Avoid becoming the next ransomware victim by taking practical steps today.

Colonial Pipeline. CWT Global. Brenntag. Travelex. The list of ransomware victims is long, distinguished, and sophisticated. And it's growing longer every day.

In Ransomware Protection Playbook, computer security veteran and expert penetration tester Roger A. Grimes delivers an actionable blueprint for organizations seeking a robust defense against one of the most insidious and destructive IT threats currently in the wild. You'll learn about concrete steps you can take now to protect yourself or your organization from ransomware attacks.

In addition to walking you through the necessary technical preventative measures, this critical book will show you how to:

- Quickly detect an attack, limit the damage, and decide whether to pay the ransom
- Implement a pre-set game plan in the event of a game-changing security breach to help limit the reputational and financial damage
- Lay down a secure foundation of cybersecurity insurance and legal protection to mitigate the disruption to your life and business

A must-read for cyber and information security professionals, privacy leaders, risk managers, and CTOs, Ransomware Protection Playbook is an irreplaceable and timely resource for anyone concerned about the security of their, or their organization's, data.
ROGER A. GRIMES is a 34-year computer security expert and author on the subject of hacking, malware, and ransomware attacks. He was the weekly security columnist at InfoWorld and CSO Magazines between 2005 and 2019. He is frequently interviewed and quoted, including by Newsweek, CNN, NPR, and the WSJ.
Table of Contents

Acknowledgments
Introduction

Part I: Introduction

Chapter 1: Introduction to Ransomware
  How Bad is the Problem?
  Variability of Ransomware Data
  True Costs of Ransomware
  Types of Ransomware
  Fake Ransomware
  Immediate Action vs. Delayed
  Automatic or Human-Directed
  Single Device Impacts or More
  Ransomware Root Exploit
  File Encrypting vs. Boot Infecting
  Good vs. Bad Encryption
  Encryption vs. More Payloads
  Ransomware as a Service
  Typical Ransomware Process and Components
  Infiltrate
  After Initial Execution
  Dial-Home
  Auto-Update
  Check for Location
  Initial Automatic Payloads
  Waiting
  Hacker Checks C&C
  More Tools Used
  Reconnaissance
  Readying Encryption
  Data Exfiltration
  Encryption
  Extortion Demand
  Negotiations
  Provide Decryption Keys
  Ransomware Goes Conglomerate
  Ransomware Industry Components
  Summary

Chapter 2: Preventing Ransomware
  Nineteen Minutes to Takeover
  Good General Computer Defense Strategy
  Understanding How Ransomware Attacks
  The Nine Exploit Methods All Hackers and Malware Use
  Top Root-Cause Exploit Methods of All Hackers and Malware
  Top Root-Cause Exploit Methods of Ransomware
  Preventing Ransomware
  Primary Defenses
  Everything Else
  Use Application Control
  Antivirus Prevention
  Secure Configurations
  Privileged Account Management
  Security Boundary Segmentation
  Data Protection
  Block USB Keys
  Implement a Foreign Russian Language
  Beyond Self-Defense
  Geopolitical Solutions
  International Cooperation and Law Enforcement
  Coordinated Technical Defense
  Disrupt Money Supply
  Fix the Internet
  Summary

Chapter 3: Cybersecurity Insurance
  Cybersecurity Insurance Shakeout
  Did Cybersecurity Insurance Make Ransomware Worse?
  Cybersecurity Insurance Policies
  What's Covered by Most Cybersecurity Policies
  Recovery Costs
  Ransom
  Root-Cause Analysis
  Business Interruption Costs
  Customer/Stakeholder Notifications and Protection
  Fines and Legal Investigations
  Example Cyber Insurance Policy Structure
  Costs Covered and Not Covered by Insurance
  The Insurance Process
  Getting Insurance
  Cybersecurity Risk Determination
  Underwriting and Approval
  Incident Claim Process
  Initial Technical Help
  What to Watch Out For
  Social Engineering Outs
  Make Sure Your Policy Covers Ransomware
  Employee's Mistake Involved
  Work-from-Home Scenarios
  War Exclusion Clauses
  Future of Cybersecurity Insurance
  Summary

Chapter 4: Legal Considerations
  Bitcoin and Cryptocurrencies
  Can You Be in Legal Jeopardy for Paying a Ransom?
  Consult with a Lawyer
  Try to Follow the Money
  Get Law Enforcement Involved
  Get an OFAC License to Pay the Ransom
  Do Your Due Diligence
  Is It an Official Data Breach?
  Preserve Evidence
  Legal Defense Summary
  Summary

Part II: Detection and Recovery

Chapter 5: Ransomware Response Plan
  Why Do Response Planning?
  When Should a Response Plan Be Made?
  What Should a Response Plan Include?
  Small Response vs. Large Response Threshold
  Key People
  Communications Plan
  Public Relations Plan
  Reliable Backup
  Ransom Payment Planning
  Cybersecurity Insurance Plan
  What It Takes to Declare an Official Data Breach
  Internal vs. External Consultants
  Cryptocurrency Wallet
  Response
  Checklist
  Definitions
  Practice Makes Perfect
  Summary

Chapter 6: Detecting Ransomware
  Why is Ransomware So Hard to Detect?
  Detection Methods
  Security Awareness Training
  AV/EDR Adjunct Detections
  Detect New Processes
  Anomalous Network Connections
  New, Unexplained Things
  Unexplained Stoppages
  Aggressive Monitoring
  Example Detection Solution
  Summary

Chapter 7: Minimizing Damage
  Basic Outline for Initial Ransomware Response
  Stop the Spread
  Power Down or Isolate Exploited Devices
  Disconnecting the Network
  Disconnect at the Network Access Points
  Suppose You Can't Disconnect the Network
  Initial Damage Assessment
  What is Impacted?
  Ensure Your Backups Are Still Good
  Check for Signs of Data and Credential Exfiltration
  Check for Rogue Email Rules
  What Do You Know About the Ransomware?
  First Team Meeting
  Determine Next Steps
  Pay the Ransom or Not?
  Recover or Rebuild?
  Summary

Chapter 8: Early Responses
  What Do You Know?
  A Few Things to Remember
  Encryption is Likely Not Your Only Problem
  Reputational Harm May Occur
  Firings May Happen
  It Could Get Worse
  Major Decisions
  Business Impact Analysis
  Determine Business Interruption Workarounds
  Did Data Exfiltration Happen?
  Can You Decrypt the Data Without Paying?
  Ransomware is Buggy
  Ransomware Decryption Websites
  Ransomware Gang Publishes Decryption Keys
  Sniff a Ransomware Key Off the Network?
  Recovery Companies Who Lie About Decryption Key Use
  If You Get the Decryption Keys
  Save Encrypted Data Just in Case
  Determine Whether the Ransom Should Be Paid
  Not Paying the Ransom
  Paying the Ransom
  Recover or Rebuild Involved Systems?
  Determine Dwell Time
  Determine Root Cause
  Point Fix or Time to Get Serious?
  Early Actions
  Preserve the Evidence
  Remove the Malware
  Change All Passwords
  Summary

Chapter 9: Environment Recovery
  Big Decisions
  Recover vs. Rebuild
  In What Order
  Restoring Network
  Restore IT Security Services
  Restore Virtual Machines and/or Cloud Services
  Restore Backup Systems
  Restore Clients, Servers, Applications, Services
  Conduct Unit Testing
  Rebuild Process Summary
  Recovery Process Summary
  Recovering a Windows Computer
  Recovering/Restoring Microsoft Active Directory
  Summary

Chapter 10: Next Steps
  Paradigm Shifts
  Implement a Data-Driven Defense
  Focus on Root Causes
  Rank Everything!
  Get and Use Good Data
  Heed Growing Threats More
  Row the Same Direction
  Focus on Social Engineering Mitigation
  Track Processes and Network Traffic
  Improve Overall Cybersecurity Hygiene
  Use Multifactor Authentication
  Use a Strong Password Policy
  Secure Elevated Group Memberships
  Improve Security Monitoring
  Secure PowerShell
  Secure Data
  Secure Backups
  Summary

Chapter 11: What Not to Do
  Assume You Can't Be a Victim
  Think That One Super-Tool Can Prevent an Attack
  Assume Too Quickly Your Backup is Good
  Use Inexperienced Responders
  Give Inadequate Considerations to Paying Ransom
  Lie to Attackers
  Insult the Gang by Suggesting Tiny Ransom
  Pay the Whole Amount Right Away
  Argue with the Ransomware Gang
  Apply Decryption Keys to Your Only Copy
  Not Care About Root Cause
  Keep Your Ransomware Response Plan Online Only
  Allow a Team Member to Go Rogue
  Accept a Social Engineering Exclusion in Your Cyber-Insurance Policy
  Summary

Chapter 12: Future of Ransomware
  Future of Ransomware
  Attacks Beyond Traditional Computers
  IoT Ransoms
  Mixed-Purpose Hacking Gangs
  Future of Ransomware Defense
  Future Technical Defenses
  Ransomware Countermeasure Apps and Features
  AI Defense and Bots
  Strategic Defenses
  Focus on Mitigating Root Causes
  Geopolitical Improvements
  Systematic Improvements
  Use Cyber Insurance as a Tool
  Improve Internet Security Overall
  Summary

Parting Words
Index