1. Ransomware Prevention

Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt. This entails maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.

Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred.
- Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images.

In addition to system images, applicable source code or executables should be available (stored with backups, escrowed, license agreement to obtain, etc.). It is more efficient to rebuild from system images, but some images will not install correctly on different hardware or platforms; having separate access to the needed software will help in these cases.

It is critical to maintain offline, encrypted backups of data and to test your backups regularly. Backup procedures should be conducted on a regular basis. Backups must be kept offline, as many ransomware variants attempt to find and delete any accessible backups. Maintaining offline, current backups is most critical because there is no need to pay a ransom for data that is readily accessible to your organization.
2. Ransomware Prevention

Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface.

3. Ransomware Prevention

Prioritize timely patching of internet-facing servers—as well as software processing internet data, such as web browsers, browser plugins, and document readers—for known vulnerabilities.

4. Ransomware Prevention

Ensure devices are properly configured and that security features are enabled. For example, disable ports and protocols that are not being used for a business purpose (e.g., Remote Desktop Protocol [RDP], Transmission Control Protocol [TCP] port 3389).

5. Ransomware Prevention

Audit the network for systems using RDP, close unused RDP ports, enforce account lockouts after a specified number of attempts, apply multi-factor authentication (MFA), and log RDP login attempts.

Employ best practices for use of RDP and other remote desktop services. Threat actors often gain initial access to a network through exposed and poorly secured remote services, and later propagate ransomware.
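The audit that items 4 and 5 call for, as an added example that is not part of the original guide: it reports whether RDP is enabled, whether Network Level Authentication is required, whether the host firewall still admits TCP 3389, and what the account-lockout threshold is, then runs a simple brute-force detector over failed RDP logons (Security event 4625, logon type 10). The sample events are constructed; the `Get-FailedRdpLogon` helper shows how to feed real events from the Security log instead. The 4625 property indexes are those of current Windows builds and should be verified against an event's XML on your systems.

```powershell
# Added example (not from the original guide): audit a Windows host's RDP exposure and
# flag sources hammering RDP with failed logons. Run in an elevated PowerShell 5.1+ session.

# 1. Is RDP enabled? fDenyTSConnections = 1 means Remote Desktop is disabled.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDisabled = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections -eq 1
# Is NLA required? UserAuthentication = 1 means Network Level Authentication is enforced.
$nlaRequired = (Get-ItemProperty -Path "$rdpKey\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1

# 2. Is TCP 3389 open in the host firewall? The built-in rules sit in the 'Remote Desktop' group.
$rdpRulesOpen = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

# 3. Account lockout threshold ("Never" means no lockout at all).
$lockoutLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }

[pscustomobject]@{
    RdpDisabled       = $rdpDisabled
    NlaRequired       = $nlaRequired
    FirewallAllowsRdp = [bool]$rdpRulesOpen
    LockoutPolicy     = ($lockoutLine -replace '\s+', ' ')
}
# If RDP has no business purpose on this host, disable it and close the port:
#   Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1
#   Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 4. Detection: flag any source address with >= $Threshold failed RDP logons inside $Window.
function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, SourceIp, TargetUser
        [int] $Threshold = 10,
        [timespan] $Window = [timespan]::FromMinutes(10)
    )
    $Events | Group-Object SourceIp | ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        # Sliding window: compare each event with the one ($Threshold - 1) places before it.
        for ($i = $Threshold - 1; $i -lt $sorted.Count; $i++) {
            if (($sorted[$i].TimeCreated - $sorted[$i - $Threshold + 1].TimeCreated) -le $Window) {
                [pscustomobject]@{
                    SourceIp  = $_.Name
                    Failures  = $sorted.Count
                    Users     = ($sorted.TargetUser | Sort-Object -Unique) -join ','
                    FirstSeen = $sorted[0].TimeCreated
                }
                break
            }
        }
    }
}

# Constructed sample data (not real logs): 12 failures from one address within 3 minutes,
# 2 failures from another spread over an hour. Only the first should be reported.
$start  = Get-Date '2024-01-01 03:00:00'
$sample = @()
1..12 | ForEach-Object { $sample += [pscustomobject]@{ TimeCreated = $start.AddSeconds(15 * $_); SourceIp = '203.0.113.5';  TargetUser = "user$($_ % 3)" } }
1..2  | ForEach-Object { $sample += [pscustomobject]@{ TimeCreated = $start.AddMinutes(30 * $_); SourceIp = '198.51.100.7'; TargetUser = 'alice' } }
Find-RdpBruteForce -Events $sample

# The same check against the live Security log (requires admin). In a 4625 event, TargetUserName
# is Properties[5], LogonType is Properties[10] (10 = RemoteInteractive) and IpAddress is Properties[19].
function Get-FailedRdpLogon {
    param([datetime] $Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[10].Value -eq 10 } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                SourceIp    = $_.Properties[19].Value
                TargetUser  = $_.Properties[5].Value
            }
        }
}
# Find-RdpBruteForce -Events (Get-FailedRdpLogon)
```

The window-based rule is deliberately simple: ten failures in ten minutes from one address. Tune the threshold to your lockout policy so that a genuine attacker trips the detector before the lockout silently absorbs the attempts, and forward the 4625 events to your central log store rather than relying on the host's own Security log, which an intruder with local admin rights can clear.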
6. Ransomware Prevention

Based on this specific threat, organizations should consider the following actions to protect their networks:
- Disable SMBv1 and v2 on your internal network after working to mitigate any existing dependencies (on the part of existing systems or applications) that may break when disabled. Remove dependencies through upgrades and reconfiguration: upgrade to SMBv3 (or the most current version) along with SMB signing.
- Block all versions of SMB from being accessible externally to your network by blocking TCP port 445 and the related protocols on User Datagram Protocol (UDP) ports 137–138 and TCP port 139.

Threat actors use SMB to propagate malware across organizations. Disable or block the Server Message Block (SMB) protocol outbound and remove or disable outdated versions of SMB.
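The host-side part of item 6, as an added example that is not part of the original guide: check the SMB server state, find out who still uses SMB1 before turning it off, remove the SMB1 components, require signing on both client and server, and block SMB/NetBIOS from leaving the host for non-local addresses. Commands assume Windows 10 / Windows Server 2016 or later and an elevated session; the feature-removal step differs between client and server editions, as noted in the comments.

```powershell
# Added example (not part of the original guide): disable SMBv1, require SMB signing and keep
# SMB off the internet on a Windows host. Run elevated on Windows 10 / Server 2016 or later.

# Current state: SMB1 should be off and signing should be required.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature, AuditSmb1Access

# Who still talks SMB1 to this host? Turn auditing on, wait a representative period, then read
# Microsoft-Windows-SMBServer/Audit event 3000. No events means no remaining dependency.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# Disable SMB1 on the server side and require signing for both server and client.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# Remove the SMB1 binaries entirely so the protocol cannot be re-enabled by a stray setting.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart   # Windows 10/11
# Windows Server equivalent:  Uninstall-WindowsFeature -Name FS-SMB1

# Block SMB and NetBIOS leaving the host for anything outside the local subnets. The 'Internet'
# keyword in -RemoteAddress is the firewall's built-in "not local subnet" scope.
New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' -Direction Outbound -Action Block `
    -Protocol TCP -RemotePort 445, 139 -RemoteAddress Internet -Profile Any
New-NetFirewallRule -DisplayName 'Block outbound NetBIOS to Internet' -Direction Outbound -Action Block `
    -Protocol UDP -RemotePort 137, 138 -RemoteAddress Internet -Profile Any

# Verify the result.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, RequireSecuritySignature
Get-NetFirewallRule -DisplayName 'Block outbound *to Internet' | Select-Object DisplayName, Enabled, Action
```

The outbound host rules are a backstop for the perimeter block the guide asks for, not a replacement: a compromised host on an internal subnet still reaches its neighbours over 445, which is exactly the lateral-movement path that segmentation (item 23) and the perimeter block together are meant to cut.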
7. Ransomware Prevention

Implement a cybersecurity user awareness and training program that includes guidance on how to identify and report suspicious activity (e.g., phishing) or incidents. Conduct organization-wide phishing tests to gauge user awareness and reinforce the importance of identifying potentially malicious emails.

8. Ransomware Prevention

Implement filters at the email gateway to filter out emails with known malicious indicators, such as known malicious subject lines, and block suspicious Internet Protocol (IP) addresses at the firewall.

9. Ransomware Prevention

To lower the chance of spoofed or modified emails from valid domains, implement a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification.

DMARC builds on the widely deployed Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email.
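How to read a domain's DMARC record and judge whether it actually protects the domain, as an added example that is not part of the original guide. The record is published as a TXT record at `_dmarc.<domain>`; the parser below splits its `tag=value` pairs and the checker reports the gaps a defender cares about (a monitor-only `p=none`, a partial `pct`, missing aggregate reporting, unprotected subdomains). The record string used for the offline run is constructed, and `example.com` is a placeholder.

```powershell
# Added example (not part of the original guide): fetch, parse and grade a DMARC record.

function ConvertFrom-DmarcRecord {
    param([Parameter(Mandatory)] [string] $Record)
    # A DMARC record is 'tag=value' pairs separated by semicolons,
    # e.g. "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair -match '^\s*([a-z]+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    if ($tags['v'] -ne 'DMARC1') { throw "Not a DMARC record: $Record" }
    # Defaults per the spec: sp inherits p, pct defaults to 100.
    $sp  = if ($tags['sp'])  { $tags['sp'] }      else { $tags['p'] }
    $pct = if ($tags['pct']) { [int]$tags['pct'] } else { 100 }
    [pscustomobject]@{
        Policy           = $tags['p']      # none | quarantine | reject
        SubdomainPolicy  = $sp
        Percent          = $pct
        AggregateReports = $tags['rua']    # where receivers send aggregate XML reports
        ForensicReports  = $tags['ruf']
    }
}

function Test-DmarcPolicy {
    param([Parameter(Mandatory)] $Parsed)
    $findings = @()
    if ($Parsed.Policy -eq 'none')           { $findings += 'p=none: spoofed mail is delivered, only reported' }
    if ($Parsed.Percent -lt 100)             { $findings += "pct=$($Parsed.Percent): policy applies to a sample of messages only" }
    if (-not $Parsed.AggregateReports)       { $findings += 'no rua= tag: you will receive no aggregate reports' }
    if ($Parsed.SubdomainPolicy -eq 'none')  { $findings += 'sp=none: subdomains can still be spoofed' }
    if ($findings.Count -eq 0) { 'OK: enforcing policy with reporting' } else { $findings }
}

function Get-DmarcRecord {
    param([Parameter(Mandatory)] [string] $Domain)
    # Long TXT records are split into several strings; join them back together.
    (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop).Strings -join ''
}

# Offline run on a constructed record. For a live lookup use:
#   $record = Get-DmarcRecord -Domain 'example.com'
$record = 'v=DMARC1; p=quarantine; pct=50; sp=none; rua=mailto:dmarc-reports@example.com'
$parsed = ConvertFrom-DmarcRecord -Record $record
$parsed
Test-DmarcPolicy -Parsed $parsed   # two findings on this record: pct=50 and sp=none
```

Run the same check against every domain your organization sends from, including parked and marketing domains, since a domain with no DMARC record at all is the easiest one to spoof. Moving from `p=none` to `quarantine` and then `reject` should follow a period of reading the aggregate reports, so that legitimate third-party senders are added to SPF/DKIM before enforcement starts rejecting their mail.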
10. Ransomware Prevention

Consider disabling macro scripts for Microsoft Office files transmitted via email.

These macros can be used to deliver ransomware.

11. Ransomware Prevention

Ensure antivirus and anti-malware software and signatures are up to date. Additionally, turn on automatic updates for both solutions. It is recommended to use a centrally managed antivirus solution. This enables detection of both “precursor” malware and ransomware.

A ransomware infection may be evidence of a previous, unresolved network compromise. For example, many ransomware infections are the result of existing malware infections, such as TrickBot, Dridex, or Emotet. In some cases, ransomware deployment is just the last step in a network compromise and is dropped as a way to obfuscate previous post-compromise activities.

12. Ransomware Prevention

Use application directory allowlisting on all assets to ensure that only authorized software can run, and all unauthorized software is blocked from executing.
- Enable application directory allowlisting through Microsoft Software Restriction Policy or AppLocker.
- Use directory allowlisting rather than attempting to list every possible permutation of applications in a network environment. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), and SYSTEM32. Disallow all other locations unless an exception is granted.

With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Application control can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the system core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in Constrained Language Mode.

13. Ransomware Prevention

Consider implementing an intrusion detection system (IDS) to detect command and control activity and other potentially malicious network activity that occurs prior to ransomware deployment.

14. Ransomware Prevention

Take into consideration the risk management and cyber hygiene practices of third parties or managed service providers (MSPs) your organization relies on to meet its mission. MSPs can be an infection vector for ransomware impacting client organizations.

Adversaries may target MSPs with the goal of compromising MSP client organizations; they may use MSP network connections and access to client organizations as a key vector to propagate malware and ransomware.

15. Ransomware Prevention

If a third party or MSP is responsible for maintaining and securing your organization’s backups, ensure they are following the applicable best practices. Using contract language to formalize your security requirements is a best practice.

Adversaries may spoof the identity of—or use compromised email accounts associated with—entities your organization has a trusted relationship with in order to phish your users, enabling network compromise and disclosure of information.

16. Ransomware Prevention

Employ MFA for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.

17. Ransomware Prevention

If you are using passwords, use strong passwords and do not reuse passwords for multiple accounts. Change default passwords. Enforce account lockouts after a specified number of login attempts. Password managers can help you develop and manage secure passwords.

There are several programs attackers can use to help guess or crack passwords. By choosing good passwords and keeping them confidential, you can make it more difficult for an unauthorized person to access your information.

18. Ransomware Prevention

Apply the principle of least privilege to all systems and services so that users only have the access they need to perform their jobs.

Threat actors often seek out privileged accounts to leverage to help saturate networks with ransomware.

19. Ransomware Prevention

Limit the ability of a local administrator account to log in from a local interactive session (e.g., “Deny access to this computer from the network”) and prevent access via an RDP session.

Users who can log on to the device over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data.

Assign the “Deny access to this computer from the network” user right to the following accounts:
- Anonymous logon
- Built-in local Administrator account
- Local Guest account
- All service accounts
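One way to assign the two deny rights item 19 describes from a script, as an added example that is not part of the original guide. Windows stores user rights in the local security policy, which `secedit` can export and re-import as an INF file; the script exports the current `[Privilege Rights]` section, merges the accounts above into `SeDenyNetworkLogonRight` and `SeDenyRemoteInteractiveLogonRight` (keeping any principals already listed), and imports the result. The well-known SIDs are real constants; `NT SERVICE\ALL SERVICES` (S-1-5-80-0) stands in for local Windows services, and domain service accounts must be added by their own SIDs. Run elevated on a member server or workstation first, not on a domain controller, where the built-in Administrator is the domain account.

```powershell
# Added example (not part of the original guide): deny network and RDP logon to the accounts
# listed in item 19 via secedit. Run elevated; Get-LocalUser needs Windows 10 / Server 2016+.

# Well-known SIDs (constants): S-1-5-7 = Anonymous Logon, S-1-5-80-0 = NT SERVICE\ALL SERVICES.
$localAdmin = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).SID.Value   # built-in Administrator
$guest      = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }).SID.Value   # local Guest
$deny = @('S-1-5-7', $localAdmin, $guest, 'S-1-5-80-0')
# Add domain service accounts here by SID, e.g. (Get-ADUser svc_backup).SID.Value

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
$new = Join-Path $env:TEMP 'secpol-deny.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$text  = Get-Content -Path $cfg -Raw           # secedit writes UTF-16; -Raw keeps it as one string
$value = ($deny | ForEach-Object { "*$_" }) -join ','   # INF syntax prefixes SIDs with '*'

foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    if ($text -match "(?m)^$right\s*=[^\r\n]*") {
        # Right already assigned: merge so existing denies are preserved.
        $existing = @((($Matches[0] -split '=', 2)[1]).Trim() -split ',' | Where-Object { $_ })
        $merged   = @($existing + ($deny | ForEach-Object { "*$_" }) | Sort-Object -Unique) -join ','
        $text = $text -replace "(?m)^$right\s*=[^\r\n]*", "$right = $merged"
    } else {
        # Right not present: add it directly under the section header.
        $text = $text -replace '(?m)^\[Privilege Rights\]', "[Privilege Rights]`r`n$right = $value"
    }
}
Set-Content -Path $new -Value $text -Encoding Unicode

# Apply only the USER_RIGHTS area so nothing else in local policy is touched.
secedit /configure /db (Join-Path $env:TEMP 'secpol-deny.sdb') /cfg $new /areas USER_RIGHTS

# Verify: both lines should now list the SIDs above.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern 'SeDenyNetworkLogonRight|SeDenyRemoteInteractiveLogonRight'
```

In a domain, the same two settings belong in a GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment, where a domain-wide policy can carry the `Local account and member of Administrators group` SID (S-1-5-114) instead of per-host RID-500 lookups. Test the policy on a pilot OU before broad deployment, since denying network logon to a service account that a backup or monitoring agent relies on breaks that agent immediately.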
20. Ransomware Prevention

Make use of the Protected Users Active Directory group in Windows domains to further secure privileged user accounts against pass-the-hash attacks.

The Protected Users group is designed as part of a strategy to manage credential exposure within the enterprise. Members of this group automatically have non-configurable protections applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify these protections for an account is to remove the account from the security group.
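An audit script for item 20, as an added example that is not part of the original guide: it lists members of the privileged groups who are not yet in Protected Users and flags the two kinds of account that need review before being added, because the group's non-configurable protections disable NTLM, RC4/DES Kerberos and delegation for its members: accounts with service principal names (services that may still depend on those features) and the RID-500 built-in Administrator. It needs the ActiveDirectory RSAT module and domain-admin rights; the group list is the usual set and can be extended.

```powershell
# Added example (not part of the original guide): find privileged accounts outside Protected Users.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$protected = @((Get-ADGroupMember -Identity 'Protected Users' -Recursive).SID.Value)

$candidates = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $_.SID.Value -notin $protected } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties ServicePrincipalName
            [pscustomobject]@{
                Account  = $u.SamAccountName
                Group    = $g
                # Protected Users disables NTLM, RC4/DES Kerberos and delegation for members:
                # service accounts (SPNs) and the built-in Administrator (RID 500) need case-by-case review.
                HasSpn   = [bool]$u.ServicePrincipalName
                IsRid500 = $u.SID.Value -like '*-500'
            }
        }
}
$candidates | Sort-Object Account -Unique | Format-Table -AutoSize

# Add the reviewed, SPN-free, non-RID-500 accounts. Requires every DC to run Windows Server
# 2012 R2 or later. -WhatIf shows the change; drop it to apply.
$toAdd = $candidates | Where-Object { -not $_.HasSpn -and -not $_.IsRid500 } |
    Select-Object -ExpandProperty Account -Unique
if ($toAdd) { Add-ADGroupMember -Identity 'Protected Users' -Members $toAdd -WhatIf }
```

Because the protections cannot be tuned per member, the practical approach is the one this script supports: add the human administrator accounts, keep service accounts out, and give the people you add a separate, non-privileged daily-use account (item 31) so that the restrictions never get in the way of ordinary work.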
21. Ransomware Prevention

Audit user accounts regularly, particularly Remote Monitoring and Management accounts that are publicly accessible—this includes audits of third-party access given to MSPs.

22. Ransomware Prevention

Develop and regularly update a comprehensive network diagram that describes systems and data flows within your organization’s network. The diagram should include depictions of covered major networks, any specific IP addressing schemes, and the general network topology (including network connections, interdependencies, and access granted to third parties or MSPs).

An updated network diagram can help incident responders understand where to focus their efforts in the event of a breach.

23. Ransomware Prevention

Employ logical or physical means of network segmentation to separate various business unit or departmental IT resources within your organization, as well as to maintain separation between IT and operational technology.

This will help contain the impact of any intrusion affecting your organization and prevent or limit lateral movement on the part of malicious actors. Network segmentation can be rendered ineffective if it is breached through user error or non-adherence to organizational policies (e.g., connecting removable storage media or other devices to multiple segments).

24. Ransomware Prevention

Understand and inventory your organization’s IT assets, both logical (e.g., data, software) and physical (e.g., hardware).

Understand which data or systems are most critical for health and safety, revenue generation, or other critical services, as well as any associated interdependencies (i.e., a “critical asset or system list”). This will aid your organization in determining restoration priorities should an incident occur. Apply more comprehensive security controls or safeguards to critical assets. This requires organization-wide coordination.

25. Ransomware Prevention

Restrict usage of PowerShell, using Group Policy, to specific users on a case-by-case basis.

PowerShell is a cross-platform command-line shell and scripting language that is a component of Microsoft Windows. Threat actors use PowerShell to deploy ransomware and hide their malicious activities. Typically, only those users or administrators who manage the network or Windows OSs should be permitted to use PowerShell.

26. Ransomware Prevention

Update PowerShell instances to version 5.0 or later, enable enhanced logging, and uninstall all earlier PowerShell versions. Logs from PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities.

PowerShell logs contain valuable data, including historical OS and registry interaction and possible tactics, techniques, and procedures of a threat actor’s PowerShell use.

27. Ransomware Prevention

Ensure PowerShell instances (use the most current version) have module, script block, and transcription logging enabled (enhanced logging).

PowerShell logs details about PowerShell operations, such as starting and stopping the engine and providers, and executing PowerShell commands. The two logs that record PowerShell activity are the “Windows PowerShell” Windows Event Log and the “PowerShell Operational” log. When you enable Script Block Logging, PowerShell records the content of all script blocks that it processes. Once enabled, any new PowerShell session logs this information.

It is recommended to turn on these two Windows Event Logs with a retention period of 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as possible.

Note: It is recommended to enable Protected Event Logging when using Script Block Logging for anything other than diagnostic purposes.
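Items 25 to 27 together describe one hardening procedure; the script below carries it out on a single host, as an added example that is not part of the original guide. It writes the same policy registry values that the Windows PowerShell Group Policy templates set (script block, module and transcription logging, plus Protected Event Logging), removes the PowerShell 2.0 engine that ignores all of them, enlarges both event logs, and then confirms that a new session produces 4104 script block events. The transcript directory and the encryption certificate thumbprint are placeholders; for a domain, set the equivalent GPO under Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.

```powershell
# Added example (not part of the original guide): enable PowerShell enhanced logging on one host.
# Run elevated in Windows PowerShell 5.1.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: event 4104 in Microsoft-Windows-PowerShell/Operational holds the code
# as it was executed, after any obfuscation layers have been unwrapped.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging for every module ('*'): event 4103 records pipeline execution details.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# Transcription: full session transcripts. Placeholder path; in production point this at a
# central share that hosts can append to but not read or delete.
$transcriptDir = 'C:\PSTranscripts'
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory        -Value $transcriptDir

# Protected Event Logging encrypts 4104 payloads to a public certificate so that credentials
# appearing in logged scripts cannot be read on the endpoint. Placeholder thumbprint.
$pel = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging'
New-Item -Path $pel -Force | Out-Null
Set-ItemProperty -Path $pel -Name EnableProtectedEventLogging -Value 1 -Type DWord
Set-ItemProperty -Path $pel -Name EncryptionCertificate -Value 'PLACEHOLDER-DOCUMENT-ENCRYPTION-CERT-THUMBPRINT'

# Remove the PowerShell 2.0 engine; "powershell -Version 2" would otherwise bypass all of the above.
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
# Windows Server equivalent:  Uninstall-WindowsFeature -Name PowerShell-V2

# Grow both logs (1 GB each here) and keep "overwrite oldest" so logging never stops silently.
foreach ($log in 'Windows PowerShell', 'Microsoft-Windows-PowerShell/Operational') {
    wevtutil set-log "$log" /maxsize:1073741824 /retention:false
}

# Verify: a fresh session must now produce 4104 events; Properties[2] is the script text.
powershell.exe -NoProfile -Command 'Write-Output (1 + 1)' | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 3 |
    Select-Object TimeCreated, @{ n = 'Script'; e = { $_.Properties[2].Value } }
```

The verification step doubles as the periodic check item 27 asks for: a scheduled job that finds no 4104 events from the last day on a host where PowerShell is used daily is a sign that logging has been switched off or the log cleared, which is itself worth an alert.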
28. Ransomware Prevention

Ensure that DCs are regularly patched. This includes the application of critical patches as soon as possible.

Threat actors often target and use DCs as a staging point to spread ransomware network-wide.

29. Ransomware Prevention

Ensure the most current version of the Windows Server OS is being used on DCs.

Security features are better integrated in newer versions of Windows Server OSs, including Active Directory security features.

30. Ransomware Prevention

Ensure that no additional software or agents are installed on DCs, as these can be leveraged to run arbitrary code on the system.

31. Ransomware Prevention

Access to DCs should be restricted to the Administrators group. Users within this group should be limited and have separate accounts used for day-to-day operations with non-administrative permissions.

32. Ransomware Prevention

DC host firewalls should be configured to prevent internet access. Usually, these systems do not have a valid need for direct internet access. Update servers with internet connectivity can be used to pull necessary updates in lieu of allowing internet access for DCs.

33. Ransomware Prevention

Retain and adequately secure logs from both network devices and local hosts. This supports triage and remediation of cybersecurity events. Logs can be analyzed to determine the impact of events and ascertain whether an incident has occurred.

34. Ransomware Prevention

Set up centralized log management using a security information and event management (SIEM) tool. This enables an organization to correlate logs from both network and host security devices. By reviewing logs from multiple sources, an organization can better triage an individual event and determine its impact to the organization as a whole.

35. Ransomware Prevention

Maintain and back up logs for critical systems for a minimum of one year, if possible.

36. Ransomware Prevention

Baseline and analyze network activity over a period of months to determine behavioral patterns so that normal, legitimate activity can be more easily distinguished from anomalous network activity (e.g., normal vs. anomalous account activity).

Business transaction logging—such as logging activity related to specific or critical applications—is another useful source of information for behavioral analytics.

37. Perimeter Protections

Firewall - While a firewall at the perimeter is probably already in place for most organizations, it is important to verify that your firewall is configured for egress filtering as well as ingress filtering. Ingress filtering controls what communications are allowed into the organization’s network, while egress filtering controls what communications are allowed to leave the organization’s network. Both egress and ingress access controls should be based on a least privilege model. Systems that do not need access to external information sources and systems should be blocked from communicating with external entities. Logging should also be turned on at the firewall, as repeated logged access attempts to known malicious IP addresses can serve as an indicator of a problem.

A system without access to any external entities is far less likely to become an entry point for malware than an internet-connected system. Moreover, in the event that a ransomware infection takes place, it will not be able to phone home if proper egress filtering is in place.

38. Perimeter Protections

Proxy Server/Web Filter - Internet-connected systems should be configured to go through a proxy server that allows web content to be filtered, with firewall rules ensuring that proxied web access is the only means of egress for HTTP and HTTPS connections. While a whitelisting approach to web access is ideal, organizations should at a minimum use their filtering appliance to block access to known malicious sites, spam/phishing sites, proxy avoidance sites, pornography, and all other categories of sites deemed unnecessary for normal business operations. It is also strongly recommended to block access to personal email, file sharing sites, social media, instant messaging, and advertising networks at this level. Special exemptions for file sharing sites, social media, etc. can be added on an as-needed basis. Prohibiting the download of executable files (e.g., .exe, .scr, etc.) onto endpoints should also be put in place.

Many proxy servers/web filtering appliances also have the ability to scan incoming web content with an AV engine. Where this is supported, it is recommended that it be turned on and that, where feasible, a different AV engine than the one used internally be used, to increase the likelihood that a signature exists for a relatively new threat. Web filters should be updated regularly to ensure that categorizations for malicious and other sites are always current.

39. Perimeter Protections

SPAM Filter - It is far better to block known spam, mail containing malicious links, and mail containing malicious attachments at the perimeter than to let other internal layers of defense handle it. It is also recommended to block any message that contains executable attachments such as .exe or .vbs files. Spam filters should always be kept up to date to ensure they have the latest block lists and that their AV engines have the latest signatures for analyzing attachments. Where feasible, the AV engine used in the spam filter should be different from the AV engine used on the endpoints where email will be accessed.

As a perimeter defense, consider implementing spam filters that filter email before it hits your corporate mail server or, if you are using hosted email, ensure that the spam filtering made available by your hosting provider is turned on.

40. Perimeter Protections

VPN/Remote Access - It is advised that organizations limit remote access to just the necessary accounts and that an account lockout policy is in place to help prevent the brute forcing of credentials. Remote access should also make use of two-factor authentication wherever feasible to mitigate the damage that can be caused by lost or stolen access credentials.

The SamSam ransomware is commonly reported as being spread through attempts to connect to organizations remotely through poorly secured, publicly facing RDP services.

41. Network Defenses

DNS Sinkhole - While connectivity to malicious sites is ideally blocked at the perimeter, an extra layer of defense against establishing connections to malicious sites can be added by creating a DNS sinkhole, which prevents connections to certain domains by giving out false information when a DNS request comes in for one of the domains in the sinkhole.

As with perimeter defenses, preventing any system or person from accessing malicious content is always far preferable to mitigating it once it has been downloaded to or accessed by an endpoint. Ideally your sinkhole domain list will be from a different source than the one used on your web filter to ensure more comprehensive coverage of malicious domains.
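A DNS sinkhole of the kind item 41 describes, built on a Windows DNS Server, as an added example that is not part of the original guide. For each blocked domain the script creates a local authoritative zone, which takes precedence over recursion, and points both the apex and a wildcard record at an internal sinkhole host, so any client asking the corporate resolver for that domain or a subdomain gets the sinkhole address instead of the real one. The blocklist, the sinkhole address and the server name are constructed placeholders; the DnsServer RSAT module is required.

```powershell
# Added example (not part of the original guide): sinkhole domains on a Windows DNS Server.
Import-Module DnsServer

$sinkholeIp = '10.10.0.250'   # placeholder: an internal host that logs every hit and serves nothing
$blocklist  = @('malicious.example', 'c2.example.net', 'phish.example.org')   # constructed list

function Add-DnsSinkhole {
    param(
        [Parameter(Mandatory)] [string[]] $Domain,
        [Parameter(Mandatory)] [string]   $SinkholeIp,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    foreach ($d in $Domain) {
        if (Get-DnsServerZone -Name $d -ComputerName $ComputerName -ErrorAction SilentlyContinue) {
            Write-Verbose "zone $d already exists, skipping"
            continue
        }
        # A local primary zone short-circuits recursion: clients get our answer, never the real one.
        # DynamicUpdate None stops anyone registering records into the sinkhole zone.
        Add-DnsServerPrimaryZone -Name $d -ZoneFile "$d.dns" -DynamicUpdate None -ComputerName $ComputerName
        # Apex ('@') and wildcard ('*') records so the domain and every subdomain resolve to the sinkhole.
        # A short TTL lets you lift the block quickly if a domain turns out to be a false positive.
        foreach ($name in '@', '*') {
            Add-DnsServerResourceRecordA -ZoneName $d -Name $name -IPv4Address $SinkholeIp `
                -TimeToLive 00:05:00 -ComputerName $ComputerName
        }
        [pscustomobject]@{ Domain = $d; SinkholedTo = $SinkholeIp }
    }
}

function Remove-DnsSinkhole {
    param([Parameter(Mandatory)] [string[]] $Domain, [string] $ComputerName = $env:COMPUTERNAME)
    foreach ($d in $Domain) { Remove-DnsServerZone -Name $d -ComputerName $ComputerName -Force }
}

Add-DnsSinkhole -Domain $blocklist -SinkholeIp $sinkholeIp -Verbose

# What a client now receives for a blocked domain: the sinkhole address, not the real one.
Resolve-DnsName -Name 'www.malicious.example' -Server $env:COMPUTERNAME -Type A
```

The detection value comes from the sinkhole host itself: every connection that arrives at `$sinkholeIp` is a client that tried to reach a blocked domain, so firewall or web-server logs on that host give you a list of machines to triage. The sinkhole only works for clients that use the corporate resolver; pair it with a perimeter rule that blocks direct outbound DNS (UDP/TCP 53) and DNS-over-HTTPS to public resolvers, otherwise malware can simply ask another server.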
42. Network Defenses

Network Segmentation - Network segmentation via VLANs and ACLs that control traffic between VLANs will not prevent a ransomware attack from gaining access to your systems, but will be invaluable if a malware infection is able to gain a foothold within your organization.

Network segmentation can help to ensure that a malware infection, or other security issue, stays isolated to just the network segment the infected endpoint is on and does not spread through the entirety of the organization. It is particularly important for organizations that maintain legacy systems which are no longer able to receive security updates.

43. Network Defenses

Virtual Machine Segmentation - For heavily virtualized environments it is advisable to deploy virtual machine segmentation technologies, such as VMware’s NSX or Microsoft’s HNV, to ensure that virtual machine communications can be controlled with network security mechanisms equivalent to those of physical systems.

Just as network segmentation is key in ensuring that the number of systems a malware infection can spread to is minimized, it is important to remember that many virtual machine communications take place across the backplane of a server and do not traverse standard network equipment like switches.

44. Network Defenses

Network Intrusion Detection System (NIDS) - Having a network IDS in place will likely not be a highly effective way of preventing malware from gaining access to your systems, as most are geared more towards detecting exploit attempts than malware, but a NIDS can be used to alert to potential outbreaks, since it can alert when communication attempts are being made to malicious IP addresses such as command and control centers for botnets and key generation sites for ransomware tools.

The earlier IT and infosec staff are alerted to the presence of a malware outbreak, the better the chance of successfully containing the incident, and this is one such avenue of detection that can be employed. Depending on the deployment, a NIDS may also help to pinpoint a system within the organization that is attempting to infect other systems.

45. Endpoint Protections

Fully Patched and Updated - Ransomware and other malware often use a variety of exploits to gain a foothold on systems, and ensuring that the OS and all applications on the system are fully patched and updated will minimize the number of ways that endpoints can be successfully exploited. With regard to ransomware, keeping your email client, browser, and Flash fully updated is of critical importance.

Organizations should have robust procedures in place for ensuring proper patch management and the routine patching of software.

46. Endpoint Protections

No Unnecessary Applications and Services - If an application does not exist on the system it cannot be exploited, so ensuring that endpoint configurations also follow a least privilege model is an effective way of reducing the attack surface of endpoints. It is particularly advisable not to run Java and Flash on computers that do not require them.

47. Endpoint Protections

No Administrative Rights - Administrative rights should only be used for administrative tasks, and normal computer usage should never be performed from an account with administrative privilege. This will prevent many types of malware from gaining a foothold, as the user’s account may simply not have the proper permissions to “install” the malware.

48. Endpoint Protections

Antivirus (AV) - Antivirus should be run on all endpoints and configured for on-access scanning of files and other resources. Antivirus should be kept up to date, and alerting should be configured to notify IT staff of any possible infections.

It is important to remember that AV is largely signature based and, as such, can only effectively detect known threats. AV may not provide any protection against a novel virus or a new malware variant. Ideally this is a different vendor than the one used to scan for viruses at the perimeter defense level.

49. Endpoint Protections

Next Generation AV - These are antivirus solutions that are signature-less in nature and as such have the potential to detect zero-day attacks and novel strains of malware. Next-gen AV uses methods like behavioral detection, machine learning, and cloud-based file execution to try to identify exploit attempts and malware.

Some next-gen AV packages are certified under PCI-DSS as AV replacements, but not all are. In many cases they can be used as a complement to traditional AV.

50. Endpoint Protections

Disable Support for Macros - Macros and other executable content can be embedded in documents used within office applications and PDF files. Odds are that most users in your organization have no legitimate need for such features, and support for such features should be turned off by default.
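The macro settings that item 10 (macros in files received by email) and item 50 (macros off by default) ask for, written through the Office policy registry keys, as an added example that is not part of the original guide. `VBAWarnings` controls the default macro behaviour for each application and `blockcontentexecutionfrominternet` blocks macros in any file carrying the Mark-of-the-Web, which is exactly the set of files that arrived by email or download. The keys are the ones the Office administrative templates write; `16.0` is the hive for Office 2016 and later, and the script sets the current user's policy, which in practice would be deployed by GPO to the `HKCU` policy hive of every user.

```powershell
# Added example (not part of the original guide): enforce and audit Office macro policy.
$office = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$apps   = 'Word', 'Excel', 'PowerPoint', 'Access'

foreach ($app in $apps) {
    $sec = "$office\$app\Security"
    New-Item -Path $sec -Force | Out-Null
    # VBAWarnings: 1 = enable all, 2 = disable with notification, 3 = disable except digitally
    # signed, 4 = disable all macros without notification. 4 is the default for most users;
    # 3 for the few with a business need, who then rely on signed macros only.
    Set-ItemProperty -Path $sec -Name VBAWarnings -Value 4 -Type DWord
    # Block macros in files with the Mark-of-the-Web (email attachments, browser downloads)
    # regardless of what the user would otherwise be allowed to enable.
    Set-ItemProperty -Path $sec -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# Audit: read the effective values back and flag anything weaker than intended. Run this
# across the fleet (e.g. via Invoke-Command) to find users whose policy did not apply.
function Get-OfficeMacroPolicy {
    param([string] $Hive = $office, [string[]] $Applications = $apps)
    foreach ($app in $Applications) {
        $p = Get-ItemProperty -Path "$Hive\$app\Security" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application   = $app
            VBAWarnings   = $p.VBAWarnings
            BlockInternet = $p.blockcontentexecutionfrominternet
            Compliant     = ($p.VBAWarnings -in @(3, 4)) -and ($p.blockcontentexecutionfrominternet -eq 1)
        }
    }
}
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

A value of 3 (signed macros only) is the usual exception path for finance or engineering teams that depend on macro-enabled workbooks: their macros get signed with an internal code-signing certificate, everything unsigned stays blocked, and the Mark-of-the-Web rule still stops anything that arrived by email even when it is signed by a certificate the user is prompted to trust.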
|
51 |
51 |
Endpoint Protections |
Software Restriction Policies/AppLocker - GPO policies can be set to blacklist certain applications from running and to blacklist applications from running in certain locations such as the AppData folder of a user's profile, which is a common malware target. Organizations can develop their own policies or use the anti-ransomware policies made available by organizations like Third Tier. Such policies are a nice compliment to AV software as they are not signature based and may prevent event novel malware variants from running successfully. Just be sure to test any such policies to ensure they do not interfere with any legitimate applications that are used within your environment. |
A better approach than blacklisting would be an application whitelisting approach, but this is more challenging and time consuming project in order to ensure that no critical applications are broken once only whitelisted applications are allowed to run. |
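The directory allowlist that item 12 specifies, which is also the whitelisting approach item 51 prefers over blacklisting, expressed as an AppLocker policy, as an added example that is not part of the original guide. In AppLocker, `%PROGRAMFILES%` covers both Program Files directories and `%WINDIR%` covers System32; once a rule collection contains any rule, everything that matches no rule is denied, so a user's AppData folder is blocked without a separate deny rule. The rule GUIDs are arbitrary values constructed for this example. The policy is applied in audit-only mode first so that event 8003 ("would have been blocked") can reveal legitimate software the rules miss before enforcement is turned on. Requires Windows Enterprise or Server, an elevated session, and the Application Identity service.

```powershell
# Added example (not part of the original guide): AppLocker directory allowlist for EXE rules.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <!-- world-writable folders under Windows that malware uses to stage executables -->
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Administrators may run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$path = Join-Path $env:TEMP 'applocker-allowlist.xml'
Set-Content -Path $path -Value $policyXml

# Dry run before applying anything: copy a known binary into the user's Temp folder (which sits
# under AppData) and ask the policy what a standard user could run. Expected: the copy in Temp
# is Denied (no matching rule), the original under System32 is Allowed.
$probe = Join-Path $env:TEMP 'probe.exe'
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $probe -Force
Test-AppLockerPolicy -XmlPolicy $path -Path $probe, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply in audit mode and make sure the enforcement service runs.
Set-AppLockerPolicy -XmlPolicy $path
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# After a few weeks of auditing, anything that shows up here is either software to add an
# allow rule for, or malware. Then change EnforcementMode to "Enabled" and re-apply.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

This example covers only the EXE collection; the same pattern applies to the Script, MSI and DLL collections, which is how the "block unsigned scripts and MSIs" part of item 12 is implemented. Keep path rules for directories that standard users cannot write to, as done here; a path rule for a user-writable folder is an allowlist entry for whatever the user (or malware running as the user) drops there.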
52. Endpoint Protections

Disable USB Access - While not as common as web- and email-based transmission vectors, there have been variants of the CryptoLocker ransomware that have been known to spread via USB drives. Wherever feasible, USB drive access should be blocked.

53. Endpoint Protections

Virtual Desktop Infrastructure - If the organization’s endpoints are virtualized, an additional option for malware defense is to ensure that all VDI desktops are non-persistent and that the systems revert to a predefined state after each session. This ensures that any malware that infected a VDI desktop is eliminated once the user’s session ends, since the system reversion will restore the desktop to a “like new” pre-infection state.

54. Endpoint Protections

Local Administrator Password Solution (LAPS) - Use LAPS to automatically manage local administrator passwords on domain-joined computers so that passwords are unique on each managed computer, randomly generated, and securely stored in the Active Directory infrastructure.

The Local Administrator Password Solution (LAPS) provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.
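The permission model item 54 describes, worked through with the Windows LAPS cmdlets, as an added example that is not part of the original guide: audit who can read the password on a given OU, grant read access to a helpdesk group only, and report computers whose password has never rotated or whose policy has not applied. The OU, group and computer names are placeholders. It requires the LAPS module (shipped with Windows Server 2019/Windows 10 from the April 2023 update onward) and the ActiveDirectory module; the legacy LAPS product uses the equivalent `*-AdmPwd*` cmdlets.

```powershell
# Added example (not part of the original guide): Windows LAPS permissions audit and rotation check.
Import-Module LAPS, ActiveDirectory

$ou       = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$helpdesk = 'CORP\Helpdesk-Tier1'                  # placeholder group

# 1. Who currently holds the extended right to read the password attributes on this OU?
#    Anything beyond Domain Admins and the intended helpdesk group is a finding.
Find-LapsADExtendedRights -Identity $ou | Select-Object -ExpandProperty ExtendedRightHolders

# 2. Computers must be able to write their own password; only the helpdesk group gets to read it.
Set-LapsADComputerSelfPermission -Identity $ou
Set-LapsADReadPasswordPermission -Identity $ou -AllowedPrincipals $helpdesk

# 3. Is rotation happening? msLAPS-PasswordExpirationTime is a FILETIME; a missing value means
#    the policy never applied, a past value means the client stopped rotating.
function Get-LapsRotationReport {
    param([string] $SearchBase = $ou)
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties 'msLAPS-PasswordExpirationTime' |
        ForEach-Object {
            $raw     = $_.'msLAPS-PasswordExpirationTime'
            $expires = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }
            [pscustomobject]@{
                Name    = $_.Name
                Expires = $expires
                Healthy = ($null -ne $expires) -and ($expires -gt (Get-Date).ToUniversalTime())
            }
        }
}
Get-LapsRotationReport | Where-Object { -not $_.Healthy } | Format-Table -AutoSize

# 4. Audit password reads so every retrieval lands in the Security log on the DCs.
Set-LapsADAuditing -Identity $ou -AuditedPrincipals 'Everyone' -AuditType Success

# 5. Retrieval for a support ticket (placeholder computer name):
# Get-LapsADPassword -Identity 'PC-0001' -AsPlainText
```

The point of steps 1 and 4 is that LAPS only removes the shared-password problem if the reading rights are narrow and every read is logged: a helpdesk account that can read all passwords in the domain is the same kind of single point of failure the shared password was, so scope `Set-LapsADReadPasswordPermission` per OU and alert on bulk reads.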
55. Endpoint Protections

Application Sandboxing - Sandboxing applications such as web browsers and their respective plugins can help to prevent certain forms of ransomware from impacting your system, as the sandbox has the potential to keep the ransomware from accessing the files on your hard drive or network shares.

Application sandboxing is a method of isolating applications so that they only have access to a strict set of tightly controlled resources, such as memory and disk space. Typically, sandboxed applications are prevented from permanently committing any changes to disk.

56. Ransomware Response

- If several systems or subnets appear impacted, take the network offline at the switch level. It may not be feasible to disconnect individual systems during an incident.
- If taking the network temporarily offline is not immediately possible, locate the network (e.g., Ethernet) cable and unplug affected devices from the network or remove them from Wi-Fi to contain the infection.

After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected. Be sure to isolate systems in a coordinated manner and use out-of-band communication methods like phone calls or other means to avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken. Not doing so could cause actors to move laterally to preserve their access—already a common tactic—or deploy ransomware widely prior to networks being taken offline.

57. Ransomware Response

Only in the event you are unable to disconnect devices from the network, power them down to avoid further spread of the ransomware infection.

This will prevent you from preserving ransomware infection artifacts and potential evidence stored in volatile memory. It should be carried out only if it is not possible to temporarily shut down the network or disconnect affected hosts from the network using other means.
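A host-level isolation step that fits between items 56 and 57, as an added example that is not part of the original guide: when the cable cannot be pulled immediately, the host firewall can cut the machine off from everything except the incident-response collector while the machine stays powered on and its volatile memory stays intact. Windows Firewall evaluates block rules ahead of allow rules, so a "block everything" rule would also block the collector; the script instead disables every other enabled rule, sets the profile defaults to block, and adds the collector as the single allow. The previous state is saved so that `-Undo` restores it. The collector address is a placeholder.

```powershell
# Added example (not part of the original guide): isolate a host without powering it down.
# Run elevated on the affected host, ideally over the out-of-band channel item 56 describes.
function Invoke-HostIsolation {
    param(
        [Parameter(Mandatory)] [string] $CollectorIp,   # IR workstation allowed to reach this host
        [switch] $Undo
    )
    $tag   = 'IR-Isolation'
    $state = Join-Path $env:TEMP "$tag-state.xml"

    if ($Undo) {
        $saved = Import-Clixml -Path $state
        Get-NetFirewallRule -DisplayName "$tag*" | Remove-NetFirewallRule
        $saved.DisabledRules | ForEach-Object { Enable-NetFirewallRule -Name $_ }
        foreach ($p in $saved.Profiles) {
            Set-NetFirewallProfile -Name $p.Name -DefaultInboundAction $p.DefaultInboundAction -DefaultOutboundAction $p.DefaultOutboundAction
        }
        return 'isolation removed'
    }

    # Connections that exist right now are evidence; capture them before the sockets are torn down.
    Get-NetTCPConnection -State Established |
        Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } } |
        Export-Csv -Path (Join-Path $env:TEMP "$tag-connections.csv") -NoTypeInformation

    # Save what we are about to change so -Undo can put it back.
    $profiles = Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
    $others   = Get-NetFirewallRule -Enabled True | Where-Object { $_.DisplayName -notlike "$tag*" }
    @{ Profiles = $profiles; DisabledRules = @($others.Name) } | Export-Clixml -Path $state

    # Block rules beat allow rules in Windows Firewall, so a "block all" rule would also cut off
    # the collector. Disable every other rule, let the profile defaults (Block) apply, and add the
    # collector as the one explicit exception.
    $others | Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName "$tag collector in"  -Direction Inbound  -Action Allow -RemoteAddress $CollectorIp -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName "$tag collector out" -Direction Outbound -Action Allow -RemoteAddress $CollectorIp -Profile Any | Out-Null
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
    "isolated: only $CollectorIp can reach this host; keep it powered on until memory has been captured"
}

Invoke-HostIsolation -CollectorIp '10.20.0.5'          # placeholder collector address
# Invoke-HostIsolation -CollectorIp '10.20.0.5' -Undo   # after eradication
```

This is a containment measure, not a guarantee: an intruder with administrative rights on the host can undo firewall changes, so it buys time for the memory capture and the switch-level isolation in item 56 rather than replacing them. Most EDR platforms offer an equivalent "isolate host" action that is harder for malware on the host to reverse and should be preferred where it exists.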
58 |
58 |
Ransomware Response |
Identify and prioritize critical systems for restoration, and confirm the nature of data housed on impacted
systems.
-Prioritize restoration and recovery based on a predefined critical asset list that includes information
systems critical for health and safety, revenue generation, or other critical services, as well as systems they depend on. |
Keep track of systems and devices that are not perceived to be impacted so they can be deprioritized for
restoration and recovery. This enables your organization to get back to business in a more efficient manner. |
59 |
59 |
Ransomware Response |
Confer with your team to develop and document an initial understanding of what has occurred based on initial analysis. |
|
60 |
60 |
Ransomware Response |
Engage your internal and external teams and stakeholders with an understanding of what they can provide to help you mitigate, respond to, and recover from the incident. |
Share the information you have at your disposal to receive the most timely and relevant assistance. Keep management and senior leaders informed via regular updates as the situation develops. Relevant stakeholders may include your IT department, managed security service providers, cyber insurance company, and departmental or elected leaders. |
61 |
61 |
Containment and Eradication |
Take a system image and memory capture of a sample of affected devices (e.g., workstations and servers). Additionally, collect any relevant logs as well as samples of any “precursor” malware binaries and associated observables or indicators of compromise (e.g., suspected command and control IP addresses, suspicious registry entries, or other relevant files detected). The contacts below may be able to assist you in performing these tasks. |
Take care to preserve evidence that is highly volatile in nature—or limited in retention—to prevent loss or tampering (e.g., system memory, Windows Security logs, data in firewall log buffers). |
62 |
Containment and Eradication |
Consult your federal law enforcement regarding possible decryptors available, as security researchers have already broken the encryption algorithms for some ransomware variants. |
63 |
Containment and Eradication |
Research trusted guidance (e.g., guidance published by government sources, MS-ISAC, or reputable security vendors) for the particular ransomware variant and follow any additional recommended steps to identify and contain systems or networks that are confirmed to be impacted. |
Kill or disable the execution of known ransomware binaries; this will minimize damage and impact to your systems. Delete other known, associated registry values and files. |
64 |
Containment and Eradication |
Identify the systems and accounts involved in the initial breach. This can include email accounts. |
65 |
Containment and Eradication |
Based on the breach or compromise details determined above, contain any associated systems that may be used for further or continued unauthorized access. Breaches often involve mass credential exfiltration, so securing networks and other information sources from continued credential-based unauthorized access may include disabling virtual private networks, remote access servers, single sign-on resources, and cloud-based or other public-facing assets. |
66 |
Containment and Eradication |
Conduct an examination of existing organizational detection or prevention systems (antivirus, Endpoint Detection & Response, IDS, Intrusion Prevention System, etc.) and logs. |
Doing so can highlight evidence of additional systems or malware involved in earlier stages of the attack. |
67 |
Containment and Eradication |
Look for evidence of precursor “dropper” malware. A ransomware event may be evidence of a previous, unresolved network compromise. Many ransomware infections are the result of existing malware infections such as TrickBot, Dridex, or Emotet. |
➖ Operators of these advanced malware variants will often sell access to a network. Malicious actors will sometimes use this access to exfiltrate data and then threaten to release the data publicly before ransoming the network in an attempt to further extort the victim and pressure them into paying.
➖ Malicious actors often drop manually deployed ransomware variants on a network to obfuscate their post-compromise activity. Care must be taken to identify such dropper malware before rebuilding from backups to prevent continuing compromise. |
68 |
Containment and Eradication |
Conduct extended analysis to identify outside-in and inside-out persistence mechanisms. |
➖ Outside-in persistence may include authenticated access to external systems via rogue accounts, backdoors on perimeter systems, exploitation of external vulnerabilities, etc.
➖ Inside-out persistence may include malware implants on the internal network or a variety of living-off-the-land style modifications (e.g., use of commercial penetration testing tools like Cobalt Strike; use of PsTools suite, including PsExec, to remotely install and control malware and gather information regarding—or perform remote management of—Windows systems; use of PowerShell scripts).
➖ Identification may involve deployment of endpoint detection and response solutions, audits of local and domain accounts, examination of data found in centralized logging systems, or deeper forensic analysis of specific systems once movement within the environment has been mapped out. |
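An added example (not part of the CISA checklist) of the log examination that the detection-system review above and this persistence-hunting step call for: a Python scan over constructed Windows event records for the rogue-account, PsExec-style service and scheduled-task indicators named in the bullets. The JSON export format, host names and sample values are assumptions; the event IDs are the real Windows IDs for those events.

```python
import json
import re

# Real Windows event IDs (assumed to be present in the exported records).
ACCOUNT_CREATED = 4720    # Security log: a user account was created
SERVICE_INSTALLED = 7045  # System log: a new service was installed
TASK_CREATED = 4698       # Security log: a scheduled task was created

# Image paths or commands typical of PsExec, PowerShell or UNC-hosted tooling.
SUSPICIOUS_CMD = re.compile(r"psexesvc|powershell|cmd\.exe|\\\\[\w.-]+\\", re.I)

# Constructed sample export (one JSON record per line); not from a real system.
SAMPLE_LOG = r"""
{"EventID": 4720, "Host": "DC01", "Subject": "jdoe", "TargetUser": "svc_backup2"}
{"EventID": 7045, "Host": "FS01", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"EventID": 7045, "Host": "WS07", "ServiceName": "Updater", "ImagePath": "powershell.exe -nop -enc <constructed>"}
{"EventID": 7045, "Host": "WS08", "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}
{"EventID": 4698, "Host": "WS07", "TaskName": "\\Maint", "Command": "cmd.exe /c \\\\FS01\\share\\run.bat"}
"""


def find_persistence(log_text):
    """Return (host, reason) findings for new accounts, suspicious services and tasks."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid, host = ev.get("EventID"), ev.get("Host", "?")
        if eid == ACCOUNT_CREATED:
            # Every account created in the incident window is audited: a rogue
            # account is the outside-in foothold the checklist describes.
            findings.append((host, f"account {ev['TargetUser']} created by {ev['Subject']}"))
        elif eid == SERVICE_INSTALLED and SUSPICIOUS_CMD.search(ev.get("ImagePath", "")):
            findings.append((host, f"service {ev['ServiceName']} runs {ev['ImagePath']}"))
        elif eid == TASK_CREATED and SUSPICIOUS_CMD.search(ev.get("Command", "")):
            findings.append((host, f"task {ev['TaskName']} runs {ev['Command']}"))
    return findings


def hosts_to_examine(findings):
    """Group findings by host so deeper forensic analysis can be prioritized."""
    by_host = {}
    for host, reason in findings:
        by_host.setdefault(host, []).append(reason)
    return by_host


if __name__ == "__main__":
    for host, reasons in hosts_to_examine(find_persistence(SAMPLE_LOG)).items():
        print(host, "->", "; ".join(reasons))
```

The legitimate Spooler service on WS08 produces no finding, while the two WS07 records (a PowerShell-backed service and a task running from a UNC share) mark that host for deeper forensic analysis.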
69 |
Containment and Eradication |
Rebuild systems based on a prioritization of critical services (e.g., health and safety or revenue generating services), using pre-configured standard images, if possible. |
Once the environment has been fully cleaned and rebuilt (including any associated impacted accounts and the removal or remediation of malicious persistence mechanisms), issue password resets for all affected systems and address any associated vulnerabilities and gaps in security or visibility. This can include applying patches, upgrading software, and taking other security precautions not previously taken. |
70 |
Recovery and Post-Incident Activity |
Reconnect systems and restore data from offline, encrypted backups based on a prioritization of critical services. |
Take care not to re-infect clean systems during recovery. For example, if a new Virtual Local Area Network has been created for recovery purposes, ensure only clean systems are added to it. |
71 |
Recovery and Post-Incident Activity |
Document lessons learned from the incident and associated response activities to inform updates to—and refine—organizational policies, plans, and procedures and guide future exercises of the same. |