Ransomware Incident Response: 7 steps to success

Ransomware infections are becoming increasingly commonplace, and companies that put a plan together before an incident are much more effective at combatting this pervasive malware.

Ransomware response can be broken down into seven steps. Here’s a cheat sheet:

The first step is to confirm whether a reported ransomware infection is an actual infection. There are cases where a user reports what they think is ransomware, but it turns out to be adware, phishing, or some other virus. Validation is important because it keeps efforts focused on important issues. But if you see a ransomware note demanding payment to unlock files, and your system or files are locked or frozen, then you’ve been hit.

Now it’s time for the incident response team to assemble. Incident response teams often include members of your IT staff, management, public relations, and legal. The incident response plan outlines how each member should be trained on how to respond to a ransomware incident. In some cases, the primary person may be unavailable, and it will be necessary to call in a secondary resource to handle that role.

The next step is to determine the scope of the incident, including which networks, applications and systems are impacted and whether the ransomware continues to spread. This is often the role of the IT and security point people.

Containment actions can take place concurrently with analysis activities. In this phase, infected machines are isolated to stop the spread of the ransomware by disconnecting the computers from the network or shutting them down. The scope often changes while containment is underway and the ransomware is still spreading. This phase ends when all infected machines have been isolated from clean machines.

The investigation starts by preserving evidence. Some machines will need to be returned to service as soon as possible while others might be less critical. Evidence such as log files or system images is taken of the affected machines along with documentation of serial numbers and asset identifiers.

The eradication phase removes the ransomware from machines and brings them back into a functioning state. Isolated machines are wiped, and then data is restored from backup to each of the machines after the evidence on the computers has been preserved. In some cases, organizations may decide to remove the ransomware and then restore files that were encrypted by the ransomware without wiping the device first.

A full machine restoration prevents other ransomware or malware from causing problems on the computer, and it also prevents backdoors or other software that the ransomware might have installed from being used to infect the machine later. For this reason, it is typically recommended that you wipe the device and restore the operating system and data from backup.

The last step is to remediate the problem that the ransomware exploited in the first place. This is often a user training issue, so companies implement more awareness training or coaching of individuals. In other cases, new technology needs to be put in place. If backups were found to be inadequate, the company would back up more data or back up more often. The ransomware incident should result in some improvement actions that the organization can perform to be better prepared for future incidents.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.


Mamba ransomware takes a bigger bite out of your data

As if encrypting your individual files was not enough, a recently discovered ransomware virus called Mamba encrypts your entire hard drive.

This may sound similar to the Petya drive encryption ransomware that made headlines earlier this year. But Mamba is a different animal. It differs from Petya in that it encrypts the entire hard drive, while Petya encrypts only the Master File Table (MFT), the information store that tracks which files are on the drive and where they are located. With Petya, forensics can recover the data from the drive since the data itself is not impacted. There is also a password generator tool for Petya that can be used to decrypt the MFT. There is currently no easy fix for the sneaky snake known as Mamba.

Mamba starts by overwriting the Master Boot Record (MBR), the program that tells your computer where to find the files to start your operating system. Mamba’s custom MBR tells the computer to load a ransom demand instead of the operating system when the machine restarts. The ransom demand reads as follows:

You are Hacked! H.D.D. Encrypted, Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 987654

Mamba encrypts the hard drive as well as other mounted drives such as USB flash drives using an AES-256 compatible open source full-disk encryption program called DiskCryptor.  Mamba is primarily distributed through phishing emails, but that could change as Mamba distribution grows. The ransomware currently targets only Microsoft Windows machines of any variety including Windows XP, Windows 7 and Windows 10.
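Because Mamba's first move is to replace the bootstrap code in the MBR, a defender can baseline that sector on a known-good host and alert when it changes. The following is an added example, not code from the original post or from any product named on this page: it parses a 512-byte MBR, hashes the bootstrap code, checks the 0x55AA signature and partition table, and compares the result against a recorded baseline. The sample MBRs are constructed, and the function names (`parse_mbr`, `check_mbr`, `build_sample_mbr`, `read_mbr`) are chosen here.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446            # bytes 0..445 hold the bootstrap code that Mamba replaces
PARTITION_ENTRY_SIZE = 16      # four 16-byte partition entries follow the bootstrap code
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap hash, partition entries and a signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        offset = BOOTSTRAP_LEN + i * PARTITION_ENTRY_SIZE
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, offset)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return findings against a known-good baseline; an empty list means no change."""
    parsed = parse_mbr(mbr)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if parsed["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    bootable = [p for p in parsed["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected one bootable partition, found {len(bootable)}")
    return findings


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample MBR: the given bootstrap bytes plus one bootable type-0x07 partition."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


# Constructed stand-ins: the "clean" bootstrap is arbitrary bytes, not real vendor code,
# and the tampered one mimics a bootstrap replaced with a ransom message.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_HASH = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]   # record this while the host is known-good
TAMPERED_MBR = build_sample_mbr(b"You are Hacked! H.D.D. Encrypted")


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw block device such as /dev/sda (needs administrative rights)."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(sample, BASELINE_HASH) or ["no change from baseline"])
```

On Windows the raw device path for the first disk is `\\.\PhysicalDrive0`; the baseline hash should be stored off the host, since a tampered machine cannot vouch for its own baseline.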

What to do if you’re attacked with Mamba

If your computer is infected with Mamba, your first recovery step is to restore from backup. Mamba encrypts the entire drive so victims will be unable to access the files or operating system without the decryption key. This means that the operating system and all files will need to be restored from backup.

With most ransomware, you have the option of restoring just the files or folders that were encrypted, or the entire machine. The recommended approach is to restore the whole computer, but some cases require that the device be put back into service as quickly as possible, so a file restore is performed. There is no such choice with Mamba.

There are two options when restoring the system, based on what data is available to restore. Victims with a full system backup can restore the entire system backup to the machine in a single operation. If a full system backup is not available, victims will need to install the operating system and programs and then restore the data. The second option takes more time to perform, and it requires that the user knows which applications were installed on the system, but it will bring the system to a fully functional state with applications and data in the end.

Take the time now to ensure that you have adequate backups so that you can restore your system in case you encounter full-disk encryption ransomware like Mamba. Consider which restore strategy would be ideal for your company, and how much time your employees can go without access to their computers or data. Then craft a backup strategy that meets your recovery expectations.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.


Crucial Elements of an Incident Response Plan

The news is crowded with reports from noteworthy companies of cyber-attacks.  Last year was the year of the data breach and this year is the year of ransomware.  Companies large and small, even those with large security budgets and mature security practices, still proved vulnerable to attack.  Every company will suffer a security incident someday, but not all companies are prepared for it, and preparation will determine what impact a security incident will have on your company.

Will your company weather the attack and come out stronger for it or will you lose customers, brand image, or your company?

“We’re not in Kansas anymore”

This is where your incident response plan comes in.  The incident response plan outlines the activities that will take place in an incident.  Decisions made before an incident are far superior to those made in the heat of the moment when the stress is on.  Plans can be thought through and properly vetted, and this leads to more robust decision making, more effective incident response, less company and customer loss due to the incident, and less stress overall.

“Houston, we have a problem”

The first step in an incident response plan is to define the team of individuals who will conduct and coordinate the incident response.  This is more than just a group of technical wizards or high-level executives.  It also includes PR, legal, security, and third parties.

“To the Batcave”

Once the team is assembled, the next step is to create an incident response plan.  This is not a step that is given to one or two team members.  Rather, those involved on the team should also be involved in the incident response planning effort.

Scenarios or table top exercises can be used to develop plans for specific incidents or to enhance existing plans.  Scenarios such as malware infection, ransomware infection, a lost or stolen device, Distributed Denial of Service (DDoS) attacks, cyber breaches, and social engineering should be specifically addressed in meetings where each team member walks through the actions they would take in that incident.  A facilitator guides the discussion and aids in making sure critical steps are not skipped.  The output from scenario planning is a detailed step by step process for handling specific incidents.

“Who’s on First?”

It is not enough to know what to do.  You also have to know who is going to do it.  Many plans have failed because no one knew who was supposed to carry out the expertly-written instructions.  Each task in the incident response plan should have a designated person or role assigned to it.  Role-specific tasks provide accountability and ensure that there will be someone to conduct those activities during an incident.  None of the tasks identified in the procedures should be overlooked.  It is important to also assign alternates in case the primary person is unavailable when the actual incident occurs.  Once the incident procedures have been properly vetted and approved and the roles outlined, response activities should be practiced regularly so that the incident response team is familiar with their responsibilities.

There is a lot more information available on incident response, but an effective incident response plan requires the right team, well-thought-out instructions, and tasks that are clearly assigned to individuals.  Plans lacking these elements will not provide your company, customers, and employees with the guidance they need when an incident occurs, and it will happen.  Be prepared.

This post is sponsored by AT&T Security.

Share Button

5 steps to a winning incident response team

People are the core of any incident response effort.  You must have the right people to provide the right response.  Incident response teams should include a diverse set of individuals across the organization including executives, information technology, security, public relations, legal and relevant 3rd parties.  Here is what makes a winning incident response team.

  1. Winning teams have top level support

Top level support is essential in an incident response team, and executives can provide it.  Executives are the ones who will be able to allocate the resources necessary to take action during a breach, and they can rally support and establish budgets for planning and preparation activities.  Executives also bring legitimacy to incident response plans and procedures.

  2. Winning teams have the technical skills

Almost every incident will require some level of technical skill to resolve it, and most incidents will require significant technical effort.  Information technology (IT) team members are usually the first to find out about an incident.  Sometimes users report an incident to IT; in other cases, IT learns about the incident through detective security controls such as log monitoring, intrusion detection systems, or antivirus.  IT is also responsible for making technical changes as incident response activities progress.

  3. Winning teams have a security perspective

A keen understanding of the risks, impact, and scope is needed in incident response.  This is where members of the incident response team responsible for security step in.  Security team members take point on validating reported events and determining if they constitute an incident.  They analyze information collected by technology tools and assess the scope and impact of the incident.

  4. Winning teams know how to communicate

Communication, both internally and externally, is a fundamental component of incident response.  Public relations team members communicate with employees, partners, law enforcement, the media, or investors regarding the incident.  They work with the legal team to understand compliance, contractual liability, and cyber breach notification requirements.

  5. Winning teams cross organizational boundaries

Teams may include both internal employees and contractors.  Incident response is not something most companies do every day, and an effective response requires individuals who have the unique skills, tools, and techniques required to address the incident.  Some third parties that may be part of the incident response team include forensics, security consultants, attorneys, insurance, law enforcement, or upstream providers such as Internet Service Providers (ISP), datacenters, or cloud providers.

Team makeup is critical for successful incident response.  A winning team needs to have adequate support, the required technical and security skills, effective communicators, and outside expertise.  So who is on your team?

This post is sponsored by AT&T Security.


The Economics of Extortion: Understanding the ransomware market

We all know money is the motivating force behind cybercrimes like the creation and distribution of ransomware. The interesting twist with ransomware is that the basic rules of supply and demand become a little hard to follow. Typically you have a buyer and a seller. In the case of ransomware, the distributor—or supplier—has to steal what’s in demand—your data.

Cybercriminals create the demand by restricting access. Victims realize they need access and—if they cannot get access themselves by restoring critical files from backup—they end up paying the ransom and fueling this economy. This applies to online consumers, small business owners, and CEOs—they have all paid to retrieve data.

It’s interesting to consider the ransomware economy in the following five segments:

1) Investment 

Cybercriminals leasing ransomware can obtain it for as little as $39 and as much as $3,000, depending on which type is purchased. They must then distribute it. Distribution costs include time spent creating and sending emails. According to Trustwave, a security firm that spent time dissecting the ransomware economy, it would cost about $2,500 to spread 2,000 ransomware infections once you factor in the time to send emails and compromise sites.

2) Pricing 

Ransom demands in the United States have been known to be several hundred dollars higher than the same ransomware in Mexico or other countries with lower median incomes than the U.S. Ransomware authors have researched regions and incomes—and they understand that they can only charge what the market will bear. Ransomware authors also consider the bitcoin exchange rate when determining the ransom demand. This helps cyber criminals set a ransom that victims can afford to pay regardless of which country they’re from. In the U.S., the average ask is between $300 and $500, according to many industry sources.

3) Target market 

The target market for ransomware consists of consumers and companies that retain important or business-critical information and have the ability to pay the ransom. Unfortunately, these people also typically aren’t adhering to IT security best practices. Hospitals and other healthcare organizations are a popular target for cybercriminals because of the pressure to pay up quickly, rather than risk patient health.

4) Revenue 

Estimates of how much has been paid in ransom tend to be conservative because many payments are undisclosed. That said, the U.S. Department of Justice's Internet Crime Complaint Center received reports of ransom payments totaling $24 million in 2015. And in July 2016, ransom payments for Cerber ransomware alone totaled $195,000 for the month. But the market is growing exponentially, and the FBI has said ransomware costs could total $1 billion this year.

5) Competition 

The relatively low barrier to entry has resulted in fierce competition among cyber criminals. Some ransomware authors and cyber-extortionists have even adopted higher levels of professionalism to make it easier for victims to pay up. And, in an interesting angle to the supplier side, ransomware kits are easily available and come with simple instructions, meaning that distributors can sell ransomware to new, smaller distributors—as long as they are guaranteed a piece of the profits.

The ransomware economy is booming and returns are high. That means you can expect the number of ransomware attacks to continue rising. Protect yourself by having adequate backups in place before a ransomware attack occurs. Test your backups to ensure that the right data is being protected and can be restored in satisfactory time frames. Also, ensure that a backup copy is kept in a different location from production data so that ransomware does not infect both at the same time.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.


Pokemon Go ransomware virus is out to catch ’em all

A Pokemon Go-themed ransomware virus has appeared on Windows computers, tablets, and phones. The ransomware is the latest in a series of malicious applications that have popped up in the wake of the global Pokemon Go obsession.

This particular piece of malware is known as POGO Tear and it’s based on open source ransomware code called Hidden Tear. POGO Tear encrypts the files on victims’ computers, changes the extension to “.locked” and then demands a ransom on a screen emblazoned with famed character Pikachu’s picture.

POGO Tear is currently coded to display its ransom message in Arabic only. The text informs users that their data has been encrypted and instructs them to contact blackhat20152015@gmail.com to decrypt their files. It also thanks them for their generosity.

What’s interesting about this malware is that it incorporates several features not usually found in other ransomware viruses. POGO Tear creates an administrative user account called Hack3r on the victim’s machine and then hides it from the logon screen so the user can’t tell it’s there.

It also creates a network share on the victim’s computer and copies itself to all available network drives. The ransomware automatically executes when Windows starts.

How to recover from POGO Tear

When your computer is attacked with POGO Tear, it’s not enough to simply remove the infected files and restore from backup. Victims must also remove the backdoor administrator account and ensure that it has been cleaned from all removable drives and connected computers before performing restore operations. Otherwise, the administrative account could allow an attacker to install additional ransomware, or even steal data using more traditional attack methods.
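The backdoor account is the part of a POGO Tear infection most likely to survive a file-level restore, so it helps to look for it in the logs of every connected machine before restoring. The code below is an added example, not from the original post: it correlates account-creation events with local-group changes on the same host over constructed sample records that mimic Windows Security events 4720, 4732 and 4657 (real event IDs; the record format is a simplification), and it assumes, as the post does not state, that the account is hidden from the logon screen through the Winlogon SpecialAccounts\UserList registry value.

```python
import re
from datetime import datetime

# Constructed sample records (not real Windows log output) in a simplified
# "timestamp|event_id|host|key=value ..." form. The IDs are the real Security log IDs:
# 4720 user account created, 4732 member added to a local group, 4657 registry value changed.
SAMPLE_EVENTS = r"""
2016-08-14T10:02:11|4720|WS-017|TargetUserName=Hack3r SubjectUserName=jsmith
2016-08-14T10:02:12|4732|WS-017|TargetUserName=Administrators MemberName=WS-017\Hack3r SubjectUserName=jsmith
2016-08-14T10:02:13|4657|WS-017|ObjectName=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList ObjectValueName=Hack3r SubjectUserName=jsmith
2016-08-14T10:05:40|4720|WS-022|TargetUserName=svc_backup SubjectUserName=admin.ops
2016-08-14T10:06:02|4732|WS-022|TargetUserName=Remote Desktop Users MemberName=WS-022\svc_backup SubjectUserName=admin.ops
"""

# Assumption (not stated in the post): the account is hidden from the logon screen by a value
# under this Winlogon key. Event 4657 only fires for it if a registry audit SACL is set on the key.
HIDDEN_ACCOUNT_KEY_SUFFIX = "\\Winlogon\\SpecialAccounts\\UserList"

# key=value pairs whose values may contain spaces (e.g. "Remote Desktop Users")
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_events(text: str) -> list:
    """Parse the constructed records into dicts with a parsed timestamp and key/value fields."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, host, detail = line.split("|", 3)
        fields = dict(KV_RE.findall(detail))
        events.append({"time": datetime.fromisoformat(ts), "id": int(event_id), "host": host, **fields})
    return events


def find_new_local_admins(events: list, window_seconds: int = 300) -> list:
    """Per host: 4720 creation followed by 4732 into Administrators (and optionally a UserList write)."""
    findings = []
    for created in (e for e in events if e["id"] == 4720):
        host, account = created["host"], created["TargetUserName"]
        later = [e for e in events if e["host"] == host
                 and 0 <= (e["time"] - created["time"]).total_seconds() <= window_seconds]
        made_admin = any(e["id"] == 4732 and e.get("TargetUserName") == "Administrators"
                         and e.get("MemberName", "").rsplit("\\", 1)[-1] == account for e in later)
        hidden = any(e["id"] == 4657 and e.get("ObjectName", "").endswith(HIDDEN_ACCOUNT_KEY_SUFFIX)
                     and e.get("ObjectValueName") == account for e in later)
        if made_admin:
            findings.append({"host": host, "account": account, "created_by": created["SubjectUserName"],
                             "hidden_from_logon": hidden,
                             "severity": "critical" if hidden else "high"})
    return findings


if __name__ == "__main__":
    for finding in find_new_local_admins(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The svc_backup account is deliberately left out of the findings because it was added only to Remote Desktop Users, which shows that the rule keys on the Administrators group rather than on account creation alone.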

It appears that POGO Tear is still in a beta or development stage. It uses a static decryption key which will most likely be replaced with a random key when it’s fully deployed. Currently, files encrypted by POGO Tear can be decrypted with the following AES encryption key: 123vivalalgerie

POGO Tear has a private IP address of coded into it for command and control, indicating that the developer of it is still testing out command and control functionality since a private IP address cannot be directly referenced by other computers over the internet. This will most likely be replaced with a set of internet-accessible dynamic DNS names once the full version is released. POGO Tear does not exist in any other languages besides Arabic and it currently does not specify a value for the ransom.

If you are infected with POGO Tear, you can decrypt your files with the key mentioned above. But be sure to have adequate backups, endpoint protection, and network security controls in place to guard against the future release of the full version.  And if you’re interested in playing Pokemon Go, be sure to download the official version from Niantic when visiting your favorite online app store.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.


Securing Hybrid IT the Right Way

The average company today is a hybrid collection of traditional on-premise and cloud-based IT solutions.  On-premise solutions may include identity and authorization servers, custom applications, packaged applications, and local data repositories. Cloud services fulfill a wide variety of business tasks such as document sharing, group collaboration, customer relationship management, payment processing, marketing, and communication.  This combination of on-premise and cloud services is called Hybrid IT.

On-premise applications require equipment purchases, software deployment, and user training, but cloud services can be purchased with a credit card and used almost immediately.  As a result, the same rigor in assessing the business need, risk, and other factors is often not applied when adopting cloud applications.

Getting up to speed

Hybrid IT can be difficult to manage when different users, who may or may not be tech savvy, utilize cloud systems in whatever way they deem best for the situation.  Many organizations are now in a hybrid IT situation that was largely unplanned.  Follow these steps to get up to speed.

  1. Identify the cloud solutions in place.
  2. Determine if it is feasible to continue using the solutions.
  3. Transfer administrative credentials to IT.
  4. Create an approved application list.
  5. Enforce restrictions through network and endpoint controls on which cloud services can be utilized for organizational data.
  6. Standardize security controls on systems including those in organizational private clouds.

Identify a security solutions provider that can deploy consistent security onto your on-premise equipment, private clouds, and other assets. For example, Bitdefender delivers solutions that have solved the technical challenges of Advanced Persistent Threats (APT) and zero-day exploits.  These same solutions meet the increasingly stringent compliance requirements and give datacenter owners the ability to know what they don’t know, and act on information from below the operating system.

Maintaining control

The most frequently cited risk in hybrid IT is the potential for a lack of organizational control over customer, employee, and business data.  Without effective endpoint and network security controls, a single user may adopt a cloud platform using a personal email address, load organizational data into it, and then leave the organization.  At this point, the user's successor tries to assume control over the system but realizes that they have no ability to do so.

Organizations need to strike a balance between agility and administration.  There needs to be a level of control over which cloud applications are used for business purposes, but the process for evaluating and approving applications needs to be able to keep pace with today’s fast-paced business. See the suggested steps below.

  1. Establish a procedure for requesting a cloud application.
  2. Create a semi-automated workflow from the procedure.
  3. Establish a cross-functional approval group that will respond to requests through the workflow.
  4. Educate employees on the process.

Risk mitigation

Hybrid solutions are often user or department initiated with little or no involvement of the IT department or those responsible for security within the organization.  Cloud applications may change the organizational risk profile, but the business as a whole is not often aware of this change in risk and therefore cannot evaluate whether actions are required to reduce the risk to an acceptable level. One good way for data center administrators to be as informed as possible about risks is to deploy solutions such as Hypervisor Introspection which can evaluate security independent of the virtual machine and analyze system memory at the hypervisor level.  This ensures consistent security management and awareness even when users or administrators deploy non-standard virtual machines.

From there, a combination of endpoint and network controls such as software restrictions on agents on user machines and traffic filtering on the network can be used to restrict access to unapproved cloud services and applications.  This way, users will be required to utilize the process to request applications.

Next, using the workflow developed earlier, users can take the information collected on the approved cloud applications and services and compile it into a report for risk management.  The entire process of creating this document can be automated in the workflow.  The cross-functional approval team should already include someone from risk management, but this portion of the process involves a more in-depth review of the hybrid IT portfolio of applications against the organizational risk tolerance threshold.  Risk management can then make recommendations to ensure that risk is kept to acceptable levels.

Reducing attack surface

In some cases, a cloud application is adopted by a user or department when another cloud application has already been adopted to satisfy the same need.  Redundant cloud services increase management costs as well as the attack surface because they create additional potential avenues for attackers to obtain access to organizational data or systems.

  1. Determine which cloud service offers the greatest fit for the organization.
  2. Train users of the redundant service on how to use the preferred one.
  3. Transfer data from one service to the other.
  4. Terminate the redundant service.

Hybrid IT offers organizations an excellent way to augment existing on-premise IT offerings with cutting-edge cloud services.  However, it can also be a nightmare if not managed properly.  Some companies are in a precarious security position. Yet, the problem is not insurmountable.  With some planning, automation, discipline and the right mix of endpoint and network security controls, organizations can deploy and manage hybrid IT so that attack surfaces, cloud costs, and management time and effort are minimized.
