
Ransomware Protection Playbook

Roger A. Grimes

$46.95

Paperback

English
John Wiley & Sons Inc
27 September 2021
Avoid becoming the next ransomware victim by taking practical steps today.

Colonial Pipeline. CWT Global. Brenntag. Travelex. The list of ransomware victims is long, distinguished, and sophisticated. And it's growing longer every day. In Ransomware Protection Playbook, computer security veteran and expert penetration tester Roger A. Grimes delivers an actionable blueprint for organizations seeking a robust defense against one of the most insidious and destructive IT threats currently in the wild. You'll learn about concrete steps you can take now to protect yourself or your organization from ransomware attacks. In addition to walking you through the necessary technical preventative measures, this critical book will show you how to:

Quickly detect an attack, limit the damage, and decide whether to pay the ransom
Implement a pre-set game plan in the event of a game-changing security breach to help limit the reputational and financial damage
Lay down a secure foundation of cybersecurity insurance and legal protection to mitigate the disruption to your life and business

A must-read for cyber and information security professionals, privacy leaders, risk managers, and CTOs, Ransomware Protection Playbook is an irreplaceable and timely resource for anyone concerned about the security of their, or their organization's, data.

Imprint:   John Wiley & Sons Inc
Country of Publication:   United States
Dimensions:   Height: 226mm,  Width: 155mm,  Spine: 20mm
Weight:   408g
ISBN:   9781119849124
ISBN 10:   1119849128
Pages:   320
Audience:   Professional and scholarly ,  Undergraduate
Format:   Paperback
Publisher's Status:   Active
Table of Contents

Acknowledgments
Introduction

Part I: Introduction

Chapter 1: Introduction to Ransomware
  How Bad is the Problem?
  Variability of Ransomware Data
  True Costs of Ransomware
  Types of Ransomware
  Fake Ransomware
  Immediate Action vs. Delayed
  Automatic or Human-Directed
  Single Device Impacts or More
  Ransomware Root Exploit
  File Encrypting vs. Boot Infecting
  Good vs. Bad Encryption
  Encryption vs. More Payloads
  Ransomware as a Service
  Typical Ransomware Process and Components
  Infiltrate
  After Initial Execution
  Dial-Home
  Auto-Update
  Check for Location
  Initial Automatic Payloads
  Waiting
  Hacker Checks C&C
  More Tools Used
  Reconnaissance
  Readying Encryption
  Data Exfiltration
  Encryption
  Extortion Demand
  Negotiations
  Provide Decryption Keys
  Ransomware Goes Conglomerate
  Ransomware Industry Components
  Summary

Chapter 2: Preventing Ransomware
  Nineteen Minutes to Takeover
  Good General Computer Defense Strategy
  Understanding How Ransomware Attacks
  The Nine Exploit Methods All Hackers and Malware Use
  Top Root-Cause Exploit Methods of All Hackers and Malware
  Top Root-Cause Exploit Methods of Ransomware
  Preventing Ransomware
  Primary Defenses
  Everything Else
  Use Application Control
  Antivirus Prevention
  Secure Configurations
  Privileged Account Management
  Security Boundary Segmentation
  Data Protection
  Block USB Keys
  Implement a Foreign Russian Language
  Beyond Self-Defense
  Geopolitical Solutions
  International Cooperation and Law Enforcement
  Coordinated Technical Defense
  Disrupt Money Supply
  Fix the Internet
  Summary

Chapter 3: Cybersecurity Insurance
  Cybersecurity Insurance Shakeout
  Did Cybersecurity Insurance Make Ransomware Worse?
  Cybersecurity Insurance Policies
  What's Covered by Most Cybersecurity Policies
  Recovery Costs
  Ransom
  Root-Cause Analysis
  Business Interruption Costs
  Customer/Stakeholder Notifications and Protection
  Fines and Legal Investigations
  Example Cyber Insurance Policy Structure
  Costs Covered and Not Covered by Insurance
  The Insurance Process
  Getting Insurance
  Cybersecurity Risk Determination
  Underwriting and Approval
  Incident Claim Process
  Initial Technical Help
  What to Watch Out For
  Social Engineering Outs
  Make Sure Your Policy Covers Ransomware
  Employee's Mistake Involved
  Work-from-Home Scenarios
  War Exclusion Clauses
  Future of Cybersecurity Insurance
  Summary

Chapter 4: Legal Considerations
  Bitcoin and Cryptocurrencies
  Can You Be in Legal Jeopardy for Paying a Ransom?
  Consult with a Lawyer
  Try to Follow the Money
  Get Law Enforcement Involved
  Get an OFAC License to Pay the Ransom
  Do Your Due Diligence
  Is It an Official Data Breach?
  Preserve Evidence
  Legal Defense Summary
  Summary

Part II: Detection and Recovery

Chapter 5: Ransomware Response Plan
  Why Do Response Planning?
  When Should a Response Plan Be Made?
  What Should a Response Plan Include?
  Small Response vs. Large Response Threshold
  Key People
  Communications Plan
  Public Relations Plan
  Reliable Backup
  Ransom Payment Planning
  Cybersecurity Insurance Plan
  What It Takes to Declare an Official Data Breach
  Internal vs. External Consultants
  Cryptocurrency Wallet
  Response
  Checklist
  Definitions
  Practice Makes Perfect
  Summary

Chapter 6: Detecting Ransomware
  Why is Ransomware So Hard to Detect?
  Detection Methods
  Security Awareness Training
  AV/EDR Adjunct Detections
  Detect New Processes
  Anomalous Network Connections
  New, Unexplained Things
  Unexplained Stoppages
  Aggressive Monitoring
  Example Detection Solution
  Summary

Chapter 7: Minimizing Damage
  Basic Outline for Initial Ransomware Response
  Stop the Spread
  Power Down or Isolate Exploited Devices
  Disconnecting the Network
  Disconnect at the Network Access Points
  Suppose You Can't Disconnect the Network
  Initial Damage Assessment
  What is Impacted?
  Ensure Your Backups Are Still Good
  Check for Signs of Data and Credential Exfiltration
  Check for Rogue Email Rules
  What Do You Know About the Ransomware?
  First Team Meeting
  Determine Next Steps
  Pay the Ransom or Not?
  Recover or Rebuild?
  Summary

Chapter 8: Early Responses
  What Do You Know?
  A Few Things to Remember
  Encryption is Likely Not Your Only Problem
  Reputational Harm May Occur
  Firings May Happen
  It Could Get Worse
  Major Decisions
  Business Impact Analysis
  Determine Business Interruption Workarounds
  Did Data Exfiltration Happen?
  Can You Decrypt the Data Without Paying?
  Ransomware is Buggy
  Ransomware Decryption Websites
  Ransomware Gang Publishes Decryption Keys
  Sniff a Ransomware Key Off the Network?
  Recovery Companies Who Lie About Decryption Key Use
  If You Get the Decryption Keys
  Save Encrypted Data Just in Case
  Determine Whether the Ransom Should Be Paid
  Not Paying the Ransom
  Paying the Ransom
  Recover or Rebuild Involved Systems?
  Determine Dwell Time
  Determine Root Cause
  Point Fix or Time to Get Serious?
  Early Actions
  Preserve the Evidence
  Remove the Malware
  Change All Passwords
  Summary

Chapter 9: Environment Recovery
  Big Decisions
  Recover vs. Rebuild
  In What Order
  Restoring Network
  Restore IT Security Services
  Restore Virtual Machines and/or Cloud Services
  Restore Backup Systems
  Restore Clients, Servers, Applications, Services
  Conduct Unit Testing
  Rebuild Process Summary
  Recovery Process Summary
  Recovering a Windows Computer
  Recovering/Restoring Microsoft Active Directory
  Summary

Chapter 10: Next Steps
  Paradigm Shifts
  Implement a Data-Driven Defense
  Focus on Root Causes
  Rank Everything!
  Get and Use Good Data
  Heed Growing Threats More
  Row the Same Direction
  Focus on Social Engineering Mitigation
  Track Processes and Network Traffic
  Improve Overall Cybersecurity Hygiene
  Use Multifactor Authentication
  Use a Strong Password Policy
  Secure Elevated Group Memberships
  Improve Security Monitoring
  Secure PowerShell
  Secure Data
  Secure Backups
  Summary

Chapter 11: What Not to Do
  Assume You Can't Be a Victim
  Think That One Super-Tool Can Prevent an Attack
  Assume Too Quickly Your Backup is Good
  Use Inexperienced Responders
  Give Inadequate Considerations to Paying Ransom
  Lie to Attackers
  Insult the Gang by Suggesting Tiny Ransom
  Pay the Whole Amount Right Away
  Argue with the Ransomware Gang
  Apply Decryption Keys to Your Only Copy
  Not Care About Root Cause
  Keep Your Ransomware Response Plan Online Only
  Allow a Team Member to Go Rogue
  Accept a Social Engineering Exclusion in Your Cyber-Insurance Policy
  Summary

Chapter 12: Future of Ransomware
  Future of Ransomware
  Attacks Beyond Traditional Computers
  IoT Ransoms
  Mixed-Purpose Hacking Gangs
  Future of Ransomware Defense
  Future Technical Defenses
  Ransomware Countermeasure Apps and Features
  AI Defense and Bots
  Strategic Defenses
  Focus on Mitigating Root Causes
  Geopolitical Improvements
  Systematic Improvements
  Use Cyber Insurance as a Tool
  Improve Internet Security Overall
  Summary

Parting Words
Index

ROGER A. GRIMES is a computer security expert with 34 years in the field and an author on hacking, malware, and ransomware attacks. He was the weekly security columnist at InfoWorld and CSO Magazines between 2005 and 2019. He is frequently interviewed and quoted, including by Newsweek, CNN, NPR, and the WSJ.
