
Talos IR ransomware engagements and the significance of timeliness in incident response

Cisco Talos routinely responds to ransomware engagements where the impact could have been mitigated or wholly prevented if the victim organization had initiated remediation efforts earlier in the attack lifecycle. The significance of early intervention in ransomware attacks is particularly well illustrated by two recent Talos Incident Response (Talos IR) ransomware engagements. In one incident, the victim engaged Talos IR immediately after discovering alerts for malicious activity. Talos IR worked swiftly to contain the additional malicious activity and prevented any encryption from executing in the environment. Conversely, in the second incident, the victim ignored alerts of malicious activity and did not contact Talos IR until after the ransomware binary had begun to execute. Talos IR was then not given network access for analysis for over a day, during which time the actors achieved nearly 100% host encryption. While many factors can affect the success and severity of a ransomware attack, such as an actor's sophistication and advanced tooling, the close similarities between these two engagements led us to conclude that these variables did not significantly influence their disparate outcomes.

Introduction

As ransomware threat actors continuously decrease their dwell time, here defined as the duration between initial access and encryption, it is increasingly imperative to be mindful of timeliness in incident response engagements (Infosecurity…
