Incident Response Techniques for Ransomware Attacks

Oleg Skulkin

eBook (ePub)
  1. 228 pages
  2. English
  3. ePub (available in the app)
  4. Available on iOS and Android

About the book

Explore the world of modern human-operated ransomware attacks, along with covering steps to properly investigate them and collecting and analyzing cyber threat intelligence using cutting-edge methods and tools.

Key Features
  • Understand modern human-operated cyber attacks, focusing on threat actor tactics, techniques, and procedures
  • Collect and analyze ransomware-related cyber threat intelligence from various sources
  • Use forensic methods and tools to reconstruct ransomware attacks and prevent them in the early stages

Book Description
Ransomware attacks have become the strongest and most persistent threat for many companies around the globe. Building an effective incident response plan to prevent a ransomware attack is crucial and may help you avoid heavy losses. Incident Response Techniques for Ransomware Attacks is designed to help you do just that.
This book starts by discussing the history of ransomware, showing you how the threat landscape has changed over the years, while also covering the process of incident response in detail. You'll then learn how to collect and produce ransomware-related cyber threat intelligence and look at threat actor tactics, techniques, and procedures. Next, the book focuses on various forensic artifacts in order to reconstruct each stage of a human-operated ransomware attack life cycle.
In the concluding chapters, you'll get to grips with various kill chains and discover a new one: the Unified Ransomware Kill Chain. By the end of this ransomware book, you'll be equipped with the skills you need to build an incident response strategy for all ransomware attacks.

What you will learn
  • Understand the modern ransomware threat landscape
  • Explore the incident response process in the context of ransomware
  • Discover how to collect and produce ransomware-related cyber threat intelligence
  • Use forensic methods to collect relevant artifacts during incident response
  • Interpret collected data to understand threat actor tactics, techniques, and procedures
  • Understand how to reconstruct the ransomware attack kill chain

Who this book is for
This book is for security researchers, security analysts, or anyone in the incident response landscape who is responsible for building an incident response model for ransomware attacks. A basic understanding of cyber threats will be helpful to get the most out of this book.


Information

Year
2022
ISBN
9781803233994
Edition
1
Subject
Computer science

Section 1: Getting Started with a Modern Ransomware Attack

The first part of this book will help you to build a solid understanding of the modern ransomware threat landscape and how to properly plan your incident response activities.
This section comprises the following chapters:
  • Chapter 1, The History of Human-Operated Ransomware Attacks
  • Chapter 2, The Life Cycle of a Human-Operated Ransomware Attack
  • Chapter 3, The Incident Response Process

Chapter 1: The History of Human-Operated Ransomware Attacks

Just like COVID-19, human-operated ransomware attacks became the second pandemic in 2020. Unfortunately, this trend keeps evolving nowadays. Despite the fact that some threat actors announce their retirement, their places in the cybercrime business are quickly occupied by the younger generation.
Such attacks are discussed a lot nowadays; however, they emerged even before well-known ransomware outbreaks, such as WannaCry and NotPetya. Unlike those uncontrolled ransomware outbreaks, these attacks are under the full control of various ransomware operators and their affiliates. Careful reconnaissance of the compromised infrastructure, preparing it for the final ransomware deployment, can potentially bring them millions of dollars in cryptocurrency.
Of course, there are multiple notable examples of ransomware strains used in human-operated attacks. In this chapter, we'll focus on the most important examples from a historic point of view, finishing with what is most common in today's threat landscape – ransomware-as-a-service programs.
We'll look at the following examples:
  • 2016 – SamSam ransomware
  • 2017 – BitPaymer ransomware
  • 2018 – Ryuk ransomware
  • 2019-present – ransomware-as-a-service programs

2016 – SamSam ransomware

These ransomware operators emerged in early 2016 and changed the ransomware threat landscape drastically. They didn't focus on regular users and single devices; instead, they attacked various companies, focusing on a human-operated approach, moving laterally and encrypting as many devices as possible, including those with the most important data.
The targets were very different and included the healthcare industry, the education sector, and even whole cities. A notable example was the attack on the city of Atlanta, Georgia, in March 2018. As a result, the city had to pay approximately $2.7 million to contractors to recover its infrastructure.
The group commonly exploited vulnerabilities in public-facing applications, for example, JBoss systems, or simply brute-forced RDP servers to gain an initial foothold in the target network.
To elevate privileges, the threat actors used a number of common hacking tools and exploits, including the notorious Mimikatz, so they could obtain domain administrator credentials.
Having obtained elevated credentials, SamSam operators simply scanned the network to obtain information about available hosts, then copied a piece of ransomware to each of them and ran it with the help of another very common dual-use tool – PsExec.
The attackers had a payment website in the dark web. A victim could find all the necessary information on file decryption in the ransom note generated by the ransomware, as shown in Figure 1.1:
Figure 1.1 – SamSam ransom note example
Being active from 2016 to 2018, the group earned approximately $6 million, according to Sophos (source: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf).

Who was behind the SamSam ransomware

On November 28, 2018, the FBI unsealed an indictment charging Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri with deploying SamSam ransomware internationally:
Figure 1.2 – An excerpt from an FBI Wanted poster
Both subjects are from Iran. After the indictment was unsealed, the threat actors ended their malicious activities, at least under the SamSam name.
These threat actors showed others that enterprise ransomware attacks may be very profitable, so more and more groups emerged. One example is the BitPaymer ransomware.

2017 – BitPaymer ransomware

The BitPaymer ransomware is associated with Evil Corp – a cybercrime group believed to be of Russian origin. This ransomware strain introduced another trend in human-operated attacks – Big Game Hunting.
Everything started in August 2017, when BitPaymer operators successfully attacked a few hospitals of the NHS Lanarkshire board, demanding the astronomical ransom payment of $230,000 or 53 BTC.
To obtain initial access to the target network, the group leveraged their long-standing tool – the Dridex trojan. The trojan allowed them to load PowerShell Empire – a popular post-exploitation framework – so the threat actor could move laterally through the network and obtain elevated credentials, including with the use of Mimikatz, just like the SamSam operators.
To deploy the ransomware enterprise-wide, the threat actors leveraged a Group Policy modification, which allowed them to push a script to each host to run a piece of ransomware.
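The SamSam and BitPaymer sections above describe three stages an incident responder can look for in Windows event logs: an RDP brute force that ends in a successful logon, remote execution through PsExec's service, and a Group Policy change used to push the payload. The script below is an added example written for this page, not code from the book or its author. The event IDs it keys on are the standard Windows ones (Security 4625/4624 with logon type 10 for RDP, System 7045 for a new service, Security 5136 for a directory-object change), but the event records themselves are constructed sample data, and the thresholds and field names are assumptions that would be adapted to a real log export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows event records (Security and System logs),
# reduced to the fields the rules below need. Not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2018-03-20T01:00:01", "id": 4625, "host": "DC1", "src_ip": "203.0.113.7", "logon_type": 10, "user": "administrator"},
    {"time": "2018-03-20T01:00:04", "id": 4625, "host": "DC1", "src_ip": "203.0.113.7", "logon_type": 10, "user": "admin"},
    {"time": "2018-03-20T01:00:07", "id": 4625, "host": "DC1", "src_ip": "203.0.113.7", "logon_type": 10, "user": "backup"},
    {"time": "2018-03-20T01:00:10", "id": 4625, "host": "DC1", "src_ip": "203.0.113.7", "logon_type": 10, "user": "svc_backup"},
    {"time": "2018-03-20T01:00:13", "id": 4625, "host": "DC1", "src_ip": "203.0.113.7", "logon_type": 10, "user": "svc_backup"},
    {"time": "2018-03-20T01:00:16", "id": 4625, "host": "DC1", "src_ip": "203.0.113.7", "logon_type": 10, "user": "svc_backup"},
    {"time": "2018-03-20T01:00:19", "id": 4624, "host": "DC1", "src_ip": "203.0.113.7", "logon_type": 10, "user": "svc_backup"},
    # A single mistyped password from an internal workstation: normal noise.
    {"time": "2018-03-20T08:15:00", "id": 4625, "host": "DC1", "src_ip": "10.0.0.25", "logon_type": 10, "user": "jdoe"},
    # PsExec's default service appearing on two file servers.
    {"time": "2018-03-20T01:30:00", "id": 7045, "host": "FS1", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe", "user": "svc_backup"},
    {"time": "2018-03-20T01:30:05", "id": 7045, "host": "FS2", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe", "user": "svc_backup"},
    # A routine vendor service install: should not fire.
    {"time": "2018-03-20T09:00:00", "id": 7045, "host": "WS5", "service": "PrintSvc", "image": r"C:\Program Files\Vendor\printsvc.exe", "user": "SYSTEM"},
    # Directory-object change on a Group Policy container (requires object auditing).
    {"time": "2018-03-20T01:45:00", "id": 5136, "host": "DC1", "object_class": "groupPolicyContainer", "attribute": "gPCFileSysPath", "user": "svc_backup"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source IP with at least `threshold` failed RDP logons (4625, logon
    type 10) inside `window`, and record whether a success (4624) from the same
    IP followed within another window. Thresholds are assumptions."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e.get("logon_type") != 10:
            continue
        if e["id"] == 4625:
            failures[e["src_ip"]].append(_ts(e))
        elif e["id"] == 4624:
            successes[e["src_ip"]].append((_ts(e), e["user"]))
    findings = []
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= threshold:
                later = [(t, u) for t, u in successes.get(ip, [])
                         if start <= t <= burst[-1] + window]
                findings.append({"rule": "rdp_bruteforce", "src_ip": ip,
                                 "failures": len(burst),
                                 "success_after": later[0][1] if later else None})
                break  # one finding per source IP is enough for triage
    return findings


def detect_psexec_service(events):
    """Flag System 7045 service installs whose name or image path contains
    PsExec's default service name. A renamed PsExec binary would evade this
    string match, so it is a starting point, not a complete rule."""
    return [{"rule": "psexec_service", "host": e["host"], "user": e["user"]}
            for e in events
            if e["id"] == 7045
            and "PSEXESVC" in (e.get("service", "") + e.get("image", "")).upper()]


def detect_gpo_modification(events):
    """Flag Security 5136 directory-object changes on Group Policy containers,
    the artifact left when a GPO is edited to push a script enterprise-wide."""
    return [{"rule": "gpo_modified", "attribute": e["attribute"], "user": e["user"]}
            for e in events
            if e["id"] == 5136 and e.get("object_class") == "groupPolicyContainer"]


def run_detections(events):
    """Run all three rules and return the findings sorted by rule name."""
    findings = (detect_rdp_bruteforce(events)
                + detect_psexec_service(events)
                + detect_gpo_modification(events))
    return sorted(findings, key=lambda f: f["rule"])


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample this yields four findings: the brute force from 203.0.113.7 that ended with a successful logon as svc_backup, PSEXESVC installs on FS1 and FS2, and one GPO attribute change. The same account name recurring across all three stages is what an analyst would use to tie the events into a single intrusion timeline.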
As the means of communication, the threat actors offered both emails and online chats; both could be found in the ransom note:
Figure 1.3 – BitPaymer ransom note example
In June 2019, a new ransomware was born from BitPaymer, called DoppelPaymer. It is believed that this specific ransomware was operated by a spin-off group from Evil Corp (source: https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/).

The mastermind behind the BitPaymer ransomware

On November 13, 2019, the FBI released an indictment charging Maksim Viktorovich Yakubets and Igor Olegovich Turashev with managing Dridex trojan operations:
Figure 1.4 – Excerpts from FBI Wanted posters
Maksim Viktorovich Yakubets is currently wanted for multiple counts of cybercriminal activity. Various sources state that there is a $5 million reward for the apprehension of Maksim. Of course, Dridex was not the only trojan used in human-operated ransomware attacks. Another notable example is Trickbot, which is tightly connected to the Ryuk ransomware.

2018 – Ryuk ransomware

The Ryuk ransomware took Big Game Hunting to new heights. Associated with the Trickbot group, also known as Wizard Spider, this ransomware strain is st...

Table of contents

  1. Incident Response Techniques for Ransomware Attacks
  2. Contributors
  3. Preface
  4. Section 1: Getting Started with a Modern Ransomware Attack
  5. Chapter 1: The History of Human-Operated Ransomware Attacks
  6. Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
  7. Chapter 3: The Incident Response Process
  8. Section 2: Know Your Adversary: How Ransomware Gangs Operate
  9. Chapter 4: Cyber Threat Intelligence and Ransomware
  10. Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
  11. Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence
  12. Section 3: Practical Incident Response
  13. Chapter 7: Digital Forensic Artifacts and Their Main Sources
  14. Chapter 8: Investigating Initial Access Techniques
  15. Chapter 9: Investigating Post-Exploitation Techniques
  16. Chapter 10: Investigating Data Exfiltration Techniques
  17. Chapter 11: Investigating Ransomware Deployment Techniques
  18. Chapter 12: The Unified Ransomware Kill Chain
  19. Other Books You May Enjoy
Citation styles for Incident Response Techniques for Ransomware Attacks

APA 6 Citation

Skulkin, O. (2022). Incident Response Techniques for Ransomware Attacks (1st ed.). Packt Publishing. Retrieved from https://www.perlego.com/book/3468751/incident-response-techniques-for-ransomware-attacks-pdf (Original work published 2022)

Chicago Citation

Skulkin, Oleg. (2022) 2022. Incident Response Techniques for Ransomware Attacks. 1st ed. Packt Publishing. https://www.perlego.com/book/3468751/incident-response-techniques-for-ransomware-attacks-pdf.

Harvard Citation

Skulkin, O. (2022) Incident Response Techniques for Ransomware Attacks. 1st edn. Packt Publishing. Available at: https://www.perlego.com/book/3468751/incident-response-techniques-for-ransomware-attacks-pdf (Accessed: 15 October 2022).

MLA 7 Citation

Skulkin, Oleg. Incident Response Techniques for Ransomware Attacks. 1st ed. Packt Publishing, 2022. Web. 15 Oct. 2022.