I feel it’s important to start by giving you the top things to do if you are a victim of ransomware:
- Don’t pay the ransom
- Don’t power off any endpoints
- Contact Symantec Incident Response team as quickly as possible
- Ensure you have good backups, ready to restore
We are seeing a lot in the media lately about ransomware. This type of attack isn’t new, but the attention is greater than ever. And what’s worse? Many organizations suffering through ransomware attacks think they are at the mercy of the attacker. This doesn’t have to be the case.
There are many things an incident response (IR) provider can do to help in this situation. Symantec has one of the world’s largest civilian cyber security threat intelligence networks – giving our IR team access to not only technical intelligence about the malware, but also adversary intelligence that provides Indicators of Compromise (IoC). Symantec’s IR team has been able to use this wealth of intelligence during our ransomware investigations to learn several important facts about ransomware.
One of the most important things to bring light to is that ransomware is almost never the primary attack vector. Ransomware is deployed as either a way to deflect attention from a primary attack or as “clean up” after an attack to help the attackers make a few extra bucks selling the access that they already used to perform their initial operation.
Here are some examples of what our team has seen during investigations.
“Smoke Screen” Attack
One customer was battling a worm-based ransomware variant. The infection had taken over the network and had started encrypting files. Their first reaction was that this wasn’t a big deal, just a nuisance. The problem got bigger when it spread and they couldn’t control it, which prompted them to call our IR team. During the investigation we performed memory forensics and found a memory-only resident attack that was positioned to capture account and login information. It was a very well written piece of code that was masking itself in 64-bit memory. Once we discovered it, we were able to stop the primary attack, contain the worm and provide the customer with recommendations to minimize further attacks.
Having learned this, we were able to apply this information to many other customers that called with the same indicators, allowing us to more rapidly respond and contain the attack, ultimately ending the campaign.
Ransomware Used After Failed Primary Attack
One of our customers had been compromised and the attacker’s primary objective was to gain full access to the victim’s network and sell that access in the dark web. When there weren’t any buyers, the attacker needed a way to financially recoup resources spent on the initial attack and decided to take the ransomware route. These attackers purchased an attack and deployed it against the victim, launching a second attack. During our investigation, we were able to identify the originating attack, push the attacker out of the network, provide the point of origin for the initial attack and recommend how to prevent similar attacks in the future.
These are just a couple examples of investigations we’ve successfully closed, but we expect to see more and want to make sure organizations know to engage resources that can help them look beyond the obvious ransomware attack to understand the full spectrum.