Here is a quick, high-level checklist for responding to a cyber extortion incident. The steps are meant as a guide; specific response needs will vary from case to case. Tasks in this checklist often occur simultaneously and should not be taken as a linear process. Immediately following each item on the checklist, you’ll find the section number (in parentheses) where you can find more detailed information. Note that this checklist will evolve over time; see the authors’ website for the latest version.
The following activities are normally initiated immediately after an incident is discovered.
Activate incident response processes. (4.2)
Involve the appropriate people and appoint an incident manager who will maintain responsibility for oversight of the response, communication, and status. (4.3)
Conduct triage to evaluate and assess the current state, understand the victim’s recovery objectives, and determine appropriate next steps. (4.4)
Assess your resources, including budget, insurance coverage, sources of evidence, staff, technology, and documentation. (4.5)
Develop an initial response strategy, a living document that will guide your process. (4.6)
Establish goals that are realistic and aligned with the organization’s priorities. (4.6.1)
Create an action plan by enumerating key milestones and tasks. (4.6.2)
Assign responsibilities for each task in the action plan. (4.6.3)
Estimate timing, work effort, and costs and share these with the leadership team. (4.6.4)
Communicate with stakeholders including the response team, affected parties, and the public. (4.7)
During the containment phase, responders need to halt malicious activities and ensure the adversary is locked out of the environment as quickly as possible. Here are common actions taken during the containment process:
Gain access to the environment, either through physical means or carefully restricted remote access.
Halt malicious encryption/data deletion.
Change file access permissions. (5.3.2.1)
Remove power from the impacted hosts. (5.3.2.2)
Kill the malicious processes. (5.3.2.3)
Disable persistence mechanisms such as monitoring processes, scheduled tasks, and automatic startup scripts. (5.4)
Halt data exfiltration. (5.5)
Check alerts, logs, and outbound network traffic for signs of suspicious outbound communications.
Block suspicious outbound network traffic at the perimeter firewall, or an intermediary internal firewall if available.
Block access to any cloud services or file-sharing sites used by the adversary to transfer data.
Disallow the use of utilities such as FTP applications, PowerShell, and WinSCP if not necessary.
Restrict data repository access by modifying permissions, roles, and application configurations as appropriate.
Remove any email forwarding rules that were created by an adversary.
Consider cutting off all network traffic as a temporary measure.
Take other steps to block data exfiltration as appropriate.
Resolve denial-of-service attacks. (5.6)
Lock out the hackers. (5.7)
Kill remote connection services. (5.7.1)
Reset passwords for local and cloud accounts. (5.7.3)
Audit and remove any newly created accounts. (5.7.3)
Roll out multifactor authentication. (5.7.4)
Restrict perimeter communications. (5.7.5)
Minimize third-party access. (5.7.6)
Mitigate risks of compromised software. (5.7.7)
Hunt for threats. (5.8)
Use threat hunting tools such as endpoint detection and response (EDR), security information and event management (SIEM), and vulnerability scanners to hunt for signs of suspicious activity.
Remove suspicious hosts or virtual machines (VMs) from the environment.
Deactivate unexplained or malicious user accounts.
Disable newly installed or suspicious software applications.
Eradicate any other sources of potential threats.
Generate signature data for any identified threats and update security solutions to leverage new information.
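The exfiltration, account, mail-forwarding and persistence checks above are the kind of thing a responder runs repeatedly against SIEM and EDR exports while containing the incident. The following is an added example (not from the book or its authors) that hunts over a handful of constructed, SIEM-style event records and pairs each finding with the containment step the checklist calls for. The event fields, domains, thresholds, the approved-account baseline and the incident start time are all assumptions for illustration, not any product's schema or real intelligence.

```python
# Containment hunt over constructed SIEM-style events (added example, not from the book).
from datetime import datetime, timezone

INCIDENT_START = datetime(2024, 3, 1, 0, 0, tzinfo=timezone.utc)   # assumed discovery time
INTERNAL_MAIL_DOMAIN = "example.com"                                # assumed
APPROVED_ACCOUNTS = {"svc_backup", "jdoe", "asmith"}                # constructed baseline
FILE_SHARING_DOMAINS = {"mega.nz", "anonfiles.com", "transfer.sh"}  # constructed example set
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024                           # assumed per-flow cutoff
TRANSFER_PORTS = {21, 22}                                           # FTP, SSH/SCP (e.g. WinSCP)
USER_WRITABLE_PREFIXES = ("C:\\Users\\", "C:\\Windows\\Temp\\", "C:\\ProgramData\\")

EVENTS = [  # constructed telemetry: firewall flows, directory audit, mail audit, task inventory
    {"kind": "flow", "ts": "2024-03-01T02:10:00Z", "src": "ws-042",
     "dst_host": "mega.nz", "dst_port": 443, "bytes_out": 7_300_000_000},
    {"kind": "flow", "ts": "2024-03-01T02:12:00Z", "src": "ws-042",
     "dst_host": "203.0.113.9", "dst_port": 22, "bytes_out": 1_200_000},
    {"kind": "flow", "ts": "2024-03-01T08:00:00Z", "src": "ws-017",
     "dst_host": "updates.example.com", "dst_port": 443, "bytes_out": 45_000},
    {"kind": "account_created", "ts": "2024-03-01T01:55:00Z", "account": "helpdesk2", "by": "jdoe"},
    {"kind": "account_created", "ts": "2024-02-20T09:00:00Z", "account": "asmith", "by": "hr_admin"},
    {"kind": "mailbox_rule", "ts": "2024-03-01T02:00:00Z", "mailbox": "cfo",
     "action": "forward", "target": "archive@example.net"},
    {"kind": "scheduled_task", "ts": "2024-03-01T02:05:00Z", "host": "ws-042",
     "name": "Updater", "command": "C:\\Users\\Public\\svchost.exe -enc aGVsbG8="},
    {"kind": "scheduled_task", "ts": "2023-11-02T10:00:00Z", "host": "srv-01",
     "name": "Backup", "command": "C:\\Program Files\\Backup\\run.exe"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_flow(e):
    """Signs of data exfiltration in one outbound flow (checklist 5.5)."""
    reasons = []
    if e["dst_host"] in FILE_SHARING_DOMAINS:
        reasons.append(f"destination {e['dst_host']} is a known file-sharing service")
    if e["bytes_out"] >= EXFIL_BYTES_THRESHOLD:
        reasons.append(f"{e['bytes_out']} bytes outbound exceeds the per-flow threshold")
    if e["dst_port"] in TRANSFER_PORTS:
        reasons.append(f"file-transfer port {e['dst_port']} used from an endpoint")
    return reasons

def check_account(e):
    """Accounts created during the incident that are not in the baseline (5.7.3)."""
    if e["account"] not in APPROVED_ACCOUNTS and _ts(e["ts"]) >= INCIDENT_START:
        return [f"account {e['account']!r} created during the incident window by {e['by']}"]
    return []

def check_mailbox_rule(e):
    """Forwarding rules that send mail outside the organisation (5.5)."""
    if e["action"] == "forward" and not e["target"].endswith("@" + INTERNAL_MAIL_DOMAIN):
        return [f"mailbox {e['mailbox']!r} forwards to external address {e['target']}"]
    return []

def check_task(e):
    """Scheduled tasks that look like persistence (5.4, 5.8)."""
    cmd = e["command"]
    reasons = []
    if cmd.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("task binary lives in a user-writable directory")
    if " -enc " in cmd.lower() or " -encodedcommand " in cmd.lower():
        reasons.append("task runs an encoded command line")
    if _ts(e["ts"]) >= INCIDENT_START:
        reasons.append("task was registered during the incident window")
    return reasons

RULES = {"flow": check_flow, "account_created": check_account,
         "mailbox_rule": check_mailbox_rule, "scheduled_task": check_task}

# The containment step the checklist pairs with each kind of finding.
ACTIONS = {
    "flow": lambda e: f"block {e['dst_host']} at the perimeter and isolate {e['src']}",
    "account_created": lambda e: f"disable {e['account']} and reset the credentials of {e['by']}",
    "mailbox_rule": lambda e: f"remove the forwarding rule on mailbox {e['mailbox']}",
    "scheduled_task": lambda e: f"disable task {e['name']!r} on {e['host']} and preserve its binary",
}

def hunt(events):
    """Return one finding per event that trips at least one rule."""
    findings = []
    for e in events:
        reasons = RULES.get(e["kind"], lambda _e: [])(e)
        if reasons:
            findings.append({"kind": e["kind"], "ts": e["ts"],
                             "reasons": reasons, "action": ACTIONS[e["kind"]](e)})
    return findings

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["ts"], f["kind"], "|", "; ".join(f["reasons"]), "->", f["action"])
```

Each rule is deliberately simple and keyed to a checklist item, so the output reads as a to-do list for containment rather than a bare alert. In a real case the approved-account baseline and file-sharing domains come from the organisation's own records and the intelligence gathered in the research step (6.1), and every finding should be preserved as evidence (6.4) before the action is taken.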
“Investigation” refers to the process of systematically uncovering facts about the incident, so as to inform response processes, reduce risk, and ensure that the victim meets obligations. In cyber extortion cases, this typically includes the following tasks:
Research the adversary to gather actionable intelligence that may guide the response. (6.1)
Scope the incident to understand the full extent and impact; document your findings for use by the team and third parties involved in the response. (6.2)
Determine if a formal breach investigation will be required, based on legal, regulatory, and contractual obligations. (6.3)
Preserve evidence from sources such as security software and devices, ransom notes, system artifacts, and authentication logs. (6.4)
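Preserving evidence means more than copying files: the responder needs a record of what was collected, when, by whom, and a hash that proves the copy has not changed since. The following is an added example (not from the book or its authors) that builds such a manifest for a set of artifacts and later re-verifies it. The ransom note, the log line, the case id and the collector name are constructed placeholders.

```python
# Evidence-preservation manifest with integrity verification (added example, not from the book).
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: str) -> str:
    """Stream the file so large logs and disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths, case_id: str, collector: str) -> dict:
    """Record each artifact's path, size, modification time and hash at collection time.

    The file is stat'ed before it is read so the recorded metadata reflects the
    state found on the system rather than the act of collecting it."""
    items = []
    for p in paths:
        st = os.stat(p)
        items.append({
            "path": os.path.abspath(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(p),
        })
    return {"case_id": case_id, "collector": collector,
            "collected_utc": datetime.now(timezone.utc).isoformat(), "items": items}

def verify_manifest(manifest: dict) -> list:
    """Return (path, problem) pairs; an empty list means every item still matches."""
    problems = []
    for item in manifest["items"]:
        if not os.path.exists(item["path"]):
            problems.append((item["path"], "missing"))
        elif os.path.getsize(item["path"]) != item["size"]:
            problems.append((item["path"], "size changed"))
        elif sha256_file(item["path"]) != item["sha256"]:
            problems.append((item["path"], "hash mismatch"))
    return problems

def demo():
    """Collect two constructed artifacts, then show that a later change is detected."""
    with tempfile.TemporaryDirectory() as d:
        note = os.path.join(d, "README_RESTORE.txt")   # constructed ransom note
        auth = os.path.join(d, "auth.log")             # constructed authentication log
        with open(note, "w") as f:
            f.write("Your files are encrypted. Contact us at the address in this note.\n")
        with open(auth, "w") as f:
            f.write("2024-03-01T01:50:00Z rdp logon user=jdoe src=203.0.113.9\n")
        manifest = build_manifest([note, auth], case_id="CASE-PLACEHOLDER-001",
                                  collector="analyst-placeholder")
        problems_before = verify_manifest(manifest)
        with open(auth, "r+b") as f:                   # simulate an in-place, same-size change
            f.seek(0)
            f.write(b"9")
        problems_after = verify_manifest(manifest)
        return json.dumps(manifest, indent=2), problems_before, problems_after

if __name__ == "__main__":
    text, before, after = demo()
    print(text)
    print("before:", before)
    print("after:", after)
```

Store the manifest separately from the evidence itself (and ideally sign or hash the manifest too), so that a question months later from counsel, an insurer or a regulator about whether a log was altered can be answered from the record rather than from memory.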
Victims might decide to communicate with the adversary in an effort to reduce ransom amounts, buy time to recover data, reveal information about the adversary, and bring the extortion attack to a resolution. Here is a guide to the negotiation process, along with tips for the negotiator:
Establish negotiation goals before you start so that communications are aligned with your budget, timeline, and information security needs. (7.2)
Consider possible outcomes and how you would respond to each. (7.3)
Identify and prepare the communication medium(s) you will be using, based on the information shared by the adversary. (7.4)
Understand common pressure tactics and prepare stakeholders for possible communications from the adversary outside of normal channels. (7.5)
Choose an experienced negotiator who understands the importance of tone, timeliness, and trust. (7.6)
Make first contact with the adversary. (7.7)
Identify which information the victim will (and will not) share with the adversary. (7.8)
Review and avoid common mistakes. (7.9)
Obtain “proof of life” that demonstrates the adversary is able to deliver on their promises. (7.10)
Ask for discounts (respectfully). Most cyber extortionists expect to haggle over the price. (7.11)
Close the deal by agreeing on a price, form of payment, timing, and deliverables received in return. (7.12)
TIP: Tips for Cyber Extortion Negotiators
Maintain a neutral professional tone throughout all communications.
Provide brief but factual information.
Require “proof of life.”
Don’t pretend the victim is someone they are not.
Don’t try to trick the adversary.
Don’t respond with anger or blame.
Don’t make unrealistic promises.
If the victim considers making a payment, here is a general overview of the process:
Decide whether to pay, considering the pros and cons of paying and of not paying. (8.1)
Notify the appropriate parties of a potential ransom payment, such as the victim’s insurance company, and identify any requirements or constraints. (8.1)
Understand the forms of payment accepted by the adversary, as well as any surcharges for nonpreferred currency types. (8.2)
Ensure payment is not prohibited. Conduct due diligence to determine whether the recipient is associated with a sanctions nexus, and document carefully. (8.3)
Engage a payment intermediary to facilitate the ransom payment. (8.4)
Be aware of common timing issues, including funds transfer delays, insurance approval hurdles, and fluctuating cryptocurrency prices. Plan carefully to minimize the risk of timing impacts. (8.5)
After the payment is made, confirm receipt, request the promised deliverables, notify government agencies or other parties as appropriate, and properly account for the payment. (8.6)
As the victim restores their environment, it’s important to follow a carefully planned process to prevent permanent loss of data or reinfection. These steps are a guide to work toward fully restored operations:
Back up important data, such as configuration files and data repositories (including encrypted data in ransomware cases). (9.1)
Build your recovery environment using a segmented network to avoid cross-contamination. (9.2)
Set up monitoring and logging to ensure that you have visibility to detect signs of malicious activity, both during the recovery process and long term. (9.3)
Establish your process for restoring individual computers, making sure to address evidence preservation, restoration of functionality, malware eradication, risk mitigation, and monitoring. (9.4)
Restore the production environment based on a prioritized plan. (9.5)
Restore data (carefully), whether from backups, collection from production systems, re-creation, or decrypted files. (9.6)
Decrypt encrypted data if necessary, using a methodical process designed to minimize risk. (9.7)
Maintain an effective response on a long-term basis as needed, to address lawsuits, regulatory investigations, public relations needs, and other chronic effects. (9.8)
Adapt by conducting a postmortem, updating documentation, and improving the cybersecurity program. (9.9)
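A frequent cause of "reinfection" during the restore step is simply copying files that are still encrypted (or a stray ransom note) back into production alongside clean data. The following is an added example (not from the book or its authors) of a pre-restore check that classifies files by a known ransomware extension and by byte entropy, and flags legitimately compressed formats for review rather than rejecting them. The extension lists and the entropy cutoff are assumptions; the real extension for a given case comes from the ransom note and the intelligence gathered in the investigation.

```python
# Pre-restore triage of files for lingering encryption (added example, not from the book).
import math
import os
import tempfile
from collections import Counter

RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}            # constructed; use the case's own
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".png", ".jpg", ".docx", ".pdf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cutoff, random/encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample; 0 for uniform content, 8 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, sample_size: int = 65536):
    """Return (verdict, reason) for one file: encrypted, suspect, review or clean."""
    ext = os.path.splitext(os.path.basename(path))[1].lower()
    with open(path, "rb") as f:
        ent = shannon_entropy(f.read(sample_size))
    if ext in RANSOM_EXTENSIONS:
        return "encrypted", f"ransomware extension {ext}"
    if ent >= ENTROPY_THRESHOLD:
        if ext in COMPRESSED_EXTENSIONS:
            return "review", f"entropy {ent:.2f} is high but {ext} is normally compressed"
        return "suspect", f"entropy {ent:.2f} is high for {ext or 'a file with no extension'}"
    return "clean", f"entropy {ent:.2f}"

def triage_directory(root: str) -> dict:
    """Classify every file under root, keyed by its path relative to root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            results[os.path.relpath(p, root)] = classify(p)
    return results

def demo() -> dict:
    """Run the triage over four constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "minutes.txt"), "w") as f:
            f.write("Board meeting minutes, item 1: approve budget.\n" * 200)   # plain text
        with open(os.path.join(d, "report.docx.locked"), "wb") as f:
            f.write(os.urandom(20000))          # encrypted by ransomware, extension appended
        with open(os.path.join(d, "photos.zip"), "wb") as f:
            f.write(os.urandom(20000))          # high entropy but a compressed format
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(os.urandom(20000))          # encrypted in place, extension unchanged
        return triage_directory(d)

if __name__ == "__main__":
    for name, (verdict, reason) in sorted(demo().items()):
        print(f"{verdict:10} {name:22} {reason}")
```

Entropy alone cannot distinguish encryption from compression, which is why the block reports a separate "review" verdict instead of a false "encrypted": a human (or a format-specific header check) decides those cases. Anything classified as encrypted or suspect is kept aside for the decryption step (9.7) rather than restored.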