Incident Response - Containment

The Containment phase is a critical part of the response plan. Once a system has been identified as potentially having ransomware, the suspected infected computer should be immediately removed from your networks (including WiFi connections), and either shut down, or ideally hibernated to assist in forensic and sample analysis while minimizing the risk of the ransomware continuing the encryption process. Failure to quickly isolate infected systems from the network may contribute to augmenting the incident by allowing the malware to continue to encrypt more files on the local system or network shares, thereby increasing recovery efforts.

Run endpoint detection and response (EDR or MDR) Security automation is critical in any attack, especially in cases of a ransomware infection. Your organization should have an endpoint detection and response (EDR) solution in place beyond basic antivirus protection. An EDR solution is helpful in cases of malware attacks in a few ways: [Talk to your CITS representative about our EDR solution we automatically implement for all our clients]

1. It can help detect an attack in its earlier stages. Sometimes that can mean detecting in the first 2 days versus 4 days, averting more expansive impact to the infrastructure.
2. It can help quarantine infected devices completely, keeping thempowered on, but disconnecting them from anything on the network. This way, infected devices retain important forensic data but can’t continue to cause damage outside the local system.
3. It can help with forensics as remediation continues. If you do not already and regularly run a designated EDR solution, your organization will have to deploy one at the onset of finding out about a ransomware attack. This can also be done by your external service provider, if you enlist assistance from incident response experts. <

Last resort containment — Terminate access If the organization cannot quickly determine the source of the ransomware infection and where the encryption process originated, as a last resort, the organization should consider taking the file share(s) offline to help minimize risk and impact to the business. The file server(s) do not need to be shut down, but all access to the file shares should be terminated (remove the share, restrict by network or host based firewall ACL, etc.).

It is not recommended to change permissions on the files within a shared location when restricting access. Depending on the number of files, permission propagation could take hours and would allow the encryption process to continue. If you use Microsoft’s Common Internet File System (CIFS) protocol/Server Message Block (SMB) protocol on other operating systems, including UNIX, Linux, etc. remember to protect these as well. This can help greatly reduce the chance of these shares being encrypted because ransomware can exploit these protocols to move through networks and find more places with data to encrypt.