Unit 4: Ransomware

ransomware as a serve (RaaS)

designed for people who are not technical to set up attacks

What should you do if you are infected with ransomware?

disconnect determine the scope determine the strain get others involved

The downloader silently communicates with control servers to

download and install malware/ ransomware and secure an encryption key

When the exploit is executed

downloader is placed on the system

Ransomware starts to encrypt the

entire hard disk content, personal files and sensitive information.

Email payload Flow

fake invoice email installs locky ransomware

A warning is displayed on the screen with

instructions on how to pay for the decryption key.

File Server Resource Manager

is a set of tools that allows administrators to manage and control the amount and type of data stored on the organization's servers

What is ransomware?

malicious software that prevents you from accessing your computer or data

Client education

monthly newsletters, security training

Secure IIS and SSL web facing Servers

patch against weak encryption ciphers and known exploits, i.e. Drown and poodle

Common Attack Vectors

• Social engineering • Unsafe web browsing • Malvertising • Email campaigns • Web exploits • Phishing scams • Infected removable media • Exploited accounts • Out of date, end of life, un-patched Vulnerable computing systems

Questions to Ask Crisis Communications Team

• What's required for customer breach notifications, and by whom? • What audience groups (employees, customers, partners, investors, etc.) take priority in • your communications outreach? • What are the messages you'll convey? • Under what circumstances will you proactively disseminate information? • Under what circumstances will you wait to respond to queries before releasing • information? • Who will act as a spokesperson for the organization, and to which audiences? • How will you field inquiries?

Questions to Ask Legal

• Who will initiate the forensics investigation? • How will the process unfold and when? • How will relationships with appropriate law enforcement agencies be established and maintained? • What is the company's posture on negotiating with the threat actors/ransomware thieves? • Who will initiate the negotiations with the threat actor if a decision is made to do so? • Who will initiate and coordinate the required breach notification to third parties?

Early Detection

Deploy FSRM to monitor, detect, and alert when known ransomware files are detected

Fake pop ups and exploits

Trick users into downloading malware while disguised as installations or error messages

Ransomware is a Data Breach (T/F)

true

ANTI RANSOMWARE TOOLS

- BitDefender Vaccine - BitDefender Security EndPoint - CryptoPrevent - Hitman Pro Alert - OpenDns - Malwarebytes Endpoint Security - RansomWare Prevention Kit - ShadowExplorer

the new normal in ransomware

- Conti, CLOP, Darkside, REvil & DoppelPaymer & others -double encryption/double extortion (exfiltrate data & extort if orgs do not pay the ransom if orgs don't pay, they target the victims from the data collected) -triple extortion (target the patients and customers)

no matter what you end up doing in response to a ransomware attack

- wipe the machine and reload -possible remaining malware artifacts undetectable to EDR -consider the risks of unknown remnant for future attacks -organizations have been known to hit twice

how is ransomware a data breach?

-criminal hackers infiltrate the network -install trojans/other malware -delete backups -steal data before encryption -hold the data for ransom -leak data, intellectual property -public shaming/threatening victim's customers

what is a standard process for planning prevention of ransomware for employees?

-implement baseline training -train the users -simulate phishing attacks and test them -see the results, analyze for improvements

Create file screens to

1. control the types of files that users can save 2. generate notifications when users attempt to save unauthorized files

Evaluate your different responses

1. restore from a recent backup 2. decrypt your files using a third party decrypter 3. do nothing (lose your data) 4. negotiate/pay the ransom

Cryptolocker

A specific form of ransomware that encrypts critical files or data until the victim pays a ransom to obtain the decryption keys.

hash value

A unique number produced by a hash function to create a unique digital "fingerprint" that can be used to allow or deny access to a software application; encoding one or more data sets, such as names, serial numbers, and validation codes

STEP 4: Determine the Scope of the Exploitation

Check the Following for Signs: a. Mapped or shared drives b. Cloud-based storage: DropBox, Google Drive, OneDrive, etc. c. Network storage devices of any kind d. External hard drives e. USB storage devices of any kind (USB sticks, memory sticks, attached phones/cameras) f. Mapped or shared folders from other computers

STEP 5: Limit Initial Damage

Initial investigators should try to stop/reduce any damage they discover, if possible

Malvertising

Involves injecting malware or malicious code into advertisements on legitimate online webpages.

What to know about backups with ransomware?

Maintain regularly updated "gold images" of critical systems in the event they need to be rebuilt.

STEP 6: Gather Team to Share Information

The goal is to make sure the team correctly understands all information, including scope and extent of damage

Are My Synced Files Safe?

The simple answer - NO they can all be encrypted and synced as encrypted files

The Three Commandments

Thou shall backup Thou shall backup Again Thou shall backup once More

Questions to Ask Human Resources

What employee policies and practices cover information security and IT investigations involving employees? • Who will conduct those investigations? • What communication tools are used by HR to communicate on a regular basis? • Who among the HR team is responsible for disseminating that information?

Step 4: Determine Ransomware Strain

What strain/type of ransomware? For example: Ryuk, Dharma, SamSam, etc.

Ransomware can originate from

a malicious website that exploits a known vulnerability, phishing email campaigns, social engineering, or web based drive by malware injections

Splash Pages

a page that site visitors encounter first before reaching the home page

Step 4: Determine if data or credentials have been stolen

a. Check logs and DLP software for signs of data leaks b. Look for unexpected large archival files (e.g., zip, arc, etc.) containing confidential data that could have been used as staging files c. Look for malware, tools and scripts that could have been used to look for and copy data d. Of course, one of the most accurate signs of ransomware data theft is a notice from the involved ransomware gang announcing that your data and/or credentials have been stolen

step 2: declare ransomware event and start incident response

a. Declare ransomware event b. Begin using predefined, alternate communications c. Notify team members, senior management and legal

step 1: Initial Investigation

a. Determine if it is a real ransomware attack b. Determine if more than one device is exploited

step 3: disconnect network

a. Disable networking (from network devices, if possible) b. Power off devices if wiperware is suspected

Step 9: Prevent the Next Cyber Attack

a. Mitigate social engineering b. Patch software c. Use multifactor authentication (MFA) where you can d. Use strong, unique passwords e. Use antivirus or endpoint detection and response software f. Use anti-spam/anti-phishing software g. Use data leak prevention (DLP) software h. Have a good back up and regularly test

STEP 7: Determine Response

a. Pay the ransom or not? b. Repair or rebuild? c. Invite in additional external parties? d. Notify regulator bodies, law enforcement, CISA, FBI, etc.?

STEP 8: Recover Environment

a. Repair only or rebuild b. Need to preserve evidence? c. Use business impact analysis to determine what devices and systems to recover and the associated timing d. Restore critical infrastructure first

The contacted C&C (command and control) server responds by

sending back the requested Encryption Key and provide payment methods

Ransomware attack response checklist

step 1: Initial Investigation step 2: declare ransomware event and start incident response step 3: disconnect network STEP 4: Determine the Scope of the Exploitation, Determine if data or credentials have been stolen, Determine Ransomware Strain STEP 5: Limit Initial Damage STEP 6: Gather Team to Share Information STEP 7: Determine Response STEP 8: Recover Environment Step 9: Prevent the Next Cyber Attack:

If your computer is infected with ransomware

the computer itself may become locked, or the data on it might be stolen, deleted or encrypted.

human layer represents a high value and probability target because the _________________ required by attackers is low

time and cost

KnowBe4 best practices and tips

train your users backups segment the network principle of least privilege remove internet facing RDP keep up with patches

Ransomware Prevention Tips

• Client/employee Education • Disable macros within MS office applications VIA GPOs • SPAM filtering / attachment blocking - zip, *.resume, vbs, scr, etc. • Transport rules/extension blocking • Application control - block anon/proxy/tor networks • Patching - adobe flash/reader, java, operating systems • Managed endpoint protection • Dns filtering/URL filtering • Software restriction policies/application white listing • Third party prevention utilities • File server resource manager • Iis/ssl vulnerability patching • Ssl vpn with two factor authentication • GEO IP LOCATION BASED Filtering

Questions to Ask InfoSec and IT Teams

• How can you identify the origin of the infiltration, or "patient zero"? • How will the forensics investigation be conducted? • How will backup systems be placed online or the current system decrypted? • How will the security holes get patched? • How will you coordinate efforts with legal and the rest of the team?

Cost of Ransomware attacks

• Loss of Data and Information • Employee Downtime and Loss of Production • Ransom Costs • IT Consultant Time and Labor • Forensic Investigation Cost • Data Leak and Compliance Issues • HIPPA FINES • Impact on Reputation and Loss of Business Relationships • IT Infrastructure Upgrades/Overhaul

Backups with ransomware

• On and offsite full system imaging • Hourly incremental snapshots • Avoid using external usb drives • Only single guarantee to recovering data • Appliance based offering with virtualization • Cost effective alternatives