EPISODE 48

Anatomy of a Ransomware Attack

About this episode

In this episode, special guests Jake Bernstein and Melinda Miller join us to discuss ransomware. This episode focuses on some real-world ransomware attacks, how they were handled by our team, and how cybersecurity professionals often need to work with lawyers during a data breach or attack.

First, we discuss what ransomware really is, how it works, the problems it causes, whom it affects, and the risk it poses to an organization. We also focus on the potential causes of ransomware, where it comes from, and what the hackers want from an organization. There are also different types of ransomware, depending on the targeted organization and the attacker involved. 

The response process is also covered, as well as how different perspectives affect how the attack is combated, investigated and contained, and how recovery and monitoring are performed. The biggest decision during a ransomware attack is often whether or not to pay the ransom, and Jake provides some great suggestions and observations from his time in the field regarding this decision.

What you’ll learn

  • What ransomware is
  • How to handle a ransomware attack
  • How to prevent a ransomware attack
  • What cyber hygiene is


Episode Transcript

Kip Boyle: 

Hi, this is Your Cyber Path. We’re the podcast that helps you get your dream cybersecurity job. I’m Kip Boyle, and I’m an experienced hiring manager of cybersecurity professionals. This episode is available as an audio only recording in your favorite podcast app, and it’s also a video that you can find on our YouTube channel. Just go to that website and search for Your Cyber Path Podcast.

Now, due to the recent Kaseya supply chain cyber attack, today I’m going to share with you a replay of a continuing legal education course that I recently put on with my friend and colleague, Jake Bernstein. And in this session, using ordinary language, we’re going to walk you through two actual ransomware incidents that we’ve handled, and this will include how the attack started, how the victim recovered, and the role of the attorney throughout the incident. So not only is this relevant because of the historic ransomware attack, but it will also help you understand one other really important thing. When you’re working in cybersecurity, at times you’ll find yourself working with lawyers who will be on the same team as you.

Okay, before we get to the training, I want you to consider grabbing our free guide. It’s called Play to Win: Getting Your Dream Cybersecurity Job, and it describes how taking a capture the flag approach is going to help you compete and win in your job hunting. It’s a really helpful 20 page visual guide, and you should check it out. Just go to yourcyberpath.com/pdf, that’s yourcyberpath.com/pdf. Check it out, tell me what you like, tell me what you don’t like so I can fix it. But in any event, I want you to remember that you’re just one path away from your dream cybersecurity job.

Thanks everybody for joining us. We really appreciate it, and we want to get started. Now I’ll just say upfront that we’re going to record the session, and you will receive a replay link shortly after we wrap today. Probably in the next day or two, right Melinda?

Melinda Miller: 

Yeah.

Kip Boyle: 

Okay, great. So yeah, so you’ll be able to watch it again, and feel free to share it with anybody else who would like to check it out who couldn’t be here. The only caveat is that we can give continuing legal education credits if you’re actually participating today. On the replay, we can’t do that, but that’s okay because I think our content’s going to be pretty helpful, and so even if you don’t get a CLE credit for it, I hope the replay is helpful. So that’s what’s going on with the replay.

So I’m Kip Boyle, and I’m the cohost of the Cyber Risk Management Podcast. Jake Bernstein’s here. He’s also the cohost, so thanks for being here, Jake.

Jake Bernstein: 

We’re both cohosts of the Cyber Risk, yes. Thank you very much.

Kip Boyle: 

We are. And then also with us today is Melinda Miller. Melinda is going to be our facilitator today, so welcome Melinda. And would you mind telling folks how we’re going to run things today in terms of questions and answers and so forth?

Melinda Miller:

Yeah, absolutely. So hi everyone, I’m really excited to be here with all of you. I gave Kip and Jake the hard part of doing the presenting, I’m just here to be the helper in the background. So if you have any questions during the presentation, feel free to put them in your chat, and I will answer all the ones that I can, and the ones that are better suited for Kip and Jake, I will save that for the open Q&A that we will be doing at the end of the presentation. I think that should be everything. Kip, am I missing anything important?

Kip Boyle:

Well I think when we do transition into Q&A, how would you like people to signal that they have a Q for us to A?

Melinda Miller: 

For any questions, you can raise your hand. There should be a little raise your hand button at the bottom of your screen, and then as soon as we answer your question, if you could just put your hand down so I can keep track of them better.

Kip Boyle: 

Great. Yeah, that’ll be fine. All right, so let’s get going here. So today, what we’re going to share with you all is two ransomware cases that Jake and I have worked on, and we’re going to do that in a way that we hope is going to be accessible to you. We’re not going to use any jargon. If we need to, we’re going to make sure we define terms, and we’re going to really focus on helping you as the attorney to know what to do if a client of yours finds themself in either, in a ransomware attack in progress, or if they get concerned about the idea that they could become the victim of a ransomware attack. How can you advise them, how can you help them and give them counsel. That’s right, Jake, isn’t it? That’s what we’re going to do today.

Jake Bernstein:

It is. I can’t promise that we won’t use some jargon-y language. It’s my favorite thing to do, other than be a podcast cohost. So we’ll define that as necessary.

Kip Boyle: 

Well you can use the legal jargon I think with complete impunity. I’m just talking about the tech jargon.

Jake Bernstein:

Fair enough.

Kip Boyle: 

Okay, cool. All right, so I’m a virtual chief information security officer. Jake is an attorney at law at K&L Gates. I work at my own company that I founded called Cyber Risk Opportunities, and just an open invitation. If anybody would like to reach out to us and have a conversation, we would love to hear from you. Our contact information is here. We’ll also provide you with these slides in the next day or two so that you can take a look at them later on if you’d like. And again, with our contact information on there. Okay. Oh, and then our podcast. So I encourage you if you’re not a podcast listener now, please go ahead and check it out. We’ve got some really great episodes there. We just recorded episode 83 the other day, and when we started this I was just like, “Oh man, I hope we can make it last a year.” And we’ve definitely done better than that, and so I just want to encourage you guys to go check out the podcast.

Okay, so let’s get started. So what is ransomware? And there’s a lot of technical aspects to what is ransomware. We can talk about how it actually gets into systems, we can talk about how technically it uses encryption algorithms, and how do the keys get used to encrypt data, and then why do you have to pay money to get a key back. We don’t want to go into all those technical details. We want to keep it understandable and relevant here, okay? So ransomware is a form of malicious code, or malware. Malware is a combination of malicious software. That’s kind of where that little term comes from. And you probably know this, but in case you don’t, the whole thing here, the way it works is that somehow a cyber criminal gets this malicious code onto a data network, and it finds all the data, all the sensitive data especially, and encrypts it and then hides the key from the owner of the data. So they still have possession of the data, but they can’t use it because it’s encrypted using a key that they don’t possess.

And that’s the basis for the ransom, right? So pay us money, typically a cryptocurrency, often Bitcoin, sometimes it’s Ethereum or something else. And then we’ll give you the key, and then you can use the key to decrypt the data. So that’s kind of the essence of it. I mean, this is just a modern day kidnapping or asset ransomware type of an approach, right? It’s a crime, and it’s just that today it can be done digitally and it can be done at a distance. Right Jake?

Jake Bernstein: 

Yes indeed. And so one of the problems, because it’s digital and it can be done at a distance, it can also be automated. And that is really one of the biggest problems with ransomware as opposed to old school bank robberies, right? In order to commit an old school bank robbery, you have to physically go to a bank and attempt to rob it. You can only do one of those, I think if you were really industrious, maybe you could hit a couple banks a day, but you’re really risking yourself every time. With ransomware on the other hand, you can sit back, push a button, and you can hit thousands, hundreds of thousands really depending on the circumstances, of victims all at once at no physical risk to yourself, and one of the problems that we’ll see is perhaps not a great deal of risk to yourself overall.

Ransomware, the numbers just continue to increase. Over the course of 2020 and into 2021, massive percentage increase. Targeting everybody, obviously large companies, but also medium and small. Really, everybody is at risk. If you have data that you would like to maintain access to and you’re connected to the internet, you’re at risk of ransomware. And one of the things that I would say is kind of a somewhat new variation, at this point it’s less new, but this little flyer here calls it ransomware 2.0, and that is the idea that we’re going to combine the encryption with basically a data breach threat. So, “Oh, you have good backups? Well that’s just fine. If you don’t pay us the ransom, we’re going to go ahead and release the data anyway so it becomes a breach.” So it’s kind of a redundancy for the criminals.

Kip Boyle: 

Right. A redundancy in the sense that if you have great data backups and you say, “Well, I don’t need to purchase the decryption key from you,” well the cyber criminals have gotten wise to that. And so they’re like, “Okay, well we have other ways of torturing you to get a payment out of you.” So yeah, there’s a lot of permutations, and they continue to innovate the way that they attack us. So you can get taunted over Twitter, the executives of the company can be taunted. This can turn into a public relations nightmare, more than just a technology program. This can become a real business issue.

And of course not the least of which is the potential for bankruptcy or severe financial distress on a company. We’re going to talk about some of the details here in a moment, but one of the companies that Jake and I worked with earlier this year, a couple weeks after we had our last conversation with them, they reached out to us and confided that this was such a traumatic event combined with some other things that they were dealing with that they were going to dissolve the company. So this can change the trajectory of a company’s evolution.

Now, we also wanted to just really emphasize the fact that everybody’s at risk for this, and you can see some of the latest statistics here on the screen. Government organizations, and that would include cities. That would include just the police departments inside of cities, water districts and that sort of thing, that’s under utilities.

Jake Bernstein: 

Schools, school districts.

Kip Boyle: 

School districts, right. Well, education, right? Education is down there. But some of the highest profile ransomware attacks were against the city of Baltimore, the city of Atlanta and so forth. So think about your clients, think about who you serve, and take a look at this bar graph here and just get some idea about who’s most susceptible to a ransomware attack. One thing this bar graph doesn’t show is large organization versus medium versus small, and I just want to emphasize that it really doesn’t matter how big you are. The economies of scale that the attackers are using to come after us are so in their favor that they can afford to attack anybody, of any size, in any industry. So smaller organizations that think, “Well, I’m not a target,” that’s absolutely not the case.

All right, so with that preamble, let’s go ahead and talk about the two cases that we wanted to share with you. Now obviously, we’ve sanitized the information to protect client confidentiality. So we’re going to talk about a client X, and we’re going to talk about client Y, and they both went through pretty similar experiences. But we’re going to point out where they were the same, where they were different. And Jake’s going to take client X, I’m going to talk about client Y, and I’m going to hand it over to Jake here in a moment. But let’s begin at the beginning. How does a ransomware attack begin?

Jake Bernstein: 

So, and I think that’s one of the questions that everyone really should be asking themselves on a regular basis, because it often gets… I think it often gets ignored, or not investigated closely enough, right? Obviously if you have gone through an incident response process, you know that finding kind of patient zero is an important thing to do. You need to know how the bad guys got in so that you can make sure that they’re not still in, or that they don’t just come right back.

In this particular case, what was happening is that the client, one of client X’s customers, so there’s a third party involved here. Their website was itself compromised, and so what happened is, is that one of client X’s business folks went to the website of their customer and they saw this popup. “You’re using an older version of Chrome, you should update.” Well, Chrome updates fairly regularly. It’s not an implausible type of message. This is the type of thing that, with really strong cybersecurity awareness training, you would try to get people not to fall for. Unfortunately, this individual either was in a hurry or just didn’t realize, clicked update, and very, very quickly as you’ll see in a moment, the kind of malware was downloaded and its payload was released, and we’ll get into that.

Kip Boyle: 

Right. Now for client Y, due to the way the IT department responded to the problem, which is to say that they began to re-image machines immediately, thinking that that was the best way out of the situation, they destroyed so much evidence in the process of doing that, even when we came on the scene and we said, “Stop, we’re going to need some evidence here in order to help you out,” we really couldn’t determine the source of the infection with great certainty. But by looking at the different systems we believe, theorizing, that it was their remote access server that was the source of the infection. And that lines up pretty well with the statistics that we’re seeing now, as far as what are the common ways that malware’s getting delivered into organizations. So sometimes it’s a click, and sometimes it’s a compromised set of credentials that leads to a remote access situation.

So anyway, so these are two very common ways that ransomware attacks begin, and in this case that’s exactly what we experienced with these two clients. Now Jake, this was your ransom note, right?

Jake Bernstein: 

It is. So with client X, usually you get a ransom note. In the past, ransom notes would actually include the ransom. One of the things that made this Evil Corp example interesting was that it didn’t. Basically, they said your systems are encrypted, contact us to get details. That was it. And you can see, I suppose one can appreciate how short and to the point this is. You’ll note that they provided three separate, and these, if you happen to know these domains, these are untraceable. These are so called anonymous email addresses. And then the cryptographic key, that’s there so that you can identify… it’s there so that, basically it’s your customer identification number with the ransomware gang. It’s how they know who you are, and what kind of information to give you. So yep, this particular type of ransomware was called WastedLocker, and as far… attribution is a very complicated thing, but as best as anyone can tell, this one was a Russian gang called Evil Corp.

Kip Boyle: 

Yep. And this is a pretty typical ransom note that you’ll encounter. Let me go ahead and show you… oh. Lovely little animations in our slide deck, Jake. Did you mention the ransom amount?

Jake Bernstein: 

So in this case it actually was 75 Bitcoin. At the time when the ransom was made, that was worth about $975,000. A couple of weeks ago, or actually I think it was two weeks ago, I used this slide and I calculated that it was more like $2.7 million in today’s dollars. Bitcoin has fallen a little since then, so maybe it’s $2.3 million. Still a lot of money.

Kip Boyle: 

Yeah, quite a bit. And why would they ask such a high ransom? And it’s typically because once they get into your network, whether it’s somebody clicks on something they shouldn’t or a remote access server gets compromised, they’re getting in silently. And I think that’s really important for people to understand is, there’s no visible indicator that you’ve been compromised. A lot of people who’ve been using computers for a lot of years are kind of used to noisy malicious code, that comes in, and you know that you’ve been infected right away.

And this stuff isn’t like that at all, this is silent. And so they’ll be in your network anywhere from days to weeks preparing your network for the actual attack. One of the things that many of these ransomware gangs will do in fact is, they’ll have a group of people go off and locate your data backups and kind of do all the technical stuff, then they’ll have another team of people go off to your finance areas, and they’ll actually study your internal accounting systems to find out how much cash you have on hand and how much cash you can get quickly, and they’ll base the ransom amount on an actual analysis of your financials, which I think says a lot about the sophistication of the attackers that we’re dealing with here.

So the ransom note for client Y, it looked a little different. And so here you can see a screenshot, where we actually held a smartphone up to the monitor and actually took a picture of the ransom note. So in this case for client Y, it was a piece of ransomware called Sodinokibi, which is rampant now. And another thing, another term, a phrase that I want you to understand is called ransomware as a service. So if you know what software as a service is, right? Office 365 is software as a service. There’s all kinds of them out there, Salesforce. So the criminal gangs have borrowed that business model. They now provide malicious code on demand to their affiliates.

So you can be somebody who wants to commit digital crimes but doesn’t have any technical skills to actually write the software to do that, but that’s okay, because if you can sign up for a Netflix account, you can actually become an affiliate. And so by becoming an affiliate, they will supply you with all the technology that you need, and then you can go off and you can infect people. And when you get paid the ransom as the affiliate, the developers of Sodinokibi will retain 20 to 30% of the ransom, and they’ll share with you 70 to 80%, the lion’s share of the ransom. So it’s very much like an app store, right? So Apple’s app store kind of does the same thing. It’s about a 70/30 split of revenue with the actual application publishers.

So in this particular ransom note, the criminals alleged that they stole 80 gigabytes of personal and company data. So not only were they saying you need to pay us to get the key to get access to your data again, but if you don’t pay us, then we’re going to auction off all of your sensitive data to the public. And yeah, and they’re not kidding. In this case, 39 Bitcoins, about $500,000. This was earlier in 2021. So big money.

And by the way, this is another screenshot that we took from The Happy Blog, an interesting and ironic name. So the cyber criminals that run the Sodinokibi ransomware as a service actually maintain on the so called dark web a website where they list the different victims of their schemes and where they will actually sell off the data for the companies that don’t pay the ransom. Here’s a screenshot. So we were checking this every day, sometimes twice a day, to find out if our client was going to actually show up on there. They never did, but while we were taking a look at it, we actually saw one of their victims was a law office who had some legal documents related to Jessica Simpson. So yes, even law firms can become the victims of a ransomware attack, and client files are at stake, and this is just awful. Just absolutely awful stuff. I hope nobody on this session today has to go through this, because it’s the worst.

Jake Bernstein: 

I would say especially law firms, but that’s not the focus of this particular CLE. We have a different one for that. So client X, this is really interesting. Their ransomware incident, you can learn a lot. This is a timeline from the forensic firm, and this required a lot of work to generate, right? This is weeks later. And it shows you what actually happens with the attack. And I think one of the really scary, but also important things to recognize is, the top… really, I guess almost 10, maybe a little bit under 10 entries, they’re all in the same day. And if you look at what happens here, the malware gets downloaded. And remember, that’s when the person clicked on the update Chrome link. At 3:38 and 31 seconds, the malware is executed within nine seconds of being downloaded. What we’d call a second-stage payload, basically another form of malware to kind of increase the sophistication of the control, was installed and going within another, call it five minutes. And then within seven minutes after that, the threat actor, the bad guys were literally inside doing network discovery.

And I think what’s almost worse is that less than half an hour later, the patient zero… the bad guys were able to escalate and get local credentials and admin credentials, which basically means that they are getting very close to control of that particular computer. And then oh look, it took them almost five hours longer to actually get domain admin accounts. This is frighteningly fast, and it shows that this victim’s server was affected within the first day. Really, within five hours of the attack. And then you can see that then they take a while, right? Then it’s all the way down to, really it’s the 25th of October when the actual ransomware attack is triggered. That would be the start of ransomware encryption, which is the last entry.

So what were they doing that whole time? Well one, let’s be honest. These are busy criminals, so they’re also dealing with other victims. Some of this now does require some human intervention, so that’s part of what they were doing is just going along. But they’re also doing a lot of internal scans, reconnaissance, and preparing. You can see that there’s a couple of different pink highlights of, kind of showing what they were, other actions they were taking in support of their attack. And that third to last one is important. Webroot is just an antivirus type of security program, and you can see that just before they started the ransomware, they instructed the whole network to uninstall Webroot, which means that everything was open to the attack.

My takeaway for the audience for this is, if you’re talking to a client and they say things like, “Well, I have an IT guy and they handle this kind of stuff. We’ve got antivirus. We’ve got our basic procedures.” They’re just not good enough. And that’s not the fault of the IT guy or the basic procedures, it’s about how sophisticated these threat actors are. So my hope is that you’ll look at this and you’ll go back to clients who ask you for basic advice on ransomware and say, push deeper than just, “Our IT guy is taking care of it.” Ultimately, it’s the business owner who suffers when this goes wrong.

Kip Boyle: 

Right. So it took four weeks roughly for the attackers to position themselves to actually launch the attack. And realize too, and this is important, they were not detected. Nobody at the victim company had any idea that this was going on until they struck. So this is absolutely insidious, and I think that it makes the point that we are outgunned. Think about the people, the IT staff that we’ve entrusted, the software that we’ve purchased and installed, and it’s impotent to deal with this.

Jake Bernstein: 

And I want to highlight Alec [Schreiders], who’s in the chat, he’s one of the attendees today. He says, “Webroot is an extremely effective piece of software.” And there’s nothing at all about Webroot that we’re disparaging. It’s a good piece of software. It doesn’t matter how good your software is, if the enemy… if the computer thinks the enemy is the administrator and listens to the command to uninstall the defenses, it doesn’t matter how good your defenses are. You’re done.

Kip Boyle: 

Yeah. I’m thinking of the old Star Trek movie Wrath of Khan, where Kirk figures out the code for Khan’s stolen star ship and he drops the shields while Khan is standing there, and suddenly becomes exposed, and then the Enterprise strikes. And I just think Hollywood isn’t very reliable for illustrating a lot of things having to do with cyber risk, but that was one of the times when I thought they did do a good job. So all right, let’s take a look at the client Y ransomware incident. You can see there’s an awful lot of redaction on here, but it’s really, follows a similar pattern okay? So we were able to, even though a lot of the evidence was destroyed, we were able to pick up the trail on December 13th. And you can see in here that the Windows server was exploited for the admin credentials. And then it wasn’t until early March, and then finally mid-March when the ransomware was activated.

And as Jake said, what’s the deal with the delay? Well it’s a combination of, they needed to prepare the victim to be fully exploited, but we also theorized that they had a lot of other victims that they had to attend to. And there’s really no rush, right? Because if they’re in and they’re silent and they’re undetected, then there’s really not a tremendous sense of urgency for them to get on with the attack. It’s very unlikely that they’re going to lose that access while they’re preparing for the attack.

Jake Bernstein: 

And just on this particular one, there were no forensic… there were very limited forensic records to review. So it’s also the case that we just don’t know what they did between mid to early December and March.

Kip Boyle: 

Right. Okay, so that’s kind of the summary of how it all started. Now at this point you might be wondering, well, who are these people that are conducting these attacks? And attribution for cyber attacks on the internet is very difficult generally speaking. Not only is it difficult to really pinpoint where attacks come from, because they can be shunted through multiple different computers before they actually arrive, and you can typically only trace them back one, to the last computer that the attack came from. But there are standard tactics, techniques, and procedures. So there are some signatures, there are some ways to figure this out with a reasonable amount of confidence. It’s difficult to get high or 100% confidence, but our belief is that Evil Corp, a Russian gang, was behind the client X attack. And how do they say that, Jake? Is it REvil?

Jake Bernstein:

REvil, it’s REvil.

Kip Boyle: 

Yeah. REvil. It’s funny, they brand all these attacks and all these gangs, but there’s no easy way to know how you’re supposed to pronounce this stuff. Anyway, REvil is a different Russian gang, so they’re both using evil. But those are monikers that we’ve given them, right? They didn’t come out and say, “This is our name.”

But what’s interesting to note is that these are individuals who are known to law enforcement in the United States, and we have sanctioned many of them, both in Russia and in China, but they’re really outside of our reach. We cannot apprehend them and bring them to any kind of trial, because we’re not… there’s no extradition treaty, there’s really no way for us to bring them to justice without the full cooperation of their governments, and their governments are really not interested in fully cooperating with us on this. In fact, their governments benefit quite a bit from this, both in terms of the economic disruption for us, but also because a lot of this data that’s being grabbed is not only used to get payments, but can also be handed over to the intelligence services in order to help them with their missions.

So this is one of the big problems with ransomware, is that the amount of arrests, I think the statistic around arrests is only three in 1,000 reported cyber crimes result in an arrest, and 1,000 cyber crimes, that’s the tip of the iceberg. Most, the vast majority of cyber crimes are actually never reported.

So okay, so there’s kind of how it happened, who was behind it. Let’s now talk about, how do you respond to this? Jake.

Jake Bernstein:

So the incident response process, there’s a number of different perspectives that you need to take with it. One is the technical perspective, and we’ll also talk about the legal perspective. With the technical perspective, you’re looking at basically four work streams that are kind of happening all at the same time, followed by, what we’ll kind of get to later, but you need to… the absolute most important thing is to start gathering information. If you don’t have the information, then you don’t know what to investigate, and you can’t eventually get to eradication. The second most important thing is to contain the response. If you haven’t contained it, then it’s going to just continue affecting you, and you don’t really know… you need to stop the bleeding, and that’s what the containment is doing. That’s putting on the bandages and getting that all kind of tied off.

And then it’s about recovery and then monitoring, which is really a part of recovery. And what you need to be doing there is possibly rebuilding your network. The monitoring is how do you make sure that you’re not getting reinfected again. I don’t know the exact statistic right this minute, I’m sure it changes, but it is not uncommon for victims to be re-victimized within days or weeks of thinking that they have solved the issue. So that’s a real, real problem.

Kip Boyle:

Ready for the next slide?

Jake Bernstein: 

Yes.

Kip Boyle: 

All right. So once you’ve contained the outbreak and you know how it started, you can now begin the recovery process. So how do you actually get back control of your systems, and how do you get back in business? Because this whole time that you’re reacting to the ransomware attack, you’re probably not serving customers. You’re probably not doing any of the things that you normally do. You could have an entire workforce that is idled, and not even doing anything. The payroll is running, but nobody’s being served.

So there’s a couple of different ways that you can get back from this. What you’re seeing here on the slide, this roadmap to production, this is showing you a situation where you’re going from the left to the right, and you’ve got this so called dirty production network, right? So these are the computers that you use to run your business. If they’re dirty, they’re infested with malicious code. So some people approach this by saying, “We’re just going to burn everything down.” In other words, just throw everything away, and we’re just going to buy new computers, and we’re going to start all over again. Because they feel like that’s the best path back to having a high integrity environment where they can do work and trust that their systems and their data are everything that they need to be.

Other people for various reasons can’t do that, or don’t feel like that’s the best way to go. You can have a situation like that where you have highly customized computers where you don’t have backups of the configurations, and so you find yourself in a situation where you’ve got to actually try to clean, somehow take compromised machines and turn them into clean machines. And there are ways to do that, and that’s what this is showing you here. So you take a compromised network, you quarantine it.

Then what you do is you pass it through what’s called a laundry network, and that’s where you are looking at the servers one by one, possibly in groups, and you are purging them of the malicious code as best you can. You’re installing updates, whether that means new operating systems or just missing patches. You might have some backup data that you can use, but you’re sort of piecing, using pieces and parts and in isolation, and then when you’re done with that you’re back into production again. You have a so called new normal, and then you can continue. So there’s a couple of different ways that you can recover from this. There may be other ways on top of that, but these are the two ways we’re seeing.

Jake Bernstein: 

You know what’s interesting Kip, as you were talking through that slide I thought to myself, gosh, that actually isn’t all that different than what the pandemic looked like in terms of a response. We had the infection and compromise, and then we went into quarantine, literally the same word, quarantine. And then the laundry was getting vaccinations and masks and all that stuff. We haven’t hit the new normal yet, but we will. So why should you-

Kip Boyle: 

Yeah. And by the way, there’s a reason why these are called viruses. They behave in strikingly similar ways to biology.

Jake Bernstein: 

Yep. That’s very true. That’s also where we get one of our favorite little terms cyber hygiene from. And I see the question in the chat, how would you defend yourself from an attack, that’s really a very different kind of presentation. We’re not going to cover that today. [crosstalk].

Kip Boyle: 

Well, we’re going to dive into it just a little bit towards the end.

Jake Bernstein: 

A little bit. Cyber hygiene, yes, to some degree cyber hygiene is part of that and we’ll get there. So why would you ever pay? Well the first reason is that if the bad guys did their job well, in other words if the encryption was effective, then with modern technology you can’t break it right? It’s going to take millions of years to get through any kind of legitimate modern encryption.

Another reason you might not pay is if you don’t have recent enough data to restore. Maybe you do have a backup, but it was three weeks old and you just closed a major deal a week ago, and you just cannot live without that information. Perhaps you think it’s going to be faster or cheaper or easier. The second to last one here is, maybe the cyber criminals won’t release my data. That’s a tough one. That’s actually a different set of considerations than the technical kind of recovery piece. And the last one is really interesting. Insurance companies possibly could insist that you pay, although I think that would be potentially less common. So there are, I think sometimes the incident responders and the cybersecurity industry can look at people who pay and say, “Oh, how could you ever pay? Don’t you know that paying just is a vote for more ransomware?” I know that’s what we often say.

Kip Boyle: 

That’s what I say.

Jake Bernstein: 

That’s what Kip says. But there are reasons why you might need to pay. I mean, all of this is assuming that it’s pay or your business goes away. That’s why you might pay.

Kip Boyle: 

Yeah. So why might you not pay? Well a free decryption key might be available. So it turns out that a lot of this malware is actually written in a very shoddy way. They actually didn’t do a very good job of implementing the encryption, and we can actually get samples of this malicious code, and we can actually reverse engineer it and figure out how to get around the lack of a key. So always be sure to look for the availability of a key, and we’ve got a URL down at the bottom of the slide there, nomoreransom.org, so go look for a key that would possibly allow you to not pay.

If you have enough recent data to return to business, so a lot of people do that. They just restore from backups, because they’ve done a good job either deliberately or accidentally. They’ve been able to keep the ransomware from encrypting their backups, which by the way, ransomware increasingly is getting more and more sophisticated at locating your online backups and encrypting them before they actually strike, or disabling them, the backups, and deleting so that when you go to get to them they’re not available.

You might not pay because you don’t trust the criminals to keep their promises. “If you pay us this much Bitcoin, we’ll give you a key.” It sounds like smacking the easy button, right? Just throw money at the problem and I get out of, and I escape from this awful situation. But what we’re finding is, roughly half the time, the criminals don’t keep their word. They either take the money and run, or they figure, “Well, you paid this much. You’ll pay again,” and they’ll try to extort you a second time.

Jake Bernstein: 

Or just to add something to that, sometimes the criminals do keep their word, but the fact is that the encryption wasn’t perfect, and so their key just doesn’t work all the way. That’s another reason why you might not bother paying, is that even if everyone does what they say they’re going to do and there’s some honor among thieves, it still may not work. No guarantees.

Kip Boyle:

I mean, they’re criminals, not technologists, although they obviously have a lot of good tech people in their employ. But I understand, and only from reading what’s generally available in the press, that Colonial Pipeline paid, got the key, but the decryption rate was so slow, so obscenely slow that even though they thought restoring from their own backups was going to be time consuming, that’s what they ended up doing anyway. So that’s a terrible situation to get yourself into. I’m a bit of a Boy Scout, and my perspective is, I don’t want to be paying ransoms, because it’s going to just reward cyber criminals. It’s going to give them more money to conduct new attacks, and I don’t want my business attacked with the money that somebody in another state paid to a criminal, who then turned it around and used it to attack me. It’s the tragedy of the commons. So if you’re familiar with that little turn of phrase, I think that’s what’s going on here.

And then another issue is that the cyber criminal could be on a sanctions list maintained by the US government through the Office of Foreign Asset Control, and if they are and you pay them, then you could actually find yourself in a world of hurt for violating US sanctions against either individuals by name or by nation states, and because that’s where a lot of this ransomware is actually coming from. This is a big source of hard currency for the North Koreans so that they can continue to pursue their nuclear ambitions, and so on and so forth. So those are some of the reasons that we may not want to pay. Okay, so what are the consequences of this? [crosstalk] Jake.

Jake Bernstein: 

They’re bad. The consequences are bad, and they come in several flavors. You’ve got the direct kind of basic consequences. For this particular client, it was a total business shutdown for almost a month, right? So you just take into consideration what that would mean, right? No other… even if you take out all the other consequences, you’re taking a three or four week unplanned vacation. That’s not good. Then there are the incident response costs. This is mid to high six figures, really depending upon how deep you go. You’re paying for not only the investigation and the analysis, but also you might need to rebuild your entire network. You probably do need to. Some clients will literally go new out of box machines. If you have a virtual kind of infrastructure in place then it’s not quite as expensive, because you’re wiping the machines that run the machines.

Legal costs can add up pretty quickly. There’s a lot of notification obligations under various state law. You may need to pay for credit monitoring services. And think about this. Even just postage, if you have to mail a few hundred thousand letters, even postage begins to add up fairly quickly. And the printing costs. So all of that is a direct consequence, then obviously if you pay the ransom, that’s also a direct one.

Indirect consequences though are also quite scary and harder to measure. Staff can become exhausted. They may quit. They may miss something because they’re exhausted, which can cause more problems. You may have customer churn because you’re not able to deliver services, for example because you’re shut down for four and a half or three and a half weeks. And then there’s the unknown future liability once this happens. I mean, I think this is a traumatic event for the business and for all the people involved, and it takes a while to come out of it even if everything goes well for you.

Kip Boyle:

Yup. So guess what? Client X, this is kind of what happened to them. Client Y, pretty similar, right? Total business shutdown. Different time period, but about a month, about four weeks of complete inability to serve customers. Now they did not pay the ransom, so they restored from backups. So while they’re avoiding the ransom costs, they still have to pay their teams to do the backups, and those poor folks were practically working 24 hours a day, day after day after day after day. I mean, it was a mountain of heroics in order to get them back up and running again. So Jake, why don’t you talk about the specific legal perspective?

Jake Bernstein: 

Right. So if a client calls you and you’re being asked to provide some kind of incident response process, this is what you need to think about. And yes, on one hand this is a very specialized practice area. I don’t think everyone needs to be able to do it. However, it’s also becoming so common that the odds of being a typical business lawyer and getting this type of request or this type of cry for help are really going up pretty high. And these are the things that you want to think about.

First and foremost, you want to maintain attorney client privilege with the incident response firm. There’s some case law on this. It’s an area of, let’s just say legal development. A little bit unclear. I would say if it happens, that is the time to do the research on that. You’ll want to find some kind of… find your Kip to lead recovery. You need someone to lead recovery, right? If you have someone in house great, if not, you really need an expert in the field to do it. And that can often be on the kind of lawyer/quarterback role.

You do oftentimes want to talk with law enforcement. There’s a couple of reasons for this. One is, and this is specific to ransomware, but if it’s a wire fraud issue you want to talk to law enforcement as soon as possible because if you do it quick enough, there’s a chance that funds can be recovered. And then otherwise, part of it is doing the right thing and getting the information out there to the right people so that they can work to try to increase that arrest percentage.

One of the largest components, and this does get to be more specialized, is what are the reporting obligations? You’ve got local, state, federal, you’ve got international law. How are you going to deal with it? Whether or not something is a breach is oftentimes a combination of both technical and legal analysis. You have to somehow obtain the facts. That obviously involves talking with the incident response firm, but also the client. What did you have? What could have been stolen, right? If all you have is a list of email addresses, that’s not that big of a deal, right? But if you happen to have the person’s email address, and their whole name, and their address, and their mother’s maiden name, and their social security number, and the name of their dog when they were a kid, this starts to get very bad. Because now there’s a ton of information. The more information the bad guys get, the more harm they can cause.

As we kind of mentioned about the risk of sanctions, that’s a legal issue. Certainly insurance coverage issues are a big problem, and then third party liability, and just generally kind of spotting the issues and looking around the doors and corners so to speak, of what’s coming next. So that’s all what the lawyer can do during the incident response process.

Kip Boyle: 

And that’s really important, because my job when I’m playing the role of recovery coordinator or an incident commander, I don’t have time to do any of that stuff. It’s not possible. Even if I was qualified to do those things, I would not be doing those things. I’m trying to get the business back into operation.

Okay, so there was a couple of key questions that you might get from a client. So what if they’re in the middle of a ransomware attack and they call you, probably on a Saturday or late at night or something like that? So how do you respond to that? And we’ve got some suggestions here. So Jake, you want to cover that?

Jake Bernstein:

Yeah. So the first thing, the first question you always ask is, do you have cyber liability insurance? If so call the insurance company, call your broker. The beauty of cyber insurance is that it has, it’s kind of a built in containment and recovery team. They will have people that you can call who will immediately be able to start this containment and recovery process. And good news, it may even be fully covered. You’re probably going to have the equivalent of the deductible, but you will have some support there. If you don’t have cyber liability insurance, tongue in cheek, call me then I’ll call Kip. But really, you do need to, you need to get in touch with someone who can help you through it as soon as possible.

Either way, please don’t destroy evidence. It makes it very, very hard to, one, contain and ultimately monitor for future attacks. Also, you need to know what your obligations look like. For example, if it turns out that the only thing that happened is they encrypted your information and left it locally, in other words there was no data exfiltration, then depending on the state, you may not have reporting obligations. On the other hand, if you know that data was stolen and taken from your systems, that changes your reporting obligations. So it gets complicated very quickly. It would be ideal if there was one clear federal standard, but there’s not. For now, we have the patchwork to deal with.

Kip Boyle:

Yeah, and that’s something that the cyber liability insurance teams are actually very good at. They actually have teams of people that know what the requirements are in all 50 states, and they can quickly get you those answers much faster than you can probably get on your own. So there’s a second question that you might get asked which is, a client may come to you and say, “Look, I’m not having a ransomware attack, but my friend who’s the chief operating officer over at this other company that’s very similar to ours, they did just go through one, or they’re going through one right now. What do we do?”

So in that case, what you’ve found yourself in is a prevention situation, right? So you’ve got a client saying, “I don’t want to go through that pain. Please help me avoid that.” So what you’re going to do is you’re going to need to offer them some kind of a prioritized mitigation roadmap, right? And that’s what Cyber Risk Opportunities, that’s what I specialize in doing. So if it was my customer, if it was my client, then I would build them a cyber risk action plan, which would cover ransomware prevention, plus other things too like business email compromise, different financial frauds. I mean, there’s all kinds of things that are going on right now, not just ransomware.

And you can actually protect against a wide gamut of cyber attacks if you do it in a very smart way, and when we do it, we’re giving them a prioritized list of mitigations, a deployment plan, templates to let them do the mitigations as fast as possible. And the way we price it is based on the size and the sophistication of the company that we’re working with. So one of the things that I’ve been trying very, very, very hard to do is to figure out a way to help smaller companies. I mean, we work with companies on a regular basis upwards to about a billion dollars of annual revenue, but companies that are very small, under 100 employees, under 25 employees, it’s very difficult for them to know what to do. But we actually work with companies at that scale, and we’re working with them at price points that actually make sense for them. A lot of smaller companies are absolutely priced out of getting professional help on this, because they just simply cannot afford the fees.

So as we come to the end here, we had somebody ask about cyber hygiene. So this is the kinds of things that constitutes good cyber hygiene in this situation. So first is you’re going to want ransomware-proof data backups. And we have what we call the 3-2-1 rule to kind of guide you in creating backups that are ransomware proof, but you can do data backups with all kinds of different products. And really, what we tell people to do is, okay, we’re going to tell you the 3-2-1 rule, but you really need to call your vendor and you need to ask them, “How do I configure these systems so that I’m providing a ransomware-proof backup?”

So the 3-2-1 rule real quick, you want three copies of all your data. So you want one copy that you’re working with in your so called production environment, and then you want two backup copies on different media. By that I mean you might have one set of backups on hard drives, you might have another set of backups on tape drives, you might have another set of backups in some kind of a cloud system that’s offline. And one of those backups does need to be offline. In other words, something that the ransomware cannot find or that the criminals cannot find when they’re scouring your network and trying to prepare for the attack.

Two factor authentication on all your admin accounts, and really on every account if you can figure out how to do it. Two factor authentication is amazingly effective at preventing account takeover. You’re going to want a ransomware incident response playbook, because you do not want to make this up. At the time that you become infected is not the time to figure out how to respond to this. You’re going to want some kind of a crisis response plan, a business continuity plan, because if you think back to these two cases that we worked on, these are businesses that were shut down for four weeks give or take, more or less. And how do you maintain the trust and the confidence of your customers when you can’t serve them? You need a plan, and you need people who can do that. And then finally, a robust cyber liability insurance policy, which I think we’ve talked enough about that hopefully so that you understand there’s a lot of real value there even though it can be a difficult thing to purchase.

All right, so thank you very much. We’ve made it to the end. We’ve got some time. I’m happy to stick around past the top of the hour if you have questions, so if anybody does have questions, let’s go ahead and take them now. And Melinda, you are the facilitator, so would you remind people how you’d like them to ask questions?

Melinda Miller: 

Yeah, absolutely. So I have the chatroom open if you want to put your questions in there, and raise your hand afterwards and we’ll make sure we start going through all of your questions.

Jake Bernstein: 

We also take comments as long as they’re complimentary.

Kip Boyle:

You mean at no charge?

Jake Bernstein: 

Yeah. Good point, yeah. The questions are… puns, what are you going to do?

Kip Boyle: 

Yeah, I know. I gotcha. I gotcha again. That’s all right, you’ll get me again someday. So yeah, come on folks. Does anybody here today-

Jake Bernstein: 

And of course, you can email us at our email addresses as well.

Kip Boyle:

Of course, yeah. If there’s something you want to talk about but it’s not appropriate to be talked about in a group, you can reach out to us. Is there anybody who has actually gone through this already, has actually had a client call you with a ransomware attack in progress, or just with concerns about it and wanting to protect themselves?

Jake Bernstein: 

Okay, well seeing silence. Oh wait.

Kip Boyle: 

Here’s one.

Melinda Miller: 

We got one in from Jeffrey.

Jake Bernstein:

Go ahead.

Melinda Miller: 

Okay, I’m just going to ask it. Have you ever seen a global conglomerate incident response plan for each region, or are they separated by business units?

Kip Boyle: 

So I’ve seen it both ways. What it often turns out… yeah, the decision to do it one way versus the other often turns on how the conglomerate is currently structured. So if there’s a lot of centralized services, for example if the IT department is highly centralized and you’ve got other centralized headquarters services, then you’ll often see a monolithic response plan, maybe with some customizations for different business units. But if the IT is highly distributed along with legal and contracting and other services, then you’ll typically see business units will be responsible for having their own response plans. That’s what I’ve seen. Jake, any comment?

Jake Bernstein: 

I’ve seen something similar. Really it’s the business unit by business unit, depending upon how their operations differ or are the same. You can see both. What percentage of the network becomes infected before quarantine in company… okay, well I can, so 100% in both. Yeah. I mean, there was no detection. So I mean, the quarantine hypothetically could’ve become effective if someone was able to spot it as it was going and then cut it off, and that does happen. That does happen from time to time, but in both these incidents it was not seen. All files, all laptops, all desktops. So a lot of these, yes-

Kip Boyle: 

And all servers.

Jake Bernstein: 

For some. But I think the primary target for most of these was the servers, and then for the simple reason that these companies were all, they were… nobody was supposed to have local storage. So same effect, but yes.

Kip Boyle: 

Yeah, the thing is they’re going to go to where the data is, right? These are not low-sophistication brute force methods, right? These are highly sophisticated, highly targeted attacks, so they’re going to find where your data is and then they’re going to make sure that they’ll get it, and they’ll take time to do it. Other questions?

Jake Bernstein: 

I do actually have to run unfortunately, so if you have questions you can contact me, and I’ll be happy to take them offline. Or online, just via a different media.

Kip Boyle: 

And it is top of the hour, so we thank you for being here, and I would encourage everybody to let us know how we can support you. If you would like a consultation with Jake or myself, we’d be happy to do that, and we really appreciate you being here, and let us know if there’s anything else that we can do to support you. All right.

Jake Bernstein:

Looks like, Melinda if you could stay on briefly, there’s some people who are looking for your attention. But I’ve got to run, thanks everybody.

Melinda Miller:

No problem. Thank you everybody for coming, and I will reach out to you, Harold.

Kip Boyle:

All right everybody, bye.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

Jason Dion
Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
