Ransomware Protection Playbook

AVOID BECOMING THE NEXT RANSOMWARE VICTIM BY TAKING PRACTICAL STEPS TODAY

Colonial Pipeline. CWT Global. Brenntag. Travelex. The list of ransomware victims is long, distinguished, and sophisticated. And it's growing longer every day.

In Ransomware Protection Playbook, computer security veteran and expert penetration tester Roger A. Grimes delivers an actionable blueprint for organizations seeking a robust defense against one of the most insidious and destructive IT threats currently in the wild. You'll learn about concrete steps you can take now to protect yourself or your organization from ransomware attacks.

In addition to walking you through the necessary technical preventative measures, this critical book will show you how to:

* Quickly detect an attack, limit the damage, and decide whether to pay the ransom
* Implement a pre-set game plan in the event of a game-changing security breach to help limit the reputational and financial damage
* Lay down a secure foundation of cybersecurity insurance and legal protection to mitigate the disruption to your life and business

A must-read for cyber and information security professionals, privacy leaders, risk managers, and CTOs, Ransomware Protection Playbook is an irreplaceable and timely resource for anyone concerned about the security of their, or their organization's, data.

ROGER A. GRIMES is a 34-year computer security expert and author on the subject of hacking, malware, and ransomware attacks. He was the weekly security columnist at InfoWorld and CSO Magazines between 2005 and 2019. He is frequently interviewed and quoted, including by Newsweek, CNN, NPR, and the WSJ.

Acknowledgments xi

Introduction xxi

PART I: INTRODUCTION 1

CHAPTER 1: INTRODUCTION TO RANSOMWARE 3

How Bad is the Problem? 4

Variability of Ransomware Data 5

True Costs of Ransomware 7

Types of Ransomware 9

Fake Ransomware 10

Immediate Action vs. Delayed 14

Automatic or Human-Directed 17

Single Device Impacts or More 18

Ransomware Root Exploit 19

File Encrypting vs. Boot Infecting 21

Good vs. Bad Encryption 22

Encryption vs. More Payloads 23

Ransomware as a Service 30

Typical Ransomware Process and Components 32

Infiltrate 32

After Initial Execution 34

Dial-Home 34

Auto-Update 37

Check for Location 38

Initial Automatic Payloads 39

Waiting 40

Hacker Checks C&C 40

More Tools Used 40

Reconnaissance 41

Readying Encryption 42

Data Exfiltration 43

Encryption 44

Extortion Demand 45

Negotiations 46

Provide Decryption Keys 47

Ransomware Goes Conglomerate 48

Ransomware Industry Components 52

Summary 55

CHAPTER 2: PREVENTING RANSOMWARE 57

Nineteen Minutes to Takeover 57

Good General Computer Defense Strategy 59

Understanding How Ransomware Attacks 61

The Nine Exploit Methods All Hackers and Malware Use 62

Top Root-Cause Exploit Methods of All Hackers and Malware 63

Top Root-Cause Exploit Methods of Ransomware 64

Preventing Ransomware 67

Primary Defenses 67

Everything Else 70

Use Application Control 70

Antivirus Prevention 73

Secure Configurations 74

Privileged Account Management 74

Security Boundary Segmentation 75

Data Protection 76

Block USB Keys 76

Implement a Foreign Russian Language 77

Beyond Self-Defense 78

Geopolitical Solutions 79

International Cooperation and Law Enforcement 79

Coordinated Technical Defense 80

Disrupt Money Supply 81

Fix the Internet 81

Summary 84

CHAPTER 3: CYBERSECURITY INSURANCE 85

Cybersecurity Insurance Shakeout 85

Did Cybersecurity Insurance Make Ransomware Worse? 90

Cybersecurity Insurance Policies 92

What’s Covered by Most Cybersecurity Policies 93

Recovery Costs 93

Ransom 94

Root-Cause Analysis 95

Business Interruption Costs 95

Customer/Stakeholder Notifications and Protection 96

Fines and Legal Investigations 96

Example Cyber Insurance Policy Structure 97

Costs Covered and Not Covered by Insurance 98

The Insurance Process 101

Getting Insurance 101

Cybersecurity Risk Determination 102

Underwriting and Approval 103

Incident Claim Process 104

Initial Technical Help 105

What to Watch Out For 106

Social Engineering Outs 107

Make Sure Your Policy Covers Ransomware 107

Employee’s Mistake Involved 107

Work-from-Home Scenarios 108

War Exclusion Clauses 108

Future of Cybersecurity Insurance 109

Summary 111

CHAPTER 4: LEGAL CONSIDERATIONS 113

Bitcoin and Cryptocurrencies 114

Can You Be in Legal Jeopardy for Paying a Ransom? 123

Consult with a Lawyer 127

Try to Follow the Money 127

Get Law Enforcement Involved 128

Get an OFAC License to Pay the Ransom 129

Do Your Due Diligence 129

Is It an Official Data Breach? 129

Preserve Evidence 130

Legal Defense Summary 130

Summary 131

PART II: DETECTION AND RECOVERY 133

CHAPTER 5: RANSOMWARE RESPONSE PLAN 135

Why Do Response Planning? 135

When Should a Response Plan Be Made? 136

What Should a Response Plan Include? 136

Small Response vs. Large Response Threshold 137

Key People 137

Communications Plan 138

Public Relations Plan 141

Reliable Backup 142

Ransom Payment Planning 144

Cybersecurity Insurance Plan 146

What It Takes to Declare an Official Data Breach 147

Internal vs. External Consultants 148

Cryptocurrency Wallet 149

Response 151

Checklist 151

Definitions 153

Practice Makes Perfect 153

Summary 154

CHAPTER 6: DETECTING RANSOMWARE 155

Why is Ransomware So Hard to Detect? 155

Detection Methods 158

Security Awareness Training 158

AV/EDR Adjunct Detections 159

Detect New Processes 160

Anomalous Network Connections 164

New, Unexplained Things 166

Unexplained Stoppages 167

Aggressive Monitoring 169

Example Detection Solution 169

Summary 175

CHAPTER 7: MINIMIZING DAMAGE 177

Basic Outline for Initial Ransomware Response 177

Stop the Spread 179

Power Down or Isolate Exploited Devices 180

Disconnecting the Network 181

Disconnect at the Network Access Points 182

Suppose You Can’t Disconnect the Network 183

Initial Damage Assessment 184

What is Impacted? 185

Ensure Your Backups Are Still Good 186

Check for Signs of Data and Credential Exfiltration 186

Check for Rogue Email Rules 187

What Do You Know About the Ransomware? 187

First Team Meeting 188

Determine Next Steps 189

Pay the Ransom or Not? 190

Recover or Rebuild? 190

Summary 193

CHAPTER 8: EARLY RESPONSES 195

What Do You Know? 195

A Few Things to Remember 197

Encryption is Likely Not Your Only Problem 198

Reputational Harm May Occur 199

Firings May Happen 200

It Could Get Worse 201

Major Decisions 202

Business Impact Analysis 202

Determine Business Interruption Workarounds 203

Did Data Exfiltration Happen? 204

Can You Decrypt the Data Without Paying? 204

Ransomware is Buggy 205

Ransomware Decryption Websites 205

Ransomware Gang Publishes Decryption Keys 206

Sniff a Ransomware Key Off the Network? 206

Recovery Companies Who Lie About Decryption Key Use 207

If You Get the Decryption Keys 207

Save Encrypted Data Just in Case 208

Determine Whether the Ransom Should Be Paid 209

Not Paying the Ransom 209

Paying the Ransom 210

Recover or Rebuild Involved Systems? 212

Determine Dwell Time 212

Determine Root Cause 213

Point Fix or Time to Get Serious? 214

Early Actions 215

Preserve the Evidence 215

Remove the Malware 215

Change All Passwords 217

Summary 217

CHAPTER 9: ENVIRONMENT RECOVERY 219

Big Decisions 219

Recover vs. Rebuild 220

In What Order 221

Restoring Network 221

Restore IT Security Services 223

Restore Virtual Machines and/or Cloud Services 223

Restore Backup Systems 224

Restore Clients, Servers, Applications, Services 224

Conduct Unit Testing 225

Rebuild Process Summary 225

Recovery Process Summary 228

Recovering a Windows Computer 229

Recovering/Restoring Microsoft Active Directory 231

Summary 233

CHAPTER 10: NEXT STEPS 235

Paradigm Shifts 235

Implement a Data-Driven Defense 236

Focus on Root Causes 238

Rank Everything! 239

Get and Use Good Data 240

Heed Growing Threats More 241

Row the Same Direction 241

Focus on Social Engineering Mitigation 242

Track Processes and Network Traffic 243

Improve Overall Cybersecurity Hygiene 243

Use Multifactor Authentication 243

Use a Strong Password Policy 244

Secure Elevated Group Memberships 246

Improve Security Monitoring 247

Secure PowerShell 247

Secure Data 248

Secure Backups 249

Summary 250

CHAPTER 11: WHAT NOT TO DO 251

Assume You Can’t Be a Victim 251

Think That One Super-Tool Can Prevent an Attack 252

Assume Too Quickly Your Backup is Good 252

Use Inexperienced Responders 253

Give Inadequate Considerations to Paying Ransom 254

Lie to Attackers 255

Insult the Gang by Suggesting Tiny Ransom 255

Pay the Whole Amount Right Away 256

Argue with the Ransomware Gang 257

Apply Decryption Keys to Your Only Copy 257

Not Care About Root Cause 257

Keep Your Ransomware Response Plan Online Only 258

Allow a Team Member to Go Rogue 258

Accept a Social Engineering Exclusion in Your Cyber-Insurance Policy 259

Summary 259

CHAPTER 12: FUTURE OF RANSOMWARE 261

Future of Ransomware 261

Attacks Beyond Traditional Computers 262

IoT Ransoms 264

Mixed-Purpose

Hacking Gangs 265

Future of Ransomware Defense 267

Future Technical Defenses 267

Ransomware Countermeasure Apps and Features 267

AI Defense and Bots 268

Strategic Defenses 269

Focus on Mitigating Root Causes 269

Geopolitical Improvements 269

Systematic Improvements 270

Use Cyber Insurance as a Tool 270

Improve Internet Security Overall 271

Summary 271

Parting Words 272

Index 273