When a company suffers a ransomware attack, many victims feel that the attackers quickly deploy the ransomware and leave so they won’t get caught. Unfortunately, the reality is much different as threat actors are not so quick to give up a resource that they worked so hard to control.
Instead, ransomware attacks are conducted over time, ranging from a day to even a month, starting with a ransomware operator breaching a network.
This breach is through exposed remote desktop services, vulnerabilities in VPN software, or via remote access given by malware such as TrickBot, Dridex, and QakBot.
Once they gain access, they use tools such as Mimikatz, PowerShell Empire, PSExec, and others to gather login credentials and spread laterally throughout the network.
As they gain access to computers on the network, they use these credentials to steal unencrypted files from backup devices and servers before deploying the ransomware attack.
Once the ransomware is deployed, while their network is still compromised, they think the ransomware operators are now gone from the system.
This continued access is not uncommon when it comes to these types of attacks.
After detecting a ransomware attack, the first step a company should do is shut down their network and the computers running on it. These actions prevent the continued encryption of data and deny access to the system for the attackers.
Once this is done, a third-party cybersecurity company should be brought in to perform a full investigation of the attack and audit of all internal and public-facing devices.
This audit includes analyzing the corporate devices for persistent infections, vulnerabilities, weak passwords, and malicious tools left behind by the ransomware operators.
The larger corporate ransomware attacks almost always involve a complete compromise of a victim’s network from backup servers to Domain controllers. By having complete control of a network, Ransomware actors can easily turn off defense and deploy their ransomware.
Incident Response (IR) teams faced with such a far going intrusion need to assume that the attacker is still in the network till proven otherwise. This means first and foremost choosing a different communication channel
It is important to note is that attackers already have been ploughing around in a victim’s Active Directory so in order to flush out any remaining backdoor accounts a full AD review needs to be undertaken.
Treat ransomware attacks as data breach incidents with the hypothesis that the attackers might still be inside the network. Therefore, victims should work from the bottom-up trying to obtain forensics evidence that validates or invalidates the hypothesis.
Reimaging the devices on a compromised network is suggested, but may not be enough as the attackers likely have full access to network credentials that can be used for another attack.
Victims should potentially reinstall the machines and servers. However, they should be mindful the criminal might have already stolen the credentials. Simply reinstalling might not be enough. They would also need to change the domain passwords as the criminals might come back using such credentials.
Ultimately, it is essential to operate under the assumption that even after an attack, the attackers are likely to be still watching a victim’s movements.
This spying could not only hamper a breached network’s cleanup but could also affect negotiation tactics as the attackers read a victim’s email and stay one step ahead.