Book Image

Incident Response Techniques for Ransomware Attacks

Book Image

Incident Response Techniques for Ransomware Attacks

Overview of this book

Ransomware attacks have become the strongest and most persistent threat for many companies around the globe. Building an effective incident response plan to prevent a ransomware attack is crucial and may help you avoid heavy losses. Incident Response Techniques for Ransomware Attacks is designed to help you do just that. This book starts by discussing the history of ransomware, showing you how the threat landscape has changed over the years, while also covering the process of incident response in detail. You’ll then learn how to collect and produce ransomware-related cyber threat intelligence and look at threat actor tactics, techniques, and procedures. Next, the book focuses on various forensic artifacts in order to reconstruct each stage of a human-operated ransomware attack life cycle. In the concluding chapters, you’ll get to grips with various kill chains and discover a new one: the Unified Ransomware Kill Chain. By the end of this ransomware book, you’ll be equipped with the skills you need to build an incident response strategy for all ransomware attacks.

Related Content you might be interested in

Current Title:

Small book image
Incident Response Techniques for Ransomware Attacks
Apr, 2022 | 228 pages
Small book image
Aligning Security Operations with the MITRE ATT&CK Framework
Rebecca Blair
May, 2023 | 192 pages
Small book image
Practical Memory Forensics.
Svetlana Ostrovskaya | Oleg Skulkin
Mar, 2022 | 304 pages
Small book image
Digital Forensics and Incident Response.
Gerard Johansen
Dec, 2022 | 532 pages
Table of Contents (17 chapters)
Preface
Preface
Who this book is for
What this book covers
Download the color images
Conventions used
Get in touch
Disclaimer
Share Your Thoughts
1
Section 1: Getting Started with a Modern Ransomware Attack
Section 1: Getting Started with a Modern Ransomware Attack
Free Chapter
2
Chapter 1: The History of Human-Operated Ransomware Attacks
Chapter 1: The History of Human-Operated Ransomware Attacks
2016 – SamSam ransomware
2017 – BitPaymer ransomware
2018 – Ryuk ransomware
2019-present – ransomware-as-a-service
Summary
3
Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
Initial attack vectors
Post-exploitation
Data exfiltration
Ransomware deployment
Summary
4
Chapter 3: The Incident Response Process
Chapter 3: The Incident Response Process
Preparation for an incident
Threat detection and analysis
Containment, eradication, and recovery
Post-incident activity
Summary
5
Section 2: Know Your Adversary: How Ransomware Gangs Operate
Section 2: Know Your Adversary: How Ransomware Gangs Operate
6
Chapter 4: Cyber Threat Intelligence and Ransomware
Chapter 4: Cyber Threat Intelligence and Ransomware
Strategic cyber threat intelligence
Operational cyber threat intelligence
Tactical cyber threat intelligence
Summary
7
Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
Gaining initial access
Executing malicious code
Obtaining persistent access
Escalating privileges
Bypassing defenses
Accessing credentials
Moving laterally
Collecting and exfiltrating data
Ransomware deployment
Summary
8
Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence
Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence
Threat research reports
Community
Threat actors
Summary
9
Section 3: Practical Incident Response
Section 3: Practical Incident Response
10
Chapter 7: Digital Forensic Artifacts and Their Main Sources
Chapter 7: Digital Forensic Artifacts and Their Main Sources
Volatile memory collection and analysis
Non-volatile data collection
Master file table
Prefetch files
LNK files
Jump lists
SRUM
Web browsers
Windows Registry
Windows event logs
Other log sources
Summary
11
Chapter 8: Investigating Initial Access Techniques
Chapter 8: Investigating Initial Access Techniques
Collecting data sources for an external remote service abuse investigation
Investigating an RDP brute-force attack
Collecting data sources for a phishing attack investigation
Investigating a phishing attack
Summary
12
Chapter 9: Investigating Post-Exploitation Techniques
Chapter 9: Investigating Post-Exploitation Techniques
Investigating credential access techniques
Investigating reconnaissance techniques
Investigating lateral movement techniques
Summary
13
Chapter 10: Investigating Data Exfiltration Techniques
Chapter 10: Investigating Data Exfiltration Techniques
Investigating web browser abuse for data exfiltration
Investigating cloud service client application abuse for data exfiltration
Investigating third-party cloud synchronization tool abuse for data exfiltration
Investigating the use of custom data exfiltration tools
Summary
14
Chapter 11: Investigating Ransomware Deployment Techniques
Chapter 11: Investigating Ransomware Deployment Techniques
Investigation of abusing RDP for ransomware deployment
Crylock ransomware overview
Investigation of Administrative shares for ransomware deployment
REvil ransomware overview
Investigation of Group Policy for ransomware deployment
LockBit ransomware overview
Summary
15
Chapter 12: The Unified Ransomware Kill Chain
Chapter 12: The Unified Ransomware Kill Chain
Cyber Kill Chain®
MITRE ATT&CK®
The Unified Kill Chain
The Unified Ransomware Kill Chain
Summary
Why subscribe?
16
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

2016 – SamSam ransomware

These ransomware operators emerged in early 2016 and changed the ransomware threat landscape drastically. They didn't focus on regular users and single devices; instead, they attacked various companies, focusing on a human-operated approach, moving laterally and encrypting as many devices as possible, including those with the most important data.

The targets were very different and included the healthcare industry, the education sector, and even whole cities. A notable example was the city of Atlanta, Georgia, which took place in March 2018. As the result, the city had to pay approximately $2.7 million to contractors to recover its infrastructure.

The group commonly exploited vulnerabilities in public-facing applications, for example, JBOSS systems, or just brute-forced RDP-servers to gain the initial foothold to the target network.

To elevate privileges, the threat actors used a number of common hacking tools and exploits, including the notorious Mimikatz, so they could obtain domain administrator credentials.

Having elevated credentials, SamSam operators just scanned the network to obtain information about available hosts, then copied a piece of ransomware to each of them and ran it with help of another very common dual-use tool – PsExec.

The attackers had a payment website in the dark web. A victim could find all the necessary information on file decryption in the ransom note generated by the ransomware, as shown in Figure 1.1:

Figure 1.1 – SamSam ransom note example

Figure 1.1 – SamSam ransom note example

Being active from 2016 to 2018, the group earned approximately $6 million, according to Sophos (source: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf).

Who was behind the SamSam ransomware

On November 28, 2018, the FBI unsealed an indictment charging Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri with deploying SamSam ransomware internationally:

Figure 1.2 – An excerpt from an FBI Wanted poster

Figure 1.2 – An excerpt from an FBI Wanted poster

Both subjects are from Iran. After the indictment was unsealed, the threat actors managed to finish their malicious activities, at least under the name SamSam.

These threat actors showed others that enterprise ransomware attacks may be very profitable, so more and more groups emerged. One example is the BitPaymer ransomware.

Previous Section
End of Section 2
Next Section