#ISC2Congress 2022: Lessons from a Ransomware Attack
When an organization suffers a ransomware attack, how well they can respond comes down to preparedness. An up-to-date, comprehensive incident response plan (IRP) can make a big difference, said Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea.
Joseph spoke about ransomware response on Monday as part of the annual (ISC)² Security Congress, taking place through Wednesday in Las Vegas. To illustrate the importance of being prepared when responding to an attack, Joseph walked his audience through an experience he had with a client.
The company’s security team was notified of an attack by the hackers through email and text. In response, the company activated its response plan and called Joseph to help them with recovery and investigation. The client was fortunate to have an incident plan in place that they could use. Joseph said in some cases the plan becomes inaccessible because it is encrypted by ransomware with everything else.
That wasn’t the case with this client. “They’d done the plan. They’d done the preparation. They had a communication plan. They had contact lists of who to contact. They went through and had definition of what the type of incidents are going to be dealing with,” Joseph said.
But while the company had done some preparation, the plan was incomplete. For one thing, the plan had not been updated in a long time, and the company had never run a drill, Joseph said. “This was the first time they were contacting the press, the first time working with legal team, the first time working with HR,” he said.
It was also the first time working with the sales and finance teams on how to respond to an incident – when one was already under way. “And that’s not what you want to be doing. Time is so critical in this world.”
The response plan itself was incomplete. For instance, it did not address what the finance team should do to acquire bitcoin for ransom if the company chose to go that route, Joseph said.
“They had no idea, no plans in the response for time zones and naming conventions and formats, or even the plan of actually taking images from infected machines. They had actually no hard disc available in order to actually store tens of terabytes of data that needed to be collected.”
Weighing Options
As Joseph and the response team weighed recovery options, they learned that restoring from a backup was out. The hackers had encrypted the backup along with other critical systems.
The company also weighed paying ransom, but chose to rebuild from scratch. This was possible only because of a disconnected machine that Joseph came across. The machine had sat unused for about a year.
“It meant that they had to rebuild one year’s worth of their data,” Joseph said. “But it meant that they actually had a recovery point.”
As the recovery process took place, Joseph investigated how the hackers infiltrated the system. It turns out “patient zero” was an accountant who had called the organization’s hosting provider to gain access to systems. The accountant was traveling out of the country and demanded immediate access.
The provider agreed to grant access and, in the process, created a vulnerability in the remote desktop protocol (RDP) that the hackers were able to exploit. From there, the attackers were able to get into other systems and disable security, all while hiding their tracks, Joseph said.
The result was a major breach to the company. “This ransomware case was very devastating, very impactful for the business. And there was a lot of key lessons that they learned.”
Those lessons, he said, included “education, good hygiene, really getting into awareness and understanding what the risks are.” Another lesson was the importance of having a backup and test plan, as well as a response plan tailored to ransomware attacks, he said.
In addition, the company learned about zero trust and least privilege. The accountant whose actions created the vulnerability had local administrator rights that really weren’t needed, he said.
And ultimately, Joseph said, it’s critical for organizations to understand how attackers operate. Understanding hacker techniques is how a company can best defend itself, he said.