Ransomware Case Studies & Forensics Analysis

A particularly insidious type of malware is ransomware, which is installed covertly on a victim's systems (Windows systems, in this case) and locks them down. That lockdown is accompanied by a message demanding payment if the system's owner ever wants to access the files again. Unless you are very lucky (or the attacker is spectacularly incompetent), everything important on the drive is effectively lost to you unless you pay.

Although earlier versions of ransomware sometimes used flawed encryption that could be broken, recent iterations are better designed. Paying the ransom is no guarantee that things will work out either, as a hospital in Massachusetts discovered when the attackers demanded a second ransom after the files had been locked down.

The Case

The victim: a hospital with 680 networked Windows systems, 380 in a central office and another 300 in satellite offices. On arrival, the incident response team found that the client had no protection in place: the network administrators had no visibility into what was going on in the network, no security tooling, no forensic tooling, and no IPS/IDS at the perimeter.

Initial Findings

All of the organization's endpoints run Windows 7 or Windows 10. Employees use email through Office 365 and Microsoft Outlook. The CyberSecOp team identified that the infection started with a phishing email.

The Malware

The ransomware was identified as RYUK, specifically a newer variant that resisted removal by utility programs such as SpyHunter. The client had also checked the registry settings described by Malwarebytes, hoping to isolate the exact nature of the threat, but had no luck. RYUK has a nasty habit of deleting key files in its wake in order to confound attempts to stop it.

The client decided to restart the affected servers and see how things went. While the servers were down, staff had to write new orders on slips of paper. It was chaos.

Each infected folder contained a ransom note, the "# Decrypt Read Me" .txt file. The ransomware encrypted every file whose extension was on its target list, giving each a random filename with the .RYUK extension.

The malware infected all PCs at the central office and all of the systems at the satellite offices. The damage to the infected PCs was manageable, since they could be reimaged. The 26 servers hosting health information and databases were the major problem: the client discovered that its backups had been failing, and the log files (.log), configuration files and Group Policy files were all encrypted.
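The indicators above (a ransom note dropped in each touched folder, files renamed with a random name and the ransomware extension) are what a responder looks for first when sizing the damage across shares and servers. The following triage scanner is an added example, not code from the case or from CyberSecOp. It walks a directory tree, records which folders carry the note, and uses a Shannon entropy check on the first few kilobytes of each renamed file to separate files that really are encrypted from renamed files whose content is not high-entropy (decoys, zero-length files, writes the malware never finished). The note name and the .RYUK extension are taken from the write-up and should be treated as assumptions to confirm against a sample; the file share it scans is constructed in a temporary directory for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators as the write-up describes them. Both are assumptions: confirm the
# exact note name and extension against a sample from the actual incident.
ENCRYPTED_EXT = ".RYUK"
NOTE_NAME = "# Decrypt Read Me.txt"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; ciphertext and compressed data sit near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, ext=ENCRYPTED_EXT, note_name=NOTE_NAME,
              sample_bytes=4096, threshold=7.0):
    """Walk `root` and classify what the ransomware touched.

    Returns a dict with the directories that do / do not hold the ransom note,
    the count of renamed files whose content really is high-entropy, the
    renamed files whose content is not (decoys, zero-length files, aborted
    writes), and the count of untouched files. Only the first `sample_bytes`
    of each renamed file are read so large shares can be triaged quickly.
    """
    root = Path(root)
    report = {"dirs_with_note": [], "dirs_without_note": [],
              "encrypted": 0, "renamed_low_entropy": [], "plain": 0}
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        key = "dirs_with_note" if note_name in files else "dirs_without_note"
        report[key].append(str(d.relative_to(root)))
        for name in files:
            if name == note_name:
                continue
            if not name.upper().endswith(ext.upper()):
                report["plain"] += 1
                continue
            with open(d / name, "rb") as fh:
                head = fh.read(sample_bytes)
            if shannon_entropy(head) >= threshold:
                report["encrypted"] += 1
            else:
                report["renamed_low_entropy"].append(str((d / name).relative_to(root)))
    return report


def build_sample_tree() -> str:
    """Constructed file share for the demo; not data from the case."""
    root = Path(tempfile.mkdtemp(prefix="ryuk_triage_"))
    (root / "Finance").mkdir()
    (root / "Finance" / NOTE_NAME).write_text("Your files are encrypted.\n")
    # os.urandom stands in for ciphertext: same entropy profile, no real key.
    (root / "Finance" / "k3Jd9sQ2.RYUK").write_bytes(os.urandom(8192))
    (root / "Finance" / "empty.RYUK").write_bytes(b"")
    (root / "Imaging").mkdir()
    (root / "Imaging" / "readme.txt").write_text("plain text " * 200)
    return str(root)


def triage_sample():
    """Build the sample share, scan it and return the report."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for k, v in triage_sample().items():
        print(f"{k}: {v}")
```

Run against a mounted share or a forensic image, the report gives the negotiation and recovery team the numbers that matter: how many folders were reached, how many files are genuinely unrecoverable without the key, and which renamed files are anomalies worth a closer look. Folders without a note are candidates for being untouched, but only the entropy check on their contents (not the absence of the note) should be trusted.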

The Demand

The # Decrypt Read Me file contained a message asking for 150 Bitcoin (about $1,734,000 at the time) to recover the organization's systems, including details on how to pay. The hospital's Managing Director decided that they had no avenue other than paying the ransom.

CyberSecOp first tried to recover files from the physical servers but had no luck, because most of the files were corrupted. The team proceeded with forensics and ransomware negotiation, and got the threat actor down to 3.9793 Bitcoin.

Ransomware Payment

  • All communication with the client is covered by attorney-client privilege

  • Before negotiating, we request proof of life (the attacker decrypting sample files to show that the key actually works)

  • We understand that ransomware negotiation is a big deal for your business

  • We negotiate and collaborate with the client as we would in any other business deal

  • We quickly work to understand the attacker, then start the ransom negotiation

  • Our ransomware negotiation experts understand the classic rules of hostage negotiation

Remediation

  • Forensic data gathering

  • Deploy CyberSecOp MDR

  • Pay the threat actor 3.9793 bitcoin

  • Receive the decryption tool from the threat actor

  • Complete malware analysis of the decryption tool before running it

  • Work with the client's technical team to decrypt the systems

Protecting Yourself

  • Large companies often have disaster recovery plans in place that cover ransomware infections. But what should individuals or small businesses do when confronted with this issue? Crossing your fingers is not a plan.

  • Frequent offsite backups are the obvious first step, although automation comes with a downside: if your files are maliciously encrypted, the encrypted copies may get backed up as well, overwriting the good ones. If you take this route, make sure the backup vendor offers versioning or at least a 30-day recovery window, so you can get your files back intact from before the encryption started.

  • For individuals, even something as simple as copying files to an external memory stick or drive is better than nothing. If you take this route, keep the USB storage unplugged when you are not copying to it; ransomware encrypts every drive it can reach.

  • Since email attachments are a prime source of infection, an email scanner that inspects attachments is probably the best way to cut off that particular vector of attack.

  • Security awareness training so that employees can recognize and report phishing email
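The backup point above is easy to state and easy to get wrong in practice: a nightly job keeps running while the ransomware is encrypting, so each new snapshot is a copy of ciphertext and ransom notes, and a short retention window silently expires the last good copy before anyone notices. The following is an added example, not code from the case or from CyberSecOp, that models versioned snapshots of a server share and picks the restore point: the latest snapshot taken before the first one that carries the ransomware's indicators, after applying the vendor's retention. The snapshots are constructed for the demo (ten nights, encryption starting on the seventh, noticed on the tenth), and the note name and .RYUK extension are assumptions taken from the write-up.

```python
from datetime import date, timedelta

# Indicators as the write-up describes them; both are assumptions to be checked
# against the real incident before using them to judge a backup set.
ENCRYPTED_EXT = ".RYUK"
NOTE_NAME = "# Decrypt Read Me.txt"


def snapshot_is_clean(paths, ext=ENCRYPTED_EXT, note_name=NOTE_NAME) -> bool:
    """A snapshot that carries the ransom note or renamed files is tainted."""
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        if name == note_name or name.upper().endswith(ext.upper()):
            return False
    return True


def apply_retention(snapshots, today, retention_days):
    """Drop the snapshots a vendor with `retention_days` would already have expired."""
    cutoff = today - timedelta(days=retention_days)
    return {d: paths for d, paths in snapshots.items() if d > cutoff}


def choose_restore_point(snapshots):
    """Return (last clean snapshot date, first tainted snapshot date).

    Either value is None when no such snapshot exists. Only snapshots taken
    before the first tainted one count as clean: anything later was taken
    while the malware was already active on the network.
    """
    last_clean = first_tainted = None
    for d in sorted(snapshots):
        if not snapshot_is_clean(snapshots[d]):
            if first_tainted is None:
                first_tainted = d
        elif first_tainted is None:
            last_clean = d
    return last_clean, first_tainted


def build_sample_snapshots():
    """Constructed nightly snapshots of a server share (not data from the case):
    ten nights, encryption starts on the seventh, and the job keeps copying."""
    start = date(2019, 3, 1)
    snaps = {}
    for i in range(10):
        night = start + timedelta(days=i)
        if i < 6:
            snaps[night] = ["db/patients.mdb", "gpo/Default Domain Policy.pol",
                            "logs/sql.log"]
        else:
            snaps[night] = [f"db/{NOTE_NAME}", "db/a8F2xQ.RYUK",
                            "gpo/Z9qLm1.RYUK", "logs/Pq77Tz.RYUK"]
    return snaps


def evaluate(retention_days, noticed=date(2019, 3, 10)):
    """What is restorable on the day the encryption is noticed."""
    held = apply_retention(build_sample_snapshots(), noticed, retention_days)
    return choose_restore_point(held)


if __name__ == "__main__":
    for days in (30, 3):
        clean, tainted = evaluate(days)
        print(f"retention {days:>2} days: last clean = {clean}, first tainted = {tainted}")
```

With 30 days of retention the night-six snapshot is still there and is the restore point; with 3 days of retention every surviving snapshot is already tainted and there is nothing to restore, which is the situation the hospital found itself in. Two caveats apply in practice: the indicator check should be run over the real snapshot contents (file listings exported from the backup system), and a snapshot that predates the encryption does not necessarily predate the intrusion, since the phishing email that started this case arrived before anything was encrypted, so restored systems need to be examined before they go back on the network.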

Conclusion

Backups are critical: if the client had maintained its backups, it would have been able to recover without paying the demand, and where payment is unavoidable our experts can reduce the financial exposure. Let professionals handle the case: the client could easily have lost all of its data while trying to remove the ransomware without understanding how it works. It is highly recommended to use a security team that can analyze the decryption tool before it is run, to ensure it does not drop a logic bomb.

It is also critical that your organization take steps to secure all of its systems: implement a managed SOC and MDR services, and run employee security awareness training.
