How to effectively respond to a ransomware attack

Does your organization know what to do if its systems are suddenly struck by a ransomware attack? To be ready, prepare your ransomware response well ahead of time.

Smart organizations work to stay ahead of the ransomware threat. Prevention matters, but even that work offers no guarantee that the dreaded day won't one day arrive. That reality means it is critical to have a plan in place -- and that your team is ready to execute it -- should the business be struck by a ransomware attack.

Let's look at some of the fundamental elements for creating a ransomware response playbook. These suggested actions and considerations will help a cybersecurity team build a workflow for an effective ransomware incident response.

Given the rapidly shifting nature of the ransomware and attacker landscape, it's crucial not only to document and test these processes but also to update them regularly.

A comprehensive ransomware response checklist

Preparation for a ransomware attack

When is the preparation phase of a ransomware incident response plan? Any time the cybersecurity team isn't actively dealing with an incident.

The following covers the important steps in this phase.

Determine core computer security incident response team (CSIRT) membership. This team investigates security events that might or might not result in the declaration of an incident. Ideally, this team will focus solely on cybersecurity. When an organization forms its core CSIRT, it might include some members from the IT operations staff, depending on the organization's size.

Determine extended CSIRT membership. This larger group will be needed if a ransomware incident occurs. You will want the legal team available for important discussions, such as the legality of payment and potential negotiations with attackers. The compliance team will ensure that all regulations and industry requirements are met when dealing with a ransomware incident. Public relations and communications teams will help coordinate and manage crisis communications to the public (if needed), partners and other stakeholders. And, you will need the executive leadership team at the table to make critical decisions.

Conduct tabletop and threat modeling exercises. Ransomware exercises define escalation paths should the organization face an attack. Incidents might start as low-severity events and then require more attention as the team gathers further information. Define when and how escalation occurs if ransomware is detected and who should be involved at particular stages.

Figure: bullet list graphic detailing 10 steps to building an incident response team.

Identification and investigation of ransomware

In the identification phase of a ransomware response, it's crucial to have a playbook ready to follow. This enables the right people to react according to plan and not haphazardly.

Once an organization learns of an attack -- usually through a notification or message that appears on compromised systems -- the response needs to be swift and organized. The critical steps to follow at that point include the following:

  1. Notify all core CSIRT members of the situation.
  2. Determine the type of ransomware involved, if possible. Check if it's a well-known variant by looking for the following:
    1. Graphical user interfaces for the malware itself.
    2. Text or HTML files that sometimes open automatically after encryption.
    3. Image files often disguised as wallpaper on infected systems.
    4. Contact email addresses embedded in the extensions of encrypted files.
    5. Pop-ups seen when trying to open an encrypted file.
    6. Voice messages.
  3. Analyze messages and text for the following clues:
    1. Ransomware name, if stated.
    2. Language, structure, phrases and artwork.
    3. Contact email, if provided.
    4. Format of the user ID, if provided.
    5. Ransom demands, such as the digital currency type.
    6. Payment address in case of digital currency.
    7. Support chat or support page.
  4. Analyze affected and/or new files and file modification behavior. Look for these indicators:
    1. File extensions of encrypted files (for example, .crypt, .cry or .locked) and any other conventions.
    2. File corruption vs. encryption, if applicable.
    3. Targeted file types and locations, if clear.
    4. Ownership permissions of affected files.
    5. Specific icons for encrypted files, if applicable.
  5. Upload any captured indicators of compromise (IOCs) to services such as Crypto Sheriff, ID Ransomware or Proven Data, which can help identify the ransomware involved.

The next step is to determine, to the extent possible, the scope of the infection within the environment. This should encompass both systems and data.

Specifically, consider the following actions:

  1. Check for affected systems:
    1. Scan for any clear IOCs, such as file hashes, processes, network connections and so on, using endpoint protection/endpoint detection and response (EDR) tools. Also, look at system logs.
    2. Use any detected IOCs to check similar systems for infection, including systems with similar users, groups, data, tools, departments, configuration and patch status.
    3. Look for external command-and-control sites, if present, and find other systems connecting to them by looking into firewall and intrusion detection/intrusion prevention logs, system logs/EDR, DNS logs, NetFlow or router logs.
  2. Check for affected data:
    1. Find anomalous changes to file metadata, such as mass changes to creation or modification times.
    2. Find changes to normally unchanged and critical data files.
    3. Check file integrity monitoring tools, if in use.
  3. Determine, as best you can, the effect of the infection. This will differ for every organization based on size, industry, where the infection is and so on. First, consider the financial impact: How much money is lost or at risk? Second, consider which critical business functions are in jeopardy. Finally, try to determine what, if any, data is unavailable and how that will affect business processes and functions.
  4. Determine, if possible, the source of the infection. This is not a simple task, and identifying a root cause could take a long time. The following are some areas to examine:
    1. For email attachments, check email logs, email security appliances and services, e-discovery tools, etc.
    2. For insecure remote desktop protocol implementations, check vulnerability scanning results, firewall configurations, etc.
    3. For self-propagation -- such as a worm or virus -- check host telemetry/EDR, system logs, forensic analysis, etc.
    4. For infection via removable drives, check for worms or viruses.
    5. Expand the investigation to include additional attacker tools or malware.
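As an added example (not code from the original article), the following Python script applies the file-level checks from the two lists above to a directory tree: it tallies suspicious extensions, looks for candidate ransom notes, flags high-entropy (encrypted-looking) content and detects a burst of file modification times. It builds its own constructed sample tree in a temporary directory so it runs offline; the extension list, note-name hints and thresholds are assumptions to tune for your environment, not a definitive catalog of any ransomware family.

```python
import json
import math
import os
import sys
import tempfile
import time
from collections import Counter
from pathlib import Path

# Assumed indicator lists: illustrative, not a complete catalog of any family.
SUSPECT_EXTENSIONS = {".crypt", ".cry", ".locked", ".encrypted"}
NOTE_NAME_HINTS = ("readme", "decrypt", "restore", "recover", "how_to")
NOTE_SUFFIXES = {".txt", ".html", ".hta"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/compressed data, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_modified_in_window(mtimes, window):
    """Largest number of files whose mtimes fall inside any `window`-second span."""
    mtimes = sorted(mtimes)
    best = j = 0
    for i, t in enumerate(mtimes):
        while mtimes[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def triage_tree(root, window=300, burst_min=20, entropy_threshold=7.5):
    """Apply the identification checks to every file under `root`."""
    root = Path(root)
    ext_counts, notes, high_entropy, mtimes = Counter(), [], [], []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        suffix = p.suffix.lower()
        mtimes.append(p.stat().st_mtime)
        if suffix in SUSPECT_EXTENSIONS:
            ext_counts[suffix] += 1
        if suffix in NOTE_SUFFIXES and any(h in p.name.lower() for h in NOTE_NAME_HINTS):
            notes.append(rel)
        with p.open("rb") as f:  # sample only the first 4 KiB to keep the scan cheap
            head = f.read(4096)
        if len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
            high_entropy.append(rel)
    burst = max_modified_in_window(mtimes, window)
    return {
        "suspect_extensions": dict(ext_counts),
        "ransom_notes": sorted(notes),
        "high_entropy_files": sorted(high_entropy),
        "max_files_modified_in_window": burst,
        "mass_modification": burst >= burst_min,
    }


def build_sample_tree(root):
    """Constructed sample: 30 'encrypted' files of random bytes and a note written
    just now, plus three untouched text files dated a month earlier."""
    docs = Path(root) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    for i in range(30):
        (docs / f"report{i}.docx.locked").write_bytes(os.urandom(2048))
    (docs / "README_TO_DECRYPT.txt").write_text("constructed sample note text\n")
    old = time.time() - 30 * 86400
    for i in range(3):
        f = docs / f"notes{i}.txt"
        f.write_text("quarterly planning notes\n" * 40)
        os.utime(f, (old, old))


def run_demo():
    """Build the constructed sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_tree(tmp)


if __name__ == "__main__":
    # Pass a path (a file share mount, for example) to triage it; no args runs the sample.
    result = triage_tree(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    print(json.dumps(result, indent=2))
```

Run it against a copy of an affected share rather than the live system where possible, and treat the output as leads for the IOC upload step rather than a verdict: a legitimate backup or compression job also produces high-entropy files and modification bursts, so the extension hits and ransom notes are the stronger signals.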

Containment

In the containment phase, the goals are often short-term actions that provide breathing room. The team will work to prevent the infection from spreading further. The following outlines steps to take in this situation.

Quarantine affected infrastructure. For systems, use network isolation and host-based firewalls and agents. Use directory services and identity platforms for affected users and groups. Most organizations will also want to isolate the following elements:

  • File shares, both known infected shares and uninfected.
  • Shared databases, both known infected and uninfected.
  • Backups and backup servers, if not already secured.

You can take these additional steps to stop the spread of ransomware:

  • Block known command-and-control domains and addresses.
  • Remove detected malicious emails from inboxes.
  • Confirm that endpoint protection -- antivirus, next-gen antivirus, EDR, etc. -- is up to date and enabled on all systems.
  • Confirm patches are deployed on all systems, prioritizing targeted systems, OSes and software.
  • Deploy custom signatures to endpoint protection and network security tools based on discovered IOCs.
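The following Python script is an added example, not code from the original article, that ties the command-and-control check from the identification phase to the blocking and custom-signature steps above. It sweeps constructed DNS and firewall log lines for known C2 indicators, lists the internal hosts that contacted them (including hosts whose attempts the firewall denied, since those hosts are still infected), picks the earliest contact as a candidate patient zero and emits Suricata rules for the indicator set. The log formats, the domains and addresses, and the sid range are all constructed placeholders; adapt the regular expressions to your own log sources.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed IOC set: placeholders in documentation ranges, not real infrastructure.
C2_DOMAINS = {"update-check.example.net", "cdn-sync.example.org"}
C2_IPS = {"203.0.113.45", "198.51.100.7"}

# Constructed sample logs: a BIND-style query log and a key=value firewall log.
DNS_LOG = """\
12-Mar-2024 09:14:02.117 client 10.0.4.21#51523: query: update-check.example.net IN A + (10.0.0.53)
12-Mar-2024 09:14:05.220 client 10.0.4.33#60122: query: www.example.com IN A + (10.0.0.53)
12-Mar-2024 09:15:41.004 client 10.0.7.8#49331: query: cdn-sync.example.org IN A + (10.0.0.53)
12-Mar-2024 09:16:10.901 client 10.0.4.21#51524: query: cdn-sync.example.org IN A + (10.0.0.53)
"""
FW_LOG = """\
2024-03-12T09:14:03Z action=allow src=10.0.4.21 dst=203.0.113.45 dport=443 proto=tcp
2024-03-12T09:14:06Z action=allow src=10.0.4.33 dst=93.184.216.34 dport=443 proto=tcp
2024-03-12T09:15:42Z action=allow src=10.0.7.8 dst=198.51.100.7 dport=8443 proto=tcp
2024-03-12T09:20:00Z action=deny src=10.0.9.2 dst=203.0.113.45 dport=443 proto=tcp
"""

DNS_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN")
FW_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)")


def sweep(dns_log=DNS_LOG, fw_log=FW_LOG):
    """Map each internal host that touched a C2 indicator to what it touched, when
    it was first seen doing so, and whether any connection was actually allowed.
    A denied attempt still marks the host: it only means egress filtering held."""
    hosts = defaultdict(lambda: {"indicators": set(), "first_seen": None, "allowed_egress": False})

    def note(src, indicator, ts, allowed):
        h = hosts[src]
        h["indicators"].add(indicator)
        h["allowed_egress"] = h["allowed_egress"] or allowed
        if h["first_seen"] is None or ts < h["first_seen"]:
            h["first_seen"] = ts

    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m and m["qname"].lower().rstrip(".") in C2_DOMAINS:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            note(m["src"], m["qname"].lower().rstrip("."), ts, allowed=False)
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m and m["dst"] in C2_IPS:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            note(m["src"], m["dst"], ts, allowed=(m["action"] == "allow"))
    return {
        src: {"indicators": sorted(h["indicators"]),
              "first_seen": h["first_seen"].isoformat(),
              "allowed_egress": h["allowed_egress"]}
        for src, h in hosts.items()
    }


def earliest_host(result):
    """Candidate patient zero: the flagged host with the earliest C2 contact."""
    return min(result, key=lambda src: result[src]["first_seen"]) if result else None


def suricata_rules(start_sid=1000000):
    """Emit Suricata rules for the IOC set so sensors alert on further contact.
    Local rules conventionally use sids of 1000000 and above (assumed here)."""
    rules, sid = [], start_sid
    for d in sorted(C2_DOMAINS):
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"Ransomware C2 domain {d}"; '
                     f'dns.query; content:"{d}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    for ip in sorted(C2_IPS):
        rules.append(f'alert ip $HOME_NET any -> {ip} any (msg:"Ransomware C2 address {ip}"; '
                     f'sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    hits = sweep()
    for src, info in sorted(hits.items(), key=lambda kv: kv[1]["first_seen"]):
        print(src, info)
    print("earliest contact:", earliest_host(hits))
    print("\n".join(suricata_rules()))
```

Every host the sweep returns belongs on the quarantine list, whether or not its egress was allowed, and the generated rules are meant to go into the network security tools so that any reinfection during eradication raises an alert immediately.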

These are suggestions to consider. Each organization will have its own methods and isolation tactics for its environment.

Eradication

The eradication phase focuses on removing known malicious artifacts, updating systems and services known to be infected and replacing data from backups. When restoring systems from known-good media, be sure to check that backups are clean and not already infected. This will take quite a bit of effort. Also, confirm that endpoint protections, such as antivirus, next-gen antivirus and EDR, are current and enabled on all systems. Ensure patches are deployed on all systems, putting a priority on the targeted systems, OSes and software.

If needed, deploy custom signatures to endpoint protection and network security tools based on discovered IOCs. Watch for reinfection and consider increased priority for alarms/alerts related to this incident.

Communication

The key to communication during a ransomware incident is to coordinate with extended CSIRT membership. Escalate the event and communicate with leadership early. Be sure to document the ongoing incident and provide regular updates to senior leadership.

Communicate with internal and external legal counsel per policy and crisis management protocol, including discussions of compliance, risk exposure, liability and law enforcement contact.

Then, be sure you've got a plan to initiate messaging and information flow during a ransomware incident. Consider the following actions:

  • Communicate with internal users and groups:
    • Advise the support desk or help desk, as they will be receiving calls and requests.
    • Alert users about the disruptive effects of the incident as well as the incident response, such as quarantining of systems, data and services.
    • Communicate any actions users should or should not take.
  • Communicate with customers and regulators:
    • Prioritize customers whose data was affected.
    • Generate required notifications based on applicable regulations, particularly those that might consider ransomware a data breach or otherwise require notification. Find out if regulators can provide help (as required or desired).
  • Contact insurance provider(s):
    • Discuss the resources your insurer can make available and which tools and services it will pay for.
    • Comply with reporting and claims requirements.
    • Consider notifying and involving law enforcement.
  • Communicate with security and IT vendors/providers:
    • Notify and collaborate with managed providers.
    • Notify and collaborate with incident response consultants.

Recovery

To minimize downtime and restore operations, the recovery phase of a ransomware incident will require a full team effort. Key considerations should include the following:

  • Consider paying the ransom. Engage legal teams to check the legality of payment. Some nations have strict rules and restrictions, such as the U.S. Treasury Department's Office of Foreign Assets Control requirements. Discuss potential payment and payment logistics with legal counsel, insurer(s), law enforcement, consultants and negotiation specialists.
  • Set up the currency exchange so that you are able to pay the ransom.
  • Negotiate with the attackers. If you pay, you can negotiate -- sometimes to reduce the ransom payment by more than 50%. Don't contact them as your own company; instead, contact them as a consulting firm.

Recover data from known-clean backups to known-clean, patched, monitored systems -- post-eradication -- in accordance with your backup strategy. Be sure to check backups for known IOCs and consider partial recovery and backup integrity testing.
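As an added example (not code from the original article), the following Python script shows one way to do the backup integrity testing and IOC check described above before restoring. A manifest of SHA-256 digests is recorded when the backup is taken; before a restore, the set is re-hashed and compared with the manifest, and each file is also checked against known-bad hashes and encrypted-file extensions. The sample files, the tampering scenario, the IOC hash and the extension list are all constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed extension list for encrypted-file naming conventions (illustrative).
SUSPECT_EXTENSIONS = {".locked", ".crypt", ".cry", ".encrypted"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def write_manifest(root, manifest_path):
    """Record a SHA-256 digest per file when the backup is taken. Keep the manifest
    outside the backup set (offline or write-once) so an intruder who reaches the
    backup cannot rewrite both."""
    manifest = hash_tree(root)
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(root, manifest_path, known_bad_hashes=frozenset()):
    """Re-hash the set and compare it with the manifest; also check every file
    against IOC hashes and encrypted-file extensions. Restore only if clean."""
    expected = json.loads(Path(manifest_path).read_text())
    current = hash_tree(root)
    report = {
        "modified": sorted(k for k in expected if k in current and current[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in current),
        "unexpected": sorted(k for k in current if k not in expected),
        "ioc_hash_matches": sorted(k for k, h in current.items() if h in known_bad_hashes),
        "suspect_extensions": sorted(k for k in current if Path(k).suffix.lower() in SUSPECT_EXTENSIONS),
    }
    report["clean"] = not any(report.values())
    return report


def run_demo():
    """Constructed scenario: a manifest is taken, then the backup set is tampered
    with (one file overwritten in place, one renamed with a ransomware extension,
    one unrelated binary dropped in) before a restore is attempted."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "payroll.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (backup / "policy.docx").write_bytes(b"constructed document bytes")
        manifest = Path(tmp) / "manifest.json"  # deliberately outside the backup tree
        write_manifest(backup, manifest)
        # Tampering after the manifest was taken:
        (backup / "finance" / "payroll.xlsx").write_bytes(b"constructed ciphertext bytes")
        (backup / "policy.docx").rename(backup / "policy.docx.locked")
        (backup / "dropper.exe").write_bytes(b"constructed dropper bytes")
        known_bad = {sha256_file(backup / "dropper.exe")}  # constructed IOC hash
        return verify_backup(backup, manifest, known_bad)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

A report with any non-empty list means that backup generation is not trustworthy as a whole; fall back to an older generation, or restore only the files that still match the manifest (the partial recovery the text mentions) and rebuild the rest.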

Also, look for known decryptors by checking the No More Ransom page and similar sites. You might get lucky.

Why a ransomware plan matters

Given the rampant spread of this type of malware, it's prudent for all organizations to spend the time to develop a ransomware incident response playbook.

Data on ransomware trends show that the threat has not diminished. Researchers say several dozen ransomware groups are active at any given time, and those groups target organizations across industries and sectors, from retail to education to local government and healthcare.

For certain organizations, an attack can prove costly. The "State of Ransomware 2024" report from Sophos, for example, found that the average ransom payment rose from $400,000 in 2023 to $2 million in 2024. Obtaining cyber insurance is no easy feat, and a policy can be expensive.

There's no such thing as a perfect strategy for ransomware response, especially given the changing nature of these attacks. Still, cybersecurity teams should have a workflow defined ahead of time. Be sure to regularly review and update that plan.

Dave Shackleford is founder and principal consultant at Voodoo Security, as well as a SANS analyst, instructor and course author, and GIAC technical director.
