Incident Response Services

Resolve ransomware vulnerabilities and incidents quickly and efficiently, with a long-term solution, using White Hat rapid response and full-scale management services

  • Manage ransomware cases and incidents
  • Root cause analysis & digital forensics
  • Ensure long-term protection

Remember: once a breach is detected you have 72 hours to report it to the authorities! Do you need help? Contact us for reporting assistance!


Service Overview

24/7 proactive security and cutting-edge services

White Hat IT Security is an MSSP recognized by industry giants such as Microsoft and Zimperium for its full-scope, advanced managed solution. Defence and response are complemented by additional services that provide 360° security, including awareness training, phishing campaigns, penetration testing and ISMS development to ensure compliance with top industry standards.


Incident Response in 6 steps

Incident response is a structured process that organizations use to identify and deal with cyber security incidents. The response consists of several stages:

  1. preparation for incidents
  2. detection and analysis
  3. containment
  4. eradication
  5. full recovery
  6. post-incident analysis and lessons learned

Ransomware

Learn more about ransomware

Our team of IT security experts apply their extensive knowledge of cyber security best practices and standards to ensure that mission-critical systems are reliably protected from all known and emerging threats. With our cybersecurity consulting services, we help our clients stay safe.


What is ransomware?

Ransomware is a type of malware used by criminals to extort money from individuals, organizations, and businesses. Nowadays, the term ransomware almost exclusively means encrypting ransomware, which encrypts the victim’s data and demands a ransom payment in exchange for the decryption keys needed to restore it.

To make things even worse, most ransomware groups do not just render your data inaccessible: they also copy the most sensitive parts and threaten to publish them unless a further payment is made.

How do the attacks happen?

INITIAL ACCESS. Attacks start with gaining access to the organization. This usually happens quietly; most attacks can be traced back to phishing emails, weak credentials on publicly accessible devices, or the use of previously leaked accounts as the initial access point. These events may occur months before the ransomware is launched, but compromising a whole organization has been shown to take as little as a few hours.

PRIVILEGE ESCALATION. Right after ransomware operators have gained access to a device in the victim’s environment, they start hunting for high-privileged accounts, such as domain administrators’. They tend to use publicly available red team tools, or even pirated commercial software, to harvest the credentials of privileged accounts. Once they have these privileges, all other tactics come into play:

  • moving laterally through the network to find sensitive data, storage, backups, critical systems and corporate accounts;
  • exfiltrating as much sensitive data as possible in order to raise the ransom amount even further;
  • obtaining access to as many devices as possible in order to eventually launch the ransomware on all of them at the same time, making the attack as devastating as possible.

What can you expect if you are affected?

REALIZATION. By the time a confirmed ransomware attack is detected in your organization, most likely all business processes will already have been halted by the ransomware. The production environment is now stopped because the underlying servers and databases were hit, and no one can access the company email. The workstations are not functioning properly, shared storage contains only encrypted files, and logins to the machines fail because domain services are stopped and will not restart. If the attackers found the backup storage, even the backups are gone.

ASSUME BREACH. Assume that the impact is not only the encryption of data along with all its consequences: the attackers do have your data, and they will demand a higher price in exchange for not publishing the sensitive parts. The attackers gained the highest privileges available in your environment to launch the attack, and you can expect that they will not give up these privileges and their access to your organization easily. Most devices are victims, but some still contain and run malicious code, giving the attackers access whenever they wish. Without proper eradication and removal of these, you can count on them coming back.

LONG RECOVERY. You can try to negotiate with the attackers, but even if you choose to pay the ransom, there is no guarantee. As long as they have access to the data, they can demand money for it. Even if they provide a decryptor tool for your files, it might not work properly. Even if it does work, the decryption has to be done machine by machine, one at a time, which usually takes even longer than restoring from backups. Ultimately, they can publish the stolen data at any time, regardless of payment. The recovery process is going to be long and tedious, and costly decisions will have to be made along the way; we advise you not to pay criminals.

AFTERMATH. Even after the hardest parts are over, expect consequences that could lead to another attack on your organization or on one of your partners’ networks: due to the breach, the attackers have company data that may include partner information, your employees’ email addresses and credentials, and even the messages themselves. These can and likely will lead to future phishing campaigns against your employees and partners, using your identities and email formats.

What should you do if you are a victim?

ASK FOR HELP. The first actions shortly after detection are key: we recommend involving third parties who are experienced in incident response. Among other things, you should set up emergency teams, a chain of command and emergency communication channels, reach out to employees in any way you can to inform them about the incident, give them clear instructions, and provide them with access to the emergency communication channels if necessary. The rule of thumb is: network access should be cut, and machines that are turned off should not be turned on until further investigation.

DO NOT PAY. Negotiating with criminals and paying the ransom is ultimately your decision, but we encourage you not to pay, as there is no guarantee whatsoever that they will hold up their side of the deal (e.g. providing a decryptor, not publishing data, not infecting the network again, providing details on how they gained access). Moreover, paying the ransom pours even more into the millions of euros these groups already have, financing ever more advanced attacks in the future.

ISOLATE. The impact of a ransomware compromise depends heavily on whether the organization has backups of its data, or of parts of its data, and whether these backups survived the infection. Isolate storage that contains only intact data or backups; it will help the most in restoring business-critical systems as fast as possible.

COMMUNICATE. Being transparent towards your employees, partners, stakeholders and the public is always encouraged, especially in hard times. Giving them regular updates as the investigation and the recovery progress may seem tedious, but we urge you to keep others informed. Furthermore, security incidents have to be reported to the local authorities, both regarding the data breach and the criminal activity.

PRIORITIZE. Define the business-critical elements that need to be restored first and make them the priority. Business continuity has to be reinstated and core processes have to be running again, as does email communication, but only you can define what is most important. The steps of recovery are detailed further below.

ANALYZE. If you restore your environment to the exact same state it was in before, it either means that the attackers still have access to your network, or at least that you still have the same weaknesses they originally exploited. This is why it is crucial to have an experienced team of forensic analysts, network forensic analysts and malware analysts who can trace back the security events leading to the ransomware attack. Unfortunately, due to the destructive nature of the ransomware itself and the attackers’ evasiveness, these forensic artifacts will not always be present or recoverable, but it is still worth conducting the root cause analysis. The goal of the investigation is to find and patch the weaknesses the attackers found and used during their attack, not to point fingers.

PROTECT. Once the recovery is complete and you are back in business, it is high time to take steps to decrease the risk of such events ever happening again. If an organization cannot prove that it had at least basic defensive measures in place, it will most likely face a significant fine from data protection authorities, and the insurance company can and will deny coverage. Also keep in mind that the new infrastructure has been reinstalled hastily in a very short period of time, which increases the chance of introducing yet another weakness, so we encourage you to double-check your configurations, your public-facing devices and services, and the protection of user credentials. Protecting enterprises or SMBs has its own challenges and is a continuous grind, but it still costs orders of magnitude less than the implications of a full-scale security incident such as a ransomware attack.

The steps of recovery

CLEAN INSTALL. Regardless of whether you have intact backups, we recommend clean installs on affected devices. For workstations, this may even take less time than investigating and cleaning up each endpoint. Reinstalling servers takes time, but most services have to be restored manually anyway, including domain services and local databases. Be careful when restoring virtual machines from image backups, as they may contain working ransomware or other malware samples depending on the time of archiving and the timeline of the attack.

EVALUATE DECISIONS. Organizations that have been victims of a ransomware attack before often choose to ‘migrate’ some of their assets to cloud providers as a step of recovery. Always evaluate before making these decisions, even when time is not on your side while business is halted. Some services, such as email or shared storage, can easily be moved to cloud providers and may be a better long-term solution, but it is probably not a good time to switch your most profitable or critical systems to new platforms, as doing so may delay recovery.

As the endpoints and services come back up, it is important to monitor them constantly during the whole recovery phase, looking for suspicious activity.

15,372 COMPANIES ARE HACKED DAILY

Don't be the next: we can help you!

