THE COMPLETE GUIDE TO RANSOMWARE
[UPDATED FOR 2022]

From CISOs to SecOps teams, find out how ransomware is evolving and what you need to do to be able to detect and respond to attacks.

Lepide
Copyright Lepide USA Inc.

CONTENTS

Introduction

What CISOs Need to Know

US State and Federal Ransomware Compliance Issues

Security Strategies: Passwords, Permissions and Active Directory

Ransomware: To Pay or Not to Pay?

Security Operations: Finding Threats in Near Real-Time

About Lepide

INTRODUCTION

It should come as no surprise to anyone that in the FBI’s 2021 report on cybercrime, ransomware makes it onto their list of major malware trends. Last year, the top US law-enforcement agency received over 3,700 ransomware complaints involving over $37 million in cryptocurrency payments. Of course, these numbers reflect just the ransomware that was reported to the FBI.

Research firm Chainalysis can gain insight into ransomware crypto transactions through clever tracking of the public blockchain, which can reveal payment amounts made by corporate victims. For 2021, they estimated that on a worldwide basis, total ransomware transactions were valued at over $600 million! It’s not as if the ransomware threat environment is going away anytime soon.

The FBI also reports that the tactics and strategies of these criminal gangs continue to evolve. In a recent Cybersecurity Advisory, they note the “professionalization” of ransomware with the use of a ransomware-as-a-service (RaaS) model. This allows the criminals to rent, not buy, off-the-shelf malware, with the cyber criminals automatically sharing a percentage of their Bitcoin revenue with the RaaS provider. The attackers can also use third parties to negotiate the transaction with the victims, which can include 24/7 call centers to handle “customer” questions. Ransomware is now a successful criminal operation that has taken on the trappings of a white-collar service-based business.

While there are innovations on the technical side, the attack methods and the malware itself remain fairly constant. As the FBI notes, the top vectors for getting into victims’ systems are still phishing, stolen credentials used to log in over Remote Desktop Protocol (RDP), or vanilla brute-force password attacks on public-facing access points. There’s nothing new or innovative in these tried-and-true techniques.

Once inside, the attackers typically run commands to explore the network and learn about IP addresses, domains, and server names, gathering useful intelligence along the way. They also explore Windows Active Directory to inventory the user community, specifically to find those who are likely to have elevated permissions.

Leveraging standard network and admin utilities, they rely on the fact that Windows’ PowerShell is available as a scripting language—what’s known as living-off-the-land (LoL)—to stealthily infect their target. The attackers then try to install the actual ransomware on as many servers as possible, and then wait for the victim to notice their file systems have been encrypted and respond to the ransom note.

In 2022, ransomware continues to make the news — see the recent Hive ransomware attacks — and there’s no reason to believe the threat will subside any time soon. However, there are practical, simple-to-implement strategies to contain the risk of such an attack.

In this guide, we’ll explain in more detail why ransomware requires CISOs’ attention and cover the defense strategies that SecOps teams can deploy. We’ll conclude with techniques and tools, specifically Data Security Platforms (DSPs), used for secondary defenses that can detect and stop ransomware attacks in progress.

WHAT CISOS NEED TO KNOW

Before we delve into practical strategies for limiting ransomware risk, it’s important for CISOs and other C-levels to understand what’s driving the ransomware market. The answer is relatively simple: for the attacker, ransomware is incredibly profitable, far more so than hacking into systems to find monetizable personally identifiable information (PII) — credit card and social security numbers — and selling them on dark exchanges.

We now know this to be the case after a team of NYU researchers who study the dark markets were fortunate enough to gain access to the actual transaction history of one infamous stolen data marketplace, BriansClub. They discovered a very skewed market where a few sellers of stolen PII were raking in millions whereas the median seller — the bottom 50% — earned far less, under $47,000.

Their research tells a tale of hackers who, after all the effort to break in and find data, find the rewards to be far less than expected. This is especially the case when the stolen credit card numbers are associated with national banks known to have better security, and are therefore less valuable to the criminals who buy them on the exchange. It’s a picture of mostly smaller hackers selling perhaps a few thousand records and ultimately receiving only $10 per record.

Contrast this with ransomware where the attackers avoid the additional time and effort involved with finding marketable PII data since the file system itself is inherently of value to the victim.

We know from cyber insurer NetDiligence and claims made by its corporate customers in recent years that ransomware payments to attackers are far more generous: excluding the largest claims, the average payment for most attacks is around $100,000, about twice the size of the typical sale of PII data based on transactions from BriansClub.

[Figure: Estimated ransomware payments worldwide based on analysis of cryptocurrency addresses. (Chainalysis)]

Chainalysis’ most recent estimates of average ransomware payments also track NetDiligence’s claim data: this research firm calculated an average ransomware payment at about $118,000 in 2021.

US STATE AND FEDERAL RANSOMWARE COMPLIANCE ISSUES

Ransomware is more than just a financial consideration; there are legal and compliance implications as well. US data laws at the state level typically require reporting to state legal authorities when there’s been a data breach — data that’s been copied or acquired.

The relevant language in these breach laws typically defines a breach of security to mean “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information”. This leads to the question of whether a ransomware attack, where the victim’s data is encrypted but not necessarily acquired, constitutes a breach. And the answer is “no”. Access alone is not enough to be considered a breach: the data must be taken offsite.

There are, though, three exceptions in US state breach laws that we are aware of where access alone — as would be the case in a ransomware incident — would be reportable: New Jersey, Florida, and Connecticut. And so, in those states a ransomware attack would generally be reportable — although there are considerations as to whether PII as defined by the state law has been accessed by the ransomware.

An interesting trend is that states are starting to consider security incidents where the IT system has been disrupted to be reportable — regardless of whether PII data was taken.

For example, the New York State Department of Financial Services’ (NYDFS) innovative Cybersecurity Regulation (NYCRR 500) has just such a provision, which considers attempts to gain unauthorized access to, misuse, or disrupt an IT system to be a “cybersecurity event”. Under this law, which covers the state’s huge financial sector, those security events that are “materially harming” a bank or broker’s operations would have to be reported to the state’s regulators no later than 72 hours after discovery.

What about US Federal Data Security Legislation?

The two most relevant are the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). The key point is that companies that fall under these laws, healthcare insurers and providers for HIPAA, and banks and other financial companies (mortgage brokers, brokers, investment advisors, trading houses) for GLBA, would have legal requirements regarding ransomware.

Under HIPAA, a breach is defined as the “impermissible acquisition, access, use, or disclosure of protected health information”. Note the use of “or” here. It’s similar to the breach definitions found in the above three state laws. The tricky part for CISOs is determining whether protected health information (PHI) — essentially HIPAA’s version of PII — has been accessed.

In other words, under HIPAA unauthorized access alone of PHI is considered a breach, and therefore ransomware’s encryption of data files would generally be a reportable event to the Department of Health and Human Services (HHS). More information can be found in this ransomware fact sheet from HHS.

For GLBA, there has been a recent change made by one of the key regulatory agencies involved in rule making for this law that has similar implications to the aforementioned NYDFS law. In late 2021, the Federal Reserve, along with the Federal Deposit Insurance Corporation (FDIC), finalized a rule requiring financial companies under its authority — banking institutions — to notify regulators when there’s been a “computer security incident”.

The rule defines a security incident as any kind of occurrence that “causes actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” In short, a ransomware incident that disrupts operations at a bank would have to be reported within 36 hours according to these new rules that went into effect April 1, 2022.

Copyright Lepide USA Inc.


Copyright Lepide USA Inc.

The table below summarizes the above reporting requirements:

Agency | Rule or Law | Remarks
Regulators in New Jersey, Florida, and Connecticut | State data breach laws | For these states, ransomware is reportable as a data breach when PII is accessed.
New York Department of Financial Services (NYDFS) | CRR 500 | Cybersecurity incidents that materially affect operations, such as ransomware, are reportable to the DFS’s superintendent.
Dept. of Health & Human Services (HHS) | HIPAA (45 CFR § 164.304) | Ransomware is reportable as a data breach if protected health information (PHI) is accessed.
Federal Trade Commission (FTC) | Safeguards Rule | FTC is currently seeking comment.
Securities and Exchange Commission (SEC) | Regulation S-P | Will likely mirror the FTC Safeguards Rule in the near future.
Federal Reserve (FDIC, OCC) | Computer Security Incident Notification | Reporting of disruptive security events. Effective April 1, 2022. Compliance by May 1, 2022.

It is likely that other agencies involved in GLBA rule making, which includes the Securities and Exchange Commission (SEC) for brokers and investors, and the Federal Trade Commission (FTC) covering non-banking financial institutions, will introduce similar rules on incident reporting in the near future.

For US companies that do business in the EU, the General Data Protection Regulation (GDPR) comes into play. Under this law, a data breach is reportable if it leads to “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data”. For the GDPR, personal data is the term used for PII—although it’s far more encompassing than a typical PII list of identifiers. Most likely, a ransomware attack on a large corporate file system would be reportable to the local data authorities established in each EU country.

In any case, CISOs for US companies in the healthcare and financial sectors need to be particularly concerned with ransomware reporting requirements as well as all the specific security controls (more below) in these regulations that are intended to limit the risks of malware.


SECURITY STRATEGIES: PASSWORDS, PERMISSIONS AND ACTIVE DIRECTORY

In the current threat environment, attackers know that they don’t need to apply a complicated exploit. Instead, they merely send out a phish mail that baits the employee to click and then open a Word document or other attachment that contains a malware payload. This is a common entry technique for ransomware as well. It’s been used in the aforementioned Quantum ransomware incident as well as in the recent spate of Hive ransomware attacks.

In these cases, the email is crafted to look official, often appearing to come from, say, a travel agency or FedEx (or other delivery services), or even from the company’s own HR department. Unfortunately, even at this point, with all the warnings and employee training, far too many workers are still clicking.

Besides phishing, another common entry technique is simple brute-force password guessing applied to corporate VPNs or exposed email services such as Windows Outlook Web Access (OWA). An easy fix in these cases, of course, is to enable multi-factor authentication (MFA). Yet even at this point in the ransomware epidemic, too many companies are reluctant to introduce it. They shouldn’t be: the minor increase in employee inconvenience is far outweighed by the reduction in hacking risks.

This leads to the more widespread problem of weak employee passwords. Even in the case of phishing, where the attackers enter without a password, one of their first tasks once inside is to begin the process of harvesting credentials — finding or guessing passwords as well as collecting password hashes that can be accessed and exploited through pass-the-hash (PtH) techniques. The key point is that they have a high likelihood of finding accounts with simple passwords — “spring2022”, or “admin1234” — that can be easily guessed by the attackers.

Of particular interest are administrative-level or other higher-privileged users. With ransomware, the goal is to encrypt as much of the victim’s file system as possible, and admin-level accounts make that far easier to accomplish.

Unfortunately, as a matter of convenience, IT staff often make these admin passwords easy to remember, and therefore easier for hackers to guess. The attackers understand this, and they can identify these and other desirable users through utilities such as AdFind, which can query the Active Directory database and thereby allow them to find high-value targets.

Another option for attackers is to simply look for plaintext passwords in the file system, emails, and in Active Directory itself. Unfortunately, it is again not that unusual for these plaintext passwords to be found, particularly within Active Directory — usually stored there as a convenience for admins. However, these kinds of oversights can be spotted through regular audits done as part of a pen-testing program. We’ve written more about these preventive strategies in another white paper, Executive’s Guide to Penetration Testing.

The key takeaway for IT security managers is to enforce complex passwords by encouraging employees to use what’s known in data security circles as correct-horse-battery-staple. It’s essentially a mnemonic or memory aid where the first letters of some sentence or simple story form the password. IT admins can enforce these high-complexity passwords with additional modules to AD that can check a password’s complexity when the user account is first created and subsequently when passwords are changed.
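As an added illustration (not code from this guide or from Lepide’s product), here is a Python rule set that applies the advice above at the moment a password is set or changed: it rejects the season-plus-year and admin-plus-digits patterns the guide calls out, requires length and character-class diversity, accepts a multi-word passphrase as an alternative, and refuses passwords containing the account name. The pattern list, the 12/16-character thresholds and the check_password name are assumptions chosen for the example; an actual AD deployment would enforce equivalent rules in a password filter rather than a script.

```python
import re

# Constructed deny-list of the guessable shapes the guide mentions: a season or
# month followed by a year, and "admin"/"password"-style words with a short digit
# run. These patterns are assumptions for this example, not a product's list.
WEAK_PATTERNS = [
    re.compile(r"^(spring|summer|fall|autumn|winter|"
               r"jan(uary)?|feb(ruary)?|mar(ch)?|apr(il)?|may|jun(e)?|"
               r"jul(y)?|aug(ust)?|sep(tember)?|oct(ober)?|nov(ember)?|dec(ember)?)"
               r"[._-]?(19|20)?\d{2}[!@#$%^&*]*$", re.IGNORECASE),
    re.compile(r"^(admin|password|passw0rd|welcome|letmein|qwerty)"
               r"[._-]?\d{0,6}[!@#$%^&*]*$", re.IGNORECASE),
]


def character_classes(pw):
    """Count how many of the four character classes (lower, upper, digit, symbol) are used."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def check_password(pw, username=""):
    """Return the list of policy violations; an empty list means the password is acceptable.

    Rule set (an assumption for this example, modelled on the guide's advice):
      - at least 12 characters, OR a passphrase of 4+ words and 16+ characters
      - at least 3 of the 4 character classes, unless it is a passphrase
      - must not match a season/month+year or admin+digits pattern
      - must not contain the account name
    """
    problems = []
    words = [w for w in re.split(r"[\s\-_.]+", pw) if w]
    is_passphrase = len(words) >= 4 and len(pw) >= 16
    if not is_passphrase:
        if len(pw) < 12:
            problems.append("too short: need 12+ characters (or a 4+ word passphrase of 16+)")
        if character_classes(pw) < 3:
            problems.append("needs at least 3 of: lower, upper, digit, symbol")
    for pat in WEAK_PATTERNS:
        if pat.match(pw):
            problems.append("matches a common guessable pattern (season/year, admin+digits)")
            break
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    # The two examples the guide names, plus a passphrase and a strong random password.
    for candidate in ("spring2022", "admin1234", "correct horse battery staple", "Xq7!mPz2#Lr9"):
        verdict = check_password(candidate, username="jsmith")
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The check runs at both account creation and password change, which is the point at which the guide says an AD add-on module should intervene; a deny-list of this shape is what stops the “spring2022” class of password even when the character-class rules are satisfied.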


RANSOMWARE:
TO PAY OR NOT TO PAY?

Your company has been great about implementing the above security defenses — improved employee password complexity, implemented tight RBAC rules, trained employees to detect phish mail, added MFA, and made it harder for attackers to leverage existing admin tools in LoL-style attacks. And of course, it has been vigilant in maintaining recent backups of major file systems.

And then the systems are attacked successfully by a ransomware gang. What do you do next?

Ideally, you restore the file system from the backups and then carefully remove any persistent malware tasks that would restart the ransomware’s file encryption process. Unfortunately, it’s not always that easy.

Many organizations don’t have recent backups, or the backups themselves were encrypted by the attackers! Even with backups, affected companies may perform a cost-benefit analysis and realize that the time involved in restoring huge corporate file systems leads to a revenue loss — imagine an e-retailer forced offline during a major holiday — that far outweighs the cost of the ransom.

The headline-making ransomware attack on Colonial Pipeline in 2021 is instructive. This US energy company daily carries 2.5 million barrels of oil and jet fuel over its 5500-mile network that stretches from Texas to the Northeast. When the ransomware hit in late April, Colonial was forced to shut down its pipeline.

In what seemed like a purely bottom-line decision, they decided to pay a DarkSide ransomware gang — technically an affiliate in the RaaS model — an eye-popping $4.4 million in Bitcoins even though they had a backup.

[Figure: Healthcare is at the top of the list of organizations reporting ransomware to the FBI.]


Also tipping the scales toward payment was the possibility of a double-extortion—the gang threatened to expose some or all of Colonial's data on the web if they were not paid!

To be clear, the FBI recommends not paying the ransom since it encourages the cybercriminals, and also reporting these incidents to the agency. In the case of Colonial, the FBI was able to claw back about half of the ransom by getting access to the secret private key associated with the Bitcoin account — this may not always be possible.

On the other side of the equation, ransomware payments are illegal in some cases. In late 2020, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued an advisory reminding companies that they are prohibited from engaging in transactions with companies or entities on its sanctions list. Many, but not all, of the major cyber gangs involved in ransomware are on the Treasury’s list. In the case of Colonial, though, DarkSide was not on the list.

So, should a company pay the ransom? They shouldn’t ever have to if they’ve put in place reasonable security measures, such as the ones we mentioned above. Colonial fell very short in their security practices, including not having MFA in place on their network, and also, critically, not enforcing stricter password policies. Ultimately, they were fined almost one million dollars for lax security by US government energy regulators.


Like many organizations, and local governments in particular, Colonial came to the conclusion that it was just less costly to pay and bring services back online than not to pay. We also know from the Chainalysis research above that many companies in fact are paying, effectively treating the ransomware as a cost of doing business.

Helping tip the scales towards this view are cyber-insurance companies that sell ransomware policies covering the ransom payment as well as general business insurers that can offset some of the cost of a business disruption.

And even the FBI’s advice is evolving as they recognize that making payments illegal would discourage companies from sharing information about ransomware incidents with the government. The FBI is moving towards the same view that the payment is a business decision.

Ransomware may eventually be seen as not all that different from companies facing fire, theft, or “shrinkage” in the brick-and-mortar world.


SECURITY OPERATIONS:
FINDING THREATS IN NEAR-REAL TIME

There’s one more key strategy to consider in reducing ransomware risk and not paying the ransom. This involves having a secondary defense that can spot ransomware attacks in progress, and then stop them early enough so the damage is limited, and operations can continue without significant disruption.

At this point, it’s helpful to introduce a more modern approach to identifying malware attacks called a “kill chain”. When security experts analyze many such attacks, they’ve noticed overall similarities: some of the specific techniques may vary but the purpose is the same. The kill chain represents an attempt by these experts to break down the attack process into a sequence of procedures and organize them into higher level categories.

This contrasts with older (and less successful) approaches that rely on “signatures”, used in traditional anti-virus scanners, which identify the malware binary by calculating hash values. This approach is almost useless with PowerShell and other scripting used in LoL-based attacks.

Lockheed Martin’s kill chain is just one example of an implementation. Their model breaks down an attack into seven discrete steps and then associates actions that the attackers take with each step. By generalizing the attack process, the defenders can focus on specific events and actions that are always present regardless of the malware involved.

Another similar but more complex approach is Mitre’s Att&ck Matrix, which has 10 steps in its model, and has the advantage of being based on real-world hacking techniques— “a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations”.

It’s useful to consider the Att&ck information collected for specific ransomware, say for Ryuk, which infected many US hospitals in 2019-2020 and is still a threat. Defenders charged with monitoring networks and systems for unusual activities would find the actual techniques described in Att&ck’s database (below) to be very valuable in detecting and then stopping an attack.

For example, Ryuk starts a Windows command line interpreter, cmd.exe, to adjust certain registry entries, enumerates files and directories on all mounted drives, and can issue a Windows command to delete every access-based restriction on files and directories. These are actions that can show up in event and system logs, and no doubt an alert security operations center technician may be able to spot these irregularities with the help of some home-grown tools.

[Figure: Some of the techniques used by Hive as detailed in the Att&ck database.]

Here’s the larger problem: these may not be unusual activities — updating permissions on a part of the file system — if the user is a sys admin. In other words, in a home-grown approach you’d have the issue of “false positives” — reacting when there’s no real problem.

Even more of an issue is that it’s beyond the capabilities of most security operation centers to keep up with the latest threats and their specific techniques. It is useful to know, for example, that with the latest Hive ransomware, email addresses are scanned and then sent to a remote server.

These and other arguments lead to the necessity of a data security platform or DSP. This is a business-class solution that can not only automate the monitoring or detection of an attack based on the latest threat techniques, but also — and this is key — use advanced statistics or AI to decide when these activities are abnormal for a specific user. This is known as user behavior analytics (UBA) and involves collecting user activities on an enterprise-wide basis and then developing a profile of common file and process activities for each user.

With a UBA profile in hand, the DSP can then decide whether a sudden flurry of permission updates or file queries that correlates with the same user making an unusual number of AD lookups is normal — which might be the case, say, for a sys admin conducting system maintenance — or unusual and possibly the indication of a ransomware attack if the activities are associated with an ordinary employee in, say, the accounting or marketing department.
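The following Python example, added here and not taken from this guide or from any DSP product, makes two of the points above concrete: matching technique indicators drawn from the guide’s description of Ryuk (cmd.exe used to change registry entries, a command that strips access restrictions from files) and scoring a burst of permission changes, file enumeration and AD lookups against each user’s own baseline, so that the same burst rates as routine for a sys admin and as an alert for an accounting user. The event schema, the 14-day baseline window, the indicator regexes, the log-ratio score, the alert threshold and all user names and event history are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from math import log2
from statistics import mean


@dataclass
class Event:
    day: int          # days 0..13 form the baseline window, day 14 is "today"
    user: str
    kind: str         # perm_change | ad_lookup | file_enum | file_read | proc_create
    detail: str = ""  # command line, for proc_create events only


# Indicators modelled on the Ryuk behaviours the guide describes. The patterns
# are assumptions for this example, not a vendor rule set.
INDICATORS = {
    "registry_change_via_cmd": re.compile(r"cmd\.exe.*\breg(\.exe)?\s+add\b", re.I),
    "broad_acl_grant": re.compile(r"\bicacls\b.*/grant\s+everyone:f\b", re.I),
}


def build_baseline(history):
    """Per (user, kind): mean daily event count over the baseline window. Returns (baseline, n_days)."""
    days = sorted({e.day for e in history})
    per_day = defaultdict(lambda: defaultdict(int))   # (user, kind) -> day -> count
    for e in history:
        per_day[(e.user, e.kind)][e.day] += 1
    baseline = {key: mean(counts.get(d, 0) for d in days) for key, counts in per_day.items()}
    return baseline, len(days)


def score_user(user, today_events, baseline):
    """Anomaly score = sum over event kinds of how many doublings today's count sits above
    the user's own daily mean (mean floored at 1, so never-before-seen activity counts fully).
    Also returns the technique indicators matched on the user's process-creation events."""
    today = defaultdict(int)
    hits = set()
    for e in today_events:
        if e.user != user:
            continue
        today[e.kind] += 1
        if e.kind == "proc_create":
            hits.update(name for name, pat in INDICATORS.items() if pat.search(e.detail))
    score = 0.0
    for kind, n in today.items():
        usual = max(baseline.get((user, kind), 0.0), 1.0)
        score += max(0.0, log2(n / usual))
    return score, sorted(hits)


def classify(user, today_events, baseline, threshold=6.0):
    """'alert' when the volume is far outside the user's profile; 'review' when a technique
    indicator fired but the volume is within profile (the sys-admin case the guide mentions,
    left for an analyst to verify against the logs); otherwise 'normal'."""
    score, hits = score_user(user, today_events, baseline)
    if score >= threshold:
        return "alert", score, hits
    if hits:
        return "review", score, hits
    return "normal", score, hits


def constructed_history():
    """Constructed 14-day baseline: an admin who does permission work and AD lookups daily,
    an accounting user who mostly reads files, and a quiet user."""
    events = []
    for day in range(14):
        events += [Event(day, "svc_admin", "perm_change")] * (38 + day % 5)
        events += [Event(day, "svc_admin", "ad_lookup")] * (28 + day % 3)
        events += [Event(day, "svc_admin", "file_enum")] * 10
        events += [Event(day, "jsmith", "file_read")] * 20
        events += [Event(day, "bnguyen", "file_read")] * 20
        if day % 7 == 0:
            events.append(Event(day, "jsmith", "ad_lookup"))
    return events


def constructed_burst(user):
    """The same constructed burst of activity, attributed to whichever user is given."""
    burst = [Event(14, user, "perm_change")] * 60
    burst += [Event(14, user, "ad_lookup")] * 40
    burst += [Event(14, user, "file_enum")] * 30
    burst.append(Event(14, user, "proc_create",
                       r"cmd.exe /c reg add HKLM\SOFTWARE\Example /v Setting /t REG_SZ /d 1"))
    burst.append(Event(14, user, "proc_create",
                       r"icacls C:\Shares\* /grant Everyone:F /T /C /Q"))
    return burst


if __name__ == "__main__":
    baseline, _ = build_baseline(constructed_history())
    for user in ("svc_admin", "jsmith"):
        print(user, classify(user, constructed_burst(user), baseline))
    quiet_day = [Event(14, "bnguyen", "file_read")] * 15
    print("bnguyen", classify("bnguyen", quiet_day, baseline))
```

Run as a script, the admin’s burst scores a little over 3.6 doublings above profile and lands in “review” because the indicators fired, the identical burst from the accounting user scores over 17 and is an “alert”, and the quiet user scores 0. A signature-only approach would treat the first two identically; the per-user baseline is what removes the false positive the guide warns about.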

A security operations center that relies on a DSP can then, after perhaps verifying against manual checks of the system logs, confidently proceed in a response: stopping processes involved in the ransomware encryption, disabling user accounts that have been taken over by hackers, removing unusual registry entries, and then beginning the file recovery process and notifying appropriate privacy and legal departments.

An added benefit of the DSP is that besides being able to detect an attack in progress, it can also automate some of the security protections we mentioned earlier.

Its auditing capabilities allow the DSP to understand user access patterns and therefore help derive folder permissions that reflect those employees that need access as part of their jobs. The DSP can also scan folders, AD, and Microsoft Exchange email accounts to discover sensitive data — PII, passwords, and confidential data — that either should be better protected with more restrictive permissions, or perhaps, in the case of plaintext passwords, just completely removed. Some DSPs can even automate a permissions approval process when an employee requests access to a project folder, routing it to the appropriate manager.


While it may be impossible in all cases to prevent ransomware from entering a system — particularly as new zero-days are discovered — it is possible with DSPs to make these occurrences a rarity, and to stop this malware in an early phase of its encryption process, long before it causes significant disruption.


ABOUT LEPIDE

We founded Lepide back in 2015 because we felt cybersecurity was failing to keep up with the rapidly changing market. It lacked context and intelligence and was failing to protect what really mattered – the data.

Fast forward to today, and we have over 1,600 happy customers all over the world using our award-winning Data Security Platform.

Data breaches, including those associated with ransomware, often start with Active Directory, with attackers moving laterally within the network to target sensitive data in file servers and other data stores.

Our unique approach, and our powerful solution, provides the much needed visibility over changes to these critical systems and interactions with sensitive data. We deliver this information in real time to enable you to quickly detect and react to security threats.

If you’d like to take a closer look at Lepide Data Security Platform, we recommend the first place to start is a personalized demonstration.

If you’re more interested in detecting and preventing threats in your environment immediately, then we suggest scheduling a free risk assessment session with one of our security team.

Follow the links below:

https://www.lepide.com/demorequest.html

https://www.lepide.com/data-risk-assessment.html


THANKS FOR READING
