If your network experiences a ransomware attack, your IT staff will likely want to begin investigating and working to stop the attack immediately, before an outside incident response firm can assist. This guidance is intended to help your first responders identify the most important priorities for containing a ransomware attack and avoid common pitfalls that can hinder later investigation and recovery.
IMMEDIATE RESPONSE PRIORITIES FOR A RANSOMWARE ATTACK
- Notify your incident response partner and cyber insurance agent (if you have these relationships in place).
- Stop any malicious encryption software that may still be running.
  - If you suspect servers and workstations are still encrypting data, power them down as quickly as possible to reliably stop further encryption.
  - If continued encryption is not a concern on a system, leave the system powered on but disconnect it from the network (as RAM may contain forensic data).
- Disconnect network attached storage (NAS) systems from the network immediately, and keep them disconnected until you can validate that all systems are free of ransomware.
- Isolate critical systems to prevent further spread of the malware.
  - Isolate backups and backup servers.
  - Shut down servers or disconnect them from networks.
  - Shut down wide area network tunnels.
- Disable any employee remote access services that do not use multi-factor authentication (MFA).
  - Disable VPNs, or whitelist source IPs to known employees.
  - Disable Remote Desktop Protocol (RDP) services, or whitelist source IPs to known employees.
- Disable existing domain administrator accounts.
  - Create new domain administrator accounts for critical IT staff.
  - Disable all other domain administrator accounts (to prevent logins and use of issued Kerberos tickets).
- Disable malware command-and-control channels.
  - Disable outbound web traffic.
  - Disable all other outbound services/protocols through the firewall.
- Collect and retain logs that are not already in a centralized archive.
  - Because Windows security event logs can, by default, be overwritten within days, copy the folder c:\windows\system32\winevt\logs from any domain controllers, RDP servers and other key impacted servers to a safe place.
  - Because many firewall and VPN logs are also overwritten quickly, export VPN access logs and firewall traffic logs to a safe place.
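One way to carry out the Windows event log preservation step above, as an added PowerShell example that is not part of the original guidance. It assumes an admin workstation with access to each server's C$ admin share; the server names and the destination path are placeholders.

```powershell
# Added example (not from the original guidance): copy the winevt\Logs folder from key
# servers to a safe location before the logs roll over, and record SHA-256 hashes of
# every collected file so the evidence can later be shown to be unaltered.
# Assumptions: SMB access to the C$ admin share on each server, and a destination the
# attacker cannot reach (e.g. a freshly attached, unshared drive). Names are placeholders.
$Servers     = @('DC01', 'DC02', 'RDP01')      # placeholder hostnames
$Destination = 'E:\IR-Evidence\winevt'         # placeholder safe location
$Timestamp   = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($Server in $Servers) {
    $Source = "\\$Server\C$\Windows\System32\winevt\Logs"
    $Target = Join-Path $Destination "$Server-$Timestamp"

    if (-not (Test-Path $Source)) {
        # A host that was powered down to stop encryption cannot be reached this way;
        # note it so its logs are collected from the disk image or at next boot.
        Write-Warning "Cannot reach $Source; collect this host's logs another way."
        continue
    }
    New-Item -ItemType Directory -Path $Target -Force | Out-Null

    # Copy only the .evtx files. Reading the live files over the admin share does not
    # require an interactive logon to the affected server.
    Copy-Item -Path (Join-Path $Source '*.evtx') -Destination $Target -Force

    # Hash manifest for chain of custody: one row per file, written beside the copies.
    Get-ChildItem -Path $Target -Filter '*.evtx' |
        Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'Server'; e = { $Server } }, Path, Hash |
        Export-Csv -Path (Join-Path $Target 'hashes.csv') -NoTypeInformation

    $Count = (Get-ChildItem -Path $Target -Filter '*.evtx').Count
    Write-Host "Collected $Count log files from $Server into $Target"
}
```

Keep the hashes.csv manifest with the copied logs; the incident response firm can re-hash the files on receipt to confirm nothing changed in transit.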
Develop a recovery strategy
At this point you can stop, take a breath, and begin to evaluate the situation and develop an investigation and recovery strategy. Examples of key next steps include:
- If needed, finalizing contracts with a legal firm and/or incident response firm
- Determining the state of storage systems and status of online and offline backups
- Creating an inventory of impacted systems
- Prioritizing applications for recovery
- Creating an inventory of sensitive or high-risk data that could have been stolen
- Evaluating potential risk to cloud email accounts or other cloud services