Appendix IV:
CISA MS-ISAC #StopRansomware Guide — Part 2: Ransomware Response Checklist
CISA, the Cybersecurity and Infrastructure Security Agency, is a US federal agency operating under the Department of Homeland Security (DHS). The Multi-State Information Sharing & Analysis Center (MS-ISAC) is a voluntary, collaborative effort designated by DHS to provide cyber threat services for state, local, tribal, and territorial (SLTT) governments. CIS (see appendix III) is home to MS-ISAC.
The #StopRansomware Guide is an update of the CISA MS-ISAC Ransomware Guide released in September 2020. This Guide includes two primary resources:
Part 1: Ransomware and Data Extortion Best Practices
Part 2: Ransomware and Data Extortion Response Checklist41
This updated guidance includes additional recommendations for preventing common initial infection vectors, recommendations to address cloud backups and zero trust architecture, and added threat-hunting tips for detection and analysis.42
Following is an excerpt of the steps in the #StopRansomware Guide that address detection and analysis of impacted systems in the event of a ransomware attack.43
The authoring organizations do not recommend paying ransom. Paying ransom will not ensure your data is decrypted, that your systems or data will no longer be compromised, or that your data will not be leaked. Additionally, paying ransoms may pose sanctions risks.
Detection and analysis
Refer to the best practices and references below to help manage the risk posed by ransomware and support your organization’s coordinated and efficient response to a ransomware incident. Apply these practices to the greatest extent possible based on availability of organizational resources.
Determine which systems were affected and immediately isolate them.
If several systems or subnets appear impacted, take the network offline at the switch level. It may not be feasible to disconnect individual systems during an incident.
Prioritize isolating critical systems that are essential to daily operations.
If taking the network temporarily offline is not immediately possible, locate the network cable (e.g., ethernet) and unplug affected devices from the network or remove them from Wi-Fi to contain the infection.
For cloud resources, take a snapshot of volumes to get a point-in-time copy for reviewing later for forensic investigation.
After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected. Isolate systems in a coordinated manner and use out-of-band communication methods such as phone calls to avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken. Not doing so could cause actors to move laterally to preserve their access or deploy ransomware widely prior to networks being taken offline.
Power down devices if you are unable to disconnect them from the network to avoid further spread of the ransomware infection.
Note: This step will prevent your organization from maintaining ransomware infection artifacts and potential evidence stored in volatile memory. It should be carried out only if it is not possible to temporarily shut down the network or disconnect affected hosts from the network using other means.
Triage affected systems for restoration and recovery.
Identify and prioritize critical systems for restoration on a clean network and confirm the nature of data housed on impacted systems.
Prioritize restoration and recovery based on a predefined critical asset list that includes information systems critical for health and safety, revenue generation, or other critical services, as well as systems they depend on.
Keep track of systems and devices that are not perceived to be affected so they can be deprioritized for restoration and recovery. This enables your organization to get back to business in a more efficient manner.
Examine existing organizational detection or prevention systems (e.g., antivirus, EDR, IDS, Intrusion Prevention System) and logs. Doing so can highlight evidence of additional systems or malware involved in earlier stages of the attack.
Look for evidence of precursor “dropper” malware, such as Bumblebee, Dridex, Emotet, QakBot, or Anchor. A ransomware event may be evidence of a previous, unresolved network compromise.
Operators of these advanced malware variants will often sell access to a network. Malicious actors will sometimes use this access to exfiltrate data and then threaten to release the data publicly before ransoming the network to further extort the victim and pressure them into paying.
Malicious actors often drop ransomware variants to obscure post-compromise activity. Care must be taken to identify such dropper malware before rebuilding from backups to prevent continuing compromises.
Confer with your team to develop and document an initial understanding of what has occurred based on initial analysis.
Initiate threat hunting activities.
For enterprise environments, check for:
Newly created AD accounts or accounts with escalated privileges and recent activity related to privileged accounts such as Domain Admins
Anomalous VPN device logins or other suspicious logins
Endpoint modifications that may impair backups, shadow copy, disk journaling, or boot configurations — Look for anomalous usage of built-in Windows tools such as bcdedit.exe, fsutil.exe (deletejournal), vssadmin.exe, wbadmin.exe, and wmic.exe (shadowcopy or shadowstorage). Misuse of these tools is a common ransomware technique to inhibit system recovery.
Signs of the presence of Cobalt Strike beacon/client — Cobalt Strike is a commercial penetration testing software suite. Malicious actors often name Cobalt Strike Windows processes with the same names as legitimate Windows processes to obfuscate their presence and complicate investigations.
Signs of any unexpected usage of remote monitoring and management (RMM) software (including portable executables that are not installed) — RMM software is commonly used by malicious actors to maintain persistence.
Any unexpected PowerShell execution or use of PsTools suite
Signs of enumeration of AD and/or LSASS credentials being dumped (e.g., Mimikatz or NTDSutil.exe)
Signs of unexpected endpoint-to-endpoint (including servers) communications
Potential signs of data being exfiltrated from the network — Common tools for data exfiltration include Rclone, Rsync, various web-based file storage services (also used by threat actors to implant malware/tools on the affected network), and FTP/SFTP.
Newly created services, unexpected scheduled tasks, unexpected software installed, etc.
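The following is an added example, not part of the #StopRansomware Guide or any CISA tooling, of what the threat-hunting items above look like as detection logic. It runs a small set of hunt rules over constructed process-creation records (the field names loosely follow Sysmon Event ID 1; the hosts, users and command lines are made up for the example) and covers four of the checklist items: misuse of the built-in recovery-inhibition tools (bcdedit, fsutil deletejournal, vssadmin, wbadmin, wmic shadowcopy), an NTDS credential dump via ntdsutil, rclone-based exfiltration, and a system process name running outside the Windows system directories, which is one way Cobalt Strike masquerading shows up. The rule list and the masquerade name set are this example's own choices, not a published signature set.

```python
import re

# Constructed sample records (not real logs) shaped like Sysmon Event ID 1 /
# Windows Security 4688 process-creation events, reduced to the fields the
# hunt needs.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    {"host": "srv-db01", "user": r"CORP\svc_backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-db01", "user": r"CORP\svc_backup", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "srv-db01", "user": r"CORP\svc_backup", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "dc01", "user": r"CORP\Administrator", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil "ac i ntds" "ifm" "create full C:\temp\x" q q'},
    {"host": "ws07", "user": r"CORP\hr-user", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy \\fs01\finance mega:dump --transfers 32"},
    {"host": "ws07", "user": r"CORP\hr-user", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws03", "user": r"CORP\it-admin", "image": r"C:\Windows\System32\fsutil.exe",
     "cmdline": "fsutil usn deletejournal /D C:"},
    {"host": "ws03", "user": r"CORP\it-admin", "image": r"C:\Windows\System32\fsutil.exe",
     "cmdline": "fsutil fsinfo drives"},   # benign fsutil use; must not fire
    {"host": "ws09", "user": r"CORP\rcpt", "image": r"C:\Users\Public\svchost.exe",
     "cmdline": r"C:\Users\Public\svchost.exe -k netsvcs"},
]

# Hunt rules for the tools the checklist names. Each rule is
# (name, regex matched against the lower-cased image basename, regex searched
# in the command line, tactic). The command-line pattern is what keeps routine
# use of the same binary (fsutil fsinfo, wmic os get ...) from firing.
RULES = [
    ("vssadmin shadow deletion/resize", r"vssadmin(\.exe)?",
     r"delete\s+shadows|resize\s+shadowstorage", "Inhibit System Recovery"),
    ("wmic shadowcopy/shadowstorage", r"wmic(\.exe)?",
     r"shadow(copy|storage)\b", "Inhibit System Recovery"),
    ("wbadmin backup catalog deletion", r"wbadmin(\.exe)?",
     r"delete\s+(catalog|systemstatebackup|backup)", "Inhibit System Recovery"),
    ("bcdedit recovery tampering", r"bcdedit(\.exe)?",
     r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", "Inhibit System Recovery"),
    ("fsutil USN journal deletion", r"fsutil(\.exe)?",
     r"usn\s+deletejournal", "Inhibit System Recovery"),
    ("ntdsutil AD database export", r"ntdsutil(\.exe)?",
     r"\bifm\b|create\s+full", "Credential Access"),
    ("rclone transfer", r"rclone(\.exe)?",
     r"\b(copy|copyto|sync|move)\b", "Exfiltration"),
]

# Names commonly borrowed by beacons to blend in (example set). A copy of one
# of these running outside the Windows system directories is worth a look.
MASQUERADE_NAMES = {"svchost.exe", "rundll32.exe", "dllhost.exe", "werfault.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_system_dir(path):
    p = path.lower()
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def hunt(events):
    """Return one finding per (event, rule) match; events may match several rules."""
    findings = []
    for ev in events:
        name = _basename(ev["image"])
        for rule, image_re, cmd_re, tactic in RULES:
            if re.fullmatch(image_re, name) and re.search(cmd_re, ev["cmdline"], re.IGNORECASE):
                findings.append({"host": ev["host"], "user": ev["user"], "rule": rule,
                                 "tactic": tactic, "cmdline": ev["cmdline"]})
        if name in MASQUERADE_NAMES and not _in_system_dir(ev["image"]):
            findings.append({"host": ev["host"], "user": ev["user"],
                             "rule": "system process name outside system directory",
                             "tactic": "Masquerading", "cmdline": ev["cmdline"]})
    return findings


def hosts_to_isolate(findings):
    """Distinct hosts with at least one finding: the candidate isolation list."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']:9} {f['user']:20} {f['tactic']:24} {f['rule']}: {f['cmdline']}")
    print("candidate isolation list:", ", ".join(hosts_to_isolate(results)))
```

Each finding is a triage candidate, not a verdict: backup products and domain controller maintenance legitimately call vssadmin, wbadmin and ntdsutil, so the hit list is what you hand to the team building the "initial understanding of what has occurred" rather than an automatic block. In a real environment the records come from EDR or SIEM search over the Sysmon Image and CommandLine fields (or Security 4688 with command-line auditing enabled), and the hunt should be widened with the account, VPN and scheduled-task checks the list above also calls for.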
For cloud environments:
Enable tools to detect and prevent modifications to IAM, network security, and data protection resources.
Use automation to detect common issues (e.g., disabling features, introduction of new firewall rules) and take automated actions as soon as they occur. For example, if a new firewall rule is created that allows open traffic (0.0.0.0/0), an automated action can be taken to disable or delete this rule and send notifications to the user that created it as well as the security team for awareness. This will help avoid alert fatigue and allow security personnel to focus on critical issues.
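As an added example of the automated action described above, and not code from the guide or from any CISA tool, the block below evaluates a constructed CloudTrail record for an ec2:AuthorizeSecurityGroupIngress call (field names follow the real event shape; the account ID, security group ID and user are made up) and produces the two outputs the paragraph asks for: the parameters of the revoke call that removes exactly the world-open ranges, and a notification addressed to the creator and the security team. The optional allowlist of public ports is this example's own addition for web tiers that are meant to be reachable on 80/443; the guide itself does not mention one.

```python
import ipaddress

# Constructed CloudTrail record (not a real event). It opens RDP to all of
# IPv4 and SSH to all of IPv6; the 443 rule is limited to one /24 and must
# survive remediation.
SAMPLE_EVENT = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "awsRegion": "us-east-1",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    "requestParameters": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
             "ipv6Ranges": {"items": []}},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]},
             "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]},
             "ipv6Ranges": {"items": []}},
        ]},
    },
}


def is_open_to_world(cidr):
    """True for 0.0.0.0/0, ::/0 or any other prefix that covers the whole space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_open_rules(event, allowed_public_ports=frozenset()):
    """Return only the world-open ranges of the change, already in the shape
    EC2 RevokeSecurityGroupIngress takes as IpPermissions, so the revoke
    removes the offending ranges and leaves the rest of the rule intact."""
    open_rules = []
    for perm in event["requestParameters"]["ipPermissions"]["items"]:
        from_port, to_port = perm.get("fromPort"), perm.get("toPort")
        # Single-port rules on the allowlist are tolerated (example policy).
        if from_port is not None and from_port == to_port and from_port in allowed_public_ports:
            continue
        v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])
              if is_open_to_world(r["cidrIp"])]
        v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])
              if is_open_to_world(r["cidrIpv6"])]
        if not v4 and not v6:
            continue
        rule = {"IpProtocol": perm["ipProtocol"],
                "IpRanges": [{"CidrIp": c} for c in v4],
                "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}
        if from_port is not None:   # protocol "-1" (all traffic) carries no ports
            rule["FromPort"], rule["ToPort"] = from_port, to_port
        open_rules.append(rule)
    return open_rules


def build_remediation(event, allowed_public_ports=frozenset()):
    """Return {'revoke': <RevokeSecurityGroupIngress kwargs>, 'notify': {...}}
    or None when the change introduced no world-open rule."""
    open_rules = find_open_rules(event, allowed_public_ports)
    if not open_rules:
        return None
    group_id = event["requestParameters"]["groupId"]
    creator = event["userIdentity"]["arn"]
    described = "; ".join(
        f"{r['IpProtocol']} {r.get('FromPort', 'all')}-{r.get('ToPort', 'all')} from "
        + ", ".join([x["CidrIp"] for x in r["IpRanges"]] + [x["CidrIpv6"] for x in r["Ipv6Ranges"]])
        for r in open_rules)
    return {
        "revoke": {"GroupId": group_id, "IpPermissions": open_rules},
        "notify": {
            "recipients": [creator, "security-team"],   # "security-team" is a placeholder address
            "message": (f"Reverted world-open ingress on {group_id} in "
                        f"{event.get('awsRegion', '?')} created by {creator}: {described}"),
        },
    }


if __name__ == "__main__":
    plan = build_remediation(SAMPLE_EVENT)
    print(plan["notify"]["message"])
    print(plan["revoke"])
```

In a deployment this function is the body of a rule-triggered function (EventBridge matching the AuthorizeSecurityGroupIngress event on the CloudTrail source, for example) and the revoke dictionary is passed straight to boto3's ec2 revoke_security_group_ingress(**plan["revoke"]); the example stops short of the API call so it runs offline. Notice that revocation is scoped to the open ranges only: the 10.0.0.0/8 part of the SSH rule is left alone, which is what keeps the automated action from creating its own outage and what makes the notification to the creator a conversation rather than an alert storm.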
The remaining sections in the checklist address issues related to reporting and notification, containment and eradication, and recovery and post-incident response activity. The reporting and notification section refers users to contact information at the end of the guide. It also suggests you consider requesting assistance from CISA, the FBI, or the nearest US Secret Service field office.