How to Automate a Ransomware Response in 5 Steps

by Dan Kaplan on October 14, 2020

As if organizations are not under enough pressure from ransomware purveyors, Check Point estimates that ransomware attacks have roughly doubled in the United States over the past three months, due in part to the shift to remote working which has increased phishing opportunities and exposed new gaps in corporate IT infrastructure. And the situation has become even more distressing with the U.S. government now threatening fines to victims who pay the cyber extortionists’ demands.

Ransomware attackers, whose ranks may be growing as more people flock to a lifestyle of online crime due to poor economic conditions brought on by the pandemic, are also adding an extra wrinkle to their heists. It involves threatening to expose sensitive information belonging to the victim if they refuse to pony up the ransom money.

Best practices like avoiding clicking on malicious links or attachments, patching vulnerabilities and having backups in place are essential controls. But with the surge in numbers and attacks demonstrating greater sophistication, you will also want to have a ransomware response plan in place, much of which can be streamlined so that you delegate manual and time-consuming steps to technology while reserving your human capital for decision making and resolution. Automating your response also helps to limit spread across your network and allows you to remove infected systems as quickly as possible before more files and data become encrypted and potentially lost.

Here are the rough steps that an automated ransomware playbook, as part of a security orchestration, automation and response (SOAR) platform, will cover.

Sponsorships Available

Download our free top security playbooks template to equip you with workflows for responding to common threats

1) Identify and Verify

The beauty of practicing security in 2020 is that there are many advanced tools available to help detect even the most under-the-radar attacks, allowing your security operations team to be flagged as quickly as possible of a potential incident in progress. The downside is that the level of alerts has increased to a point where it is impossible for teams to manually address every single one to determine its legitimacy. Fortunately (in the most ironic way possible), it will be quite apparent when a ransomware infection has taken hold on your network. The source of the ransomware infection, from phishing emails to RDP/VPN compromises, may also spring alerts whose indicators and details can be automatically parsed out for further investigation.

2) Triage and Contextualize

Once a ransomware alert has been triggered, automation will kickstart the response process, first by enriching the alert with telemetry and threat intelligence data to supply analysts with the necessary information and contextual relationships about the threat and affected endpoint (is this alert stemming from an actual event? What is the source of this alert? Has this been through our system before?). An automated workflow can also search third-party intelligence sources for information on the ransomware and its associated variants to determine the severity and impact of the specific threat at hand.

3) Investigate and Prioritize

Once this ransomware case is flagged as critical based on past similar investigation results and machine learning algorithms, you can automate additional investigation. This includes obtaining additional visibility around what actions the endpoint and user took to provide a fuller picture of the attack. If the case requires prioritization, case management functionality as part of the automated workflow can assign and provide Tier 2 and 3 analysts with asset data and any new information gathered about the malware type/family and the potential impact on the victim and overall business.

4) Respond and Resolve

Now that you have determined response is urgently needed, you can automate many steps that allow you to take a series of rapid actions. Cases that are escalated in this way are addressed in different ways, depending on what the specific situation requires. For a ransomware event, this likely means opening tickets, notifying general IT and security teams, isolating the infected host to prevent additional network spread, creating backups and beginning the reimaging process. Of course, response actions may be complicated by work-from-home and quarantine, so you will want to ensure a process is in place for reaching and restoring infected devices that are not on site.

5) Close the Loop

Once you’ve finally resolved a ransomware incident – and your blood pressure has returned to normal – you will want to determine lessons learned while building a closed loop. This will help you drive continuous improvement; after all, this likely will not be your last ransomware incident. An automated playbook, for example, can update your threat intelligence feeds or tweak processes based on what worked and didn’t work during the identification and response process.

What Else Can You Do?

While automation will present a reliable and predictable blueprint for alert handling, nothing delivers confidence quite like a cohesive and well-trained team. Tabletop exercises are a viable way to practice ransomware incident scenarios, especially during COVID-19, which has likely introduced newfound complications to the response, recovery and restoration process, including something as critical as the ability to travel to an infected site.

Finally, while not part of an automated playbook per se, crisis management can help you consolidate and streamline cross-functional responsibilities, actions and messaging into a single view, key organizational stakeholders to remain in consistent communication regarding the incident, something which will be vital if a ransomware negotiation is occurring. (The on-demand webinar below discusses everything you need to know about the ransomware negotiation process.)