The ransomware phenomenon
If there is one term that has earned its way to the top of the media headlines over the last two years, ransomware is undoubtedly the clear winner. Rarely does a week go by without the media reporting an incident of this kind, and rarely is there a sector that has been spared this biblical curse of the latest generation.
Whether the background is really understood or not, the public always translates this term as synonymous with serious cyber-attacks and a significant level of damage to companies. Usually, the media narrative is somewhat confusing as they talk about the impact (the website that is down or the factory that cannot open) and not so much about the incident itself, which usually has happened a long time ago and often has other stories to tell.
This article is the first in a series of four articles in which we will try to share our close vision of the phenomenon, narrating how we experience the dynamics of this type of cyber security incidents when they are a reality in our organisation.
Ransomware incident response at a glance
In an incident of this type, an actor will have gained access to the client’s infrastructure and will have begun a sequence of easily foreseeable steps where it will download tools (to analyse its environment, detect machines and IP addresses, to enumerate systems and users, etc.) and then try to make various lateral movements towards a progressive escalation of privileges that will optimise the culmination of its activity by eliminating the environment’s own resistance. Connections with their C2 (the attacker’s centre of operations, known as Command & Control) will be frequent in these movements.
The timing of the multiple phases used to often take several weeks to complete, although recent experiences in 2021 have confirmed shorter timescales (around one week in total in many cases), making detection and response platforms (EDR, XDR, etc.) even more urgently needed, if that is possible.
Once the actor has the desired level of knowledge and access, the attack will actually take place, either because a large amount of data is exfiltrated and encrypted, or because it is only exfiltrated (not all actors who follow this pattern exfiltrate data). In any case, within a very short period of time, a significant number of our client’s folders and files will have been compromised and encrypted, and the famous “ransom notes” will appear (similar to the traditional ones when it comes to kidnapping people) where we are usually informed about the attack, about the perpetrators (who will be identified by a certain nom de guerre, organisation name, etc.) and about the conditions of the “ransom”. The recovery of the files encrypted in the attack is usually very complex (the encryption mechanisms are very robust) and therefore, the actor will invite us to visit a page on TOR (Darkweb) where we can check how much time we have to make the payment (countdown) and the expected way to do it (usually with cryptocurrencies, to make it difficult to trace).
It is important to highlight the fact that, in recent months, the RaaS approach (Ransomware as a Service, borrowing the nomenclature of cloud services) has been used very intensively. In these cases, a first actor develops the software used to carry out ransomware attacks and shares it with a different actor who, under one of several models (profit sharing, monthly payment, etc.), will finally carry out the attacks. In this model, the first actor provides technical support to the second, so the actor who actually attacks does not need extensive knowledge of offensive technology.
Once an organisation is the victim of a ransomware attack, a significant number of computers (usually servers and, collaterally, workstations) will be encrypted and their performance will start to degrade (the attackers do not fully encrypt the systems to allow the ransom note to be displayed) or stop completely.
In many cases, the customer’s own IT/security services will detect the attack, or at least some aspects of it, and may even manage to contain part of it. In any case, the situation will be obvious within minutes. The impact on services will be immediate and absolute.
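The pattern described above (a burst of files renamed to a new extension on one host, followed by a ransom note dropped in the same shares) is exactly what an EDR or file-audit pipeline can alert on before the impact becomes "absolute". The following is an added illustration, not code from the original article or from Telefónica TECH: a small detector run over constructed file-event log lines. The log format (timestamp, host, event, path), the thresholds and the ransom-note filename hints are all assumptions chosen for the example, and would be tuned per environment.

```python
"""Toy ransomware-activity detector over constructed file-event logs.

Added example; not part of the original article or Telefónica TECH's tooling.
Assumed (constructed) line format:
    <ISO timestamp> <host> <event> <path>
where event is CREATE, WRITE or RENAME, and a RENAME path reads "old -> new".
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Heuristic thresholds (assumptions for this example, tune per environment)
RENAME_THRESHOLD = 5                      # files renamed to one new extension
WINDOW = timedelta(seconds=60)            # ... within this sliding window
RANSOM_NOTE_HINTS = ("readme", "decrypt", "restore", "how_to")

# Constructed sample log: srv01 shows a fast rename burst plus a note,
# srv02 renames the same number of files but slowly, ws07 is normal activity.
SAMPLE_LOG = [
    "2021-11-03T10:00:00 srv01 RENAME /srv/share/report.docx -> /srv/share/report.docx.locked",
    "2021-11-03T10:00:05 srv01 RENAME /srv/share/q3.xlsx -> /srv/share/q3.xlsx.locked",
    "2021-11-03T10:00:10 srv01 RENAME /srv/share/plan.pptx -> /srv/share/plan.pptx.locked",
    "2021-11-03T10:00:15 srv01 RENAME /srv/share/hr.pdf -> /srv/share/hr.pdf.locked",
    "2021-11-03T10:00:20 srv01 RENAME /srv/share/db.bak -> /srv/share/db.bak.locked",
    "2021-11-03T10:00:25 srv01 RENAME /srv/share/notes.txt -> /srv/share/notes.txt.locked",
    "2021-11-03T10:00:26 srv01 CREATE /srv/share/README_DECRYPT.txt",
    "2021-11-03T10:05:00 srv02 RENAME /data/a.doc -> /data/a.doc.locked",
    "2021-11-03T10:07:00 srv02 RENAME /data/b.doc -> /data/b.doc.locked",
    "2021-11-03T10:09:00 srv02 RENAME /data/c.doc -> /data/c.doc.locked",
    "2021-11-03T10:11:00 srv02 RENAME /data/d.doc -> /data/d.doc.locked",
    "2021-11-03T10:13:00 srv02 RENAME /data/e.doc -> /data/e.doc.locked",
    "2021-11-03T10:15:00 srv02 RENAME /data/f.doc -> /data/f.doc.locked",
    "2021-11-03T10:20:00 ws07 WRITE /home/ana/draft.docx",
    "2021-11-03T10:20:01 ws07 RENAME /home/ana/draft.docx -> /home/ana/draft.docx.bak",
    "2021-11-03T10:20:02 ws07 RENAME /home/ana/old.docx -> /home/ana/old.docx.bak",
]


def parse_line(line):
    """Split one log line into (timestamp, host, event, path)."""
    ts, host, event, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, event, path


def looks_like_ransom_note(path):
    """Cheap filename heuristic for dropped ransom notes."""
    name = os.path.basename(path).lower()
    return name.endswith(".txt") and any(h in name for h in RANSOM_NOTE_HINTS)


def detect(lines):
    """Return alerts as (host, new_extension, burst_size, note_seen) tuples."""
    renames = defaultdict(list)   # (host, new extension) -> rename timestamps
    notes = set()                 # hosts where a ransom-note-like file appeared
    for line in lines:
        ts, host, event, path = parse_line(line)
        if event == "RENAME":
            old, new = path.split(" -> ")
            new_ext = os.path.splitext(new)[1]
            # Only count renames that append/change the extension
            if new_ext and new_ext != os.path.splitext(old)[1]:
                renames[(host, new_ext)].append(ts)
        elif event == "CREATE" and looks_like_ransom_note(path):
            notes.add(host)

    alerts = []
    for (host, ext), stamps in renames.items():
        stamps.sort()
        best, j = 0, 0
        # Sliding window: largest number of renames inside any WINDOW span
        for i, t in enumerate(stamps):
            while t - stamps[j] > WINDOW:
                j += 1
            best = max(best, i - j + 1)
        if best >= RENAME_THRESHOLD:
            alerts.append((host, ext, best, host in notes))
    return alerts


if __name__ == "__main__":
    for host, ext, count, note in detect(SAMPLE_LOG):
        print(f"ALERT {host}: {count} files renamed to {ext} within "
              f"{WINDOW.seconds}s; ransom note seen: {note}")
```

Only srv01 is flagged: srv02 renames the same six files but two minutes apart, so the window-based count stays at one, and ws07's two `.bak` renames are ordinary backup activity. The rename burst on its own is the useful early signal; the ransom-note flag is corroboration, since by the time the note is written the encryption on that host is already under way.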
When an organisation suffers a ransomware-based security incident, it will initiate an Incident Response (IR) process that typically follows best practices from international bodies such as NIST (US) or ENISA (Europe). During this process it will essentially try to cover three stages:
- Containment (preventing the damage from spreading and the threat from growing)
- Eradication (eliminating the presence of the actor/malware so that it does not reactivate in the future)
- Recovery (of systems and services, securely and safely)
It is rare for the company/organisation to have enough resources of its own, or already-contracted service providers it can activate, to face this IR process alone, which is why Telefónica TECH’s DFIR (Digital Forensics, Incident Response) services are usually required.
How do we carry out an IR-Ransomware process?
Telefónica TECH’s incident response team has resources in several countries and offers various IR services globally, having carried out work for clients in Europe, USA and LATAM. The IR service is delivered in both Spanish and English.
The main element around which all the work revolves is an EDR (Endpoint Detection & Response) platform. If the client does not already have such a system deployed, the team activates one in the cloud and deploys one of our technology partners’ solutions in a matter of minutes.
The first meeting with the client is essential in order to provide initial guidelines and to support the client’s decision-making process: cut or minimise external communications, deploy or reuse an EDR platform, preventively shut down other systems and communications, and handle communication with the media, users, clients, etc., as well as the corresponding notification to the data protection authority that applies in the specific case.
Once the client has taken the first decisions, a mixed work team is formed in which different technical roles from both Telefónica TECH and the client (or related third parties such as manufacturers or service providers) participate and which will initiate a routine of work and regular checkpoints in a 24×7 mode (reaction time is fundamental). After a period of no less than 15 days, the situation is relatively stable, the threat will have been contained and eradicated and the level of recovery is usually high or total (perhaps with some loss of data due to the impact of the attack). It is common to hold parallel sessions to support the client on paralegal, regulatory, law enforcement or communication process issues.
In the following articles of this series we will look in more detail at the specific operations of the three main groups that Telefónica TECH works with in these IR-ransomware processes:
- The DFIR (general coordination, diverse forensic work, malware analysis, etc.)
- The group known as Threat Hunting (which will investigate and support the process in different ways using the EDR console as a focal point)
- The intelligence group, whose reports and specific suggestions will allow the containment work and forensic investigation to be focused in an optimal way.
Once the IR process is completed, the Telefónica TECH team will complete the delivery of the related documentation, always including a final investigation report and several collateral intelligence reports. In the final meeting, the report is reviewed, the client team’s questions are answered and the most important security recommendations are gone through.