Ransomware Response

This playbook handles ransomware alerts based on the Cortex XDR Traps module signature 'Suspicious File Modification' **Attacker’s Goals:** An attacker is attempting to encrypt the victim files for either extortion or destruction purposes. **Investigative Actions:** Investigate the executed process image and verify if it is malicious using: XDR trusted signers VT trusted signers VT detection rate NSRL DB **Response Actions:** The playbook’s first response action is a remediation plan which includes two sub-playbooks, **Containment Plan** and **Eradication Plan**, which is based on the initial data provided within the alert. In that phase, the playbooks will execute: Auto endpoint isolation Auto block indicators Auto file quarantine Auto user disable Auto process termination Next, the playbook executes an enrichment and response phase which includes two sub-playbooks, **Ransomware Enrich and Contain** & **Account Enrichment - Generic v2.1**. The Ransomware Enrich and Contain playbook does the following: 1.Checks if the initiator is a remote attacker and allows isolating the remote host, if possible. 2.Retrieves the WildFire sandbox report and extracts the indicators within it. * The playbook tries to retrieve the report, but if there is no report available, the playbook tries to fetch the ransomware file for detonation. 3.Hunts for the ransomware alert indicators from the alert table, searches for endpoints that have been seen with them, and allows containing the identified endpoints. Next, an advanced analysis playbook, which is currently done mostly manually, will be executed. This sub-playbook, **Ransomware Advanced Analysis** allows the analyst to upload the ransomware note and for the ransomware identification. Using the **ID-Ransomware** service, the analyst will be able to get the ransomware type and the decryptor if available. When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes the Containment Plan sub-playbook, is executed. **This phase will execute the following containment actions:** Manual block indicators Manual file quarantine Auto endpoint isolation Finally, the recovery phase is executed. If the analysts decides to continue with the investigation rather than recover and close the alert, a manual task with **CISA** official ransomware investigation checklist is provided for further investigation. **External resources:** [MITRE Technique T1486](https://attack.mitre.org/techniques/T1486/) [CISA Ransomware Guide](https://www.cisa.gov/stopransomware/ransomware-guide)

Core · 30 tasks · 29 inputs · 0 outputs

Inputs

  • earlyRemediation — Whether to execute the early remediation phase.
  • AutoContainment — Whether to execute the containment actions automatically.
  • AutoEradication — Whether to execute the eradication actions automatically.
  • isolateRemoteAttacker — Whether to isolate the remote endpoint if the attack has been triggered remotely.
  • isolateSimilarEndpoints — Whether to isolate the endpoints identified with similar IoCs to the ransomware alert.
  • RunAdvancedAnalysis — Whether to execute the Ransomware Advanced Analysis playbook. Note that advanced analysis contains manual tasks which will stop the playbook's flow until the analysts's response.
  • ShouldCloseAutomatically — Whether to close the alert automatically.
  • FileSHA256 — The file SHA256 to investigate.
  • FilePath — The file path to investigate.
  • IP — The IP address to investigate.
  • ShouldOpenTicket — Whether to open a ticket automatically in a ticketing system. (True/False).
  • serviceNowShortDescription — A short description of the ticket.
  • serviceNowImpact — The impact for the new ticket. Leave empty for ServiceNow default impact.
  • serviceNowUrgency — The urgency of the new ticket. Leave empty for ServiceNow default urgency.
  • serviceNowSeverity — The severity of the new ticket. Leave empty for ServiceNow default severity.
  • serviceNowTicketType — The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".
  • serviceNowCategory — The category of the ServiceNow ticket.
  • serviceNowAssignmentGroup — The group to which to assign the new ticket.
  • ZendeskPriority — The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".
  • ZendeskRequester — The user who requested this ticket.
  • ZendeskStatus — The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".
  • ZendeskSubject — The value of the subject field for this ticket.
  • ZendeskTags — The array of tags applied to this ticket.
  • ZendeskType — The type of this ticket. Allowed values are "problem", "incident", "question", or "task".
  • ZendeskAssigne — The agent currently assigned to the ticket.
  • ZendeskCollaborators — The users currently CC'ed on the ticket.
  • description — The ticket description.
  • addCommentPerEndpoint — Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.
  • CommentToAdd — Comment for the ticket.

Commands used

closeInvestigation setParentIncidentFields

Flowchart

yes yes true yes yes yes False Positive True Positive yes Start Start Pre-Analysis Containment Pre-Analysis Containment Should execute early remediation? Should execute early reme... Identify and Respond Identify and Respond Advanced Analysis Advanced Analysis Investigation Investigation Remediation Remediation Done Done Containment Plan - Containment Plan Containment Plan Containment Plan Containment Plan - Containment Plan Containment Plan Containment Plan Ransomware Enrich and Contain - Ransomware Enrich and Contain Ransomware Enrich and Con... Ransomware Enrich and Contain Should run advanced analysis? Should run advanced analy... Handle False Positive Alerts - Handle False Positive Alerts Handle False Positive Alerts Handle False Positive Alerts Close alert - closeInvestigation Close alert closeInvestigation Should restore affected endpoint? Should restore affected e... Should close alert automatically? Should close alert automa... Ransomware investigation steps Ransomware investigation ... Recovery Plan - Recovery Plan Recovery Plan Recovery Plan Recovery Recovery Handle False Positive Handle False Positive Found relevant information? Found relevant information? Enrichment for Verdict - Enrichment for Verdict Enrichment for Verdict Enrichment for Verdict Got possible verdict? Got possible verdict? Endpoint Investigation Plan - Endpoint Investigation Plan Endpoint Investigation Plan Endpoint Investigation Plan Eradication Plan - Eradication Plan Eradication Plan Eradication Plan Account Enrichment - Generic v2.1 - Account Enrichment - Generic v2.1 Account Enrichment - Gene... Account Enrichment - Generic ... Ransomware Advanced Analysis - Ransomware Advanced Analysis Ransomware Advanced Analysis Ransomware Advanced Analysis Set Incident Severity to High - setParentIncidentFields Set Incident Severity to ... setParentIncidentFields Should open a ticket automatically in a ticketing system? Should open a ticket auto... Ticket Management - Generic - Ticket Management - Generic Ticket Management - Generic Ticket Management - Generic