Ransomware has been one of the most common threats of the last few years. You might have heard of the following high-profile breaches in which ransomware was involved.
Colonial Pipeline Company
American oil pipeline operator Colonial Pipeline Company suffered a major ransomware attack in May 2021. The attack hit the IT systems of the company, which runs the pipeline originating in Houston, Texas, and the resulting shutdown disrupted fuel supply to most of the US East Coast for days.
Although only its IT systems were affected, Colonial Pipeline shut down its entire pipeline operation as a precaution against further harm. In coordination with the FBI, the company paid the $4.4 million in bitcoin demanded by the attackers.
According to the FBI, the attack was carried out by the DarkSide group. A month after the payment, the Department of Justice announced that the FBI had seized a portion of the ransom, having obtained the private key to the bitcoin wallet that held it.
Acer
Taiwanese computer maker Acer was hit by a REvil ransomware attack in March 2021. The attackers demanded a whopping $50 million. As proof that they had breached Acer's security and stolen data, they published images of the stolen files, including financial spreadsheets, bank communications, and bank balances.
According to media reports, the group gained access to Acer's network through a Microsoft Exchange Server vulnerability, the same one that had earlier been used to compromise the email systems of around 30,000 US government and commercial organisations.
Kia Motors
Kia Motors, a subsidiary of Hyundai, suffered a ransomware attack in February 2021. The DoppelPaymer gang reportedly demanded $20 million for a decryptor and for not leaking the stolen data. According to Kia Motors, the subsequent 'IT outage' affected the UVO Link mobile apps, payment systems, the owner's portal, phone services, and internal sites used by Kia Motors America.
Automating Ransomware Response
Securaa provides content for automating ransomware response. It is triggered when an EPP/EDR system detects ransomware. Incident responders can use the ransomware playbook to assess the impact of the incident, collect the data needed for the investigation, and contain the threat before it spreads further.
The automation involves the following steps.
- Collect alerts from the EDR/EPP.
- Check whether the alert category is ransomware; if it is not, stop here so that a non-ransomware alert does not trigger containment.
- Isolate the endpoint.
- Fetch the user's details from Active Directory.
- Disable the user ID in AD.
- Fetch the email address of the user's manager.
- Send the manager a notification with the alert details and the AD account status.
- Fetch the ransomware binary from the EPP product.
- Upload the binary to a secure FTP (SFTP) server and fetch the upload link.
- Email the upload link (not the binary itself) to the EPP vendor for signature creation.
- Send the binary to the malware sandbox for detonation.
- Download the sandbox report and email it to the IR team for further analysis.
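The playbook above, implemented as a small Python runner. This is an added example and is not Securaa's playbook content; the EDR, Active Directory, SFTP, sandbox and mail connectors are in-memory stand-ins (constructed so the code runs offline), and the alert fields, the ransomware category list and the mailbox addresses are assumptions. The runner keeps the article's ordering (containment before account actions, sample handling last) and adds two checks a practitioner would want: the category gate stops the playbook for non-ransomware alerts, and the fetched binary's SHA-256 is compared with the hash in the alert before anything is shipped to the vendor or the sandbox.

```python
import hashlib
from dataclasses import dataclass

# Constructed taxonomy: EPP/EDR products label ransomware alerts differently,
# so the category check normalises against a small allow-list.
RANSOMWARE_CATEGORIES = {"ransomware", "ransom", "t1486"}


@dataclass
class Alert:  # assumed alert shape, normalised from the EDR/EPP
    alert_id: str
    category: str
    hostname: str
    username: str
    sha256: str  # hash of the suspected ransomware binary, as reported by the EDR


# In-memory stand-ins for the connectors (constructed; a deployment swaps these
# for real EDR / AD / SFTP / sandbox / mail API clients).
class FakeEDR:
    def __init__(self, binaries):
        self.binaries = binaries  # sha256 -> bytes
        self.isolated = set()

    def isolate(self, hostname):
        self.isolated.add(hostname)
        return True

    def fetch_binary(self, sha256):
        return self.binaries.get(sha256)


class FakeAD:
    def __init__(self, users):
        self.users = users  # username -> {"manager": email, "enabled": bool}

    def get_user(self, username):
        return self.users[username]

    def disable(self, username):
        self.users[username]["enabled"] = False


class FakeSFTP:
    def __init__(self):
        self.files = {}

    def upload(self, name, data):
        self.files[name] = data
        return f"sftp://malware-share.example/{name}"


class FakeSandbox:
    def detonate(self, data):
        # A real sandbox returns behavioural indicators; the fake keys on a marker string.
        return {"verdict": "malicious" if b"ENCRYPT" in data else "benign", "size": len(data)}


class FakeMailer:
    def __init__(self):
        self.sent = []

    def send(self, to, subject, body):
        self.sent.append((to, subject, body))


def is_ransomware(alert):
    return alert.category.strip().lower() in RANSOMWARE_CATEGORIES


def run_playbook(alert, edr, ad, sftp, sandbox, mailer,
                 vendor_email="signatures@epp-vendor.example", ir_email="ir@corp.example"):
    """Run the response steps in order; every outcome is recorded in the returned log."""
    log = []
    if not is_ransomware(alert):  # gate: never isolate on a non-ransomware alert
        log.append(f"{alert.alert_id}: category '{alert.category}' is not ransomware, no action")
        return {"status": "skipped", "log": log}
    # Containment first: cut the host off before it can reach file shares.
    if not edr.isolate(alert.hostname):
        log.append(f"{alert.alert_id}: isolation of {alert.hostname} failed, escalate manually")
        return {"status": "containment_failed", "log": log}
    log.append(f"isolated {alert.hostname}")
    user = ad.get_user(alert.username)
    ad.disable(alert.username)
    log.append(f"disabled AD account {alert.username}")
    mailer.send(user["manager"], f"Ransomware alert {alert.alert_id}",
                f"Host {alert.hostname} isolated; account {alert.username} disabled.")
    binary = edr.fetch_binary(alert.sha256)
    if binary is None:
        log.append("binary not available from EPP, skipping sample handling")
        return {"status": "contained_no_sample", "log": log}
    digest = hashlib.sha256(binary).hexdigest()
    if digest != alert.sha256:  # guard against shipping the wrong file
        log.append(f"hash mismatch: alert {alert.sha256} vs fetched {digest}")
        return {"status": "contained_sample_mismatch", "log": log}
    link = sftp.upload(f"{digest}.bin", binary)  # share a link, never attach the sample
    mailer.send(vendor_email, f"Signature request {digest}", f"Sample: {link}")
    report = sandbox.detonate(binary)
    mailer.send(ir_email, f"Sandbox report {alert.alert_id}", str(report))
    log.append(f"sandbox verdict {report['verdict']}")
    return {"status": "contained", "log": log, "sha256": digest, "upload_link": link, "report": report}


def demo():
    """Constructed environment and alert; returns the result and the connectors for inspection."""
    sample = b"MZ...ENCRYPT-ALL-THE-THINGS"  # fake binary, not a real sample
    sha = hashlib.sha256(sample).hexdigest()
    edr = FakeEDR({sha: sample})
    ad = FakeAD({"jdoe": {"manager": "manager@corp.example", "enabled": True}})
    sftp, sandbox, mailer = FakeSFTP(), FakeSandbox(), FakeMailer()
    alert = Alert("A-1001", "Ransomware", "WS-0042", "jdoe", sha)
    return run_playbook(alert, edr, ad, sftp, sandbox, mailer), edr, ad, mailer
```

One caveat when wiring this to a real directory: disabling the account in AD does not end sessions the user already has, since existing Kerberos tickets stay valid until they expire, so a real playbook usually also forces a password reset or terminates the sessions on the isolated host.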
Please note that this approach is just one way of handling this threat category; there can be several, depending on the organization's security policies.