Ransomware incident response

Handling a targeted ransomware attack

06/24/2022

Perhaps the most interesting case last year was the incident management of a European financial firm’s application. The unnamed company had a significant number of its servers compromised by a targeted ransomware attack. The attacked infrastructure provided services that were used by hundreds of partners continuously, in real time. These partners were in direct contact with end users, a prolonged loss of service would have caused critical problems.

The ransomware attack was targeted, fitting into a typical attack scenario (based on tools-tactics-procedures). Detecting the fact of a ransomware attack was not easy, mainly due to the size of the attacked infrastructure. Most of the client’s critical data was stored on virtual machines, which were saved as large, standalone files. During the investigation, we discovered a feature of the ransomware that could be used to separate the compromised file parts from the undamaged ones, thus later restoring the system.

In addition to the technological aspects, the following factors had to be managed as well:

• The client had to execute the forensics methodology calmly and professionally during the recovery, accepting the fact that there could be unforeseen pitfalls and that success only had a probability and was not a certainty.
• Even though the client may have had multiple levels of backups, recovery using even the most recent backup is a time-consuming task, and if anything goes wrong, the process can take a considerable amount of time.
• During the recovery process, no shut down system could be turned back on, this action could have caused additional problems, for example, booting up infected systems could have caused further systems to be damaged or compromised.

We had to provide essential assistance in the following areas:

• Incident interpretation, detection, assessment. Based on the log files provided, we were able to reconstruct the attack vector quite accurately (you can never be 100% sure though).
• Helping the client to regain control: normalizing initial near panic states; rapid demonstration of forensics processes; initiating coordinated, calm incident management; preparing decisions for senior management.
• Informing the client about the situation in an understandable way, so management can make immediate and correct decisions about: denunciations, partner briefings, press relations and communication, recovery strategy, recovery organization principles, specific case management and assessment of specific systems, logging, evaluation, root-of-cause identification, evaluation of the attacker.
• Coordination with different teams: technical, governance, legal, communications.
• Information sharing and analysis tasks, suggestions for correct communication.

With the help of the procedures and specific technical ideas detailed above, the company was able to restart its operations in a matter of days, without paying the attackers. Through the process we were able to find a heuristic, quick and efficient solution to negate the effects of the attack, instead of going with the trivial, but complex and time-consuming way. The success is mutual: the company under attack organized the recovery efficiently, we worked hard to fix the problem with our best people and the coordination was smooth, which is rare in such tense situations. In addition, during the investigation we were able to identify several vulnerabilities in the client’s systems, which were reported and later patched.

The loss of services could have affected hundreds of companies if it had been a longer-term problem, but we were able to pull together the most successful of all the possible scenarios, which meant that the case did not end in either a financial or a PR disaster.

Generally speaking, the key factor in the success of incident management is the attacked company itself. It must be prepared for similar cases like the one described above, the external team of experts can only rely on knowledge, tools and procedures acquired before and already in effect during an attack. Our job is to make the most out of this internal preparation, and to take it to the next level.

[This service is available in the form of a subscription.]