I've Been Hit By Ransomware!

The Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends responding to ransomware by using the following checklist provided in a Joint CISA, FBI, NSA, and Multi-State Information Sharing and Analysis Center (MS-ISAC) #StopRansomware Guide, updated in May 2023. This information will take you through the response process from detection to containment and eradication. Be sure to move through the first three steps in sequence.

Detection and Analysis

Refer to the best practices and references below to help manage the risk posed by ransomware and support your organization’s coordinated and efficient response to a ransomware incident. Apply these practices to the greatest extent possible based on availability of organizational resources.

• Determine which systems were impacted, and immediately isolate them.
  • If several systems or subnets appear impacted, take the network offline at the switch level. It may not be feasible to disconnect individual systems during an incident.
  • Prioritize isolating critical systems that are essential to daily operations.
  • If taking the network temporarily offline is not immediately possible, locate the network cable (e.g., ethernet) and unplug affected devices from the network or remove them from Wi-Fi to contain the infection.
  • For cloud resources, take a snapshot of volumes to get a point in time copy for reviewing later for forensic investigation.
  • After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected. Isolate systems in a coordinated manner and use out-of-band communication methods such as phone calls to avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken. Not doing so could cause actors to move laterally to preserve their access or deploy ransomware widely prior to networks being taken offline.
  • Note: This step will prevent your organization from maintaining ransomware infection artifacts and potential evidence stored in volatile memory. It should be carried out only if it is not possible to temporarily shut down the network or disconnect affected hosts from the network using other means.
  • Identify and prioritize critical systems for restoration on a clean network and confirm the nature of data housed on impacted systems.
    • Prioritize restoration and recovery based on a predefined critical asset list that includes information systems critical for health and safety, revenue generation, or other critical services, as well as systems they depend on.
    • Look for evidence of precursor “dropper” malware, such as Bumblebee, Dridex, Emotet, QakBot, or Anchor. A ransomware event may be evidence of a previous, unresolved network compromise.
      • Operators of these advanced malware variants will often sell access to a network. Malicious actors will sometimes use this access to exfiltrate data and then threaten to release the data publicly before ransoming the network to further extort the victim and pressure them into paying.
      • Malicious actors often drop ransomware variants to obscure post-compromise activity. Care must be taken to identify such dropper malware before rebuilding from backups to prevent continuing compromises.
      • For enterprise environments, check for:
        • Newly created AD accounts or accounts with escalated privileges and recent activity related to privileged accounts such as Domain Admins.
        • Anomalous VPN device logins or other suspicious logins.
        • Endpoint modifications that may impair backups, shadow copy, disk journaling, or boot configurations. Look for anomalous usage of built-in Windows tools such as bcdedit.exe, fsutil.exe (deletejournal), vssadmin.exe, wbadmin.exe, and wmic.exe (shadowcopy or shadowstorage). Misuse of these tools is a common ransomware technique to inhibit system recovery.
        • Signs of the presence of Cobalt Strike beacon/client. Cobalt Strike is a commercial penetration testing software suite. Malicious actors often name Cobalt Strike Windows processes with the same names as legitimate Windows processes to obfuscate their presence and complicate investigations.
        • Signs of any unexpected usage of remote monitoring and management (RMM) software (including portable executables that are not installed). RMM software is commonly used by malicious actors to maintain persistence.
        • Any unexpected PowerShell execution or use of PsTools suite.
        • Signs of enumeration of AD and/or LSASS credentials being dumped (e.g., Mimikatz or NTDSutil.exe).
        • Signs of unexpected endpoint-to-endpoint (including servers) communications.
        • Potential signs of data being exfiltrated from the network. Common tools for data exfiltration include Rclone, Rsync, various web-based file storage services (also used by threat actors to implant malware/tools on the affected network), and FTP/SFTP.
        • Newly created services, unexpected scheduled tasks, unexpected software installed, etc.
        • Enable tools to detect and prevent modifications to IAM, network security, and data protection resources.
        • Use automation to detect common issues (e.g., disabling features, introduction of new firewall rules) and take automated actions as soon as they occur. For example, if a new firewall rule is created that allows open traffic (0.0.0.0/0), an automated action can be taken to disable or delete this rule and send notifications to the user that created it as well as the security team for awareness. This will help avoid alert fatigue and allow security personnel to focus on critical issues.

        Reporting and Notification

        Note: Refer to the Contact Information section at the end of this guide for details on how to report and notify about ransomware incidents.

        • Follow notification requirements as outlined in your cyber incident response and communications plan to engage internal and external teams and stakeholders with an understanding of what they can provide to help you mitigate, respond to, and recover from the incident.
          • Share the information you have at your disposal to receive timely and relevant assistance. Keep management and senior leaders informed via regular updates as the situation develops. Relevant stakeholders may include your IT department, managed security service providers, cyber insurance company, and departmental or elected leaders [CPG 4.A].
          • Report the incident to—and consider requesting assistance from—CISA, your local FBI field office, the FBI Internet Crime Complaint Center (IC3), or your local U.S. Secret Service field office.
          • As appropriate, coordinate with communications and public information personnel to ensure accurate information is shared internally with your organization and externally with the public.

          Containment and Eradication

          If no initial mitigation actions appear possible:

          • Take a system image and memory capture of a sample of affected devices (e.g., workstations, servers, virtual servers, and cloud servers). Collect any relevant logs as well as samples of any “precursor” malware binaries and associated observables or indicators of compromise (e.g., suspected command and control IP addresses, suspicious registry entries, or other relevant files detected). The contacts below may be able to assist you in performing these tasks.
            • Preserve evidence that is highly volatile in nature—or limited in retention—to prevent loss or tampering (e.g., system memory, Windows Security logs, data in firewall log buffers).

            To continue steps to contain and mitigate the incident:

            • Research trusted guidance (e.g., published by sources such as the U.S. Government, MS-ISAC, or a reputable security vendor) for the particular ransomware variant and follow any additional recommended steps to identify and contain systems or networks that are confirmed to be impacted.
              • Kill or disable the execution of known ransomware binaries; this will minimize damage and impact to your systems. Delete other known associated registry values and files.
              • Disable virtual private networks, remote access servers, single sign-on resources, and cloud-based or other public-facing assets.
              • Review Computer Management > Sessions and Open Files lists on associated servers to determine the user or system accessing those files.
              • Review file properties of encrypted files or ransom notes to identify specific users that may be associated with file ownership.
              • Review the TerminalServices-RemoteConnectionManager event log to check for successful RDP network connections.
              • Review the Windows Security log, SMB event logs, and related logs that may identify significant authentication or access events.
              • Run packet capture software, such as Wireshark, on the impacted server with a filter to identify IP addresses involved in actively writing or renaming files (e.g., smb2.filename contains cryptxxx).
              • Outside-in persistence may include authenticated access to external systems via rogue accounts, backdoors on perimeter systems, exploitation of external vulnerabilities, etc.
              • Inside-out persistence may include malware implants on the internal network or a variety of living-off-the-land style modifications (e.g., use of commercial penetration testing tools like Cobalt Strike; use of PsTools suite, including PsExec, to remotely install and control malware and gather information regarding—or perform remote management of—Windows systems; use of PowerShell scripts).
              • Identification may involve deployment of EDR solutions, audits of local and domain accounts, examination of data found in centralized logging systems, or deeper forensic analysis of specific systems once movement within the environment has been mapped out.

              Recovery and Post Incident Activity

              • Reconnect systems and restore data from offline, encrypted backups based on a prioritization of critical services.
                • Take care not to re-infect clean systems during recovery. For example, if a new Virtual Local Area Network (VLAN) has been created for recovery purposes, ensure only clean systems are added.

                We understand attacks can severely impact business processes and leave organizations without the data needed to operate and deliver mission-critical services. To continue taking steps and mitigating the ransomware incident, please see the updated #StopRansomware Guide for more information.