This Incident Response Cheat Sheet is for performing live analysis on a system you suspect is infected with ransomware. It is important to follow through each step in sequence as you handle an incident.
Step 1: Preparation
- Ensure that endpoints are receiving and installing automatic updates for the operating system, major software components, and anti-virus/anti-malware software.
- Have a recent backup of the critical files on user endpoints as well as networked file-shares that the user may have attached to their system.
- Ransomware is often first detected by end-users. Raise awareness about ransomware and about reporting ransomware/malware incidents to departmental IT staff or the DIT Security Operations Center at soc@umd.edu.
Step 2: Identification
Typical signs of Ransomware
- A ransom message being displayed that states the user's files have been encrypted and asks for a payment (often in cryptocurrency such as Bitcoin) to recover the files.
- Users reporting that their files (on local disk and/or on a network share) are not accessible, are corrupted, or have been replaced with versions with odd file extensions (.xyz, .abc, .aaa, etc.).
- Numerous files being modified in a short period of time.
- High CPU usage on the infected computer.
- Users reporting that they are receiving odd, professional-looking emails (often claiming to be invoices) with attachments that don't load properly.
Host-based identification
- Look for ransomware messages on the system.
- Look for unusual file extensions on the system/file shares (.xyz, .abc, .aaa, etc.).
- Look for unusual executable files in user profiles (%ALLUSERSPROFILE% or %APPDATA%) and in the root of %SystemDrive%.
- Look for unusual processes running.
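The four host-based checks above can be scripted so the first responder gets a consistent picture in minutes. The following PowerShell triage script is an added example, not part of the original cheat sheet; the look-back window, the suspect-extension list (seeded from the extensions named on this page), the ransom-note name patterns and the choice of user-writable directories are all assumptions that should be adjusted to what is seen on the host.

```powershell
# Added example (not part of the original cheat sheet): Windows host triage for the
# host-based identification checks. Run from an elevated PowerShell prompt on the suspect host.
# $LookbackMinutes, $SuspectExtensions, the note-name regex and $UserWritable are assumptions.

$LookbackMinutes   = 60
$SuspectExtensions = @('.xyz', '.abc', '.aaa')      # extensions named on this page; extend as needed
$Since             = (Get-Date).AddMinutes(-$LookbackMinutes)
$UserWritable      = @($env:ALLUSERSPROFILE, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
                        Where-Object { $_ -and (Test-Path $_) }

# 1. Files modified recently, grouped by extension. A burst of writes to one odd extension is the
#    "numerous files modified in a short period" sign. Add mapped drives (e.g. 'X:\') to cover shares.
$ScanRoots = @("$env:SystemDrive\Users")
$Recent = Get-ChildItem -Path $ScanRoots -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since }

"`n== Files modified in the last $LookbackMinutes minutes, by extension =="
$Recent | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object -Property Count, Name -First 15 | Format-Table -AutoSize

"`n== Files carrying a suspect extension =="
$Recent | Where-Object { $SuspectExtensions -contains $_.Extension.ToLower() } |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# 2. Ransom messages: notes are typically small text/HTML/HTA files dropped next to the encrypted
#    data; the name pattern below is an illustrative assumption, not a definitive list.
"`n== Possible ransom notes =="
$Recent | Where-Object { $_.Name -match 'decrypt|readme|how_to|restore|recover' -and
                         $_.Extension -in '.txt', '.html', '.hta' } |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# 3. Executables in user profile locations (%ALLUSERSPROFILE%, %APPDATA%) and the root of %SystemDrive%.
"`n== Executables in user-writable profile locations and the drive root =="
$Exes = @(Get-ChildItem -Path $UserWritable -Recurse -Force -Include *.exe, *.dll, *.scr, *.ps1, *.vbs, *.js `
            -ErrorAction SilentlyContinue) +
        @(Get-ChildItem -Path "$env:SystemDrive\*" -File -Force -Include *.exe, *.dll -ErrorAction SilentlyContinue)
$Exes | Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

# 4. Running processes whose image lives in one of those user-writable paths. Legitimate software
#    sometimes runs from %LOCALAPPDATA% too, so compare against the file list above before acting.
"`n== Processes running from user-writable paths =="
Get-Process | Where-Object Path | ForEach-Object {
    $proc = $_
    if ($UserWritable | Where-Object { $proc.Path -like "$_\*" }) { $proc }
} | Select-Object Id, ProcessName, Path, StartTime | Format-Table -AutoSize
```

Save the output (for example by piping the whole script through Out-File) before containment changes the host, since the file list and process list are what the SOC will ask for.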
Step 3: Containment
- Disconnect all computers that have been identified as infected with ransomware from the network.
- If you cannot disconnect the computer, disconnect the networked file shares with:
- C:\> net use X: \\fileshare\path /delete
- Replace "X:" and "\\fileshare\path" with the actual drive letter and file server location (run `net use` with no arguments to list the current mappings).
- Contact the DIT Security Operations Center (soc@umd.edu; 301-226-4225) with the IP address of the system that has been infected so the SOC can review network traffic and block access to the ransomware command and control server.
- Coordinate with the DIT Security Operations Center to obtain a copy of the ransomware executable so we can share with our anti-virus provider.
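The containment steps above can be carried out from one PowerShell session, which also records the IP addresses and active connections the SOC asks for before the host is cut off. This script is an added example and not part of the original cheat sheet; the report file location is an assumption, and the adapter-disable step at the end is only for hosts that cannot be physically unplugged.

```powershell
# Added example (not part of the original cheat sheet): containment for a Windows host.
# Share mappings are per-user, so run as the logged-on user; disabling adapters needs an elevated prompt.
# $Report (the output file path) is an assumption.

# 0. Record what the SOC needs (IP addresses, established connections) BEFORE cutting the network,
#    so the SOC can review this host's traffic and block the command-and-control server.
$Report = "$env:USERPROFILE\Desktop\ransomware-containment-$(Get-Date -Format yyyyMMdd-HHmmss).txt"
"Host: $env:COMPUTERNAME  User: $env:USERNAME  Time: $(Get-Date -Format o)" | Out-File -FilePath $Report
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object InterfaceAlias, IPAddress | Format-Table -AutoSize | Out-File -FilePath $Report -Append
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize | Out-File -FilePath $Report -Append

# 1. Disconnect every mapped network drive: the page's "net use X: \\fileshare\path /delete",
#    applied to all mappings. /y answers the "open files" prompt so the mapping is dropped regardless,
#    which is what removes the ransomware's write access to the share.
Get-SmbMapping -ErrorAction SilentlyContinue | ForEach-Object {
    $msg = "Disconnecting $($_.LocalPath) -> $($_.RemotePath)"
    Write-Output $msg
    Add-Content -Path $Report -Value $msg
    $drive = $_.LocalPath
    net use $drive /delete /y | Out-Null
}
# Record whatever connections remain (UNC connections without a drive letter show up here too).
net use | Out-File -FilePath $Report -Append

# 2. If the host cannot be physically disconnected, take every adapter down (elevated prompt required).
#    Re-enable later with: Enable-NetAdapter -Name '*'
Disable-NetAdapter -Name '*' -Confirm:$false

"Containment record written to $Report - send its contents to soc@umd.edu (301-226-4225)"
```

Copy the report file to removable media rather than a network share, since the shares are what the script just disconnected.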
Step 4: Eradication
- Reformat the hard drive and reimage the computer. If the computer has been infected and all user files have been encrypted, then the only resolution is to reformat the hard drive, reimage the system, and restore critical files from backup.
- Install all operating system patches and turn on automatic updates.
Step 5: Recovery
- Validate that the restored system is back to a normal state.
- Verify that all operating system patches are installed and that automatic updates are turned on.
- Reinstall all needed software and verify that it is up to date and that automatic updates are turned on where possible.
- Install anti-virus software, update the anti-virus signatures and perform a full scan.
- Locate the most recent clean backup of the system and use that to restore the user's files.
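The patch, automatic-update and anti-virus checks in Step 4 and Step 5 are easy to skip under time pressure, so it helps to run them as one script before the host is returned to the user. The following is an added example and not part of the original cheat sheet; it assumes a Windows host using Windows Defender, and the age thresholds and the accepted AUOptions value are assumptions to be adjusted to departmental policy.

```powershell
# Added example (not part of the original cheat sheet): post-reimage verification for Steps 4 and 5
# on a Windows host running Windows Defender. $MaxPatchAgeDays, $MaxSigAgeDays and the accepted
# AUOptions value (4 = download and install automatically) are assumptions. Run elevated.

$MaxPatchAgeDays = 30
$MaxSigAgeDays   = 3
$Findings        = @()

# 1. Patches: the newest hotfix should be recent, and the Windows Update service must not be disabled.
$LastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
"Most recent patch: $($LastPatch.HotFixID) installed $($LastPatch.InstalledOn)"
if (-not $LastPatch -or $LastPatch.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $Findings += "No patch installed in the last $MaxPatchAgeDays days - run Windows Update before returning the host"
}
$Wu = Get-Service -Name wuauserv
if ($Wu.StartType -eq 'Disabled') { $Findings += "Windows Update service (wuauserv) is disabled" }

# 2. Automatic updates: the policy key below is where a GPO or a local admin turns them off.
#    NoAutoUpdate=1 disables them; AUOptions=4 means download and install automatically.
$AU = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($AU -and $AU.NoAutoUpdate -eq 1) { $Findings += "Automatic updates are disabled by policy (NoAutoUpdate=1)" }
if ($AU -and $AU.AUOptions -and $AU.AUOptions -ne 4) {
    $Findings += "AUOptions=$($AU.AUOptions): updates are not set to install automatically"
}

# 3. Anti-virus: engine on, real-time protection on, signatures fresh.
$Mp = Get-MpComputerStatus
"Defender enabled: $($Mp.AntivirusEnabled)  Real-time: $($Mp.RealTimeProtectionEnabled)  Signature age (days): $($Mp.AntivirusSignatureAge)"
if (-not $Mp.AntivirusEnabled)                    { $Findings += "Anti-virus engine is not enabled" }
if (-not $Mp.RealTimeProtectionEnabled)           { $Findings += "Real-time protection is off" }
if ($Mp.AntivirusSignatureAge -gt $MaxSigAgeDays) { $Findings += "Signatures are $($Mp.AntivirusSignatureAge) days old" }

# 4. Summary: an empty findings list is the "back to a normal state" check the recovery step asks for.
if ($Findings.Count -eq 0) { "PASS: host meets the patch, auto-update and anti-virus checks" }
else { "FAIL:"; $Findings | ForEach-Object { " - $_" } }

# 5. Finally, update signatures and run the full scan the recovery step requires.
#    Start-MpScan blocks until the scan finishes, which can take a long time on a large disk.
Update-MpSignature
Start-MpScan -ScanType FullScan
```

Any FAIL line should be resolved and the script re-run before the user's files are restored from backup, so that a clean restore is not immediately re-exposed.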
Step 6: Lessons learned
A report should be written and made available discussing the following themes:
- How was this initially detected?
- Timeline of important events of the incident
- Actions taken (most importantly during containment, eradication, and recovery)
- What went right?
- What went wrong?
- Incident cost to the department
Ensure that all parties involved in the incident handling process agree to what is written in the report. If someone strongly disagrees, they should write their own report to document the incident from their point of view.
The report(s) should be reviewed by the team and potentially upper management and discussed in a meeting held within two weeks of resuming production.