SentinelOne Malware Protection

The document is a comprehensive guide by SentinelOne on enterprise ransomware protection, detailing the evolution, methods of infection, and various ransomware examples. It emphasizes the importance of understanding ransomware threats, planning for incidents, and implementing effective response and prevention strategies. The guide aims to equip organizations with the knowledge to protect against the growing ransomware menace.

SentinelOne
The Complete Guide to Enterprise Ransomware Protection
By SentinelOne, September 2021

Table of Contents
Introduction
Understanding the Ransomware Threat
- Methods of Infection
- Common, Prevalent and Historic Ransomware Examples
- The Ransomware as a Service (RaaS) Model
- The Ransomware "Kill Chain"
Planning for a Ransomware Incident
- Incident Response Policy
- Recruitment
- Define Roles and Responsibilities
- Create a Communication Plan
- Test Your Incident Response Plan
- Review and Understand Policies
Responding to a Ransomware Incident
- Identification
- Containment
- Eradication
- Recovery
- Post-Incident
Prevention: Reducing Your Attack Surface
- Threat Intelligence
- Discovery and Inventory
- Control Vulnerabilities and Harden Configuration
- Control Human Vulnerabilities
- Improve Endpoint Security
How Can SentinelOne Help?
- Prepare
- Protect
- Respond
- Recover

01 Introduction

Ransomware is a form of malicious software that, when deployed on a device, encrypts a user's sensitive data. In order to secure a decryption key or initiate a decryption process, the victim is required to pay a ransom to the attacker, usually in the form of cryptocurrency such as Bitcoin. The amount demanded by attackers can vary, with ransoms typically in the range of $200 to over $10,000 per endpoint, depending on the size of the enterprise and the value of the data held for ransom.

Ransomware, in concept, can be traced back to the late 1990s and early 2000s with the rise in popularity of "FakeAV" or fake system utilities which "find" false infections or nonexistent system issues, then demand (aka extort) fees in order to enable "removal" of these fake artifacts. Eventually, these morphed into threats like PGPCoder and similar. These threats have much in common with modern ransomware, but there was still a weakness in the chain in the form of payment collection, processing, and management. When attackers had to rely on more tangible means of payment through legitimate conduits like Western Union, Perfect Money, and wire transfers, there was far more risk involved. These payment systems were easily traceable and prone to various points of failure.

The rise of cryptocurrency was the answer ransomware and other malware developers had been waiting for. Bitcoin and similar technologies allow for a far simpler, more streamlined and dynamic payment architecture for criminals, who could now use these blockchain-based currencies to control ransom demands over time, and collect and manage all payments tightly. Bitcoin, Litecoin, Monero and others also greatly obfuscate transactions, making it more difficult for law enforcement to tie transactions directly to individuals. Once cyber criminals fully embraced cryptocurrencies, ransomware was propelled into the model we see today.

Aside from demanding payment to decrypt files, ransomware operators may also threaten to publicly leak the victim's data if payment is not made. This complicates the scenario in multiple ways: aside from dealing with the immediate problem of restoring access to files and services, organizations may have to declare a breach incident to regulators, could face regulatory fines, reputation loss, legal action from clients, and the risk of sensitive data or IP leaking to competitors. All these complications could remain in play regardless of whether the victim actually pays the initial ransom demand.

The SentinelOne Complete Ransomware Guide will help you understand, plan for, respond to and protect against this now-prevalent threat. This guide offers examples, recommendations and advice to ensure you stay unaffected by the constantly evolving ransomware menace.

02 Understanding the Ransomware Threat

Methods of Infection

Understanding how ransomware infects and spreads is the key to avoiding falling victim to an attack. Post-infection, ransomware can spread to other machines or encrypt network files in the organization's network. In some cases, it can spread across organizational boundaries to infect supply chains, customers and other organizations. All of the following can be vectors of infection for ransomware attacks:
1. Phishing
2. Compromised Websites
3. Malvertising
4. Exploit Kits
5. Downloads
6. Messaging Applications
7. Brute Force via RDP

Phishing
Still the most common method for attackers to initially infect an endpoint with ransomware is through phishing emails. Increasingly targeted, personalised and specific information is used to craft emails to gain trust and trick potential victims into opening attachments or clicking on links to download malicious files. Malicious files can look indistinguishable from normal files, and attackers may take advantage of a default Windows configuration that hides the file's true extension. For example, an attachment may appear to be called filename.pdf, but revealing the full extension shows it to be an executable: filename.pdf.exe! Files can take the form of standard formats like MS Office attachments, PDF files or JavaScript. Clicking on these files or enabling macros allows the file to execute, starting the process of encrypting data on the victim's machine.

Compromised Websites
Not all ransomware attacks have to be packaged in a maliciously-crafted email. Compromised websites are easy places to insert malicious code. All it takes is for an unsuspecting victim to visit the site, perhaps one they frequent often. The compromised site then reroutes to a page that prompts the user to download a newer version of some software, such as the web browser, plugin, or media player. If clicked, the ransomware is either activated directly or runs an installer that downloads and runs the ransomware.

Malvertising
If a user has an unpatched vulnerability in his or her browser, a malvertising attack can occur. Using common advertisements on websites, cyber criminals can insert malicious code that will download the ransomware once an advertisement is displayed. While this is a less common ransomware vector, it still poses a danger since it doesn't require the victim to take any overt action such as downloading a file and enabling macros.

Exploit Kits
Angler, Neutrino, and Nuclear are exploit kits that have been widely used in ransomware attacks. Exploit kits are a type of malicious toolkit with pre-written exploits that target vulnerabilities in browser plugins like Java and Adobe Flash. Common ransomware like Locky and CryptoWall have been delivered through this vector on booby-trapped sites or through malvertising campaigns.

Downloads
Any file or application that can be downloaded can also be used for ransomware. While downloadables on illegal file-sharing sites are ripe for compromise, there is also potential for attackers to exploit legitimate websites to deliver an infected executable. All it takes is for the victim to download the file or application and then the ransomware is injected.

Messaging Applications
Through messaging apps like Facebook Messenger, ransomware can be disguised as scalable vector graphics (SVG) to load a file that bypasses traditional extension filters. Since SVG is based on XML, cybercriminals are able to embed any kind of content they please. Once accessed, the infected image file directs victims to a seemingly legitimate site. After loading, the victim is prompted to accept an install, which if completed distributes the payload and goes on to the victim's contacts to continue the impact.

Brute Force via RDP
Attackers use ransomware like SamSam to directly compromise endpoints using a brute force attack through Internet-facing RDP servers. Remote Desktop Protocol enables IT admins to access and control a user's device remotely, but this presents an opportunity for attackers to exploit it for criminal use. Attackers can search for vulnerable machines using tools like Shodan and port scanners like Nmap and Zenmap. Once target machines are identified, attackers may gain access by brute-forcing the password to log on as an administrator. A combination of default or weak password credentials and open source password-cracking tools such as "Aircrack-ng", "John The Ripper" and "DaveGrohl" help achieve this objective. Once logged on as a trusted admin, attackers have full command of the machine and are able to drop ransomware and encrypt data. They may also be able to disable endpoint protection, delete backups to increase the likelihood of payment, or pivot to achieve other objectives.

Ransomware continues to evolve, with ransomware-as-a-service now growing in popularity. Malware authors sell custom-built ransomware to cyber criminals in exchange for a percentage of the profit. The buyer of the service decides on the targets and the delivery methods. This division of labour and risk is leading to increasingly targeted malware, innovation in delivery methods and ultimately a higher frequency of ransomware attacks.

Common, Prevalent and Historic Ransomware Examples

Ransomware comes in all shapes and sizes. Over the last five years we have seen a wide variety of ransomware, with new ones appearing regularly. Below are just a few examples.

WannaCry
WannaCry hit a number of high profile businesses around the world in 2017, including Renault, FedEx and Britain's national health service. It infected Windows computers, encrypting files and crippling many businesses and public organizations such as the National Health Service in the U.K. WannaCry used an innovative attack vector, exploiting a vulnerability in the Windows implementation of the Server Message Block (SMB) protocol which helps various nodes on a network communicate. The worm component spread the infection by scanning for IP addresses of other computers.

GandCrab
GandCrab was released at the end of January 2018 and quickly rose in popularity among cybercriminals, mainly due to its innovative affiliate scheme. It was the first ransomware to be observed using the Dash cryptocurrency for payments rather than the more popular Bitcoin. GandCrab is distributed via the RIG and GrandSoft exploit kits, as well as via email campaigns and compromised websites. Information released by the malware authors stated that "In one year, people who worked with us have earned over US $2 billion," and it is estimated to have infected over a million victims to date. Notably, GandCrab checks for the existence of a keyboard with Russian layout and aborts if found.

Maze
Maze was initially observed in May 2019. Becoming more prevalent throughout 2019, its authors claimed credit for attacks on both Allied Financial as well as the City of Pensacola, Florida. Maze added a new trick to the ransomware extortion racket, by first exfiltrating the victim's data before encryption. This allows the attacker extra leverage to ensure payment: if the ransom demand is not met, the attackers dump part of the victim's sensitive data to a public repository. The data may contain confidential intellectual property, or more commonly PII of the victim's customers, thus setting up the possibility of further financial penalties in the form of severe reputation loss and/or lawsuits.

RobinHood
The RobinHood (aka 'RobbinHood') ransomware was previously used in the high-profile infections encrypting computers of large government entities like the City of Greenville and the City of Baltimore. The ransomware does not spread within the network. It drops all Windows shares, which likely means that the ransomware is pushed to each machine individually after the initial network breach. Whilst the ransomware does not appear sophisticated, it is typically deployed as part of a well-planned and orchestrated network intrusion, and consequently results in high payouts with individual ransoms set per machine.

Cerber
Cerber emerged in early 2016 as a highly-exclusive RaaS. It differed from more common 'public' ransomware services in terms of vetting clients and the granting of affiliate access. The platform was designed to offer ransomware distributors efficiency and automation, making operation, management and payment processing and manipulation very streamlined. Delivery was typically achieved via spam/phish email or drive-by downloads, though it was also seen used in conjunction with various exploit kits (e.g. RIG). Cerber is also known for additional features such as discovery and theft of cryptocurrency wallets.

Ryuk
Ryuk has been responsible for numerous high-profile attacks over the last few years. This includes a 2018 attack on the Los Angeles Times. It has also been associated with (though not exclusively) the Lazarus group (DPRK). Ryuk is known to be particularly aggressive in terms of speed-of-encryption as well as additional measures to cripple defenses and recovery options on machines. Ryuk, like other ransomware families, will attempt to terminate processes known to be associated with endpoint security products. This is in addition to the deletion of backup Volume Shadow Copies (VSS). Such features are not exclusive to Ryuk; however, combined with the prolific nature of Ryuk's infections, it has proven to be a powerful and dangerous combination. Over the years, the actors behind Ryuk have collected millions of dollars in profit.

CryptoLocker
CryptoLocker was first reported in late 2013 and was one of the first to employ the encryption/ransom technique. Originally, it also gave victims only 72 hours to make payment before the decryption key was permanently deleted. CryptoLocker made a point of targeting businesses specifically, and file encryption was focused on business application files belonging to Microsoft Office and Adobe products. Famously, one of CryptoLocker's early victims was the Swansea Police, who themselves were forced to pay a ransom to recover their own data.

TeslaCrypt
TeslaCrypt was detected in February 2015. Originally, it targeted computer game data such as game saves and player profiles. Early versions of TeslaCrypt were also found to be decryptable by security researchers. Newer variants of TeslaCrypt were not focused on game-related data and also encrypted JPEG, PDF, and other file types, and closed the programming flaw that made it possible to create public decryptors.

Locky
Locky was first discovered in February 2016. Distributed through malicious email attachments, it encrypts files and renames them with the .locky extension. Locky ransomware also deletes any VSS backup 'shadow' copies of original files made by the Windows operating system and changes the computer's desktop wallpaper to an image file displaying the ransom message with details of how to pay.

NotPetya
NotPetya hit the news in 2017, rapidly spreading to affect a wide range of organizations across 65+ countries, drawing comparisons with the WannaCry attack. While it shows characteristics similar to ransomware, NotPetya is more akin to a wiper, which is generally regarded as a kind of malware responsible for destroying data on the target's hard disk. NotPetya infects the master boot record (MBR) and prevents the system from booting. Even if the ransom is paid, however, the damage from NotPetya is irreversible, so it is likely that the actor's aim was to sabotage the infected system rather than gaining money out of it.

SamSam
SamSam ransomware was first seen in 2015 and has been increasingly used in targeted attacks on healthcare, schools, and other networks containing valuable sensitive information. SamSam is unique because it infects servers directly using a vulnerability in Red Hat's JBoss enterprise products. Attackers use tools like JexBoss, an open-source penetration testing tool, to identify unpatched vulnerabilities in JBoss application servers. Having gained access to a system, the operators move laterally from the entry point to identify more hosts and manually deploy more ransomware. SamSam deletes shadow copies after encrypting the original files.

CryptoWall
CryptoWall was first discovered in June 2014, and primarily distributed through emails with ZIP attachments in order to bypass blacklisting from anti-spam email security solutions. A commonly used trick with CryptoWall ransomware is to rename an .exe file as a .scr or .pif file, and then zip it, as Windows usually will still execute such files normally. Users may suspect that a .exe could be malicious, but few users are aware of other executable extensions. CryptoWall encrypts files and deletes any VSS or shadow copies to prevent data recovery.

REvil
Used in targeted ransomware attacks throughout 2019, REvil ransomware hit one of America's largest data center providers, CyrusOne. It is also believed to have been used in the Travelex breach on New Year's Eve, 2020, when criminals demanded a ransom of $3m. With the apparent retirement of GandCrab, affiliates are looking for a new tool and this is increasingly looking like a similar affiliate set up. It may build on the GandCrab source code and business model, but REvil campaigns can differ in skills and tools due to the different affiliates operating these campaigns.

Snake
First appearing in January 2020, Snake (aka Ekans) ransomware is written in Golang and is capable of cross-platform infections. Large-scale targeted campaigns have hit healthcare organizations across the world, with a sustained campaign occurring throughout May 2020. Snake has been known to target ICS systems and supporting environments. Snake infections come equipped with a hard-coded process 'kill list' to terminate any processes or applications that either interfere with its encryption routines or the collection of data. Early Snake campaigns included many ICS-specific processes in these lists, leading many to view Snake as an ICS-specific threat. That is not entirely the case, as the kill list can be customized for any environmental requirements. As with other recent variants of ransomware, Snake attempts to also exfiltrate victim data prior to encryption. Victims that refuse to comply with the ransom demand within 48 hours are threatened with a data leak.
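The hidden-extension trick from the Phishing section (filename.pdf.exe) and the CryptoWall trick of zipping an executable renamed to .scr or .pif can both be caught by inspecting attachment names before a user ever sees them. The following is an added example and not code from the SentinelOne guide; the extension sets, the function names and the sample ZIP are constructed assumptions.

```python
"""Added example: flag attachment names that use the disguises the guide
describes, a double extension such as filename.pdf.exe (relying on Windows
hiding the real extension) or an executable renamed to .scr/.pif and zipped.
Not code from the SentinelOne guide; the extension sets are an assumption."""
import io
import zipfile
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# Extensions Windows treats as programs or scripts. The guide notes users
# know .exe is risky but rarely recognise .scr or .pif as executable.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".vbs", ".hta"}
# Extensions a recipient expects to open as harmless documents or images.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                 ".jpg", ".png"}


def classify_name(name: str) -> Optional[str]:
    """Return why a file name looks like a disguised executable, or None."""
    # Normalise Windows separators so only the final path component is examined.
    suffixes = [s.lower() for s in PurePosixPath(name.replace("\\", "/")).suffixes]
    if not suffixes:
        return None
    last = suffixes[-1]
    if last not in EXECUTABLE_EXTS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        # filename.pdf.exe: the .pdf is all a user sees with extensions hidden.
        return f"double extension: looks like {suffixes[-2]} but runs as {last}"
    return f"executable attachment ({last})"


def inspect_zip(data: bytes) -> List[Tuple[str, str]]:
    """List suspicious member names inside a ZIP without extracting anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            reason = classify_name(member)
            if reason:
                findings.append((member, reason))
    return findings


def inspect_attachment(name: str, data: bytes) -> List[Tuple[str, str]]:
    """Check the attachment's own name, then its contents if it is a ZIP."""
    findings = []
    reason = classify_name(name)
    if reason:
        findings.append((name, reason))
    if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        findings.extend(inspect_zip(data))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP carrying an inert text file named like a
    renamed screensaver executable, the CryptoWall delivery trick."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.scr", b"placeholder text, not a program")
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for item in inspect_attachment("invoice.zip", build_sample_zip()):
        print(item)
```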
The Ransomware as a Service (RaaS) Model

Throughout 2019 and into 2020 there was an increasing trend by some of the above as well as new ransomware families of selling ransomware as a service to other cybercriminals. In particular, Maze, REvil, NetWalker, Nephilim, Project Root, SMAUG and others began following the RaaS model.

RaaS is not new, however. Starting with TOX, a whole new generation of criminals found a way into the thriving ransomware economy through high-level offerings aimed at non-skilled buyers. TOX quickly imploded under the attention it drew from the security industry, but others were quick to pick up on the trend. Services such as Nemesis, SATAN, Encryptor RaaS and more quickly rose up to fill the demand. Eventually more sophisticated efforts embraced the RaaS model as well. For example, Petya started out as a highly-destructive and closed ransomware ecosystem. However, its operators eventually opened up the system as a full public RaaS, allowing anyone to create an account and generate their own Petya or Mischa payloads for no cost up front. These services eventually evolved into GoldenEye.

[Image: Janus announcement that public registration for its RaaS system had opened, with an .onion address for the service]

While the idea of RaaS has an established history, it has become increasingly prevalent in 2019/2020. RaaS services are an attractive way to distribute and manage ransomware and the subsequent profits with a low barrier to entry. Buying ransomware as a service requires no prior coding skill, provides instant results and is cheap to launch. Typically, these services either require an up front payment from clients or a share of the profits once the victims pay. For ransomware developers the benefits are that they do not need to concern themselves directly with either the risk or the trade-craft of finding and infecting targets. This division of labor means that criminals with different areas of expertise and interest can effectively combine their skills to make attacks more efficient and more profitable.

[Image: Project Root RaaS advertisement]

Worth mentioning in this discussion are 'ransomware builders' or kits. These are sort of the 'bargain bin' intersection of ransomware and RaaS models. They allow unskilled attackers to generate their own ransomware payloads, but they do not include any of the hallmark features of a full RaaS. These kits are simply applications that output new ransomware binaries. Many are derived from experimental, openly published projects such as Hidden Tear.

The Ransomware "Kill Chain"

Ransomware, while unique from other malware, still exhibits several telltale signs which can indicate that an attack is underway. The MITRE ATT&CK framework provides a common language for defenders to better understand the elements of an attack, detect an attack and prepare for it by discovering if they could defend against such a threat. In line with the MITRE ATT&CK framework, the following offers a high level flow of events in a typical ransomware attack.
- TA0001 Initial Access: The adversary is trying to get into your network.
- TA0002 Execution: The adversary is trying to run malicious code.
- TA0003 Persistence: The adversary is trying to maintain their foothold.
- TA0004 Privilege Escalation: The adversary is trying to gain higher-level permissions.
- TA0005 Defense Evasion: The adversary is trying to avoid being detected.
- TA0006 Credential Access: The adversary is trying to steal account names and passwords.
- TA0007 Discovery: The adversary is trying to figure out your environment.
- TA0008 Lateral Movement: The adversary is trying to move through your environment.
- TA0009 Collection: The adversary is trying to gather data of interest to their goal.
- TA0011 Command and Control: The adversary is trying to communicate with compromised systems to control them.
- TA0010 Exfiltration: The adversary is trying to steal data.
- TA0040 Impact: The adversary is trying to manipulate, interrupt, or destroy your systems and data.

A common high level attack may look similar to the following:

[Figure: Common Ransomware Attack]

03 Planning for a Ransomware Incident

You should prepare for a possible ransomware incident by creating all the relevant components for an incident response management process. You need to consider specific ransomware responses and recognize that existing IR plans might not be applicable to ransomware incidents due to the combined possibilities of encryption, loss of access to critical system files and services, and data breach notification issues. Developments throughout 2019 and early 2020 made it clear that most ransomware infections would now need to be treated as possible full data breaches, including all the regulatory and legal requirements around breach notification and open disclosure. This includes understanding relevant regulatory fines and penalties such as GDPR, and tying that assessment into risk management processes and calculations. The permanent inaccessibility of and damage to important files may also lead to specific challenges that need to be considered in order to restore business continuity. With that context in mind, there are six key elements which should be considered when planning and preparing for a ransomware incident:

Incident Response Policy
When writing an effective incident response policy to deal with ransomware, the six-step SANS process for incident handling provides a useful place to start. Considering what you would do if you were attacked forms the basis of the policy and gives you a framework to follow in response. The six steps of the Incident Response Policy are:
1. Preparation phase: How are staff trained and prepared? What tools and resources are they armed with to respond to ransomware incidents? Consider awareness and education for users here.
2. Identification phase: How do you recognize and detect a ransomware incident? How do you go about understanding the strain of ransomware, attack vector, attack group and real motivation, through gathering data and performing initial analysis?
3. Containment phase: With ransomware it is imperative that infected systems are quickly contained to limit the damage. How will you contain the incident from spreading to network shares and other connected devices? Actions to consider include:
   - Shutting the system down
   - Turning off the system's port at the switch
   - Utilizing network access control (NAC) to isolate the system
   - Implementing the quarantine feature of your EDR solution
4. Eradication phase: How will you perform a forensic analysis of data to determine the cause of the incident, remove the ransomware from infected devices, patch vulnerabilities and update protection? Ransomware might not be the only malware on the system, just the noisiest. Consider that the detected attack may be a pivot or diversion, so include wider forensic analysis and methods to assign attribution in order to uncover and respond to what might be a wider campaign.
5. Recovery phase: How will you return to normal operation? Reimaging or restoring from backup may not work if the ransomware lay dormant during the last image or backup cycle, or if part of the ransomware attack was to seek and destroy back-ups. With ransomware you should consider:
   - How to identify and decrypt using communities like No More Ransom
   - How to quickly and easily rebuild affected devices and servers
   - Whether payment is an option. Can you pay, do you have access to Bitcoin, do you need a middleman?
6. Post-Incident phase: After the incident is resolved, what can you learn to prevent it from happening again in the future?
   - How will you document the incident? Detail improvements to IR plans, additional security controls, preventative measures or new security initiatives.
   - How can you monitor to stop repeat performances or further connected activities? What IOCs do you need to collect and how do you use them in any monitoring technology?
   - How can you improve and update organizational threat intelligence feeds?
   - How will you understand and quantify the financial impact on the organization, in terms of man hours, business down time, regulatory fines and possibly ransoms paid?

We discuss responses to these challenges in the Responding to a Ransomware Incident section later in this guide.

Recruitment
Teams assembled to deal with ransomware may need specific skills, knowledge and access to relevant system tools and technologies in order to effectively detect, investigate and respond. This may include outsourced help as well as non-technical staff like executives, PR and media teams. You may need links to legal teams, regulators and law enforcement, as specific responses like paying the ransom need to be considered.

Define Roles and Responsibilities
Prepare documentation that clearly states the roles, responsibilities and processes. Clarity makes for timely action and eliminates confusion in a time-sensitive ransomware infection.

Create a Communication Plan
The entire response team should know who to contact, why and when during an incident. What information will be required in the first stages of a detection? Specific contact details and information requirements need to be documented to ensure the right people can be contacted quickly and effectively.

Test Your Incident Response Plan
Perform a risk assessment and prioritize security issues; identify which are the most sensitive assets and what are the vital security incidents the team should focus on. Roleplay, table top and test the incident response plan to identify any weaknesses proactively. As the old military strategy says, "no plan survives contact with the enemy".

Review and Understand Policies
Review and consider changes and updates to existing policies and procedures to ensure they are fit for purpose relating to ransomware. Examples with available templates include:
- Acceptable Use Policies
- Asset Control Policies
- Audit Policy
- Logging Policy
- Evidence Collection Policy
- Linkage to Other Policies
- Information Security Policy
- Information Security Assurance Policy
- Physical Security Policy

04 Responding to a Ransomware Incident

For a victim of a ransomware attack, handling the aftermath badly can be business ending. Using the SANS process for incident handling, the following covers the response to ransomware:
- Identification
- Containment
- Eradication
- Recovery
- Post-Incident

Identification
Ransomware is often detected when it's in the process of encrypting files or shares, or worse, when it announces itself in the form of a ransom note.

[Image: example ransom note]

Just because an organization has identified an infected device, or a device that is responsible for encrypting files, it doesn't necessarily mean that it is the only device affected. The detection starts a race against time to identify any and all parts of the network that have been infected or that could become infected with ransomware. If the ransomware is wormable and exploits a vulnerability, then there is a strong possibility of multiple infections as the same vulnerability may exist in other devices on the network. Security teams need to identify the source rapidly to prevent further damage, and they must make sure the process doesn't repeat when backups are restored. Isolating the infected parts of the network and stopping any encryption currently underway reduces the potential impact and damage to the organization.

Identification is more than detecting that you have been attacked. Further analysis of the situation is needed to inform the best course of action for containment, eradication and recovery. The analysis needs to answer two key questions:
- What is the specific variant of ransomware?
- How did the ransomware enter the organization?

Each variant of ransomware can have a different message that is displayed to the user, and the message text itself may vary. The message displayed on the infected computer can be very helpful in determining which variant of ransomware is involved. Any displayed messages should be captured by taking a screenshot or photo with another device.

Ransomware Identification
It is essential to identify the specific variant of ransomware within your environment. As highlighted in the Common, Prevalent and Historic Ransomware Examples section, there are many varieties of ransomware with new ones or adaptations emerging regularly. Each variant has different or unique capabilities which need to be understood to truly contain the spread. As we have seen, some ransomware variants like SamSam and RobinHood enable attackers to move laterally and exfiltrate data.

Initial Root Cause Analysis
Organizations need to establish how ransomware was introduced to their networks to support the containment phase. This does not need to be a full blown root cause analysis, which normally takes place in the recovery phase, but incident responders need to be sure that when they do contain the ransomware and move on to recovery, the attackers don't just repeat their actions and encrypt files again. In the Methods of Infection section above, we detailed a number of infection vectors. Identification determines actions like searching for and destroying unopened emails containing the malware, patching vulnerabilities where possible and isolating systems where not, as well as blocking access to websites and removing devices or revoking user access to the network and file shares.
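Two of the telltale signs named in this guide, deletion of Volume Shadow Copies (Ryuk, Locky, SamSam, CryptoWall) and a burst of files being renamed to a new extension (Locky's .locky), can be turned into detection logic over endpoint telemetry so that identification does not have to wait for the ransom note. The following is an added example and not code from the SentinelOne guide; the pipe-delimited log format, the sample lines, the rule names and the burst threshold are constructed assumptions.

```python
"""Added example: detection logic for two ransomware signs the guide names,
VSS shadow copy deletion and a burst of file renames to a new extension.
Not code from the SentinelOne guide; the pipe-delimited telemetry format,
the sample lines and the threshold are constructed assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ntpath
from typing import List, Tuple

# Command-line fragments that delete Volume Shadow Copies (matched case-insensitively).
SHADOW_DELETE_MARKERS = ("vssadmin delete shadows", "wmic shadowcopy delete")
RENAME_THRESHOLD = 5                    # renames with a changed extension ...
RENAME_WINDOW = timedelta(seconds=60)   # ... on one host within this window

# Constructed telemetry: timestamp|host|event|details. ws-17 shows both signs;
# ws-22 shows ordinary activity that must not alert.
SAMPLE_LOG = r"""
2021-09-01T10:00:01Z|ws-17|process_create|cmd.exe /c vssadmin delete shadows /all /quiet
2021-09-01T10:00:05Z|ws-17|file_rename|C:\Users\a\Documents\q1.xlsx -> C:\Users\a\Documents\q1.locky
2021-09-01T10:00:07Z|ws-17|file_rename|C:\Users\a\Documents\plan.docx -> C:\Users\a\Documents\plan.locky
2021-09-01T10:00:09Z|ws-17|file_rename|C:\Users\a\Pictures\team.jpg -> C:\Users\a\Pictures\team.locky
2021-09-01T10:00:12Z|ws-17|file_rename|C:\Users\a\Desktop\notes.txt -> C:\Users\a\Desktop\notes.locky
2021-09-01T10:00:15Z|ws-17|file_rename|C:\Users\a\Desktop\budget.pdf -> C:\Users\a\Desktop\budget.locky
2021-09-01T10:01:00Z|ws-22|process_create|notepad.exe C:\Users\b\todo.txt
2021-09-01T10:01:30Z|ws-22|file_rename|C:\Users\b\todo.txt -> C:\Users\b\todo.bak
2021-09-01T10:05:00Z|ws-22|file_rename|C:\Users\b\draft.docx -> C:\Users\b\draft_final.docx
"""

Alert = Tuple[str, str, str]  # (host, rule, detail)


def parse_line(line: str):
    ts, host, event, details = line.split("|", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, event, details


def detect(log_text: str) -> List[Alert]:
    """Run both rules over the telemetry and return alerts in detection order."""
    alerts: List[Alert] = []
    renames = defaultdict(list)  # host -> [(timestamp, new extension)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, details = parse_line(line)
        if event == "process_create":
            lowered = details.lower()
            if any(marker in lowered for marker in SHADOW_DELETE_MARKERS):
                alerts.append((host, "shadow_copy_deletion", details))
        elif event == "file_rename":
            old, new = (p.strip() for p in details.split("->", 1))
            old_ext = ntpath.splitext(old)[1].lower()
            new_ext = ntpath.splitext(new)[1].lower()
            # Only extension changes count; draft.docx -> draft_final.docx does not.
            if new_ext and new_ext != old_ext:
                renames[host].append((ts, new_ext))
    for host, events in renames.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most RENAME_WINDOW.
            while events[end][0] - events[start][0] > RENAME_WINDOW:
                start += 1
            count = end - start + 1
            if count >= RENAME_THRESHOLD:
                ext = Counter(e for _, e in events[start:end + 1]).most_common(1)[0][0]
                alerts.append((host, "rename_burst",
                               f"{count} renames to {ext} within {RENAME_WINDOW.seconds}s"))
                break  # one alert per host is enough to trigger containment
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In production the same two rules would be fed from EDR or Sysmon process and file events rather than a text log, and the rename burst is what the quarantine step in the Containment phase should react to.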
Containment

Once a part of your network has been identified as, or is suspected of, being infected with ransomware, the affected devices should be immediately removed from the network, or isolated so that they cannot communicate with the rest of the network or the wider internet over any path, including Wi-Fi. An EDR solution allows a machine to be isolated while blocking the communication channels used to reach file shares or to propagate to other endpoints. Because the machine is not shut down, intelligence can still be gathered and forensic and sample analysis performed, aiding a deeper understanding of the ransomware campaign. If you do not have an EDR solution, or cannot quickly establish the root cause, you may have to consider shutting down the endpoint and taking file shares and connected systems offline, terminating all access or using NAC to block access. Bear in mind that powering off loses volatile evidence such as memory contents and running-process state, which forensics and some decryption efforts rely on, so prefer network isolation with the host left running where the tooling allows it.

Eradication

Once you are confident the ransomware outbreak is contained, the next step is to eradicate it. You have to be confident that no residual files remain hidden on the system that could re-infect devices. If you have an EDR solution installed on the endpoint, this may be as easy as initiating a rollback. If you are confident, based on identification and analysis, that your backups are clean and uncompromised, you can use them to rebuild. Alternatively, you may be left with no option but to replace the affected machines. For other network locations, such as mailboxes or file shares, you need to clean these locations, search for and remove any unopened malicious emails or code, and set up close monitoring using the indicators uncovered by your analysis to prevent the attack from re-emerging. Consider keeping devices connected to mailboxes isolated until you can determine they are clean, and change passwords to prevent use of any credentials harvested during the attack. If domain-level compromise is suspected, that means service accounts and a double reset of the krbtgt account as well, not just user passwords.
Recovery

Once you understand the ransomware variant, the root cause and the extent of the attack and the affected systems, you can attempt to recover. To recover from ransomware you have five options:

+ Roll back the device
+ Restore from backup
+ Decrypt files using a decryption tool
+ Do nothing: simply rebuild affected systems
+ Negotiate and pay the ransom

Roll Back the Device

Some EDR solutions, such as SentinelOne, provide a one-click solution to eradication and recovery through a feature known as rollback. Be sure that your EDR solution also guards against the deletion of shadow copies, a technique seen in ransomware variants like RobbinHood; a rollback that depends on Volume Shadow Copies is only as good as the copies that survive the attack. Rollback is by far the simplest and least disruptive solution to a ransomware attack and can be accomplished in minutes.

Restore from Backup

If backups predating the ground zero of the ransomware attack are available, you can restore endpoints and file shares from that date. Backups should be archived offline or otherwise isolated from the production network; organizations should not rely on local network backups or disk images, as these can be encrypted by the ransomware or destroyed by targeted attackers before detonation. Verify that the restore point is clean before reconnecting it: initial access often predates the encryption event by days or weeks, so a backup taken after the intrusion but before the encryption can carry the attacker's foothold back with it.

Decrypt Files Using a Decryption Tool

Identifying the ransomware variant can allow decryption if neither rollback nor backups are available. Communities like No More Ransom help infected users regain access to their encrypted files or locked systems without having to pay. They curate a repository of keys and tools that can decrypt data locked by different types of ransomware. The number of decryptors available now runs into the hundreds; unfortunately, the recent flurry of ransomware variants means there are many strains for which no decryptor is available. Keep a copy of the encrypted files even when no decryptor exists today, since keys are periodically leaked or seized and tools follow.

Do Nothing, Rebuild Affected Systems

To be absolutely sure that ransomware is removed from the system, you can wipe the infected devices and rebuild the operating system from the ground up.
If your devices and the encrypted files are not mission critical or do not contain irreplaceable data, then this is an option, especially if you can quickly rebuild devices and servers. However, be aware of the possibility that data may also have been exfiltrated and could be publicly dumped or obtained by competitors (see the Maze ransomware mentioned earlier).

Negotiate and Pay the Ransom

If you have run out of options, your files cannot be recovered, and the encrypted systems are not easily replaced and are critical to the operation of your business and its reputation, you may feel you have no choice but to pay. If the ransomware also involved a data breach, with company data exfiltrated, you may also be pressured into paying to avoid sensitive data being leaked publicly or to competitors.

In general, SentinelOne does not recommend paying ransomware attackers, as it supports the ransomware business model and encourages more criminals to join in and multiply the number of attacks. It also funds organized crime, and cash gained here will be used across a wider network of organized criminal activity. Even in the case of a combined ransomware attack and data breach, there is no guarantee that paying the ransom will ensure exfiltrated data is not still sold to others or leaked to competitors, the media or the general public. You have to consider that data exfiltrated by threat actors is now “out there” and access to it is beyond your control, regardless of whether or not you choose to pay. A purchased decryptor is also not guaranteed to work cleanly; test it on copies of a few encrypted files and keep the originals until recovery is verified.

If you do decide to pay, you may need the services of a data recovery specialist or a negotiator, and access to cryptocurrency such as Bitcoin, Monero or Dash. Payment can also carry legal and regulatory consequences, for example where the threat actor is subject to sanctions, so involve legal counsel before any payment is made.

Post-Incident

Your incident is resolved, but how can you prevent this happening in the future, and what lessons did you learn during incident response?
Post-incident, you need to gather the data together into a report to establish what detection and security controls were in place and why they were not able to prevent the infection. The review should include recommendations and the development of new techniques to respond to, detect, analyze or prevent similar incidents in the future. The reporting should also quantify the financial impact on the organization, in terms of staff hours, business downtime, regulatory fines and possibly ransoms paid.

05 Prevention: Reducing Your Attack Surface

Ransomware attacks are not going away; in fact, the increasing diversity and total volume enabled by RaaS and affiliate schemes, along with the low risk and lucrative returns, suggests that ransomware will continue to evolve and increase in sophistication for the foreseeable future. Examples like DoppelPaymer ransomware employ lightning-fast payloads that perform over 2,000 malicious operations on the host in less than 7 seconds. This means that legacy detection and response methods are failing to prevent infections, and defenders' response to ransomware often starts after the ransomware has achieved its objectives.

In order to become more effective in preventing ransomware, try to implement as many of the following recommendations as possible, where appropriate for your business environment. To reduce your attack surface, you first have to understand it and have visibility into it.

Threat Intelligence

How well do you know your attack surface? Prevention starts with intelligence on possible adversaries' TTPs.
Access to feeds and research powers your defenses and helps you understand and control your attack surface. Highly organized crimeware groups such as those behind Dridex and TrickBot have demonstrated success at scale using ransomware as their primary attack vector. Where they once relied primarily on banking fraud, their operations have noticeably shifted, and this has attracted many new start-up groups attempting to emulate their success. The proliferation of RaaS (Ransomware as a Service) operations has undoubtedly wreaked havoc on many corporate networks.

However, there appears to have been an escalation amongst the groups struggling for dominance in the burgeoning ransomware services market. The operators are no longer content with holding a network hostage; they are now seeking major payouts. The operators rifle through networks for days or weeks on end, attempting to map the data and find the juiciest targets that will provide them with the best leverage for a payout. Ransomware operators are now attempting to perfect their extortion schemes. Recent statistics released by the FBI in an RSA presentation attributed $61 million to the group operating the Ryuk ransomware. This figure accounted for operations conducted only between February 2018 and October 2019.

The operators of Maze and REvil (Sodinokibi) are leveraging the media and data leak sites in order to further threaten and humiliate victims into paying their extortion demands. Many groups such as DoppelPaymer, Clop, NetWalker, Ako and others have followed suit with leak sites. As the payouts continue, the attacks are not likely to go away anytime soon. The groups are now armed with substantial capital to further their attacks and further improve their products.
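Intelligence on TTPs is only useful once it becomes a detection. One TTP this guide already names is the destruction of recovery points before encryption (shadow copy deletion, as RobbinHood does), and it has the advantage of being observable in ordinary process-creation telemetry. The Python below is an added example (not SentinelOne's detection logic) that evaluates a small rule set over constructed process events modelled loosely on Sysmon Event ID 1 fields; the host names, timestamps and the idea of escalating only when several distinct rules fire on one host within a window are all assumptions for the demonstration.

```python
"""Turning one ransomware TTP into a detection: commands that inhibit system
recovery (shadow copy deletion, as RobbinHood does, plus the bcdedit and
wbadmin commands that commonly accompany it), evaluated over process-creation
events.

Added example, not SentinelOne's detection logic. The events are constructed
JSON lines modelled loosely on Sysmon Event ID 1 fields (Image, CommandLine);
timestamps are epoch seconds.
"""
import json
import re

# (rule name, process basename, regex over the command line). The process is
# checked against the event's Image and, for wrappers such as "cmd /c wmic ...",
# against the command line itself.
RULES = [
    ("vssadmin_delete_shadows", "vssadmin.exe", r"delete\s+shadows"),
    ("vssadmin_resize_storage", "vssadmin.exe", r"resize\s+shadowstorage"),
    ("wmic_shadowcopy_delete", "wmic.exe", r"shadowcopy\s+delete"),
    ("bcdedit_disable_recovery", "bcdedit.exe",
     r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures"),
    ("wbadmin_delete_catalog", "wbadmin.exe", r"delete\s+catalog"),
    ("powershell_win32_shadowcopy", "powershell.exe", r"win32_shadowcopy"),
]


def _basename(image: str) -> str:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_event(event: dict) -> list:
    """Names of every rule the event satisfies (usually zero or one)."""
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    for name, proc, pattern in RULES:
        stem = proc[:-len(".exe")]
        via_cmdline = re.search(r"\b" + stem + r"(\.exe)?\b", cmd, re.I)
        if (image == proc or via_cmdline) and re.search(pattern, cmd, re.I):
            hits.append(name)
    return hits


def scan(lines, window_seconds: int = 300, min_distinct: int = 2) -> dict:
    """Evaluate JSON-lines events. A single hit is worth a look (backup agents
    also resize shadow storage); several distinct rules on one host inside the
    window is the pattern of a detonation in progress and is escalated."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in match_event(ev):
            hits.append((ev["Host"], int(ev["UtcTime"]), rule))
    by_host = {}
    for host, ts, rule in hits:
        by_host.setdefault(host, []).append((ts, rule))
    escalated = set()
    for host, seq in by_host.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            rules_in_window = {r for t, r in seq[i:] if t - t0 <= window_seconds}
            if len(rules_in_window) >= min_distinct:
                escalated.add(host)
                break
    return {"hits": hits, "escalated": escalated}


# Constructed telemetry. WS01 shows the full pre-encryption sequence; SRV02's
# vssadmin calls are a listing and a resize of the kind a backup agent issues;
# WS03 is the PowerShell WMI variant of shadow copy deletion.
SAMPLE_EVENTS = [
    json.dumps(e) for e in [
        {"Host": "WS01", "UtcTime": 100, "Image": r"C:\Windows\System32\vssadmin.exe",
         "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
        {"Host": "WS01", "UtcTime": 110, "Image": r"C:\Windows\System32\cmd.exe",
         "CommandLine": "cmd.exe /c wmic shadowcopy delete"},
        {"Host": "WS01", "UtcTime": 120, "Image": r"C:\Windows\System32\bcdedit.exe",
         "CommandLine": "bcdedit.exe /set {default} recoveryenabled No"},
        {"Host": "WS01", "UtcTime": 130, "Image": r"C:\Windows\System32\wbadmin.exe",
         "CommandLine": "wbadmin.exe delete catalog -quiet"},
        {"Host": "SRV02", "UtcTime": 200, "Image": r"C:\Windows\System32\vssadmin.exe",
         "CommandLine": "vssadmin.exe list shadows"},
        {"Host": "SRV02", "UtcTime": 300, "Image": r"C:\Windows\System32\vssadmin.exe",
         "CommandLine": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=10%"},
        {"Host": "WS03", "UtcTime": 400,
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": "powershell.exe -NoP -W Hidden -Command \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\""},
    ]
]
```

`scan(SAMPLE_EVENTS)` returns six hits but escalates only WS01, where four different recovery-inhibition commands ran within thirty seconds; SRV02's resize and WS03's single PowerShell call remain individual alerts for an analyst. Matching the process name in the command line as well as in the Image field is what catches the `cmd /c wmic` wrapper without waiting for the child process event.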
Discovery and Inventory

Ransomware criminals take advantage of the challenges and vulnerabilities created by BYOD, IoT and digital transformation initiatives using technologies like social, mobile, cloud and software-defined networks. Remote workforces demanding the ability to work from anywhere, at any time, while accessing company data and using cloud applications also create challenges and increase your attack surface.

Visibility into who and what is on your network is crucial. To control and take action, aim for continuous discovery and fingerprinting of all connected devices, using active and passive discovery, to identify and create a real-time inventory of even intermittently connecting devices. This will help you find and control rogue endpoints. Software vulnerabilities allow attackers to use exploit kits to distribute ransomware, so supplementing endpoint discovery with an understanding of which operating systems, software and versions you have on which endpoints and servers is important to any patch management process.

Can you answer these questions?

+ Which devices are connected to my environment?
+ Which devices were connected in my environment?
+ When was a device last seen or first seen in my environment?
+ Which devices are unmanaged and unprotected?
+ What is a device's IP? MAC? Manufacturer? Type?
+ Does this device have a specific port open?
+ What information does the device report on this port?
+ In which network (behind which gateway) is it connected?
+ What applications are installed on connected endpoints?
+ Are there any unauthorized applications running in the organization?

Control Vulnerabilities and Harden Configuration

After you understand what devices are in your environment and what programs are installed on them, you need to control access, mitigate vulnerabilities and harden these endpoints and the software on them. Centrally managing the evaluation and enforcement of device configuration and compliance is important to reducing your attack surface.
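Before the hardening steps that follow, the discovery questions above need an inventory that can actually be queried. The Python below is an added example (not SentinelOne's Ranger or any other product code) that merges constructed passive sightings (DHCP and ARP) with a constructed EDR agent roster, so that "connected now", "seen between", "first/last seen", "unmanaged" and "manufacturer" each become one function call. The OUI table is a small excerpt of prefixes the author is confident about; real use would load the IEEE registry, and the `NOW` value and sightings are assumptions for the demonstration.

```python
"""Answering the discovery questions above from passive sightings plus the
EDR agent roster: which devices are (or were) connected, first/last seen,
which are unmanaged, and what the MAC prefix says about the manufacturer.

Added example, not SentinelOne's Ranger product. The sightings are
constructed; the OUI table is a tiny excerpt and real use would load the
IEEE OUI registry.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2021, 9, 1, 12, 0, tzinfo=timezone.utc)  # constructed 'now'

OUI_VENDORS = {  # small excerpt, not exhaustive
    "00:50:56": "VMware",
    "00:0c:29": "VMware",
    "00:15:5d": "Microsoft (Hyper-V)",
    "b8:27:eb": "Raspberry Pi Foundation",
}


@dataclass
class Device:
    mac: str
    ips: set = field(default_factory=set)
    hostnames: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    sightings: list = field(default_factory=list)  # timestamps from any source

    @property
    def first_seen(self) -> Optional[datetime]:
        return min(self.sightings) if self.sightings else None

    @property
    def last_seen(self) -> Optional[datetime]:
        return max(self.sightings) if self.sightings else None

    @property
    def managed(self) -> bool:
        # Only the EDR agent's own check-in counts as evidence of protection.
        return "edr" in self.sources

    @property
    def vendor(self) -> str:
        return OUI_VENDORS.get(self.mac[:8], "unknown")


def normalize_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def build_inventory(sightings) -> dict:
    """Merge sightings keyed by MAC so intermittent devices are not lost."""
    inv = {}
    for s in sightings:
        mac = normalize_mac(s["mac"])
        d = inv.setdefault(mac, Device(mac=mac))
        if s.get("ip"):
            d.ips.add(s["ip"])
        if s.get("hostname"):
            d.hostnames.add(s["hostname"])
        d.sources.add(s["source"])
        d.sightings.append(s["ts"])
    return inv


def connected(inv, now, stale_after=timedelta(hours=1)) -> set:
    """MACs seen within stale_after of now (the 'connected now' question)."""
    return {m for m, d in inv.items() if now - d.last_seen <= stale_after}


def seen_between(inv, start, end) -> set:
    """MACs with at least one sighting inside [start, end]."""
    return {m for m, d in inv.items() if any(start <= t <= end for t in d.sightings)}


def unmanaged(inv) -> set:
    return {m for m, d in inv.items() if not d.managed}


def rogue_candidates(inv, now) -> set:
    """On the network right now and without an agent: the list to chase first."""
    return connected(inv, now) & unmanaged(inv)


# Constructed sightings: a managed laptop, an unmanaged Raspberry Pi seen only
# by ARP, a managed VM, and a contractor PC last seen three days ago.
SAMPLE_SIGHTINGS = [
    {"source": "dhcp", "mac": "00:0C:29:AA:BB:01", "ip": "10.1.20.15",
     "hostname": "LAPTOP-17", "ts": NOW - timedelta(days=5)},
    {"source": "dhcp", "mac": "00:0c:29:aa:bb:01", "ip": "10.1.20.22",
     "hostname": "LAPTOP-17", "ts": NOW - timedelta(minutes=30)},
    {"source": "edr", "mac": "00:0c:29:aa:bb:01", "ip": "10.1.20.22",
     "hostname": "LAPTOP-17", "ts": NOW - timedelta(minutes=10)},
    {"source": "arp", "mac": "B8-27-EB-12-34-56", "ip": "10.1.20.77",
     "hostname": None, "ts": NOW - timedelta(minutes=20)},
    {"source": "dhcp", "mac": "00:50:56:01:02:03", "ip": "10.1.30.5",
     "hostname": "build-vm", "ts": NOW - timedelta(days=2)},
    {"source": "edr", "mac": "00:50:56:01:02:03", "ip": "10.1.30.5",
     "hostname": "build-vm", "ts": NOW - timedelta(minutes=1)},
    {"source": "dhcp", "mac": "02:00:00:00:00:99", "ip": "10.1.20.140",
     "hostname": "contractor-pc", "ts": NOW - timedelta(days=3)},
]
```

With these sightings, `rogue_candidates(build_inventory(SAMPLE_SIGHTINGS), NOW)` is exactly the Raspberry Pi: present now, never reported by an agent. Keying on MAC rather than IP is what keeps the laptop as one device across its two DHCP leases; keying on the agent's own check-in rather than on a hostname is what stops an unmanaged device that happens to be named like a managed one from hiding.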
Non-compliant devices should be reconfigured and hardened. Enforcing VPN connectivity, mandatory disk encryption and port control will reduce the attack surface for ransomware.

Patch management is key, but with thousands of new vulnerabilities appearing every year, no organization is realistically going to patch every single one. A risk-based, structured approach is best, but no approach is infallible. Centrally managed application control allows security teams to control all software running within the endpoint environment and protects against exploitation of unpatched vulnerabilities. It allows authorization of new software and prevents other unauthorized, malicious, untrusted or unnecessary applications from executing.

Control Human Vulnerabilities

Often with ransomware the weakest link is us, the human. The main entry vector is still email or visiting risky websites. Phishing, spear phishing and whaling are becoming more sophisticated and targeted, loaded with malicious documents or ransomware links that tempt even vigilant users to click.

A programme of staff education and training is important to create a culture of suspicion and vigilance; sharing real-world examples with staff and testing resilience matters, but even the best of us have our weakest moments. You can reduce risk, but you cannot eliminate it with training alone.

You can improve your email security with products that include features such as:

+ URL scanning of inbound or archived email, which does not allow clicks through to target sites until the site can be checked for malware
+ Detecting weaponized attachments in the mailbox and redirecting them to a sandbox before delivery
+ Protection against impersonation, social engineering, typosquatting and masking

Ransomware only has the rights to change and encrypt files that the infected user has. Controlling user access to critical network resources is necessary to limit exposure and to make lateral movement more difficult. It is therefore critical to ensure privileges are current and up to date, and that users can only access the files and network locations required for their duties. In practice that means removing standing local administrator rights, restricting write access on shares to those who need it, and keeping a close eye on service accounts with broad share access: a single compromised account with write access to many shares is what turns one infected endpoint into an enterprise-wide outage.

Monitoring and controlling user behaviour on and off the network allows alerts and actions to respond automatically to suspicious deviations, such as unusual access to servers, file shares or unfamiliar areas of the network. Recording data access, credential usage and connections by endpoints can highlight productivity changes or possible signals of a security breach. Tools like EDR record every file execution and modification, registry change, network connection and binary execution across an organization's connected endpoints, enhancing threat visibility and speeding up action.

Improve Endpoint Security

Almost all organizations have endpoint security; however, to prevent ransomware, static detection and antivirus are no longer enough. Having advanced features in your endpoint protection, and the ability to perform endpoint management and hygiene from a centralized management system, is increasingly important. Good endpoint security should include multiple static and behavioural detection engines, using machine learning and AI to speed up detection and analysis. It is also important to have exploit protection, device control, access control, and vulnerability and application control. Adding endpoint detection and response (EDR) to the mix provides forensic analysis and root cause, and immediate response actions like isolation, transfer to sandbox and rollback features that automate remediation are important considerations. Having these features in one platform, with one agent capable of protecting all devices and servers, will ensure centralized visibility and control for your cyber security team across your entire endpoint estate.

How Can SentinelOne Help?
SentinelOne provides one platform to prevent, detect, respond to and hunt ransomware across all enterprise assets. See what has never been seen before. Control the unknown. All at machine speed.

Prepare

Virtual Patching and Exploit Shield

SentinelOne reduces reliance on the traditional patching process. SentinelOne can dramatically reduce your attack surface by identifying out-of-date applications and immediately deploying an Exploit Shield policy to “wrap” a vulnerable application.

IoT Discovery & Control

With no additional agents or hardware to install, SentinelOne can automate device discovery, access and control. SentinelOne can automatically generate and maintain a live device asset inventory of every endpoint, including IoT, IP, mobile and industrial control devices connecting to your network. It can fingerprint operating systems, device configuration and applications, push protection and enforce compliance, all from one management console.

Protect

SentinelOne's multi-layered approach has been very effective in preventing ransomware infections. It features:

A Static AI engine trained on millions of malware and ransomware samples. It is able to detect and quarantine unique, never-before-seen ransomware downloaded from links in email campaigns or drive-by dropper websites.

A Behavioral AI engine which monitors all running processes, network communications and inter-process communication to ensure system integrity. By logging all the changes made on the system and automatically correlating these events to a TrueContext ID, SentinelOne is able to group all the variations of related processes together. Malicious activity, when detected, results in the entire process group being killed and quarantined.

Next-generation server and workload protection that is purpose-built for containers, including managed or unmanaged Kubernetes systems.
Behavioral AI and autonomous response capabilities are available across all major Linux platforms, physical and virtual, cloud-native workloads and containers, providing prevention, detection, response and hunting for today's and tomorrow's cyber threats. SentinelOne's server and workload protection is infrastructure agnostic and can be deployed either in the containers themselves or on the machines that host them, including servers in the cloud.

Respond

ActiveEDR

Forensic work is done by the single SentinelOne agent on the endpoint. Stories are already assembled using TrueContext, so the security analyst can save time and focus on reviewing full, contextualized stories to understand the root cause quickly. The technology can autonomously attribute each event on the endpoint to its root cause without any reliance on cloud resources.

ActiveEDR knows the full story, so it will mitigate ransomware at run time, before encryption begins. Other response actions can be used to isolate suspected targets based on root cause analysis, or to trace email mailboxes to the users' devices.

Rollback

SentinelOne offers a unique rollback function, powered by protected copies of Volume Shadow Copy Services
