KB4-RansomwareStepbyStep_1.1.pptx
Roger A. Grimes
Data-Driven Security Evangelist
rogerg@knowbe4.com
About Roger
• 30-plus years in computer security, 20 years of pen testing
About Us
• Provider of the world's largest integrated Security Awareness Training and Simulated Phishing platform
Agenda
• Preventing a Ransomware Attack
• Step-by-Step Incident Response
KnowBe4 Ransomware Hostage Rescue Manual
https://info.knowbe4.com/ransomware-hostage-rescue-manual-0
What Ransomware Looks Like Now
Today’s Ransomware Workflow
1. Victim tricked into executing a “stager” trojan horse program, which modifies the host system
2. After executing, it immediately downloads updates and additional malware & instructions from C&C servers
3. Updates itself to keep ahead of AV/EDR detection, fetches new payloads, spreads
4. Collects as many passwords as it can
5. Notifies C&C/hacker about the new intrusion
6. Dwells (sometimes up to 8 to 12 months)
7. Hackers come in, assess and analyze the target
8. Steal whatever they want
9. Launch encryption and ask for ransom
Ransomware Today
Not Just Encryption
• Steals Credentials (company, employee, customer)
• Steals Intellectual Property/Leaks Data
• Threatens Victim’s Employees & Customers
• Other Things (e.g., cryptomining, DDoS, etc.)
• Public Shaming
Defenses
Recognize What The Real Problem Really Is
• Ransomware is not the real problem
• It’s how ransomware got in
• It’s how ransomware got admin
• If you don’t stop hackers and malware from breaking in and getting admin, you’re never going to stop the nuclear badness
• They will always be able to do very bad things
Data-Driven Computer Defense
How Ransomware Attacks
[Chart: percentage of ransomware root causes that are software-related vs. password attacks; data in the report linked below]
https://info.knowbe4.com/wp-root-causes-ransomware
How Ransomware Attacks
Ransomware Root Exploit Causes (Other)
• USB keys
• Google Ads
• Bribed Employees
How Ransomware Attacks
Ransomware Root Exploit Causes (Other)
• Voice calls
https://us-cert.cisa.gov/ncas/alerts/aa21-265a
Best Defenses
Top Defenses for Most Organizations
(in order of importance)
• Focus on Mitigating Social Engineering
• Patch Internet-Accessible Software
• Use Multifactor Authentication (MFA)/Non-guessable passwords
• Use phishing-resistant MFA where you can to protect valuable data; where you can’t:
• Use different passwords for every website and service
• Enable account lockout policies on login portals/APIs
• Teach Users How to Spot Rogue URLs
• https://blog.knowbe4.com/top-12-most-common-rogue-url-tricks
• https://info.knowbe4.com/rogue-urls
• Great, complete, tested, secure, 3-2-1 backup
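A backup is only “tested” when a restore can be shown to match what was backed up, not when the backup job reports success. The following Python example is added here and is not KnowBe4’s code; it assumes nothing about the backup product, only a directory tree on disk, and it keeps the manifest as a JSON document that should be stored apart from the backup itself (the offline copy in a 3-2-1 scheme) so an intruder who reaches the backup cannot quietly rewrite both.

```python
"""Testing a backup: hash manifest at backup time, verification at restore time.

Added example (not KnowBe4's or the talk's code). Works on any directory
tree the backup software can restore to disk.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in 1 MiB chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest captured at backup time."""
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {"ok": not (missing or changed), "missing": missing, "changed": changed, "extra": extra}


def _write(root, rel, data):
    """Helper for the constructed scenario: write bytes to root/rel, creating dirs."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a source tree, a faithful restore, and a restore from a
    backup the intruder reached (one file overwritten, one file gone)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source")
        _write(src, "finance/q3.xlsx", b"quarterly numbers")
        _write(src, "hr/policy.pdf", b"%PDF-1.4 policy")
        # The manifest is serialised so it can be kept offline, away from the backup.
        saved = json.dumps(build_manifest(src), sort_keys=True)

        good = os.path.join(tmp, "restore_good")
        _write(good, "finance/q3.xlsx", b"quarterly numbers")
        _write(good, "hr/policy.pdf", b"%PDF-1.4 policy")

        bad = os.path.join(tmp, "restore_bad")
        _write(bad, "finance/q3.xlsx", b"ENCRYPTED BLOB")  # backup itself was hit
        # hr/policy.pdf is absent from the bad restore altogether

        manifest = json.loads(saved)
        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    good_result, bad_result = demo()
    print("faithful restore:", good_result)
    print("compromised restore:", bad_result)
```

Run the verification against a restore to a scratch location on a schedule, not only during an incident: the “changed” list is what tells you a backup was reached before you ever need it.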
All Anti-Phishing Defenses
Everything You Can Try to Prevent Phishing
• Webinar
• https://info.knowbe4.com/webinar-stay-out-of-the-net
• E-book
• https://info.knowbe4.com/comprehensive-anti-phishing-guide
Other KnowBe4 Ransomware Resources
• KnowBe4 Ransomware Portal
https://www.knowbe4.com/ransomware
Agenda
• Step-by-Step Incident Response
KnowBe4 Ransomware Resources
• Ransomware Hostage Rescue Manual
https://info.knowbe4.com/ransomware-hostage-rescue-manual-0
• Ransomware Response Step-by-Step Checklist
https://www.knowbe4.com/ransomware#ransomwarechecklist
Ransomware Response
Preparation
• Create, communicate and practice a ransomware response plan
Ransomware Response
Preparation – Multiple Plans Should Already Be in Place
Ransomware Incident Response Plan should be a subcomponent of your:
• Disaster Recovery Plan
• Business Continuity Plan
• Incident Response Plan
OK, So You Got Hit by Ransomware
Ransomware Response
First Things First
Ransomware Response
Next
Try to stop further:
• Spread
• Damage
• Communication to and from the ransomware hackers
• Disable networking at hubs, switches and routers, if possible
• Know the commands and practice ahead of time
• Easier to restore network access when needed
• Know ahead of time what you can and can’t disable
• When unsure whether it is wiperware or ransomware, power off
Ransomware Response
Next
Impact
• What locations?
• What OSes?
• What apps?
• What types of files?
• What isn’t impacted?
• If the ransom extortion message has a link, don’t click it!
• It could start a timer countdown and notify the ransomware hackers of a new conquest
Ransomware Response
Next
Assume until otherwise disproven:
• Months of ransomware dwell time
• Multiple malware programs and tools involved
• Data exfiltration
• Emails eavesdropped on
• All passwords known
• Ransomware attacker will publicly post about compromise
• Backups potentially compromised
Ransomware Response
Credential Theft Checks
Ransomware Response
Next
• The extortion message and the treatment of encrypted files are usually the easiest identification methods
• Some incident responders/ransomware experts are familiar with particular ransomware strains and can help you better than people who aren’t familiar with that strain
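The impact questions (which locations, which file types, what is not hit) and the identification clues above (the extortion note, how the encrypted files were renamed) can be pulled from one file inventory. The Python example below is added here and is not from the talk or from KnowBe4; it assumes an inventory of (hostname, path) pairs such as an EDR console or file-server scan exports, and its note-name keywords and benign-extension list are constructed heuristics, not strain signatures, so what it finds is a starting point for the people who know the strains.

```python
"""Scoping a ransomware incident from a file inventory.

Added example, not code from KnowBe4 or the talk. Input is a constructed
list of (hostname, path) pairs; keyword and extension lists are assumed
heuristics and should be confirmed by reading the actual note.
"""
from collections import Counter
import posixpath

# Constructed heuristic: words common in extortion-note filenames and the
# note formats usually seen. Real notes vary per strain.
NOTE_KEYWORDS = ("readme", "decrypt", "restore", "recover", "how_to", "help")
NOTE_SUFFIXES = (".txt", ".html", ".hta")

# Trailing extensions that legitimately stack on another extension. An
# *unknown* trailing extension appearing on many files is the signal sought.
BENIGN_TRAILING = {".gz", ".bz2", ".xz", ".zst", ".zip", ".bak", ".tmp"}

# Constructed sample inventory (hostname, path). A real export is far larger.
SAMPLE_INVENTORY = [
    ("fs01", "/shares/finance/q3.xlsx.locked"),
    ("fs01", "/shares/finance/budget.docx.locked"),
    ("fs01", "/shares/finance/README_TO_RESTORE.txt"),
    ("fs01", "/shares/hr/policy.pdf"),
    ("fs01", "/shares/it/logs.tar.gz"),
    ("ws-042", r"C:\Users\jdoe\Documents\report.docx.locked"),
    ("ws-042", r"C:\Users\jdoe\Desktop\HOW_TO_DECRYPT.hta"),
    ("ws-017", r"C:\Users\asmith\Documents\notes.txt"),
    ("db01", "/var/lib/pgsql/base.dat"),
]


def basename(path):
    """Basename for both POSIX and Windows-style paths."""
    return posixpath.basename(path.replace("\\", "/"))


def looks_like_note(path):
    """True if the filename resembles an extortion note."""
    name = basename(path).lower()
    return name.endswith(NOTE_SUFFIXES) and any(k in name for k in NOTE_KEYWORDS)


def split_extensions(path):
    """Return (original_ext, appended_ext); 'q3.xlsx.locked' -> ('.xlsx', '.locked').

    Single-extension files and benign stacks such as .tar.gz report an empty
    appended_ext and are treated as not encrypted.
    """
    parts = basename(path).lower().split(".")
    if len(parts) >= 3 and "." + parts[-1] not in BENIGN_TRAILING:
        return "." + parts[-2], "." + parts[-1]
    if len(parts) >= 2:
        return "." + parts[-1], ""
    return "", ""


def scope_incident(inventory):
    """Summarise what is hit: appended extensions, original file types, hosts, notes."""
    appended = Counter()
    file_types = Counter()
    notes = []
    hosts = set()
    encrypted_per_host = {}
    for host, path in inventory:
        hosts.add(host)
        if looks_like_note(path):
            notes.append((host, path))
            encrypted_per_host.setdefault(host, 0)  # a note alone marks the host as hit
            continue
        orig_ext, extra = split_extensions(path)
        if extra:
            appended[extra] += 1
            file_types[orig_ext] += 1
            encrypted_per_host[host] = encrypted_per_host.get(host, 0) + 1
    impacted = sorted(encrypted_per_host)
    return {
        "suspect_extensions": dict(appended),   # hand these and the notes to responders
        "file_types": dict(file_types),
        "encrypted_per_host": encrypted_per_host,
        "impacted_hosts": impacted,
        "unaffected_hosts": sorted(hosts - set(impacted)),
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in scope_incident(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

The “unaffected_hosts” list is as important as the impacted one: it is where clean evidence and untouched data live, and it should be protected first when networking is cut.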
Ransomware Response
Notifying Authorities
• Notifying legal authorities may result in them taking control over actions and the investigation (usually not, but there is an increased chance)
• In the U.S., there is some additional legal protection by notifying CISA and/or the FBI (or Secret Service)
• Depending on the regulations that apply to your organization, you may need to notify customers and other stakeholders
• May need to declare an official “data breach”
• Don’t do this lightly; let senior management and legal decide and declare
Ransomware Response
Contacting Ransomware Attacker
Usually:
• May need to establish new email account/TOR account, etc.
• Starts timer countdown
• Hacker wants to be paid within one week
• Requested ransom extortion payment is negotiable within certain parameters
• Paying half the initial requested ransom is not uncommon
• Don’t antagonize ransomware hacker
• If you use a professional ransomware negotiator, make sure they are reputable
Ransomware Response
Paying Ransom
Ransomware Response
Next
• Determine what mission-critical apps you need to get back up and working first (should know this ahead of time)
• Know critical dependencies ahead of time (or determine them now)
Ransomware Response
Next
• Preserving evidence
• If not sure, assume this is necessary
• Take memory and disk snapshots before modifying existing devices
• Build new instances on new devices
Ransomware Response
Next
• Restoring Data
• From recovered encrypted files with hacker’s help or trusted, tested backups?
Ransomware Response
Next
• Restoring Data from Encrypted Files Using Hacker Decryption Keys
• If using ransomware decryption keys, get “proof of life” from the hacker that the decryption keys they supply will actually work (ransomware gangs are used to this request)
• Usually, multiple decryption keys are involved
• Usually, you have to pay a little up front to get a test decryption key
• Do not test on the only instance of the encrypted data
• Copy the encrypted files/disk (get a secondary instance)
• Test decryption keys/programs on the secondary instance
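The “secondary instance” rule can be enforced by a small harness rather than by discipline alone. The Python example below is added here and is not KnowBe4’s code: `make_decryptor` is a constructed stand-in for the decryption program a gang supplies (a reversible byte transform, nothing more), and the `MAGIC` table is an assumed set of file signatures used to judge whether a decrypted copy is plausible. The harness copies the encrypted files, runs the decryptor only on the copies, checks each output against the signature of its original type, and proves by hash that the originals were not modified, whether the key works or not.

```python
"""Testing a supplied decryptor on copies, never on the only instance of the data.

Added example, not code from KnowBe4 or the talk. `make_decryptor` stands in
for the decryptor handed over by the extortionist (constructed XOR transform);
the harness around it is the point: copy, decrypt the copy, check the result,
prove the originals were untouched.
"""
import hashlib
import os
import shutil
import tempfile

# Constructed signature table: leading bytes expected for each original file type.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}


def sha256_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_decryptor(key):
    """Stand-in for the vendor/gang decryptor: XOR every byte with `key`.

    A wrong key yields garbage, which is exactly the failure the harness must catch.
    """
    def decrypt(src, dst):
        with open(src, "rb") as f:
            data = f.read()
        with open(dst, "wb") as f:
            f.write(bytes(b ^ key for b in data))
    return decrypt


def stage_copies(encrypted_paths, workdir):
    """Copy each encrypted file into workdir; return {original_path: copy_path}."""
    mapping = {}
    for i, path in enumerate(encrypted_paths):
        copy = os.path.join(workdir, f"{i:04d}_{os.path.basename(path)}")
        shutil.copy2(path, copy)
        mapping[path] = copy
    return mapping


def plausible(decrypted_path):
    """Does the decrypted file start with the signature of its claimed type?"""
    ext = os.path.splitext(decrypted_path)[1].lower()
    sig = MAGIC.get(ext)
    if sig is None:
        return False  # unknown type: a human has to open it
    with open(decrypted_path, "rb") as f:
        return f.read(len(sig)) == sig


def check_decryptor(encrypted_paths, decrypt_fn, appended_ext=".locked"):
    """Run decrypt_fn on copies only; report per-file plausibility and original integrity."""
    before = {p: sha256_file(p) for p in encrypted_paths}
    per_file = {}
    with tempfile.TemporaryDirectory() as work:
        for original, copy in stage_copies(encrypted_paths, work).items():
            out = copy[:-len(appended_ext)] if copy.endswith(appended_ext) else copy + ".dec"
            try:
                decrypt_fn(copy, out)
                per_file[original] = plausible(out)
            except Exception:  # a crashing decryptor is a failed test, not a crashed harness
                per_file[original] = False
    after = {p: sha256_file(p) for p in encrypted_paths}
    return {
        "per_file": per_file,
        "all_ok": bool(per_file) and all(per_file.values()),
        "originals_untouched": before == after,
    }


def demo():
    """Constructed scenario: two 'encrypted' documents, one right key, one wrong key."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = {"report.docx": b"PK\x03\x04 report body", "policy.pdf": b"%PDF-1.4 policy body"}
        paths = []
        for name, plain in docs.items():
            path = os.path.join(tmp, name + ".locked")
            with open(path, "wb") as f:
                f.write(bytes(b ^ 0x5A for b in plain))  # constructed 'encryption'
            paths.append(path)
        good = check_decryptor(paths, make_decryptor(0x5A))
        bad = check_decryptor(paths, make_decryptor(0x3C))
        return good, bad


if __name__ == "__main__":
    good_result, bad_result = demo()
    print("right key:", good_result)
    print("wrong key:", bad_result)
```

With several keys in play, run `check_decryptor` once per key against the files that key is claimed to cover; a per-file `False` with `originals_untouched` still `True` is the safe outcome, since the only thing lost is a scratch copy.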
Ransomware Response
Next
• Unit Testing
• After restoring networking, systems and data, test
• Create and test all possible inputs into system
• Have expected pre-determined outputs
• Compare inputs and expected outputs
• Note any unexpected results
• Have supervisor sign-off on application as fully tested and ready to go
Ransomware Response
Turn Network/Internet Back On
When all systems are known clean, all possible malware removed, all possibly compromised passwords reset, etc.:
• Turn on network
• Turn on Internet
• Should be done slowly
• Monitor Internet, network, devices and applications heavily
Ransomware Response
Next
• Most Organizations Hit By Ransomware Buy New Stuff and Fix Old Stuff
• Now is a great time to fix those old security issues you couldn’t fix because it would possibly cause too much downtime
• What new stuff is needed?
• Will it really help to prevent the next attack?
• What new people and roles are needed?
• Never covered by insurance
Ransomware Response
Review Ransomware Incident Response
• Review the good, the bad, the ugly
• What went wrong?
• Update ransomware response plan accordingly
Ransomware Response
Prevent Next Time
KnowBe4 Security Awareness Training
Baseline Testing
We provide baseline testing to assess the Phish-Prone™ percentage of your users through a free simulated phishing attack.
Generating Industry-Leading Results and ROI
• Reduced Malware and Ransomware Infections