On September 30, 2020, The US Cybersecurity & Infrastructure Security Agency (US CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) announced the release of a joint guide on defending against and responding to ransomware threats.
LIFARS has observed a significant increase in the volume and impact of ransomware attacks over the last months. Therefore, we recommend that system administrators and security professionals thoroughly review this guide and deploy all applicable measures. Critical Infrastructure Organizations may be eligible for cyber-assistance from US-CISA.
The Ransomware Guide consists of two main parts. The Ransomware Prevention Best Practices and Ransomware Response Checklist.
Ransomware Prevention
US-CISA and MS-ISAC stress the urgency of being prepared for this type of threat by employing the following best practices. This will help to reduce the risk of ransomware and prepare for swift and efficient response. The guide lists current best practices, such as:
- Maintaining offline and encrypted backups that are regularly tested
- Creating and maintaining incident response plan that is regularly exercised
The guide also underlines that Internet-facing vulnerabilities and misconfigurations are among infection vectors of ransomware. To mitigate this, the guide recommends to:
- Conduct regular vulnerability scans
- Patch and update software and operating systems regularly
- Ensure proper and secure configurations of devices
- Secure RDP and other remote desktop services
- Disable SMB protocol
Phishing is also one of the most used infection vectors. Best practices to reduce the risk of phishing are mainly:
- User awareness and training program
- Email gateway filters
- Implementation of DMARC
- Disabling macros for MS Office files
Another possible infection vector can be a precursor malware, third parties and MSPs. Best practices are:
- Up-to-date antimalware solution
- Application allowlisting
- Implementation of IDS
- Risk management of third parties
Other general cyber security best practices and hardening guidance include:
- Employing MFA
- Application of the principle of least privilege
- Enabling security settings in cloud environments
- Develop and maintain a comprehensive network diagram to help during incident response
- Employ network segmentation
- Employ asset management
- Restrict usage of PowerShell
- Secure domain controllers
- Retain and secure logs from both network devices and local hosts
- Determine normal network behavioral patterns to help detecting anomalous activity
Ransomware Response
Second part of the Ransomware Guide by US CISA and MS-ISAC provides a ransomware response checklist that can be utilized should you became a victim of this threat.
Detection and Analysis
- Determine and isolate impacted systems
- Only if you are unable to disconnect, power them down
- Triage impacted systems
- Develop and document an understanding of the situation
- Engage internal and external teams
Containment and Eradication
- Collect system images, memory captures, logs, malware binaries and IoCs
- Consult federal LEAs for possible decryptors
- Research trusted guidance for your particular ransomware variant
- Identify initially breached systems (patient zero)
- Contain any associated systems
- Perform server-side data encryption identification
- Examine security devices and their logs
- Conduct extended analysis to identify persistence mechanisms
- Rebuild systems
- Issue password reset for all affected systems and patch associated security gaps
- Declare the end of the ransomware incident
Recovery and Post-Incident Activity
- Reconnect systems and restore from backups
- Document lessons learned
- Share lessons learned and IoCs with CISA and/or ISAC for the benefit of others
Resources
https://www.cisa.gov/publication/ransomware-guide
https://www.cisa. gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf