What is a ransomware attack?
A ransomware attack involves sending malicious software to a target that, once activated, encrypts the operating system’s files and data. A ransom is then demanded in exchange for a decryption key.
What are the warning signs of a ransomware attack?
There are some small indications, but they can be hard to detect.
The attacker’s goal is to remain undetected for as long as possible. Once they have infiltrated a computer system, they can wait months before launching their attack. What can tell us something is amiss is abnormal behaviour, such as activity during the night or unusual network transfers.
What happens once an attack is out in the open?
IT systems stop responding or behave abnormally. The user observes unexpected behaviour on their workstation, like software that has stopped working or a wallpaper that looks different. Then a text file appears, often marked “Read me”, which contains the typical fateful message “We have encrypted your data, call this number to get it back for a fee of x”.
1 to 3 days
The standard ransom deadline (LegiFrance).
Should you contact the attacker?
I advise against contacting the attacker directly and engaging in negotiations to pay the ransom. It might not save you any time, and there is no guarantee that the attacker will restore access to your data.
But every minute counts, and if a user discovers an attack, you must immediately alert the cyber security team or, failing that, IT support, and never deal with the incident yourself.
What are the first steps in the Advens CERT’s operating procedure in the event of a ransomware attack?
The problem identification phase consists of several steps: these are a kind of “first aid”.
Our CERT first conducts an initial assessment by telephone to analyse the extent of the damage and determine what measures have already been taken. It then communicates the most urgent measures to take via an emergency e-mail address until the team arrives on site.
Our team gets to the client as quickly as possible, ideally within 24 hours in France. During this time, the client must carry out all the prioritised measures itself:
- Its technical teams should prepare to rebuild a healthy IT by continuing to assess the damage: they should cut off the IT from the internet, disconnect the Active Directory to prevent the attacker from progressing and back up data that has not yet been encrypted by malware.
- At the same time, management should begin implementing the crisis management plan (if one exists). This might go as far as applying a business continuity plan: what is affected, how, why and how will it affect the encrypted data? Which services must remain active?
When we arrive, we will map the damage and identify the initial measures to take in the first two or three days.
The CERT conducts an in-depth investigation: it establishes the percentage of the IT affected and identifies the starting point of the attack. The CERT may have to use an EDR solution to gain efficiency and speed. We can then restart some workstations or critical servers and directly protect them. The client can then resume work under close supervision.
In parallel, we assist the client’s teams in selecting the right internal and external communications.
A team of “volunteer firefighters” from Advens is available to take over to provide additional or complementary skills. For example, some have been called upon in the past to speak to the media.
What does the “contain and remediate” phase involve?
After a week of investigation, we create what we call a “trusted zone.”
What is a trusted zone?
A 100% secure IT environment that allows you to rebuild a robust IT infrastructure. Everything in it has been checked; we know the attacker isn’t there and can’t get in because we isolate the other computers before putting them back in the trusted zone.
The main challenge of the trusted zone is ensuring that only completely secure sections of the IT are allowed in. During the crisis, the threat could continue, the attacker could change tack, or new vulnerabilities might be discovered. A combination of care and agility is crucial to ensure the success of the containment and recovery work.
In parallel, the Advens CERT provides ongoing support. We launch or work with the crisis unit of the organisation under attack. This allows us to liaise with the client and share the results of our analysis. Once the recovery has progressed sufficiently, we can restart the affected services. Working closely with management, we determine which business functions should be recovered first.
At this stage, there are two possible scenarios:
- A BIA (Business Impact Analysis) has already been produced. This can save us time, as it indicates which service/application should be restarted first, followed by the rest in order of priority.
- Nothing has been planned for: we help the victim company to identify its priorities for resuming business, which can be very time-consuming.
How do you recover an IT and help clients become independent?
The next step is the IT recovery phase. This can take anywhere from 4-6 weeks to several months.
Once an IT is recovered and operational, the CERT team will gradually withdraw. According to the established action plan, other Advens services will then come into play. These can include implementing a supervised SOC, maintaining security conditions, defining new procedures or training and awareness.
At the end of the CERT response, we produce a response report. It contains the CERT’s digital investigations, a timeline of what happened during the incident response, a diagram of the attack, along with general and technical conclusions from which an action plan is derived.
The client is responsible for the final stages of remediation, sometimes with the help of Advens teams outside the CERT, and then it can resume business.
A big thank you to David Quesada for sharing the Advens CERT’s operating procedure in the event of a ransomware attack. To keep abstreat of new developments, follow the CERT reports on GitHub.