Canadian Centre for Cyber Security updated their How to prevent and recover from Ransomware document back in September 2021. As someone who deals with ransomware cases nearly every day I thought I would share a few of my thoughts on its contents.
Overall, its a really solid document that organizations should action upon before and not after they are impacted by ransomware.
How do I recover from an Attack section though is where I see some issues. For starters, it doesn’t recommend engaging with an Incident Response firm to help with eradication of the threat. The IR team will also be able to provide answers into the What and How of what happened that lead to the attack. Without those answers, how can you be sure the threat is neutralized?
I understand that not all companies will be able to afford an IR investigation, especially if they don’t have cyber insurance, but it is at least worth mentioning as the preferred option. An uninformed person reading the document might just assume the DIY appoarch is the best way to recover from a ransomware attack. Unless you have a mature Incident Response plan, with your own in-house security and/or IR team, it most isn’t.
Section Step #1, of the How to Recover section, is to Isolate the device immediately, by taking the device offline.
This is not wrong, but it could destory some evidence - specifically what is running in memory. A better approach is to disconnect the network so stop spread to other systems in the network. There could be exceptions to this, for example if it is a file server that is activty being encrypted, it might make sense to shut it down to kill the malicious process. In this case, you don’t want to hit the shutdown button, on the contrary, the best thing you can do is just yank the power cord. This stops Windows from cleaning up various artifacts during shutdown that can be used for forensic analysis.
For Step #2, a word of caution. Never upload a ransom notes or ranomware binaries to sites like VirusTotal or other sandboxes you don’t control. Uploaded files will be accessible by others, who may have ill intent, and depending on the ransomware varient the files may provide access to your private communication channel with the ransomware operater. If you had planned on paying the ransomware to get encrypted files back, your negotiations may no longer be private - potentially leading to a PR nightmare - as if being hit by ransomware wasn’t bad enough.
Step #3 is a good one. If you are really lucky a security researcher, like Fabian Wosar from Emsisoft, may have discovered a flaw in the ransomware and developed a decryptor. Unfortunately, once the decrytpor has been made public, the ransomware operator fixes it pretty quickly. Attempts to keep these flaws a secret from the ransomware operators thus far have not been successful. Companies that benefit from these free decryptors have a hard time keeping it to themselves…
Steps #4 and #5 should only be undertaken once you’ve completed your IR investigation or you’ve decided that you will not be conducting one. A major frustration for incident responders is to come into a situation only to find out one or more key systems have been wiped and restored already.
Last comment, on the
Risks of Paying the Ransom. They mention that some threat actors use a fake ransomware called a wiper malware. I haven’t seen this personally, but this is one reason why you must always confirm “Proof of Life.” That means verifying the files are actually encrypted and its not just that the extension was changed, then confirm the threat actor you are negotiation with can decrypt several obscure files from your impacted network.