Has your information system been affected by malicious encryption or deletion ransomware? From identifying the incident to containing it, here is some practical advice from InterCERT France’s reflex sheets.
First, you need to confirm that an incident is in progress and that it is indeed ransomware. This step aims to assess the severity of the incident: its scope and impact on your organization, and of course, its criticality.
Qualifying ransomware
Prerequisites for qualifying ransomware
Internally and externally, an organization must mobilize expertise to qualify the security incident. Those involved at this stage must have access to the administration and monitoring of the information system and security equipment, and they must also be aware of the organization’s business priorities and emergency contacts.
A logbook must be opened, taking care to store it outside the compromised information system — on a shared cloud or possibly in paper format. If actions in response to the incident have already been taken, these notes must be recorded in the logbook.
This will enable you to establish a timeline of the incident, monitor the remediation progress, and assess its effectiveness. It must include:
- The date and time of the action or event
- The name of the person or department that detected or reported the event
- A detailed description of the action or event
What are the key steps to confirm that an incident is ransomware, and to assess its scope, impact, and criticality? Let’s now go into detail.
Ransomware: how to assess the incident
Confirm the nature of the security incident
Assessing ransomware begins with tracing the incident back to its source: when was the first anomaly detected and when does the incident appear to have started? Investigations can be conducted using data from a SIEM, EDR, or network probes, and can reveal two types of information:
- Strong signals collected by EDR or SOC tools, reports from information system users (pop-ups appearing on workstations, readme.txt files explicitly demanding a ransom, files with abnormal extensions, mass creation of archives, etc.).
- Weak signals such as inability to access services, servers, or files, deactivation of protection or detection tools, mass shutdown of virtual machines, etc.
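To make the qualification step concrete, here is an added example (not from InterCERT France's reflex sheets or any vendor tool) that classifies a handful of constructed SOC and helpdesk events into the strong and weak signals listed above, orders them chronologically to find the first anomaly, and produces logbook entries carrying the three required fields. The event format, host names and regex patterns are assumptions for the example.

```python
import re
from datetime import datetime
# Constructed sample events (timestamp|reporter|host|description), not real telemetry.
EVENTS = """\
2024-05-03T02:14:00|EDR console|FS01|rename report.docx -> report.docx.locked (4210 files in 60s)
2024-05-03T02:15:30|EDR console|FS01|created 350 archives *.7z in share Finance
2024-05-03T02:20:05|helpdesk|WS-117|user reports pop-up and README_TO_RECOVER.txt on desktop
2024-05-03T01:58:10|vCenter|ESX02|12 VMs powered off by account svc-backup
2024-05-03T01:50:42|SOC|WS-044|Defender real-time protection disabled by admin-jdoe
2024-05-03T02:30:00|helpdesk|WS-201|user cannot access shared drive
2024-05-03T02:31:00|helpdesk|WS-202|printer out of toner
"""
# Strong signals: explicit ransomware artefacts (ransom note, renamed extensions, mass archiving).
STRONG = {
    "ransom note": re.compile(r"\b(readme|how_to_decrypt|recover)[\w-]*\.txt\b", re.I),
    "abnormal extension": re.compile(r"\brename\b.*\.(locked|crypt|encrypted)\b", re.I),
    "mass archive creation": re.compile(r"\b\d{3,} archives\b", re.I),
}
# Weak signals: protection tools disabled, mass VM shutdown, loss of access to services or files.
WEAK = {
    "protection disabled": re.compile(r"\b(edr|antivirus|defender)\b.*\b(disabled|stopped|uninstalled)\b", re.I),
    "mass vm shutdown": re.compile(r"\b\d{2,} (vms|virtual machines)\b.*\b(powered off|shut ?down)\b", re.I),
    "service unavailable": re.compile(r"\b(cannot access|unreachable|access denied)\b", re.I),
}

def classify(text):
    # Strong signals take precedence; (None, None) means the event is noise for this purpose.
    for level, table in (("strong", STRONG), ("weak", WEAK)):
        for label, pattern in table.items():
            if pattern.search(text):
                return level, label
    return None, None

def triage(raw):
    # Parse, sort chronologically (reports rarely arrive in order), keep only matching events.
    rows = [line.split("|", 3) for line in raw.strip().splitlines()]
    events = sorted((datetime.fromisoformat(ts), who, host, text) for ts, who, host, text in rows)
    logbook, hosts, first_strong = [], set(), None
    for when, reporter, host, text in events:
        level, label = classify(text)
        if level is None:
            continue
        hosts.add(host)
        if level == "strong" and first_strong is None:
            first_strong = when.isoformat()
        # One logbook line per event: date/time, who reported it, detailed description.
        logbook.append(f"{when.isoformat()} | {reporter} | {host} | {level} signal: {label} - {text}")
    return {"confirmed": first_strong is not None, "first_strong_signal": first_strong,
            "first_anomaly": logbook[0].split(" | ")[0] if logbook else None,
            "affected_hosts": sorted(hosts), "logbook": logbook}
```

Note that the earliest anomaly in the sample is a weak signal (protection disabled) that precedes the first strong signal by about twenty minutes, which is exactly why the timeline should be traced back from the weak signals and not only from the ransom note.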
If the incident is confirmed as ransomware, or at least as malicious encryption, immediate containment measures must be considered.
At the same time, the assistance of specialized CERT or CSIRT teams can be requested.
Assess the scope of the ransomware attack
Once the ransomware or encryption has been identified, the scope of the attack must be determined: workstations, servers, storage servers, hypervisors, or virtual machines, etc., and the level of compromise, particularly to understand whether administration workstations or Active Directory are affected.
In addition, what types of systems are impacted: DMZ, office systems, business systems, administration systems, backup systems?
Are the affected systems connected to other internal or external systems or resources?
Assess the impact of ransomware
In addition to the impact on assets, the impact on business must be measured: which activities are disrupted, and are they business, external, or vital activities? Is business continuity compromised? Are infrastructures critical to the functioning of the information system affected (e.g., domain controller, DNS, hypervisor, administration workstations, etc.)?
Ransomware can also have regulatory implications, particularly for organizations designated as critical or vital (OSE, operators of essential services, or OIV, operators of vital importance). It is therefore necessary to check whether sensitive data and backups have been affected, and whether the recovery infrastructure is available and operational.
Assess the urgency of the actions to be taken to remedy ransomware
At this stage, the organization affected by ransomware must also validate the existence and application of procedures for continuity and maintenance of activity in regular and degraded modes. This step makes it possible to assess how long these procedures can be maintained and to define the vital services for which emergency intervention is necessary, as well as those that can be maintained in degraded mode.
Once the incident has been classified, its impact assessed, and the extent to which it can be contained by the available containment measures determined, its criticality can be rated as a common anomaly, a minor or major incident, or a cybersecurity crisis.
Let’s now look at the containment measures for a ransomware attack, including the management steps to resolve the incident and the deployment of the crisis management system.
Containing ransomware
The first containment actions aim to limit the attack to reduce its spread and impact, and to give defenders time to organize and respond effectively. Defense teams can be called upon in-house or externally.
Containing the spread of ransomware
The first measure to take is to temporarily isolate the information system from the Internet.
This involves blocking all incoming and outgoing traffic (preserving, where necessary, the WAN links essential to internal business flows) so that the ransomware cannot receive new encryption or lateral movement commands, exfiltrate sensitive data, install backdoors, or observe the defense operations under way. This measure may result in a loss of revenue if the organization’s activity is interrupted, but this cost is statistically much lower than the damage caused by the spread of the threat!
Internet access can then be restored gradually, under the protection of an EDR or SOC.
Subsequently, infected endpoints must be isolated, for example by pausing virtual machines, putting physical machines in standby mode, or isolating the network. The aim is to prevent the threat from spreading to the rest of the information system.
If the spread continues, it is probably a sign that the administration system has been compromised, or that the code is being deployed centrally or autonomously with the credentials of a high-privilege account. Privileged accounts suspected of being compromised can be neutralized or reset, and the SYSVOL folder of the Active Directory domain can be scanned by an antivirus program while waiting for specialized teams to take action.
Preserving essential assets in the face of ransomware
Preserving backups (management servers, storage media, backup servers on hypervisors and in the cloud) is also crucial to containing a ransomware attack.
After identifying the types of information system backups and the backup management servers, and after preserving physical and virtual machines, it may be necessary to disconnect or isolate NAS, SAN, tape libraries (backup robots), and other media from the network. Note that these are in principle already protected by the previous actions taken on the backup management servers, and that side effects may occur if these servers also store application files.
Be careful not to restore backups until the incident response team has indicated a safe restoration date!
If the backup management server is a virtual machine that has been shut down as a security measure, it is necessary to take a snapshot of the paused virtual machine and export it to a dedicated offline disk.
Finally, backup management or storage servers hosted in the cloud should be treated as virtual machines and subject to the same procedures. Note that it will not be possible to perform new backups until they are back in service.
As for file servers that are not backed up, they must be shut down until the threat has been fully remedied, or they can be confined to a network bubble together with the critical applications that depend on them, in order to maintain vital activities.
The domain controller must be shut down if it is physical, or exported to an offline disk if it is virtual.
For organizations that manage multiple Active Directory domains with separate domain controllers, it is recommended that one controller per domain be retained; otherwise, a single domain controller is sufficient.
Note: In most cases, domain controller services are redundant and are not interrupted if one of the controllers is taken offline. However, side effects may occur if the domain controller is the first one contacted in the DNS list received by clients, or if the FQDN or IP address of the domain controller has been hard-coded into a service.
Preserving traces
Traces are essential for investigation teams. Logs from EDR consoles, firewalls, VPN gateways, proxies, etc. must therefore be kept for as long as possible and with as much detail as possible. They can be exported to an offline disk or to a SIEM-type log sink, after first checking that it has not been compromised (disconnecting from the network may be necessary in this case).
Beyond investigations by cyber experts, all traces can be useful to law enforcement agencies in the event of legal proceedings.
Ransomware containment: what next?
Following the detection of a security incident such as ransomware, the resolution must be consistent with the identified impacts and, if necessary, with the help of specialized teams for forensic investigations, remediation, business recovery, internal and external communication, filing complaints and reports, and more.