Ransomware Infection Protection
THE PLAYBOOK
Once the incident is identified, quarantine the affected device and perform the
mitigation actions aligned with the organization's best practices. In response to an
alert about suspected malware, the following workflow kicks off.
1. Get the MD5 hash and name of the suspect file and submit them to a known malware
database (like VirusTotal).
a. If the MD5 and file name match known malware, jump to step 3.
a. If the sandbox result confirms the infected file's ability to communicate
laterally or externally, jump to step 2c.
b. Jump to step 3.
d. Update the end user that their computer was infected and is under investigation.
e. Search the reputation DB for the destination IP. If the destination IP is a known
malware or threat source, update the ACL to block any future connections to this
destination.
3. Scan all the computers on the network (plus the isolated one) for the files and
processes from step 2.
4. Search the SIEM (or end systems if no SIEM is available) for other potential servers that
might have contacted or communicated with the threat source identified in 2e.
5. If additional computers are found with the files, perform steps 2c – 2d for each
infected computer.
6. Update the antivirus software's block list with the filename and MD5 to block any
future attacks.
8. Kill the malware process matched in step 3 as part of the remediation actions.
a. If no new connection is started after step 8, add the computer back to the
organization's network and update the users that they can now return to their normal
work.
1. If it is from a computer in the isolated VLAN, check which process started the
connection, kill it, and return to step 10.
2. If it is from a computer not in the isolated VLAN, move the computer to the isolated
VLAN and jump back to step 8.
11. Search the SIEM (or end systems if no SIEM is available) for the first match of the
file name and log it as the source for reporting and documentation purposes.
12. Create a list of users whose systems were affected by the malware in step 3.
Alerts that occur outside standard business operating hours (at night or on
weekends) could signal a compromised host.
These incidents are detected by perimeter network defenses such as firewalls and
IPS. You should choose Zone/Interface from "Internal" to "Internal" only. In the
future, you should also cover "Internal" to "DMZ". The source may be an insider
threat or a compromised host that needs more information about your network
(reconnaissance).
Example of a Network Scans report filtered from the "Internal" zone to the "Internal" zone
Multiple alarm events from a single host, or duplicate events across multiple
machines in the same subnet over a 24-hour period (such as repeated
authentication failures), are a common use case.
Example dashboard monitoring "User Login Failures" from single hosts
Note: some login failure events from e-mail applications on mobile phones can
generate more than 500 events/minute. I found this case when the
password of a user account had expired but the user had not changed to the new
password on their devices.
7. The system is reinfected with malware
After an infected host is cleaned, the system is reinfected with malware within 5-10
minutes; repeated reinfections signal the presence of a rootkit or persistent
compromise. This incident may be detected from Endpoint Security Protection or
antivirus events.
1. The rule alerts when it finds an infected host, then "Add To" the Current Infected
Hosts List and the Historical Infected Hosts List (stored for at least 1 week).
2. The rule alerts when malware is cleaned from an infected host, then "Remove From" the
Current Infected Hosts List.
3. The rule alerts when it finds an infected host that is in the "Historical Infected Hosts
List" within a specific time range. Those systems should be scanned and
investigated for malware again!
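As an added example (not from the original document), the three rules above implemented as a small stateful tracker over constructed endpoint-protection events; the event format, the host names and the 10-minute reinfection window are assumptions:

```python
from datetime import datetime, timedelta

# Constructed sample endpoint-protection events (not from the page): timestamp, host, action.
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:00", "WS-101", "detected"),
    ("2024-05-01 09:02:00", "WS-101", "cleaned"),
    ("2024-05-01 09:08:00", "WS-101", "detected"),  # back 6 min after cleanup: reinfection
    ("2024-05-01 09:10:00", "WS-205", "detected"),
    ("2024-05-01 09:15:00", "WS-205", "cleaned"),
    ("2024-05-09 10:00:00", "WS-205", "detected"),  # 8 days later: history expired, new infection
]

HISTORY_RETENTION = timedelta(days=7)       # page: keep the historical list at least 1 week
REINFECTION_WINDOW = timedelta(minutes=10)  # assumed: detected again within 10 min of the last hit

class InfectedHostTracker:
    def __init__(self, retention=HISTORY_RETENTION, window=REINFECTION_WINDOW):
        self.retention = retention
        self.window = window
        self.current = set()   # Current Infected Hosts List
        self.history = {}      # Historical Infected Hosts List: host -> last detection time
        self.alerts = []       # (host, timestamp, message) raised by rule 3

    def _expire_history(self, now):
        # Drop historical entries older than the retention period.
        self.history = {h: t for h, t in self.history.items() if now - t <= self.retention}

    def process(self, ts, host, action):
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        self._expire_history(now)
        if action == "detected":
            # Rule 3: host was cleaned (not in the current list) yet is in the historical
            # list within the window -> rescan and investigate for persistence.
            last_seen = self.history.get(host)
            if host not in self.current and last_seen is not None and now - last_seen <= self.window:
                self.alerts.append((host, ts, "reinfected: rescan and investigate for rootkit/persistence"))
            # Rule 1: add to the current list and record in the historical list.
            self.current.add(host)
            self.history[host] = now
        elif action == "cleaned":
            # Rule 2: remove from the current list; the historical entry is kept.
            self.current.discard(host)

def run_tracker(events):
    # Feed events in time order and return the tracker with its lists and alerts.
    tracker = InfectedHostTracker()
    for ts, host, action in events:
        tracker.process(ts, host, action)
    return tracker
```

Running `run_tracker(SAMPLE_EVENTS)` raises one rule-3 alert for WS-101; WS-205's second detection falls after its history entry expired, so it is treated as a fresh infection.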
8. Multiple logins from different regions
Example of a correlation rule; the ideal solution may vary based on your network
conditions and security policy.
This rule fires on events in the "Login" normalization category with an
Event Outcome equal to "Success" and multiple Source Geo-locations within a
specified time range, with events grouped by Source User.
Many organizations have internal DNS servers that cache records and serve
DNS to internal hosts. The DHCP configuration sets the internal DNS server as the
primary DNS server. If you find that some internal hosts query external DNS servers
such as 8.8.8.8 or 8.8.4.4 (Google DNS), you should scan those clients for
malware.
Some incidents have found an internal host sending many requests to the
internal DNS server (> 1,000 events/hour).