What should we do if we become victims of ransomware?
1. What is ransomware and what impact does it have?
In this article, we will explore how to proceed in the event that our systems have been compromised by ransomware, something that has become quite common in recent times.
Ransomware is defined as a type of malicious program (malware) that encrypts the computer data of infected machines and demands a ransom payment, usually in cryptocurrencies (Bitcoin, Monero, etc.), in exchange for removing this restriction and restoring data access to the victim.
A ransomware attack can result in significant financial losses for companies. If they don’t have recovery plans in place to resume business operations, they can remain paralyzed for several weeks or even months until they manage to restore their pre-attack state, if they can recover it at all. This is in addition to the costs incurred by hiring external services such as digital forensic analysis to clarify what happened and determine the security breach, as well as potential fines from the Spanish Data Protection Agency.
Regarding the payment demanded by cybercriminals, you can read the following articles that compile various aspects concerning the legality and implications of making the payment:
To conclude this section, it’s worth noting that after a cyberattack, 60% of small and medium-sized businesses shut down within six months.
2. What does a ransomware attack look like?
The typical sequence of a ransomware attack is as follows:
- The victim system gets infected. Common ways this happens are:
  - An intrusion through the exploitation of the Remote Desktop Protocol (RDP), after which the cybercriminal infects the victim system with ransomware. This is due to inadequate security configuration of the exposed service.
  - A session left active and unlocked because the user has walked away, which an insider uses to install ransomware with a BadUSB device. This is a result of a lack of cybersecurity awareness.
  - The victim connects a USB drive to their computer that contains ransomware (or other malware), one they stumbled upon “by chance” or received in the mail as a gift in a beautifully laminated magazine about their favorite hobbies, which they post about daily on their social media. This is a result of a lack of cybersecurity awareness.
  - The victim installs pirated software. This can result from various issues, including a lack of awareness and proper security policies.
- Encryption and Propagation: Once the ransomware is executed on the victim system, it attempts to encrypt all files on the computer, and subsequently (or simultaneously) tries to spread to other interconnected systems. In this way, the ransomware can potentially compromise an entire business organization by performing lateral movements (pivoting) and vertical movements (escalating privileges).
- Ransom Demand: Once the ransomware has completed the process of encrypting files on all the computers it managed to infect, it will leave a visible message requesting a ransom payment, usually in cryptocurrencies that are difficult for authorities to trace (Bitcoin, Monero, etc.).
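The encryption phase described above has a recognisable shape on the wire and on disk: one host rewriting many files within seconds, most of them gaining the same new extension, with content that no longer looks like documents. The following detector is an added example (not code from the original article) that scores a stream of file-write events by exactly those three signals; the thresholds, the host names and the sample events are constructed assumptions, and it generalises slightly beyond the text by using byte entropy to judge whether written content looks encrypted.

```python
"""Early-warning heuristic for ransomware mass encryption in progress.

Added example, not code from the original article. It scores a stream of
file-write/rename events for the pattern the article describes: many files
on one host changed within a short window, most of them gaining the same
new extension, with written content that looks encrypted (high entropy).
Thresholds and the sample events are constructed assumptions.
"""
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float      # event time, seconds
    host: str      # host that performed the write
    path: str      # file path after the operation
    new_ext: str   # extension after the operation, e.g. ".locked"
    sample: bytes  # first bytes of the written content


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text is usually below 6, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_bursts(events, window=60.0, min_files=20, share=0.8, entropy_floor=7.0):
    """Return one alert per host whose activity looks like mass encryption."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)
    alerts = []
    for host, evs in by_host.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_files:
                continue
            ext, ext_count = Counter(e.new_ext for e in win).most_common(1)[0]
            encrypted = sum(shannon_entropy(e.sample) >= entropy_floor for e in win)
            if ext_count / len(win) >= share and encrypted / len(win) >= share:
                alerts.append({"host": host, "extension": ext, "files": len(win),
                               "first_ts": win[0].ts, "last_ts": win[-1].ts})
                break  # one alert is enough to trigger isolation of the host
    return alerts


def sample_events():
    """Constructed data: one host under attack, one doing normal office work."""
    rng = random.Random(7)
    events = []
    for i in range(30):  # ws-17: 30 files in 30 seconds rewritten as ciphertext-like bytes
        body = bytes(rng.getrandbits(8) for _ in range(1024))
        events.append(FileEvent(1000.0 + i, "ws-17", f"share/finance/q{i}.xlsx.locked",
                                ".locked", body))
    for i in range(25):  # ws-03: a plain-text document saved every 30 seconds
        body = f"Quarterly report draft {i}, see attached figures.\n".encode() * 20
        events.append(FileEvent(1000.0 + 30 * i, "ws-03", f"home/ana/report{i}.docx",
                                ".docx", body))
    return events


if __name__ == "__main__":
    for alert in detect_bursts(sample_events()):
        print("ISOLATE", alert)
```

An alert from `detect_bursts` is the trigger for the isolation step described in the next section: the host named in it is pulled off the network first, while the event timestamps give the forensic team the start of the encryption window.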
3. How to proceed in the event of a ransomware attack?
Based on the timing of discovering the attack, we can differentiate different types of procedures to follow:
1. In the event that the attack is detected as it’s happening, it’s advised to:
- Disconnect all computers on the same network segment from the internet or power them off as quickly as possible. This will prevent potential exfiltration of sensitive information to an external server controlled by cybercriminals and also halt the ransomware from completing its encryption and lateral movement within the organization’s systems.
Disconnecting the machines is a necessary measure, but the affected parties should assess whether they can afford it based on the potential impact it might have on their business.
Advantages and disadvantages:
- The advantages of taking these actions are that, by booting up the machines in safe mode afterwards, we might gather sufficient evidence to determine the source of the attack, and we won’t have to interrupt the business’s operations.
- The disadvantages of taking these actions could involve losing potential evidence, such as the contents of RAM, since shutting down the computer clears it.
Normally, ransomware does not encrypt the operating system’s own files, so logging back into the machine is almost always possible. This is because cybercriminals, having put in the effort to infect and exploit the system, ultimately want to receive the ransom payment.
2. In the event of having suffered the attack and finding all files already encrypted along with the ransom message to access them, it is advised to:
- Isolate the affected computers by disconnecting them from all networks they were connected to (Internet and intranet). Keep them powered on to retain data in RAM and other resources that could assist forensic analysts in determining the point of entry for the infection. Similarly, if any remnants of the ransomware remain, forensic analysts can use reverse engineering and network analysis to determine if there has been data exfiltration and where that information was sent. This is vital for tracing cybercriminals, as well as creating indicators of compromise (IoC), among other things.
In the event that the servers storing backup copies are connected to the same network, they should be the first to be disconnected to prevent the ransomware from spreading and potentially encrypting them.
Once the previous steps have been followed to control the infection, it’s advisable to seek the assistance of professionals in order to:
- Perform a Digital Forensic Analysis (DFA).
- Provide guidance and support regarding the procedures for reporting to the authorities.
- Initiate the recovery of encrypted files if it’s feasible.
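The ransom note and any remaining ransomware binary are the first artifacts a forensic team turns into indicators of compromise (IoC) that can be shared with the authorities and loaded into the organisation’s own detection tooling. The script below is an added example, not code from the original article or from any forensic vendor: it hashes a suspicious artifact and pulls contact and payment indicators out of a note. The regular expressions for .onion hosts, e-mail addresses and Bitcoin/Monero-style wallet strings are heuristic assumptions, and the note and the "binary" are constructed; in a real case every value would come from the affected systems.

```python
"""Turn a ransom note and a suspicious binary into indicators of compromise.

Added example, not code from the original article. The patterns for .onion
hosts, contact e-mail addresses and Bitcoin/Monero-style wallet strings are
heuristic assumptions; the note and "binary" below are constructed.
"""
import hashlib
import json
import re

ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Legacy/P2SH (1... or 3...) base58 or bech32 (bc1...) Bitcoin addresses, loosely matched.
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# Standard Monero addresses start with 4 and are 95 base58 characters long.
XMR_RE = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")


def extract_note_iocs(note: str) -> dict:
    """Pull network and payment indicators out of the ransom note text."""
    return {
        "onion_hosts": sorted({m.lower() for m in ONION_RE.findall(note)}),
        "emails": sorted(set(EMAIL_RE.findall(note))),
        "btc_addresses": sorted(set(BTC_RE.findall(note))),
        "xmr_addresses": sorted(set(XMR_RE.findall(note))),
    }


def hash_artifact(data: bytes) -> dict:
    """Hashes in the forms threat-intel feeds and EDR blocklists usually accept."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def build_ioc_report(note: str, artifact_name: str, artifact: bytes) -> dict:
    """Combine note indicators and artifact hashes into one shareable record."""
    return {"artifact": artifact_name, "hashes": hash_artifact(artifact), **extract_note_iocs(note)}


# Constructed sample note and artifact; none of these values are real.
XMR_SAMPLE = "4" + "Ab1" * 31 + "c"
SAMPLE_NOTE = f"""ALL YOUR FILES HAVE BEEN ENCRYPTED!
Contact: support-decrypt@example.test
Portal (Tor): http://exampleonionaddr.onion/pay
Pay 0.5 BTC to 1ABCDEFGHJKMNPQRSTUVWXYZabcdefghjk
or XMR to {XMR_SAMPLE}
"""
SAMPLE_ARTIFACT = b"MZ\x90\x00 constructed placeholder, not a real executable"

if __name__ == "__main__":
    report = build_ioc_report(SAMPLE_NOTE, "readme_decrypt.exe", SAMPLE_ARTIFACT)
    print(json.dumps(report, indent=2))
```

The output record is deliberately flat JSON so it can be attached to a police report or to the data-protection notification, and the hashes can be pushed straight to endpoint blocklists so that the same binary cannot run again on a rebuilt machine.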
4. Reporting, Disaster Recovery, Data Recovery, Implementation of Security Policies, and Awareness Training
Once the previous steps have been taken, several additional actions are recommended to be carried out. These actions have been ordered based on their urgency, with the most urgent ones listed first and the least urgent ones listed last:
- Firstly, change the passwords of the affected online services. Until the causes of the attack are discovered, the passwords should be considered compromised.
- Perform a Digital Forensic Analysis (DFA) of the affected computer systems to determine the origin and extent of the security breach. If sufficient information is obtained, it can help clarify the infection source, identify potential preventive measures, determine whether sensitive information was exfiltrated that cybercriminals might sell or use for extortion, among other insights.
- Concurrently with the analysis or upon its completion (always within the stipulated incident reporting deadlines), report the incident to the National Police, Civil Guard, and the Spanish Data Protection Agency (AEPD) as appropriate. Each of these entities will guide the affected parties on the legal steps they should take.
- Simultaneously, execute disaster recovery plans as necessary and use backup copies, if available, to attempt to restore systems and operations.
- If there is no other option due to lack of sufficiently recent backup copies, you could attempt to recover the encrypted data. The feasibility of this action is largely determined by the type of malware, and recovery is not possible in many cases.
- In the longer term, implement or review security policies to mitigate potential attack vectors, such as the one experienced with the ransomware infection.
- It’s recommended to conduct a security audit such as a Pentest, also known as penetration testing or ethical hacking, to verify the organization’s security. In case vulnerabilities are identified, they can be patched in a timely manner to prevent incidents.
- Lastly, it’s advised to enhance cybersecurity awareness among employees so they understand the common risks and threats employed by cybercriminal groups.
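Restoring from backups only helps if the copies themselves survived the attack; the section above notes that backup servers on the same network are a prime target. The following check is an added example, not code from the original article or from any backup product: it compares a backup set against the hash manifest recorded when the backup was taken and refuses to treat it as a recovery source if anything recorded is missing or altered. The manifest layout (JSON mapping relative path to SHA-256) and the in-memory file tree standing in for a backup directory are constructed for the example.

```python
"""Check a backup set against its manifest before restoring from it.

Added example, not code from the original article. Ransomware that reaches
a backup server can encrypt or delete the copies, so restoration should
start by comparing every file with the hashes recorded at backup time. The
manifest layout and the in-memory file tree are constructed assumptions.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """Record a hash per file at backup time (keep it off-line or on write-once media)."""
    return json.dumps({path: sha256_hex(body) for path, body in sorted(files.items())}, indent=2)


def verify_backup(manifest_json: str, files: dict) -> dict:
    """Classify every path as intact, modified, missing or unexpected."""
    expected = json.loads(manifest_json)
    report = {"intact": [], "modified": [], "missing": [], "unexpected": []}
    for path, digest in expected.items():
        if path not in files:
            report["missing"].append(path)
        elif sha256_hex(files[path]) == digest:
            report["intact"].append(path)
        else:
            report["modified"].append(path)
    report["unexpected"] = sorted(p for p in files if p not in expected)
    return report


def safe_to_restore(report: dict) -> bool:
    """Only a backup with every recorded file intact is used as the recovery source."""
    return not report["modified"] and not report["missing"]


# Constructed backup set as taken before the incident.
CLEAN_BACKUP = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget', 3);\n",
    "docs/notes.txt": b"Change freeze during quarter close.\n",
    "hr/payroll.csv": b"id,name,amount\n1,Ana,2500\n",
}
MANIFEST = build_manifest(CLEAN_BACKUP)


def tampered_backup() -> dict:
    """The same set after ransomware reached the backup share (constructed)."""
    files = dict(CLEAN_BACKUP)
    files["db/orders.sql"] = bytes(range(44))                     # overwritten in place
    del files["hr/payroll.csv"]
    files["hr/payroll.csv.locked"] = b"\x00\xff" * 16             # renamed and encrypted
    files["README_DECRYPT.txt"] = b"Your backups are encrypted"   # dropped ransom note
    return files


if __name__ == "__main__":
    for label, files in (("clean", CLEAN_BACKUP), ("tampered", tampered_backup())):
        report = verify_backup(MANIFEST, files)
        verdict = "restore OK" if safe_to_restore(report) else "DO NOT RESTORE"
        print(label, verdict, json.dumps(report))
```

The manifest is only as trustworthy as its storage: if it sits on the same share as the backups, an attacker who can rewrite the files can rewrite it too, which is why the comment above suggests keeping it off-line or on write-once media.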
5. Conclusions and Recommendations
In this article, we’ve explored a recommended approach on how to proceed after falling victim to a ransomware attack, depending on the stage of the attack.
The most common ways of experiencing a ransomware attack are through social engineering, installation of pirated software, outdated systems, and poor configurations of exposed services. This underscores the importance of continuous cybersecurity awareness and training, as users are often the weakest links in the chain.
The most effective way to mitigate a ransomware attack (aside from keeping everything updated) is to have strong security and disaster recovery policies, as well as robust cybersecurity awareness training.
If you’ve been a victim of ransomware, need a forensic analysis of your systems, require assistance with administrative procedures, or are interested in assessing the security of your assets through ethical hacking or a Red Team Operation, or if you’re considering implementing robust security policies, don’t hesitate to contact us.
This article provides general recommendations and steps to take in the event of a ransomware attack. JAYMON SECURITY S.L. does not accept any responsibility for any issues or problems that may arise from implementing these practices. It is the reader’s responsibility to carefully consider and apply these recommendations at their own discretion. The information provided should not be considered as legal, professional, or exhaustive advice. For specific guidance and assistance, it is recommended to consult with qualified professionals.