iso27diy-corp/Corpus/Sparks/Ransomware Playbook.md

Also see:
- [Mitigation steps for businesses](https://www.nomoreransom.org/en/prevention-advice-for-businesses.html) from the Europol [No More Ransom project](https://www.nomoreransom.org/nl/index.html).
- [Nationaal Cyber Security Centrum](https://www.ncsc.nl/onderwerpen/ransomware)

See also:
- [a-5.30-ICT-readiness-for-business-continuity](../Standards/ISO27x/OST/27002/EN/a-5.30-ICT-readiness-for-business-continuity.md)
- [BCP_Bedrijfscontinuïteitsplanning](../📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md)
- [Disaster Recovery Planning](ISMS/Disaster%20Recovery%20Planning.md)

3 Phases:
- Prevention
- During the attack
- After the attack

# Prevention
- Identify specific techniques attackers are using [A 5.7](../Standards/ISO27x/OST/27002/EN/a-5.7-Threat-intelligence.md)
- Workforce education
- Remove vulnerabilities / Attack surface reduction
- Business Continuity Planning (BCP)
- Ransom payment policy

## Workforce education

[ISO 27002 A 6.3](../iso27diy-corp/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/ISO_27002_2022_6.3_OT%20Information%20security%20awareness%2C%20education%20and%20training.md)

Education programs should address the following:

- Use caution when opening links or attachments by considering:
	- Do I know the sender?
	- Does this look suspicious?
	- Is this something that I should open or a link I should follow?

- Use a Virtual Private Network (VPN) to gain the benefits of implemented security controls.
- Do not provide personal details when answering emails, phone calls, texts, or other messages, 
- Contact the IT department as soon as possible if you receive suspicious communication.
- Validate IT resources and communications to ensure communications from new contacts are not an attempt at social engineering.
- Alert the IT department before traveling internationally.

See also the [Guidelines for Regular Users](https://www.nomoreransom.org/en/prevention-advice-for-users.html) from the Europol No More Ransom project.

## Attack surface reduction

**Backup and restore**
- Regularly back up your systems, online and offline. Up to date backups are the most effective way of recovering from a ransomware attack.
- Ensure that you create offline backups that are kept in a different location (ideally offsite), from your network and systems, and/or in a cloud service designed for this purpose.
- Perform tests on the critical information restoring process

**Coverage**
- Periodically check your coverage (know what you are *not* monitoring) as part of your vulnerability management (VM) program [A 8.8](../Standards/ISO27x/OST/27002/EN/a-8.8-Management-of-technical-vulnerabilities.md)
- Identify critical information assets
	- Store sensitive data in compartmented locations.
	- Ensure that critical assets are isolated through network segmentation [A 8.22](../Standards/ISO27x/OST/27002/EN/a-8.22-Segregation-of-networks.md)

**Testing and plugging for vulnerabilities**
- Regularly run penetration tests
- Scan for vulnerabilities in installed software
- Scan your operating systems
- See that all software is up to date and available patches are installed [A 8.8](../Standards/ISO27x/OST/27002/EN/a-8.8-Management-of-technical-vulnerabilities.md)
- Know indicators of ransomware and block them from executing (e.g. by scanning mails for executable attachments)
- Disable the execution of email attachments
- block malicious websites, applications, protocols, etc. through content inspection
- Implement blacklisting/whitelisting rules based on live threat intelligence feeds
- Use anti-spear-phishing software that inspects links and attachments at the mail server
- Keep antivirus and anti-malware products up to date
- Disable scripting and macro's (e.g. MS Office macros)
- preventing activation of OLE packages in Microsoft Word
- Disable Windows PowerShell
- Use RDP (Remote Desktop Protocols) only when absolutely necessary, and then only with MFA
- Block access to high-risk category websites (adult material, games, gambling, advertisements, peer-to-peer file sharing)
- Monitor data exfiltration: many ransomware campaigns come with the threat of releasing data to encourage businesses to pay the ransom
- Implement measures such as hard disk encryption, inactivity timeouts, privacy screens, strong authentication, Bluetooth disability and removable media control and encryption (e.g. USB drives).
- Disable (or constrict) use of removable media
-  Implement a process to remotely disable access to a device that has been lost or stolen.
- permit the installation of apps from official sources only
- Turn on local firewalls
- develop effective use policies for use of public Wi-Fi networks

**Identity and Access Management**
- Manage account permissions, especially for administrative rights on endpoints ([A 5.15](../Standards/ISO27x/OST/27002/EN/a-5.15-Access-control.md), [A 5.18](../Standards/ISO27x/OST/27002/EN/a-5.18-Access-rights.md)). This includes:
	- Restricting write permissions for servers
	- Restricting admin users and privileged accounts
	- Granting users the lowest-level system permissions that still allow them to do their job
	- Removing abilities for users to install and run unapproved software applications / use Application whitelisting
	- Limiting administrative tools on workstations
	- creating separate user accounts for privileged and non-privileged activities
	- Organise access rights based on the principles of least privilege, need to know principle and segregation of duties
- ensure the use of unique passwords, esp. for accounts with elevated rights
- Use enhanced passwords and change them on a regular basis
- Use multi-factor authentication (MFA)





- Train your staff
- Consider cyber liability insurance



## Business Continuity Planning (BCP)
[A 5.29](../Standards/ISO27x/OST/27002/EN/a-5.29-Information-security-during-disruption.md), [A 5.30](../Standards/ISO27x/OST/27002/EN/a-5.30-ICT-readiness-for-business-continuity.md)

- Employ a comprehensive data backup and recovery plan for all high-value data
- Backups should be isolated on external storage devices or in the cloud, disconnected and inaccessible from any potentially infected computer once the backup is completed.
See also [BCP_Bedrijfscontinuïteitsplanning](../📚️%20Literature%20notes/BCP_Bedrijfscontinuïteitsplanning.md)

## Ransom payment policy
if your files are encrypted, what do you do?


# During the attack
Remove infected systems from the environment, by disabling physical network ports or removing the network cable.

Check the Europol [No More Ransom project ](https://www.nomoreransom.org), specifically to see if a decryption solution is available with the [Crypto Sheriff ](https://www.nomoreransom.org/crypto-sheriff.php?lang=en)tool or on their [Decryption Tools](https://www.nomoreransom.org/en/decryption-tools.html) page.

## Infected… What to do next?

1. Immediately disconnect, but don’t switch off the infected device(s) from all network connections, whether wired, wireless or mobile phone based.
2. In very serious cases, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary.
3. Reset credentials, including passwords (especially for administrator and other system accounts), but verify that you are not locking yourself out of systems that are needed for recovery.
4. [Report the incident](https://www.nomoreransom.org/en/report-a-crime.html) to your national police or other competent authority.
5. Preserve any evidence, in coordination with the competent authorities investigating the attack: create a forensic image of affected systems (or a system snapshot), create a RAM dump of the affected systems, and preserve any netflow or other network traffic logs.
6. Visit [www.nomoreransom.org](https://www.nomoreransom.org/) to check whether your business was infected with one of the ransomware variants for which we have [decryption tools](https://www.nomoreransom.org/en/decryption-tools.html) available free of charge. If that’s not the case, proceed with the recovery steps.
7.  Safely wipe the infected devices and reinstall the OS.
8.  Before you restore from a backup, verify that it is free from any malware. You should only restore if you are very confident that the backup and the device you are connecting it to are clean.
9.  Connect devices to a clean network to download, install and update the OS and all other software.
10. Install, update, and run antivirus software.
11. Reconnect to your network.
12. Monitor network traffic and run antivirus scans to identify if any infection remains.

# After the attack
Inspect your environment to:
- confirm the attackers no longer have a presence in your system
- know if they have stolen data or caused other harm

Harden your systems against a similar attack
rebuild or recover systems impacted by the attack.

- rebuild systems from known-good baseline images to counter undetected threats.
- scan systems with an up-to-date anti-malware solution to remove malware and related artifacts.
- block malicious domain(s) and IP addresses. This should be performed at all appropriate network filtering and domain name server devices such as firewalls, web proxies, switches, and DNS servers.
- terminate malicious processes on the compromised endpoint(s) identified.
- quarantine affected endpoints from the network.
- lock affected compromised account(s) until the credentials can be rotated.
- changing affected account(s) password(s) as soon as possible to prevent an attacker from leveraging the credentials to access services.
- determining whether other users received malicious communications and removing them from all mailboxes.
- blocking the sender’s email address (if applicable).