Ransomware Attack: Incident Response Plan and Action Items


Cybercrime is a growing problem in the computer age, and a single vulnerability is all an attacker needs today. There are numerous ways to earn money from it; cybercriminals are well aware of this, and their imagination is limitless. Ransomware is unique among cybercrime because, for the attack to be successful, it requires the victim to become a willing accomplice after the fact. The message for companies that think they haven’t been attacked is: ”They are not looking hard enough”.

The recent Kaseya ransomware outbreak, which is still spreading, is the biggest ransomware attack on record and has affected hundreds of businesses globally. Kaseya regularly pushes out updates to its customers that are meant to ensure the security of their systems, but in this case those update mechanisms were subverted to push malicious software onto customers’ systems. The group behind the attack is REvil, the Russian hacker group. Organizations are still checking internally, as well as with their customers, to safeguard them from the attack.

Let’s take a close look, from a SOC analyst’s perspective, at how to handle ransomware, a notorious form of malware.

Incident response lifecycle for Ransomware:

Phase 1: Preparation

The Preparation phase covers the work an organization does to get ready for incident response, including establishing the right tools and resources and training the team. This phase includes work done to prevent incidents from happening.

  • Our first line of defense is AV. AV won’t catch the ransomware until it has finished encryption, and when it does start to clean up it may delete all the malware files along with the registry keys the malware created, which can hold the information needed to decrypt once a payment is made. So, setting up an advanced-level AV is all the more important.
  • A good backup is the backbone that keeps you standing during a ransomware attack. Backup servers need to be tested regularly. Use DNS sinkholing to block connections to known bad domains.
  • Creating rules that flag base64-encoded content being dropped or launched by a parent process such as a .doc file (or other document file types) will help catch unknown malicious droppers.
  • Apply software restriction policies to normal users (excluding local administrators) by creating a new OU that covers all the permitted software. Create a rule based on Event ID 865 to keep track of which users are trying to install software. This method seems old, but it is still needed; these are the basics that most organizations are missing.
  • Hide the network shares, or just don’t map the drives, because hidden shares are not enumerated by WNetOpenEnum().
  • Delegate write access only where necessary, and don’t let employees change file ownership unless it is necessary.
  • Defenders need to monitor for the common names given to decryption instruction files using File Server Resource Manager (FSRM), a system that can help prevent already-executing malware from infecting the entire file server.
  • We can set up FSRM to monitor the shares for suspicious activity associated with ransomware, email designated admin addresses, and then block the infected user’s access to the shares on that server.
  • Employ content scanning and filtering on your mail servers. Inbound e-mails should be scanned for known threats, and any attachment types that could pose a threat should be blocked.
  • Make sure that all systems and software are up to date with relevant patches. Exploit kits hosted on compromised websites are commonly used to spread malware, so regular patching of vulnerable software is necessary to help prevent infection.
  • Threat intelligence and hunting can be performed by collecting all the IOCs related to ransomware and regularly feeding those indicators back into detection mechanisms such as an IDS.
  • Enabling Sysmon on endpoints can detect these infections early, so that they don’t become big incidents.
  • An Incident Response Playbook should detail the specific actions people should take as soon as it becomes apparent that an attack is underway.
  • Phishing campaigns can be run to ensure that employees are aware of malicious emails.
  • An additional safeguard is disabling Adobe Flash, because in most cases this was the reason behind the ransomware attack.
  • Software restriction policies and restrictions on running macros in Office are the last attempt to stop the ransomware from encrypting everything.
  • Make sure that the Incident Response teams know their roles and the notifications they are required to make in a critical situation.
  • Internal pentesting needs to be done more widely to find the loopholes in the organization; it also shows the capability of the Blue Team, because they are the last line of defense.

Phase 2: Detection and Analysis

Accurately detecting and assessing incidents is often the most difficult part of incident response.


  • Identifying all infected systems, as well as those in immediate danger of getting infected, is the most time-sensitive issue at the start of the attack. Below are a few points for detecting ransomware:
  • Restrict the execution of programs from the two common areas, the %APPDATA% folder and the %TEMP% folder. Looking for any file executing from these locations is an effective way to spot ransomware before it has had a chance to encrypt files, so define a rule that alerts on a match.
  • Another way for security teams to become aware of an ongoing ransomware situation is seeing file manipulation thresholds crossing significantly above their normal daily levels. This type of alert is usually generated by a SIEM solution that has been configured with the appropriate rules.
  • A good defense is to get signatures and IOCs into the IDS or network devices. Use threat intelligence sources to block, or at least alert on, anomalies associated with ransomware in the network traffic.
  • Perform full scans: anti-virus scans, EDR scans, email attachment scans. Emails containing attachments should be monitored and held for IR team review, and .doc files with macros should be scanned before reaching the user’s inbox; these are the best automated defenses against ransomware emails.
  • If the organization is large, the number of files the user can access could be several hundred thousand, which could take days for the ransomware to encrypt. This delay can mean that the victim’s computer never displays a message, since it is still going through all the files and network shares to which the user has access. In this case, it is extremely important and time-sensitive to identify the victim’s computer. This is most commonly achieved by looking at the ownership permissions of the files that have been encrypted.
  • Use Sysmon to implement file and registry monitoring with its system service and device driver, or use a FIM, to detect file modification operations such as file delete, file rename, file create, etc.
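As an added example (not code from the original article), here is a small Python detector that applies the two process-creation rules above, a base64-encoded command launched by an Office parent and execution from %APPDATA% or %TEMP%, to constructed Sysmon ProcessCreate records; the field names follow Sysmon's schema, the users, paths and command lines are made up, and the encoded-command regex is a heuristic.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 1 (ProcessCreate) records for this example; the field
# names follow Sysmon's schema, the users, paths and command lines are made up.
EVENTS: List[Dict[str, str]] = [
    {"User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\invoice.doc"'},
    {"User": "CORP\\alice", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"User": "CORP\\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\bob\AppData\Roaming\svchost.exe", "CommandLine": "svchost.exe"},
    {"User": "CORP\\carol", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"User": "CORP\\dave", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Temp\update.exe", "CommandLine": "update.exe /silent"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Heuristic: PowerShell's -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_CMD = re.compile(r"(?i)\s[-/]e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/]{16,}={0,2}")
# User-writable staging directories: %APPDATA%, %LOCALAPPDATA%\Temp and C:\Windows\Temp.
USER_WRITABLE = re.compile(r"(?i)\\(?:appdata|temp)\\")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules a single ProcessCreate event matches."""
    hits = []
    if basename(ev["ParentImage"]) in OFFICE_PARENTS and ENCODED_CMD.search(ev["CommandLine"]):
        hits.append("office_parent_encoded_command")
    if USER_WRITABLE.search(ev["Image"]):
        hits.append("exec_from_appdata_or_temp")
    return hits

def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run every event through the rules; each hit is (user, rule, image)."""
    return [(ev["User"], rule, ev["Image"]) for ev in events for rule in check_event(ev)]

if __name__ == "__main__":
    for user, rule, image in scan(EVENTS):
        print(f"ALERT {rule}: {user} -> {image}")
```

In production the same two checks would be expressed as SIEM or Sigma rules over the Sysmon feed; the point here is what each rule keys on.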


The analysis phase largely focuses on two areas: identifying the specific variant of ransomware and determining how the malware entered the organization. Here are a few points to keep in mind while analyzing.

  • Before moving on to the Containment phase, we must first figure out which ransomware variant we are dealing with.
  • To understand how the ransomware got into the environment, a root cause study should be performed. It’s important to figure out whether the entry point was an email or a web browser.
  • The organization should keep in mind that while blocking the identified malicious site is the first step, it may not be an adequate compensating control, since mobile employees will not be blocked by the organization’s firewall rules while they are not on the organization’s local area network (LAN).
  • Looking for random filename patterns or known ransom extensions is another way to detect the ransomware as it is running.
  • Odd registry keys, malicious files, encrypted data, unusual amounts of internal traffic flow, unexplained system crashes, illegal and unexplained software installation, and non-whitelisted apps or files are all examples of what to look for during manual inspection.
  • EDR logs, inbound/outbound network traffic logs, Windows event logs, SIEM logs, system logs and threat intelligence sources should be monitored intensively.
  • To identify possible risks and affected assets or users, an automated or manual intervention should be performed:
    • Put compromised accounts on monitoring.
    • List hosts that communicated with the external IP, external URL or external domain.
    • List users who opened the email message and collect all copies of it. List all receivers of the email message. Confirm that the email message is phishing. Extract observables from the email messages.
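As an added example, not from the original post, here is Python detection logic for the file-side indicators covered in this list and the previous one: the file-manipulation threshold, renames to known ransom extensions and ransom-note file names (the FSRM monitoring mentioned under Preparation), run over constructed file events. The extension and note-name lists are placeholders to be filled from your own threat intelligence.

```python
from collections import deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed file-activity records (timestamp, user, operation, path), the kind of
# stream a FIM, Sysmon file events or an FSRM file screen would feed into a SIEM.
# Users, paths and times are made up for this example.
FILE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("2021-07-02T09:00:01", "CORP\\alice", "create", r"\\fs01\finance\Q2\budget.xlsx"),
    ("2021-07-02T09:00:05", "CORP\\alice", "rename", r"\\fs01\finance\Q2\budget.xlsx.bak"),
]
# One user renaming a dozen documents within seconds, then dropping a ransom note.
FILE_EVENTS += [(f"2021-07-02T10:15:{i:02d}", "CORP\\bob", "rename",
                 rf"\\fs01\hr\contracts\doc{i}.docx.locked") for i in range(12)]
FILE_EVENTS.append(("2021-07-02T10:15:13", "CORP\\bob", "create", r"\\fs01\hr\contracts\HOW_TO_DECRYPT.txt"))

# Placeholder lists: populate them from your own threat-intel feed, not from this example.
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "readme_to_decrypt.txt", "decrypt_instructions.html"}
WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 10  # file operations per user per window; derive it from your daily baseline

def analyze(events: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (user, rule, detail) alerts for ransom extensions, note files and bursts."""
    alerts: List[Tuple[str, str, str]] = []
    recent: Dict[str, deque] = {}     # per-user timestamps inside the sliding window
    burst_fired = set()               # alert once per user, not once per extra event
    for ts, user, op, path in sorted(events):
        t = datetime.fromisoformat(ts)
        name = path.rsplit("\\", 1)[-1].lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if op == "rename" and ext in RANSOM_EXTENSIONS:
            alerts.append((user, "known_ransom_extension", path))
        if op == "create" and name in RANSOM_NOTE_NAMES:
            alerts.append((user, "ransom_note_dropped", path))
        q = recent.setdefault(user, deque())
        q.append(t)
        while q and t - q[0] > WINDOW:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > BURST_THRESHOLD and user not in burst_fired:
            burst_fired.add(user)
            alerts.append((user, "file_modification_burst", f"{len(q)} ops in {WINDOW.seconds}s"))
    return alerts

if __name__ == "__main__":
    for user, rule, detail in analyze(FILE_EVENTS):
        print(f"ALERT {rule}: {user} {detail}")
```

The burst rule is the one that catches a variant whose extension is not yet in the list, which is why the threshold should be set from measured daily activity rather than guessed.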

Phase 3: Containment, Eradication, and Recovery

This phase focuses on keeping the incident impact as small as possible and mitigating service disruptions.


  • Even if the ransomware has already finished encrypting and displayed its notice, there are steps you can take to contain it locally so that network files are not affected.
  • Having an endpoint protection system that can look for the execution and kill the process is usually the best means of containment.
  • Once a system has been identified as potentially having ransomware, the potentially infected computer should be immediately removed from your networks (including WiFi) and either shut down or, ideally, hibernated (to assist in forensic and sample analysis) to minimize the risk of the ransomware continuing the encryption process.
  • If the above point is not applicable in an organization, then taking the file shares offline will help to minimize the risk and impact to the business. The file servers do not need to be shut down, but all access to the file shares should be terminated (remove the share, restrict by network or host-based firewall ACL, etc.).
  • Having a good EDR solution is helpful in cases of malware attacks in a few ways.


This phase involves removing the ransomware from the infected systems. After containing the infected machine, we need to eradicate the ransomware from the network.

  • The identified infected machine with ransomware can be rebuilt from a trusted source.
  • It is better to replace or reimage the machine rather than cleaning it. If we choose to clean rather than replace, continue to monitor for signatures and other IOCs to prevent the attack from re-emerging.
  • Take action according to the RCA (root cause analysis). If the vector was email, delete all related emails and take action on the IOCs. If it was a web browser exploit, block and monitor those sites; the organization should then determine whether any vulnerable browser components need to be updated or removed.
  • As a precaution, all impacted users’ passwords should be changed. To avoid alerting the attackers, this action should be conducted cautiously and intelligently. It’s likely an attacker has several credential sets and may attempt to use them and pivot the attack if their initial access is suddenly revoked.


This is the process of restoring and returning affected systems and devices into your business environment. During this time, it’s important to get your systems and business operations up and running again without the fear of another breach.

  • Restore from a clean backup, look for the infection vector, and notify Law Enforcement, if appropriate.
  • Depending on the results of the root cause analysis, if the attack was made possible by vulnerable systems, those should be patched to prevent them from being re-exploited in the future.
  • It’s essential to check the status of backups when recovery is needed. Using backups to recover systems is not a realistic solution if the attackers have been in the networks for months and backup data are likewise encrypted.
  • Redundancy is a best practice for backups, as is having backups verified, separated, or offline to decrease the risk of manipulation.
  • Encryption reversal can be attempted in cases where a full backup is impossible. Organizations may seek ways to break the encryption without paying the ransom, or perhaps locate decryption keys on infected systems.
  • Paying a ransom does not ensure that you will be rescued, and it does not imply that you will be rescued immediately. Paying a ransom to cybercriminals is a federal violation, and payments involving some countries are subject to US penalties.
  • Remember that paying a ransom encourages attackers to raise the frequency of attacks as well as the ransom price.

Phase 4: Post-Event Activity

Hold an after-action meeting with all members of the Incident Response Team to share what you’ve learned from the data breach once the investigation is finished.

  • The analysis should also include the technical measures in place to assist in the detection and protection of the infrastructure.
  • This is where you will analyze and document everything about the breach. Determine what worked well in your response plan, and where there were holes.
  • The attack will be handled differently by each organization. Lessons learned like these can help the business improve its processes over time, ensuring that future crises are handled more efficiently and with less potential harm.


The Active Defense of the Blue Team has the potential to change the public perception that Blue Team defeat is normal. It also illustrates how businesses employ Red Team exercises to ensure that a solid Active Defense is effective.

Anusthika Jeyashankar
Ambitious Blue Teamer; Enthused Security Analyst