Index
A
accounts, priming, 80
action plan, creating, 106
actionable intelligence, 139
active notification, 87
actors, incident response, 94–95
amateur, 143
communication content analysis, 142–143
decreasing their revenue, 273–274
decryption tools, 230
identification techniques, 140–143
masquerading, 141
persistence, 74
tactics, techniques and procedures, 146
affiliates
ransomware, 40
recruitment methods, 52
AIDS Information Diskette, 28–29
Akamai, 125
antianalysis, 47
asymmetric encryption, 30, 32–33, 34–35, 38, 51
Athens Orthopedic Clinic, 41
ATT&CK framework, 65
attacks
credential stuffing, 253
entry methods, 65–72. See also entry methods
expansion, 72–74. See also expansion
leverage, 80. See also leverage
no-malware, 133
notification methods, 85. See also notification
authentication
logs, 158
automation, 27
exfiltration, 83
awareness, cybersecurity, 246
B
backing up important data, 210–211
backups, 226
disaster recovery, 264
immutable, 266
key services and data, 265
offsite, 266
restoring data from, 226
Bates, J., 29
BCP (business continuity plan), 262–263
negotiating in, 186
as ransom payment, 198
BitDefender, 51
BleepingComputer.com, 145
Bloomberg, M., 42
branded data leak sites, 55–56
breach(es), 150
moving forward with the investigation, 152
outcomes of an investigation, 152
building your recovery environment, 211
improving technology, 213
network segments, 212
C
C2 (command-and-control) server, 74
chat application, as method of communication, 173
checklist
cybersecurity program, 293–295
investigation, 281
negotiation, 282
payment, 283
choosing your negotiator, 171
CIA Triad, 5
Cisco Talos, 21
Coalition, 11
Colonial Pipeline, 14–15, 19, 194, 196
communication, 107–108. See also negotiation(s)
with affected parties, 110–111
confidentiality, 111
email, 172
listening, 108
perimeter, 128
public relations, 111
template, 287
using a chat application, 173
compliance
confidentiality, 111
contact information, incident response team member, 287
disable persistence mechanisms, 121–122. See also persistence mechanisms
effective, 116
gain access to the environment, 117
halting data exfiltration, 123–124
halting encryption/deletion, 118. See also halting encryption/deletion
lock out the hackers, 125–129. See also locking out hackers
mistakes, consequences of, 116
resolve denial-of-service attacks, 124–125
taking stock, 133
threat hunting, 129–133. See also threat hunting
Conti, 59–60, 82, 130, 255, 272
continuous monitoring, 261
Coveware, 10
credential stuffing attacks, 253
crisis. See also incident response, phases, 92–93
cryptocurrency, 35
antianalysis, 47
blockchain, 36
cyber extortion and, 36
KYC (“know your customer”), 200
negotiating in, 186
payment intermediaries, 201–202
as ransom payment, 197–198, 199–200
cryptography, 32
Cuckoo, 232
cyber extortion, 3–4, 25–26. See also incident response; investigation(s); negotiation(s); payment
active notification, 87
adversary, 6
amateur, 143
crisis management, 92
cryptocurrency, 36
Dark Overlord group, 20
definition, 4
early, 42
hybrid attacks, 19
impacts. See impacts of modern cyber extortion
notification methods, 85
opportunistic attacks, 17
passive notification, 86
public relations programs, 54
published notification, 87
ransom note, 94
refusal of payment, 54
scaling up, 19
shutting down computers, 120
standardized playbooks and toolkits, 59–60
third-party outreach, 87
triple extortion, 44
victim selection, 17
cyber insurance, 2, 151, 174, 246–248
payment approval process, 203
payment intermediaries, 202
response services, 95, 103–104
role in ransom payment, 197
Cybereason, 8
cybersecurity program, 240. See also preventing entry
controls assessment, 249
funding your program, 246
incident tracking, 249
performing an inventory, 241
risk assessment, 249
risk management, 242–248. See also risk management
technical security testing, 249
training, 246
understand your obligations, 242
D
Dark Overlord group, 20, 40–42, 87
antianalysis, 47
onion routing, 37
Darkside cartel, 14, 53, 56, 57
Darwich, A., 15
data
-loss prevention systems, 268–269
re-creating, 227
sensitivity, assessing, 101
transferring, 225
transferring to production network, 234
DCs (domain controllers), restoring, 219–220
DDoS (distributed denial-of-service) attacks, resolving, 124–125
adversary tools, 230
check for malware, 234
transferring data to production network, 234
verifying integrity of decrypted data, 233
checking for malicious or unexpected behavior, 232
test functionality in an isolated environment, 232–233
denial cyber extortion, 6, 7–8
halting encryption/deletion, 118
detection
incentivizing, 270
Dharma ransomware, 71
digital coin, 36
DLP (data-loss prevention), 268–269
documentation, 105, 107. See also scoping
cybersecurity program, 244
file permission changes, 119
network, 224
updating, 235
downtime, 8
E
EDR (endpoint detection and response) software, 117–118, 216, 258–259
as method of communication, 172
spam filtering, 251
Emotet group, 19
encryption, 32
GandCrab software, 123
halting, 118
hash function, 34
symmetric, 33
entry methods
software vulnerability, 70
technology supplier attack, 71–72
EternalBlue vulnerability, 17, 21
event logging, priming, 79. See also logs
evidence, 104
authentication logs, 158
encrypted file extensions, 155–156
firewall logs, 157
flow records, 157
preservation, 152–153, 217–218, 221
ransom note metadata, 155
security software and devices, 154
storing, 160
volatile, 156
automated RAT, 83
indicators, 85
mass repository theft, 84
expansion
persistence, 74
exposure extortion, 5, 40–42, 185, 196, 241
extortion, 4. See also cyber extortion
exposure, 5, 40–42, 185, 196, 241
portals, 50
triple, 44
EZ Mart, 15
F
faux cyber extortion, 6
finance team, incident response role, 95
financial loss
remediation costs, 10
financial resource assessment, 103–105
firewall logs, 157
forensic investigation, phases, 148
framework
cybersecurity controls, 243–244
Mitre ATT&CK, 65
affiliate recruitment methods, 52
evolving technology, 50
funding your cybersecurity program, 246
G
ransomware-as-a-service model, 39–40
recruitment methods, 52
Gemini Advisory, 49
General Data Protection Regulation (GDPR), 15–16
Globe ransomware, 141
GlobeImposter group, 259
golden image, 223
Gostev, A., 30
Gpcode, 30
Group Policy, ransomware detonation, 81
H
“hacker court”, 53
haggling, 186
making your counteroffer, 187–188
setting the price, 187
halting encryption/deletion, 118
change file access permissions, 119
documentation, 119
kill the malicious processes, 120–121
remove power, 120
Harty, S., 205
hash function, 34
Hayes, D., Practical Guide to Digital Forensics Investigations, 150
high-value servers, restoring, 221
Hollywood Presbyterian Medical Center, 39, 196
Honda Motor Company, ransomware attack, 145
hostage negotiations, learning from, 177. See also negotiation(s)
human resources, incident response role, 95
I
identifying the adversary, 140
communication content analysis, 142–143
malware strain, 144
IDS/IPS (intrusion detection/intrusion prevention system), 215
impacts of modern cyber extortion
financial loss, 9–12. See also financial loss
incentivizing detection and monitoring, 270–271
incident response. See also investigation(s)
assess your resources, 102–105
assign responsibilities, 106
containment, 115–116. See also containment
create an action plan, 106
estimate timing, work effort, and costs, 107
gaining access to the environment, 117
informing affected parties, 110–111
public relations, 111
supporting technology, 288
team member responsibilities, 108–109
team members, contact information, 287
template, 287
triage, 98–100. See also triage
indicators
appraisal, 77
compromised service and network application, 78
detonation, 82
exfiltration, 85
logging and monitoring software priming, 79
network reconnaissance, 75
security software attack, 78
software vulnerability, 70
technology manufacturer attacks, 72
unauthorized accounts and permissions, 80
information sharing, 179
what to hold back for later use, 182
what to share, 182
infrastructure, restoring, 221–223
initial access brokers, 19, 46
insurance. See cyber insurance
inventory, performing, 241
investigation(s), 137–138. See also evidence
checklist, 281
decide whether to investigate further, 151
determine legal, regulatory, and contractual obligations, 150–151
evidence preservation, 152–153
forensic, 148
scoping, 146–150. See also scoping
IT, incident response role, 95
J-K
Johnson Community School District, 41, 87
Kaseya ransomware attacks, 22, 50–51, 245
Kaspersky, 30
key, 32
kill chain, 65
KYC (“know your customer”), 200
L
lateral movement, 75
law enforcement, incident response role, 97
Lazarus Bear Armada, 124
leadership, incident response role, 95
leverage, 80
exfiltration, 82–83. See also exfiltration
lockerware, 31
locking out hackers
audit accounts, 127
minimize third-party access, 128–129
mitigate risks of compromised software, 129
multifactor authentication, 127–128
remote connection services, 125–126
reset passwords for local and cloud accounts, 126–127
restrict perimeter communications, 128
logging and monitoring software, priming, 79
logs, 216. See also monitoring
authentication, 158
firewall, 157
time zone, 158
web proxy, 251
long-term storage, 216
M
Maersk, 9
malware
decryption and, 234
Gpcode, 30
lockerware, 31
NotPetya, 9
Reveton, 31
strains, 144
managed service providers (MSPs), 20–21
Marketo, 58
mass repository theft, 84
Mathewson, N., 38
metadata, ransom note, 155
methodology, threat hunting, 130
MFA (multifactor authentication), 127–128
Microsoft Exchange, 21–23, 255–256
mining, Bitcoin, 36
MITRE, ATT&CK framework, 65
modification, 5
Monero, 198
monitoring, 214. See also incident response
continuous, 261
detection and response processes, 216–217
goals of, 214
timing, 215
Motkowicz, S., 17
MSPs (managed service providers), 128–129
multifactor authentication, 253
N
NDR (network detection and response), 260
negotiation(s), 163–164, 181. See also payment
adversary pressure tactics, 173–175
business mindset of adversaries, 164–165
checklist, 282
choosing your negotiator, 171
cryptocurrency, 186
information security goals, 168–169
learning from hostage negotiations, 177
making a counteroffer, 187–188
preventing publication or sale of data, 170–171
proof of life, 183–185. See also proof of life
setting the price, 187
sharing information, 179. See also information sharing
tone, 176
trust and, 177
using a chat application, 173
using email, 172
NIST (U.S. National Institute for Security and Technology), 244
no-malware attacks, 133
notification, 85
active, 87
passive, 86
publication, 87
third-party outreach, 87
O
OFAC (Office of Foreign Assets Control), 199, 201
offsite backups, 266
one-way hash function, 32
onion routing, 37
operational impact assessment, 100–101
operational resilience, 261–262
BCP (business continuity plan), 262–263
operators, ransomware, 40
opportunistic attacks, cyber extortion, 17
P
paid staff, cyber extortion group, 47–49
passive notification, 86
password(s)
patient zero, 149
payment, 193
checklist, 283
cryptocurrency, 197–198, 199–200, 204–205
exceptions, 200
fluctuating cryptocurrency prices, 203–204
funds transfer delays, 203
insurance approval process, 203
legality of, 194
nonreversible transactions, 198
role of cyber insurers, 197
tax deductions, 205
timing issues, 202
transaction and processing fees, 202
penetration test reports, 175
permissions
auditing, 127
documentation, 119
priming, 80
persistence mechanisms
automatic startup, 122
monitoring process, 122
scheduled tasks, 122
Petya ransomware, 141
opportunities for detection, 67–68
RATs (remote access Trojans), 67
postmortem analysis, 235
power, removing, 120-
preserving evidence, 152–153, 217–218, 221
third-party evidence, 160
preventing entry, 250
detecting and blocking threats, 258–261
EDR (endpoint detection and response), 258–259
NDR (network detection and response), 260
secure remote access solutions, 254–255
strong authentication, 252–254
threat hunting, 260
priming, 77
accounts and permissions, 80
antivirus and security software, 77–78
logging and monitoring software, 79
running processes and applications, 78
privilege escalation, 75
proactive prevention, 271
procedures, 286
production systems, restoring, 227
proof of life, 183
denial extortion cases, 184–185
exposure extortion cases, 185
goals and limitations, 184
refusal to provide, 185
public relations, 54, 96, 111, 235
branded data leak sites, 55–56
third-party exposure extortion services, 58
published data, preventing, 170
published notification, 87
purchasing a decryptor, 169–170
Q-R
ransomware, 3, 9. See also impacts of modern cyber extortion
AIDS Information Diskette, 28–29
amateur, 143
asymmetric encryption, 33
Conti, 130
decryptor, 8
Dharma, 71
GandCrab loader, 17
Globe, 141
GlobeImposter, 259
operators, 40
opportunistic attacks, 17
payment systems, 31
refusal of payment, 54
scaling up, 19
-as-a-service, 17, 39–40, 50, 84, 140
SNAKE, 145
symmetric encryption, 33
Zorab, 119
RATs (remote access Trojans), 67, 83
RDP (Remote Desktop Protocol), 68–69, 71
recovery, 101–102, 209–210. See also restoring devices and data
backing up your important data, 210–211
build your recovery environment, 211–213. See also building your recovery environment
decryption, 227–234. See also decryption
postmortem analysis, 235
restore based on order of operations, 219
restoring individual computers, 217–218
set up monitoring and logging, 214–217. See also monitoring
re-creating data, 227
recruitment methods, 52
refusal of payment, 54
regulatory compliance, 235, 242, 270
SBOM (“software bill of materials”), 257
remediation costs, 10
remote access, 117
resources
documentation, 105
evidence, 104
staff, 104
technology, 104
restoring devices and data, 219, 224–225
from backups, 226
DCs (domain controllers), 219–220
high-value servers, 221
network infrastructure, 221–223
production systems, 227
re-creating data, 227
transferring data, 225
Reveton, 31
assign roles and responsibilities, 243
building your cybersecurity program, 244
choose and use a cybersecurity controls framework, 243–244
supply chain, 245
training and awareness, 246
RobbinHood, 51
RPO (recovery point objective), 101
RTO (recovery time objective), 101
S
sale of data, preventing, 170–171
SBOM (“software bill of materials”), 257
scaling up
managed service providers (MSPs), 20–21
software vulnerabilities, 22–23
technology manufacturers, 21–22
process, 148
timing and results, 149
servers, restoring, 221
shutting down power, 120
“smash-and-grab” data exfiltration, 84
SNAKE ransomware, 145
software vulnerabilities, 22–23, 70
mitigate risks of, 129-
opportunities for detection, 70
VPN, 71
Sophos, 8
spam filtering, 251
staff
incident response role, 104
threat hunting, 131
standardized playbooks and toolkits, 59–60
statistical bias, cyber extortion reports, 13–12
storing preserved evidence, 160
supply-chain risk management, 245
Swiss Army knives, 67
symmetric encryption, 33
Syverson, P., 38
T
tax deductions, for ransom payments, 205
technology manufacturers, 21–22, 71–72, 97
templates, 287
Tesla, 17
testing
technical security, 249
third-party
evidence, preserving, 160
exposure extortion services, 58, 87
methodology, 130
sources of evidence, 131
tools and techniques, 131
timeliness, negotiation, 176–177
timestamps, as evidence, 158
TOCRP (Transnational Organized Crime Rewards Program), 273
tone, negotiation, 176
Cuckoo, 232
Windows Sysinternals, 121
EDR (endpoint detection and response), 118
threat hunting, 131
TOR (The Onion Routing project), 38
training
cybersecurity, 246
phishing defenses, 252
assess the current state, 100–101
assessment of data sensitivity, 101
backing up important data, 211
determine next steps, 102
importance of, 99
triple extortion, 44
Trojan horse
AIDS Information Diskette, 28–29
Dridex, 259
trust, negotiations and, 177
TTPs (tactics, techniques, and procedures), 146
Twitter, 55
U
underreporting, cyber extortion, 13
United States
Cyber Incident Reporting for Critical Infrastructure Act (2022), 12
Health Information Technology for Economic and Clinical Health (HITECH), 15–16
HIPAA (Health Insurance Portability and Accountability Act), 15–16
TOCRP (Transnational Organized Crime Rewards Program), 273
user accounts, auditing, 127
V
victim selection
hybrid attacks, 19
opportunistic, 17
visibility, 270
volatile evidence, 156, 159–160
VPN (virtual private network), vulnerability, 71
W
wallet, private and public key, 36
web portal, as method of communication, 172–173, 179–180
web proxy, 251
William, C., 21
Williamson, D., 205
Wood Ranch Medical, 8
workstations, restoring, 223–224
Wyatt, N., 42
X-Y
Yandex, 31
Young, B.C.J., 195
Z
zero-day vulnerabilities, 22–23
zero-trust approach, 223
Zezev, O., 42
Zorab, 119