Ransomware for business

What Is Ransomware?

According to the FTC, ransomware is a form of malicious software that infiltrates computer systems or networks and uses tools like encryption to deny access or hold data "hostage" until the victim pays a ransom, frequently demanding payment in Bitcoin.  According to the FBI, after the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, data may be deleted or leaked online as a form of extortion. 

How Is Ransomware Delivered?

According to the FTC, ransomware often arrives through email phishing campaigns, which typically require the user to take an action such as clicking on a link or downloading a malicious attachment. Other campaigns use drive-by downloads, where a user visits a malicious website or a site that has been compromised, and the act of loading the site causes the ransomware to automatically download onto the user's computer. In addition, ransomware is delivered through "malvertising" campaigns, where malicious code is hidden in an online ad that infects the user's computer. These attacks can occur even on trusted websites through third-party ad networks that redirect the user to an infected server.

• Scam emails with links and attachments that put your data and network at risk. These phishing emails make up most ransomware attacks.
• Server vulnerabilities that can be exploited by hackers.
• Infected websites that automatically download malicious software onto your computer.
• Online ads that contain malicious code — even on websites you know and trust.

Responding to Ransomware

It is recommended that organizations do the following to respond to Ransomware.

• Determine which systems were impacted, and isolate the infected computer immediately, and remove infected systems from the network as soon as possible to prevent ransomware from attacking the network or share drives.
• If several systems or subnets appear impacted, take the network offline at the switch level. It may not be feasible to disconnect individual systems during an incident. 
• If taking the network temporarily offline is not immediately possible, locate the network (e.g., Ethernet) cable and unplug affected devices from the network or remove them from Wi-Fi to contain the infection. 
• After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected. Be sure to isolate systems in a coordinated manner and use out-of-band communication methods such as phone calls or other means to avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken. Not doing so could cause actors to move laterally to preserve their access—already a common tactic—or deploy ransomware widely prior to networks being taken offline. Only in the event, you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection.   Please Note: Powering off a device will prevent you from maintaining ransomware infection artifacts and potential evidence stored in volatile memory. It should be carried out only if it is not possible to temporarily shut down the network or disconnect affected hosts from the network using other means. 
• Identify and prioritize critical systems for restoration and confirm the nature of data housed on impacted systems. 
• Prioritize restoration and recovery based on a predefined critical asset list that includes information systems critical for health and safety, revenue generation, or other critical services, as well as systems they depend on. 
• Keep track of systems and devices that are not perceived to be impacted so they can be deprioritized for restoration and recovery. This enables your organization to get back to business in a more efficient manner.
• Consult with your incident response team to develop and document an initial understanding of what has occurred based on initial analysis. 
• Engage your internal and external teams and stakeholders with an understanding of what they can provide to help you mitigate, respond to, and recover from the incident. 
• Share the information you have at your disposal to receive the most timely and relevant assistance. Keep management and senior leaders informed via regular updates as the situation develops. Relevant stakeholders may include your IT department, managed security service providers, cyber insurance company, shareholders, investors, suppliers, and departmental or elected leaders.
• Immediately secure backup data or systems by taking them offline, and ensure backups are free of malware.
• Contact law enforcement immediately.
• Collect and secure partial portions of the ransomed data that might exist if available.
• Change all online account passwords and network passwords after removing the system from the network if possible, and change all system passwords once the malware is removed from the system.
• Delete registry values and files to stop the program from loading.
• Implement security incident response and business continuity plans.
• Conduct a post-incident review of the response to the incident, and assess the strengths and weaknesses of the incident response plan. 

How Should You Report Ransomware to Law Enforcement?

The FBI is requesting that victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center with the following ransomware infection details (as applicable).

• Date of infection
• Ransomware variant (identified on the ransom page or by the encrypted file extension)
• Victim company information (industry type, business size, etc.)
• How the infection occurred (link in email, browsing the Internet, etc.)
• Requested ransom amount
• Actor's Bitcoin wallet address (may be listed on the ransom page)
• Ransom amount paid (if any)
• Overall losses associated with a ransomware infection (including the ransom amount)
• Victim impact statement 

Should Organizations Pay the Ransom?

The FBI does not support paying a ransom to the adversary because it does not guarantee the victim will regain access to their data. In fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit and could provide an incentive for other criminals to engage in similar illicit activities for financial gain. Although the FBI does not support paying a ransom, it recognizes that executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.

There are serious risks to consider before paying the ransom. USG does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup. Ransomware victims may also wish to consider the following factors:

• Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.
• Some victims who paid the demand were targeted again by cyber actors.
• After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key.
• Paying could inadvertently encourage this criminal business model. 

What Prevention and Continuity Measures Exist?

• Invest in resiliency. Participate in ransomware exercises to build the muscle memory in your organization to respond quickly and consider common decisions associated with a ransomware attack. Upskill your teams (not just security, but everyone who needs to be involved in case of an attack) to be able to anticipate, communicate, respond, and identify any gaps in your process or communications.
• Vault your data. Savvy ransomware attackers go into your system and delete your backup before sending ransom notes and encrypting data. Make sure your critical data is archived in an offline vault that is detached from the rest of your systems. If your backups remain online, ensure segregation from production systems, and use unique credentials for access. 
• Protect your endpoints. Since ransomware targets endpoints, focusing on them reduces the likelihood of initial compromise, promotes early detection, and minimizes spread. 
• Deploy agent-based disk and process/execution scanning (EDR) to identify and block known malicious software and behaviors. 
• Implement network-based IPS that can identify and drop malicious network traffic, as well as block known malicious domains and IPs. 
• Use DNS Filtering to prevent access to newly registered and unverified domains. 
• Limit remote administrative access (RDP) and enforce MFA. 
• Require signed executables and scripts to avoid unsanctioned or malicious executables running in your environment.
• Perform ongoing patch management prioritizing remediation of public, remote, and crown jewel systems.