Book Image

Incident Response Techniques for Ransomware Attacks

Book Image

Incident Response Techniques for Ransomware Attacks

Overview of this book

Ransomware attacks have become the strongest and most persistent threat for many companies around the globe. Building an effective incident response plan to prevent a ransomware attack is crucial and may help you avoid heavy losses. Incident Response Techniques for Ransomware Attacks is designed to help you do just that. This book starts by discussing the history of ransomware, showing you how the threat landscape has changed over the years, while also covering the process of incident response in detail. You’ll then learn how to collect and produce ransomware-related cyber threat intelligence and look at threat actor tactics, techniques, and procedures. Next, the book focuses on various forensic artifacts in order to reconstruct each stage of a human-operated ransomware attack life cycle. In the concluding chapters, you’ll get to grips with various kill chains and discover a new one: the Unified Ransomware Kill Chain. By the end of this ransomware book, you’ll be equipped with the skills you need to build an incident response strategy for all ransomware attacks.

Related Content you might be interested in

Current Title:

Small book image
Incident Response Techniques for Ransomware Attacks
Apr, 2022 | 228 pages
Small book image
Aligning Security Operations with the MITRE ATT&CK Framework
Rebecca Blair
May, 2023 | 192 pages
Small book image
Practical Memory Forensics.
Svetlana Ostrovskaya | Oleg Skulkin
Mar, 2022 | 304 pages
Small book image
Digital Forensics and Incident Response.
Gerard Johansen
Dec, 2022 | 532 pages
Table of Contents (17 chapters)
Preface
Preface
Who this book is for
What this book covers
Download the color images
Conventions used
Get in touch
Disclaimer
Share Your Thoughts
1
Section 1: Getting Started with a Modern Ransomware Attack
Section 1: Getting Started with a Modern Ransomware Attack
Free Chapter
2
Chapter 1: The History of Human-Operated Ransomware Attacks
Chapter 1: The History of Human-Operated Ransomware Attacks
2016 – SamSam ransomware
2017 – BitPaymer ransomware
2018 – Ryuk ransomware
2019-present – ransomware-as-a-service
Summary
3
Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
Initial attack vectors
Post-exploitation
Data exfiltration
Ransomware deployment
Summary
4
Chapter 3: The Incident Response Process
Chapter 3: The Incident Response Process
Preparation for an incident
Threat detection and analysis
Containment, eradication, and recovery
Post-incident activity
Summary
5
Section 2: Know Your Adversary: How Ransomware Gangs Operate
Section 2: Know Your Adversary: How Ransomware Gangs Operate
6
Chapter 4: Cyber Threat Intelligence and Ransomware
Chapter 4: Cyber Threat Intelligence and Ransomware
Strategic cyber threat intelligence
Operational cyber threat intelligence
Tactical cyber threat intelligence
Summary
7
Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
Gaining initial access
Executing malicious code
Obtaining persistent access
Escalating privileges
Bypassing defenses
Accessing credentials
Moving laterally
Collecting and exfiltrating data
Ransomware deployment
Summary
8
Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence
Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence
Threat research reports
Community
Threat actors
Summary
9
Section 3: Practical Incident Response
Section 3: Practical Incident Response
10
Chapter 7: Digital Forensic Artifacts and Their Main Sources
Chapter 7: Digital Forensic Artifacts and Their Main Sources
Volatile memory collection and analysis
Non-volatile data collection
Master file table
Prefetch files
LNK files
Jump lists
SRUM
Web browsers
Windows Registry
Windows event logs
Other log sources
Summary
11
Chapter 8: Investigating Initial Access Techniques
Chapter 8: Investigating Initial Access Techniques
Collecting data sources for an external remote service abuse investigation
Investigating an RDP brute-force attack
Collecting data sources for a phishing attack investigation
Investigating a phishing attack
Summary
12
Chapter 9: Investigating Post-Exploitation Techniques
Chapter 9: Investigating Post-Exploitation Techniques
Investigating credential access techniques
Investigating reconnaissance techniques
Investigating lateral movement techniques
Summary
13
Chapter 10: Investigating Data Exfiltration Techniques
Chapter 10: Investigating Data Exfiltration Techniques
Investigating web browser abuse for data exfiltration
Investigating cloud service client application abuse for data exfiltration
Investigating third-party cloud synchronization tool abuse for data exfiltration
Investigating the use of custom data exfiltration tools
Summary
14
Chapter 11: Investigating Ransomware Deployment Techniques
Chapter 11: Investigating Ransomware Deployment Techniques
Investigation of abusing RDP for ransomware deployment
Crylock ransomware overview
Investigation of Administrative shares for ransomware deployment
REvil ransomware overview
Investigation of Group Policy for ransomware deployment
LockBit ransomware overview
Summary
15
Chapter 12: The Unified Ransomware Kill Chain
Chapter 12: The Unified Ransomware Kill Chain
Cyber Kill Chain®
MITRE ATT&CK®
The Unified Kill Chain
The Unified Ransomware Kill Chain
Summary
Why subscribe?
16
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

2017 – BitPaymer ransomware

The BitPaymer ransomware is associated with Evil Corp – a cybercrime group believed to be of Russian origin. This ransomware strain introduced another trend in human-operated attacks – Big Game Hunting.

Everything started in August 2017, when BitPaymer operators successfully attacked a few hospitals from the NHS Lanarkshire board, demanding the astronomical ransom payment of $230,000 or 53 BTC.

To obtain the initial access to the target network, the group leveraged their long-standing tool – the Dridex trojan. The trojan allowed them to load PowerShell Empire – a popular post-exploitation framework – so the threat actor could move laterally through the network, and obtain elevated credentials, including with the use of Mimikatz, just like the SamSam operators.

To deploy the ransomware enterprise-wide, the threat actors leveraged a Group Policy modification, which allowed them to push a script on each host to run a piece of ransomware.

As the means of communication, the threat actors offered both emails and online chats; both could be found in the ransom note:

Figure 1.3 – BitPaymer ransom note example

Figure 1.3 – BitPaymer ransom note example

In June 2019, a new ransomware was born from BitPaymer, called DoppelPaymer. It is believed that this specific ransomware was operated by a spin-off group from Evil Corp (source: https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/).

The mastermind behind the BitPaymer ransomware

On November 13, 2019, the FBI released an indictment charging Maksim Viktorovich Yakubets and Igor Olegovich Turashev with managing Dridex trojan operations:

Figure 1.4 – Excerpts from FBI Wanted posters

Figure 1.4 – Excerpts from FBI Wanted posters

Maksim Viktorovich Yakubets is currently wanted for multiple counts of cybercriminal activity. According to various sources, it is stated that there is a $5 million reward for the apprehension of Maksim. Of course, Dridex was not the only trojan used in human-operated ransomware attacks. Another notable example is Trickbot, which is tightly connected to the Ryuk ransomware.

Previous Section
End of Section 3
Next Section