Intelligent CISO Issue 61 | Page 75

5 . Identify all infected systems and accounts ( scope )
Identify any active malware or persistent leftovers on systems that are still communicating to the commandand-control ( C2 ) server . Common persistence techniques include creating new processes running the malicious payload , using run registry keys , or creating new scheduled tasks .
6 . Determine if data was exfiltrated
Oftentimes , ransomware attacks not only encrypt your files but also exfiltrate your data . They will do this to increase the chances of ransom payment by threatening to post things like proprietary or embarrassing data online .
They may even contact your business partners if they identify any of their data that was stolen and threaten them as well . Look for signs of data exfiltration , such as large data transfers , on your firewall Edge devices . Search for odd communications from servers going to cloud storage applications .
7 . Locate your backups and determine integrity
A ransomware attack will attempt to wipe your online backups and volume shadow copies to decrease the chances of data recovery . Because of this , ensure your backup technology was not affected by the incident and is still operational . With many ransomware attacks , attackers have usually been in your network for days , if not weeks , before deciding to encrypt your files . This means that you may have backups that contain malicious payloads that you do not want to restore to a clean system . Scan your backups to determine their integrity .
8 . Sanitise systems or create new builds
If you feel confident in your ability to identify all of the active malware and incidents of persistence in your systems , then you may be able to save some time by not rebuilding . However , it may just be easier and safer to create new , clean systems . You may even consider building an entirely separate , clean environment that you can then migrate to . This should not take too long if you are running a virtual environment . When rebuilding or sanitising your network , ensure the www . intelligentciso . com