According to reports from several security solutions providers, there has been a very large increase in ransomware attacks during 2020.  Data from Bitdefender’s “Mid-Year Threat Landscape Report 2020” shows a 715% YoY increase in reported global ransomware threats during the first half of 2020, compared to the first half of 2019.  Checkpoint reports that there was a 50% increase in the daily average of attacks during Q3, compared to the first half of 2020.  And to make matters worse, ransomware threats continue to change and get more sophisticated.  Organizations of all types need to take the threat of ransomware seriously because disruption to operations caused by a successful attack is significant.  Complete remediation can take multiple days if not weeks, and result in lost revenue and sizable expense.

 Organizations compromised by a ransomware incident should take the following steps to limit the impact of the incident and prepare for the remediation process.  These steps are based in part on recommendations from the Cybersecurity and Infrastructure Security Agency (CISA).

1. Prevent data exfiltration
2. Isolate the infection
3. Assess impact
4. Get help

1.  Prevent Data Exfiltration

Data exfiltration is an unauthorized transfer of data.  Ransomware continues to evolve and some variants are now not only encrypting data and demanding a ransom to decrypt the data, but also collecting sensitive data and threatening to post that data publicly if the ransom is not paid.  As a result, it’s important to quickly prevent or limit any data exfiltration by halting Internet access at all locations.  If that is not feasible due to organization size or use of the Internet for site-to-site connectivity, an alternative is temporarily adding deny statements on border firewalls, both inside-to-outside and outside-to-inside rules, to exclude non-essential web traffic.

Older ransomware variants were only capable of encrypting data on the local machine they infected.  Newer and more advanced variants include self-propagating mechanisms that allow it to spread through networks and infect other systems.  Therefore, the most effective approach to limit the spread of ransomware involves disconnect all systems from the network (wired and wireless) until scans can be completed to ensure they are not infected before reconnecting them to the network.

The quickest way to disconnect physical systems involves temporarily powering down network switches and wireless connectivity.  Virtual servers will need to be disconnected from virtual adapters to isolate the guest operating systems from virtual switches.  Organizations with multiple locations should also ensure that remote offices or branches are disconnected from private WAN connections.

Particular attention should be given to ensuring the backup data and storage area networks are isolated to protect backups from being infected.

NOTE: It’s important to avoid powering down systems since doing so can result in loss of infection artifacts and evidence, and make getting systems operational again more difficult.

Once systems have been isolated from the network, they need to be inventoried and scanned for infection in priority order.  Systems containing Personal Identifying Information (PII), Protected Health Information (PHI), intellectual property, and financial information should be the first systems accessed.

Contact your cyber insurance provider to notify them of the incident at your first reasonable opportunity.  Many Cyber Insurance policies cover ransomware, but the provider may require you to follow their procedures or use their recommended service providers.  When contacting the provider to determine coverage and next steps, be prepared to give them the following.

• Details about the incident
• Ransom note
• High-level impact inventory
• Business details - locations and employee count
• Number of infected and non-infected servers
• Virtual server infrastructure used
• Number of infected and non-infected workstations
• Firewalls and/or perimeter solution used
• Backup solution used

In summary, organizations infected by ransomware should take the following four steps as quickly as possible to limit the impact of the incident and begin the process of restoring business operations.

1. Prevent data exfiltration
   1. Halt internet access at all locations
      1. Manually disconnect Internet service provider equipment or cabling, or
      2. Temporarily add deny statements (inside-to-outside and outside-to-inside) on border firewall(s), being sure to not block yourself
2. Isolate the infection
   1. Disconnect physical systems from the network (wired and wireless), either individually or in bulk by powering down switches and wireless connectivity
   2. Disconnect virtual server network adapters to isolate guest operating systems from virtual switches
   3. Disconnect remote/branch locations from private WAN connections
3. Assess impact
   1. Inventory and scan systems for infection, prioritizing systems with PII, PHI, intellectual property, and financial information
   2. Locate the ransom note, typically a readme.txt file in multiple directories on infected systems
4. Get help
   1. Contact your cybersecurity insurance provider to determine coverage and next steps, providing:
   2. Details of the incident
   3. Ransom note
   4. High-level impact inventory

A future blog post will detail preventative steps organizations should take to greatly mitigate the risk associated with ransomware.