Ransomware Protection Playbook

1st ed.

by: Roger A. Grimes

18,99 €

Publisher: Wiley
Format: EPUB
Published: 14.09.2021
ISBN/EAN: 9781119849131
Language: English
Number of pages: 320

DRM-protected eBook; to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Descriptions

<p><b>Avoid becoming the next ransomware victim by taking practical steps today</b></p> <p>Colonial Pipeline. CWT Global. Brenntag. Travelex. The list of ransomware victims is long, distinguished, and sophisticated. And it's growing longer every day.</p> <p>In <i>Ransomware Protection Playbook</i>, computer security veteran and expert penetration tester Roger A. Grimes delivers an actionable blueprint for organizations seeking a robust defense against one of the most insidious and destructive IT threats currently in the wild. You'll learn about concrete steps you can take now to protect yourself or your organization from ransomware attacks.</p> <p>In addition to walking you through the necessary technical preventative measures, this critical book will show you how to:</p> <ul> <li>Quickly detect an attack, limit the damage, and decide whether to pay the ransom</li> <li>Implement a pre-set game plan in the event of a game-changing security breach to help limit the reputational and financial damage</li> <li>Lay down a secure foundation of cybersecurity insurance and legal protection to mitigate the disruption to your life and business</li> </ul> <p>A must-read for cyber and information security professionals, privacy leaders, risk managers, and CTOs, <i>Ransomware Protection Playbook</i> is an irreplaceable and timely resource for anyone concerned about the security of their, or their organization's, data.</p>
<p>Acknowledgments xi</p>
<p>Introduction xxi</p>
<p><b>Part I: Introduction 1</b></p>
<p><b>Chapter 1: Introduction to Ransomware 3</b></p>
<p>How Bad is the Problem? 4</p>
<p>Variability of Ransomware Data 5</p>
<p>True Costs of Ransomware 7</p>
<p>Types of Ransomware 9</p>
<p>Fake Ransomware 10</p>
<p>Immediate Action vs. Delayed 14</p>
<p>Automatic or Human-Directed 17</p>
<p>Single Device Impacts or More 18</p>
<p>Ransomware Root Exploit 19</p>
<p>File Encrypting vs. Boot Infecting 21</p>
<p>Good vs. Bad Encryption 22</p>
<p>Encryption vs. More Payloads 23</p>
<p>Ransomware as a Service 30</p>
<p>Typical Ransomware Process and Components 32</p>
<p>Infiltrate 32</p>
<p>After Initial Execution 34</p>
<p>Dial-Home 34</p>
<p>Auto-Update 37</p>
<p>Check for Location 38</p>
<p>Initial Automatic Payloads 39</p>
<p>Waiting 40</p>
<p>Hacker Checks C&C 40</p>
<p>More Tools Used 40</p>
<p>Reconnaissance 41</p>
<p>Readying Encryption 42</p>
<p>Data Exfiltration 43</p>
<p>Encryption 44</p>
<p>Extortion Demand 45</p>
<p>Negotiations 46</p>
<p>Provide Decryption Keys 47</p>
<p>Ransomware Goes Conglomerate 48</p>
<p>Ransomware Industry Components 52</p>
<p>Summary 55</p>
<p><b>Chapter 2: Preventing Ransomware 57</b></p>
<p>Nineteen Minutes to Takeover 57</p>
<p>Good General Computer Defense Strategy 59</p>
<p>Understanding How Ransomware Attacks 61</p>
<p>The Nine Exploit Methods All Hackers and Malware Use 62</p>
<p>Top Root-Cause Exploit Methods of All Hackers and Malware 63</p>
<p>Top Root-Cause Exploit Methods of Ransomware 64</p>
<p>Preventing Ransomware 67</p>
<p>Primary Defenses 67</p>
<p>Everything Else 70</p>
<p>Use Application Control 70</p>
<p>Antivirus Prevention 73</p>
<p>Secure Configurations 74</p>
<p>Privileged Account Management 74</p>
<p>Security Boundary Segmentation 75</p>
<p>Data Protection 76</p>
<p>Block USB Keys 76</p>
<p>Implement a Foreign Russian Language 77</p>
<p>Beyond Self-Defense 78</p>
<p>Geopolitical Solutions 79</p>
<p>International Cooperation and Law Enforcement 79</p>
<p>Coordinated Technical Defense 80</p>
<p>Disrupt Money Supply 81</p>
<p>Fix the Internet 81</p>
<p>Summary 84</p>
<p><b>Chapter 3: Cybersecurity Insurance 85</b></p>
<p>Cybersecurity Insurance Shakeout 85</p>
<p>Did Cybersecurity Insurance Make Ransomware Worse? 90</p>
<p>Cybersecurity Insurance Policies 92</p>
<p>What’s Covered by Most Cybersecurity Policies 93</p>
<p>Recovery Costs 93</p>
<p>Ransom 94</p>
<p>Root-Cause Analysis 95</p>
<p>Business Interruption Costs 95</p>
<p>Customer/Stakeholder Notifications and Protection 96</p>
<p>Fines and Legal Investigations 96</p>
<p>Example Cyber Insurance Policy Structure 97</p>
<p>Costs Covered and Not Covered by Insurance 98</p>
<p>The Insurance Process 101</p>
<p>Getting Insurance 101</p>
<p>Cybersecurity Risk Determination 102</p>
<p>Underwriting and Approval 103</p>
<p>Incident Claim Process 104</p>
<p>Initial Technical Help 105</p>
<p>What to Watch Out For 106</p>
<p>Social Engineering Outs 107</p>
<p>Make Sure Your Policy Covers Ransomware 107</p>
<p>Employee’s Mistake Involved 107</p>
<p>Work-from-Home Scenarios 108</p>
<p>War Exclusion Clauses 108</p>
<p>Future of Cybersecurity Insurance 109</p>
<p>Summary 111</p>
<p><b>Chapter 4: Legal Considerations 113</b></p>
<p>Bitcoin and Cryptocurrencies 114</p>
<p>Can You Be in Legal Jeopardy for Paying a Ransom? 123</p>
<p>Consult with a Lawyer 127</p>
<p>Try to Follow the Money 127</p>
<p>Get Law Enforcement Involved 128</p>
<p>Get an OFAC License to Pay the Ransom 129</p>
<p>Do Your Due Diligence 129</p>
<p>Is It an Official Data Breach? 129</p>
<p>Preserve Evidence 130</p>
<p>Legal Defense Summary 130</p>
<p>Summary 131</p>
<p><b>Part II: Detection and Recovery 133</b></p>
<p><b>Chapter 5: Ransomware Response Plan 135</b></p>
<p>Why Do Response Planning? 135</p>
<p>When Should a Response Plan Be Made? 136</p>
<p>What Should a Response Plan Include? 136</p>
<p>Small Response vs. Large Response Threshold 137</p>
<p>Key People 137</p>
<p>Communications Plan 138</p>
<p>Public Relations Plan 141</p>
<p>Reliable Backup 142</p>
<p>Ransom Payment Planning 144</p>
<p>Cybersecurity Insurance Plan 146</p>
<p>What It Takes to Declare an Official Data Breach 147</p>
<p>Internal vs. External Consultants 148</p>
<p>Cryptocurrency Wallet 149</p>
<p>Response 151</p>
<p>Checklist 151</p>
<p>Definitions 153</p>
<p>Practice Makes Perfect 153</p>
<p>Summary 154</p>
<p><b>Chapter 6: Detecting Ransomware 155</b></p>
<p>Why is Ransomware So Hard to Detect? 155</p>
<p>Detection Methods 158</p>
<p>Security Awareness Training 158</p>
<p>AV/EDR Adjunct Detections 159</p>
<p>Detect New Processes 160</p>
<p>Anomalous Network Connections 164</p>
<p>New, Unexplained Things 166</p>
<p>Unexplained Stoppages 167</p>
<p>Aggressive Monitoring 169</p>
<p>Example Detection Solution 169</p>
<p>Summary 175</p>
<p><b>Chapter 7: Minimizing Damage 177</b></p>
<p>Basic Outline for Initial Ransomware Response 177</p>
<p>Stop the Spread 179</p>
<p>Power Down or Isolate Exploited Devices 180</p>
<p>Disconnecting the Network 181</p>
<p>Disconnect at the Network Access Points 182</p>
<p>Suppose You Can’t Disconnect the Network 183</p>
<p>Initial Damage Assessment 184</p>
<p>What is Impacted? 185</p>
<p>Ensure Your Backups Are Still Good 186</p>
<p>Check for Signs of Data and Credential Exfiltration 186</p>
<p>Check for Rogue Email Rules 187</p>
<p>What Do You Know About the Ransomware? 187</p>
<p>First Team Meeting 188</p>
<p>Determine Next Steps 189</p>
<p>Pay the Ransom or Not? 190</p>
<p>Recover or Rebuild? 190</p>
<p>Summary 193</p>
<p><b>Chapter 8: Early Responses 195</b></p>
<p>What Do You Know? 195</p>
<p>A Few Things to Remember 197</p>
<p>Encryption is Likely Not Your Only Problem 198</p>
<p>Reputational Harm May Occur 199</p>
<p>Firings May Happen 200</p>
<p>It Could Get Worse 201</p>
<p>Major Decisions 202</p>
<p>Business Impact Analysis 202</p>
<p>Determine Business Interruption Workarounds 203</p>
<p>Did Data Exfiltration Happen? 204</p>
<p>Can You Decrypt the Data Without Paying? 204</p>
<p>Ransomware is Buggy 205</p>
<p>Ransomware Decryption Websites 205</p>
<p>Ransomware Gang Publishes Decryption Keys 206</p>
<p>Sniff a Ransomware Key Off the Network? 206</p>
<p>Recovery Companies Who Lie About Decryption Key Use 207</p>
<p>If You Get the Decryption Keys 207</p>
<p>Save Encrypted Data Just in Case 208</p>
<p>Determine Whether the Ransom Should Be Paid 209</p>
<p>Not Paying the Ransom 209</p>
<p>Paying the Ransom 210</p>
<p>Recover or Rebuild Involved Systems? 212</p>
<p>Determine Dwell Time 212</p>
<p>Determine Root Cause 213</p>
<p>Point Fix or Time to Get Serious? 214</p>
<p>Early Actions 215</p>
<p>Preserve the Evidence 215</p>
<p>Remove the Malware 215</p>
<p>Change All Passwords 217</p>
<p>Summary 217</p>
<p><b>Chapter 9: Environment Recovery 219</b></p>
<p>Big Decisions 219</p>
<p>Recover vs. Rebuild 220</p>
<p>In What Order 221</p>
<p>Restoring Network 221</p>
<p>Restore IT Security Services 223</p>
<p>Restore Virtual Machines and/or Cloud Services 223</p>
<p>Restore Backup Systems 224</p>
<p>Restore Clients, Servers, Applications, Services 224</p>
<p>Conduct Unit Testing 225</p>
<p>Rebuild Process Summary 225</p>
<p>Recovery Process Summary 228</p>
<p>Recovering a Windows Computer 229</p>
<p>Recovering/Restoring Microsoft Active Directory 231</p>
<p>Summary 233</p>
<p><b>Chapter 10: Next Steps 235</b></p>
<p>Paradigm Shifts 235</p>
<p>Implement a Data-Driven Defense 236</p>
<p>Focus on Root Causes 238</p>
<p>Rank Everything! 239</p>
<p>Get and Use Good Data 240</p>
<p>Heed Growing Threats More 241</p>
<p>Row the Same Direction 241</p>
<p>Focus on Social Engineering Mitigation 242</p>
<p>Track Processes and Network Traffic 243</p>
<p>Improve Overall Cybersecurity Hygiene 243</p>
<p>Use Multifactor Authentication 243</p>
<p>Use a Strong Password Policy 244</p>
<p>Secure Elevated Group Memberships 246</p>
<p>Improve Security Monitoring 247</p>
<p>Secure PowerShell 247</p>
<p>Secure Data 248</p>
<p>Secure Backups 249</p>
<p>Summary 250</p>
<p><b>Chapter 11: What Not to Do 251</b></p>
<p>Assume You Can’t Be a Victim 251</p>
<p>Think That One Super-Tool Can Prevent an Attack 252</p>
<p>Assume Too Quickly Your Backup is Good 252</p>
<p>Use Inexperienced Responders 253</p>
<p>Give Inadequate Considerations to Paying Ransom 254</p>
<p>Lie to Attackers 255</p>
<p>Insult the Gang by Suggesting Tiny Ransom 255</p>
<p>Pay the Whole Amount Right Away 256</p>
<p>Argue with the Ransomware Gang 257</p>
<p>Apply Decryption Keys to Your Only Copy 257</p>
<p>Not Care About Root Cause 257</p>
<p>Keep Your Ransomware Response Plan Online Only 258</p>
<p>Allow a Team Member to Go Rogue 258</p>
<p>Accept a Social Engineering Exclusion in Your Cyber-Insurance Policy 259</p>
<p>Summary 259</p>
<p><b>Chapter 12: Future of Ransomware 261</b></p>
<p>Future of Ransomware 261</p>
<p>Attacks Beyond Traditional Computers 262</p>
<p>IoT Ransoms 264</p>
<p>Mixed-Purpose Hacking Gangs 265</p>
<p>Future of Ransomware Defense 267</p>
<p>Future Technical Defenses 267</p>
<p>Ransomware Countermeasure Apps and Features 267</p>
<p>AI Defense and Bots 268</p>
<p>Strategic Defenses 269</p>
<p>Focus on Mitigating Root Causes 269</p>
<p>Geopolitical Improvements 269</p>
<p>Systematic Improvements 270</p>
<p>Use Cyber Insurance as a Tool 270</p>
<p>Improve Internet Security Overall 271</p>
<p>Summary 271</p>
<p>Parting Words 272</p>
<p>Index 273</p>
<p><b>ROGER A. GRIMES</b> is a 34-year computer security expert and author on the subject of hacking, malware, and ransomware attacks. He was the weekly security columnist at <i>InfoWorld</i> and <i>CSO</i> Magazines between 2005 and 2019. He is frequently interviewed and quoted, including by <i>Newsweek</i>, <i>CNN</i>, <i>NPR</i>, and the <i>WSJ</i>.</p>
<p><b>DISCOVER SIMPLE STEPS TO AVOID BECOMING TOMORROW’S NEXT RANSOMWARE VICTIM</b></p> <p>From Colonial Pipeline to CWT Global, Brenntag, and Travelex, the list of ransomware victims around the world is as long as it is disheartening. The good news is that there's a lot you can do to protect yourself from these bad actors and secure your own systems against this malicious software.</p> <p>In <i>Ransomware Protection Playbook,</i> cybersecurity veteran and pentester Roger A. Grimes delivers a practical roadmap to protecting your networks against one of the most insidious and damaging cyber threats currently in the wild. You'll discover concrete steps you can take <i>right now</i> to fortify your defenses and prepare for an attack.</p> <p>The author describes the preventative measures you can take to stop an attack before it starts. He also discusses how to quickly detect an attack, limit the damage when one does occur, and how to decide whether to pay the ransom. You'll be prepared to implement a pre-set gameplan in the event of a security breach and limit the financial and reputational damage your organization suffers as a result. You'll also learn how to create a solid foundation of cybersecurity insurance and legal protection to mitigate potential disruption to your business activities.</p> <p>With this game-changing security framework, you'll also:</p> <ul> <li>Create pre-fab crisis response plans to implement during an attack</li> <li>Evaluate and select cybersecurity insurance and legal protection plans</li> <li>Lay down thick walls of information security to prevent an attack</li> <li>Learn lessons from some of the most high-profile ransomware attacks so far</li> <li>Mitigate your odds of becoming a cautionary tale for the next generation</li> </ul>