Summary:
Ransomware is malware programmed to encrypt files on a user's computer, phone and/or network; the files can only be recovered after a payment is made to obtain the key needed to decrypt them (http://www.zdnet.com/pictures/a-guide-to-ransomware-and-ways-to-protect-yourself/). In this particular incident, the malware slipped through the antivirus and the other protections/processes that were in place and caused a significant number of files to become unavailable as a result of the infection. After tracking down the infected users and remediating the situation, the files were recovered, but there were several lessons learned as a result.
Response:
Upon notification of scrambled files, an immediate lockdown was initiated that locked out all users who had access to the discovered files/folders. This was done to reduce the impact of the ransomware, which was making thousands of files unavailable to the victims.
Finding the infected user proved to be relatively easy as there were AV alerts of the infection, but as it turned out the ransomware was still running in memory (Lesson 1). The challenge was tying the infected user to the encrypted folder, as they were not on the list of users who had obvious access to it. As it turned out, the user had been granted access via a nested and misconfigured group that inadvertently allowed them in (Lesson 2). Once this connection was found, we remained on high alert for any similar infection alerts and their telltale signs (Lesson 3): the HELP_DECRYPT files left behind to instruct victims on how to get their files decrypted.
A couple of days later, we had another encrypted-folder incident, caused by a related but different piece of malware. In this case, there were no HELP_DECRYPT files whose permissions we could check to see who created them and thus point us toward the source of infection. Instead, we spent a bit of time looking for the source, and finally landed on the Windows Shared Folders MMC snap-in (Open Files) on the file server to see who had the most files open. Fortunately, it was very clear where the infection was coming from, and isolation and remediation followed.
Now that we have updated our malware response strategy and have put more controls and alerts in place, ransomware is little more than a nuisance - but what if the malware sent the data out to the bad guys and they held the data for ransom based on the value of it not becoming public information? I feel the worst is yet to come...(Lesson 5).
Lessons Learned:
Lesson 1 - When a really nasty piece of malware infects a PC, you can't trust the "cleaned" status reported in the AV logs. For all truly malicious malware, a full wipe and rebuild is the only real way to guarantee a clean environment.
Lesson 2 - Human error can turn a contained issue into a huge one. Permissions on privileged groups that are granted access to resources should be validated on a regular basis, if not continuously, with alerting when a change occurs.
Lesson 3 - Antivirus detection can only go so far. There are situations where it makes sense to have layers of detection in place to ensure that new or poorly detected malware doesn't slip through the cracks. Putting sensible alerts in place will go a long way when they start to go off. Consider a honeypot-style share, or a system-wide trigger for known file names that indicate an infection has occurred.
Lesson 4 - There are several ways to track ransomware down when the infected system is elusive. Looking for HELP_DECRYPT-style files, monitoring excessive share access, noting ALL antivirus alerts, reviewing firewall/DNS logs, and more will help. While security systems are useful, they can only do so much; sometimes traditional system administrator tools will serve you better.
Lesson 5 - Ransomware is in its third revision, but you can expect it to evolve to become even worse. What if the ransomware infected a machine, uploaded a lawyer's data or healthcare-related files, and the bad guys then turned the ransomware into blackmailware? This has happened in the past on a small scale, but the bad guys are turning it into big business, and you can expect that where there is money to be earned, there will be someone trying to 'earn' it.
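The three tracking steps described in the Response section and in Lessons 3 and 4 (reading the owner of a HELP_DECRYPT note to find who dropped it, checking who has the most files open on the file server when no note exists, and watching a honeypot share) can be scripted so they are ready before the next alert. The PowerShell below is an added example written for this page, not the author's tooling; it assumes a Windows Server file server with the SmbShare module (Windows Server 2012 or later), run as a local administrator, and $SharePath, $CanaryPath and any note patterns beyond HELP_DECRYPT* are placeholders to replace with your own values.

```powershell
# Added example, not part of the original write-up. Assumes a Windows file
# server (Windows Server 2012 or later) with the SmbShare module, run as a
# local administrator. $SharePath and $CanaryPath are placeholders.

$SharePath    = 'D:\Shares\Dept'                      # placeholder: share to sweep
$CanaryPath   = 'D:\Shares\Dept\_canary_do_not_open'  # placeholder: honeypot folder
$NotePatterns = @('HELP_DECRYPT*')                    # note name from this incident; add others you observe

# 1. Sweep the share for ransom notes and read each file's owner. The account
#    that created the note is the infected user (first incident above).
function Find-RansomNotes {
    param([string]$Path, [string[]]$Patterns)
    Get-ChildItem -Path $Path -Recurse -Force -File -Include $Patterns -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
                Folder  = $_.DirectoryName
                Note    = $_.Name
                Created = $_.CreationTime
            }
        } | Sort-Object Created
}

# 2. When no note is left behind, use the server's own view of open files
#    (the Shared Folders / Open Files approach from the second incident): one
#    workstation holding far more handles than anyone else is the usual suspect.
function Get-TopOpenFileUsers {
    param([int]$Top = 5)
    Get-SmbOpenFile |
        Group-Object ClientUserName, ClientComputerName |
        Sort-Object Count -Descending |
        Select-Object -Property @{n = 'User';   e = { $_.Group[0].ClientUserName }},
                                @{n = 'Client'; e = { $_.Group[0].ClientComputerName }},
                                Count -First $Top
}

# 3. Watch a honeypot folder that no legitimate user touches. Any write there is
#    an alert. FileSystemWatcher does not report the user, so Get-SmbOpenFile is
#    queried at that moment to name the SMB session holding the file.
function Start-CanaryWatch {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
        # Constructed bait files so the folder looks worth encrypting.
        1..5 | ForEach-Object { 'canary' | Set-Content -LiteralPath (Join-Path $Path "report_$_.docx") }
    }
    $watcher = New-Object System.IO.FileSystemWatcher $Path
    $watcher.IncludeSubdirectories = $true
    $watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite'
    $action = {
        $touched = $Event.SourceEventArgs.FullPath
        $who = Get-SmbOpenFile -ErrorAction SilentlyContinue |
               Where-Object { $_.Path -like "$($Event.MessageData)*" } |
               Select-Object -ExpandProperty ClientUserName -Unique
        # This is the alert point: replace Write-Warning with your SIEM or e-mail hook.
        Write-Warning ("CANARY {0}: {1} touched by {2}" -f $Event.SourceEventArgs.ChangeType, $touched, ($who -join ', '))
    }
    foreach ($evt in 'Created', 'Changed', 'Renamed') {
        Register-ObjectEvent -InputObject $watcher -EventName $evt -SourceIdentifier "Canary$evt" `
                             -Action $action -MessageData $Path | Out-Null
    }
    $watcher.EnableRaisingEvents = $true
    return $watcher
}

# Usage (dot-source this file in a session that stays open on the file server):
Find-RansomNotes -Path $SharePath -Patterns $NotePatterns |
    Group-Object Owner | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize            # Name is the owning account
Get-TopOpenFileUsers | Format-Table -AutoSize
$canary = Start-CanaryWatch -Path $CanaryPath     # stop with: Unregister-Event Canary*
```

The note sweep and the open-file count are point-in-time checks to run the moment an encrypted folder is reported; the canary watcher is the standing control from Lesson 3, and because the event subscriptions live in the PowerShell session, run it from a session (or scheduled task) that stays up rather than a script that exits.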