Incident Response Techniques for Ransomware Attacks
eBook - ePub

Oleg Skulkin

  1. 228 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS and Android

Book information

Explore the world of modern human-operated ransomware attacks, along with the steps to properly investigate them and to collect and analyze cyber threat intelligence using cutting-edge methods and tools.

Key Features
  • Understand modern human-operated cyber attacks, focusing on threat actor tactics, techniques, and procedures
  • Collect and analyze ransomware-related cyber threat intelligence from various sources
  • Use forensic methods and tools to reconstruct ransomware attacks and prevent them in the early stages

Book Description
Ransomware attacks have become the strongest and most persistent threat for many companies around the globe. Building an effective incident response plan to prevent a ransomware attack is crucial and may help you avoid heavy losses. Incident Response Techniques for Ransomware Attacks is designed to help you do just that.
This book starts by discussing the history of ransomware, showing you how the threat landscape has changed over the years, while also covering the process of incident response in detail. You'll then learn how to collect and produce ransomware-related cyber threat intelligence and look at threat actor tactics, techniques, and procedures. Next, the book focuses on various forensic artifacts in order to reconstruct each stage of a human-operated ransomware attack life cycle.
In the concluding chapters, you'll get to grips with various kill chains and discover a new one: the Unified Ransomware Kill Chain. By the end of this ransomware book, you'll be equipped with the skills you need to build an incident response strategy for all ransomware attacks.

What you will learn
  • Understand the modern ransomware threat landscape
  • Explore the incident response process in the context of ransomware
  • Discover how to collect and produce ransomware-related cyber threat intelligence
  • Use forensic methods to collect relevant artifacts during incident response
  • Interpret collected data to understand threat actor tactics, techniques, and procedures
  • Understand how to reconstruct the ransomware attack kill chain

Who this book is for
This book is for security researchers, security analysts, or anyone in the incident response landscape who is responsible for building an incident response model for ransomware attacks. A basic understanding of cyber threats will be helpful to get the most out of this book.


Information

Year: 2022
ISBN: 9781803233994
Edition: 1
Categories: Computer Science, Cybersecurity

Section 1: Getting Started with a Modern Ransomware Attack

The first part of this book will help you to build a solid understanding of the modern ransomware threat landscape and how to properly plan your incident response activities.
This section comprises the following chapters:
  • Chapter 1, The History of Human-Operated Ransomware Attacks
  • Chapter 2, The Life Cycle of a Human-Operated Ransomware Attack
  • Chapter 3, The Incident Response Process

Chapter 1: The History of Human-Operated Ransomware Attacks

Just like COVID-19, human-operated ransomware attacks became a second pandemic in 2020. Unfortunately, this trend keeps evolving. Although some threat actors announce their retirement, their places in the cybercrime business are quickly taken by the younger generation.
Such attacks are discussed a lot nowadays; however, they emerged even before the well-known ransomware outbreaks WannaCry and NotPetya. Unlike those uncontrolled outbreaks, these attacks are under the full control of various ransomware operators and their affiliates. Careful reconnaissance of the compromised infrastructure, preparing it for the final ransomware deployment, can potentially bring them millions of dollars in cryptocurrency.
Of course, there are multiple notable examples of ransomware strains used in human-operated attacks. In this chapter, we'll focus on the most important examples from a historical point of view, finishing with what is most common in today's threat landscape – ransomware-as-a-service programs.
We'll look at the following examples:
  • 2016 – SamSam ransomware
  • 2017 – BitPaymer ransomware
  • 2018 – Ryuk ransomware
  • 2019-present – ransomware-as-a-service programs

2016 – SamSam ransomware

These ransomware operators emerged in early 2016 and changed the ransomware threat landscape drastically. They didn't focus on regular users and single devices; instead, they attacked various companies, focusing on a human-operated approach, moving laterally and encrypting as many devices as possible, including those with the most important data.
The targets were very different and included the healthcare industry, the education sector, and even whole cities. A notable example was the attack on the city of Atlanta, Georgia, which took place in March 2018. As a result, the city had to pay approximately $2.7 million to contractors to recover its infrastructure.
The group commonly exploited vulnerabilities in public-facing applications, for example, JBoss systems, or simply brute-forced RDP servers to gain an initial foothold in the target network.
To elevate privileges, the threat actors used a number of common hacking tools and exploits, including the notorious Mimikatz, so they could obtain domain administrator credentials.
Having obtained elevated credentials, SamSam operators scanned the network to obtain information about available hosts, then copied a piece of ransomware to each of them and ran it with the help of another very common dual-use tool – PsExec.
The attackers had a payment website on the dark web. A victim could find all the necessary information on file decryption in the ransom note generated by the ransomware, as shown in Figure 1.1:
Figure 1.1 – SamSam ransom note example
Being active from 2016 to 2018, the group earned approximately $6 million, according to Sophos (source: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf).

Who was behind the SamSam ransomware

On November 28, 2018, the FBI unsealed an indictment charging Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri with deploying SamSam ransomware internationally:
Figure 1.2 – An excerpt from an FBI Wanted poster
Both subjects are from Iran. After the indictment was unsealed, the threat actors ceased their malicious activities, at least under the name SamSam.
These threat actors showed others that enterprise ransomware attacks may be very profitable, so more and more groups emerged. One example is the BitPaymer ransomware.

2017 – BitPaymer ransomware

The BitPaymer ransomware is associated with Evil Corp – a cybercrime group believed to be of Russian origin. This ransomware strain introduced another trend in human-operated attacks – Big Game Hunting.
Everything started in August 2017, when BitPaymer operators successfully attacked a few hospitals from the NHS Lanarkshire board, demanding the astronomical ransom payment of $230,000 or 53 BTC.
To obtain initial access to the target network, the group leveraged their long-standing tool – the Dridex trojan. The trojan allowed them to load PowerShell Empire – a popular post-exploitation framework – so the threat actors could move laterally through the network and obtain elevated credentials, including through the use of Mimikatz, just like the SamSam operators.
To deploy the ransomware enterprise-wide, the threat actors leveraged a Group Policy modification, which allowed them to push a script to each host to run a piece of ransomware.
As the means of communication, the threat actors offered both email and online chat; both could be found in the ransom note:
Figure 1.3 – BitPaymer ransom note example
In June 2019, a new ransomware was born from BitPaymer, called DoppelPaymer. It is believed that this specific ransomware was operated by a spin-off group from Evil Corp (source: https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/).

The mastermind behind the BitPaymer ransomware

On November 13, 2019, the FBI released an indictment charging Maksim Viktorovich Yakubets and Igor Olegovich Turashev with managing Dridex trojan operations:
Figure 1.4 – Excerpts from FBI Wanted posters
Maksim Viktorovich Yakubets is currently wanted for multiple counts of cybercriminal activity. According to various sources, there is a $5 million reward for his apprehension. Of course, Dridex was not the only trojan used in human-operated ransomware attacks. Another notable example is Trickbot, which is tightly connected to the Ryuk ransomware.

2018 – Ryuk ransomware

The Ryuk ransomware took Big Game Hunting to new heights. Associated with the Trickbot group, also known as Wizard Spider, this ransomware strain is st...

Contents

  1. Incident Response Techniques for Ransomware Attacks
  2. Contributors
  3. Preface
  4. Section 1: Getting Started with a Modern Ransomware Attack
  5. Chapter 1: The History of Human-Operated Ransomware Attacks
  6. Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
  7. Chapter 3: The Incident Response Process
  8. Section 2: Know Your Adversary: How Ransomware Gangs Operate
  9. Chapter 4: Cyber Threat Intelligence and Ransomware
  10. Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
  11. Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence
  12. Section 3: Practical Incident Response
  13. Chapter 7: Digital Forensic Artifacts and Their Main Sources
  14. Chapter 8: Investigating Initial Access Techniques
  15. Chapter 9: Investigating Post-Exploitation Techniques
  16. Chapter 10: Investigating Data Exfiltration Techniques
  17. Chapter 11: Investigating Ransomware Deployment Techniques
  18. Chapter 12: The Unified Ransomware Kill Chain
  19. Other Books You May Enjoy
Citation styles for Incident Response Techniques for Ransomware Attacks

APA 6 Citation

Skulkin, O. (2022). Incident Response Techniques for Ransomware Attacks (1st ed.). Packt Publishing. Retrieved from https://www.perlego.com/book/3468751/incident-response-techniques-for-ransomware-attacks-pdf (Original work published 2022)