TR-73 - Ransomware FAQ

Ransomware - Definition

Crypto ransomware is a type of malware that - when successfully executed - enumerates all (locally and remotely) accessible files and uses a strong cryptographic algorithm to encrypt the files the malware is configured to process. When the malware implements the cryptographic part correctly, it is practically impossible to decrypt the affected files without possessing the right key. From the victim’s point of view, the content of the files is lost. It can only be recovered by purchasing the key from the criminals or, if available, by restoring the files from a functioning backup which wasn’t accessible during the enumeration and encryption phase. In some cases, attackers may gain full access to the infrastructure and destroy the backups on the backup server, making recovery impossible.

Crypto ransomware attacks are most of the time opportunistic attacks, where an attacker sends the malware itself, or links to the malware, by email to large email lists, similar to spam mails. Inattentive computer users who execute the malware then encrypt all files they have access to.

Previously infected machines are also sometimes resold to other criminals, who have different ways of generating money, for instance through ransomware.

In other cases, targeted attacks are carried out by either addressing specific users of companies with more detailed, disguised information, or by breaking into the infrastructure by exploiting vulnerable systems exposed to the Internet.

Special case: Double Extortion Ransomware

Organisations that become victims of a ransomware attack face more issues than merely losing access to all of their data. Additionally, the attackers may exfiltrate parts, or even comprehensive amounts, of the organisation’s sensitive data. This gives the criminals additional leverage to ask for ransom.

If the ransom is not paid, the attackers will publish the sensitive data publicly. This becomes critical if PII - Personally Identifiable Information - of customers and/or employees is affected.

Prevention

  • Keep all software up to date: Make sure that all software, including the operating system and applications, are kept up to date with the latest patches and updates. This helps to close vulnerabilities that could be exploited by ransomware.
  • Use antivirus software: Install and regularly update antivirus software to detect and block ransomware attacks, but don’t rely on them exclusively.
  • Use strong, unique passwords: Use strong, unique passwords for all accounts and make sure to enable two-factor authentication (2FA) whenever possible.
  • Back up your data: Regularly back your data up to a secure location, such as an external hard drive or a cloud storage service. This will allow you to recover your data should it be encrypted by ransomware.
  • Use caution when opening email attachments or clicking on links: Be wary of opening email attachments or clicking on links from unknown sources, as these are common ways for ransomware to be delivered.
  • Teach your employees and provide appropriate awareness training. The security level of Email and SMS can be compared with the security level of a postcard. Employees must be trained to not trust this media by default, but to instead stay vigilant.
  • Don’t allow execution of email attachments. Filter out and quarantine if necessary.
  • Segregation of duty: This involves separating different tasks and responsibilities among different users or groups of users. For example, an organisation may have one group of users responsible for managing servers and another group responsible for managing user accounts. This can help prevent a single user from having the ability to both initiate and authorise the actions a ransomware attack relies on.
  • Network segmentation: Network segmentation involves dividing a network into smaller, isolated segments or subnetworks. This can help to limit the spread of ransomware within a network, as it can only move between segments with the help of a user or through a weakness in the network.

By implementing these measures, organisations can better protect themselves against ransomware attacks and reduce the risk of a successful attack. It is important to note, however, that no single measure is foolproof and a combination of measures is typically the most effective approach.

It’s best not to become a victim of a ransomware attack in the first place. The best protection is an offline backup that is not connected when the ransomware attack is executed. Critical business-related data can be copied to offline devices such as hard drives or USB disks. These offline backups can complement existing backup systems.

Incident preparedness

Prepare out-of-band communication channels. In case of ransomware, your email and phone infrastructure can be disrupted. Maintain printouts of critical mobile phone numbers (of IT suppliers, support teams, etc.). If you run your own IT department, take care to implement IT security best practices.

If your IT is outsourced, we recommend assessing your ICT supplier and choosing a reliable one. CIRCL TR-69 - How to choose an ICT supplier from a security perspective is a good starting point.

After a successful breach

Identify the ransomware

It is important to identify the ransomware. Decryptors may already be available.

  • Analyse the ransom note
  • Collect some encrypted files
  • If possible, collect the corresponding original files

To help you identify the kind of ransomware used, the NoMoreRansom tool Crypto Sheriff can be of help to you.
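Collecting encrypted files first requires telling them apart from intact ones. The following triage script is an added example, not a CIRCL tool: it scores files by byte entropy (ciphertext from a correctly implemented cipher is close to 8 bits per byte) and tallies the extensions of the high-entropy files, which usually exposes the extension the ransomware appended. The file names and contents are constructed for the example; a real run would read files from a copy of the affected share. Note the caveat in the comments: already-compressed formats (docx, zip, jpeg) also score high, so the list is a candidate list to confirm against an original where one exists.

```python
import hashlib
import json
import math
from collections import Counter
from pathlib import PurePosixPath


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample file set (hypothetical names and contents, not from the original
# document): one clear-text "document", two files with an appended extension and
# ciphertext-like content, and a ransom note.
SAMPLE_FILES = {
    "finance/q1-report.docx": b"Quarterly report. Revenue grew by 4 percent. " * 80,
    "finance/q1-report.docx.locked": _pseudo_random(4096),
    "finance/budget.xlsx.locked": _pseudo_random(4096),
    "finance/HOW_TO_RECOVER.txt": b"Your files are encrypted. Contact us to restore them. " * 10,
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for a flat byte histogram."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(files: dict, threshold: float = 7.5) -> dict:
    """Return suspected encrypted files and the extension tally among them.

    Caveat: compressed containers (docx/xlsx are zip files, as are jpeg and archives)
    already sit near the threshold, so a hit is a candidate, not proof. Comparing a
    candidate with its original (when available) settles it.
    """
    suspected = [name for name, data in files.items() if shannon_entropy(data) >= threshold]
    ext_counts = Counter(PurePosixPath(name).suffix for name in suspected)
    return {
        "suspected_encrypted": sorted(suspected),
        "extension_counts": dict(ext_counts),
        # The extension most common among high-entropy files is the one to look up.
        "likely_ransomware_extension": ext_counts.most_common(1)[0][0] if ext_counts else None,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FILES), indent=2))
```

The resulting extension and two or three of the suspected files, together with the ransom note, are exactly the inputs Crypto Sheriff asks for.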

Identify the root cause and potentially the entry point

It is key to identify the root cause of the incident. Most common attack vectors are:

  • Unpatched publicly accessible server software (e.g. Vulnerable Microsoft Exchange or vulnerable VPN gateways)
  • Email with a password protected office document
  • Email with an external link
  • Publicly accessible remote access service (Remote Desktop)

Lock out the attacker

The attacker may still have access to your network and can interfere with your communication. At this point, you cannot trust your infrastructure anymore.

  • Use out-of-band communication such as publicly available communication channels (Gmail, Hotmail, …) on trusted devices outside the scope of the ransomware attack.
  • Set up a clean new infrastructure from scratch in parallel.
  • After the setup is completed, switch to the new infrastructure in one shot if possible.

How to proceed

After the initial compromise, the attackers escalate their privileges. They use automated tools to quickly gather domain admin privileges. With these rights they have access to all the systems and all the data.

After successful data exfiltration the criminals start to destroy data that users do not see day to day. They first try to access and destroy the backups which are stored on the network.

They delete the Volume Shadow Copies of the NTFS partitions and encrypt all the data which still resides in the recycle bin. Only afterwards do they start encrypting the other data reachable by the users.

This means that if users detect the attack, it is almost always too late. Sensitive data has already been exfiltrated and most of the data has already been destroyed.
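Because shadow copy deletion happens before the user-visible encryption, it is one of the few events that still gives defenders a head start. The detection below is an added example written for this FAQ, not a CIRCL tool: it runs over constructed process-creation records (hypothetical hosts, users and timestamps, normalised the way a SIEM might present Windows Security 4688 or Sysmon event 1 data) and flags command lines that remove Volume Shadow Copies, returning the hosts that should be disconnected from the network first.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample records (not from the original document).
SAMPLE_LOG = [
    '2023-03-01T10:14:03Z host=FS01 user=CORP\\svc-backup cmd="C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"',
    '2023-03-01T10:14:05Z host=FS01 user=CORP\\svc-backup cmd="wmic.exe shadowcopy delete"',
    '2023-03-01T10:15:00Z host=WS07 user=CORP\\alice cmd="C:\\Program Files\\Microsoft Office\\WINWORD.EXE /n report.docx"',
    '2023-03-01T10:16:22Z host=FS01 user=CORP\\bob cmd="vssadmin.exe list shadows"',
]

# Hypothetical normalised record layout: timestamp, host, user, quoted command line.
LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

# Command lines that remove Volume Shadow Copies. Listing or creating shadows is
# routine; deleting them is rare enough in normal operation that every hit is
# worth a look, whichever account (including backup service accounts) issued it.
RULES = {
    "vssadmin-delete-shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic-shadowcopy-delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
}


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command: str


def parse_line(line: str) -> Optional[dict]:
    """Split one record into its fields; None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_shadow_copy_deletion(lines: List[str]) -> List[Alert]:
    """Return one alert per record whose command line matches a deletion rule."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES.items():
            if pattern.search(rec["cmd"]):
                alerts.append(Alert(rec["ts"], rec["host"], rec["user"], name, rec["cmd"]))
                break  # one alert per record is enough
    return alerts


def hosts_to_isolate(alerts: List[Alert]) -> Set[str]:
    """Hosts on which shadow copies were deleted: disconnect these first."""
    return {a.host for a in alerts}


if __name__ == "__main__":
    found = detect_shadow_copy_deletion(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] {a.command}")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

Feeding this rule into an alerting pipeline only helps if someone is paged on it outside office hours; the whole sequence from privilege escalation to encryption often completes within a single night.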

But at least there is a small chance that the attackers overlooked one system or another in some corner of the corporate network. Therefore, it is good advice to disconnect the systems from the network.

It is advised to perform a forensic investigation on the systems. The goal is to find the answer to the questions listed above, such as ‘What was the root cause?’. For a successful forensic analysis a memory dump and a disk image are the essential sources of evidence.

The memory dump has to be taken before the shutdown of the system. After the shutdown of the system, important information is lost. Later on, following the memory dump and the shutdown of the system, comes the point to perform a disk acquisition by creating a disk image. Here you can find details about how to proceed: CIRCL TR-22 - Recommendations for Readiness to Handle Computer Security Incidents.

Facing an attack like this is a stressful situation for all parties involved. This is not the point in time to start searching for tools and learning how to use them. It is best to prepare some USB devices in advance and to document and practise how to use them. This article is intended to help you be prepared: CIRCL TR-30 - Acquisition Support Tools for Local Incident Response Teams (LIRT).
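Whatever acquisition tool ends up on those USB devices, the memory dump and disk image are only usable as evidence if their integrity can be shown later. The script below is an added example, not part of TR-22 or TR-30 and not a CIRCL tool: it hashes an image in chunks (so a multi-gigabyte file never has to fit in memory), writes a small manifest with the digests, the case reference and who took the image, and re-verifies the image against that manifest. The manifest layout, the case identifier and the image file are hypothetical; the "image" in the demo is constructed random data.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Tuple

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB pieces so large images are never fully loaded


def hash_file(path: Path) -> dict:
    """Size and SHA-256/MD5 digests of a file, computed in one streaming pass."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            sha256.update(chunk)
            md5.update(chunk)
            size += len(chunk)
    return {"size": size, "sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def write_manifest(image: Path, case_id: str, examiner: str, note: str) -> Path:
    """Record digests plus who/when/what beside the image (hypothetical manifest format)."""
    entry = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "image": image.name,
        "note": note,
        **hash_file(image),
    }
    manifest = image.with_suffix(image.suffix + ".manifest.json")
    manifest.write_text(json.dumps(entry, indent=2))
    return manifest


def verify_manifest(manifest: Path) -> bool:
    """Re-hash the image named in the manifest and compare with the recorded values."""
    entry = json.loads(manifest.read_text())
    current = hash_file(manifest.parent / entry["image"])
    return all(current[k] == entry[k] for k in ("size", "sha256", "md5"))


def hash_known_vector() -> str:
    """SHA-256 of the bytes 'abc' written to a temp file, to sanity-check hash_file."""
    with tempfile.TemporaryDirectory() as tmp:
        p = Path(tmp) / "abc.bin"
        p.write_bytes(b"abc")
        return hash_file(p)["sha256"]


def demo() -> Tuple[bool, bool]:
    """Write a constructed 'memory image', verify it, then show a one-byte change is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "ws07-memory.raw"          # hypothetical file name
        image.write_bytes(os.urandom(3 * CHUNK_SIZE + 17))  # constructed, not a real dump
        manifest = write_manifest(image, "CASE-PLACEHOLDER", "examiner-placeholder",
                                  "memory dump taken before shutdown")
        intact = verify_manifest(manifest)
        with open(image, "r+b") as fh:                 # flip one byte somewhere in the middle
            fh.seek(CHUNK_SIZE + 5)
            b = fh.read(1)
            fh.seek(CHUNK_SIZE + 5)
            fh.write(bytes([b[0] ^ 0xFF]))
        return intact, verify_manifest(manifest)


if __name__ == "__main__":
    print("known vector ok:", hash_known_vector().startswith("ba7816bf"))
    print("intact, after tampering:", demo())
```

Keep the manifest (or at least the SHA-256) on paper or on a separate medium as well; if it only lives next to the image it proves little.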

Legal and Communication Aspects

  • Contact your compliance team to find out which regulators you have to contact and within which deadlines. Commonly used regulators in Luxembourg are: CNPD, ILR, CSSF, HCPN
  • If you faced a ransomware attack, your data is likely breached. In case you operate a business you have to notify CNPD by filling the data breach notification form.
  • Prepare your communication about the incident and prepare in advance a press release or communication template to be used with media requests.

How CIRCL can help

What CIRCL can do to help you and others

NoMoreRansom is an initiative launched in 2016 by Europol and partners. CIRCL is a partner and supports this initiative.

In addition, CIRCL is collecting threat intelligence on the different threat actors actively doing ransomware. Sharing with CIRCL evidence such as malware found, encrypted files, ransom notes or even details about the techniques used helps us to improve our ransomware group overview, which is used in MISP and many other threat intelligence platforms.

CIRCL can also help victims with various recommendations in case of a ransomware attack.

What CIRCL can not do

There is little chance that CIRCL can help with decrypting the data. This is only possible in cases where the decryption key is known or a weakness in the implemented algorithm is known. Nevertheless we advise keeping a backup of the disks, since a key or weakness may be discovered in the future.

About this document

CIRCL was approached by CNPD to compile input for a Ransomware FAQ. This document is the source for CNPD’s ransomware FAQ (in French).

Other references

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.1 - TLP:CLEAR - Minor Fixes - 9th March 2023
  • Version 1.0 - TLP:CLEAR - First version - 2nd March 2023