USB drive, and other Storage Devices.
Turn of the Any Wireless Devices such as a router, WiFi, Bluetooth other wireless devices that you have in your organization.
Simply unplug the computer from the network and any other storage devices.
Don’t Try to Erase anything such as clean up your devices, format, etc. this is very important for the investigation process.
Determine the Scope – Ransomware Checklist
In this case, you need to evaluate how much if your organization infrastructure has been compromised or Encrypted.
Find your First Infected machine and confirm the infected storage medium. It could be any one of following these.
- USB memory sticks with some valuable information
- shared or unshared Drives or folders
- External hard drives
- cloud-based storage (DropBox, Google Drive, Microsoft OneDrive/Skydrive etc…)
- Network storage
Check the above asset and confirm the sign of encryption.If it will be cloud storage then Try to revert the recent unencrypted version of your files.
If you have back available for the encrypted storage then identify the infected or encrypted part of files and which file you need to restore or what may not be backed up.
Finally, if you don’t have any option to proceed the above possibility then reconnect memory drive and check the other possibility for decryption.
Understand the version or Type of Ransomware
First Ransomware needs to know which files it needs to decrypt if you paid the ransom amount.
To determine the scope of the infection is to check for a registry or file listing that has been
created by the ransomware.
Each and every Ransomware are having different version and types. It is recommended to do a bit of googling to determine the version of ransomware you have been hit with and do your research based on the right version of the ransomware.
Determine the Strains of Ransomware
In terms of strains, each and every ransomware type are having different method and function. so you have to make sure which type of ransomware you’re dealing with and what is the option you have in your hand.
If you feel that you are the first person who infected with concern ransomware then try to consult with some for security experts to determine that what kind of ransomware you are actually facing by providing the information about various files and system information.
Most of the ransomware does not have future to self-spreading function to jump across the network unless you will directly share from the infected machine.
Generally, ransomware infects to only single machine or related shared network files and it won’t Encrypt the files where it has not directly control over for the concerned network or system.
So make sure you have checked with above things in the infected ransomware strains.
Fast Emergency Response
Ransomware does not need an any of user interaction to performing its Task.so you have to have a very concern about the time to take the necessary steps.
You need to take some rapid response by calling the helpdesk and internal parties immediately make them aware that Ransomware attack has occurred.
Notify your company’s executive, other legal and emergency response team.
Notify your regulatory agency and consult your law enforcement and also try to implement your communication plan as soon as possible.
You can also contact industry’s Information Sharing and Analysis Center (ISAC) site to know about the similar attack.
Paying the Ransomware – Ransomware Checklist
- It gives a faster solution than restoring the data from Backup
- It would be the cheapest solution in terms of total cost of recovery
- Its help to minimize the disruption to business and users.
Advantage: Not Paying
- You can maintain the integrity of data by certain of recovery of data.
- Not paying criminal and supporting the cybercrime.
- You may protect yourself from targeting again and you can decrease the risk to attack you again.
- Supporting the crime and rewarding the crime
- It would make you high risk in future and you might be victimized again
- There is no guaranty that you will be data recover
Disadvantage: Not Paying – Ransomware Checklist
- There will be a lot of time-consuming to restore the data
- If you don’t have a proper backup it will lead to a critical situation.
- It disturbs the business continuity and users and it will be cost-effective.
Getting Funds to ready in Bitcoin – Ransomware Checklist
Before paying ransom to criminals you have to make your Bitcoin vault ready.
Its take time to prepare the bitcoin vault and you have to deposit the bitcoin in the vault.
Even though you are paying the ransom about it doesn’t mean that your file decrypted and available immediately.
Some time criminals may perform manual verification of your ransom amount that you have transferred.
It takes even more than 1 day to get you decryption key back. Sometimes you may receive unresponsive situation from criminals.
Mitigation and Preparing the Incident Response – Ransomware Checklist
Defending the Ransomware Attack – Ransomware Checklist
Take regular backups of your data and test your Backups that perfectly available for any time to be restored.
One of the main infection vectors is Microsoft office document so make sure your Microsoft office Macros are disabled by Default.
Use Strong Firewall to block the command & control server callbacks. It helps to prevent the malware accessing the encryption key from the callback C&C Server.
Scan all your emails for malicious links, content, and attachment.Segregate the physical and logical network to minimize the infection vector.
Always use anti-malware and anti-virus protection. most the current antivirus using behavior-based analysis that helps to minimize the unknown ransomware threats takes place in your network.
Don’t Provide local administrator rights to any user by default.Avoid high privilege by default.
Enforce access control permission for the concerned user and allow them to access the files which they actually needed to access for their work.
Provide proper training for your employees about ransomware attack and its common function to attack the network and train users to handle the links.
Block the adds and unnecessary web content. It will download ransomware and other malicious content.