Incident Response - Eradication

The Eradication phase involves removing the ransomware from infected systems across the organization. Depending on the scope of the attack, this operation can be lengthy and may involve both user devices and more pivotal machines and services that have been impacted. X-Force recommends that any system that has been identified as infected with ransomware should be rebuilt from a trusted source, relying on trusted templates and safely-kept settings. Additionally, root cause analyses (RCA) may reveal that the ransomware infiltrated the organization through email or other mechanisms to which other users have access, and those should be examined.

• If the RCA revealed the malware initially arrived through an email message, the organization should search and purge all existing messages still pending within the mail store. Also consider isolating any systems that received the email (or opened it) until is it verified that the ransomware was not executed on those systems.
• If the RCA revealed that the ransomware arrived via a web browser exploit, those sites should be blocked and monitored. The organization should then assess the need to update or remove any vulnerable browser components.
• Passwords for all affected users should be changed as a precaution. This step should be taken carefully and strategically to avoid alerting the attackers. It’s likely an attacker has a number of credential sets and may attempt to use them and pivot the attack if their initial access is suddenly revoked.

News and Resources