1 Preparation

■ A good knowledge of the usual operating systems security policies is needed.
■ A good knowledge of the usual users' profile policies is needed.
■ Ensure that the endpoint and perimetric (email gateway, proxy caches) security products are up to date
■ Since this threat is often detected by end-users, raise your IT support awareness regarding the ransomware threat
■ Make sure to have exhaustive, recent and reliable backups of local and network users' data

2 Identification

General signs of ransomware presence

Several leads might hint that the system could be compromised by ransomware:

■ Odd professional emails (often masquerading as invoices) containing attachments are being received
■ A ransom message explaining that the documents have been encrypted and asking for money is displayed on the user's desktop

Host based identification

■ Look for unusual executable binaries in users' profiles (%ALLUSERSPROFILE% or %APPDATA%) and %SystemDrive%
■ Look for the aforementioned extensions or ransom notes
■ Capture a memory image of the computer (if possible)
■ Look for unusual processes
■ Look for unusual email attachment patterns
■ Look for unusual network or web browsing activities; especially connections to Tor or I2P IP, Tor gateways (tor2web, etc.) or Bitcoin payment websites

E-Mail: cert.sg@socgen.com
Web: https://cert.societegenerale.com
Twitter: @CertSG
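One way to script two of the host-based identification checks (executables sitting in users' profiles, and files named like ransom notes), as an added example that is not part of the IRM sheet. The extension set, the ransom-note name patterns and the directory depth limit are assumptions; the script only lists candidates for an analyst to review.

```python
import os
import re
import sys
from typing import Iterable, List, Optional, Tuple

# File extensions treated as executable content when found in a profile directory (assumed list).
EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}
# Assumed ransom-note naming patterns (illustrative; not taken from the IRM sheet).
NOTE_RE = re.compile(r"readme|how.?to.?decrypt|decrypt.?instruct|recover|restore", re.I)
NOTE_EXT = {".txt", ".html", ".htm"}


def classify(path: str) -> Optional[str]:
    """Return "exe_in_profile", "ransom_note", or None for one file path."""
    name = re.split(r"[\\/]", path)[-1]             # basename for both path styles
    ext = os.path.splitext(name)[1].lower()
    if ext in EXEC_EXT:
        return "exe_in_profile"
    if ext in NOTE_EXT and NOTE_RE.search(name):
        return "ransom_note"
    return None


def triage(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (kind, path) for every path that classify() flags, in input order."""
    return [(kind, p) for p in paths if (kind := classify(p))]


def walk(root: str, max_depth: int) -> Iterable[str]:
    """Yield file paths under root, descending at most max_depth directory levels."""
    base = root.rstrip(os.sep).count(os.sep)
    for dirpath, dirnames, files in os.walk(root):
        if dirpath.count(os.sep) - base >= max_depth:
            dirnames[:] = []                         # do not descend further
        for f in files:
            yield os.path.join(dirpath, f)


if __name__ == "__main__":
    targets = [(r, 64) for r in sys.argv[1:]]        # explicit roots given on the CLI
    if not targets:                                  # otherwise the sheet's locations:
        # profile roots recursively, the system drive root without descending
        targets = [(os.environ[v], 64) for v in ("ALLUSERSPROFILE", "APPDATA") if v in os.environ]
        if "SystemDrive" in os.environ:
            targets.append((os.environ["SystemDrive"] + os.sep, 0))
    for root, depth in targets:
        for kind, path in triage(walk(root, depth)):
            print(f"{kind:15} {path}")
```

Run it with no arguments on the affected Windows host to scan the locations the sheet names, or pass explicit directories (for example a mounted image) as arguments.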
4 Remediation

■ Remove the binaries and the related registry entries (if any) from compromised profiles (%ALLUSERSPROFILE% or %APPDATA%) and %SystemDrive%
■ If the above step is not possible, reimage the computer with a clean install

6 Aftermath

Report

An incident report should be written and made available to all of the stakeholders.

The following themes should be described:

■ Initial detection.
■ Actions and timelines.
■ What went right.
■ What went wrong.

Abstract

This Incident Response Methodology is a cheat sheet dedicated to handlers investigating on a precise security issue.

Who should use IRM sheets?

Administrators
Security Operation Center
CISOs and deputies
CERTs (Computer Emergency Response Team)

Remember: If you face an incident, follow IRM, take notes. Keep calm and contact your business line's Incident Response team or CERT immediately if needed.

Incident handling steps

6 steps are defined to handle security Incidents