Ransomware: Develop and Test your Response Strategy Using Simulation

In this blog I want to take a look at Simulating a Ransomware Attack and how you would go about developing and testing a Response Strategy. I’ve already covered the basics of a Ransomware attack in this blog article: https://elasticito.com/ransomware-do-you-have-a-tried-and-tested-strategy-in-place/

The object of this exercise is twofold:

  1. Maintain business continuity – or in other words a ransomware attack should have little to no disruption to business;
  2. Contain and eliminate the attack quickly with minimal effort;

Throughout this blog I am going to focus on behaviour rather than specific IoCs. Please also note that the information provided here is a high-level guide rather than an exhaustive task list, and it is focused on the endpoint only. In a future blog post I will cover network security controls. While User Awareness Training is recommended, it hasn’t been included as part of validating security controls.

I have divided the simulations up into the three major MITRE Techniques for a Ransomware Attack. I have not included Remote Desktop Protocol (Exploit Public-Facing Application – T1190) as this can be resolved by closing the RDP Port and making use of numerous more secure solutions that are on offer.

Spear Phishing Attachment (T1566.001)

Let us begin by examining the MITRE ATT&CK Initial Access technique Spear Phishing Attachment (T1566.001). For this type of Ransomware to trigger, the email containing the attachment first needs to enter the organisation, then someone needs to click on the attachment, which then needs to execute.

Once triggered it has the potential to encrypt data, application and operating system files on the local machine, along with any files it can access via network shares. In addition, it could use worm-like behaviour to replicate via the network or via email.

Mitigation:

  1. Add an inbound content rule to block all executable files;
  2. Do not allow any apps or executables besides the standard build to run on the local machine. This can be accomplished in multiple ways depending on whether the machine is Windows or Mac. As examples:
    1. Enable Controlled Folder Access in Windows Security App or in Microsoft Endpoint Configuration Manager
    2. System Preferences: Allow apps downloaded from App Store

Simulation (Protect, Detect, Respond):

  1. Use a Breach and Attack Simulation solution or similar to verify that the inbound content rule works and that a corresponding event is created which notifies the SOC and or triggers an automated SOAR playbook;
  2. Use a Breach and Attack Simulation solution or similar to verify that foreign apps / executables cannot run on the local machine and that a corresponding event is created which notifies the SOC and or triggers an automated SOAR playbook;
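
As an added example (not code from the original post), the Controlled Folder Access item in the mitigation list above can be applied and then verified with the Microsoft Defender PowerShell cmdlets: the first function turns the control on and registers extra folders, the second reads the effective state back, the third performs a harmless canary write into a protected folder, and the fourth pulls the block/audit events (IDs 1123 and 1124 in the Defender operational log) that the SOC notification or SOAR playbook in simulation step 2 should be keyed on. The folder paths, the lookback window, and the assumption that the script host is not on the allowed-apps list are mine; the event data field names are as documented for these events and the raw message is kept as a fallback. The same check covers the identical Controlled Folder Access items in the later sections.

```powershell
# Added example, not from the original post: apply Controlled Folder Access (CFA)
# with the Microsoft Defender cmdlets and verify both the setting and the events it
# raises. Run from an elevated PowerShell session on a Windows endpoint running
# Microsoft Defender Antivirus. Folder paths and time windows are placeholders.

# Protect: enable CFA and add the folders ransomware would go after first.
function Enable-CfaProtection {
    param(
        # Assumed extra folders on top of the Windows defaults (Documents, Pictures, ...).
        [string[]] $ExtraFolders = @('C:\Data', 'C:\Users\Public\Shares'),
        # Use 'AuditMode' on a pilot group first to collect events without enforcing.
        [ValidateSet('Enabled', 'AuditMode')] [string] $Mode = 'Enabled'
    )
    Set-MpPreference -EnableControlledFolderAccess $Mode
    foreach ($folder in $ExtraFolders) {
        if (Test-Path -LiteralPath $folder) {
            Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
        }
    }
}

# Read the effective state back; Get-MpPreference reports the mode as a number.
function Get-CfaState {
    $modes    = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    $pref     = Get-MpPreference
    $code     = [int]$pref.EnableControlledFolderAccess
    $modeName = if ($modes.ContainsKey($code)) { $modes[$code] } else { "Other($code)" }
    [pscustomobject]@{
        Mode             = $modeName
        ProtectedFolders = @($pref.ControlledFolderAccessProtectedFolders)
        AllowedApps      = @($pref.ControlledFolderAccessAllowedApplications)
    }
}

# Simulate: try to create a harmless canary file in a protected folder from this
# script host. Whether powershell.exe is blocked depends on the allowed-apps list
# (assumption: it is not listed), so a successful write is a finding to investigate,
# not a pass.
function Test-CfaCanary {
    param([string] $Folder = [Environment]::GetFolderPath('MyDocuments'))
    $canary = Join-Path $Folder ('cfa-canary-{0}.txt' -f (Get-Date -Format 'yyyyMMddHHmmss'))
    try {
        Set-Content -LiteralPath $canary -Value 'CFA simulation canary' -ErrorAction Stop
        Remove-Item -LiteralPath $canary -ErrorAction SilentlyContinue
        [pscustomobject]@{ Path = $canary; Blocked = $false; Reason = 'write succeeded' }
    } catch {
        [pscustomobject]@{ Path = $canary; Blocked = $true; Reason = $_.Exception.Message }
    }
}

# Detect: pull the CFA events the SOC alert / SOAR playbook should key on.
# 1123 = write blocked, 1124 = write audited (would have been blocked in Enabled mode).
function Get-CfaEvents {
    param([int] $LookbackMinutes = 60)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            User    = $data['User']          # field names as documented for these events;
            Process = $data['Process Name']  # use Message as the fallback if your build differs
            Target  = $data['Path']
            Message = $_.Message
        }
    }
}

# Usage: apply, read back, simulate, then confirm the event trail exists.
Enable-CfaProtection
Get-CfaState
Test-CfaCanary
Get-CfaEvents -LookbackMinutes 15 | Format-Table Time, Id, User, Process, Target -AutoSize
```

The point of keeping the canary and the event query separate is that "Protect" and "Detect" fail independently: a blocked write with no 1123 event means the SOC would never hear about a real attempt, and an event with no block means the endpoint is still in audit mode.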

Other:

Should a Ransomware incident occur, and you want to lock down your environment while you establish the details regarding the incident you might want to have the following tried and tested in advance:

  1. Add an inbound content rule to block all file attachments and simulate to verify;
  2. Add an internal content rule to block all file attachments and simulate to verify;
  3. Add an outbound content rule to block all file attachments and simulate to verify;

The above will ensure that mail can continue to flow enabling business continuity and communication even with decreased functionality.

Spear Phishing Link (T1566.002)

Next up is the MITRE ATT&CK Initial Access technique Spear Phishing Link (T1566.002). For this type of Ransomware to trigger, the email containing a link first needs to enter the organisation, then someone needs to be persuaded to click on the link.

A malicious application will now be downloaded and executed.

Once triggered it has the potential to encrypt data, application and operating system files on the local machine, along with any files it can access via network shares. In addition, it could use worm-like behaviour to replicate via the network or via email.

Mitigation:

  1. Add an inbound content rule to re-write or remove all links in emails and attachments or similar depending on the functionality available in the Secure Email Gateway (SEG);
  2. Do not allow any apps or executables besides the standard build to run on the local machine. This can be accomplished in multiple ways depending on whether the machine is Windows or Mac. As examples:
    1. Enable Controlled Folder Access in Windows Security App or in Microsoft Endpoint Configuration Manager;
    2. System Preferences: Allow apps downloaded from App Store;
  3. Make use of a whitelist Secure Web Gateway (SWG) solution that only allows connections to known good destinations and is also able to filter malicious content.

Simulation (Protect, Detect, Respond):

  1. Use a Breach and Attack Simulation solution or similar to verify that the inbound content rule works and that a corresponding event is created which notifies the SOC and or triggers an automated SOAR playbook;
  2. Use a Breach and Attack Simulation solution or similar to verify that foreign apps / executables cannot run on the local machine and that a corresponding event is created which notifies the SOC and or triggers an automated SOAR playbook;
  3. Use a Breach and Attack Simulation solution or similar to verify that the SWG solution only allows connections to known good destinations and filters malicious content.

Other:

Should a Ransomware incident occur, and you want to lock down your environment while you establish the details regarding the incident you might want to have the following tried and tested in advance:

  1. Add an inbound content rule to re-write or remove all links in emails and attachments and simulate to verify;
  2. Add an internal content rule to re-write or remove all links in emails and attachments and simulate to verify;
  3. Add an outbound content rule to re-write or remove all links in emails and attachments and simulate to verify;
  4. Block any type of file download via the SWG.

The above will ensure that mail can continue to flow and that it is still possible to browse, enabling business continuity and communication even with decreased functionality.

Replication Through Removable Media (T1091)

Threat Actors may gain access to local machines, possibly those on disconnected or air-gapped networks, by copying Ransomware to removable media and taking advantage of Autorun features, so that the Ransomware executes when the media is inserted into a system.

Once triggered it has the potential to encrypt data, application and operating system files on the local machine, along with any files it can access via network shares. In addition, it could use worm-like behaviour to replicate via the network or via email.

Mitigation:

  1. Add a Group Policy that disables the use of Removable Media;
  2. Do not allow any apps or executables besides the standard build to run on the local machine. This can be accomplished in multiple ways depending on whether the machine is Windows or Mac. As examples:
    1. Enable Controlled Folder Access in Windows Security App or in Microsoft Endpoint Configuration Manager
    2. System Preferences: Allow apps downloaded from App Store

Simulation (Protect, Detect, Respond):

  1. Test that it is not possible to make use of removable media across a selection of endpoints.
  2. Use a Breach and Attack Simulation solution or similar to verify that foreign apps / executables cannot run on the local machine and that a corresponding event is created which notifies the SOC and or triggers an automated SOAR playbook;
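
As an added example (not code from the original post), simulation step 1 above can be carried out across a selection of endpoints with a single remoting script: it reads back the registry value that the "All Removable Storage classes: Deny all access" Group Policy sets, then checks whether any currently attached USB disk with a drive letter can actually be read, and reports which endpoints are compliant or did not answer. The computer names are placeholders and the script assumes WinRM is enabled and the caller has local administrator rights on the targets.

```powershell
# Added example, not from the original post: confirm across several endpoints that
# the removable media Group Policy is applied and that USB-attached disks cannot be
# read. Computer names are placeholders; requires WinRM and admin rights on targets.

$Endpoints = @('WKS-001', 'WKS-002', 'LAPTOP-007')   # placeholder names

$check = {
    # Value written by "Removable Storage Access > All Removable Storage classes: Deny all access".
    $key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $denyAll = (Get-ItemProperty -Path $key -Name Deny_All -ErrorAction SilentlyContinue).Deny_All

    # If a USB disk happens to be inserted, its volumes must be unreadable for the
    # policy to count as effective; with no media present the read check is vacuous.
    $usbDisks = @(Get-Disk -ErrorAction SilentlyContinue | Where-Object { $_.BusType -eq 'USB' })
    $readable = 0
    foreach ($disk in $usbDisks) {
        $parts = Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
                 Where-Object { $_.DriveLetter -match '[A-Z]' }
        foreach ($part in $parts) {
            try {
                Get-ChildItem -LiteralPath "$($part.DriveLetter):\" -ErrorAction Stop | Out-Null
                $readable++      # read succeeded: the policy is not biting on this volume
            } catch { }          # access denied is the expected, compliant outcome
        }
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        PolicySet    = ($denyAll -eq 1)
        UsbDisks     = $usbDisks.Count
        UsbReadable  = $readable
        Compliant    = ($denyAll -eq 1 -and $readable -eq 0)
    }
}

$results = Invoke-Command -ComputerName $Endpoints -ScriptBlock $check -ErrorAction SilentlyContinue
$results | Select-Object Computer, PolicySet, UsbDisks, UsbReadable, Compliant | Format-Table -AutoSize

# Endpoints that did not answer are unknowns, not passes; follow them up separately.
$missing = $Endpoints | Where-Object { $_ -notin @($results.Computer) }
if ($missing) { Write-Warning "No response from: $($missing -join ', ')" }
```

Run it with a known test USB stick inserted into one or two of the sampled machines so that the UsbReadable column actually exercises the control rather than only confirming the registry value is present.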

Other:

Should a Ransomware incident occur, and you want to lock down your environment while you establish the details regarding the incident you might want to have the following tried and tested in advance:

  1. Add an inbound content rule to block all file attachments and simulate to verify;
  2. Add an internal content rule to block all file attachments and simulate to verify;
  3. Add an outbound content rule to block all file attachments and simulate to verify;

The above will ensure that mail can continue to flow enabling business continuity and communication even with decreased functionality.

Drive-By Downloads from a Compromised Website (T1189)

The MITRE ATT&CK Initial Access technique Drive-By Downloads from a Compromised Website (T1189) is about adversaries gaining access to a system through a user visiting a website in the normal course of browsing.

A malicious application will now be downloaded and executed. These malicious applications may be delivered through popups on legitimate websites.

Once triggered it has the potential to encrypt data, application and operating system files on the local machine, along with any files it can access via network shares. In addition, it could use worm-like behaviour to replicate via the network or via email.

Mitigation:

  1. Make use of a whitelist Secure Web Gateway (SWG) solution that only allows connections to known good destinations and is also able to filter malicious content.
  2. Do not allow any apps or executables besides the standard build to run on the local machine. This can be accomplished in multiple ways depending on whether the machine is Windows or Mac. As examples:
    1. Enable Controlled Folder Access in Windows Security App or in Microsoft Endpoint Configuration Manager;
    2. System Preferences: Allow apps downloaded from App Store;

Simulation (Protect, Detect, Respond):

  1. Use a Breach and Attack Simulation solution or similar to verify that the SWG solution only allows connections to known good destinations and filters malicious content.
  2. Use a Breach and Attack Simulation solution or similar to verify that foreign apps / executables cannot run on the local machine and that a corresponding event is created which notifies the SOC and or triggers an automated SOAR playbook;

Other:

Should a Ransomware incident occur, and you want to lock down your environment while you establish the details regarding the incident you might want to have the following tried and tested in advance:

  1. Add an inbound content rule to re-write or remove all links in emails and attachments and simulate to verify;
  2. Add an internal content rule to re-write or remove all links in emails and attachments and simulate to verify;
  3. Add an outbound content rule to re-write or remove all links in emails and attachments and simulate to verify;
  4. Block any type of file download via the SWG.

The above will ensure that mail can continue to flow and that it is still possible to browse, enabling business continuity and communication even with decreased functionality.

Other Hints and Tips

If you’re looking for further information on how to defend against a specific cyber threat, take a look at MITRE Shield https://shield.mitre.org. Click on Using ATT&CK Mapping > Initial Access > Technique (T1xxx) to view the MITRE recommended remediation.

Test and verify that the endpoint can easily be re-imaged, which might involve replacing the drive depending on which strain of Ransomware has attacked the machine.

Verify that data is backed up and can be easily restored.

Wherever possible remove all network shares.