Webinar Recording

Lessons From a Journey Into a Real-World Ransomware Attack


Ransomware attacks have become the biggest single cyber risk for enterprises of any size and industry. Research indicates a steep rise not only in the number of attacks, but also in the average damage per incident. It is therefore essential that organizations are prepared for these attacks.

Hello, welcome, and welcome to this latest webinar today, supported by ThycoticCentrify. My name is Paul Fisher. I'm a Senior Analyst with KuppingerCole and I'm delighted to be joined by Joseph Carson, who you can see there as well, who is Advisory CISO with ThycoticCentrify. And we'll be talking a lot about ransomware today and also looking at lessons from a journey into a real-world ransomware attack. Before we get going, just a quick reminder of some other events that will be coming up in 2022. Can't believe it's already 2022, but it is. We have a virtual event on February the 16th, Becoming a Better Privileged Access Manager, sounds good. Then a virtual event on March 23rd, Zeroing in on Zero Trust. And then also, hopefully, the hybrid event, the biggest event of the year for us, will be taking place on May 10th to 13th, this time for the first time in Berlin.
So looking forward to seeing many of you at that. Just some house notes: we mute all of you centrally, so you don't need to worry about muting or unmuting yourself. We'll be doing a couple of polls during the webinar, and then we'll discuss the results during the Q&A, and that's also an opportunity for you to pose some questions. You can pose questions any time during the webinar by using the control panel that you'll see on your screen. And finally, we will obviously record the webinar, so for any of your colleagues or anyone else that may wish to view it, it'll be available on our website. So what are we talking about? Ransomware unlimited. That's what I'll be talking about in a minute, and then, quite quickly, how some tools can help you fight against ransomware. Then Joseph takes over with the meat of today's webinar, when he'll be looking at a real-world ransomware attack. And as I said, questions and answers after all of that.
First of all, poll number one: what are your three biggest challenges when you consider implementing cybersecurity? So is it, number one, the budget or lack of it; number two, a siloed organization; number three, the skills shortage; four, too many tools or too many applications, vendor tools, et cetera; and finally, stakeholder management. So we'll just give you about 30 seconds to vote on that before we get going with the main webcast. As I said, we'll look at the results and discuss the responses in the Q&A section at the end. So the options are budget, siloed organization, skills shortage, too many tools and stakeholder management.
So let's crack on. So, ransomware unlimited. It is everywhere. And indeed it is: if you've been looking at the headlines over the last year or so, you'll know that ransomware has really exploded, unfortunately, and the pandemic also gave a boost to the criminal gangs that are using ransomware. While the rest of the world was doing its bit to try and beat the pandemic and get the world back on its feet, the criminal gangs were enjoying bumper harvests, and you can see some of the stats there. Between January and June this year there were nearly 1500 ransomware attacks, and even that was an increase on July to December 2020. The targets have been mainly North America, Europe as well, and other regions. So it's not specific to any region. Obviously North America is always the most attractive to cyber criminals, simply because it's the world's biggest economy and there are more rich pickings out there. Ransoms paid, which we'll talk about a little bit more in the webcast, increased 33% from 2018 to 2019, and it's quite a staggering amount of money.
10.1 billion euros was paid out in ransoms. And of course, these being criminal gangs with no morals or compunction, they also decided to twist the knife by increasing the amount of ransom that they ask three times, from a $115,000 average in 2019 to over $312,000 in 2020. And I'm sure that is a trend which is unfortunately going to continue. So let's just see, in a fairly simple schematic here, how attackers can get access to your systems. You may know some of this, but they generally do their homework by identifying a target individual or coworkers. And one of the ways they do this is obviously to look at professional networking sites such as LinkedIn. And they will usually start the attack with some kind of email. It may be a phishing attack where the recipient gets an email which says something like "missing invoice" or "invoice outstanding", something that, when the end user is in the middle of a busy day, they don't think too much about. They think, oh yes, and open the attachment. There's also quite often the use of zero-day exploits or known vulnerabilities in an operating system, and these can be used in conjunction with the phishing attack.
Once the unsuspecting user has downloaded the payload, then it goes into action: the installation of a remote control device, possibly, which the attackers can then command and control from their own systems. Don't forget, of course, that these guys are very sophisticated themselves. We're not talking about amateur organizations here. We're talking about highly organized gangs. Some of them are state sponsored and have access to the kind of resources that actually most legitimate organizations would have. So we're not talking about the kids in the basement anymore. We're talking about serious organized crime. And then they will start looking around your infrastructure, moving laterally, as it's called, and they will try and get access to privileged accounts or to higher-value accounts. Privileged accounts are another target area for these guys, and they will use privileged accounts that have been forgotten or are not properly protected by privileged access management systems. And then begins the process. In the old days, before ransomware, these guys would probably steal data, or they would harvest passwords and email addresses and then use those for future attacks. But they realized that by encrypting your data and your machines, it's a much more lucrative financial model for them. So they will encrypt your data, encrypt your machines, and you then get the dreaded message saying that your organization is now locked up, and you'll be threatened: pay the ransom, or you don't get your data back. They will also go for the backup data as well.
So what are the implications, straight away, of an attack on business continuity, and indeed on the business community as well? The immediate implication, of course, is that your data is now no longer available to you. It doesn't necessarily mean a total halt of operations, but if we look at some of the biggest ransomware cases in history, the shipping line Maersk, it did indeed severely affect that company, and it was almost a total shutdown of its operations. And that has happened to other businesses as well. Some businesses have managed to carry on with other parts, but if a giant organization like that can be brought to its knees, then it's not unlikely that it can do the same to a smaller organization.
Computer Weekly has reported that something like 66% of organizations attacked report a significant revenue loss. And then there is all this boring stuff that happens, which means that you have probably now breached some kind of compliance ruling. Your supply chain is disrupted, and you don't know how long the critical operations are going to be disrupted. And then there's reputational damage. Although I would say consumers and customers will probably be more sympathetic to a ransomware attack than to an organization that, say, has just been negligent in the way that it stores data and has suffered from attacks like that. But it's still gonna hit you. It's still gonna be in the headlines if you are a well-known business. And even if you're not, you will probably be subject to some kind of negative publicity, you know, through social media, et cetera.
So what if you paid the ransom? According to Aisa, 45% of attacked organizations who paid the ransom didn't even get their data back. There is still the lengthy decryption and restoration. You have no idea what these people have done to the data while they've been messing around with it. And then, according to Cybereason, 80% of those who pay ransom get attacked again, probably because they know that you are an easy target. So Joseph will probably say a bit more about this, but the industry view is you do not pay a ransom.
You operate a crisis organization, you check and implement backups, backups, backups, respond and recover. But as many people who have been hit by such attacks would tell you, that's easier said than done. So what can you do to minimize the attack surface? Well, like everything in cybersecurity and identity and access management, you need to know your critical data and your critical processes. You need to know your risk position and the threats and vulnerabilities against you. And you need to know what the attack surface is like. And you need to understand that the more complex your environment is, if you have a hybrid architecture, multi-cloud, et cetera, then your attack surface is wider. It's also more vulnerable. So be prepared as much as you can, increase your organization's ability to detect and respond in a timely manner, and based on metrics and playbooks, you need to manage this. The budget is not unlimited, as most people will know, but you need to identify the risk appetite and create security strategies that you can do within the budget to ensure sufficient levels of confidentiality and availability. But ultimately prevention is better than cure, like in most things in life.
And you need to, oh, I'm sorry, I've actually got a slight problem with my slides there. But anyway, so prevention is definitely one thing; you need to be prepared, and that goes right back to understanding your organization. So just quickly, a few words about how identity and access management, privileged access management and multifactor access can help with preventing ransomware attacks from being successful. If you are relying on sort of traditional defenses only, that can do only so much, particularly when the attackers are developing more and more types of attack. They're using better and better phishing attacks and better payload techniques, even with hidden payloads, so you don't even know what's happening. And if you don't think that the attacks are getting better, then witness the millions of people around the world that have fallen victim to, and these are not actually ransomware attacks, but they are sort of domestic phishing attacks, where ordinary consumers are getting very convincing-looking texts and emails from what looks like FedEx or UPS, for example, which says you have missed a parcel, you need to rearrange delivery. And then within that very convincing email or text message is a link. And when you go to that link, it then asks you just to add in your name and address. And before you know it, you've also added in some payment details and your email, your date of birth, et cetera. And I'm saying that because I fell for one of those attacks myself. So I'm not saying that I'm the smartest guy around, but I didn't realize until I was halfway through it that I was actually a victim. So also, security awareness training can only do so much. It's either ignored or forgotten or not attended to; people don't really pay attention. And you have to do it on a regular basis to keep reiterating the message. The cybersecurity that you have may indeed have flaws in it. The patching is not kept up to date.
And the vulnerability management is not automated or is not managed by best-in-class vulnerability management software. As I mentioned earlier, the guys increasingly use social media to find key targets, and people continue to be very casual about the information that they put out on, for example, LinkedIn, because on LinkedIn people love to boast. They love to say what they do, and they tend to give out quite a lot of information. Your firewall, your endpoint detection and intrusion protection may not work. And of course, as we said earlier, the attackers will also find your backup and they will go for that as well. And in the end, people do pay the ransom because they hope, even though some don't even get their data back, that they will get it back. And they'd rather pay the ransom and try and recover and get back to business than anything else.
So traditional defenses are not good enough on their own. So we need something to manage digital identities and digital resources, and access management to all of those. And increasingly, what we talk about now is seeing infrastructures as a dynamic environment, where we are matching identities with resources. And those identities, of course, are no longer just human identities. They are machine identities. There can be OT, there can be applications. And then within that, what we call the identity fabric, we have a mixture of keys, we have biometrics, multifactor access, identity governance, so you have a record of how and why identity is being distributed or being managed throughout your organization. And then within that, we need identity and access management, privileged access management. And increasingly we're now looking at just-in-time or ephemeral access to systems, so that we don't have what is called standing privileges, which again is a vulnerability that ransomware attackers will look for.
Well, they'll look for accounts with standing privileges. If standing privileges no longer exist, if everybody or everything only has access to what they need on a just-in-time basis, it does actually remove one layer from the risk attack surface, not all of it, but it does actually improve things. But of course, making everything just-in-time relies on speed. It relies on automation, and it relies on management that in many systems isn't quite there yet, which is why some organizations will not move to just-in-time. They still like to have a password management system or a vault for the systems, because they at least know that processes will get done. And then we have our identity providers, who are all working to improve the way that we manage identity. And those identity providers are increasingly being integrated with identity and access management systems and privileged access management systems. And around that, you can't just sit there and think, well, I've got my identity fabric, it's all working tickety-boo, because nothing is as good today as it was yesterday. So you need to do continuous audit and discovery of what's happening, continuous audit of privileged accounts, of identities, and of course data, so that you know who is accessing what. And that's where IGA is hugely valuable.
And with that, I'll come to the second poll, which is: which three cybersecurity topics are gonna be most important to you in 2022? So number one, zero trust; number two, SASE; passwordless authentication, which is another form of just-in-time; identity and access management platforms; or privileged access management platforms. So again, we'll give you about 30 seconds to vote. And once we have done that, I'll hand over to Joseph. So that's which three topics are most important to you: zero trust, SASE, passwordless authentication, identity and access management, or privileged access management. So great. So now I'll hand over to Joseph, who, as I said, is the Advisory CISO at ThycoticCentrify. So welcome, Joe.
So Paul, many thanks for the introduction and also the great insights into ransomware and some of the security trends and focuses that many organizations can really get on track with to become more resilient. And, you know, this part of the session itself, I'm really gonna take you through a lot of my real-world and real-life experiences. Now, again, I get called for help by many organizations who have had a security incident, and many of those cases have been ransomware victims. And sometimes many organizations don't like to share the insights; they try to make sure they stay as quiet as possible and don't want to reveal too much, but sometimes organizations will allow me to share the details without naming the company. So I'm unfortunately not able to name the company or the location or when it occurred.
But one of the things they allowed me to do is take you through the journey about what happened to their organization, which basically, you know, came to a complete stop in the case of a ransomware attack. And they want to kinda show those lessons so that you can really, you know, get to the point where you can learn from this, in order to help other organizations become resilient and reduce the likelihood of them becoming victims of ransomware. And also, if you do become a victim, giving you the right knowledge and experience so you can actually recover quickly and efficiently, and also make sure that you actually make the impact of a ransomware attack as minimal as possible. So I'm gonna take you through their journey and share some of the insights and experiences that they had from becoming a victim of ransomware. So this particular incident basically was a variant known as CryLock, and it was CryLock 2.0.
Previous versions of this were known as Cryakl. Cryakl was up to about version 1.6 and kind of disappeared around 2019, because first it came out with some research and also they were able to find a decryption key for that variant. And that version kind of disappeared for some time. Of course, early in 2020 it resurfaced, known as CryLock 2.0, and had much improved encryption capability. So the variant here that I was dealing with in this particular incident was the CryLock version. And it was a very nasty piece of ransomware, and also one of those ransomwares that actually was more known as an affiliate or ransomware-as-a-service. You end up today, one of the things we have to deal with in many incidents here, is that the criminals are becoming experts in certain areas. You either have experts, basically, who just specialize in gaining access.
You have the experts who specialize in creating the crypto, experts who specialize in actually the hands-on-keyboard, gaining access to organizations, deploying the ransomware. And then you've also got experts who actually are part of the negotiation or help desk team, to make sure that they're able to communicate effectively. And in a lot of cases, sometimes those ransomware attackers do not communicate or speak English, so they sometimes have intermediaries who will help do that. So this is something that we see basically from an organized cyber crime perspective, and something that we have to be aware of, that we're now dealing with specialists in many different areas. And this is something that organizations really will struggle to defend against, and something where we have to become more resilient and better at responding. So in this particular incident, of course, this was one of the things that many of the employees saw on their desktop once they switched them on, including the servers, and it meant that it triggered, of course, the incident response. Now, incident response, you have to respond quickly.
And this is something, you know, where time is critical in responding to a ransomware security incident. And it's something you have to do within, you know, minutes. You already have to activate your incident response plan. So this is something you wanna make sure you've already got: an incident response plan in place. And this is one of the templates that I use, my own incident response checklist. And, you know, really make sure that you wanna have this prepared. You don't wanna be creating this in the middle of an incident. The last thing you wanna be doing is trying to understand how you deal with the ransomware case. You wanna make sure that you're prepared, you're knowledgeable about what things you need to be thinking about. And this means that you have to think about who's gonna have, you know, the ownership of different areas.
Who's got the ownership of actually doing the digital forensics and evidence gathering? Who's gonna have the ownership of actually dealing with press? Who's gonna have the ownership of actually having to communicate with, basically, customers, employees? So you wanna make sure you've got really defined ownership at the beginning, and basically have those roles and responsibilities already defined. You wanna make sure who's gonna be dealing with communications, which is also critical: communications internally and also communications externally. You wanna make sure you have an up-to-date, maintained contact list that's offline. In a lot of cases, what's really interesting with victims is, when they go to the incident response plan, where is it kept? In SharePoint. What's been encrypted? Their SharePoint. So the last thing you wanna be doing is actually trying to find your incident response plan, especially if it's actually also been encrypted as well. So make sure you also have up-to-date offline copies or printed copies, just in case you need to go to them, to make sure you have those capabilities.
So making sure that valid contact list is also, you know, kept up to date. Employees change roles, so you wanna make sure you've got an up-to-date contact list of your third parties or your suppliers who will help you deal with incident response. So you make sure that that's always maintained and kept up to date. And also, when you're responding to ransomware, you wanna make sure you're also responding to it accordingly. I've seen a lot of cases where, responding to a ransomware case, they're basically, you know, not actually doing it in a correct way. They look at it from basically that integrity perspective, but actually don't really consider sometimes the confidentiality, which is the data loss. A lot of ransomware has evolved into actually data exfiltration, which means that you're not only dealing with, basically, systems which have been encrypted, but you're also dealing with the potential that your data is now out in the public domain.
So also, you wanna make sure you actually have a clear definition of the threat you're dealing with and respond to it accordingly. You wanna make sure that your press statements have already been prepared for those different types of attacks, and also for the different types of ways you actually discover you've been a victim. In a lot of cases it's either third parties, customers or employees notify you, or the attackers actually reach out and communicate directly to the IT team. So depending on those different types of notifications of the breach, you know, when you finally find out, you wanna also make sure your press statements are customized for those different types of notifications. You also wanna make sure you understand your in-house capabilities, and also make sure you've got, you know, definite expertise, third-party capabilities to help you respond accordingly, who actually make sure that they're up to date on the different techniques.
For example, for evidence gathering, for actually following the attack path, documentation, communicating with law enforcement. So you wanna make sure you understand what your capabilities are internally and also externally, and I actually highly recommend having a retainership with a company who has expertise in this area. You also wanna go through your evidence gathering and containment process. Also, you wanna understand your legal assessment, making sure whether you actually have to deal with things like GDPR or Cyber Essentials or NS or different types of compliance, whether it be PCI or ISO. You wanna understand what your legal situation is, specifically to the actual definition of that threat, and whether you actually have due diligence to report it to your data protection authorities as well. You wanna focus around how you actually recover, the eradication. How do you determine, basically, where's that baseline you wanna start from and actually build the new environment from? You wanna understand those recovery steps and process, and also how long it potentially will take.
And you'll always want to make sure you learn the lessons from this experience and put them into practice, to make sure you update and prevent it in the future. As Paul mentioned, a lot of victims who pay ransomware basically ultimately become victims again. You wanna make sure you actually close the door permanently, or actually as best as you can, to prevent you from becoming a victim again, which more often is the case. One thing I highly recommend is not only having an incident response plan. One thing that was very clear, when we were responding to this particular variant of CryLock, was that the team was not incident response ready. They did have a plan. They did have a checklist, but they were not ready. They were not trained. They were not actually kept up to date. They were not basically prepared. So it's really important to understand that the difference between having a plan and being incident response ready is very different.
This means that when you're actually going through and practice drills, practice the plan, do different scenarios. Do simulations do role playing because it's really important to understand that if you're an organization across multiple time zones, what time format, what naming convention are gonna be using as your base. And this means that organizations who have multiple time zones when you're actually doing basically imaging and doing forensics evidence gathering is what's that base timezone you're gonna be actually working off what's the naming convention to make sure you understand about what images of the machines you're taking. So it's really important to make sure that all of this has been prepared, understanding about policies from different departments, the HR team, legal team, law enforcement, sales teams, marketing teams, what policies do they have, and also have, they also went through the preparations to be able to go back to manual, back to paper, if they really need to and understand those critical systems in the case of actually becoming a victim, understanding the evidence gathering process, where you gonna store logs, what logs do you have?
Do you actually have centralization of logs, correlation of logs, where you're gonna be storing the images in the case of basically, you know, the future that you might get the description key or for evidence gathering of processes, to be able to scrape those for data in the future or for legal situations as well, understanding about how the actually digital forensics team in its response team will access systems will have entities provisioned, will they have access specific user accounts that are there for its response? What about service accounts infused have the ability to actually rotate those or actually reset them back to a previous state? And one thing that's always critical, always do have a go bug. That's ready. I can tell you how many times going into a data center that you need to have something warm to wear. You need earmuffs, you need ear earplugs.
You wanna have the chocolate bar in your bag because it's very long days and nights you will be there for a long time. So making sure you've got something to stay, keep your energy going. You might also want to make sure that, you know, the answer response team have food, you know, ordering pizzas and having basically the prepared for that understand about how you're gonna make sure that the team are able to stay focused and be able to get the things they need to respond. Alternative means of communication. A lot of times the victims, their email way may be offline. They might have voice phone systems. So voice systems might also be offline. Their messaging systems might be offline. So make sure you got alternative means of communicating at a band to make sure your team can be stay communicated, stay basically on the plan and going through and respond, having your help desk team ready as well.
One thing that was very clear on this particular instant was that the help desk team were not ready. They were not ready to receive calls, especially when it went public into Twitter, feeds into the public domain. That they'd become a victim that they had up having to go and actually do a public announcement to the press as well. So make sure help desk team were able to respond and be effective when those calls do come in and they will come in. A lot of them, very, very fast of worried employees, worried customers, worried partners and even shareholders. So make sure you have that instant response plan, keep it updated, but do practice. The drills do go through these scenarios and be prepared, not just have a plan, but be ready. And that action plan also means that when you put it into action, it's so critical to make sure you have defined roles.
Who's gonna do the documentation. Who's gonna go through and make sure that everything's coordinated. So have somebody who's gonna project manage this. You wanna make sure that somebody understands about what actions are happening. Who's doing what task what's internally happening, what's externally happening. And these are some of the good definitions that I go through in the answer responses. What's the mandatory requirements. What's the things that you must have in place. Who's gonna be responsible for managing that. Having executive summary all the time, having that updated. So at least the executive team are the board when they're going to do their next updates to the public or to the employees or partners and so forth that they actually have the latest information that they know what to say. They know what stage of the process is in. So having that clear executive summary available to them, keeping instant response timeline from the first notification, the first being time you actually, you know, were informed and alerted on the incident to what's happening at that time, keep documentation of the attack path.
And I use heavily the MIT framework, which really helps you understand about what techniques and tools and processes and what things the attackers used to do. Those lateral moves going through malware analysis, using tools likes in response framework, using tools like fire eyes flare, or even basically your own static or dynamic malware analysis. You really under wanna understand what it is you're dealing with. Does it have a command and control? Does it ladder remove? Does it steal credentials? So making sure you understand about what the threat is, you're dealing with to make sure you understand how you can contain it and also go through the process of finding that attack path and pays and zero what's your data recovery process and how you're gonna store evidence. When you're taking images, you're gonna be taking a lot of disc space and it's really important to make sure you've got that prepared.
You don't want to be running through the shelf looking for hard disks in order to store terabytes of data, so make sure you've already got that in place and ready. Look at threat intelligence: go into the dark web and try to find whether there's any chatter or noise that may have been preemptive planning, or chatter afterwards of people bragging about you becoming a victim. Also look at what security was in place and what mitigations you need to actually prevent the incident going further. A lot of times, organizations who become victims had security in place. This organization had antivirus installed. They had malware protection, they had different types of tools, they had VPNs in place, they had password rotation. So really make sure you understand what security was in place and why it did not prevent the attack.
Why did it not stop the attack in the first place? Find that baseline: what were the reasons why your existing security didn't prevent it? Look at how they got data exfiltration out. How did they extract the data, and how much data? So look at your network activity, get your asset inventory, and again use the network activity to understand which machines were communicating and where data was transferring. This is something you want really good documentation of. Ultimately this will result in your incident response report, and I highly recommend having this template or plan in place to make sure you're prepared for the next step. Of course, as I mentioned, using the MITRE ATT&CK framework, this is a really great interactive tool that allows you to go through things like understanding what scanning techniques were used, how they gained the initial access, and going through executing the ransomware.
Did they create any backdoor for persistence? What privilege elevation was used? Did they use things like Mimikatz, or did they find vulnerabilities, zero days or exploits on the network? So really understand the different techniques that were used, and ultimately this will allow you to define and document the indicators of compromise. You understand by going and auditing your logs to find out whether there was suspicious activity that you could have detected beforehand. In this ransomware incident, going into the logs, it was clear that something was happening. There was lots of noise in the logs: application failures, network scanning happening, PsExec being executed, lots of new accounts being created out of hours. So it was very, very noisy. So go through and understand what those indicators were and what the timestamps of those were.
Was there anything that happened after password rotation? Were there password-failure logins after accounts were rotated? Look at whether any accounts were created and added to local administrator groups or domain administrator groups. Look for devices or IP addresses that were not from common locations. That's a really good indicator, especially when you look through things like the terminal services logs: what IP address ranges appear that are suspicious, from countries where you may not have employees? Look at increased network bandwidth. What about out-of-hours activity? Were things occurring on Thursday nights, Saturday nights or Sunday mornings? What time were those activities, and was that common to your employees' normal activities? What about employee notifications: did they see anything suspicious? And also any suspicious applications being executed in the environment. So really look through and document the indicators of compromise that could be related.
You want to gather as much as possible in order to try and relate these through that MITRE ATT&CK framework, and that will help you understand the attack path and the flow. The next question I get into asking all the time is what did the attackers have access to, how did they do it, and how long were they in the environment? This gives me a really good understanding of what the recovery operations or recovery plan potentially are. So look at: did they have domain admin access or domain controller access? If that does happen, of course, you're really looking at a complete Active Directory rebuild. If that was the case, what systems did they have access to? What data was accessed? Depending on the data, that might determine whether you have to trigger the data protection authority; you might actually have to notify employees under sensitive data laws. What applications? That also allows you to understand, when you know what applications have been accessed, potentially what data those applications are associated with.
Was it limited to on-premise, or did it also move to the cloud? In the particular incident that I dealt with, it was limited to the on-premise environment. So fortunately, they were using things like Office 365 and were able to continue using email and other means of communication, and that hybrid environment did preserve some of the data that they were able to recover as well. The attack itself: how long was the attack going on? For this particular incident, it was hands-on-keyboard for just around two weeks' time, and the initial access had actually happened seven months prior to it, the compromise of credentials to get that initial foothold, likely by a cybercrime group who specialize in access. They had sold it on to other cybercriminals who ultimately did the hands-on-keyboard side of things.
So it was about seven months on the timeline, but the hands-on-keyboard was around a two-week period. The types of tools that they used were a combination of their own tools that they brought in and tools that existed in the network, so they did live off the land quite a bit. They also created backdoors. They also took a large portion of data. And on the timeline of events, when we did the digital forensics and looked at those timelines, one thing we did was go back something like four to five years of logs and data. One thing that was really interesting is that when you're going through doing your digital forensics and response, sometimes you uncover other incidents that were from other attackers. In this case there were other attackers that we discovered that didn't do anything malicious.
They just gained access. We also found other types of activity, such as crypto mining that had been deployed on some systems and was using their energy and resources to do crypto mining. So sometimes you do uncover other incidents during this type of response, and it's really important to understand what the big picture is, what it is you're dealing with, and also what evidence is remaining. One thing you're dealing with, especially when it's ransomware, is that a lot of the evidence is destroyed and contaminated. I always say it's a bit like a jigsaw puzzle which was 10,000 pieces originally, but you've only got 200 pieces remaining, and you need to put that puzzle together and understand what the entire picture was with only 200 pieces remaining of a 10,000-piece jigsaw puzzle.
That's difficult. That's really challenging, and that's what many responders have to deal with, especially when they're dealing with ransomware. So most organizations who become a victim have pretty limited responses and choices. You will either restore from a backup, if you do have one. Unfortunately, for many victims their backup strategy isn't tailored to ransomware; it's tailored to fault tolerance, hardware failure and integrity corruption, but not ransomware. Unfortunately, many organizations don't protect against ransomware in their backup strategy. They have an online backup that's available and that's using the same credentials as production, which for me is not a good strategy to protect against ransomware. You want segregation, you want offline backups, and you don't want the same credentials being used for production and for your backup systems. So in this case, the victim's backups were encrypted as well and unavailable.
They were considering paying the ransom. The third option, of course, is you do nothing and you hope to rebuild from scratch. So in this particular incident, they were looking at paying the ransom. They decided not to go down that path, and it's something I don't recommend, because ultimately what you're doing is fueling future cybercrime. You're paying for the criminals to invest in better techniques and make it more difficult to protect in the future. So fortunately, they found that they had a migration that occurred one year prior, and they used that migration system as a baseline to rebuild. So they didn't have to rebuild completely from scratch. They had a baseline, fortunately, from a system that was due to be decommissioned, and fortunately that one-year-old system was available and they were able to use it to restart and do their rebuild program.
That took about a two-to-three-month period to rebuild that entire system and get them completely operational. But you're going to be faced with this choice: do you shut down systems and pull the plug? How do you prevent or limit the spread of the attack? Can you go back to manual? As part of that incident response plan and the readiness plan, you want to test your manual systems in case systems do go offline. What is still operational? What systems do you still have available? Fortunately for this victim, it happened on the weekend and a lot of the employee systems were turned off. They shut them down and took their laptops home with them. So quite a large amount of the endpoint side of things was still operational and still available.
The data on those systems was still accessible, but unfortunately the server side was completely eliminated. That's something that had to be looked at, and what the rebuild process focused on was the server side. You also want to understand whether the attackers still have access, what they are accessing, and how you eliminate that. In this incident we actually shut down the internet to the entire business. We pulled the plug to the ISP in order to contain, maintain and gather evidence and to stop the attackers having that persistent access. So the next step you go into is you want to find a sample of the crypto. You want to find what you're dealing with to really understand what its capabilities are, so that you can understand what your restoration and recovery process is and how you eliminate and eradicate it. So one thing I use heavily is Joe Sandbox.
Joe Sandbox is a way that you can upload a sample of the crypto. Typically you'll find it in temporary files, or on the desktop, or hidden somewhere in Downloads or Program Files; you'll find it somewhere on the system. Finding that and uploading it to Joe Sandbox will allow it to run a dynamic analysis on it and give you an indication of what it's doing, what its capabilities are, how severe it is and what the indicators of compromise are, and really help you determine what you need to do in order to recover. So this is critical. It's a great tool, and I heavily recommend going and taking a look. It's very interactive and allows you to go through and see previous variations. The next thing you'll end up doing is taking a look at VirusTotal to see why your existing tools did not work.
Why did they not prevent it? In this particular incident, of course, they had antivirus and anti-malware and so forth installed on their systems. But the variant that was used was quite a fresh variant of CryLock, and at the time only, I think, two or three antivirus products were detecting it. Interestingly enough, as I was going through the logs and the evidence gathering, I found that the attackers actually had other variants of ransomware available to use, but they chose the CryLock version because it was the one that was not being detected at the time. It was the one that would allow them to be successful, bypass the existing security controls and create as much havoc as possible. So it's really important to understand why your security controls didn't work at the time and what you need to do in order to evolve, become more proactive and limit the ability of those attacks to succeed.
The next thing I go through is understanding what the attack path was. What were the footprints? How did the attacker gain that initial foothold? What was the initial access that they gained, and what were the staging systems that they used? This is really where you gather as many images as possible of victim machines. You don't want to gather all of them, just some specific ones, and then you create what is a super timeline of the logs and evidence remaining. That will allow you to see how they moved around the network and, ultimately, how they hid their tracks. Sometimes the clearing of logs will give you an understanding of where they moved around, where they started and which logs they deleted. Also look at the types of logs. Sometimes you'll find that partial logs were erased: the remote desktop services logs may be erased, the VPN logs erased.
So you'll understand from the logs that were cleared and erased what types of things they were doing on the systems. Ultimately, you're trying to find out what evidence is remaining, and unfortunately ransomware is a really good way of hiding tracks. You also want to understand the lateral moves. As I mentioned, taking a look at the logs and finding things like PsExec being run, and of course being run on a Sunday evening or early Saturday morning, is not normal employee activity. So being able to look through and find those victim machines and find out where those PsExec commands were coming from will allow you to find the specific staging machines that were potentially used, because ultimately you'll find a few machines that correlate back up that tree, which was used to deploy the ransomware.
This is a similar command to the one that was used to deploy this particular nasty ransomware itself. So look for those lateral moves. The next thing you want to find out is what automation was done when you get access to the staging machines. Fortunately, we were able to sever the access before the attackers were able to completely clean up the tools that they used, and we found that in this particular incident one of their favorite tools was SoftPerfect Network Scanner, which they had highly customized in order to create backdoors and deploy other staging machines. One thing to note here is that I've translated a lot of these. These were originally in Cyrillic Russian-language text, and I've translated them into English so you can see them more easily. But these are the real types of scripts that were used to create the staging machines and move around the network.
So it was Russian-language attackers, not necessarily based in Russia, but they could be from Russian-speaking countries. Attribution wasn't completely defined, but it was Russian-speaking criminals who deployed this particular ransomware. So moving on: once you find the automation and how they moved around and created those staging machines, the next thing you want to find out is how they elevated privileges. One of the things they tend to do is get access to these staging machines after the initial access, and the sessions may last only five or ten minutes, very short sessions. They'll gain access, maybe as a local administrator or an elevated user, and what they'll end up doing is they'll disable security and then use tools like Mimikatz to elevate privileges, or change configurations, such as adding this DWORD, UseLogonCredential.
What that does is enable Mimikatz to extract passwords in clear text from memory, which is what happened in this case. Effectively, this meant that they would disable security, make those changes, re-enable security, hide their tracks and leave, and then come back a few days later to find out whether they were able to discover and gain access to credentials. Sometimes they even cause problems on those machines in order for the local administrators or domain administrators to log on to fix those problems, so that the attackers can capture the credentials. Interestingly, when I was doing the research, I sometimes found traces of other victims in some of the logs and evidence that remained. So one of the interesting things is that when you're doing this response and looking through the audits and the tools that were left behind, sometimes you find other scripts, other names and conventions and other traces of other crimes that occurred in other organizations, other victims of ransomware.
So that's something to be aware of as well. When you're doing this, you also want to make sure you understand what backdoor or persistence they created. It's very common. What they'll do is get access to a compromised account, and they don't want the user to change that password, because it would eliminate their access. So a very common technique, which is known as sticky keys, is to make configuration changes to the systems which mean that even if the user changes the password, from a remote desktop login prompt they can simply click on the utility helper and they'll get a command prompt. So this is an example of some of the techniques that they used to maintain that persistence. It's really important to make sure you're looking for these types of activities as well.
It was a very common technique used in this particular case; they'd used it several times. One thing is that the biggest mistake this organization made was that they'd actually given employees local administrator rights, and local administrator rights literally mean the attackers are two steps away from elevating permissions. They're able to use local admin rights to disable security and make system configuration changes, even if it's only for a short amount of time. If you're looking at your AV and it drops off for 10 minutes and then reappears back online, that's something you should investigate. In this case, that's what they were doing: disabling security, making configuration changes, scanning the environment and then re-enabling it and disappearing. So it's really important to understand that we need to move away from giving employees local administrator rights. It's a very serious, very high-risk thing to do.
So you should be detecting that. Ultimately, after all of the research, all of the digital evidence and all of the incident response, we found that it all resulted from a public-facing remote desktop machine that was enabled for an accountant in another country in order to do their work. This was the initial access, the area where security had lapsed. Of course, they had other controls. They had multi-factor authentication in place, they had security in place, they had VPN in place, but this was one machine that was enabled quickly in order to keep employees productive, and security lapsed in this area. So it's really important to understand that this is a very common area that attackers will scan and look for. Ultimately it resulted from a brute-force attack and weak credentials that employees chose, giving the attackers the ability to access the systems.
So what can we do in order to reduce the risk of these types of attacks? How can you become more resilient to ransomware-related incidents? These are some of my top tips to avoid becoming a victim. One is good education and cyber hygiene: get the basics right, make sure you have good visibility, good asset management and a good understanding of the risks and your critical assets in the environment. Next is password hygiene: make sure employees are choosing wisely, and reward your employees with a password management solution. That will definitely put you on the path to becoming more resilient to attacks that are brute-force or stolen-credential related. Have a good backup and test plan. Have a zero trust or least privilege approach, and look at privileged access management to make it more difficult, getting to where you don't need employees to have local administrative rights and going from persistent privileges to non-persistent privileges. Have good application control in place, so that applications which can be used for good or bad are under your control: you can require additional security controls or verification, make them time-based or subject to an approval checkout process, or not allow them to run outside business hours. And also have a good patch and update strategy as well.
One thing that I do recommend, and we'll open up for questions shortly, is that understanding the hacker techniques that were used in this particular ransomware case will help you defend against future cyberattacks and become more resilient. But focusing on the business risks is the best way to help you get the security budget. So take these lessons. This is from a real victim of a ransomware case. This is their experience; these were the techniques that were used. Take the lessons, make sure that you learn from them, and put them in place in your organization to make sure you put in the controls that will make attackers' jobs more difficult. Ultimately, my goal is to force the attackers to take more risk. The more risk they take, the more noise they'll create in your networks, and the more noise they create, the more chance you have to detect them much earlier, giving you a chance to defend and make sure your organizations are more resilient. So I'm happy to open up for any questions we might have, Paul, if you have anything coming in.
Joe, that was fantastic. If any of your colleagues didn't see that today, I really recommend that they look at the recording, because there was so much in there. Thank you, Joe. We have a tiny bit of time. I'll just run through the results of the surveys quickly, and then we've got a couple of questions. No surprise, then, that the three biggest challenges were, in order: skills shortage, budget, which you just touched on, and then equal, too many tools and stakeholder management. But skills shortage is by far the biggest worry.
Yeah. In that case, for that skills shortage, I highly recommend a combination of having a service provider support you in these types of cases from an incident response perspective, and also making sure that you balance internal skills and business knowledge with those external skills as well.
Okay. I can't see the first poll results now, but never mind. We have a question, two questions actually, both from Peter Keller, who asks specifically, I think, on what you're describing: how did the attackers initially get into the network? I think you actually said that towards the end. And what specific techniques did the attackers use for lateral movement?
Yeah. So to answer that question, that's a great question. For the initial access, we noticed that all of a sudden there was a brute-force attack. We don't know if they already had stolen credentials prior to it, but all of a sudden there was an IP address that appeared to have a successful login, and that initiated it. So we knew that credentials had been abused and stolen. We weren't quite sure of the source of that initial access. We weren't quite sure if it was, for example, that the person had used the credentials on other systems and it resulted from another data breach, from reuse of credentials. We weren't quite sure if it was, for example, a phishing campaign, or that the employee was tricked into giving up the credentials, or whether the credentials were just weak to begin with and could be guessed using a proper password cracking technique.
So the only thing we have from an evidence perspective is that there was a successful login using stolen credentials. How the credentials were obtained, we still don't know to date. So that's one thing: it's always difficult to find out what happened on the outside; you can only see when that first incident or successful login occurred. The second part, the lateral movement: the way they moved around the network was that, unfortunately, the credential that had been compromised was a local administrator, and they were able to use that local administrator to elevate up to domain rights using Mimikatz and disabling security. When they did that, they used PsExec to move laterally around the network. So PsExec was a tool that was being used, and it was also being used internally by the security team and system administrator team to manage the network. The attackers used PsExec with those stolen credentials to move around the network. Great question.
Okay, Joe, I think unfortunately we are now right out of time. We did have some other questions, but you can follow up with Joe directly, I'm sure, if you want to follow up on anything that he brought up. But as I said, I thought that was a superb, not an introduction, but a superb description of what a ransomware attack is like, and a huge amount of information. So I fully recommend that you download the deck when you get it. But for now, Joe, again, thanks very much. Absolutely.
And any questions people have, they can reach out to you on social. Yeah, I'm happy to answer them. So,
Yeah. Fantastic. And thanks to you all for listening today. Really appreciate your time. So bye for now.
Thanks everyone. All the best.