In this discussion, James Shank of Team Cymru and Ryan Chapman of SANS presented the top themes for ransomware preparedness. They were unable to answer all the questions live and have summarized them.
Listen to the full webcast here.
Question:
Yes. Secondary attacks are very common. They already KNOW you will pay to protect yourself. Are some of the Ransomware-as-a-service groups looking for cybersecurity insurance holders?
Answer:
Ryan Chapman: Groups have been found to be targeting insurance agency underwritten orgs. Yes. But overall, it’s not a major piece of the “who they target” puzzle.
James Shank: With the supply chain attacks I have been seeing lately, I doubt it will be long before insurance companies get targeted for the purposes of knowing the policies and determining lucrative parties. No, I have not seen this happening yet, but it could become a strategy for some actors in the future, whether they target the insurance data directly or just happen upon it as part of a data leak.
Question:
Paying the ransom isn't always a guarantee. We hear that quite a bit. Are you aware of any polls that have been done to see how often ransom is paid and the decryption key doesn't work or only works on "some" of the assets?
Answer:
Ryan Chapman: MANY polls are available, yet they all seem to point in different directions. It’s a visibility thing. I recommend checking out CoveWare’s blog. They have some solid resources, yet they also claim in their graphics that basically 100% of clients recover data, which is for sure not true.
James Shank: Remember that ransomware actors care about customer service, to an extent. If they develop a reputation of payment not resulting in decryption, this will influence future victim’s decision on whether to pay or not.
Question:
What do law enforcement do when you notify them? Is it just more people to keep informed and ask difficult questions, or do they actually help?
Answer:
Ryan Chapman: Oftentimes, the LE that will eventually take over is the FBI in the US at least. They open cases. They take them seriously. And if you look around at the rest of the world, look at what’s happened with Emotet. And with cl0p. LE is tracking these groups. The more intel they have, the better job they can do!
James Shank: Fully agree with Ryan! I would also add that the metrics and information they gather can result in a more informed coordinated government response. No one knows the true extent of the problem because there isn’t a central clearing house that will be certain to receive this data.
Question:
What are your thoughts on going after the actual payment vector in terms of Ransomware...ie... Banks/Bitcoin?
Answer:
Ryan Chapman: I believe that crypto is just an easy button for the ransomware actors right now. If that’s tossed out of the picture, then what? Bank xfers? What about physical money drops? Ooph. Going after the crypto payments right now is a great way to identify, associate, and shut down. But within X years, that will morph into something else. Most likely something even uglier. “Ship us physical gold bars, to this address, in this foreign nation…”
Question:
When you talk about relationships with law enforcement, should you contact local law enforcement, FBI, or others?
Answer:
James Shank: Both, but for different reasons. In the US, the FBI will be the right contact for most situations. Know your field agents in your local office. They are likely very friendly!
Question:
What's the view on Office 365s protection against ransomware e.g. Sharepoint etc?
Answer:
Ryan Chapman: Helpful. Not an “answer” though. And oftentimes, ransomware detection is detection for the actual encryption events. By that point, data has already been exfil’d, services have fallen over, systems are down, and then you’re alerted. “Hey. You’re already pwn’d.”
Question:
Any suggestions on offline backup solutions and what the architecture of such a solution looks like?
Answer:
Ryan Chapman: I tend to avoid specifying vendors. However, I recommend ensuring that the offline backup solution provider has a few things that could help immensely with ransomware. 1) Immutable storage that has a fast write time and isn’t super expensive. This storage method is sometimes referred to as Write-Once, Read Many (WORM) storage. The idea here is that your backups cannot be destroyed by the ransomware operator, as they cannot be overwritten. 2) PIN-based operations. As an example, Azure Blobs have a feature in which a PIN must be entered for administrative functionality. Should a ransomware operator attempt to delete backup data, they must know the PIN in order to enact the functionality.
Question:
How about a SaaS solution backing us up in case of an AD down scenario? Provided, the SaaS solution gives us least limited access to the critical systems?
Answer:
Ryan Chapman: SaaS can be useful when it comes to accessing critical systems, but the general issue with AD being down is that most functions and services somehow rely on AD being up and available. While a SaaS solution may provide access to products X, Y, or Z, general system availability and access will most likely not be available should AD still remain down. Ransomware actors are also reaching out to AzureAD and implementing their attacks in this space, especially when orgs are running a hybrid AD/AzureAD environment.
Question:
Does the industry find that if you pay the ransom, that you are a more likely target in the future because you are now known as a company that will pay?
Answer:
Ryan Chapman: We do see this, yes. We see clients also being hit by the same group that hit them previously. But most ransomware groups out now pride themselves on their reputations. The number of repeat victims is all over the place depending on where you obtain your stats. For example, ZDNet recently published this article: https://www.zdnet.com/google-amp/article/most-firms-face-second-ransomware-attack-after-paying-off-first/. No way 80% of businesses that paid the ransom experienced another ransomware attack. This number is very, very off from what myself and others in the industry are seeing. Sadly, it’s difficult to get actual percentages on these things due to visibility problems… let alone odd reporting such as this.
Question:
What should be more concentrated in IRP? Should it talk about different phases of response or how, when, and whom we are going to get involved during an active attack?
Answer:
Ryan Chapman: How, when, and whom is far more important in an IRP than the general phases of the attack! By far! Make sure to identify the WHO. Cannot stress that more :). And have backups. And better yet a pool of people for each role.
Question:
It is possible to negotiate with some ransom gangs. What is a good strategy for that? Can I expect to reduce the payment?
Answer:
Ryan Chapman: Absolutely! Ransomware negotiation is just that - Negotiation. Many ransomware groups will perform analysis of an organization’s financials. So they’ll know what can and cannot be paid. Oftentimes they’ll use this as a differentiator. For example, if they request 5 million, but your group is flush with 3.7 million, they may know this. So when you try to drop down below 3.7 million, it may not work.
Question:
Remediation is adding some IOC's to the firewall and updating the AV sig's, correct?
Answer:
Ryan Chapman: Most of the time IOCs are different between attacks. For example, here’s an article that discusses how most REvil attacks are unique: https://www.infosecurity-magazine.com/news/no-two-revil-attacks-are-the-same/. Adding IOCs to a firewall should not be viewed as an outright remediation. The same goes for AV signatures. Those signatures that you add will become obsolete fairly quickly. Rather, I recommend identifying the exact infection vector and patching the software, locking down the RDP resource, or disabling admin on the user’s host that was hit with phishing. Make that locking down all users from being admins on their boxes. True remediation involves knowing exactly how the ransomware attack began and addressing each and every item that could allow that particular event to occur in the future.
Question:
With Agile builds (Azure) how do you streamline the security reviews so that we are not the hindrance and holding up new app deployment?
Answer:
Ryan Chapman: Unfortunately, I’m not familiar enough with Agile builds in Azure. That is, if this is a platform specific question. If the question simply refers to agile builds and how security can be involved, I recommend having a few software developers dedicated to DevSecOps. Have these folks be a part of the code commit review crew. The big thing with agile is, well, being agile! Hah! But honestly it’s all about getting software out that works over bureaucracy. And what is security review anyhow? Yup! Bureaucracy! So the trick is to integrate security review into the general code review.
Any SDLC being followed, including agile, should include code review before pushing to production. Ensuring that someone with eyes on the code has a proper understanding of secure coding practices could do wonders for such groups. One example I often give involves user input sanitization. Should an agile group have a review process in which folks don’t care about input being sanitized, you’re going to have a bad day. But even when in a quick turnaround sprint, a general code review by someone who recognizes the importance of input sanitization could be a huge boon for the security of the resulting product.
Question:
If I understand correctly we should define which payment is okay and document that. But if I'm a victim of an attack the attacker could find this document and know what I'm willing to pay.
Answer:
Ryan Chapman: That is an astute observation!! Our point was more about where the payment would come from, but in order to determine that, you're right: You’d need to review potential payment amounts. We’ve seen plenty of ransomware actors who review financial info and respond with something akin to, “You say you cannot pay X, but we KNOW you can pay X, and here are the documents to prove it.” Imagine if those documents were our recommended documentation!! In this case, perhaps the trick is to ensure that the document itself is triple-encrypted on disk… or perhaps the real trick is to avoid spelling out the actual dollar value in such a vital document.
Question:
What are your thoughts on the future of cyber security insurance fraud, and cyber ransomware tax deductions? Does this not encourage nefarious behavior?
Answer:
Ryan Chapman: Oh 100%. To be dead honest, I’m personally very worried about the possibility of cyber insurance fraud. Think of it this way: Look at ANY type of insurance in existence right now. Is there not some form of fraud relating to X insurance? Of course there is. So what happens when a tax dedication incentives such fraud? The thought makes me shudder, and I don’t have a solid “here’s the fix.” I wish I did, but I don’t.
Question:
How did they recover the bitcoin, since it was not supposed to be traceable?
Answer:
Ryan Chapman: Bitcoin was designed to be public. That’s one of the funny things about the fact that ransomware operators use this particular crypto for payment. The bitcoin “ledger,” as it’s called, allows any entity (like me and you!) to trace transactions. For info, see https://support.blockchain.com/hc/en-us/articles/211160663-How-can-I-look-up-a-transaction-on-the-blockchain-. The trick for recovering bitcoin is usually taking over the infrastructure used by the threat actor on which the bitcoin is stored. Digital wallets for example. Or passwords to cloud-based wallets. One very large ransomware group in fact offered 10% discounts for using Monero, as this particular cryptocurrency is more difficult to trace: https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/.
Question:
Do you think that memory forensics is faster in getting to the bottom of the issue than disk forensics?
Answer:
Ryan Chapman: I think disk forensics is far more common for starters. Most consulting groups like us at BlackBerry don’t get memory images often. The client has usually done something to destroy the memory. That being said, disk forensics allows for review of the file system metadata intact. For example, the full $NTFS and $J files from a Windows box. Those aren’t always contained fully in memory.
Memory can often point to the ransomware itself, but the real issue is that the TAs have been in the environment for hours, days, or weeks. Trying to pull and analyze memory for every system to trace the path and identify what has been done, overall, does not scale well. But collected artifacts with a tool like CyLR or KAPE from all devices. That’s doable. So my money is in disk forensics in terms of “how did this start?
.png "SANS DFIR FOR478 Survey logo")
