Upon identification of a ransomware incident, many individuals may experience some level of stress or panic. However, while minimizing business interruption by restoring data from backups or other means, other post-incident factors must be considered so organizations can take proper precautions and avoid further security compromises.

Three’s a Crowd – Having Multiple Actors in Your Environment

In rare cases, continued use of initial access brokers (IABs) by ransomware groups can lead to multiple threat actors within an environment simultaneously. IABs sometimes sell the same access to multiple actors to increase profits, leading to re-encryption of the environment or, in some cases, multi-encryption events from multiple ransomware executables. Unsurprisingly, recovery in these scenarios is extremely difficult.

Malvertising is another way multiple actors can inadvertently end up within a victim’s environment. Malvertising is a malicious attack that involves injecting code into a legitimate advertising site. Various threat actors operate campaigns where they distribute backdoored or otherwise malicious versions of commonly used information security tools like Putty and WinSCP. When a victim downloads these tools, they may give the threat actors access to the environment, leading to threats as serious as ransomware. However, some threat actors also use simple Google searches to find and download legitimate tools they abuse to facilitate their operations. In some cases, threat actors may accidentally download an application backdoored by a different threat actor, meaning two threat actors are now operational within the victim environment.

The threat of having multiple actors within any given network demonstrates the importance of proper forensic analysis and top-tier endpoint detection and response (EDR) deployment following a security incident. Whether an organization chooses to recover from backups or pay for decryption, it is imperative that incident response companies can acquire adequate logs surrounding the time of the incident to conduct their analysis. Failure to do so can lead to increased costs associated with analysis, gaps in the timeline, and in the worst-case scenario, threat actors maintaining persistence in the victim environment, leading to events such as re-encryption.

Non-Reputable Companies and Software

In the critical moments following the identification of a ransomware incident, an overwhelming number of choices must be made. Ideally, the victim organization has a detailed incident response plan, practiced it several times in mock engagements, and printed out the plan in several physical locations which can be enacted with calm and purpose during the incident to decrease frenzy surrounding decision making. Of the many decisions to be made during the incident response process, one of the most important is choosing which organizations to partner with in the legal and recovery efforts. Pre-selection of data privacy counsel specializing in these events and a digital forensic incident response company are ideal, but not typically the case.

In cases where a ransom payment is required, most organizations will enlist a third-party organization registered as a money service business (MSB) to facilitate the ransom payment.  The use of an unregistered third-party leads to higher organizational risks surrounding ransom payments, including potential regulatory action and the possibility of losing the ransom fund itself to a scam or otherwise, necessitating a second payment sum.

Additionally, when receiving a decryptor, whether from a third-party resource or a threat actor, the decryptor should be validated to ensure there are no hidden malicious functions. If a commercial decryptor is not properly vetted prior to being used to decrypt the victim’s more valuable files, it could lead to the inability to recover the files.

Conclusion

The best precaution against ancillary threats following a ransomware incident is an existing and tested incident response plan and immediate implementation of the remediation instructions provided by reputable vendors retained to respond to the incident. From increased security to financial risks, an organization’s choices following an incident can have a lasting impact on their ability to recover successfully.

For more information visit Arete’s Advisory Services

Sources

• Arete CTI Team

• Ongoing Malvertising Campaign leads to Ransomware

• Ransomware gang targets Windows admins via PuTTy, WinSCP malvertising