
Ransomware Triage

STOP
If you think you are the victim of ransomware, STOP what you are doing and call the IT Helpdesk at (337) 475-5995.

General Triage when Dealing with Ransomware

Immediate Action (Containment)

Mid-incident Action (Assessment & Recovery)

  • Identify the type and sensitivity of the data that has been compromised
  • Initiate data restoration procedures from backups if a decision is made to restore
  • Assume all passwords on the affected devices have been compromised and change them using a non-affected device
  • Consider shutting down remote access or implementing more secure measures such as two-factor authentication (remote access protocols are a common entry point for threats)
  • If other restore attempts do not work, attempt to recover using tools such as:
  • If in doubt, wipe the disk clean and reload the OS — Don’t take chances
  • If Personally Identifiable Information (PII) is affected:
    • Consider student/personnel data breached; all affected tokens, passwords, etc. MUST be reset or re-issued immediately
    • Watch out for fraud or impersonation; some level of fraud detection/control should be offered to those affected
    • Inform the appropriate regulators (if necessary)
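A small triage helper for the assessment step above, added here as an example and not part of the original guide: it walks a directory tree and flags probable ransom notes by filename and probably-encrypted files by byte entropy, so the scope of what was hit can be listed before restore decisions are made. The entropy threshold, the note-name pattern, and the list of skipped compressed extensions are assumptions, and the sample tree it builds is constructed for the demo.

```python
import math
import os
import random
import re
import tempfile
from collections import Counter

# Assumed heuristics: ciphertext is close to random, so encrypted files show
# near-maximal entropy; most families drop a note with a tell-tale name; and
# compressed formats are legitimately high-entropy, so they are skipped.
ENTROPY_THRESHOLD = 7.5   # bits per byte; text and CSV sit far below this
NOTE_PATTERN = re.compile(r"decrypt|restore|recover|ransom|readme", re.IGNORECASE)
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".docx", ".xlsx", ".pdf"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_tree(root: str, sample_bytes: int = 65536) -> dict:
    """Walk `root` and bucket each file as ransom note, probably encrypted, or clean."""
    result = {"ransom_notes": [], "encrypted": [], "clean": []}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if NOTE_PATTERN.search(name) and ext in {".txt", ".html", ".hta", ""}:
                result["ransom_notes"].append(path)
                continue
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)  # sampling keeps large files cheap
            if ext not in COMPRESSED_EXT and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                result["encrypted"].append(path)
            else:
                result["clean"].append(path)
    return result

def build_sample_tree() -> str:
    """Constructed sample data: one CSV, one 'encrypted' copy of it, one ransom note."""
    root = tempfile.mkdtemp(prefix="triage_")
    rng = random.Random(7)  # seeded so the demo is reproducible
    with open(os.path.join(root, "budget.csv"), "wb") as fh:
        fh.write(b"dept,q1,q2\nIT,100,200\nHR,150,175\n" * 100)
    with open(os.path.join(root, "budget.csv.locked"), "wb") as fh:
        fh.write(bytes(rng.getrandbits(8) for _ in range(4096)))  # stand-in ciphertext
    with open(os.path.join(root, "HOW_TO_DECRYPT_FILES.txt"), "w") as fh:
        fh.write("Your files have been encrypted. Follow this note to recover them.\n")
    return root
```

Running `triage_tree(build_sample_tree())` puts the note, the `.locked` file and the CSV into their three buckets; on a real share, expect compressed or already-encrypted formats not in the skip list to appear as false positives.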

Post-Incident Action (Long term remediation)

  • Set up a proper backup strategy and test it
  • Continue security awareness training for end users - (UCS)
  • Evaluate network segmentation - (Network Services)
  • Conduct penetration tests - (UCS)
  • Evaluate incident response planning and assessment - (IT)
  • Continue on-going threat detection - (UCS)
  • Evaluate identification and classification of data within the university
  • Evaluate identification of technical controls and their respective effectiveness - (IT)
  • Consider generating playbooks for response and hardening (e.g., Playbook for Handling Ransomware Infections) - (UCS)
  • Collect workable threat intelligence, or at least data, from abuse.ch, AlienVault OTX, etc. - (UCS)
Note: If the data must be recovered (i.e., data is mission critical), ensure that the systems are hardened and defenses are working prior to paying any ransom; you don’t want to get blindsided by another attack the moment you pay.
Source: adapted from https://github.com/0xswap/guides/blob/master/ransomware-triage.txt, Security without Borders, contributors: Rorybyrne, Swap (accessed: January 26, 2017).
Osterman Research Inc. (2016). Understanding the Depth of the Ransomware Problem in the United States. [online] Available at: https://www.malwarebytes.com/surveys/ransomware/?aliId=13242065 [accessed 26 January 2017].