Ransomware Protection Playbook

Cover
Title Page
Copyright Page
About the Author
About the Technical Editor
Acknowledgments
Contents
Introduction
	Who This Book Is For
	What Is Covered in This Book?
	How to Contact Wiley or the Author
Part I Introduction
	Chapter 1 Introduction to Ransomware
		How Bad Is the Problem?
			Variability of Ransomware Data
			True Costs of Ransomware
		Types of Ransomware
			Fake Ransomware
			Immediate Action vs. Delayed
			Automatic or Human-Directed
			Single Device Impacts or More
			Ransomware Root Exploit
			File Encrypting vs. Boot Infecting
			Good vs. Bad Encryption
			Encryption vs. More Payloads
			Ransomware as a Service
			Typical Ransomware Process and Components
				Infiltrate
				After Initial Execution
				Dial-Home
				Auto-Update
				Check for Location
				Initial Automatic Payloads
				Waiting
				Hacker Checks C&C
				More Tools Used
				Reconnaissance
				Readying Encryption
				Data Exfiltration
				Encryption
				Extortion Demand
				Negotiations
				Provide Decryption Keys
			Ransomware Goes Conglomerate
			Ransomware Industry Components
		Summary
	Chapter 2 Preventing Ransomware
		Nineteen Minutes to Takeover
		Good General Computer Defense Strategy
		Understanding How Ransomware Attacks
			The Nine Exploit Methods All Hackers and Malware Use
			Top Root-Cause Exploit Methods of All Hackers and Malware
			Top Root-Cause Exploit Methods of Ransomware
		Preventing Ransomware
			Primary Defenses
			Everything Else
				Use Application Control
				Antivirus Prevention
				Secure Configurations
				Privileged Account Management
				Security Boundary Segmentation
				Data Protection
				Block USB Keys
				Implement a Foreign Russian Language
		Beyond Self-Defense
			Geopolitical Solutions
				International Cooperation and Law Enforcement
				Coordinated Technical Defense
				Disrupt Money Supply
			Fix the Internet
		Summary
	Chapter 3 Cybersecurity Insurance
		Cybersecurity Insurance Shakeout
		Did Cybersecurity Insurance Make Ransomware Worse?
		Cybersecurity Insurance Policies
			What’s Covered by Most Cybersecurity Policies
			Recovery Costs
			Ransom
			Root-Cause Analysis
			Business Interruption Costs
			Customer/Stakeholder Notifications and Protection
			Fines and Legal Investigations
			Example Cyber Insurance Policy Structure
			Costs Covered and Not Covered by Insurance
		The Insurance Process
			Getting Insurance
			Cybersecurity Risk Determination
			Underwriting and Approval
			Incident Claim Process
			Initial Technical Help
		What to Watch Out For
			Social Engineering Outs
			Make Sure Your Policy Covers Ransomware
			Employee’s Mistake Involved
			Work-from-Home Scenarios
			War Exclusion Clauses
		Future of Cybersecurity Insurance
		Summary
	Chapter 4 Legal Considerations
		Bitcoin and Cryptocurrencies
		Can You Be in Legal Jeopardy for Paying a Ransom?
			Consult with a Lawyer
			Try to Follow the Money
			Get Law Enforcement Involved
			Get an OFAC License to Pay the Ransom
			Do Your Due Diligence
		Is It an Official Data Breach?
		Preserve Evidence
		Legal Defense Summary
		Summary
Part II Detection and Recovery
	Chapter 5 Ransomware Response Plan
		Why Do Response Planning?
		When Should a Response Plan Be Made?
		What Should a Response Plan Include?
			Small Response vs. Large Response Threshold
			Key People
			Communications Plan
			Public Relations Plan
			Reliable Backup
			Ransom Payment Planning
			Cybersecurity Insurance Plan
			What It Takes to Declare an Official Data Breach
			Internal vs. External Consultants
			Cryptocurrency Wallet
			Response
			Checklist
			Definitions
		Practice Makes Perfect
		Summary
	Chapter 6 Detecting Ransomware
		Why Is Ransomware So Hard to Detect?
		Detection Methods
			Security Awareness Training
			AV/EDR Adjunct Detections
			Detect New Processes
			Anomalous Network Connections
			New, Unexplained Things
			Unexplained Stoppages
			Aggressive Monitoring
		Example Detection Solution
		Summary
	Chapter 7 Minimizing Damage
		Basic Outline for Initial Ransomware Response
		Stop the Spread
			Power Down or Isolate Exploited Devices
			Disconnecting the Network
				Disconnect at the Network Access Points
				Suppose You Can’t Disconnect the Network
		Initial Damage Assessment
			What Is Impacted?
			Ensure Your Backups Are Still Good
			Check for Signs of Data and Credential Exfiltration
			Check for Rogue Email Rules
			What Do You Know About the Ransomware?
		First Team Meeting
		Determine Next Steps
			Pay the Ransom or Not?
			Recover or Rebuild?
		Summary
	Chapter 8 Early Responses
		What Do You Know?
		A Few Things to Remember
			Encryption Is Likely Not Your Only Problem
			Reputational Harm May Occur
			Firings May Happen
			It Could Get Worse
		Major Decisions
			Business Impact Analysis
			Determine Business Interruption Workarounds
			Did Data Exfiltration Happen?
			Can You Decrypt the Data Without Paying?
				Ransomware Is Buggy
				Ransomware Decryption Websites
				Ransomware Gang Publishes Decryption Keys
				Sniff a Ransomware Key Off the Network?
				Recovery Companies Who Lie About Decryption Key Use
				If You Get the Decryption Keys
				Save Encrypted Data Just in Case
			Determine Whether the Ransom Should Be Paid
				Not Paying the Ransom
				Paying the Ransom
			Recover or Rebuild Involved Systems?
			Determine Dwell Time
			Determine Root Cause
			Point Fix or Time to Get Serious?
		Early Actions
			Preserve the Evidence
			Remove the Malware
			Change All Passwords
		Summary
	Chapter 9 Environment Recovery
		Big Decisions
			Recover vs. Rebuild
			In What Order
				Restoring Network
				Restore IT Security Services
				Restore Virtual Machines and/or Cloud Services
				Restore Backup Systems
				Restore Clients, Servers, Applications, Services
				Conduct Unit Testing
		Rebuild Process Summary
		Recovery Process Summary
			Recovering a Windows Computer
			Recovering/Restoring Microsoft Active Directory
		Summary
	Chapter 10 Next Steps
		Paradigm Shifts
			Implement a Data-Driven Defense
				Focus on Root Causes
				Rank Everything!
				Get and Use Good Data
				Heed Growing Threats More
				Row the Same Direction
				Focus on Social Engineering Mitigation
			Track Processes and Network Traffic
		Improve Overall Cybersecurity Hygiene
			Use Multifactor Authentication
			Use a Strong Password Policy
			Secure Elevated Group Memberships
			Improve Security Monitoring
			Secure PowerShell
			Secure Data
			Secure Backups
		Summary
	Chapter 11 What Not to Do
		Assume You Can’t Be a Victim
		Think That One Super-Tool Can Prevent an Attack
		Assume Too Quickly Your Backup Is Good
		Use Inexperienced Responders
		Give Inadequate Considerations to Paying Ransom
		Lie to Attackers
		Insult the Gang by Suggesting Tiny Ransom
		Pay the Whole Amount Right Away
		Argue with the Ransomware Gang
		Apply Decryption Keys to Your Only Copy
		Not Care About Root Cause
		Keep Your Ransomware Response Plan Online Only
		Allow a Team Member to Go Rogue
		Accept a Social Engineering Exclusion in Your Cyber-Insurance Policy
		Summary
	Chapter 12 Future of Ransomware
		Future of Ransomware
			Attacks Beyond Traditional Computers
			IoT Ransoms
			Mixed-PurposeHacking Gangs
		Future of Ransomware Defense
			Future Technical Defenses
				Ransomware Countermeasure Apps and Features
				AI Defense and Bots
			Strategic Defenses
				Focus on Mitigating Root Causes
				Geopolitical Improvements
				Systematic Improvements
				Use Cyber Insurance as a Tool
				Improve Internet Security Overall
		Summary
		Parting Words
Index
EULA