How to respond to a ransomware infection
Technical Articles ID: KB89805
Last Modified: 2023-02-06 19:49:48 Etc/GMT
Environment
Endpoint Security (ENS) Threat Prevention 10.x
Summary
This article provides general guidance to first responders during a ransomware outbreak.
Ransomware is malware that uses asymmetric encryption to hold a victim's data for ransom. Asymmetric (public-private) encryption is cryptography that uses a pair of keys to encrypt and decrypt a file. The attacker generates a unique public-private key pair for the victim and keeps the private key needed to decrypt the files on the attacker's server. The compromised user has to pay a ransom to get the private key that decrypts the files.
Currently, many different variations of ransomware exist. Typically, ransomware and other malware are distributed using spam campaigns, phishing emails, or targeted attacks. Our security products use several technologies that help prevent ransomware.
Perform the steps below to respond to a ransomware outbreak in your environment:
- Identify and isolate the affected systems.
Isolating the affected systems helps prevent the threat from spreading. Not all threats or ransomware variants spread in this way.
- Apply updates for vulnerabilities and ensure environmental compliance:
  - Apply any vendor or operating system updates on all systems. This action is critical to mitigate the vulnerability that the malware is exploiting. Leaving even one system unpatched leaves a hole in your environment that the malware can take advantage of.
  - Make sure that the environment is compliant with the existing security policy. Not all ransomware variants exploit application or operating system vulnerabilities.
- Apply the related ENS rules to the online systems for all known ransomware behavior. See the related articles for details.
- Confirm that the recommended best practices are in place. See the related articles for details.
- Apply, test, and deploy the related Extra.DAT (if available).
An Extra.DAT is a temporary detection file that is provided to detect and remove threats that haven't yet been added to the regular DAT files. If Trellix Advanced Research Center provided an Extra.DAT, the best practice is to apply and test it locally on an infected system. After you've properly tested the Extra.DAT, apply it and run a full system on-demand scan (ODS).
- Run a full ODS on all systems.
- Confirm control of the environment.
Check for threats detected in the last 24 hours. For more information, see the related articles.
- Place the isolated systems back online once they’re confirmed clean.
After the isolated systems have been confirmed clean, we recommend that you place them back online in small groups, and closely monitor their behavior afterward.
- Restore the affected files from a backup.
When all systems are clean and back on the network, restore the affected application files from a known good backup source or Windows Shadow Volume.
- Perform incident response and proactive measures.
Blocking file types at the gateway is the best and easiest line of defense (see the file types listed below). Ransomware, downloaders, and JS/Nemucod all masquerade as one another. Generally speaking, downloaders arrive in spam or phishing emails as DOC or XLS, and less often as JS. JS/Nemucod arrives in spam or phishing emails as JS. Ransomware arrives as JS, EXE, TMP, SCR, and WSF. Most installers drop an EXE in the user profile directory. It's easier to protect against ransomware if you also protect against its installers and droppers.
For downloaders and Nemucod (trojan), create firewall rules to prevent Microsoft Word, Microsoft Excel, scripts, and PowerShell from making outbound calls. You also need to create appropriate allow lists based on legitimate traffic generated by these applications.
For example, if an organization uses Office 365, see the Microsoft document Office 365 URLs and IP address ranges. It lists the endpoints (fully qualified domain names, ports, URLs, IPv4 address ranges, and IPv6 address ranges) to include in your outbound allow lists so that your computers can still use Office 365.
It’s also recommended to block archive files, if not against company policies. Examples of archive files are ZIP, RAR, TAR, and JAR.
- Consider implementing more recommendations:
  - Implement security awareness and training:
    - Simulate a phishing/spam campaign to raise security awareness among the users who fall for social engineering attacks.
    - Remind your users to think twice before clicking any links sent through email.
    - Instruct users not to open unknown or unsolicited file attachments unless they requested them from the sender. View the email header or send a separate email to validate the sender before opening attachments.
    - Report suspicious email to the organization's Security Operations Center. Remind your users of how and where to submit suspicious email safely.
  - Disable macros in Microsoft Office applications. Macros can run in Office applications if either action below is performed:
    - Select the option Enable all macros under Macro Settings.
    - Manually enable a macro.
    NOTE: Macros are disabled by default. We recommend that you select the Disable all macros with notification option under Macro Settings.
  - Users must back up business data to the organization's shared folders. Data residing on user devices might be permanently lost during a ransomware infection.
  - Block .EXE, .RAR, .SCR, .CAB, .VBS, .BAT, .WSF, .JS, and similar attachments at the mail and web gateway.
  - Prevent PowerShell from running on systems where it isn't intended to run.
  - Make sure that there are no allow list policies that exempt .doc, .docx, .xls, .xlsx, or .js attachments from antispam or antivirus scanning.
  - Install the SiteAdvisor Enterprise browser plug-in to detect spam attachments and block access to malicious domains.
  - Use mail and web gateway products that identify malicious links and block emails with links or attachments.
  - Enable spam filtering.
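As an added example (not code from this article or from Trellix), the gateway attachment policy described in the file-type discussion and in the recommendations list above, written in Python: it applies the listed attachment block list, also catching double extensions such as invoice.pdf.js and upper-case names, looks inside ZIP attachments (including nested ones) for blocked types, treats an archive it cannot open as a hit, and never exempts Office documents from antivirus scanning. The function names, the depth limit, and the sample ZIP are constructed for this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Attachment extensions the article lists for blocking at the mail and web gateway.
BLOCKED = {".exe", ".rar", ".scr", ".cab", ".vbs", ".bat", ".wsf", ".js"}
ARCHIVES = {".zip", ".rar", ".tar", ".jar"}  # archive types the article suggests blocking
MAX_DEPTH = 3  # assumed limit: stop descending into nested ZIPs beyond this depth
def suffixes(name):
    """All extensions of a name, lowercased: 'invoice.pdf.js' -> ['.pdf', '.js']."""
    return [s.lower() for s in PurePosixPath(name).suffixes]
def is_blocked_name(name):
    """True if any extension, not only the last one, is on the block list."""
    return any(s in BLOCKED for s in suffixes(name))
def zip_hits(data, depth=0):
    """Member paths in a ZIP (recursing into nested ZIPs) that match the block list."""
    if depth >= MAX_DEPTH:
        return ["<nested too deep>"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            hits = []
            for info in zf.infolist():
                if is_blocked_name(info.filename):
                    hits.append(info.filename)
                elif info.filename.lower().endswith(".zip"):
                    hits += [f"{info.filename}/{h}" for h in zip_hits(zf.read(info), depth + 1)]
            return hits
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]  # an archive the gateway cannot open counts as a hit
def evaluate_attachment(name, data, block_all_archives=False):
    """Return ('block', reason) or ('scan', reason); nothing is exempted from AV scanning."""
    if is_blocked_name(name):
        return "block", f"extension on block list: {name}"
    last = (suffixes(name) or [""])[-1]
    if last in ARCHIVES and block_all_archives:
        return "block", f"archive type {last} blocked by policy"
    if last == ".zip":
        hits = zip_hits(data)
        if hits:
            return "block", "archive contains " + ", ".join(hits)
    return "scan", f"no block rule matched {name}; still send to antivirus, Office files included"
def build_zip(members):
    """Build a ZIP in memory from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()
# Constructed sample: a double-extension script plus a nested ZIP carrying an EXE.
SAMPLE_ZIP = build_zip({"invoice.pdf.js": b"//", "inner.zip": build_zip({"setup.exe": b"MZ"})})
```

Set block_all_archives=True to enforce the stricter archive policy the article mentions; otherwise ZIPs are opened and judged by their contents.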