Ransomware Incident Response and Forensics
Generally it’s a good idea to switch off or hibernate the infected system, in case you are lucky enough that it hasn’t finished encrypting the files on disk. If it’s a Virtual Machine, take a snapshot.
Many ransomware variants encrypt network shares, or spread within networks.
If you choose not to turn the system off, or are unable to, isolate the host from the network. You can do this remotely, or simply disconnect it from the network if you have physical access to the machine.
We’ve built a platform to automate incident response and forensics in AWS — you can deploy it from the AWS Marketplace here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.
What kind of ransomware are you dealing with?
It’s important to quickly identify if you are dealing with common opportunistic ransomware - or something more targeted.
Most ransomware is deployed through malicious emails or exploit kits. These normally don’t provide the attacker with interactive access to your network.
Increasingly though opportunistic ransomware includes worm-like functionalities to spread quickly through networks.
Some ransomware, such as SamSam and LockCrypt, is deployed manually by an attacker as part of a classic intrusion. The attacker will likely spread to multiple systems, and maintain access until they are removed.
You can identify what ransomware you are dealing with by:
- Searching for the text of the ransomware note on a search engine, or uploading it to ID Ransomware;
- Identifying the ransomware executable responsible; and
- Identifying the initial infection vector
Identifying Ransomware Notes
Ransomware notes are normally easy to find, as the ransomware author wants you to find them.
But you can double-check by running keyword searches or Yara rules for common phrases in ransomware notes. These may also find the ransomware executable itself.
Identifying the Ransomware Executable
Normally the ransomware executable is easy to find using timeline analysis. Look for the creation of executables surrounding the first encrypted files, or the initial compromise.
Timeline analysis of a JBoss web-server compromised with SamSam ransomware. Via RSA.
Alternatively, most ransomware is well detected by both Anti-Virus signatures and Yara rules.
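As an added example (not code from the original post), the two techniques above, keyword-matching ransom notes and timeline analysis around the first encrypted file, as a small triage script over a constructed list of file records. The paths, timestamps and note text are all made up for the demonstration; the window and suffix lists are assumptions you would tune per case.

```python
# Added example: timeline triage for a ransomware case. Finds ransom notes by
# keyword, then lists executables created shortly before the first encrypted
# file. All entries below are constructed sample data, not real artefacts.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Phrases commonly seen in ransom notes; a file must match at least two.
NOTE_PATTERNS = [re.compile(p, re.I) for p in (
    r"files (have been|are) encrypted", r"decrypt", r"bitcoin|btc", r"\.onion\b")]
EXEC_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".js")
ENCRYPTED_SUFFIXES = (".locked", ".encrypted", ".crypt")  # assumed for this case

@dataclass
class FileEntry:
    path: str
    created: datetime
    text: str = ""  # contents for small text files, empty for binaries

def is_ransom_note(entry: FileEntry) -> bool:
    return sum(1 for p in NOTE_PATTERNS if p.search(entry.text)) >= 2

def find_notes(entries):
    return [e.path for e in entries if is_ransom_note(e)]

def first_encrypted(entries):
    enc = [e for e in entries if e.path.lower().endswith(ENCRYPTED_SUFFIXES)]
    return min(enc, key=lambda e: e.created) if enc else None

def suspect_executables(entries, window=timedelta(hours=2)):
    """Executables created in the window before the first encrypted file."""
    anchor = first_encrypted(entries)
    if anchor is None:
        return []
    lo = anchor.created - window
    hits = [e for e in entries if e.path.lower().endswith(EXEC_SUFFIXES)
            and lo <= e.created <= anchor.created]
    return [e.path for e in sorted(hits, key=lambda e: e.created)]

# Constructed timeline of a single infected host.
SAMPLE = [
    FileEntry(r"C:\Windows\System32\notepad.exe", datetime(2018, 3, 1, 9, 0)),
    FileEntry(r"C:\Users\bob\AppData\Local\Temp\upd.exe", datetime(2018, 3, 5, 14, 2)),
    FileEntry(r"C:\Users\bob\Documents\q1.xlsx.locked", datetime(2018, 3, 5, 14, 10)),
    FileEntry(r"C:\Users\bob\Desktop\HOW_TO_RESTORE.txt", datetime(2018, 3, 5, 14, 11),
              "Your files have been encrypted! To decrypt them pay in Bitcoin ..."),
    FileEntry(r"C:\Users\bob\Desktop\todo.txt", datetime(2018, 3, 5, 15, 0), "buy milk"),
]

if __name__ == "__main__":
    print(find_notes(SAMPLE), suspect_executables(SAMPLE))
```

In a real case the entries would come from a filesystem timeline (for example a parsed MFT or bodyfile), and the suspect list is a starting point for Yara and Anti-Virus scanning, not a verdict.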
Identify the Initial Compromise
Identifying the initial compromise is required to protect other systems that could be vulnerable too.
You can identify exploits in Temporary Internet Files using Yara and Anti-Virus signatures. Review the Internet history.
Exploit Public-Facing Application
Depending upon the application, you may have both web-server logs and application logs to review. Look for web-shells and other signs of post-compromise. SamSam ransomware is known to target JBoss.
You can parse Outlook mail archives (PST files) using forensic tools such as Encase or pffexport (included with SIFT). You can also review attachments if you have access to the mail system itself.
Once extracted, attachments can be analysed using Yara and Anti-virus, or by hand.
You can also review Outlook's temporary archive, and Temporary Internet Files for web-mail.
In addition to reviewing attachments, you may want to extract any URLs from messages and check to see if they are malicious.
Check for Lateral Movement
Review Event logs to identify any potential lateral movement from the infected system.
There are a number of tools, both paid and free, that may be used to recover deleted files. You can run these over forensic images of the infected disk.
Normally ransomware will delete volume shadow backups.
Response and Remediation
If you’re dealing with manually deployed ransomware such as SamSam you will need to go through a number of steps to secure your network.
If it’s an opportunistic attack, identify the initial method of intrusion and fix any gaps. For example if the initial infection was through an exploit kit, make sure your network is patched against the successful exploit.
Ideally you have off-site back-ups of any lost data that you can recover from. If not, consider how effective your back-up strategies were and if they could be improved.
Any passwords or credentials used on the infected system should be considered compromised, and reset. Normally the infected system should be wiped and re-installed.
US-CERT provides additional guidance around responding to ransomware.
We’ve created a new tool to automate investigating and responding to security incidents in AWS and Azure — you can get a free trial here.