May 25, 2021
Anatomy of a
Ransomware Attack
Heather Egan Sussman
Orrick, Herrington & Sutcliffe, LLP
Steve Elovitz FireEye Mandiant
Scott Godes
Barnes & Thornburg LLP Adam Abresch
National Cyber Risk Practice Leader Acrisure
Agenda
• Introductions
• A Brief History of Ransomware
• Insurance and Risk Transfer
• Ransomware Scenario
• Pre-mediation
Speakers
Heather Egan Sussman
Cyber, Privacy & Data Innovation Orrick Herrington & Sutcliffe LLP
Heather Egan Sussman is head of Orrick's global Cyber, Privacy & Data Innovation Group and is ranked by Chambers USA, Chambers Global and The Legal 500 United States as a leader in her field.
Heather routinely guides clients through the existing patchwork of laws impacting privacy and cybersecurity around the globe. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes. She drafts online privacy notices for global rollout and implements data transfer mechanisms for the free flow of data worldwide.
Heather also helps clients develop and achieve their data innovation strategies, so they can leverage the incredible value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, meet security needs and solidify brand and consumer trust. Heather devotes a significant part of her practice to helping clients reduce the risk of privacy and security incidents. In the event of a privacy or security breach, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries.
Heather frequently writes on current privacy and information security issues before trade and legal organizations and has been quoted in hundreds of major news outlets.
Speakers
Steve Elovitz
Managing Director FireEye Mandiant
As a Managing Director of FireEye Mandiant’s Incident Response team, Steve is responsible for guiding his clients through cyber security crises: advising executive decision making, overseeing investigations, remediations, and enterprise hardening efforts. In this role, Steve has led the investigations into some of the most notable incidents in history and has ample experience responding to both nation-state sponsored cyber espionage as well as financially motivated attacks.
Steve also helps enable his clients develop their security programs by proactively identifying, prioritizing, and mitigating security risks. His role on the front lines enables him to see the latest tools, tactics, and procedures in use by attackers, as well as what security controls are effective at preventing, detecting, and disrupting attacks.
Speakers
Scott Godes
Partner, Co-Chair – Insurance Recovery and Counseling Practice
Barnes & Thornburg LLP
Described as the “most interesting insurance lawyer in the world,” Scott Godes is a Chambers-rated insurance recovery attorney who has assisted clients recover more than $1 billion in insurance coverage. He focused his insurance recovery work on coverage for cybersecurity and privacy claims in 2008 and is one of the few lawyers in the country who has litigated the scope of insurance coverage available for data breach claims under cyberinsurance policies. He also has helped clients recover millions for data privacy incidents and cyberattacks under cyber, crime, CGL, first party property, and Tech E&O insurance policies, as well as in connection with professional liability claims.
He has provided strategic coverage advice for companies that have had cloud-based privacy and cybersecurity events.
Speakers
Adam Abresch
National Cyber Risk Practice Leader
Acrisure
A Brief History of
Ransomware
Ransomware Landscape
• Significant threat to global organizations
• We continue to see an increase in ransomware-related intrusions
• Shift by more sophisticated financially motivated actors towards use of
ransomware/extortion
Evolution of Ransomware
CryptoLocker
2013
SamSam
2015 2016
WannaCry / NotPetya
2017 2018
Victim Naming and Shaming Trend
Begins in Q4
2019
Revil, DopplePaymer, Conti, Netwalker and others create
public shaming sites
2020
Indictment and Sanctions of
SamSam operators
Indictment and Sanctions of Dridex operators
(“EvilCorp”)
Targeting of Healthcare Organizations
2014
Ryuk
FIN6 incorporates ransomware
2021
Continued Diversification of Extortive Tactics
Post-Compromise Targeting
• Majority recent Mandiant investigations involved post- compromise approach
• Key advantages associated with post-compromise
operations versus traditional
indiscriminate targeting
Typical Ransomware Attack Lifecycle
Attacker
Credential Theft
Internal Reconnaissance Lateral Movement Tools Escalate Privileges Delete Backups
1STSTAGE
Victim Organization
3RDSTAGE
Ransomware POST COMPROMISE APPROACH
2NDSTAGE
Data Theft (Sometimes)
Typical Ransomware Attack Lifecycle
• Single Factor Perimeter Compromise
• Email Phishing
• Software Vulnerabilities
Common Initial Access Vectors:
• Human Actors
• Ransomware-As-A-Service (RaaS)
• Quick Deployments
• Data Theft and extortion
Special considerations:
Exploitation Model
Access
+ Credentials + Connectivity
_______________
PROFIT
=
Preparation
Insurance and Risk Transfer
Insurance and Risk Transfer
• Some Best Practices When Buying Insurance
• Is cyberextortion coverage included?
• Is business interruption and extra expense coverage included?
• Is bricking coverage included?
• Is betterment coverage included?
• Is your choice of forensic firms and law firms included in the policy? At what hourly rate?
• How does the policy cover non-litigated
resolutions with customers?
Insurance and Risk Transfer
• Other Risk Transfer Questions
• What limits (and sublimits) are in the tower of coverage?
• What policies does the company have that might respond to ransomware?
• Cyberinsurance
• Kidnap, ransom, and extortion
• Crime insurance
• Property insurance
• Who is filling out the application?
• What is the retroactive date?
Attack Scenario
Scenario: Day 0 (Friday evening)
• At 4:00pm ET on Friday afternoon, InfoSec receives alerts that certain systems are
unavailable and it appears to be a ransomware event.
• Email does not appear to be disrupted.
• InfoSec undertakes initial containment efforts.
• A number of server instances appear not to be
available.
Day 0 (Friday evening)
A ransom note is discovered:
Day 0-1 (Overnight to Saturday)
• Decision needs to be made on shutting down the network
Day 1 (Saturday)
• After following the instructions, and
inputting the key, a timer begins to count down.
• Price will be doubled if you don’t pay on time
• Ransom negotiator establishes contact:
• threat actor claims to have 30GB of data
• threatens to publish in 7 days unless full payment
received
Day 3 (Monday)
• Company notifies key regulators with 72-hour deadlines
• Existing IT and security tools were impacted by the ransomware and unusable
• Competing priorities of Forensic Agent
deployment / System restoration and Recovery
• Active Directory and Network Hardening Ensues
Day 5 (Wednesday)
• Confirmed: Data cannot be decrypted without the key
• Confirmed: Some backups exist, but no reliable understanding of coverage
• Confirmed: A data sample was decrypted per instructions and it is highly sensitive company information
• Unconfirmed: Technicians cannot precisely say how long a data recovery from backup will take. Best estimate is 72 – 96 hours
• Confirmed: Data was exfiltrated from the network
• Unconfirmed: What full scope of data was stolen? What are the
obligations based on the sample set? Based on the rest of the
data?
Day 7 (Friday)
• Company negotiates with the carrier regarding payment
• Company has notified law enforcement, reviewed facts with OFAC counsel, and secured approval by the carrier for payment of a certain amount
• Company initiates wire payment to the negotiator
• Negotiator performs sanctions check
• After the check clears, negotiator makes the payment
Next three to twelve weeks
• After brief delay while bitcoin is converted to Monaro, the key is obtained
• The technical teams work methodically to bring affected systems back online
• IT and OT support services retained to assist
• Communications plan continues to unfold
• Company responds to regulator and customer inquiries, clearing all comms with outside counsel
• Forensic analysis continues and feeds findings to the legal team to
provide legal advice regarding notification obligations, if any based
on the available evidence.
Pre·mediation: noun
Proactively implementing common
remediation-focused initiatives
Exploitation Model
Access
+ Credentials + Connectivity
_______________
PROFIT
=
Proactive Measures – Access Hardening
Regularly scan externally facing systems for common
ports and protocols open
Enhance Vulnerability Management for
systems that are external
Train end-users on spotting Phishing
emails and regularly perform phishing campaign
exercises
Harden external access capabilities
with Multifactor Authentication
(MFA)
Proactive Measures – Credential Hardening
Minimize privileged credential exposure!
Harden systems so that privileged and/or service accounts cannot be
used for logons to standard endpoints
Remove the capability for local
administrative accounts to be used for remote
logons to other endpoints
Randomize the password for built-
in local administrative
accounts on endpoints
Harden endpoints so that clear-text passwords are not
stored in memory
Proactive Measures – Connectivity Hardening
Restrict egress access, ports, and protocols
Remove the capability for
privileged accounts to be used for remote
logon purposes
Disable unnecessary
services on endpoints
Leverage dedicated privileged access workstations (PAWs)
for performing administrative tasks Restrict
system-to-system communications
