Book Image

Incident Response Techniques for Ransomware Attacks

Book Image

Incident Response Techniques for Ransomware Attacks

Overview of this book

Ransomware attacks have become the strongest and most persistent threat for many companies around the globe. Building an effective incident response plan to prevent a ransomware attack is crucial and may help you avoid heavy losses. Incident Response Techniques for Ransomware Attacks is designed to help you do just that. This book starts by discussing the history of ransomware, showing you how the threat landscape has changed over the years, while also covering the process of incident response in detail. You’ll then learn how to collect and produce ransomware-related cyber threat intelligence and look at threat actor tactics, techniques, and procedures. Next, the book focuses on various forensic artifacts in order to reconstruct each stage of a human-operated ransomware attack life cycle. In the concluding chapters, you’ll get to grips with various kill chains and discover a new one: the Unified Ransomware Kill Chain. By the end of this ransomware book, you’ll be equipped with the skills you need to build an incident response strategy for all ransomware attacks.

Related Content you might be interested in

Current Title:

Small book image
Incident Response Techniques for Ransomware Attacks
Apr, 2022 | 228 pages
Small book image
Aligning Security Operations with the MITRE ATT&CK Framework
Rebecca Blair
May, 2023 | 192 pages
Small book image
Practical Memory Forensics.
Svetlana Ostrovskaya | Oleg Skulkin
Mar, 2022 | 304 pages
Small book image
Digital Forensics and Incident Response.
Gerard Johansen
Dec, 2022 | 532 pages
Table of Contents (17 chapters)
Preface
Preface
Who this book is for
What this book covers
Download the color images
Conventions used
Get in touch
Disclaimer
Share Your Thoughts
1
Section 1: Getting Started with a Modern Ransomware Attack
Section 1: Getting Started with a Modern Ransomware Attack
Free Chapter
2
Chapter 1: The History of Human-Operated Ransomware Attacks
Chapter 1: The History of Human-Operated Ransomware Attacks
2016 – SamSam ransomware
2017 – BitPaymer ransomware
2018 – Ryuk ransomware
2019-present – ransomware-as-a-service
Summary
3
Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
Initial attack vectors
Post-exploitation
Data exfiltration
Ransomware deployment
Summary
4
Chapter 3: The Incident Response Process
Chapter 3: The Incident Response Process
Preparation for an incident
Threat detection and analysis
Containment, eradication, and recovery
Post-incident activity
Summary
5
Section 2: Know Your Adversary: How Ransomware Gangs Operate
Section 2: Know Your Adversary: How Ransomware Gangs Operate
6
Chapter 4: Cyber Threat Intelligence and Ransomware
Chapter 4: Cyber Threat Intelligence and Ransomware
Strategic cyber threat intelligence
Operational cyber threat intelligence
Tactical cyber threat intelligence
Summary
7
Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
Gaining initial access
Executing malicious code
Obtaining persistent access
Escalating privileges
Bypassing defenses
Accessing credentials
Moving laterally
Collecting and exfiltrating data
Ransomware deployment
Summary
8
Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence
Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence
Threat research reports
Community
Threat actors
Summary
9
Section 3: Practical Incident Response
Section 3: Practical Incident Response
10
Chapter 7: Digital Forensic Artifacts and Their Main Sources
Chapter 7: Digital Forensic Artifacts and Their Main Sources
Volatile memory collection and analysis
Non-volatile data collection
Master file table
Prefetch files
LNK files
Jump lists
SRUM
Web browsers
Windows Registry
Windows event logs
Other log sources
Summary
11
Chapter 8: Investigating Initial Access Techniques
Chapter 8: Investigating Initial Access Techniques
Collecting data sources for an external remote service abuse investigation
Investigating an RDP brute-force attack
Collecting data sources for a phishing attack investigation
Investigating a phishing attack
Summary
12
Chapter 9: Investigating Post-Exploitation Techniques
Chapter 9: Investigating Post-Exploitation Techniques
Investigating credential access techniques
Investigating reconnaissance techniques
Investigating lateral movement techniques
Summary
13
Chapter 10: Investigating Data Exfiltration Techniques
Chapter 10: Investigating Data Exfiltration Techniques
Investigating web browser abuse for data exfiltration
Investigating cloud service client application abuse for data exfiltration
Investigating third-party cloud synchronization tool abuse for data exfiltration
Investigating the use of custom data exfiltration tools
Summary
14
Chapter 11: Investigating Ransomware Deployment Techniques
Chapter 11: Investigating Ransomware Deployment Techniques
Investigation of abusing RDP for ransomware deployment
Crylock ransomware overview
Investigation of Administrative shares for ransomware deployment
REvil ransomware overview
Investigation of Group Policy for ransomware deployment
LockBit ransomware overview
Summary
15
Chapter 12: The Unified Ransomware Kill Chain
Chapter 12: The Unified Ransomware Kill Chain
Cyber Kill Chain®
MITRE ATT&CK®
The Unified Kill Chain
The Unified Ransomware Kill Chain
Summary
Why subscribe?
16
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Investigating a phishing attack

We will use Volatility 3 to examine the memory image we obtained with Live Response Collection. As we remember from Chapter 5, Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures, one of the most common techniques used by commodity malware is process injection. Let's start from low-hanging fruits, running the malfind plugin against the memory image.

Figure 8.7 – A part of the malfind output

This Volatility plugin helps to find hidden or injected code or DLLs, so it's very useful for the detection of process injection techniques.

There are a few artifacts extracted by malfind, but the most interesting one is related to the rundll32.exe process with the 9772 PID, which you can see in the preceding screenshot. Based on the output, most likely there's code injection. Very often, IT professionals and junior security analysts disregard rundll32.exe, but this legitimate executable should...

Previous Section
End of Section 5
Next Section