Understanding the Importance of First Steps After a Ransomware Attack
19.10.2021

What to do and what not to do when you are under a ransomware attack?

Despite a lot of discussion about ransomware attacks in the past few years, the statistics reveal that attacks are becoming more frequent and new ways and techniques are emerging. Tackling attacks “ad-hoc” with no adequate knowledge of how to respond to an incident is never a good reaction. Despite the errors, you may sometimes even successfully resolve an incident, but the problem arises in forensic analysis. The sections below are divided into three most important steps of an incident response.

Mistakes that can cost successful solutions

  • Panic: Panic causes mistakes. Make sure that you don't panic in the event of an incident. You can avoid it with previously prepared documents that define a step-by-step process for the best possible response to an incident.
  • Don't Assume Wrongly: Don't assume that the incident will definitely compromise all your information. The extent of the incident should be determined after the identification of the incident.
  • Turn Off Systems: Many probably remember the picture of a server circulating on the internet with a note saying: "In case of a cyberattack, break glass and pull out the cables." Unfortunately, pulling out the cables from the ports and sockets doesn't help with anything except the loss of valuable data that helps with forensic analysis. In this way you also lose track of the information that is essential in determining the timeline and sequence of the events.
  • Use of Domain Account: Under no circumstances should a domain account be used to access the environment. Attackers are patiently waiting for the user to gain access to login by capturing the password and therefore obtain full control of the environment.
  • Use of Non-Dedicated Tools: You should NOT, under any circumstances, install antivirus solutions on the infected systems or not use any software that is not intended for the forensic analysis, as this may overwrite the timeline associated with the attack in the master file table and destroy it.
  • Do Not Discuss the Event: Do not discuss the event with others unless it is ordered by the incident response provider. It's important to be careful with the audience you're communicating with about the event.

What should be done immediately upon incident detection?

  • Disconnect the System from the Network: Only if this blocks the attack. This should not be done in case the attack is already over.
  • Assemble a Team: A dedicated team that will deal with the incident response should be defined in advance. It should consist of: Management, legal service, public relations, and engineers with access rights.
  • Call: Call the incident response company immediately (e.g. NIL SOC)

If the system and internal knowledge allow IT, address the following points:

  • Collect Data: By using forensic tools (if there is adequate knowledge in the company) collect as much data and other critical information as possible, which could be useful in incident response and further forensics. Forensic tools can be connected to the timestamp monitoring system on a  device, allowing you to prepare and understand the timeline of the attack.
  • Check Backups: Make sure that the data on the backups is not part of the hack. If not, it will be possible to retrieve the lost data.
  • Secure Data: Securing the data you've obtained from your system is the most important step of the incident response.
  • Data Verification: Check the data you have collected with the information available online. Check the HASH values, IP addresses, domains you have found, all of which can help responding more quickly to an incident. You should try to find out what kind of an attack it was. Also, try to collect as much information as possible about the attackers, such as which types of attacks they usually use.
  • Collect Logs: If possible, collect all necessary logs from the systems you use, Windows events, firewall records, network data, antivirus data, etc. It is very important that you consider the event both from the network and endpoint perspectives.
  • Call: Immediately call the incident response team and provide them with all information you have obtained (e.g. NIL SOC)

When collecting the information, it is necessary to be aware that communication can be compromised (e-mail), therefore use only the tools that encrypt communication and ensure safe usage. Trust the professionals who will take you through the whole process safely and without panic, since only with proper communication and cooperation will there be a possibility to resolve the attack without paying the requested ransom.

Author: Suzana Kužnik, Cybersecurity Analyst at SOC, NIL

Author: Suzana Kužnik