Sadly, 2021 already looks like a year of cyber attacks. Earlier this week, the German district of Anhalt-Bitterfeld became the first in Germany to declare a state of disaster because of a cyber attack. The week before brought reports that attackers had compromised the US software company Kaseya, with ransomware pushed out through its VSA product to an estimated 800 to 1,500 businesses around the world.
These examples show that organizations with weak and with mature IT infrastructures alike are being attacked.
SMEs are particularly at risk. They often have no emergency preparedness concept or crisis plan in place, and so do not know what to do in the hours immediately after a ransomware attack.
In an attempt to provide a type of first aid in the event of a ransomware attack, Germany’s Mechanical Engineering Industry Association (VDMA) has published an emergency ransomware guide.
This document is primarily aimed at IT managers and IT security officers in SMEs that have few in-house resources, and is intended to answer their most burning questions.
Important note: The emergency ransomware guide does not set out mandatory guidelines or requirements relating to protection against ransomware. It is designed to offer recommendations based on recognized documents by independent third parties. Each case is unique, which means that all actions and recommendations must be evaluated in the context of the situation at hand.
Below, we have included a summary of two fundamental questions about ransomware attacks taken from the emergency guide:
How can we recognize a cyber attack?
Employee indicators (client PC, file server access)
- Computers start running slow
- Discovery of encrypted or unreadable files
- Files can suddenly no longer be opened
- Unknown files/file extensions
- Virus scanner alerts
- Computers restart into safe mode
- New files appear stating that the system has been compromised and giving payment instructions (ransom note)
- On-screen ransom demand
- Ransom demand on system startup
- Random system reboot
- Antivirus software deactivated/reports errors and does not start
- Unexpected prompts to install a program or to enter an administrator password
- Desktop background changes
- Emails contain unusual or unexpected attachments, links, or requests to take unusual actions
The VDMA therefore recommends training employees to recognize these indicators. Anyone who notices suspicious activity should immediately call the system administrator (IT department) or IT helpdesk/support by phone. All colleagues should know the number to call, and it should be available offline, since ransomware attacks often block access to online address books. Be aware that the telephony system can also be affected during an incident.
Indicators of automated scripts (administrators)
- Files whose contents have been replaced by encrypted data
- File extensions characteristic of ransomware appended to large numbers of files
- Outbound command and control traffic through the firewall, IPS, or secure web gateway
- Malicious emails blocked at the mail gateway (others from the same campaign may have been delivered)
- Firewall deactivated/modified
- Volume shadow copies deleted, or far fewer present than usual
- Internal hosts communicating with external hosts on ports other than the usual ones
- Network activity and/or alerts outside normal business hours
- Suspicious (internal) network scans
- An unusually high rate of security incidents
- Suspicious login attempts by a user into the corporate network (login attempts from different locations within a short space of time)
- Privileges being added to administrative accounts, and group policy changes nobody planned
- Unauthorized software installation
- Antivirus detecting and removing the same malware on several hosts at the same time, over and over again (the malware keeps being reintroduced)
- Unusual traffic from servers to the Internet (e.g., a domain controller making HTTP or HTTPS connections)
- Accesses to unused shares/files (“canary files”)
- Backups disappearing, failing, or being incomplete
Important: Any of these indicators may mean that an attack is under way or that a system is already infected. The faster the response, the less gets encrypted.
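As an added example (not code from the VDMA guide or from this page), the following PowerShell script checks a batch of host and file-server events against several of the administrator indicators above: shadow copy and recovery tampering, ransom-note creation, canary-file access, a domain controller talking to the Internet, and mass renames of files to one new extension. All event records are constructed inline so the script runs offline; in practice they would be pulled from Sysmon, the Security event log, file-server audit logs or firewall exports. The host names, share paths, "_canary" folders and the `*.locked` extension are assumptions.

```powershell
# Added example (not from the VDMA guide): score constructed events against the
# administrator indicators. Host names, share paths and canary folders are assumptions.

# Command lines that destroy recovery options; a near-universal precursor to encryption
$RecoveryTamperPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'bcdedit(\.exe)?\s.*recoveryenabled\s+no',
    'wbadmin(\.exe)?\s+delete\s+catalog'
)
# Coarse ransom-note file-name pattern; tune it to what your AV vendor reports for a family
$RansomNotePattern = '(readme|how_?to_?(decrypt|restore)|recover|decrypt)[^\\]*\.(txt|html|hta)$'
# Shares nobody legitimately uses: any access at all is an indicator (assumed paths)
$CanaryPrefixes    = @('\\fs01\finance\_canary\', '\\fs01\hr\_canary\')
$DomainControllers = @('DC01', 'DC02')

function Test-PrivateIP {
    param([string] $Ip)
    return ($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)')
}

function Find-RansomwareIndicators {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $RenameThreshold = 20,   # renames to one new extension by one user ...
        [int] $WindowMinutes   = 5     # ... within this many minutes count as mass encryption
    )
    $findings = New-Object 'System.Collections.Generic.List[object]'
    function Add-Finding($Indicator, $Evt, $Detail) {
        $findings.Add([pscustomobject]@{
            Indicator = $Indicator; Time = $Evt.Time; Host = $Evt.Host; User = $Evt.User; Detail = $Detail
        })
    }

    foreach ($e in $Events) {
        switch ($e.Type) {
            'ProcessCreate' {
                foreach ($p in $RecoveryTamperPatterns) {
                    if ($e.CommandLine -match $p) { Add-Finding 'RecoveryTampering' $e $e.CommandLine; break }
                }
            }
            'FileCreate' {
                if ($e.Path -match $RansomNotePattern) { Add-Finding 'RansomNote' $e $e.Path }
            }
            'NetworkConnect' {
                # Domain controllers have no business talking to public addresses
                if (($DomainControllers -contains $e.Host) -and -not (Test-PrivateIP $e.DestIp)) {
                    Add-Finding 'ServerToInternet' $e "$($e.DestIp):$($e.DestPort)"
                }
            }
        }
        # Canary check applies to every event that carries a path (read, create, rename)
        if ($e.Path) {
            foreach ($c in $CanaryPrefixes) {
                if ($e.Path.StartsWith($c, [StringComparison]::OrdinalIgnoreCase)) { Add-Finding 'CanaryAccess' $e $e.Path }
            }
        }
    }

    # Mass rename: many files by one user receiving the same new extension within a short window
    $renames = @($Events | Where-Object Type -eq 'FileRename')
    foreach ($g in ($renames | Group-Object { $_.User + '|' + [IO.Path]::GetExtension($_.NewPath) })) {
        if ($g.Count -lt $RenameThreshold) { continue }
        $sorted = @($g.Group | Sort-Object Time)
        $span   = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        if ($span -le $WindowMinutes) {
            $ext = [IO.Path]::GetExtension($sorted[0].NewPath)
            Add-Finding 'MassRename' $sorted[0] "$($g.Count) files renamed to *$ext within $([math]::Round($span, 1)) min"
        }
    }
    return $findings.ToArray()
}

# ---- constructed sample events (not real logs) ----
$t0 = [datetime]::Parse('2021-07-10T02:13:00Z').ToUniversalTime()
$sample = @(
    [pscustomobject]@{ Time = $t0;               Type = 'ProcessCreate';  Host = 'WS-0142'; User = 'ACME\jdoe';   CommandLine = 'vssadmin.exe delete shadows /all /quiet' }
    [pscustomobject]@{ Time = $t0.AddSeconds(4); Type = 'ProcessCreate';  Host = 'WS-0142'; User = 'ACME\jdoe';   CommandLine = 'bcdedit.exe /set {default} recoveryenabled no' }
    [pscustomobject]@{ Time = $t0.AddMinutes(1); Type = 'FileRead';       Host = 'FS01';    User = 'ACME\jdoe';   Path = '\\fs01\finance\_canary\salaries_2021.xlsx' }
    [pscustomobject]@{ Time = $t0.AddMinutes(2); Type = 'FileCreate';     Host = 'FS01';    User = 'ACME\jdoe';   Path = '\\fs01\finance\Q2\README_TO_RESTORE.txt' }
    [pscustomobject]@{ Time = $t0.AddMinutes(3); Type = 'NetworkConnect'; Host = 'DC01';    User = 'SYSTEM';      DestIp = '203.0.113.7'; DestPort = 4443 }
    # benign noise that must stay silent: one ordinary rename, one workstation web request
    [pscustomobject]@{ Time = $t0;               Type = 'FileRename';     Host = 'FS01';    User = 'ACME\asmith'; Path = '\\fs01\hr\draft.docx'; NewPath = '\\fs01\hr\final.docx' }
    [pscustomobject]@{ Time = $t0;               Type = 'NetworkConnect'; Host = 'WS-0142'; User = 'ACME\jdoe';   DestIp = '203.0.113.9'; DestPort = 443 }
)
# 25 files in one share renamed to *.locked within half a minute by the same user
$sample += 1..25 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddSeconds(60 + $_); Type = 'FileRename'; Host = 'FS01'; User = 'ACME\jdoe';
                       Path = "\\fs01\finance\Q2\doc$_.xlsx"; NewPath = "\\fs01\finance\Q2\doc$_.xlsx.locked" }
}

Find-RansomwareIndicators -Events $sample | Format-Table -AutoSize
```

The two noise records (a single ordinary rename and a workstation HTTPS connection) produce no finding, while the vssadmin and bcdedit command lines, the canary read, the ransom note, the domain controller's connection to a public address and the burst of renames to `*.locked` each do. The mass-rename threshold and window are the knobs to adjust per file server; one user touching twenty files in five minutes is normal on some shares and unheard of on others.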
When should I declare a ransomware emergency?
Ask the following questions to help determine whether your specific situation is in fact an emergency. If you answer every question with “Yes”, the situation is certainly a ransomware emergency.
Damage factor (effects and spread)
- Is the infection (encryption) likely to spread uncontrolled throughout the entire network?
- Are critical IT systems or information no longer available or under acute threat?
- Have critical business processes been disrupted or are they under acute threat?
Time factor (since when/how much longer?)
- Are the steps and the amount of time it will take to resolve the incident unclear?
- Is it likely that the time until processes or systems are restored will be unacceptable?
- Is the incident having a significant impact beyond internal processes, services, and systems, e.g., in a customer’s supply chain?
The following additional questions can help concretize a ransomware emergency:
- Are the attackers still in the process of probing and taking over the network?
- Are files still being encrypted?
- Has anything, or everything, already been encrypted?
- Are privileged accounts affected?
- Is it possible to limit the disruption?
- Is it possible to trace the activities without any gaps? Are other locations affected?
- Does anyone know what actions need to be taken to resolve the disruption?
- Are backups of the affected systems available?
- Are there any viable workarounds (mobile communication instead of fixed line, paper instead of PDF, etc.)?
- Have key areas of production shut down?
- Is product quality being affected?
- Is the ability to deliver to customers being affected?
- Have communication channels been compromised?
- Are other non-critical functional areas affected (staff restaurant, parking garages)?
- Is the incident having visible external consequences (image or reputation damage) that can be observed by third parties, e.g., web store unavailable, phone lines unavailable?
- Does the company have any obligations to notify other parties about the incident (authorities, business partners, etc.)?
If multiple systems are impacted, initially assume that the majority of the network is affected. In flat network structures with no protective zones, assume that the entire network is affected. At today's speeds, malware can spread across a network in a few minutes, and with SSDs, Gigabit links and high-performance servers, encrypting everything often takes only one to two hours. Any response therefore has to be fast.
What should I do in a ransomware emergency?
Protect core systems
- Where possible, isolate core systems
- Deny/limit user access to business-critical systems
Protect file servers, domain controllers, and databases
- Block write access to files for all users (use a prepared script if one is available)
- Identify the users with the most open files; a user in the middle of encrypting a share holds an unusually large number of handles
- Put file servers into hibernation (not shutdown) so that their working memory is written to disk and preserved
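As an added example (not from the VDMA guide or this page), the following PowerShell script carries out the three file-server steps above on a Windows file server with the SmbShare module (Windows Server 2012 R2 or later): it records who has files open and exports the current share permissions for later rollback, downgrades every non-administrative share to read-only, closes all open SMB handles, and optionally hibernates the server. It is meant to be run locally at the server console (see the warning below about admin logins over the network). The evidence folder name is an assumption; run it with `-WhatIf` first to see what it would change.

```powershell
# Added example (not from the VDMA guide): emergency lockdown of a Windows file server.
# Run at the server console with local administrator rights. C:\IR-Evidence is an assumption.
function Invoke-FileServerLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $EvidenceDir = 'C:\IR-Evidence',
        [switch] $Hibernate
    )
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')

    # 1. Who has the most files open right now? Keep the full list as evidence.
    $open = @(Get-SmbOpenFile)
    $open | Export-Csv -Path (Join-Path $EvidenceDir "open-files-$stamp.csv") -NoTypeInformation
    $open | Group-Object ClientUserName | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize | Out-String | Write-Host

    # 2. Save the current share permissions so the change can be rolled back later.
    Get-SmbShare | Get-SmbShareAccess |
        Export-Csv -Path (Join-Path $EvidenceDir "share-access-$stamp.csv") -NoTypeInformation

    # 3. Stop further writes over SMB: every Allow entry with Change/Full is reduced to Read.
    #    Effective access is the intersection of share and NTFS permissions, so NTFS ACLs
    #    stay untouched. Administrative shares (C$, ADMIN$, IPC$) are left alone.
    foreach ($share in Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' }) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -ne 'Allow' -or $ace.AccessRight -eq 'Read') { continue }
            $target = "$($share.Name) ($($ace.AccountName))"
            if ($PSCmdlet.ShouldProcess($target, "downgrade $($ace.AccessRight) to Read")) {
                Revoke-SmbShareAccess -Name $share.Name -AccountName $ace.AccountName -Force | Out-Null
                Grant-SmbShareAccess  -Name $share.Name -AccountName $ace.AccountName -AccessRight Read -Force | Out-Null
            }
        }
    }

    # 4. Close open handles so a running encryption loop loses its write access immediately.
    if ($PSCmdlet.ShouldProcess('all open SMB files', 'close')) {
        Get-SmbOpenFile | Close-SmbOpenFile -Force
    }

    # 5. Preserve working memory: hibernation writes RAM to hiberfil.sys. Never pull the plug.
    if ($Hibernate -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'hibernate')) {
        powercfg.exe /hibernate on
        shutdown.exe /h
    }
}

# Dry run first; then Invoke-FileServerLockdown, and Invoke-FileServerLockdown -Hibernate
Invoke-FileServerLockdown -WhatIf
```

Two caveats a practitioner should keep in mind: share-level Read only stops writes that arrive over SMB, so a process running on the file server itself (or a user at its console) can still write, and the exported share-access CSV is the only record of the original permissions, so copy it off the server before anything else happens to the machine.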
Emergency steps for devices
- WARNING: DO NOT log in to the system with admin rights while the device is still connected to the network and/or Internet
- Separate from the network and other communication connections (LAN, Wi-Fi); in an emergency, use the network switch to deactivate the relevant ports
- Set virtual machines to suspend mode (preserve working memory)
- Set physical machines (PC) to standby mode to preserve device working memory (standby mode needs to be activated first in Windows 10 [Win10])
- Use a smartphone to take photos or film any ransom demands and relevant events. Write down the device ID and the time to allow for accurate tracking later on
Emergency steps in the IT network
- Break all network connections between the company and the outside world (firewall, Internet)
- Between all network segments, add a rule Src: ANY, Dst: ANY, Service: ANY, Action: DROP at the very top of the firewall rule set, so that segments can be re-enabled one at a time during the restart
- Cut network connections to outside entities (MPLS, VPN, etc.). If outside entities are already affected, use firewalls and whitelisting to permit only dedicated emergency administration connections, so that the malware cannot spread uncontrollably to other locations (loss of control)
- Switch off client remote access
- Deactivate internal switches and routers if it is not possible to switch off individual network segments (e.g., floor-level switches, the router into the production network)
- Switch off wireless networks (guests, employees), e.g., Wi-Fi, 5G campus network
- Disconnect IT end devices (laptops, servers, PCs, smart TVs, ClickShare, projectors, printers, mass storage) from the network
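As an added example covering both the device steps and the network steps above (not from the VDMA guide or this page), the following PowerShell script disconnects a single Windows host the way those steps describe: it first writes down the device identity and the time, captures the volatile network state that disappears the moment the cable is pulled (established connections are the first lead on command and control traffic), suspends any local Hyper-V VMs instead of stopping them, and only then disables the physical LAN and Wi-Fi adapters. It never powers the machine off. The evidence folder is an assumption; `-WhatIf` shows the disruptive steps without performing them.

```powershell
# Added example (not from the VDMA guide): emergency disconnect of one Windows host.
# Run with local administrator rights at the console. C:\IR-Evidence is an assumption.
function Invoke-EmergencyDisconnect {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $EvidenceDir = 'C:\IR-Evidence')

    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
    $log   = Join-Path $EvidenceDir "disconnect-$env:COMPUTERNAME-$stamp.txt"

    # 1. Device ID and time: the two facts the responder has to write down
    $bios = Get-CimInstance Win32_BIOS
    @(
        "Host: $env:COMPUTERNAME  Serial: $($bios.SerialNumber)  Time(UTC): $stamp"
        "Logged-on user: $env:USERDOMAIN\$env:USERNAME"
    ) | Set-Content -Path $log

    # 2. Volatile state lost on disconnect: active connections (possible C2) and addresses
    "`n== Established TCP connections ==" | Add-Content -Path $log
    Get-NetTCPConnection -State Established |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
        Format-Table -AutoSize | Out-String -Width 200 | Add-Content -Path $log
    "`n== IP addresses ==" | Add-Content -Path $log
    Get-NetIPAddress | Select-Object InterfaceAlias, IPAddress |
        Format-Table -AutoSize | Out-String | Add-Content -Path $log

    # 3. Suspend (never stop) local Hyper-V VMs so their working memory is kept
    if (Get-Command Suspend-VM -ErrorAction SilentlyContinue) {
        foreach ($vm in Get-VM | Where-Object State -eq 'Running') {
            if ($PSCmdlet.ShouldProcess($vm.Name, 'suspend VM')) { Suspend-VM -Name $vm.Name }
        }
    }

    # 4. Cut LAN and Wi-Fi. The host stays powered so its memory can still be imaged.
    foreach ($nic in Get-NetAdapter -Physical | Where-Object Status -eq 'Up') {
        if ($PSCmdlet.ShouldProcess($nic.Name, 'disable adapter')) {
            Disable-NetAdapter -Name $nic.Name -Confirm:$false
        }
    }

    # 5. Fingerprint the record so later tampering with it can be detected
    $hash = (Get-FileHash -Path $log -Algorithm SHA256).Hash
    Write-Host "Evidence written to $log"
    Write-Host "SHA-256: $hash  (write this down or photograph it together with the ransom note)"
    return $hash
}

# Dry run first (the evidence file is still written), then the real thing
Invoke-EmergencyDisconnect -WhatIf
```

Disabling the adapters is the software equivalent of shutting the switch port; if the host is a VM itself, suspend it from the hypervisor instead. Leave the evidence file on the local disk and read the hash out by phone or photograph it: once the adapters are down there is no other way to get it off the machine without reconnecting it.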
Other emergency steps
- Establish an alternative communication infrastructure (e.g., telephone chain) since attackers could potentially be reading emails
- Establish a crisis team with colleagues from IT, Communications, Legal, and Data Protection
- Do not open or forward any emails or files, not even via cloud storage, since that could infect devices outside the network (e.g., personal PCs, customers, suppliers)
- Do not connect mobile work devices to home networks or to other business networks
- Inform your own subsidiaries and IT staff in other locations
- Immediately inform external IT service partners, e.g., cloud providers
- Do not make any “repair attempts” without calling on specialists for the systems affected
- Reinstall the systems affected or restore to a status prior to infection, then back up immediately
- Create “clean” admin users and block all other (admin) users
- Stick to rotation processes (backup rotation, log rotation, snapshot rotation) so that no other data is lost, and back up system logs (proxy, firewall, antivirus, Active Directory, VPN, systems affected)
- Assign employees to other tasks if they cannot work due to the incident (e.g., coordination, messenger tasks, placing warning posters/stickers)
Notes on forensic investigations
There are specific rules of conduct that ensure forensic investigations remain an option:
- UNDER NO CIRCUMSTANCES disconnect the power supply to IT systems
- DO NOT DELETE ANY files/systems, even if they might be infected with malware
- Create (or have someone create) a forensic backup (bit-by-bit 1:1 copy) of the disks, including a memory (RAM) image, for future criminal proceedings
- Under no circumstances install any software. However, if this is absolutely necessary, make sure to document the source of the software and the installation time
- Create a log for every step, for every individual system from the time the compromise is detected through to the end of the recovery work
- Secure relevant log files (antivirus, Citrix, login, firewall, web traffic, etc.) and protect against manipulation
- Call in specialists for forensic investigations
- If there is cyber insurance in place, contact the insurer’s claims hotline for support from specialist computer forensics investigators
Crisis team: Senior management should decide to set up a crisis team to manage the emergency. The crisis team is responsible for returning the business to normal operation as quickly as possible and for keeping follow-on losses to an absolute minimum.
During, and after, a ransomware attack it is not enough to trigger emergency measures; permanent security measures based on the lessons learned must be put in place too. Reinforce your infrastructure with more, but above all the right, security measures. These need not be complicated or expensive, but they must be tailored to your needs. Long-term protection and risk mitigation should be structured around your own risk situation, so that cybersecurity measures can be chosen on the basis of what the investigation finds. This covers risk mitigation and prevention as well as risk transfer (e.g., insurance) and risk acceptance.
The complete emergency ransomware guide, including further helpful tips and guidance, is available on the VDMA website at https://www.vdma.org/viewer/-/v2article/render/1295961