Incident Response - Analysis
Actively keeping your systems safe
The Analysis phase largely focuses on two areas:
1. Identifying the specific variant of ransomware in action
2. Determining how the malware entered the organization (root cause analysis)
When embarking on the Analysis phase of the incident, it is essential to identify the specific variant of ransomware that compromised the environment. Because there are many varieties of ransomware, with new ones emerging on an all too frequent basis and each with its own unique capabilities, knowing which variant is involved is a prerequisite before advancing to the Containment phase. Some versions of ransomware can leverage lateral movement features while others may not have this ability. The capabilities of each ransomware family greatly influence the containment and eradication steps down the line. Determining the variant can be tricky, and X-Force recommends organizations consult internal subject matter experts or external professional assistance, such as a security services provider, to help determine the variant and the group behind it.
Initial root cause analysis
An abridged level of root cause analysis (RCA) should be performed to help the security team understand how the ransomware was introduced into the digital environment. While a formal root cause analysis can wait until the Post-Incident Activity phase, an abridged RCA will aid planning for and entering the Containment phase. Without a basic RCA, the infection cycle is more likely to repeat itself. It is also important to perform the RCA before the recovery phase, since an organization could expend a large amount of time and effort recovering files only to see them re-encrypted shortly thereafter.
Some common entry points are:
— Email
— Browser exploitation
— Other vulnerabilities
Email entry point
One of ransomware’s most common entry points into the organization is via unsolicited email with an attachment, or via web browser vulnerabilities that can attempt a drive-by download infection. If an employee received an unsolicited email that contained ransomware, a search across the organization’s email store should be quickly conducted to identify other, possibly unopened, emails in additional employee mailboxes. These emails should be immediately extracted and purged to prevent them from being opened by employees.
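The mailbox sweep described above, as an added illustration that is not code from the original guide: it assumes mailbox contents are available as raw RFC 822 messages and that the attachment hash of the reported email is already known. Messages are flagged either because they carry the same attachment or because they share the reported sender and subject.

```python
import hashlib
from email import message_from_bytes
from email.message import EmailMessage

def build_message(sender, subject, attachment=b"", filename="invoice.zip"):
    """Build a raw RFC 822 message; used here only to construct sample mailbox data."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "employee@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    if attachment:
        msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def attachment_hashes(raw):
    """Return the SHA-256 hex digests of every attachment in a raw message."""
    digests = set()
    for part in message_from_bytes(raw).walk():
        if part.get_content_disposition() == "attachment":
            digests.add(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
    return digests

def find_related_messages(mailboxes, indicator_hashes, sender, subject):
    """Sweep every mailbox for copies of the reported email. A matching attachment hash is
    the strong signal; the same sender and subject catches copies whose attachment differs."""
    hits = []
    for mailbox, messages in mailboxes.items():
        for raw in messages:
            msg = message_from_bytes(raw)
            same_campaign = msg["From"] == sender and msg["Subject"] == subject
            if attachment_hashes(raw) & indicator_hashes or same_campaign:
                hits.append((mailbox, msg["Subject"]))
    return hits

# Constructed sample data: the "payload" is an inert placeholder string, not malware.
SENDER, SUBJECT = "billing@invoices.example.test", "Overdue invoice"
PAYLOAD = b"constructed placeholder attachment"
MAILBOXES = {
    "alice": [build_message(SENDER, SUBJECT, PAYLOAD)],                    # the reported email
    "bob": [build_message(SENDER, "Invoice attached", PAYLOAD),            # same attachment, new subject
            build_message("hr@example.com", "Handbook", b"clean", "handbook.pdf")],
    "carol": [build_message(SENDER, SUBJECT)],                             # same campaign, attachment stripped
    "dave": [build_message("it@example.com", "Maintenance window")],
}
INDICATOR_HASHES = attachment_hashes(MAILBOXES["alice"][0])

if __name__ == "__main__":
    for mailbox, subj in find_related_messages(MAILBOXES, INDICATOR_HASHES, SENDER, SUBJECT):
        print(f"extract and purge: mailbox={mailbox} subject={subj!r}")
```

In a real sweep the same matching logic would run against the mail platform's search or export API rather than in-memory messages; the returned list is the set of items to extract for evidence and then purge.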
Drive-by download entry
Web browser vulnerabilities are a little more complicated and harder to determine, but an RCA in this case can likely rely on the organization’s patch management infrastructure. A proper analysis would help identify what initial website caused the infection, thus providing the organization the ability to block access to that site from its networks. The organization should keep in mind that while blocking the identified malicious site is a first step, it won’t automatically protect employees who are mobile and not blocked by the organization’s firewall rules outside the local area network (LAN). Moreover, there could be other sites spreading the malware at the same time or activated shortly thereafter.
Exploitation and manual infection
Another way that ransomware-wielding attackers get into organizations is by exploiting specific software or server vulnerabilities and planting ransomware manually in key areas of the network, aiming to infect as many devices as possible. In some cases, the malicious process can be set to start at a certain time. Criminals may set the start time on a weekend or holiday to reduce the chance of real-time discovery by employees or security staff. X-Force recommends using internal incident response subject matter experts (SMEs) or an external third-party SME to assist in a proper root cause analysis.