This document is provided for informational purposes only. It represents the current product offerings and practices from Amazon Web Services (AWS) as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.
© 2024 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. This work is licensed under a Creative Commons Attribution 4.0 International License.
This AWS Content is provided subject to the terms of the AWS Customer Agreement available at http://aws.amazon.com/agreement or other written agreement between the Customer and either Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both.
Author: Author Name
Approver: Approver Name
Last Date Approved:
This playbook outlines the process for responding to ransom attacks against EC2 instances.
For additional information, please review the AWS Security Incident Response Guide.
Throughout the execution of the playbook, focus on the desired outcomes and take notes that can be used to enhance incident response capabilities:
- Vulnerabilities exploited
- Exploits and tools observed
- Actor's intent
- Actor's attribution
- Damage inflicted to the environment and business
- Return to original and hardened configuration
AWS Cloud Adoption Framework Security Perspective
- Directive
- Detective
- Responsive
- Preventative
- [PREPARATION] Use AWS Config to view configuration compliance
- [PREPARATION] Identify, document, and test escalation Procedures
- [CONTAINMENT] Isolate Affected Resources Immediately
- [DETECTION AND ANALYSIS] Use procedures found in the Microsoft 365 Defender Threat Intelligence Team report
- [DETECTION AND ANALYSIS] Use CloudWatch metrics to determine whether data may have been exfiltrated
- [DETECTION AND ANALYSIS] Use VPC Flow Logs to identify inappropriate database access from external IP addresses
- [CONTAINMENT AND ERADICATION] Remove any compromised systems from the network.
- [CONTAINMENT AND ERADICATION] Enforce NACLs based on network IoCs to prevent further traffic
- [CONTAINMENT AND ERADICATION] Other Items of Interest
- [RECOVERY] Execute recovery procedures as appropriate
The response steps follow the Incident Response Life Cycle from NIST Special Publication 800-61r2 Computer Security Incident Handling Guide
- Tactics, techniques, and procedures: Ransom & Data Destruction
- Category: Ransom Attack
- Resource: EC2
- Indicators: Cyber Threat Intelligence, Third Party Notice, CloudWatch Metrics
- Log Sources: CloudTrail, CloudWatch, AWS Config
- Teams: Security Operations Center (SOC), Forensic Investigators, Cloud Engineering
- Preparation
- Detection & Analysis
- Containment & Eradication
- Recovery
- Post-Incident Activity
- Assess the security posture of the account to identify and remediate security gaps
- AWS developed a new open source Self-Service Security Assessment (https://aws.amazon.com/blogs/publicsector/assess-your-security-posture-identify-remediate-security-gaps-ransomware/) tool that provides customers with a point-in-time assessment to gain valuable insights into the security posture of their AWS account
- To protect your organization, Microsoft recommends that you use the information in the Human-Operated Ransomware Mitigation Project Plan PowerPoint presentation, which includes securing privileged access
- Maintain a complete asset inventory of all resources including domain controllers, Microsoft Windows EC2 instances, Microsoft Windows Servers and Databases, and any integration with external identity providers
- Perform recurring vulnerability analysis of your hosts using utilities such as Amazon Inspector
- Turn on and update Windows Defender Antivirus; commercial, subscription-based Endpoint Detection and Response (EDR) solutions are preferred
- Perform backups of EC2 instances
- Consider using AWS Backup or AWS CloudEndure
- Back up your files with File History
- Verify your backups and ensure the infection has not spread into them
- Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite
- Apply the latest updates to your operating systems and apps
- Educate your employees so they can identify social engineering and spear-phishing attacks
- Implement controlled folder access. It can stop ransomware from encrypting files and holding the files for ransom
- Block Macros in Office Documents
- Block Known Ransomware File Types
- In Windows 10 turn on Controlled Folder Access to protect your important local folders from unauthorized programs like ransomware or other malware
- Follow Best Practices for securing your Active Directory Services
- Follow Top 10 Most Important Group Policy Settings for Preventing Security Breaches
- The Microsoft 365 Defender Threat Intelligence Team has provided a comprehensive report identifying actions to secure your Microsoft resources prior to a ransomware event
- Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activities.
- Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA)
- Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords
- Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625)
- Monitor for clearing of Event Logs, especially the Security Event log and PowerShell Operational logs. Microsoft Defender ATP raises the alert “Event log was cleared” and Windows generates an Event ID 1102 when this occurs
- Turn on tamper protection features to prevent attackers from stopping security services
- Determine where highly privileged accounts are logging on and exposing credentials. Monitor and investigate logon events (event ID 4624) for logon type attributes. Domain admin accounts and other accounts with high privilege should not be present on workstations
- Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats
- Turn on attack surface reduction rules, including rules that block credential theft, ransomware activity, and suspicious use of PsExec and WMI. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode
- Turn on AMSI for Office VBA if you have Office 365
- Utilize the Windows Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities
- Use Systems Manager and Amazon Inspector to check if EC2 instances running Microsoft Windows contain any common vulnerabilities and exposures (CVEs)
- Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/
- In the AWS Management Console menu, verify that the region selector is set to a region that supports AWS Config rules. For the list of supported regions, see AWS Config Regions and Endpoints in the Amazon Web Services General Reference
- In the navigation pane, choose Resources. On the Resource inventory page, you can filter by resource category, resource type, and compliance status. Choose Include deleted resources if appropriate. The table displays the resource identifier for the resource type and the resource compliance status for that resource. The resource identifier might be a resource ID or a resource name
- Choose a resource from the resource identifier column
- Choose the Resource Timeline button. You can filter by Configuration events, Compliance events, or CloudTrail Events
- Specifically focus on the following AWS Config rules:
- ebs-in-backup-plan
- ebs-optimized-instance
- ebs-snapshot-public-restorable-check
- ec2-ebs-encryption-by-default
- ec2-imdsv2-check
- ec2-instance-detailed-monitoring-enabled
- ec2-instance-managed-by-systems-manager
- ec2-instance-multiple-eni-check
- ec2-instance-no-public-ip
- ec2-instance-profile-attached
- ec2-managedinstance-applications-blacklisted
- ec2-managedinstance-applications-required
- ec2-managedinstance-association-compliance-status-check
- ec2-managedinstance-inventory-blacklisted
- ec2-managedinstance-patch-compliance-status-check
- ec2-managedinstance-platform-check
- ec2-security-group-attached-to-eni
- ec2-stopped-instance
- ec2-volume-inuse-check
I need a business decision on when EC2 forensics should be conducted
Who is monitoring the logs/alerts, receiving them and acting upon each?
Who gets notified when an alert is discovered?
When do public relations and legal get involved in the process?
When would you reach out to AWS Support for help?
Look for data exfiltration “spikes.” It is possible an attacker performed data destruction and left a ransom note, and in these cases there is no opportunity for data recovery by working with the malicious actor
- Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/
- In the navigation pane, choose Metrics then All Metrics
- On the All metrics tab, select the region the instance is deployed in
- On the All metrics tab, enter the search term NetworkPacketsOut and press Enter
- Select one of the results for your search to view the metrics
- To graph one or more metrics, select the check box next to each metric. To select all metrics, select the check box in the heading row of the table
- (Optional) To change the type of graph, choose Graph options. You can then choose between a line graph, stacked area chart, bar chart, pie chart, or number
- (Optional) To add an anomaly detection band that shows expected values for the metric, choose the anomaly detection icon under Actions next to the metric
The team has provided a comprehensive report (https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) identifying things to look for against multiple ransomware variants
- Use the AWS Security Analytics Bootstrap to analyze log data
- Get a summary with the number of bytes for each src_ip,src_port,dst_ip,dst_port quad across all records to or from a specific IP
SELECT sourceaddress, destinationaddress, sourceport, destinationport, sum(numbytes) as byte_count FROM vpcflow
WHERE (sourceaddress = '192.0.2.1' OR destinationaddress = '192.0.2.1')
AND date_partition >= '2020/07/01'
AND date_partition <= '2020/07/31'
AND account_partition = '111122223333'
AND region_partition in ('us-east-1','us-east-2','us-west-2')
GROUP BY sourceaddress, destinationaddress, sourceport, destinationport
ORDER BY byte_count DESC
- Other example queries are provided in the vpcflow_demo_queries.sql
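The same per-quad aggregation as the Athena query above, together with the egress "spike" check from the CloudWatch step, run offline over raw VPC Flow Log lines. This is an added example, not part of the playbook or the Security Analytics Bootstrap; the log records, the 10.0.1.5 instance address and the 192.0.2.1 external address are constructed.

```python
import statistics
from collections import defaultdict

# Constructed sample in the default (version 2) flow log field order. 10.0.1.5 is the
# instance's private address, 192.0.2.1 the external address under investigation; the
# last record is a NODATA window, which carries no counters and must be skipped.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 10.0.1.5 192.0.2.1 49152 443 6 40 2400 1593561600 1593561660 ACCEPT OK
2 111122223333 eni-0a1b2c3d 192.0.2.1 10.0.1.5 443 49152 6 38 3000 1593561600 1593561660 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.5 192.0.2.1 49153 443 6 900000 950000000 1593561660 1593561720 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.5 198.51.100.7 49154 22 6 10 800 1593561660 1593561720 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.5 192.0.2.1 49155 443 6 12 900 1593561720 1593561780 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1593561780 1593561840 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(text):
    """Parse raw flow log lines into dicts, dropping rows that carry no counters."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue                      # malformed line, or NODATA/SKIPDATA window
        rec = dict(zip(FIELDS, parts))
        rec["bytes"], rec["start"] = int(rec["bytes"]), int(rec["start"])
        records.append(rec)
    return records


def bytes_per_quad(records, ip):
    """Same aggregation as the Athena query: bytes per (src, dst, sport, dport)
    for every record to or from `ip`, highest byte count first."""
    totals = defaultdict(int)
    for r in records:
        if ip in (r["srcaddr"], r["dstaddr"]):
            totals[(r["srcaddr"], r["dstaddr"], r["srcport"], r["dstport"])] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def egress_spikes(records, internal_prefix, factor=10):
    """Flag capture windows whose accepted egress bytes exceed `factor` times the
    median window: the exfiltration 'spike' the playbook tells you to look for."""
    per_window = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT" and r["srcaddr"].startswith(internal_prefix):
            per_window[r["start"]] += r["bytes"]
    if not per_window:
        return []
    threshold = factor * statistics.median(per_window.values())
    return sorted((w, b) for w, b in per_window.items() if b > threshold)
```

Rejected flows are excluded from the egress total because those bytes never left the instance, while the quad aggregation keeps them, as the Athena query does.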
NOTE: Ensure you have a process in place to request escalation and approval to isolate resources to ensure a business impact analysis is conducted first on how the isolation will impact current operations and revenue streams.
- Determine if the instance is part of an Auto Scaling group or attached to a load balancer
- Autoscaling Group: detach the instance from the group
- Elastic Load Balancer: deregister the instance from the ELB, and delete the instance from target groups
- Create a new security group that blocks all ingress and egress traffic; ensure you remove the default allow all rule for egress traffic
- Attach the new security group to the impacted instance(s)
- Open the Amazon VPC console
- In the navigation pane, choose Network ACLs
- Choose Create Network ACL
- In the Create Network ACL dialog box, optionally name your network ACL, and select the ID of your VPC from the VPC list. Then choose Yes, Create
- In the details pane, choose either the Inbound Rules or Outbound Rules tab, depending on the type of rule that you need to add, and then choose Edit
- In Rule #, enter a rule number (for example, 100). The rule number must not already be in use in the network ACL. We process the rules in order, starting with the lowest number
- We recommend that you leave gaps between the rule numbers (such as 100, 200, 300), rather than using sequential numbers (101, 102, 103). This makes it easier to add a new rule without having to renumber the existing rules
- Select a rule from the Type list. For example, to add a rule for HTTP, choose HTTP. To add a rule to allow all TCP traffic, choose All TCP. For some of these options (for example, HTTP), we fill in the port for you. To use a protocol that's not listed, choose Custom Protocol Rule
- (Optional) If you're creating a custom protocol rule, select the protocol's number and name from the Protocol list. For more information, see IANA List of Protocol Numbers
- (Optional) If the protocol you selected requires a port number, enter the port number or port range separated by a hyphen (for example, 49152-65535).
- In the Source or Destination field (depending on whether this is an inbound or outbound rule), enter the CIDR range that the rule applies to
- From the Allow/Deny list, select ALLOW to allow the specified traffic or DENY to deny the specified traffic
- (Optional) To add another rule, choose Add another rule, and repeat the previous steps as required
- When you are done, choose Save
- In the navigation pane, choose Network ACLs, and then select the network ACL
- In the details pane, on the Subnet Associations tab, choose Edit. Select the Associate check box for the subnet to associate with the network ACL, and then choose Save
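Planning the IoC-based DENY entries from the procedure above, as an added example that is not part of the playbook. It assumes IoCs arrive as IP addresses or CIDRs and that the NACL's existing rules are known as (rule number, is-egress, action) triples; the sample IoCs and existing rules are constructed.

```python
import ipaddress

# Constructed inputs: two network IoCs and the rules already in the NACL, given as
# (rule_number, is_egress, rule_action) with the reserved final '*' deny left out.
SAMPLE_IOCS = ["198.51.100.7", "203.0.113.0/24"]
SAMPLE_EXISTING = [(100, False, "allow"), (100, True, "allow")]


def plan_nacl_deny_rules(iocs, existing_rules, start=10, step=10):
    """Assign rule numbers to one DENY entry per IoC in each direction.

    Numbers are unique per direction, leave gaps of `step`, and must sort below
    every existing ALLOW in that direction: NACL rules are evaluated lowest
    number first and the first match wins, so a deny above an allow is dead."""
    plan = []
    for egress in (False, True):
        used = {n for n, e, _ in existing_rules if e == egress}
        allows = [n for n, e, a in existing_rules if e == egress and a == "allow"]
        ceiling = min(allows) if allows else 32767   # 32767 is the reserved '*' rule
        number = start
        for ioc in iocs:
            net = ipaddress.ip_network(ioc, strict=False)  # bare host -> /32 or /128
            while number in used:
                number += step
            if number >= ceiling:
                raise ValueError(f"no free rule number below ALLOW #{ceiling} for {net}")
            used.add(number)
            plan.append({"rule": number, "egress": egress, "cidr": str(net)})
            number += step
    return plan


def render_cli(acl_id, plan):
    """Render the console steps above as AWS CLI calls; protocol -1 means all traffic."""
    cmds = []
    for entry in plan:
        flag = "--ipv6-cidr-block" if ":" in entry["cidr"] else "--cidr-block"
        cmds.append(
            f"aws ec2 create-network-acl-entry --network-acl-id {acl_id} "
            f"--rule-number {entry['rule']} --protocol -1 --rule-action deny "
            f"{'--egress' if entry['egress'] else '--ingress'} {flag} {entry['cidr']}"
        )
    return cmds
```

Review the rendered commands against the business impact analysis before running them; the ValueError is the signal that the existing ALLOW rules leave no room for a deny that would actually be evaluated.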
- Follow regulatory requirements or internal company policy to determine if forensics of the EC2 instance is required
- If forensics of the instances are required OR data needs to be recovered, then follow the Playbook: EC2 Forensics
- Remove compromised Domain Controller metadata from the domain
- Inspect backups for potential infection
- It is recommended not to pay the ransom
- Paying the ransom is a gamble as to whether the criminal will honor the transaction after receiving payment
- If no data backups exist, then you should do a cost benefit analysis and weigh the value of the data/reputational compromise against the payment to the attacker
- You directly enable the attacker to continue their operations against your company or others if you choose to pay the ransom
- Visit https://www.nomoreransom.org/ to identify if a decryptor is available for the malware variant that infected your data
- Delete or rotate IAM User Keys and Root User Keys; you may wish to rotate all keys in your account if you cannot identify the specific key or keys that have been exposed
- Delete unauthorized IAM Users
- Delete unauthorized policies
- Delete unauthorized roles
- Revoke temporary credentials. Temporary credentials can also be revoked by deleting the IAM User. NOTE: Deleting IAM Users may impact production workloads and should be done with care
- Use CloudEndure Disaster Recovery to select the latest recovery point before the ransomware attack or data corruption to restore your workloads on AWS
- If using an alternate data backup strategy, validate the backups have not been infected and restore from the last scheduled event prior to the ransomware event
- Create new EC2 instances from a trusted AMI
This is a place to add items specific to your company that do not necessarily need "fixing", but are important to know when executing this playbook in tandem with operational and business requirements.
- As an Incident Responder I need a runbook to conduct EC2 Forensics
- As an Incident Responder I need a business decision on when EC2 forensics should be conducted
- As an Incident Responder I need to have logging enabled in all regions that are enabled regardless of intention of use
- As an Incident Responder I need to be able to detect crypto mining on my existing EC2 instances