You're reading from Incident Response Techniques for Ransomware Attacks Understand modern ransomware attacks and build an incident response strategy to work through them

Product type Paperback

Published in Apr 2022

Publisher Packt

ISBN-13 9781803240442

Length 228 pages

Edition 1st Edition

Concepts

Cybersecurity

Author (1):

Oleg Skulkin

View More author details

Table of Contents (17) Chapters

Preface

1. Section 1: Getting Started with a Modern Ransomware Attack

2. Chapter 1: The History of Human-Operated Ransomware Attacks FREE CHAPTER

3. Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack

4. Chapter 3: The Incident Response Process

5. Section 2: Know Your Adversary: How Ransomware Gangs Operate

6. Chapter 4: Cyber Threat Intelligence and Ransomware

7. Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures

8. Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence

9. Section 3: Practical Incident Response

10. Chapter 7: Digital Forensic Artifacts and Their Main Sources

11. Chapter 8: Investigating Initial Access Techniques

12. Chapter 9: Investigating Post-Exploitation Techniques

13. Chapter 10: Investigating Data Exfiltration Techniques

14. Chapter 11: Investigating Ransomware Deployment Techniques

15. Chapter 12: The Unified Ransomware Kill Chain

16. Other Books You May Enjoy

2016 – SamSam ransomware

These ransomware operators emerged in early 2016 and changed the ransomware threat landscape drastically. They didn't focus on regular users and single devices; instead, they attacked various companies, focusing on a human-operated approach, moving laterally and encrypting as many devices as possible, including those with the most important data.

The targets were very different and included the healthcare industry, the education sector, and even whole cities. A notable example was the city of Atlanta, Georgia, which took place in March 2018. As the result, the city had to pay approximately $2.7 million to contractors to recover its infrastructure.

The group commonly exploited vulnerabilities in public-facing applications, for example, JBOSS systems, or just brute-forced RDP-servers to gain the initial foothold to the target network.

To elevate privileges, the threat actors used a number of common hacking tools and exploits, including the notorious Mimikatz, so they could obtain domain administrator credentials.

Having elevated credentials, SamSam operators just scanned the network to obtain information about available hosts, then copied a piece of ransomware to each of them and ran it with help of another very common dual-use tool – PsExec.

The attackers had a payment website in the dark web. A victim could find all the necessary information on file decryption in the ransom note generated by the ransomware, as shown in Figure 1.1:

Figure 1.1 – SamSam ransom note example

Being active from 2016 to 2018, the group earned approximately $6 million, according to Sophos (source: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf).

Who was behind the SamSam ransomware

On November 28, 2018, the FBI unsealed an indictment charging Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri with deploying SamSam ransomware internationally:

Figure 1.2 – An excerpt from an FBI Wanted poster

Both subjects are from Iran. After the indictment was unsealed, the threat actors managed to finish their malicious activities, at least under the name SamSam.

These threat actors showed others that enterprise ransomware attacks may be very profitable, so more and more groups emerged. One example is the BitPaymer ransomware.

You're reading from Incident Response Techniques for Ransomware Attacks Understand modern ransomware attacks and build an incident response strategy to work through them

Table of Contents (17) Chapters

2016 – SamSam ransomware

Who was behind the SamSam ransomware

Authors (1)

Personalised recommendations for you