
DADAA & DUNLAP RANSOMWARE PLAYBOOK
July 6, 2021
As the IT team of DADAA & Dunlap, we have just received a rather panicked call from a respected PI carrying out a CFI-funded project, reporting that her computer has been infected by ransomware. The ransomware appears to have encrypted all of her data, including the backups on her external hard drive. According to the ransom message she received, if she contacts the specified email address, two files will be decrypted for her; for the rest of the data, she must pay the $XXXX ransom within a week or the encryption key will be deleted and the data lost forever.
With this report on hand, the following playbook should be followed.
Identification:
- Immediate action: isolate the system to limit damage to other systems. Physically disconnect the affected machine from the network, both wired and wireless, and disable the network shares the infected computer has access to.
- Preliminary data assessment: talk to the PI to scope the data classification and identify the nature of the data. Be sensitive to confidentiality and legal obligations.
- Quickly document the situation. From here on, all activities should be logged in the incident report.
Containment:
- Notify the unit's leadership: an incident response team may be formed under the direction of the Chair or Director. ITS security response personnel may be involved.
- Verify the scope and confirm containment. Probe the infection vector (email, browsing, USB key, etc.) to help with containment.
  o Email: make sure the suspicious email containing the malware is not lost and is archived if possible. Immediately report to the ITS phishing response team, security.response@utoronto.ca, and warn of the possibility of widespread damage.
  o Browsing: check the browser cache and history for evidence.
  o USB key: any USB key used on the affected machine should not be reused until it has been fully formatted.
- Detailed assessment of information: record the scale, data type, data structure, IP address, computer name, OS, etc. In this case, a large volume of important research data is likely affected.
  o Report the ransomware incident to ISEA: security.response@utoronto.ca
  o Report findings to the Departmental Chair or Director.
  o Follow contractual reporting requirements to determine whether CFI or other stakeholders should be notified.
- Evidence collection
  o Contact the ISEA security team to obtain a copy of the perimeter logs specific to this computer.
  o Check server logs for any evidence.
  o Gather as much other evidence as possible: other system logs, Wi-Fi logs, associated network traffic logs, etc.
  o Attempt to get a copy of the malicious file(s); knowing the flavour of crypto-locker is key to recovery.
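The detailed-assessment and evidence-collection steps above can be partly scripted. The following is an added example, not part of the playbook: it walks a read-only copy of the affected file tree (never the live machine), counts files carrying an appended "encrypted" extension, locates ransom notes, and records SHA-256 hashes of the notes so preserved copies can be cited in the incident report and used to identify the ransomware flavour. The note-name patterns, the list of known data extensions and the sample tree are all assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed ransom-note name patterns and "normal" research-data extensions; both are
# illustrative and must be tuned to the flavour actually found on the machine.
NOTE_NAME_RE = re.compile(r"(readme|recover|restore|decrypt|how.?to).*\.(txt|html|hta)$", re.I)
KNOWN_EXT = {".docx", ".xlsx", ".csv", ".pdf", ".txt", ".py", ".jpg", ".png", ".dat", ".mat"}


def sha256_of(path: Path) -> str:
    """Integrity hash recorded in the evidence manifest for each preserved file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def assess_tree(root) -> dict:
    """Walk a read-only copy of the affected tree and summarise what was hit.

    Returns counts of suspect appended extensions (e.g. 'report.docx.locked'),
    the ransom notes found, and a SHA-256 manifest of those notes.
    """
    root = Path(root)
    counts, notes, manifest = Counter(), [], {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if NOTE_NAME_RE.search(p.name):
            notes.append(rel)
            manifest[rel] = sha256_of(p)
            continue
        suf = [s.lower() for s in p.suffixes]
        # A known data extension followed by an unknown one is the usual encryption marker.
        if len(suf) >= 2 and suf[-2] in KNOWN_EXT and suf[-1] not in KNOWN_EXT:
            counts[suf[-1]] += 1
    return {"suspect_extensions": dict(counts), "ransom_notes": notes, "manifest": manifest}


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and assess it (illustration only)."""
    base = Path(tempfile.mkdtemp())
    (base / "project").mkdir()
    for name in ("thesis.docx.locked", "run1.csv.locked", "notes.txt", "img.png.locked"):
        (base / "project" / name).write_bytes(b"constructed sample content for " + name.encode())
    (base / "project" / "README_TO_RECOVER.txt").write_text("constructed ransom note text\n")
    return assess_tree(base)
```

Run the assessment against a mounted image or file-level copy of the drive, and keep the returned manifest with the incident documentation.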
Eradication:
- Verify with the PI whether other backup copies exist.
- If there is no good backup copy, investigate and search online to see whether readily available decryption solutions exist for this flavour of ransomware.
Recovery:
- Depending on the method of infection, similar systems need to be checked and verified clean and secure (patching, security hardening, phishing awareness, etc.).
- Restore the system: cleanly rebuild the system and restore data from known-good backups. Fully patch the new system.
- Keep the infected copy of the hard drive for further study and as forensic evidence.
Follow up:
- Complete the documentation for the incident, including a chronology of events.
  o Depending on the particulars, institute a future control plan and implement lessons learned.
  o Ask questions: what was the flaw in the backup setup? Why was the system configured or used as it was? What is the root cause of the compromise?
  o Record who is responsible for each of the remediation steps.
- Initiate remediation plans and assign deliverables.
- Securely store all incident documentation, logs, and other evidence.