Ransomware Reminders: Implementing Best Practices & Avoiding The Biggest Mistakes

Lewis Brisbois Bisgaard & Smith LLP
Contributor
Founded in 1979 by seven lawyers from a premier Los Angeles firm, Lewis Brisbois has grown to include nearly 1,400 attorneys in 50 offices in 27 states, and dedicates itself to more than 40 legal practice areas for clients of all sizes in every major industry.
United States Technology

Ransomware continues to ravage systems across the globe in part because, unlike more typical malware, the window in which the payload can be caught is incredibly short. Recent strains like Ryuk and BitPaymer encrypt files and drop their ransom notes within seconds of executing on a victim's computer, leaving little time for detection and response; the time the attackers spent inside the network beforehand is usually noticed only after the encryption has happened. The FBI recently alerted data security professionals worldwide to yet another new variant, this one called RobbinHood, that follows similar attack vectors.

We have previously written at length about preparing for and responding to ransomware attacks. As a reminder, here are two handy checklists: one for defending against ransomware, and the other to help avoid mistakes when responding to an attack.

Best Practices for Ransomware Defense

  • Deploy a system for creating, checking, and restoring backups of all vital applications and data, kept in a separate and secure location that a compromised production account cannot reach, overwrite, or delete. Test restores regularly; a backup that has never been restored is not yet known to be a backup.
  • Implement cybersecurity tools, including an anti-malware solution with endpoint and heuristic (behavior-based) monitoring, since signature-only products rarely catch a new variant in the seconds it needs to run.
  • Report relevant information about cyberattacks to cywatch@fbi.gov, which helps the FBI track malicious actors and prevent future attacks.
  • Do not open any attachment or download anything you do not trust or whose authenticity you cannot validate.
  • Enable automatic patching of your operating systems and web browsers.
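One way to implement the first item on that list, the create/check/restore cycle, is shown below as an added example; it is not part of the original article and is not a product of the firm. It is a bash script that archives a directory, records the archive's SHA-256 in a manifest, re-verifies the manifest, and then proves the archive is restorable by extracting it into a scratch directory and comparing every file with the source. It also shows that a corrupted copy of the archive is rejected by the manifest check. All paths, file names and sample contents are constructed for the demo; in a real deployment the archive and manifest belong on separate storage that production hosts can write to but not delete or overwrite.

```bash
#!/usr/bin/env bash
# Added example, not from the article: one backup cycle (create, verify,
# test restore) plus detection of a corrupted archive. Paths are demo
# assumptions; production copies live on separate, non-deletable storage.
set -u

# make_backup SRC_DIR ARCHIVE: archive the tree and record the archive's hash.
make_backup() {
  local src="$1" archive="$2"
  tar -C "$src" -cf "$archive" . || return 1
  sha256sum "$archive" > "$archive.sha256"
}

# verify_backup ARCHIVE: succeeds only if the archive still matches the hash
# recorded at backup time (catches bit rot and tampering of the stored copy).
verify_backup() {
  local archive="$1"
  sha256sum --status -c "$archive.sha256"
}

# test_restore ARCHIVE SRC_DIR: restore into a fresh scratch directory and
# compare the result with the source; succeeds only if every file matches.
test_restore() {
  local archive="$1" src="$2" scratch status
  scratch="$(mktemp -d)" || return 1
  if tar -C "$scratch" -xf "$archive" && diff -r "$src" "$scratch" >/dev/null; then
    status=0
  else
    status=1
  fi
  rm -rf "$scratch"
  return "$status"
}

# demo: constructed sample data in temp dirs, then the full cycle, including
# rejection of a corrupted archive. Returns 0 only if every check behaved.
demo() {
  local src work archive
  src="$(mktemp -d)"; work="$(mktemp -d)"; archive="$work/backup.tar"
  mkdir -p "$src/app"
  echo "db_host=10.0.0.5" > "$src/app/settings.ini"   # constructed sample file
  echo "id,amount" > "$src/records.csv"                # constructed sample file

  make_backup "$src" "$archive" || return 1
  verify_backup "$archive" || return 1
  test_restore "$archive" "$src" || return 1
  echo "backup verified and test restore matched the source"

  # Corrupt one byte of the stored archive: the manifest check must now fail.
  printf 'X' | dd of="$archive" bs=1 seek=100 conv=notrunc 2>/dev/null
  if verify_backup "$archive"; then
    echo "ERROR: corrupted archive passed verification"; return 1
  fi
  echo "corrupted archive correctly rejected"
  rm -rf "$src" "$work"
}

demo
```

The manifest is the piece most often skipped: without a hash recorded at backup time, a backup that was silently corrupted (or encrypted by the same ransomware) looks fine until the day it is needed. Running `test_restore` on a schedule, against a copy pulled from the off-site location rather than the local staging disk, is what turns "we have backups" into "we can restore".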

Biggest Mistakes in Responding to a Ransomware Incident

  • Not calling your broker/carrier immediately. The reason you carry cyber insurance is so that these critical resources are available to you when you need them. Your broker/carrier will connect you with breach response counsel, who can guide you through the entire process and connect you with skilled and well-resourced vendors.
  • Initiating contact with the attacker from the victim's own domain. Attackers often do not know who their victims are; they may know only an IP address. Writing to them from a corporate email address or domain hands them that identity, which may result in higher ransom demands or further damage to the victim's infrastructure.
  • Disclosing information about the victim's network infrastructure. Details of the victim's infrastructure may result in higher ransom demands, and if the incident is not yet fully contained, they may also enable further damage to the network.
  • Paying the ransom without exhausting other sources for decryption keys. Decryption keys for some ransomware variants exist in the public domain, with some maintained by digital forensics firms and others by the FBI. Every available source should be checked before a ransom is paid.
  • Paying the ransom directly, without using a vetted third party or following protocols to comply with Department of the Treasury regulations. Due diligence protocols must be followed to comply with anti-money laundering and foreign asset control (OFAC sanctions) laws.
  • Not deploying appropriate forensics resources. Ransomware variants like Ryuk and BitPaymer are often preceded by banking Trojans like Emotet and Trickbot. These Trojans harvest user credentials and establish persistence within the network before the ransomware is seeded, so restoring files alone does nothing about the foothold the attackers still hold. Deploy appropriate forensic resources to detect and remove that malware before the system is returned to operation. Properly prepared forensics investigators have established protocols to comply with Department of the Treasury rules if a ransom must be paid, and they can determine whether a decryption tool supplied by the attacker is safe to run in the victim's environment.
  • Wiping devices without obtaining a forensic image. Gather forensic evidence before rebuilding the network. That evidence may help determine how and when the attack happened, what the malware was designed to do, and whether sensitive information was accessed or acquired without authorization.
  • Restoring operations without identifying and closing the vulnerability, or without clearing all endpoints. The environment must be free of malware, and the initial point of entry closed, before it is returned to operation; otherwise reinfection is likely.
  • Making unnecessary public statements. Avoid public statements that may reveal your identity to the attacker. The best course is to work with breach response counsel to craft internal and external messaging that complies with your legal obligations while protecting your company's interests.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
