Ransomware Protection Playbook

Fr. 42.90

incl. statutory VAT, free shipping


Product details

Binding: Paperback
Publication date: 20.12.2021
Publisher: John Wiley & Sons Inc
Number of pages: 320
Dimensions (L/W/H): 22.5/15.1/1.7 cm
Weight: 422 g
Edition: 1st edition
Language: English
ISBN: 978-1-119-84912-4

Manufacturer address

Libri GmbH
Europaallee 1
36244 Bad Hersfeld
DE

Email: gpsr@libri.de

  • Acknowledgments
    Introduction

    Part I: Introduction

    Chapter 1: Introduction to Ransomware
    How Bad is the Problem?
    Variability of Ransomware Data
    True Costs of Ransomware
    Types of Ransomware
    Fake Ransomware
    Immediate Action vs. Delayed
    Automatic or Human-Directed
    Single Device Impacts or More
    Ransomware Root Exploit
    File Encrypting vs. Boot Infecting
    Good vs. Bad Encryption
    Encryption vs. More Payloads
    Ransomware as a Service
    Typical Ransomware Process and Components
    Infiltrate
    After Initial Execution
    Dial-Home
    Auto-Update
    Check for Location
    Initial Automatic Payloads
    Waiting
    Hacker Checks C&C
    More Tools Used
    Reconnaissance
    Readying Encryption
    Data Exfiltration
    Encryption
    Extortion Demand
    Negotiations
    Provide Decryption Keys
    Ransomware Goes Conglomerate
    Ransomware Industry Components
    Summary

    Chapter 2: Preventing Ransomware
    Nineteen Minutes to Takeover
    Good General Computer Defense Strategy
    Understanding How Ransomware Attacks
    The Nine Exploit Methods All Hackers and Malware Use
    Top Root-Cause Exploit Methods of All Hackers and Malware
    Top Root-Cause Exploit Methods of Ransomware
    Preventing Ransomware
    Primary Defenses
    Everything Else
    Use Application Control
    Antivirus Prevention
    Secure Configurations
    Privileged Account Management
    Security Boundary Segmentation
    Data Protection
    Block USB Keys
    Implement a Foreign Russian Language
    Beyond Self-Defense
    Geopolitical Solutions
    International Cooperation and Law Enforcement
    Coordinated Technical Defense
    Disrupt Money Supply
    Fix the Internet
    Summary

    Chapter 3: Cybersecurity Insurance
    Cybersecurity Insurance Shakeout
    Did Cybersecurity Insurance Make Ransomware Worse?
    Cybersecurity Insurance Policies
    What's Covered by Most Cybersecurity Policies
    Recovery Costs
    Ransom
    Root-Cause Analysis
    Business Interruption Costs
    Customer/Stakeholder Notifications and Protection
    Fines and Legal Investigations
    Example Cyber Insurance Policy Structure
    Costs Covered and Not Covered by Insurance
    The Insurance Process
    Getting Insurance
    Cybersecurity Risk Determination
    Underwriting and Approval
    Incident Claim Process
    Initial Technical Help
    What to Watch Out For
    Social Engineering Outs
    Make Sure Your Policy Covers Ransomware
    Employee's Mistake Involved
    Work-from-Home Scenarios
    War Exclusion Clauses
    Future of Cybersecurity Insurance
    Summary

    Chapter 4: Legal Considerations
    Bitcoin and Cryptocurrencies
    Can You Be in Legal Jeopardy for Paying a Ransom?
    Consult with a Lawyer
    Try to Follow the Money
    Get Law Enforcement Involved
    Get an OFAC License to Pay the Ransom
    Do Your Due Diligence
    Is It an Official Data Breach?
    Preserve Evidence
    Legal Defense Summary
    Summary

    Part II: Detection and Recovery

    Chapter 5: Ransomware Response Plan
    Why Do Response Planning?
    When Should a Response Plan Be Made?
    What Should a Response Plan Include?
    Small Response vs. Large Response Threshold
    Key People
    Communications Plan
    Public Relations Plan
    Reliable Backup
    Ransom Payment Planning
    Cybersecurity Insurance Plan
    What It Takes to Declare an Official Data Breach
    Internal vs. External Consultants
    Cryptocurrency Wallet
    Response
    Checklist
    Definitions
    Practice Makes Perfect
    Summary

    Chapter 6: Detecting Ransomware
    Why is Ransomware So Hard to Detect?
    Detection Methods
    Security Awareness Training
    AV/EDR Adjunct Detections
    Detect New Processes
    Anomalous Network Connections
    New, Unexplained Things
    Unexplained Stoppages
    Aggressive Monitoring
    Example Detection Solution
    Summary

    Chapter 7: Minimizing Damage
    Basic Outline for Initial Ransomware Response
    Stop the Spread
    Power Down or Isolate Exploited Devices
    Disconnecting the Network
    Disconnect at the Network Access Points
    Suppose You Can't Disconnect the Network
    Initial Damage Assessment
    What is Impacted?
    Ensure Your Backups Are Still Good
    Check for Signs of Data and Credential Exfiltration
    Check for Rogue Email Rules
    What Do You Know About the Ransomware?
    First Team Meeting
    Determine Next Steps
    Pay the Ransom or Not?
    Recover or Rebuild?
    Summary

    Chapter 8: Early Responses
    What Do You Know?
    A Few Things to Remember
    Encryption is Likely Not Your Only Problem
    Reputational Harm May Occur
    Firings May Happen
    It Could Get Worse
    Major Decisions
    Business Impact Analysis
    Determine Business Interruption Workarounds
    Did Data Exfiltration Happen?
    Can You Decrypt the Data Without Paying?
    Ransomware is Buggy
    Ransomware Decryption Websites
    Ransomware Gang Publishes Decryption Keys
    Sniff a Ransomware Key Off the Network?
    Recovery Companies Who Lie About Decryption Key Use
    If You Get the Decryption Keys
    Save Encrypted Data Just in Case
    Determine Whether the Ransom Should Be Paid
    Not Paying the Ransom
    Paying the Ransom
    Recover or Rebuild Involved Systems?
    Determine Dwell Time
    Determine Root Cause
    Point Fix or Time to Get Serious?
    Early Actions
    Preserve the Evidence
    Remove the Malware
    Change All Passwords
    Summary

    Chapter 9: Environment Recovery
    Big Decisions
    Recover vs. Rebuild
    In What Order
    Restoring Network
    Restore IT Security Services
    Restore Virtual Machines and/or Cloud Services
    Restore Backup Systems
    Restore Clients, Servers, Applications, Services
    Conduct Unit Testing
    Rebuild Process Summary
    Recovery Process Summary
    Recovering a Windows Computer
    Recovering/Restoring Microsoft Active Directory
    Summary

    Chapter 10: Next Steps
    Paradigm Shifts
    Implement a Data-Driven Defense
    Focus on Root Causes
    Rank Everything!
    Get and Use Good Data
    Heed Growing Threats More
    Row the Same Direction
    Focus on Social Engineering Mitigation
    Track Processes and Network Traffic
    Improve Overall Cybersecurity Hygiene
    Use Multifactor Authentication
    Use a Strong Password Policy
    Secure Elevated Group Memberships
    Improve Security Monitoring
    Secure PowerShell
    Secure Data
    Secure Backups
    Summary

    Chapter 11: What Not to Do
    Assume You Can't Be a Victim
    Think That One Super-Tool Can Prevent an Attack
    Assume Too Quickly Your Backup is Good
    Use Inexperienced Responders
    Give Inadequate Considerations to Paying Ransom
    Lie to Attackers
    Insult the Gang by Suggesting Tiny Ransom
    Pay the Whole Amount Right Away
    Argue with the Ransomware Gang
    Apply Decryption Keys to Your Only Copy
    Not Care About Root Cause
    Keep Your Ransomware Response Plan Online Only
    Allow a Team Member to Go Rogue
    Accept a Social Engineering Exclusion in Your Cyber-Insurance Policy
    Summary

    Chapter 12: Future of Ransomware
    Future of Ransomware
    Attacks Beyond Traditional Computers
    IoT Ransoms
    Mixed-Purpose Hacking Gangs
    Future of Ransomware Defense
    Future Technical Defenses
    Ransomware Countermeasure Apps and Features
    AI Defense and Bots
    Strategic Defenses
    Focus on Mitigating Root Causes
    Geopolitical Improvements
    Systematic Improvements
    Use Cyber Insurance as a Tool
    Improve Internet Security Overall
    Summary

    Parting Words

    Index