The document is intended to be a guide for organizations faced with a ransomware infection. This guide is split into several sections, with the most critical and time-sensitive being in the initial response section.
If you are currently experiencing a ransomware incident, it is highly recommended you immediately review the containment section below, and return to this section at a later time for an overall background of ransomware.
Why Read This Report ?
- Incident Lifecycle
- Preparation, Detection, Analysis
- Containment
- Eradication, Recovery
- Post Incident Activity
When a computer is infected with ransomware, the malware typically generates a very small amount of external network traffic. Upon infection, most versions/variants of ransomware utilize a Domain Generation Algorithm (DGA) to randomize the DNS request that it makes to the command & control (C&C) server. This makes blacklisting the known domains much harder since the malware will use the DGA to generate thousands of randomized domain names, where one may be a legitimate domain used to connect to the C&C server. This initial contact with the C&C server is to enroll the computer with the C&C server and to obtain the public encryption key(s) it then uses to encrypt all the user’s files. Therefore, a memory dump or network traffic capture will do very little to help gain the necessary information to restore the files since the private key that is needed to decrypt the files never exists on the victim computer. In the case of SamSam, there is no key-exchange as the public key (used to encrypt files) is included in the deployed package. However, as SamSam is introduced via traditional hacking activities, other indicators of compromise should be visible and acted upon.
Comments