Ransomware cyber response - Lessons from the trenches

“On a long enough timeline, the survival rate of an organization against a dedicated adversary drops to zero.”

7 years back, around this time, on a long night in the middle of nowhere, I encountered a curious malware sample. Something didn't feel right about it, and thankfully my schedule was wide open.

As I went through the sample, I was able to glean a couple of things: it encrypted files, left a backdoor (the classic “sethc”) and required manual intervention for execution. It also tried to reach out to a C2 IP ( Ergo, with some effort, I was able to deduce its tactics and surmise its nature.

It was my first brush with “LeChiffre”, a malware that offered “Ransomware as a Service”, or RaaS, capabilities. I was young then, and could not have comprehended the sheer scale of the RaaS industry that would later unfold in front of my eyes.

Back then, ransomware (or "Scareware", its forebear) was an opportunistic type of software, typically run by a ragtag gang of cyber criminals. Organized criminal gangs were yet to realize the immense potential of RaaS from a financial and operational risk standpoint. Over time, RaaS would evolve into a vast enterprise with functions akin to the heads of a hydra – ransomware gangs, exploit brokers, forum owners, initial access brokers, chat support operators, ransomware developers, infrastructure providers and so on. Law enforcement may slay one head; another will take its place and assume dominance.

Now, as I look back, 75-plus "cyber response incidents" wiser, that was the moment that actually defined my strategy towards ransomware incidents in particular. Through this post, I would like to share some key lessons that might help you improve your cyber security posture and preparedness against a ransomware incident.

Don’t Panic!

Panic is the mother of chaos, and father of discord

“Don't panic, because everything is probably all right, and if it's not, panicking will make it worse.” – Emily Barr

Ransomware incidents have the power to bring an enterprise to a grinding halt. Double and triple extortion tactics are squarely aimed at where it hurts the most – reputation and regulators. However, know this: you are not the first it has happened to, nor will you be the last. If you play your cards right, you will come out of it more percipient and resilient.

Enterprise-wide panic does nothing to solve an ongoing crisis.

A single source of truth.

The path to truth is not for the faint hearted

“Experiment is the sole source of truth. It alone can teach us something new; it alone can give us certainty.” – Henri Poincaré

I cannot overstate the importance of log availability and coverage during the course of a ransomware incident. Attackers love to wipe logs to impede cyber response and to frustrate root cause analysis (RCA). A centralized log repository acts as a single source of truth from a monitoring, detection and response standpoint.

Ensure your critical assets are correctly configured to send logs to a centralized repository or a SIEM, and that they are sending the right telemetry, which can provide early warning of an impending attack.

Your source of truth is the backbone of your security operations, and preparedness.

Seat-belts first.

Seat-belts, the yard stick of your risk appetite

“Superman don't need no seat belt.” – Muhammad Ali

For the lesser mortals, seat-belts first.

Ensure your environments are configured with a “seat-belts first” mindset; it hurts to get hacked later on. I have observed production applications deployed on environments with key security settings disabled, because those settings were observed to interfere with the application functionality. Instead of fixing the issues with the application behavior via the developer or vendor route, the security defenses were disabled in the interest of going live.

This provides good opportunities for an attacker to target vulnerable environments; and to their owners, an opportunity to learn costly lessons later on.

When in doubt, seat-belts first.

You cannot protect what you cannot see.

Underestimate the value of visibility at your own peril

“The power of visibility can never be underestimated.” – Margaret Cho

Countless times, I have observed internet-exposed RDP on a server configured for “Rob”. Rob was a project admin with administrator privileges, and his server was enabled with an “Any-Any” firewall rule. The server was not integrated with the SIEM as it was a "test environment", and was not protected by anti-virus as that interfered with testing. Rob used to access the server through AnyDesk or RDP.

Few remember when Rob left the organization, fewer know about that exposed, poorly secured server.

The RCA report will reveal that the attackers knew about that server and leveraged RDP to pivot inside, unobtrusively.

You may laugh now, but I know your deepest fears. Ultimately, you cannot protect what you cannot see.

Shields up!

Armor only protects warriors, the unprepared tend to get slaughtered

“Shall we raise our shields, Captain?” – Pavel Chekov

While C.I.A. principles are good for compliance, I would argue environment compartmentalization is a better strategy for all practical purposes. Containerize your applications, and test applications in containers before they are deployed to production. Implement segmentation (and micro-segmentation), actually enable payload and TLS inspection on firewalls, and stop turning secure defaults off.

Backups are a different ball game altogether: ensure they are protected adequately and tested religiously. They are the linchpin of a successful recovery operation against a ransomware attack.

Your sysadmin’s machine is probably the most insecure machine in the network; access to it exposes everything. Leverage PIM or MFA (hardware tokens, authenticator apps) for authentication and escalation of privileges across the environment. Implement the principle of least privilege and stop having exceptions for special user groups – security is an onus for everyone.

Funnel the aforementioned telemetry to the SIEM and tune it with at least the MITRE ATT&CK use cases. Have some trained eyes to action anomalies, and make your environment a cold and unwelcome place for adversaries.

Keep your shields up.

Practice, practice and practice!

Uncharted waters demand unrelenting practice

“Amateurs practice till they get it right, professionals practice till they can't get it wrong.” – Anonymous

Offensive exercises such as red teaming may help identify attack avenues that you might not have considered as part of your existing threat model. Cyber drills may reveal the response paradigms and preparedness of your organization against a cyber attack.

Cyber drills or ransomware simulations may help uncover pain areas that can induce panic and reduce operational effectiveness during the course of a ransomware incident – such as miscommunication, stakeholder accountability, regulator reporting and compliance measures, availability of technical owners and vendors, vendor support clauses, communication channels, PR strategy and communication, the decision-making process, etc.

Practice till it becomes second nature.

Never invite an enemy for a dance

“The winner of the game is the player who makes the next-to-last mistake.” – Tartakower

Ransomware, or any other cyber attack for that matter, is a perpetual game of cat and mouse. The attackers will keep hunting for the right opportunity, while the defenders face the ever-looming "goalkeeper's paradox". In the grand scheme of things, reducing the opportunities available to an invisible, impending attacker helps protect against known-unknowns, and potentially unknown-unknowns.

Cyber, just like any other discipline, is susceptible to the usual debates on the technicalities of implementation, nuances of operations, verbiage of policy, and stratagems of future. But when the curtain falls in the event of an incident; exeunt omnes – only the principles and lessons learnt remain, forged by experience, decisiveness and preparedness of an organization.

Happy holidays!

Thanks to Dasarath S and Vivek Gupta for proof reading. This was cross posted on my personal blog as well. Added inputs from a backup standpoint, as rightly pointed out by Vikram Jeet Singh.

This was cross posted on my LinkedIn blog as well.
