Pearson’s Commitment to Diversity, Equity, and Inclusion
Pearson is dedicated to creating bias-free content that reflects the diversity of all learners. We embrace the many dimensions of diversity, including but not limited to race, ethnicity, gender, socioeconomic status, ability, age, sexual orientation, and religious or political beliefs.
Education is a powerful force for equity and change in our world. It has the potential to deliver opportunities that improve lives and enable economic mobility. As we work with authors to create content for every product and service, we acknowledge our responsibility to demonstrate inclusivity and incorporate diverse scholarship so that everyone can achieve their potential through learning. As the world’s leading learning company, we have a duty to help drive change and live up to our purpose to help more people create a better life for themselves and to create a better world.
Our ambition is to purposefully contribute to a world where:
Everyone has an equitable and lifelong opportunity to succeed through learning.
Our educational products and services are inclusive and represent the rich diversity of learners.
Our educational content accurately reflects the histories and experiences of the learners we serve.
Our educational content prompts deeper discussions with learners and motivates them to expand their own learning (and worldview).
While we work hard to present unbiased content, we want to hear from you about any concerns or needs with this Pearson product so that we can investigate and address them.
Please contact us with concerns about any potential bias at https://www.pearson.com/report-bias.xhtml.
To my husbandandbest friend, Tom.
– Sherri
To my caring, loving, andPATIENTwife Karah.
– Matt
To my mom, my dad, andmy sister, for love and supportthroughallofmy adventures.
– Karen
Contents
Preface
Acknowledgments About the Authors
Chapter 1 Impact
1.1 A Cyber Epidemic
1.2 What Is Cyber Extortion?
1.2.1 CIA Triad
1.2.2 Types of Cyber Extortion
1.2.3 Multicomponent Extortion
1.3 Impacts of Modern Cyber Extortion
1.3.1 Operational Disruption
1.3.2 Financial Loss
1.3.3 Reputational Damage
1.3.4 Lawsuits
1.4 Victim Selection
1.4.1 Opportunistic Attacks
1.4.2 Targeted Attacks
1.4.3 Hybrid Attacks
1.5 Scaling Up
1.5.1 Managed Service Providers
1.5.2 Technology Manufacturers
1.5.3 Software Vulnerabilities
1.5.4 Cloud Providers
1.6 Conclusion
1.7 Your Turn!
Step 1: Build Your Victim
Step 2: Choose Your Incident Scenario
Step 3: Discussion Time
Chapter 2 Evolution
2.1 Origin Story
2.2 Cryptoviral Extortion
2.3 Early Extortion Malware
2.4 Key Technological Advancements
2.4.1 Asymmetric Cryptography
2.4.2 Cryptocurrency
2.4.3 Onion Routing
2.5 Ransomware Goes Mainstream
2.6 Ransomware-as-a-Service
2.7 Exposure Extortion
2.8 Double Extortion
2.9 An Industrial Revolution
2.9.1 Specialized Roles
2.9.2 Paid Staff
2.9.3 Automated Extortion Portals
2.9.4 Franchising
2.9.5 Public Relations Programs
2.9.6 Standardized Playbooks and Toolkits
2.10 Conclusion
2.11 Your Turn!
Step 1: Build Your Victim
Step 2: Choose Your Incident Scenario
Step 3: Discussion Time
Chapter 3 Anatomy of an Attack
3.1 Anatomy Overview
3.2 Entry
3.2.1 Phishing
3.2.2 Remote Logon
3.2.3 Software Vulnerability
3.2.4 Technology Supplier Attack
3.3 Expansion
3.3.1 Persistence
3.3.2 Reconnaissance
3.3.3 Broadening
3.4 Appraisal
3.5 Priming
3.5.1 Antivirus and Security Software
3.5.2 Running Processes and Applications
3.5.3 Logging and Monitoring Software
3.5.4 Accounts and Permissions
3.6 Leverage
3.6.1 Ransomware Detonation
3.6.2 Exfiltration
3.7 Extortion
3.7.1 Passive Notification
3.7.2 Active Notification
3.7.3 Third-Party Outreach
3.7.4 Publication
3.8 Conclusion
3.9 Your Turn!
Step 1: Build Your Victim
Step 2: Choose Your Incident Scenario
Step 3: Discussion Time
Chapter 4 The Crisis Begins!
4.1 Cyber Extortion Is a Crisis
4.2 Detection
4.3 Who Should Be Involved?
4.4 Conduct Triage
4.4.1 Why Is Triage Important?
4.4.2 Example Triage Framework
4.4.3 Assess the Current State
4.4.4 Consider Recovery Objectives
4.4.5 Determine Next Steps
4.5 Assess Your Resources
4.5.1 Financial
4.5.2 Insurance
4.5.3 Evidence
4.5.4 Staff
4.5.5 Technology Resources
4.5.6 Documentation
4.6 Develop the Initial Response Strategy
4.6.1 Establish Goals
4.6.2 Create an Action Plan
4.6.3 Assign Responsibilities
4.6.4 Estimate Timing, Work Effort, and Costs
4.7 Communicate
4.7.1 Response Team
4.7.2 Affected Parties
4.7.3 The Public
4.8 Conclusion
4.9 Your Turn!
Step 1: Build Your Victim
Step 2: Choose Your Incident Scenario
Step 3: Discussion Time
Chapter 5 Containment
5.1 The Need for Speed
5.2 Gain Access to the Environment
5.3 Halting Encryption/Deletion
5.3.1 Change File Access Permissions
5.3.2 Remove Power
5.3.3 Kill the Malicious Processes
5.4 Disable Persistence Mechanisms
5.4.1 Monitoring Process
5.4.2 Scheduled Tasks
5.4.3 Automatic Startup
5.5 Halting Data Exfiltration
5.6 Resolve Denial-of-Service Attacks
5.7 Lock Out the Hackers
5.7.1 Remote Connection Services
5.7.2 Reset Passwords for Local and Cloud Accounts
5.7.3 Audit Accounts
5.7.4 Multifactor Authentication
5.7.5 Restrict Perimeter Communications
5.7.6 Minimize Third-Party Access
5.7.7 Mitigate Risks of Compromised Software
5.8 Hunt for Threats
5.8.1 Methodology
5.8.2 Sources of Evidence for Threat Hunting
5.8.3 Tools and Techniques
5.8.4 Staffing
5.8.5 Results
5.9 Taking Stock
5.10 Conclusion
5.11 Your Turn!
Step 1: Build Your Victim
Step 2: Choose Your Incident Scenario
Step 3: Discussion Time
Chapter 6 Investigation
6.1 Research the Adversary
6.1.2 Actionable Intelligence
6.1.3 Identification Techniques
6.1.4 Malware Strains
6.1.5 Tactics, Techniques, and Procedures
6.2 Scoping
6.2.1 Questions to Answer
6.2.2 Process
6.2.3 Timing and Results
6.2.4 Deliverables
6.3 Breach Investigation or Not?
6.3.1 Determine Legal, Regulatory, and Contractual Obligations
6.3.2 Decide Whether to Investigate Further
6.3.3 Moving Forward
6.3.4 Outcomes
6.4 Evidence Preservation
6.4.1 Sources of Evidence
6.4.2 Order of Volatility
6.4.3 Third-Party Evidence Preservation
6.4.4 Storing Preserved Evidence
6.5 Conclusion
6.6 Your Turn!
Step 1: Build Your Victim
Step 2: Choose Your Incident Scenario
Step 3: Discussion Time
Chapter 7 Negotiation
7.1 It’s a Business
7.2 Establish Negotiation Goals
7.2.1 Budget
7.2.2 Time Frame
7.2.3 Information Security
7.3 Outcomes
7.3.1 Purchasing a Decryptor
7.3.2 Preventing Publication or Sale of Data
7.4 Communication Methods
7.4.1 Email
7.4.2 Web Portal
7.4.3 Chat Application
7.5 Pressure Tactics
7.6 Tone, Timeliness, and Trust
7.6.1 Tone
7.6.2 Timeliness
7.6.3 Trust
7.7 First Contact
7.7.1 Initial Outreach
7.7.2 Initial Response
7.8 Sharing Information
7.8.1 What Not to Share
7.8.2 What to Share
7.8.3 What to Hold Back for Later Use
7.9 Common Mistakes
7.10 Proof of Life
7.10.1 Goals and Limitations
7.10.2 Denial Extortion Cases
7.10.3 Exposure Extortion Cases
7.10.4 What If the Adversary Refuses to Provide Proof of Life?
7.11 Haggling
7.11.1 Discounts
7.11.2 Setting the Price
7.11.3 Making Your Counteroffer
7.11.4 Tradeoffs
7.12 Closing the Deal
7.12.1 How to Close the Deal
7.12.2 Changing Your Mind
7.12.3 After the Deal Is Closed
7.13 Conclusion
7.14 Your Turn!
Step 1: Build Your Victim
Step 2: Choose Your Incident Scenario
Step 3: Discussion Time
Chapter 8 Payment
8.1 To Pay or Not to Pay?
8.1.1 Is Payment Even an Option?
8.1.2 The Argument Against Paying
8.1.3 The Argument for Paying
8.2 Forms of Payment
8.3 Prohibited Payments
8.3.1 Compliance
8.3.2 Exceptions
8.3.3 Mitigating Factors
8.4 Payment Intermediaries
8.5 Timing Issues
8.5.1 Funds Transfer Delays
8.5.2 Insurance Approval Process
8.5.3 Fluctuating Cryptocurrency Prices
8.6 After Payment
8.7 Conclusion
8.8 Your Turn!
Step 1: Build Your Victim
Step 2: Choose Your Incident Scenario
Step 3: Discussion Time
Chapter 9 Recovery
9.1 Back up Your Important Data
9.2 Build Your Recovery Environment
9.2.1 Network Segments
9.2.2 Network Devices
9.3 Set up Monitoring and Logging
9.3.1 Goals of Monitoring
9.3.2 Timing
9.3.3 Components
9.3.4 Detection and Response Processes
9.4 Establish Your Process for Restoring Individual Computers
9.5 Restore Based on an Order of Operations
9.5.1 Domain Controllers
9.5.2 High-Value Servers
9.5.3 Network Architecture
9.5.4 Workstations
9.6 Restoring Data
9.6.1 Transferring Data
9.6.2 Restoring from Backups
9.6.3 Current Production Systems
9.6.4 Re-creating Data
9.7 Decryption
9.7.1 Overview of the Decryption Process
9.7.2 Types of Decryption Tools
9.7.3 Risks of Decryption Tools
9.7.4 Test the Decryptor
9.7.5 Decrypt!
9.7.6 Verify Integrity
9.7.7 Check for Malware
9.7.8 Transfer Data to the Production Network
9.8 It’s Not Over
9.9 Adapt
9.10 Conclusion
9.11 Your Turn!
Step 1: Build Your Victim
Step 2: Choose Your Incident Scenario
Step 3: Discussion Time
Chapter 10 Prevention
10.1 Running an Effective Cybersecurity Program
10.1.1 Know What You’re Trying to Protect
10.1.2 Understand Your Obligations
10.1.3 Manage Your Risk
10.1.4 Monitor Your Risk
10.2 Preventing Entry
10.2.1 Phishing Defenses
10.2.2 Strong Authentication
10.2.3 Secure Remote Access Solutions
10.2.4 Patch Management
10.3 Detecting and Blocking Threats
10.3.1 Endpoint Detection and Response
10.3.2 Network Detection and Response
10.3.3 Threat Hunting
10.3.4 Continuous Monitoring Processes
10.4 Operational Resilience
10.4.1 Business Continuity Plan
10.4.2 Disaster Recovery
10.4.3 Backups
10.5 Reducing Risk of Data Theft
10.5.1 Data Reduction
10.5.2 Data-Loss Prevention Systems
10.6 Solving the Cyber Extortion Problem
10.6.1 Get Visibility
10.6.2 Incentivize Detection and Monitoring
10.6.3 Encourage Proactive Solutions
10.6.4 Reduce Adversaries’ Leverage
10.6.5 Increase Risk for the Adversary
10.6.6 Decrease Adversary Revenue
10.7 Conclusion
10.8 Your Turn!
Step 1: Build Your Victim
Step 2: Choose Your Incident Scenario
Step 3: Discussion Time
Afterword
Checklist A Cyber Extortion Response
Checklist B Resources to Create in Advance
Checklist C Planning Your Response
Checklist D Running an Effective Cybersecurity Program
Index
I want to devise a virus
To bring dire straits to your environment
Crush your corporations with a mild touch
Trash your whole computer system and revert you to papyrus
—Deltron 3030, “Virus,” May 23, 2000
Preface
No one realized when the hip hop song “Virus,” was released in 2000 that it would turn out to be prophetic. Featuring a protagonist (Deltron Zero) who wanted to “develop a super virus,” the lyrics describe his plans to infect and destroy computers around the world: “Crush your corporations with a mild touch / Trash your whole computer system and revert you to papyrus.”1
1. Deltron 3030, “Virus,” Deltron 3030, May 23, 2000, https://genius.com/Deltron3030-virus-lyrics.
More than two decades later, ransomware has reached epidemic proportions, shutting down hospitals, schools, law firms, municipalities, manufacturers, and organizations in every sector. Victims around the globe are routinely infected and forced to revert to pen and paper (for those lucky enough to still maintain supplies).2,3 Worse, cyber attackers have discovered that threatening to publish information can give them similar leverage, leading to enormous—and purposeful—data leaks.
2. www.beckershospitalreview.com/cybersecurity/georgia-health-system-revertsto-paper-records-after-ransomware-attack-5-details.xhtml.
3. www.forbes.com/sites/tommybeer/2020/09/28/report-big-us-hospital-systemstruck-by-cyberattack-forcing-staff-to-resort-to-paper-and-pen/.
Today, data is wielded as a weapon. By threatening the confidentiality, integrity, and availability of data, criminals reap profits and force victims to bend to their will. After years of escalating ransomware attacks, brazen data publication, and a daily barrage of new victims touted in the headlines, they have honed their strategies and developed a scalable, successful business model.
The impacts of cyber extortion are far-reaching. Business operations have been halted, both temporarily and in some cases permanently. Medical records have been destroyed and patients’ lives put in jeopardy. Key intellectual property has been sold to competitors. Private emails and personal details are routinely dumped so that they become visible to the public eye.
Court cases resulting from ransomware and data leaks are multiplying, even as victims and insurers pour funds into victim compensation and corrective action. Law enforcement agencies around the world are working every day to dismantle cyber extortion rackets, even as the criminals themselves crow to the media that they are not afraid.
“Extortion fatigue” is real. The problem is so pervasive that people can’t digest the full scope and impact. At the same time, cyber extortion is wildly underreported. After all, no victim purposefully calls the media when they find out they’ve been hacked. Cases are routinely negotiated quietly, in secret. As a result, the true extent of cyber extortion cannot be known but is undoubtedly far greater than any statistics indicate.
Response is crucial. The steps taken by a victim organization in the hours, days, and months after a cyber extortion attack can dramatically impact the outcome.
This book is a practical guide to responding to cyber extortion threats, including ransomware, exposure extortion, denial-of-service attacks, and more. Throughout the book, we’ll draw heavily from real-world case studies, as well as the vast library of unpublished cases handled by the authors during their work as response professionals. Readers will emerge better prepared to handle a cyber extortion attack properly, which will help minimize damage and expedite recovery.
As highlighted throughout the book, cyber extortion is typically the last and most visible phase of an intrusion. Often, cybercriminals have access to a victim’s environment or data for an extended period of time, siphoning off key information, researching the victim, and installing malware and other tools that will maximize their leverage.
By employing effective cybersecurity prevention measures throughout society, we can reduce the risk of cyber extortion and cybercrime more generally. In the last chapter of this book, we delve into the underlying causes of cyber extortion and provide recommendations for reducing this risk.
Since cyber extortion actors, tools, and tactics evolve constantly, throughout this book we emphasize response and prevention techniques that will stand the test of time.
How This Book Is Organized
This book is designed to be a practical guide for response and prevention of ransomware and cyber extortion threats. Here is a summary of our journey in this book:
Chapter 1, Impact: Cyber extortionists threaten the confidentiality, integrity, and availability of information in an effort to gain leverage over a victim. The four types of cyber extortion are denial, modification, exposure, and faux extortion. Impacts of cyber extortion range from operational disruption to financial loss, reputational damage, lawsuits, and more. In addition to targeting victims directly, adversaries compromise technology suppliers such as managed services providers (MSPs), cloud providers, and software vendors.
Chapter 2, Evolution: Ransomware and cyber extortion attacks have been around longer than most people realize and come in a variety of forms. In this chapter, we cover the history of ransomware and its impact on affected organizations, and then follow its evolution into the bustling criminal economy that drives it today.
Chapter 3, Anatomy of an Attack: Extortion is the last phase of a cyber extortion attack. Adversaries first gain access to the victim’s technology environment and then take steps to expand their access, assess the victim, and prepare prior to extortion. In this chapter, we step through the phases of a cyber extortion attack. Along the way, we identify indicators of compromise and provide response tips that can mitigate or even stop the attack in progress.
Chapter 4, The Crisis Begins: The early stages of cyber extortion response signifi cantly impact how quickly an organization recovers and is able to resume its normal operations. In this chapter, we provide insight on recognizing the common early indicators of a cyber extortion attack. We also walk through the concept of triage and explain how development of a clear and effective response strategy is critical early in the response process.
Chapter 5, Containment: When a cyber extortionist strikes, quick action can reduce the damage and help speed recovery. In this chapter, we discuss techniques for halting data exfiltration and file encryption/deletion, resolving denial-ofservice attacks, and locking the adversary out of the victim’s environment. We end the chapter by talking about threat hunting, including methodology, sources of evidence, tools and techniques, staffing, and results.
Chapter 6, Investigation: Taking the time to conduct an investigation is critical for both short- and long-term resolution of cyber extortion incidents. In this chapter, we discuss reasons for investigating, techniques for identifying the adversary, methods for scoping an attack and tracking down “patient zero,” and the fundamentals of data breach investigations. We also cover evidence preservation, which has the potential to reduce the long-term damage of cyber extortion attacks.
Chapter 7, Negotiation: How do you reach an agreement with criminals? This chapter is a practical guide to initiating, managing, and completing a ransom negotiation. You’ll learn about haggling, proof of life, and closing the deal. We also discuss common mistakes made during cyber extortion negotiations and ways to avoid them.
Chapter 8, Payment: Although paying a ransom may be undesirable or even unthinkable for some, in many cases it is the victim’s chosen path forward. In this chapter, we discuss the pros and cons of paying a ransom, and then the
practicalities of the payment process, including forms of payment, types of intermediaries, timing issues, and what to do after payment has been made. We also discuss payments prohibited due to sanctions and consider the due diligence that victims should conduct before any payment is made.
Chapter 9, Recovery: The goal of every incident is to return to normal operations. In this chapter, we cover the process of recovery, as well as strategies for reducing the risk of data loss and reinfection, which can enable the victim to resume operations with confidence. Along the way, we also describe key improvements for your environment that can reduce future risk and increase defensive capabilities.
Chapter 10, Prevention: Cyber extortion is typically the last phase of a cyberattack. Fundamentally, prevention is best accomplished by implementing a strong, holistic cybersecurity program. In this chapter, we highlight the keys to building such a cybersecurity program, and then delve into specific defensive steps that help to reduce the risk of cyber extortion attacks or mitigate their impact. We conclude by discussing broad-scale, macro changes that are needed to effectively combat the cyber extortion epidemic.
Other Chapter Elements
Throughout each chapter we have included other elements meant to highlight important information, concepts, or examples, some with graphical icons to easily identify each element:
Learning Objectives: A bulleted list of the material covered in that chapter
Case Studies: Real-world cyber extortion cases that demonstrate the concepts being discussed