"Ransomware" attack: we save what we can

Father

Digital forensics specialists usually reconstruct the traces of hacker activity after the fact, but sometimes they have to resist an attack that is still unfolding "here and now". What might that look like in the case of a ransomware attack?

A fairly common situation: IT department specialists detect a ransomware attack and, worse, see that the program is still running in the company's infrastructure, encrypting more and more data! Before calling in incident responders to find out why this cyberattack succeeded, uncover the tactics, techniques and procedures used by the attackers, assess the damage, and get recommendations on raising the infrastructure's level of security and eliminating its weaknesses, you still have time to perform a number of actions that minimize the damage done by the ransomware…

Why we are considering "ransomware" specifically

Ransomware programs are becoming more popular every year. There are several reasons for this; one of the main ones is how easy it is to monetize the criminal activity. In the first half of 2023, the total ransom demands made by cybercriminals for unlocking encrypted information were $175.8 million higher than a year earlier, according to Chainalysis.

The researchers analyzed the movement of cryptocurrencies, since in most cases hackers demand the ransom in "crypto". If the trend continues, total ransom payments in 2023 may exceed $900 million, and the 2021 record, when payments totaled $939.9 million, may be broken.

The ransomware ecosystem is developing extremely dynamically and, as Kaspersky Lab experts note, is becoming even more "industrialized". Let me remind you, for example, that hackers actively use modern business practices, in particular renting out tools for cybercrime. There are more and more RaaS (Ransomware as a Service) offers on the darknet, and they are becoming more popular. According to Kaspersky, more than half (58%) of the malware distributed by attackers under the Malware as a Service (MaaS) model is ransomware.

What do we do when faced with ransomware activity in real time?

The first action needed in such a situation has nothing to do with digital technology; it is a matter of psychology: stop panicking! Emotions will not help, and the main goal right now is to contain the threat while keeping as much of the company's data intact as possible.

Photograph the ransom note. Take pictures! In theory you can take a screenshot, but in practice it is faster and easier to photograph the ransom note with a phone: everyone has a smartphone with a camera. You can pass this information right away to the information security specialists who are repelling the attack, but you can also set it aside for a while: right now we have other tasks.

All the actions I describe below will affect, at least partially, the company's usual IT processes and will disrupt operational activity. But IT processes have already been affected by the running "ransomware", remember? We are stopping it now, and we will deal with the rest later.

The "just now" sequence of actions

Perform this sequence quickly, but calmly: the actions require accuracy.
  1. Disable the backup tools running in this IT infrastructure. Perhaps they have already been processed by the "ransomware" or were removed in advance by its operators, or perhaps already-encrypted data fragments have been backed up, but there is a chance, and a considerable one, to restore the affected fragments from backups. Backups, as the last echelon of data protection, should be "isolated" first of all.
  2. Disable the administrative shares, namely C$, IPC$ and ADMIN$.
  3. If you use any additional data synchronization functionality, disable it.
  4. Isolate individual network segments and/or the most critical hosts. Any method is good here! Sometimes this can be done with firewalls in front of the end nodes (inside the network or on the perimeter), with the hosts' built-in firewalls, with some EDR/XDR solutions that have the appropriate functionality, and so on. Sometimes the fastest, and therefore most effective, option is to cut the power: this will definitely make the data on those systems inaccessible to the "ransomware".
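As an added example (my own illustration, not code from the original post), the following PowerShell script carries out steps 2 and 4 on a single Windows host: it records the current shares, sessions and firewall rules for the responders, removes the C$ and ADMIN$ shares and stops Windows from recreating them, then isolates the host with the built-in firewall. The evidence folder `C:\IR` and the jump-host address `10.0.0.5` are placeholders; it assumes an elevated PowerShell 5.1+ session with the SmbShare and NetSecurity modules.

```powershell
# Added example (not the author's): emergency containment of one Windows host,
# covering steps 2 and 4 of the list above. Assumes an elevated PowerShell 5.1+
# session with the SmbShare and NetSecurity modules (present on Windows 8/2012+).
$IRDir    = 'C:\IR'         # hypothetical evidence folder
$JumpHost = '10.0.0.5'      # placeholder: the responders' jump host
New-Item -ItemType Directory -Path $IRDir -Force | Out-Null
$Log = Join-Path $IRDir ("containment-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))
function Log([string]$Msg) { "$((Get-Date).ToString('o')) $Msg" | Tee-Object -FilePath $Log -Append }

# 1. Record the state before changing anything: the responders need to know what
#    the host looked like and exactly what you altered.
Get-SmbShare   | Export-Csv (Join-Path $IRDir 'shares-before.csv')   -NoTypeInformation
Get-SmbSession | Export-Csv (Join-Path $IRDir 'sessions-before.csv') -NoTypeInformation
Get-NetFirewallRule -Enabled True | Select-Object Name |
    Export-Csv (Join-Path $IRDir 'fw-rules-enabled-before.csv') -NoTypeInformation
Log "Baseline saved to $IRDir"

# 2. Remove the administrative shares (step 2). IPC$ cannot be removed while the
#    Server service is running; blocking inbound SMB in part 3 covers it instead.
foreach ($Share in 'C$', 'ADMIN$') {
    if (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue) {
        Remove-SmbShare -Name $Share -Force
        Log "Removed share $Share"
    }
}
# Stop Windows from recreating the shares at the next service restart or reboot.
$LanMan = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $LanMan -Name AutoShareServer -Value 0 -Type DWord
Set-ItemProperty -Path $LanMan -Name AutoShareWks    -Value 0 -Type DWord
Log 'AutoShareServer/AutoShareWks set to 0'

# 3. Isolate the host (step 4) without powering it off: block everything except
#    the responders' jump host, so memory and live state remain collectable.
Get-NetFirewallRule -Enabled True | Disable-NetFirewallRule -ErrorAction SilentlyContinue
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'IR-jump-in'  -Direction Inbound  -RemoteAddress $JumpHost -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'IR-jump-out' -Direction Outbound -RemoteAddress $JumpHost -Action Allow | Out-Null
Log "Host isolated; only $JumpHost is reachable. Restore rules from fw-rules-enabled-before.csv when released."
```

Unlike cutting the power, firewall isolation keeps the host running, so volatile evidence (memory, active sessions) can still be collected; the CSV files record what to restore once the host is released.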

Now call the "security people" and the computer forensics specialists. This is where the real forensic work begins.

What's next?

After completing steps 1-4, you can start studying the activity of the ransomware operators together with the specialists. How exactly was the malware distributed across the company's network? How did the attackers move through it, and what other actions might they have performed? Do the attackers still have access to your network?

The most important thing here is to remember that responding to a computer incident is not only a story about containment, but also a set of measures to identify and eliminate the consequences as fully as possible.

I note that paying the ransom generally does not guarantee data recovery in any way! Often, after receiving the agreed ransom from the victim, the hackers simply disappear with the money without fulfilling their side of the deal. Sometimes the "ransomware" is written with bugs that make data recovery impossible, and sometimes recovery is simply not provided for at all, which the victim finds out too late.

And, of course, draw a number of practical conclusions in order to rule out "ransomware" attacks in the future, at least by the scheme used in this case.

In other words: "lessons must be learned".