How to respond to a ransomware infection

Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee Host Intrusion Prevention (Host IPS) 8.0
McAfee VirusScan Enterprise (VSE) 8.8

Summary

This article provides general guidance to first responders during a ransomware outbreak.

Ransomware is malware that uses asymmetric encryption to hold a victim's information for ransom. Asymmetric (public-private) encryption is cryptography that uses a pair of keys to encrypt and decrypt a file. The attacker generates a unique key pair for each victim, and the private key needed to decrypt the files is kept on the attacker's server. The compromised user has to pay the attacker a ransom to obtain the private key and get the files decrypted.

Many different variations of ransomware currently exist. Ransomware and other malware are typically distributed using spam campaigns, phishing emails, or targeted attacks. McAfee security products use several technologies that help prevent ransomware.

Use the following topics to guide your response to a ransomware outbreak in your environment:
  1. Identify and isolate the affected systems
  2. Apply updates for vulnerabilities and ensure environmental compliance
  3. Apply related ENS/Host IPS/VSE rules to the online systems for all known ransomware behavior
  4. Confirm that the recommended best practices are in place
  5. Apply, test, and deploy the related Extra.DAT (if available)
  6. Run a full on-demand scan on all systems
  7. Confirm control of the environment
  8. Place the isolated systems back online once they are confirmed clean
  9. Restore the affected files from a backup
  10. Perform incident response and proactive measures
  11. Consider implementing additional recommendations

Problem

Ransomware has affected systems in your environment.

Solution

Perform the following steps:
  1. Identify and isolate the affected systems.
    Isolating the affected systems helps prevent the threat from spreading if it has that capability. Not all threats or variants of ransomware display this behavior.

    For instructions to build a report with the threat source details for VSE, see KB81336.
     
  2. Apply updates for vulnerabilities and ensure environmental compliance.
    • Apply any vendor or operating system updates on all systems. This action is critical to mitigate the vulnerability that the malware is exploiting. Leaving even one system unpatched leaves a hole in your environment that the malware can exploit.
    • Ensure environmental compliance based on the existing security policy. Not all variants of ransomware exploit application or operating system vulnerabilities.
     
  3. Apply related ENS/Host IPS/VSE rules to the online systems for all known ransomware behavior.
    • For information about ENS/Host IPS/VSE rules that protect against ransomware, see PD25203.
    • For a list of and best practices for ENS Dynamic Application Containment rules, see KB87843.
     
  4. Confirm that the recommended best practices are in place.
    • For best practices and ENS Dynamic Application Containment rules, see KB87843.
    • For VSE best practices, see PD22940.
    • For instructions to enable the Global Threat Intelligence technology in McAfee products, see KB70130.
    • For best practices to avoid being compromised by software exploits, see PD25171.
     
  5. Apply, test, and deploy the related Extra.DAT (if available).
    An Extra.DAT is a temporary detection file created by McAfee Labs to detect and remove threats that have not yet been added to the daily DAT files. If McAfee Labs has provided an Extra.DAT, the best practice is to apply and test it locally on an infected system to ensure that no issues arise. After you have properly tested the Extra.DAT, deploy it and run a full system on-demand scan (ODS).
    1. Locally apply and test the Extra.DAT on isolated/offline systems.
      For instructions to apply an Extra.DAT locally for VSE, see KB50642.
      For instructions to check in an Extra.DAT for ENS, see the "Use Extra.DAT files" section in PD26799.
    2. Once tested, check in and deploy the Extra.DAT to all systems.
      For instructions to check in and deploy an Extra.DAT through ePO, see KB67602.
    3. Confirm via ePO reporting that the Extra.DAT has been successfully installed.
      For instructions to determine which computers have an Extra.DAT installed via ePO reporting, see KB59410.
       
      NOTE: An Extra.DAT can clean (delete) the malware file it was tailored for, but it cannot undo the encryption. Because the affected application files were encrypted asymmetrically and the private key cannot be obtained, an ODS with the current DAT/Extra.DAT cannot decrypt them. These files must be restored from a known good backup source.
       
  6. Run a full On-Demand Scan on all systems.
    • For instructions to run an ENS ODS (use policy-based, not custom-based scans for full reporting), see the "Configure, schedule, and run scan tasks" section of PD26799.
    • For instructions to run a VSE ODS, see the "Configuring on-demand scan tasks" section (using ePO) or the "VirusScan Console" section (individual systems) of PD22941.
    • For best practices for VSE ODS, see KB74059.
    • For an optional offline command-line scanning method if the system is unable to boot into normal Windows mode, see KB51141. If using an Extra.DAT with the command-line scanning method, place the Extra.DAT in the c:\scan\ folder after Step 5 in KB51141.
     
  7. Confirm control of the environment.
    Check for threats detected in the last 24 hours.
    • For instructions to create an ePO report for ENS reporting Event ID: 1203 (on-demand scans), see KB87752.
    • For instructions to create an ePO report for ENS/VSE reporting Event ID: 1203 (on-demand scan Completed), see KB69428.
    • For instructions to build a report with the threat source details for VSE, see KB81336.
     
  8. Place the isolated systems back online once they are confirmed clean.
    Once the isolated systems have been confirmed clean, place them back online in small groups and monitor their behavior closely afterward.
     
  9. Restore the affected files from a backup.
    When all systems are clean and back on the network, restore the affected application files from a known good backup source or Windows Shadow Volume.
     
  10. Perform incident response and proactive measures.
    Blocking file types at the gateway is the best and easiest line of defense (see the file types listed below). Ransomware, downloaders, and JS/Nemucod all masquerade as one another. Generally speaking, downloaders arrive in spam or phishing emails as DOC or XLS, and less often as JS. JS/Nemucod arrives in spam or phishing emails as JS. Ransomware arrives as JS, EXE, TMP, SCR, WSF, and so on. Most installers drop an EXE in the user profile directory. It is easier to protect against ransomware if you also protect against its installers and droppers.
     
    For downloaders and Nemucod, create firewall rules to prevent Microsoft Word, Microsoft Excel, scripts, and PowerShell from making outbound calls. You also need to create appropriate allow lists based on legitimate traffic generated by these applications.

    For example, if an organization uses Office 365, see the following for the endpoints (Fully Qualified Domain Names, ports, URLs, IPv4 address ranges, and IPv6 address ranges) that you should include in your outbound allow lists to ensure that your computers can successfully use Office 365: https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
     
    It is also recommended to block archive files (ZIP, RAR, TAR, JAR, and so on), if doing so is not against company policy.
     
  11. Consider implementing additional recommendations.
     
    • Implement security awareness and training:
      • Simulate a phishing/spam campaign to bring security awareness to those users who fall for social engineering attacks.
      • Remind your users to think twice before clicking on anything sent in an email.
      • Instruct users not to open unknown or unsolicited file attachments unless they specifically requested the file from the sender. View the email header or send a separate email to validate the sender before opening attachments.
      • Report suspect email to the organization's Security Operations Center. Remind your users how and where to submit suspicious email safely.
         
    • Disable macros in Microsoft Office applications. Macros can run in Office applications only if Macro Settings is set to Enable all macros or if the user manually enables a macro. Macros are disabled by default. The recommended setting is Disable all macros with notification in Macro Settings.
    • End users should back up business data to the organization's shared folders. Data residing on user devices might be permanently lost in the event of a ransomware infection.
    • Block .EXE, .RAR, .SCR, .CAB, .VBS, .BAT, .WSF, .JS, and similar attachments at the mail and web gateway.
    • Prevent PowerShell from running on systems in which PowerShell is not intended to run.
    • Ensure that there are no allow list policies that exempt .doc, .docx, .xls, .xlsx, or .js attachments from anti-spam or anti-virus scanning.
    • Install the SiteAdvisor Enterprise browser plug-in to detect spam attachments and to block access to the malicious domains.
    • Use mail and web gateway products that identify malicious links and block emails carrying such links or attachments.
    • Enable spam filtering.
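Steps 10 and 11 both recommend blocking executable and script attachments at the mail gateway, blocking archives where company policy allows, and never exempting Office documents from anti-virus scanning. The following is an added example of that policy expressed as code; it was written for this article and is not McAfee product code. The extension lists come from the article, while the verdict names ("block", "scan", "allow"), the size and nesting limits, and the sample message with its attachment names are assumptions made here. It goes beyond the article's plain extension list by looking at the final extension only (so a double-extension name such as invoice.pdf.js is still caught), by expanding ZIP-format archives when they are not blocked outright, and by flagging Office documents that carry a VBA project.

```python
"""Mail-gateway attachment policy modelled on steps 10 and 11 of the article.
Added example, not McAfee product code. Extension lists come from the article;
verdict names, limits and the sample message are assumptions made here."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Executable/script types the article says to block at the gateway.
BLOCKED_EXTENSIONS = {"exe", "rar", "scr", "cab", "vbs", "bat", "wsf", "js", "tmp"}
# Archive types the article recommends blocking where company policy allows.
ARCHIVE_EXTENSIONS = {"zip", "tar", "jar"}
# Office types the article says must never be exempted from AV scanning.
OFFICE_EXTENSIONS = {"doc", "docx", "docm", "xls", "xlsx", "xlsm"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed limit: do not expand huge members
MAX_DEPTH = 3                         # assumed limit on nested archives


def last_extension(filename):
    """Lower-cased final extension: 'invoice.pdf.js' -> 'js', 'README' -> ''.
    Windows opens a file by its final extension, so a document-looking
    prefix does not make a script attachment safe."""
    name = filename.strip().lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def _zip_has_vba_project(data):
    """OOXML files are zip containers; a vbaProject.bin member means macros."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def inspect_attachment(filename, data, block_archives=True, depth=0):
    """Return (verdict, reason); verdict is 'block', 'scan' or 'allow'."""
    ext = last_extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"blocked extension .{ext}"
    if ext in ARCHIVE_EXTENSIONS:
        if block_archives:
            return "block", f"archive .{ext} blocked by policy"
        if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
            return "scan", f"archive .{ext} not expanded; route to AV scanning"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    return "scan", f"{info.filename} too large to expand safely"
                verdict, reason = inspect_attachment(
                    info.filename, zf.read(info), block_archives, depth + 1)
                if verdict != "allow":
                    return verdict, f"{info.filename} inside {filename}: {reason}"
        return "allow", "archive members clean"
    if ext in OFFICE_EXTENSIONS:
        if zipfile.is_zipfile(io.BytesIO(data)) and _zip_has_vba_project(data):
            return "scan", "Office document carries a VBA project"
        return "scan", "Office document must not be exempted from AV scanning"
    return "allow", "no policy match"


def check_message(raw_bytes, block_archives=True):
    """Inspect every attachment of a message; the overall verdict is the most
    severe attachment verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        verdict, reason = inspect_attachment(name, data, block_archives)
        findings.append((name, verdict, reason))
    rank = {"allow": 0, "scan": 1, "block": 2}
    overall = max((f[1] for f in findings), key=rank.get, default="allow")
    return overall, findings


def build_sample_message():
    """Constructed sample (not captured traffic): a double-extension script,
    a zip hiding a screensaver executable, and a macro-enabled document."""
    def make_zip(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in members.items():
                zf.writestr(name, content)
        return buf.getvalue()

    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"// constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.js")
    msg.add_attachment(make_zip({"holiday.jpg": b"\xff\xd8", "open_me.scr": b"MZ"}),
                       maintype="application", subtype="zip", filename="photos.zip")
    msg.add_attachment(make_zip({"[Content_Types].xml": b"<Types/>",
                                 "word/vbaProject.bin": b"\xd0\xcf"}),
                       maintype="application", subtype="octet-stream",
                       filename="report.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for blocking in (True, False):
        overall, findings = check_message(build_sample_message(), block_archives=blocking)
        print(f"block_archives={blocking}: overall={overall}")
        for name, verdict, reason in findings:
            print(f"  {name:16} {verdict:6} {reason}")
```

With archives blocked (the article's recommendation) photos.zip is rejected on its extension alone; with archives permitted, the zip is expanded and rejected because of the .scr member it hides. Only ZIP-format containers (including JAR) are expanded; anything the gateway cannot open is routed to anti-virus scanning rather than allowed through.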
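Step 7 asks you to confirm control of the environment by checking what was detected in the last 24 hours before isolated systems go back online. The following is an added example of that check run over an exported threat-event report; it was written for this article and is not McAfee code. Only Event ID 1203 (on-demand scan completed) is taken from the article; the CSV column layout, the host names, the detection row's event ID and threat name, and the host inventory are constructed placeholders, and a real ePO export will have its own columns.

```python
"""Confirm-control check for step 7: every inventoried host must have completed
an on-demand scan, and nothing may have been detected, inside the last 24 hours.
Added example, not McAfee code; the export format and rows are constructed."""
import csv
import io
from datetime import datetime, timedelta

ODS_COMPLETED = "1203"       # event ID cited in step 7 (on-demand scan completed)
WINDOW = timedelta(hours=24)

# Constructed export. "DETECT" and "Ransom-Placeholder" stand in for a real
# detection event ID and threat name.
SAMPLE_EVENTS = """\
Event Received Time,Host Name,Event ID,Threat Name,Action Taken
2023-03-01 08:15:00,WS-001,1203,,
2023-03-01 09:40:00,WS-002,1203,,
2023-03-01 22:05:00,WS-002,DETECT,Ransom-Placeholder,Deleted
2023-02-27 10:00:00,WS-003,1203,,
2023-03-01 11:00:00,WS-004,1203,,
"""
# Constructed inventory of systems expected to report; WS-005 never reported.
INVENTORY = ["WS-001", "WS-002", "WS-003", "WS-004", "WS-005"]
# Constructed reference time for the sample run.
SAMPLE_NOW = datetime(2023, 3, 2, 6, 0, 0)


def parse_events(text):
    """Parse the CSV export into dicts carrying a datetime for comparison."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.strptime(row["Event Received Time"], "%Y-%m-%d %H:%M:%S"),
            "host": row["Host Name"],
            "event_id": row["Event ID"],
            "threat": row["Threat Name"],
        })
    return events


def control_status(events, inventory, now):
    """Controlled only when every inventoried host completed an ODS inside the
    window and no event in the window carries a threat name. Hosts with no
    events at all are reported as missing, not silently treated as clean."""
    since = now - WINDOW
    recent = [e for e in events if since <= e["time"] <= now]
    scanned = {e["host"] for e in recent if e["event_id"] == ODS_COMPLETED}
    detections = sorted({(e["host"], e["threat"]) for e in recent if e["threat"]})
    missing_scan = sorted(set(inventory) - scanned)
    return {
        "controlled": not detections and not missing_scan,
        "detections": detections,
        "missing_scan": missing_scan,
    }


if __name__ == "__main__":
    status = control_status(parse_events(SAMPLE_EVENTS), INVENTORY, SAMPLE_NOW)
    print("controlled:", status["controlled"])
    print("detections in window:", status["detections"])
    print("hosts without a completed ODS in window:", status["missing_scan"])
```

In the sample run the environment is not yet under control: WS-002 produced a detection inside the window, WS-003's last completed scan is older than 24 hours, and WS-005 has not reported at all. Re-running the check with a later reference time after remediation is how you decide when step 8 can begin.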