
The Ransomware Hostage Rescue Checklist: Your Step-by-Step Guide To Preventing and Surviving a Ransomware Attack

Roger A. Grimes
Data-Driven Security Evangelist
rogerg@knowbe4.com
About Roger
• 30 years plus in computer security, 20 years pen testing
• Expertise in host and network security, IdM, crypto, PKI, APT, honeypot, cloud security
• Consultant to world’s largest companies and militaries for decades
• Previously worked for Foundstone, McAfee, Microsoft
• Written 13 books and over 1,200 magazine articles
• InfoWorld and CSO weekly security columnist 2005 - 2019
• Frequently interviewed by magazines (e.g., Newsweek) and radio shows (e.g., NPR’s All Things Considered)

Certification exams passed include:
• CPA
• CISSP
• CISM, CISA
• MCSE: Security, MCP, MVP
• CEH, TISCA, Security+, CHFI
• yada, yada

Roger A. Grimes
Data-Driven Defense Evangelist
KnowBe4, Inc.
e: rogerg@knowbe4.com
Twitter: @RogerAGrimes
LinkedIn: https://www.linkedin.com/in/rogeragrimes/

Roger’s Books
About Us
• Provider of the world's largest integrated Security Awareness Training and Simulated Phishing platform
• Based in Tampa Bay, Florida, founded in 2010
• CEO & employees are ex-antivirus, IT Security pros
• We help tens of thousands of organizations manage the ongoing problem of social engineering
• Winner of numerous industry awards
Agenda
• Preventing a Ransomware Attack
• Step-by-Step Incident Response

KnowBe4 Ransomware Hostage Rescue Manual
https://info.knowbe4.com/ransomware-hostage-rescue-manual-0

Agenda
• Preventing a Ransomware Attack
• Step-by-Step Incident Response
What Ransomware Looks Like Now
Today’s Ransomware Workflow
1. Victim tricked into executing “stager” trojan horse program, which modifies host system
2. After executing, it immediately downloads updates and additional malware & instructions from C&C servers
3. Updates itself to keep ahead of AV/EDR detection, new payloads, spreads
4. Collects as many passwords as it can
5. Notifies C&C/hacker about new intrusion
6. Dwells (sometimes up to 8 to 12 months)
7. Hackers come in, assess and analyze target
8. Steal whatever they want
9. Launch encryption and ask for ransom
Ransomware Today
Not Just Encryption
• Steals Credentials (company, employee, customer)
• Steals Intellectual Property/Leaks Data
• Threatens Victim’s Employees & Customers
• Other Things (e.g., cryptomining, DDoS, etc.)
• Public Shaming

Good luck having a good backup alone save you!

Defenses
Recognize What The Real Problem Really Is
• Ransomware is not the real problem
• It’s how ransomware got in
• It’s how ransomware got admin
• If you don’t stop hackers and malware from breaking in and getting admin, you’re never going to stop the nuclear badness
• They will always be able to do very bad things
Data-Driven Computer Defense
How Ransomware Attacks
[Chart: share of root causes that are social engineering (s/e) or software (s/w) related, and password attacks]
Top Ransomware Root Exploit Causes (in order)
• Social Engineering
• RDP Attacks
• Unpatched Software
• Password Attacks
• Other
https://info.knowbe4.com/wp-root-causes-ransomware

How Ransomware Attacks
Ransomware Root Exploit Causes (Other)
• USB keys
• Google Ads
• Bribed Employees
• Voice calls (https://us-cert.cisa.gov/ncas/alerts/aa21-265a)
Best Defenses
Top Defenses for Most Organizations (in order of importance)
• Focus on Mitigating Social Engineering
• Patch Internet-Accessible Software
• Use Multifactor Authentication (MFA)/Non-guessable passwords
• Use phishing-resistant MFA where you can to protect valuable data; where you can’t:
  • Use different passwords for every website and service
  • Enable account lockout policies on login portals/APIs
• Teach Users How to Spot Rogue URLs
  • https://blog.knowbe4.com/top-12-most-common-rogue-url-tricks
  • https://info.knowbe4.com/rogue-urls
• Great, complete, tested, secure, 3-2-1 backup
All Anti-Phishing Defenses
Everything You Can Try to Prevent Phishing
• Webinar: https://info.knowbe4.com/webinar-stay-out-of-the-net
• E-book: https://info.knowbe4.com/comprehensive-anti-phishing-guide

Other KnowBe4 Ransomware Resources
• KnowBe4 Ransomware Portal: https://www.knowbe4.com/ransomware
• Ransomware Simulator (Ransim): https://www.knowbe4.com/ransomware-simulator

Agenda
• Preventing a Ransomware Attack
• Step-by-Step Incident Response

KnowBe4 Ransomware Resources
• Ransomware Hostage Rescue Manual: https://info.knowbe4.com/ransomware-hostage-rescue-manual-0
• Ransomware Response Step-by-Step Checklist: https://www.knowbe4.com/ransomware#ransomwarechecklist
Ransomware Response
Preparation
• Create, communicate and practice a ransomware response plan
• Tabletop-practice it at least once per year
• Educate to remove any staff “cowboy/cowgirl” tendencies
• Have alternative communication method known and distributed
• Have call sheet
• Decide ahead of time if you are going to pay the ransom

Ransomware Response
Preparation – Multiple Plans Should Already Be in Place
Ransomware Incident Response Plan should be a subcomponent of your:
• Disaster Recovery Plan
• Business Continuity Plan
• Incident Response Plan

OK, So You Got Hit By Ransomware
Ransomware Response
First Things First
• There are fake “scareware” ransomware attacks
• Is it possibly wiperware?
• Weird file extensions?
• Ransom note?
• Are files really modified?
• What appears impacted?
• Start documentation trail on previously agreed upon wiki
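A quick triage script for the questions on this slide (weird extensions, ransom note, are files really modified), added here as an example that is not part of the original deck: it builds a small constructed sample tree and uses a byte-entropy check to tell genuinely encrypted files from files that were merely renamed, which is what scareware does. The suspect extensions, the note-name patterns and the 7.5 bits/byte threshold are assumptions for illustration, not a vetted indicator list.

```python
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# Heuristics are constructed for this example, not an exhaustive list.
SUSPECT_SUFFIXES = {".locked", ".encrypted", ".crypt", ".enc"}
NOTE_NAME_RE = re.compile(r"readme|decrypt|restore|recover|how[_ -]?to", re.I)
HIGH_ENTROPY = 7.5  # bits/byte; real ciphertext sits near 8.0, text near 4-5

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the given data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: Path) -> str:
    """Answer the slide's questions for one file: note? odd extension? really modified?"""
    if NOTE_NAME_RE.search(path.stem) and path.suffix.lower() in {".txt", ".html", ".hta"}:
        return "ransom-note"
    if path.suffix.lower() in SUSPECT_SUFFIXES or len(path.suffixes) > 1:
        # Extension looks like ransomware; check whether the bytes are actually encrypted
        ent = shannon_entropy(path.read_bytes()[:65536])
        return "encrypted" if ent >= HIGH_ENTROPY else "renamed-only"
    return "normal"

def triage(root: Path) -> dict:
    """Bucket every file under root; 'renamed-only' hits point at scareware."""
    buckets = {"ransom-note": [], "encrypted": [], "renamed-only": [], "normal": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            buckets[classify(p)].append(p.name)
    return buckets

def build_sample_tree(root: Path) -> None:
    """Constructed sample files standing in for a hit file share."""
    rng = random.Random(1)
    (root / "notes.txt").write_text("Quarterly report line\n" * 200)
    (root / "budget.xlsx.locked").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    (root / "plan.docx.locked").write_text("Still readable plaintext\n" * 200)  # extension only
    (root / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover them.")

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(Path(d))
        return triage(Path(d))
```

Running `demo()` returns the four buckets; a share full of "renamed-only" hits means the extortion note is bluffing, while "encrypted" hits mean the data really was rewritten.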
Ransomware Response
Next
• Everyone should know their predefined roles and expectations
• Early tasks include looking for more signs of spread
• What is and isn’t impacted?
• Notify organization’s communications team
  • Will need to communicate to staff, customers, regulators, investors, etc.
• Legal should communicate with any outside parties
• Don’t usually have to involve insurance co’s yet unless they help with response
Ransomware Response
Next
Try to stop further:
• Spread
• Damage
• Communication to and from ransomware hackers
• Disable networking at hubs, switches and routers, if possible
  • Know commands and practice ahead of time
  • Easier to restore network access when needed
  • Know ahead of time what you can and can’t disable
• When in doubt of wiperware vs. ransomware, power off
Ransomware Response
Next
Impact
• What locations?
• What OS’s?
• What apps?
• What types of files?
• What isn’t impacted?
• If ransom extortion message has a link, don’t click it!
  • Could start timer countdown and notify ransomware hackers of new conquest
Ransomware Response
Next
Assume until otherwise disproven:
• Months of ransomware dwell time
• Multiple malware programs and tools involved
• Data exfiltration
• Emails eavesdropped on
• All passwords known
• Ransomware attacker will publicly post about compromise
• Backups potentially compromised

Ransomware Response
Next
84% or more of ransomware does data exfiltration
Ransomware Response
Credential Theft Checks
• Look for unusual logins
  • Times, Dates, Places
• Check password “dump” sites and services
  • www.haveibeenpwned.com
  • https://www.knowbe4.com/password-exposure-test
• Use password dump checking tools like recon-ng
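One way to run the “Times, Dates, Places” check over exported sign-in events, added here as an example that is not from the deck: it learns each user’s normal login hours, weekdays and countries from pre-incident history, then flags logins in the review window that break that pattern, including an impossible-travel check for two countries within a short interval. All events are constructed sample data, and the two-hour travel window is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (user, timestamp, country, source IP).
# BASELINE is pre-incident history; RECENT is the dwell-time window under review.
BASELINE = [
    ("alice", "2023-05-01T09:05:00", "US", "203.0.113.10"),
    ("alice", "2023-05-02T08:40:00", "US", "203.0.113.10"),
    ("alice", "2023-05-03T17:55:00", "US", "203.0.113.10"),
    ("alice", "2023-05-04T10:10:00", "US", "203.0.113.10"),
    ("bob", "2023-05-01T10:00:00", "US", "203.0.113.22"),
    ("bob", "2023-05-03T14:30:00", "US", "203.0.113.22"),
]
RECENT = [
    ("alice", "2023-06-03T03:12:00", "US", "203.0.113.10"),  # 3 AM on a Saturday
    ("alice", "2023-06-05T10:00:00", "RO", "198.51.100.7"),  # country never seen before
    ("alice", "2023-06-05T10:20:00", "US", "203.0.113.10"),  # 20 minutes later, back in US
    ("bob", "2023-06-05T14:00:00", "US", "203.0.113.22"),    # ordinary for bob
]

def build_profile(events):
    """Per-user sets of login hours, weekdays and countries seen in the history."""
    prof = defaultdict(lambda: {"hours": set(), "days": set(), "countries": set()})
    for user, ts, country, _ip in events:
        t = datetime.fromisoformat(ts)
        prof[user]["hours"].add(t.hour)
        prof[user]["days"].add(t.weekday())
        prof[user]["countries"].add(country)
    return prof

def flag_logins(profile, events, travel_window=timedelta(hours=2)):
    """Return [(user, ts, reasons)] for logins that break the user's pattern.
    A user with no history has an empty profile, so every login is flagged."""
    flagged, last_seen = [], {}
    for user, ts, country, _ip in sorted(events, key=lambda e: e[1]):
        t, p, reasons = datetime.fromisoformat(ts), profile[user], []
        if t.hour not in p["hours"]:
            reasons.append("unusual hour")
        if t.weekday() not in p["days"]:
            reasons.append("unusual weekday")
        if country not in p["countries"]:
            reasons.append(f"new country {country}")
        prev = last_seen.get(user)  # (time, country) of this user's previous login
        if prev and prev[1] != country and t - prev[0] <= travel_window:
            reasons.append(f"impossible travel {prev[1]}->{country}")
        last_seen[user] = (t, country)
        if reasons:
            flagged.append((user, ts, reasons))
    return flagged
```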
Ransomware Response
Next
• Extortion message and treatment of encrypted files are usually the easiest identification methods
• Some incident responders/ransomware experts are familiar with particular ransomware strains and can help you better than people who aren’t familiar with a particular strain

Ransomware Response
Next
• No one should assume that everyone knows all the facts
• Share what you know
• Document, document, document
• Share with others and make sure everyone agrees with initial assessment

Ransomware Response
Next
• Assume initial assessment may have mistakes
• Try to avoid initial assessment mistakes
• But don’t be shocked if new information changes initial assessment
Ransomware Response
Next
• If you decide to pay ransom, make sure it is legal to do so
• New or complete rebuild is always the safer choice
• Repair option is usually faster, but riskier
• Senior mgmt. and legal should make these decisions
Ransomware Response
Notifying Authorities
• Notifying legal authorities may result in them taking control over actions and investigation (usually not, but there is an increased chance)
• In the U.S., there is some additional legal protection by notifying CISA and/or FBI (or Secret Service)
• Depending on regulations that apply to your organization, you may need to notify customers and other stakeholders
• May need to declare official “data breach”
  • Don’t do this lightly; let sr. management and legal decide and declare
Ransomware Response
Contacting Ransomware Attacker
Usually:
• May need to establish new email account/TOR account, etc.
• Starts timer countdown
• Hacker wants to be paid within one week
• Requested ransom extortion payment is negotiable within certain parameters
• Paying half the initial requested ransom is not uncommon
• Don’t antagonize ransomware hacker
• If you use a professional ransomware negotiator, make sure they are reputable

Ransomware Response
Paying Ransom
• Make sure legal, senior mgmt. decide
• Usually payment is in bitcoin, but can be other cryptocurrency
• If you don’t have established cryptocurrency exchange/wallet to use:
  • Can take days to set up new cryptocurrency account and establish funds
  • Many services exist to help you get/pay cryptocurrency faster, but will charge a percentage fee
• May be tax deductible
Ransomware Response
Next
• Determine what mission-critical apps you need to get back up and working first (should know this ahead of time)
• Know critical dependencies ahead of time (or determine)

Ransomware Response
Next
• Usually, infrastructure is first before everything else
  • DNS, IP, DHCP, Active Directory
• Get IT security back up and running, then apps
• Start re-enabling needed network ports and pathways
• When in doubt, rebuild
Ransomware Response
Next
• Clean apps, and before running apps or opening network/Internet:
  • Reset all possibly compromised passwords
Ransomware Response
Next
• Preserving evidence
  • If not sure, assume this is necessary
  • Take memory and disk snapshots before modifying existing devices
  • Build new instances on new devices

Ransomware Response
Next
• Restoring Data
  • From recovered encrypted files with hacker’s help or trusted, tested backups?

Ransomware Response
Next
• Restoring Data from Encrypted Files Using Hacker Decryption Keys
  • If using ransomware decryption keys, get “proof of life” from hacker that decryption keys they supply will actually work (ransomware gangs are used to this request)
  • Usually, multiple decryption keys involved
  • Usually, you have to pay a little up front to get test decryption key
  • Do not test on only instance of encrypted data
    • Copy encrypted files/disk copy (get secondary instance)
    • Test decryption keys/programs on secondary instance
Ransomware Response
Next
• Unit Testing
  • After restoring networking, systems and data, test
  • Create and test all possible inputs into system
  • Have expected pre-determined outputs
  • Compare inputs and expected outputs
  • Note any unexpected results
  • Have supervisor sign off on application as fully tested and ready to go

Ransomware Response
Turn Network/Internet Back On
When all systems are known clean, all possible malware removed, all possibly compromised passwords reset, etc.:
• Turn on network
• Turn on Internet
• Should be done slowly
• Monitor Internet, network, devices and applications heavily
• Be prepared for emergency re-lockdown, if needed
Ransomware Response
Next
• Most Organizations Hit By Ransomware Buy New Stuff and Fix Old Stuff
  • Now is a great time to fix those old security issues you couldn’t fix because it would possibly cause too much downtime
  • What new stuff is needed?
  • Will it really help to prevent the next attack?
  • What new people and roles are needed?
  • Never covered by insurance

Ransomware Response
Review Ransomware Incident Response
• Review the good, the bad, the ugly
• What went wrong?
• Update ransomware response plan accordingly
Ransomware Response
Prevent Next Time
You Are More Likely To Be Hit Again, If:
• You don’t determine the initial root cause
• You don’t pay the ransom
• You repair versus rebuild
• You don’t harden your environment against future attacks
KnowBe4 Security Awareness Training
Baseline Testing
We provide baseline testing to assess the Phish-Prone™ percentage of your users through a free simulated phishing attack.

Train Your Users
The world's largest library of security awareness training content, including interactive modules, videos, games, posters and newsletters. Automated training campaigns with scheduled reminder emails.

Phish Your Users
Best-in-class, fully automated simulated phishing attacks, thousands of templates with unlimited usage, and community phishing templates.

See the Results
Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!
Generating Industry-Leading Results and ROI
• Reduced Malware and Ransomware Infections
• Reduced Data Loss
• Reduced Potential Cyber-theft
• Increased User Productivity
• Users Have Security Top of Mind

84% Average Improvement across all industries and sizes from baseline testing to one year or more of ongoing training and testing
Note: The initial Phish-Prone percentage is calculated on the basis of all users evaluated. These users had not received any training with the KnowBe4 platform prior to the evaluation. Subsequent time periods reflect Phish-Prone percentages for the subset of users who received training with the KnowBe4 platform.
Source: 2021 KnowBe4 Phishing by Industry Benchmarking Report

Questions?
Roger A. Grimes – Data-Driven Defense Evangelist, KnowBe4
rogerg@knowbe4.com
Twitter: @rogeragrimes
https://www.linkedin.com/in/rogeragrimes/

Tel: 855-KNOWBE4 (566-9234) | www.KnowBe4.com | Sales@KnowBe4.com
