Anatomy of a Ransomware Attack

(1)

May 25, 2021

Anatomy of a Ransomware Attack

Heather Egan Sussman, Orrick, Herrington & Sutcliffe, LLP

Steve Elovitz, FireEye Mandiant

Scott Godes, Barnes & Thornburg LLP

Adam Abresch, National Cyber Risk Practice Leader, Acrisure

(2)

Agenda

• Introductions

• A Brief History of Ransomware

• Insurance and Risk Transfer

• Ransomware Scenario

• Pre-mediation

(3)

Speakers

Heather Egan Sussman

Cyber, Privacy & Data Innovation Orrick Herrington & Sutcliffe LLP

Heather Egan Sussman is head of Orrick's global Cyber, Privacy & Data Innovation Group and is ranked by Chambers USA, Chambers Global and The Legal 500 United States as a leader in her field.

Heather routinely guides clients through the existing patchwork of laws impacting privacy and cybersecurity around the globe. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes. She drafts online privacy notices for global rollout and implements data transfer mechanisms for the free flow of data worldwide.

Heather also helps clients develop and achieve their data innovation strategies, so they can leverage the incredible value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, meet security needs and solidify brand and consumer trust. Heather devotes a significant part of her practice to helping clients reduce the risk of privacy and security incidents. In the event of a privacy or security breach, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries.

Heather frequently writes on current privacy and information security issues before trade and legal organizations and has been quoted in hundreds of major news outlets.

(4)

Speakers

Steve Elovitz

Managing Director FireEye Mandiant

As a Managing Director of FireEye Mandiant’s Incident Response team, Steve is responsible for guiding his clients through cyber security crises: advising executive decision making, overseeing investigations, remediations, and enterprise hardening efforts. In this role, Steve has led the investigations into some of the most notable incidents in history and has ample experience responding to both nation-state sponsored cyber espionage as well as financially motivated attacks.

Steve also helps his clients develop their security programs by proactively identifying, prioritizing, and mitigating security risks. His role on the front lines lets him see the latest tools, tactics, and procedures in use by attackers, as well as which security controls are effective at preventing, detecting, and disrupting attacks.

(5)

Speakers

Scott Godes

Partner, Co-Chair – Insurance Recovery and Counseling Practice

Barnes & Thornburg LLP

Described as the “most interesting insurance lawyer in the world,” Scott Godes is a Chambers-rated insurance recovery attorney who has assisted clients in recovering more than $1 billion in insurance coverage. He began focusing his insurance recovery work on coverage for cybersecurity and privacy claims in 2008 and is one of the few lawyers in the country who has litigated the scope of insurance coverage available for data breach claims under cyberinsurance policies. He has also helped clients recover millions for data privacy incidents and cyberattacks under cyber, crime, CGL, first-party property, and Tech E&O insurance policies, as well as in connection with professional liability claims.

He has provided strategic coverage advice for companies that have had cloud-based privacy and cybersecurity events.

(6)

Speakers

Adam Abresch

National Cyber Risk Practice Leader

Acrisure

(7)

A Brief History of Ransomware

(8)

Ransomware Landscape

• Significant threat to global organizations

• We continue to see an increase in ransomware-related intrusions

• Shift by more sophisticated financially motivated actors towards use of ransomware/extortion

(9)

Evolution of Ransomware

(Timeline figure; the slide's axis runs 2013 through 2021, and the events below are listed by the year they sit under on that axis.)

• 2013: CryptoLocker

• 2015–2016: SamSam

• 2017: WannaCry / NotPetya

• 2018: Ryuk; indictment and sanctions of SamSam operators

• 2019: FIN6 incorporates ransomware; victim naming and shaming trend begins in Q4; indictment and sanctions of Dridex operators (“EvilCorp”)

• 2020: REvil, DoppelPaymer, Conti, Netwalker and others create public shaming sites; targeting of healthcare organizations

• 2021: Continued diversification of extortive tactics

(10)

Post-Compromise Targeting

• The majority of recent Mandiant investigations involved a post-compromise approach

• Key advantages are associated with post-compromise operations versus traditional indiscriminate targeting

(11)

Typical Ransomware Attack Lifecycle

(Figure: the post-compromise approach, shown as three stages between the attacker and the victim organization.)

• 1st stage: Credential theft

• 2nd stage: Internal reconnaissance, lateral movement tools, escalate privileges, delete backups, data theft (sometimes)

• 3rd stage: Ransomware

(12)

Typical Ransomware Attack Lifecycle

Common Initial Access Vectors:

• Single Factor Perimeter Compromise

• Email Phishing

• Software Vulnerabilities

Special considerations:

• Human Actors

• Ransomware-As-A-Service (RaaS)

• Quick Deployments

• Data Theft and extortion

(13)

Exploitation Model

Access + Credentials + Connectivity = PROFIT

(14)

Preparation

Insurance and Risk Transfer

(15)

Insurance and Risk Transfer

• Some Best Practices When Buying Insurance

  • Is cyberextortion coverage included?

  • Is business interruption and extra expense coverage included?

  • Is bricking coverage included?

  • Is betterment coverage included?

  • Is your choice of forensic firms and law firms included in the policy? At what hourly rate?

  • How does the policy cover non-litigated resolutions with customers?

(16)

Insurance and Risk Transfer

• Other Risk Transfer Questions

  • What limits (and sublimits) are in the tower of coverage?

  • What policies does the company have that might respond to ransomware?

    • Cyberinsurance

    • Kidnap, ransom, and extortion

    • Crime insurance

    • Property insurance

  • Who is filling out the application?

  • What is the retroactive date?

(17)

Attack Scenario

(18)

Scenario: Day 0 (Friday evening)

• At 4:00pm ET on Friday afternoon, InfoSec receives alerts that certain systems are unavailable and it appears to be a ransomware event.

• Email does not appear to be disrupted.

• InfoSec undertakes initial containment efforts.

• A number of server instances appear not to be available.

(19)

Day 0 (Friday evening)

A ransom note is discovered:

(20)

Day 0-1 (Overnight to Saturday)

• Decision needs to be made on shutting down the network

(21)

Day 1 (Saturday)

• After following the instructions and inputting the key, a timer begins to count down: “Price will be doubled if you don’t pay on time”

• Ransom negotiator establishes contact:

  • threat actor claims to have 30GB of data

  • threatens to publish in 7 days unless full payment received

(22)

Day 3 (Monday)

• Company notifies key regulators with 72-hour deadlines

• Existing IT and security tools were impacted by the ransomware and unusable

• Competing priorities of forensic agent deployment versus system restoration and recovery

• Active Directory and Network Hardening Ensues

(23)

Day 5 (Wednesday)

• Confirmed: Data cannot be decrypted without the key

• Confirmed: Some backups exist, but no reliable understanding of coverage

• Confirmed: A data sample was decrypted per instructions and it is highly sensitive company information

• Unconfirmed: Technicians cannot precisely say how long a data recovery from backup will take. Best estimate is 72 – 96 hours

• Confirmed: Data was exfiltrated from the network

• Unconfirmed: What is the full scope of data stolen? What are the obligations based on the sample set? Based on the rest of the data?

(24)

Day 7 (Friday)

• Company negotiates with the carrier regarding payment

• Company has notified law enforcement, reviewed facts with OFAC counsel, and secured approval by the carrier for payment of a certain amount

• Company initiates wire payment to the negotiator

• Negotiator performs sanctions check

• After the check clears, negotiator makes the payment

(25)

Next three to twelve weeks

• After a brief delay while bitcoin is converted to Monero, the key is obtained

• The technical teams work methodically to bring affected systems back online

• IT and OT support services retained to assist

• Communications plan continues to unfold

• Company responds to regulator and customer inquiries, clearing all comms with outside counsel

• Forensic analysis continues and feeds findings to the legal team to provide legal advice regarding notification obligations, if any, based on the available evidence.

(26)

Pre·mediation (noun): proactively implementing common remediation-focused initiatives

(27)

Exploitation Model

Access + Credentials + Connectivity = PROFIT

(28)

Proactive Measures – Access Hardening

• Regularly scan externally facing systems for common ports and protocols open

• Enhance vulnerability management for systems that are external

• Train end-users on spotting phishing emails and regularly perform phishing campaign exercises

• Harden external access capabilities with Multifactor Authentication (MFA)

(29)

Proactive Measures – Credential Hardening

Minimize privileged credential exposure!

• Harden systems so that privileged and/or service accounts cannot be used for logons to standard endpoints

• Remove the capability for local administrative accounts to be used for remote logons to other endpoints

• Randomize the password for built-in local administrative accounts on endpoints

• Harden endpoints so that clear-text passwords are not stored in memory

(30)

Proactive Measures – Connectivity Hardening

• Restrict egress access, ports, and protocols

• Remove the capability for privileged accounts to be used for remote logon purposes

• Disable unnecessary services on endpoints

• Leverage dedicated privileged access workstations (PAWs) for performing administrative tasks

• Restrict system-to-system communications
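As an added example (not from the presentation, and not Mandiant's or any vendor's tooling), the read-only PowerShell audit below checks a single Windows endpoint against the credential-hardening items on slide 29 and the egress and service items on slide 30. The registry and policy locations it reads, the S-1-5-114 user-right check and the short list of "unnecessary" services are assumptions drawn from Microsoft's documented defaults; adjust them to your own baseline.

```powershell
# Added example, not part of the presentation or of any Mandiant tooling: a read-only
# audit of one Windows endpoint against the credential- and connectivity-hardening
# items on the slides above. Run it in an elevated PowerShell session; it changes
# nothing. Registry paths are the documented policy locations for each control and
# are assumptions to verify against your own build and GPO baseline.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value: the caller decides what the default means
}

function New-Finding([string]$Control, [bool]$Pass, $Observed) {
    [pscustomobject]@{ Control = $Control; Pass = $Pass; Observed = "$Observed" }
}

$findings = @()

# Slide 29: clear-text passwords must not be kept in LSASS memory.
# WDigest UseLogonCredential = 1 re-enables clear-text caching; 0 or absent is hardened.
$wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
$wdigestSeen = if ($null -eq $wdigest) { 'absent (off by default on Windows 8.1 / 2012 R2 and later)' } else { $wdigest }
$findings += New-Finding 'WDigest clear-text credential caching disabled' ($wdigest -ne 1) $wdigestSeen

# Credential Guard isolates LSA secrets; SecurityServicesRunning contains 1 when it is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
$findings += New-Finding 'Credential Guard running' $cgRunning ($dg.SecurityServicesRunning -join ',')

# Slide 29: local administrative accounts must not work for remote logons.
# LocalAccountTokenFilterPolicy = 1 switches off UAC remote restrictions for local admins.
$latfp = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy'
$latfpSeen = if ($null -eq $latfp) { 'absent (restricted by default)' } else { $latfp }
$findings += New-Finding 'UAC remote restrictions for local accounts in force' ($latfp -ne 1) $latfpSeen

# The complementary user right: "Deny access to this computer from the network" should
# include S-1-5-114 (Local account and member of Administrators group). secedit exports
# the effective policy; the SID list is read from the SeDenyNetworkLogonRight line.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$denyNet = (Select-String -Path $cfg -Pattern '^SeDenyNetworkLogonRight' | Select-Object -First 1).Line
Remove-Item $cfg -ErrorAction SilentlyContinue
$denySeen = if ($denyNet) { $denyNet } else { 'right not assigned' }
$findings += New-Finding 'Local admins denied network logon (S-1-5-114)' ($denyNet -match 'S-1-5-114') $denySeen

# Slide 29: built-in local Administrator password randomized. Either the legacy LAPS
# policy value (AdmPwdEnabled) or a Windows LAPS policy key indicates the control is deployed.
$legacyLaps = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' 'AdmPwdEnabled'
$winLaps    = Test-Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$findings += New-Finding 'LAPS policy present (local admin password randomized)' (($legacyLaps -eq 1) -or $winLaps) "legacy=$legacyLaps windowsLaps=$winLaps"

# Slide 30: restrict egress. With a default-deny outbound policy only explicitly allowed
# ports and protocols leave the host; every firewall profile must block by default.
$profiles = Get-NetFirewallProfile
$openOut  = @($profiles | Where-Object { $_.DefaultOutboundAction -ne 'Block' })
$profileSeen = ($profiles | ForEach-Object { "$($_.Name)=$($_.DefaultOutboundAction)" }) -join '; '
$findings += New-Finding 'Firewall default outbound action = Block on all profiles' ($openOut.Count -eq 0) $profileSeen

# Slide 30: disable unnecessary services. This list is an assumption; replace it with the
# services your own baseline forbids on standard endpoints.
$unneeded = @('RemoteRegistry', 'SSDPSRV', 'upnphost')
$running  = @(Get-Service -Name $unneeded -ErrorAction SilentlyContinue | Where-Object Status -eq 'Running')
$findings += New-Finding 'Unnecessary services stopped' ($running.Count -eq 0) (($running.Name) -join ', ')

$findings | Format-Table -AutoSize
```

Each row reports Pass/Fail with the raw value observed, so the output can be fed into a fleet-wide comparison rather than read one host at a time. A failing WDigest or LocalAccountTokenFilterPolicy row maps directly onto the second-stage lifecycle steps on slide 11 (credential theft and lateral movement), which is why those two controls are usually the first ones a remediation team enforces by Group Policy.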

(31)

Questions + Contact

Steve Elovitz, Managing Director, FireEye Mandiant, 201-602-0115, Steve.Elovitz@mandiant.com, @SElovitz

Scott Godes, Partner, Co-Chair – Insurance Recovery, Barnes & Thornburg, 202-408-6928, Scott.Godes@btlaw.com

Heather Egan Sussman, Partner, Head of Global Cyber, Privacy & Data Innovation Group, Orrick, Herrington & Sutcliffe, 617-880-1830, hsussman@orrick.com

Adam Abresch, National Cyber Risk Practice Leader, Acrisure, 516-672-2514, AAbresch@Acrisure.com
