Anatomy of a Ransomware Attack


May 25, 2021

Anatomy of a Ransomware Attack

Heather Egan Sussman, Orrick, Herrington & Sutcliffe, LLP

Steve Elovitz, FireEye Mandiant

Scott Godes, Barnes & Thornburg LLP

Adam Abresch, National Cyber Risk Practice Leader, Acrisure



• Introductions

• A Brief History of Ransomware

• Insurance and Risk Transfer

• Ransomware Scenario

• Pre-mediation



Heather Egan Sussman

Cyber, Privacy & Data Innovation Orrick Herrington & Sutcliffe LLP

Heather Egan Sussman is head of Orrick's global Cyber, Privacy & Data Innovation Group and is ranked by Chambers USA, Chambers Global and The Legal 500 United States as a leader in her field.

Heather routinely guides clients through the existing patchwork of laws impacting privacy and cybersecurity around the globe. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes. She drafts online privacy notices for global rollout and implements data transfer mechanisms for the free flow of data worldwide.

Heather also helps clients develop and achieve their data innovation strategies, so they can leverage the incredible value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, meet security needs and solidify brand and consumer trust. Heather devotes a significant part of her practice to helping clients reduce the risk of privacy and security incidents. In the event of a privacy or security breach, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries.

Heather frequently writes on current privacy and information security issues before trade and legal organizations and has been quoted in hundreds of major news outlets.



Steve Elovitz

Managing Director FireEye Mandiant

As a Managing Director of FireEye Mandiant’s Incident Response team, Steve is responsible for guiding his clients through cyber security crises: advising executive decision making, overseeing investigations, remediations, and enterprise hardening efforts. In this role, Steve has led the investigations into some of the most notable incidents in history and has ample experience responding to both nation-state sponsored cyber espionage as well as financially motivated attacks.

Steve also helps his clients develop their security programs by proactively identifying, prioritizing, and mitigating security risks. His role on the front lines enables him to see the latest tools, tactics, and procedures in use by attackers, as well as which security controls are effective at preventing, detecting, and disrupting attacks.



Scott Godes

Partner, Co-Chair – Insurance Recovery and Counseling Practice

Barnes & Thornburg LLP

Described as the “most interesting insurance lawyer in the world,” Scott Godes is a Chambers-rated insurance recovery attorney who has helped clients recover more than $1 billion in insurance coverage. He focused his insurance recovery work on coverage for cybersecurity and privacy claims in 2008 and is one of the few lawyers in the country who has litigated the scope of insurance coverage available for data breach claims under cyberinsurance policies. He also has helped clients recover millions for data privacy incidents and cyberattacks under cyber, crime, CGL, first-party property, and Tech E&O insurance policies, as well as in connection with professional liability claims.

He has provided strategic coverage advice for companies that have had cloud-based privacy and cybersecurity events.



Adam Abresch

National Cyber Risk Practice Leader



A Brief History of Ransomware



Ransomware Landscape

• Significant threat to global organizations

• We continue to see an increase in ransomware-related intrusions

• Shift by more sophisticated financially motivated actors towards use of



Evolution of Ransomware

(Timeline figure; the year axis recovered from the slide reads 2015, 2016, 2017, 2018. Milestones as labelled:)

• WannaCry / NotPetya

• Victim naming and shaming trend begins in Q4: REvil, DoppelPaymer, Conti, Netwalker and others create public shaming sites

• Indictment and sanctions of SamSam operators

• Indictment and sanctions of Dridex operators

• Targeting of healthcare organizations

• FIN6 incorporates ransomware

• Continued diversification of extortive tactics


Post-Compromise Targeting

• The majority of recent Mandiant investigations involved a post-compromise approach

• Key advantages associated with post-compromise operations versus traditional indiscriminate targeting


Typical Ransomware Attack Lifecycle

(Lifecycle figure centred on the Victim Organization; stages as labelled on the slide:)

• Credential Theft

• Internal Reconnaissance

• Lateral Movement Tools

• Escalate Privileges

• Delete Backups

• Data Theft (Sometimes)


Typical Ransomware Attack Lifecycle

Common Initial Access Vectors:

• Single Factor Perimeter Compromise

• Email Phishing

• Software Vulnerabilities

Special considerations:

• Human Actors

• Ransomware-As-A-Service (RaaS)

• Quick Deployments

• Data Theft and extortion


Exploitation Model

Access + Credentials + Connectivity
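The lifecycle stages above map onto events a defender already collects. The Python below is an added example, not code from the slides or from Mandiant: it scores a constructed, SIEM-style JSON-lines export of Windows Security events for four of those stages: privileged or service accounts logging on to standard endpoints (credential theft), a local administrator account used over the network (lateral movement), one account fanning out across several hosts in a short window (internal reconnaissance), and shadow-copy deletion (delete backups). The domain name, account names, host inventory and thresholds are assumptions; event IDs 4624 and 4688 and the logon-type numbers are Windows' own.

```python
"""Flag ransomware-lifecycle activity in Windows Security events.

Added example, not from the slides or Mandiant: the inventory and the
SIEM-style JSON-lines export below are constructed. Event IDs 4624
(logon) and 4688 (process creation) and the logon-type numbers are the
real Windows values.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical environment inventory (assumption; replace with your own).
DOMAINS = {"CORP"}                  # account domains; any other prefix is a local account
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin", "CORP\\svc-backup"}
STANDARD_ENDPOINTS = {"WS-0142", "WS-0177", "WS-0203"}
REMOTE_LOGON_TYPES = {3, 10}        # 3 = network (SMB/RPC), 10 = RemoteInteractive (RDP)
FANOUT_HOSTS = 3                    # distinct hosts one account reaches within FANOUT_WINDOW
FANOUT_WINDOW = timedelta(minutes=30)
BACKUP_TOOLS = {"vssadmin.exe", "wbadmin.exe", "wmic.exe"}

# Constructed sample export: one JSON object per line (raw string so the
# JSON backslash escapes survive).
SAMPLE_EVENTS = r"""
{"ts": "2021-05-21T15:02:11", "event_id": 4624, "host": "WS-0142", "user": "CORP\\jsmith", "logon_type": 2}
{"ts": "2021-05-21T15:10:43", "event_id": 4624, "host": "WS-0142", "user": "CORP\\da-admin", "logon_type": 10}
{"ts": "2021-05-21T15:12:05", "event_id": 4624, "host": "WS-0177", "user": "WS-0177\\Administrator", "logon_type": 3}
{"ts": "2021-05-21T15:14:30", "event_id": 4624, "host": "WS-0177", "user": "CORP\\svc-backup", "logon_type": 3}
{"ts": "2021-05-21T15:16:02", "event_id": 4624, "host": "WS-0203", "user": "CORP\\svc-backup", "logon_type": 3}
{"ts": "2021-05-21T15:18:40", "event_id": 4624, "host": "FS-01", "user": "CORP\\svc-backup", "logon_type": 3}
{"ts": "2021-05-21T15:31:17", "event_id": 4688, "host": "FS-01", "user": "CORP\\svc-backup", "process": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin delete shadows /all /quiet"}
{"ts": "2021-05-21T15:40:00", "event_id": 4624, "host": "FS-01", "user": "CORP\\svc-backup", "logon_type": 5}
"""


def parse_events(text):
    """Parse JSON lines into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def is_local_account(user):
    """True when the DOMAIN\\user prefix is not one of our domains."""
    domain, _, _ = user.partition("\\")
    return domain not in DOMAINS


def detect(events):
    """Return (rule, detail) findings for the lifecycle stages we can observe."""
    findings = []
    logons = [e for e in events if e["event_id"] == 4624]

    for e in logons:
        # Credential hardening says these accounts never touch workstations.
        if e["user"] in PRIVILEGED_ACCOUNTS and e["host"] in STANDARD_ENDPOINTS:
            findings.append(("privileged_logon_to_endpoint", f"{e['user']} -> {e['host']}"))
        # Local admin credentials used remotely: classic lateral movement.
        if is_local_account(e["user"]) and e["logon_type"] in REMOTE_LOGON_TYPES:
            findings.append(("local_admin_remote_logon",
                             f"{e['user']} -> {e['host']} (type {e['logon_type']})"))

    # One account reaching many hosts in a short window (recon / lateral movement).
    by_account = defaultdict(list)
    for e in logons:
        if e["logon_type"] in REMOTE_LOGON_TYPES:
            by_account[e["user"]].append(e)
    for user, evs in by_account.items():
        for i, e in enumerate(evs):
            recent = [x for x in evs[: i + 1] if e["ts"] - x["ts"] <= FANOUT_WINDOW]
            hosts = {x["host"] for x in recent}
            if len(hosts) >= FANOUT_HOSTS:
                findings.append(("lateral_movement_fanout", f"{user} -> {sorted(hosts)}"))
                break

    # Backup deletion ahead of encryption.
    for e in events:
        if e["event_id"] != 4688:
            continue
        exe = e["process"].rsplit("\\", 1)[-1].lower()
        if exe in BACKUP_TOOLS and "delete" in e["command_line"].lower():
            findings.append(("backup_deletion", f"{e['host']}: {e['command_line']}"))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = defaultdict(int)
    for rule, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:30} {detail}")
```

On the sample data the service account's three network logons within a few minutes, its shadow-copy deletion on the file server, and the domain admin's RDP session to a workstation each produce a finding; the ordinary user's console logon and the service logon (type 5) on the server do not. The same rules run unchanged over a real export as long as the inventory sets are filled in.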






Insurance and Risk Transfer


Insurance and Risk Transfer

• Some Best Practices When Buying Insurance

• Is cyberextortion coverage included?

• Is business interruption and extra expense coverage included?

• Is bricking coverage included?

• Is betterment coverage included?

• Is your choice of forensic firms and law firms included in the policy? At what hourly rate?

• How does the policy cover non-litigated resolutions with customers?


Insurance and Risk Transfer

• Other Risk Transfer Questions

• What limits (and sublimits) are in the tower of coverage?

• What policies does the company have that might respond to ransomware?

• Cyberinsurance

• Kidnap, ransom, and extortion

• Crime insurance

• Property insurance

• Who is filling out the application?

• What is the retroactive date?


Attack Scenario


Scenario: Day 0 (Friday evening)

• At 4:00pm ET on Friday afternoon, InfoSec receives alerts that certain systems are unavailable and it appears to be a ransomware event.

• Email does not appear to be disrupted.

• InfoSec undertakes initial containment efforts.

• A number of server instances appear not to be



Day 0 (Friday evening)

A ransom note is discovered:


Day 0-1 (Overnight to Saturday)

• Decision needs to be made on shutting down the network


Day 1 (Saturday)

• After following the instructions and inputting the key, a timer begins to count down: “Price will be doubled if you don’t pay on time”

• Ransom negotiator establishes contact:

• threat actor claims to have 30GB of data

• threatens to publish in 7 days unless full payment



Day 3 (Monday)

• Company notifies key regulators with 72-hour deadlines

• Existing IT and security tools were impacted by the ransomware and unusable

• Competing priorities: forensic agent deployment versus system restoration and recovery

• Active Directory and Network Hardening Ensues


Day 5 (Wednesday)

• Confirmed: Data cannot be decrypted without the key

• Confirmed: Some backups exist, but no reliable understanding of coverage

• Confirmed: A data sample was decrypted per instructions and it is highly sensitive company information

• Unconfirmed: Technicians cannot precisely say how long a data recovery from backup will take. Best estimate is 72 – 96 hours

• Confirmed: Data was exfiltrated from the network

• Unconfirmed: What full scope of data was stolen? What are the obligations based on the sample set? Based on the rest of the



Day 7 (Friday)

• Company negotiates with the carrier regarding payment

• Company has notified law enforcement, reviewed facts with OFAC counsel, and secured approval by the carrier for payment of a certain amount

• Company initiates wire payment to the negotiator

• Negotiator performs sanctions check

• After the check clears, negotiator makes the payment


Next three to twelve weeks

• After a brief delay while bitcoin is converted to Monero, the key is obtained

• The technical teams work methodically to bring affected systems back online

• IT and OT support services retained to assist

• Communications plan continues to unfold

• Company responds to regulator and customer inquiries, clearing all comms with outside counsel

• Forensic analysis continues and feeds findings to the legal team to provide legal advice regarding notification obligations, if any, based on the available evidence.


Pre·mediation: noun. Proactively implementing common remediation-focused initiatives.


Exploitation Model

Access + Credentials + Connectivity





Proactive Measures – Access Hardening

• Regularly scan externally facing systems for common ports and protocols left open

• Enhance vulnerability management for systems that are external

• Train end-users on spotting phishing emails and regularly perform phishing campaigns

• Harden external access capabilities with multifactor authentication
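As an added example of the first two measures (scanning external systems and feeding vulnerability management), and not code from the presenters: the Python below parses nmap's grepable output format (the real -oG layout) and compares each open port with an approved-exposure list, flagging anything unapproved and any service that should never face the internet without MFA or a VPN in front of it. The addresses, hostnames, allowlist and the scan text itself are constructed.

```python
"""Compare an external port scan with the approved exposure list.

Added example, not code from the presenters. The parser handles nmap's
grepable output (-oG), a real format; the addresses, hostnames, allowlist
and scan text are constructed.
"""
import re

# Services that should not face the internet on a single factor (assumption; tune to policy).
HIGH_RISK_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc", 5985: "winrm"}

# Assumed approved exposure per external address.
EXPECTED_EXPOSURE = {
    "203.0.113.10": {443},       # VPN concentrator: HTTPS only
    "203.0.113.11": {25, 443},   # mail relay
    "203.0.113.12": {22},        # bastion host
}

# Constructed scan output in nmap -oG layout: tab-separated fields, each
# port written as port/state/proto/owner/service/rpc/version/.
SAMPLE_SCAN = "\n".join([
    "# Nmap scan initiated (constructed sample) as: nmap -sS -sV -oG - 203.0.113.8/29",
    "Host: 203.0.113.10 (vpn.example.test)\tStatus: Up",
    "Host: 203.0.113.10 (vpn.example.test)\tPorts: 443/open/tcp//https///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)",
    "Host: 203.0.113.11 (mail.example.test)\tPorts: 25/open/tcp//smtp///, "
    "443/open/tcp//https///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)",
    "Host: 203.0.113.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (998)",
    "# Nmap done (constructed sample)",
])

HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: [(port, proto, service, version), ...]} for open ports only."""
    open_ports = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue
        ip, _hostname, rest = match.groups()
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
                if state == "open":
                    open_ports.setdefault(ip, []).append((int(port), proto, service, version))
    return open_ports


def evaluate(open_ports, expected=EXPECTED_EXPOSURE):
    """Flag open ports that are unapproved or inherently high risk externally."""
    findings = []
    for ip in sorted(open_ports):
        allowed = expected.get(ip, set())
        for port, proto, service, version in open_ports[ip]:
            issues = []
            if port not in allowed:
                issues.append("not on the approved exposure list")
            if port in HIGH_RISK_PORTS:
                issues.append(f"{HIGH_RISK_PORTS[port]} reachable from the internet; "
                              "put MFA/VPN in front or remove")
            if issues:
                findings.append({"host": ip, "port": port, "proto": proto, "service": service,
                                 "version": version, "issues": issues})
    return findings


def audit(scan_text, expected=EXPECTED_EXPOSURE):
    """Parse a scan and evaluate it in one call."""
    return evaluate(parse_grepable(scan_text), expected)


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"{f['host']}:{f['port']}/{f['proto']} {f['service']} {f['version']!r}: "
              + "; ".join(f["issues"]))
```

The version column (populated when the scan is run with -sV) is carried into each finding so the same report can be handed to vulnerability management; on the sample, RDP on the VPN host and SMB on the mail relay are both unapproved and high risk, while the proxy port on the bastion is merely unapproved.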



Proactive Measures – Credential Hardening

Minimize privileged credential exposure!

• Harden systems so that privileged and/or service accounts cannot be used for logons to standard endpoints

• Remove the capability for local administrative accounts to be used for remote logons to other endpoints

• Randomize the password for built-in local administrative accounts on endpoints

• Harden endpoints so that clear-text passwords are not stored in memory


Proactive Measures – Connectivity Hardening

• Restrict egress access, ports, and protocols

• Remove the capability for privileged accounts to be used for remote logon purposes

• Disable unnecessary services on endpoints

• Leverage dedicated privileged access workstations (PAWs) for performing administrative tasks

• Restrict system-to-system communications
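Several of the credential and connectivity measures above (privileged and service accounts unable to log on to standard endpoints, local administrators unusable for remote logon, no clear-text passwords in memory) can be verified from two exports a Windows endpoint already produces. The Python below is an added example, not from the slides: it parses the [Privilege Rights] section of a secedit /export /cfg file and the text of reg query, then checks each deny-logon right plus the WDigest and LSA protection values. The secedit and reg query formats, the SeDeny* right names, the well-known SID S-1-5-114 (local account and member of Administrators) and the UseLogonCredential and RunAsPPL values are real; the sample contents and the list of privileged principals are constructed. The local-password randomization measure is not covered here.

```python
"""Audit a standard endpoint's logon restrictions and credential caching.

Added example, not from the slides. Inputs are the text of
`secedit /export /cfg <file>` and `reg query <key>`, both real Windows
formats; the sample contents and the privileged principals are constructed.
S-1-5-114 is the well-known SID for "Local account and member of
Administrators group".
"""
import re

PRIVILEGED_PRINCIPALS = {"CORP\\Domain Admins", "CORP\\svc-backup"}  # assumption
LOCAL_ADMIN_SID = "S-1-5-114"
DENY_RIGHTS = {  # secedit privilege name -> logon path it blocks
    "SeDenyNetworkLogonRight": "network logon (SMB, RPC, WinRM)",
    "SeDenyInteractiveLogonRight": "console logon",
    "SeDenyRemoteInteractiveLogonRight": "RDP logon",
}
WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed secedit export (raw string keeps the backslashes intact).
SAMPLE_SECEDIT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-114,CORP\Domain Admins
SeDenyInteractiveLogonRight = CORP\Domain Admins,CORP\svc-backup
SeDenyRemoteInteractiveLogonRight =
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed reg query output for the two keys of interest.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    UseLogonCredential    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RunAsPPL    REG_DWORD    0x1
"""

REG_VALUE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S+)$")


def parse_secedit(text):
    """Return {right: set(principals)} from [Privilege Rights]; '*' SID prefixes are stripped."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {m.strip().lstrip("*") for m in value.split(",") if m.strip()}
    return rights


def parse_reg_query(text):
    """Return {(key, value_name): data}; REG_DWORD data becomes an int."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = REG_VALUE.match(line)
        if match and key:
            name, kind, data = match.groups()
            values[(key, name)] = int(data, 16) if kind == "REG_DWORD" else data
    return values


def audit(secedit_text, reg_text):
    """Return (check, passed, detail) tuples for a standard endpoint."""
    rights = parse_secedit(secedit_text)
    reg = parse_reg_query(reg_text)
    results = []
    # Local administrator accounts must not work over the network or RDP.
    for right in ("SeDenyNetworkLogonRight", "SeDenyRemoteInteractiveLogonRight"):
        ok = LOCAL_ADMIN_SID in rights.get(right, set())
        results.append((f"local admins denied {DENY_RIGHTS[right]}", ok, right))
    # Privileged domain principals must be denied every logon path to this host.
    for principal in sorted(PRIVILEGED_PRINCIPALS):
        for right, path in DENY_RIGHTS.items():
            ok = principal in rights.get(right, set())
            results.append((f"{principal} denied {path}", ok, right))
    # No clear-text credentials cached by WDigest, and LSASS as a protected process.
    wdigest = reg.get((WDIGEST_KEY, "UseLogonCredential"))
    results.append(("WDigest UseLogonCredential explicitly 0", wdigest == 0, f"value={wdigest}"))
    ppl = reg.get((LSA_KEY, "RunAsPPL"))
    results.append(("LSA protection enabled (RunAsPPL=1)", ppl == 1, f"value={ppl}"))
    return results


def failures(results):
    """Only the checks that did not pass."""
    return [r for r in results if not r[1]]


if __name__ == "__main__":
    for check, passed, detail in audit(SAMPLE_SECEDIT, SAMPLE_REG):
        print(f"[{'PASS' if passed else 'FAIL'}] {check} ({detail})")
```

A missing WDigest value is reported as a failure on purpose, so that the setting is made explicit on every build rather than relied on by default. On the sample, the empty SeDenyRemoteInteractiveLogonRight and the service account's absence from the network-logon deny list are exactly the gaps an intruder with that account would use to reach the workstation over RDP or SMB.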


Questions + Contact

Steve Elovitz, Managing Director, FireEye Mandiant, 201-602-0115

Scott Godes, Partner, Co-Chair – Insurance Recovery, Barnes & Thornburg, 202-408-6928

Heather Egan Sussman, Partner, Head of Global Cyber, Privacy & Data Innovation Group, Orrick, Herrington & Sutcliffe, 617-880-1830

Adam Abresch, National Cyber Risk Practice Leader, Acrisure, 516-672-2514




