Ransomware Incident Response and Recovery

Clients IT infrastructure has been affected by a ransomware attack. The client was expecting investigators to gather indicators of compromise via digital forensics after noticing suspicious activity as part of the engagement. Also, the client wants to identify “smarter” tools that can detect and quarantine suspicious files in the future automatically.

The fundamental purpose of the project is to reduce the impact that ransomware attacks have on the operations of the organization, protect vital assets, and restore normalcy while simultaneously improving the defenses of the infrastructure against any future threats.

The Approach:

In the beginning, we assisted the client’s IT team in rapidly recovering from the situation by assisting them in restoring from a backup and maintaining some domain controllers in isolation mode based on our previous experience with ransomware scenarios (within next 10 days, the attacker will attempt again)

As soon as it was recovered, we provided our comprehensive risk assessment questionnaire to the IT team to fill out to understand the client’s IT infrastructure boundary and also to define the project scope, objectives, and deliverables. The risk assessment questionnaire can be downloaded here.

As soon as the SOW was authorized, we immediately carried out a thorough risk assessment to detect ransomware vulnerabilities. In addition to this, we built an incident response strategy that was adapted to the organization’s organizational structure and the resources it possessed. Once we had identified a few IOCs, we moved on to the next step, which was to begin the process of prevention and defense. This step would offer a list of the components or configurations that were lacking in the existing environment, such as network segmentation, multi-factor authentication, intrusion prevention and detection systems, and so on.

If the identified remediation is scoped, then our team would take it further; in this contract, it was end-to-end support, so we took it up with concern team and instantly initiated the actions (because of the sensitive nature of these projects, I’m unable to disclose what was falling behind).

As soon as it was put into effect, the next phase that would take place would be developing incident response protocols. During this process, we would build a response team and define roles and duties, as well as develop step-by-step procedures for identifying incidents, isolating them, and reporting them.

After that, we got started on the task of containing and eradicating the incident. wherein we carried out incident response procedures in order to isolate and contain ransomware infections. Deploy tools to eliminate ransomware on systems that have been compromised. Following that, we suggested the use of automatic tools and followed it up with a comparative analysis and a recommendation. Due to the sensitive nature of the information, the suggested tools cannot be discussed here.

Post procurement of the tool, our SOC engineers helped to deploy the same across all servers and endpoints. After that, the key and critical CVEs will be addressed, and subsequently, the rest will be taken care of automatically, Our team is monitoring till date.

As a deliverable, we have provided the post-incident analysis report and improvements, the data backup and recovery strategy, the data recovery and system restoration process, communication, and reporting, along with the missing tools report and an indicative pricing sheet.

My Role:

Senior Principal, I am accountable and responsible for the delivery of the entire project, from beginning to end. This consists of assessment and remediation, tool implementation, and remediating the most critical CVEs.

Project Details:

Team Size: 5 Members

Project Duration: 3 Months

Project Cost: T&M

Conclusion:

Insofar as this project is concerned, the flaw is in the CI/CD process, and as a result, we insisted that the client adopt DevSecOps methods with shift left. In addition, we proposed several tools with our recommendations that the customer would implement shortly.