As the encryption issue was being fixed, the far bigger problem for criminals was how a ransomware creator could get paid without getting caught and sent to jail. Two things happened. First, Bitcoin was invented in 2009. It took a few years, but by 2014, the ransomware programs made the link to Bitcoin, and the whole ransomware industry exploded. Now, criminals could get paid without getting caught.
Second, some major countries, like Russia, became cyber safe havens for ransomware criminals. Today, many ransomware gangs are located in or around Russia and operate with near impunity. Many pay bribes to local and country law enforcement as a part of doing business, and their revenue streams are seen as a net positive in their host countries. As long as they don't encrypt computers in their host or friendly ally countries, they are free to do business with few exceptions.
With these two new developments in place, sophisticated ransomware programs started to take out entire businesses, hospitals, police stations, and even entire cities. Today, ransomware is so prolific that entire companies being taken down and ransoms paid in the multi-million-dollar range don't even raise an eyebrow. Ransomware attacks are taking down oil pipelines, food production plants, and corporate mega-conglomerates, closing schools, delaying healthcare, and exploiting pretty much everything they can with near impunity. As I write this, ransomware gangs are likely in their “golden years,” causing more disruption and making more money than ever before. At this moment, we aren't doing a very good job at stopping it.
But we can. That's what this book is about. It's about preventing ransomware from happening in the first place, as your number-one objective, and minimizing damage if your organization gets hit. Turns out there are many things any organization can do to avoid being hit by ransomware or to at least significantly minimize the odds. Fighting ransomware is more than having a good, solid backup and up-to-date antivirus program.
This book will tell you the best things you can do to prevent a ransomware attack from happening in the first place, better than any other source you can find. It will tell you the details of what you need to do before you are possibly hit by ransomware and what to do, step by step, if you are exploited. You don't have to be a victim. You can fight back.
Anyone can be a victim of ransomware. Ransomware is difficult to defeat currently. The aim of this book is not to say that you can 100 percent defeat ransomware. You can't. No one can make that claim. Cybersecurity defense is about risk minimization, not elimination. My goal is to help you minimize the risk as much as possible. If you follow the ideas and steps in this book, you will minimize your risk of a successful ransomware exploit as best you can given the current state of what we can do until we get new defenses that work better for us all (covered in Chapter 2, “Preventing Ransomware”).
Fight the good fight!
This book is primarily aimed at anyone who is in charge of managing their organization's computer security, from the front-line defender to the top computer security executive. It is for anyone who is considering reviewing, buying, or implementing computer security defenses for the first or the tenth time.
What it will take to prevent and mitigate ransomware is what it will take to prevent and mitigate all malicious hackers and malware. The lessons taught in this book, if followed, will significantly reduce the risk of all malicious hacker and malware attacks. Even if one day ransomware goes away, the lessons learned here will readily apply to the next “big” attack. Ransomware is not your real problem; it's an outcome of your real problem.
What Is Covered in This Book?
Ransomware Protection Playbook contains 12 chapters separated into 2 distinct parts.
Part I summarizes what ransomware does, how sophisticated it is, and how to prevent it from exploiting your organization and devices. Many people don't understand how mature ransomware is, and even more don't concentrate enough on stopping it before it attacks.
Chapter 1, “Introduction to Ransomware”
Chapter 1 covers ransomware, starting with a little bit of history of the significant milestones and then discussing the very sophisticated and mature versions used today. The ransomware industry is run much more like a multilevel marketing firm/ecosystem than anything else. Chapter 1 will cover the common pieces and parts. As an encompassing introduction, it is also the longest chapter in the book.
Chapter 2, “Preventing Ransomware”
Preventing ransomware is something that isn't talked about enough. The most recommended “prevention” control, a good backup, is not prevention at all. Chapter 2 will talk about the things every person and organization should be doing to prevent ransomware to the best of their ability. And in the process of discussing how to defeat ransomware, it will discuss how to best defeat all malicious hackers and malware.
Chapter 3, “Cybersecurity Insurance”
The decision to purchase cyber insurance is a big dilemma for organizations facing the threat of ransomware. Cyber insurance is complex. Chapter 3 gives readers a basic understanding of cyber insurance, including the things that should be avoided when considering a policy. It ends with a frank discussion of the massive changes happening in the cybersecurity insurance industry right now and where it's headed.
Chapter 4, “Legal Considerations”
Chapter 4 covers the legal considerations involved in dealing with a successful ransomware attack, not only the decision of whether to pay or not pay the ransom, although that is a big part of this chapter, but also how to use legal help to your benefit during an attack. Chapter 4 will contain tips and recommendations that every organization should utilize in their planning and responses to ransomware.
Part II: Detection and Recovery
Part II will help you plan for and respond to a successful ransomware attack.
Chapter 5, “Ransomware Response Plan”
Every organization should have a detailed ransomware response plan created and practiced ahead of an actual ransomware event. Chapter 5 will cover what your ransomware response plan should contain.
Chapter 6, “Detecting Ransomware”
If you can't stop a cybersecurity exploit from happening, the next best thing is early warning and detection. Chapter 6 covers the best ways to detect ransomware and gives you the best chance to stop it before it begins to do real damage.
Chapter 7, “Minimizing Damage”
Chapter 7 assumes ransomware has been able to successfully compromise an environment and has encrypted files and exfiltrated data. How do you minimize the spread of ransomware and its damage during the first hours of the first day? Chapter 7 tells you how.
Chapter 8, “Early Responses”
After the initial damage has been prevented from spreading further, now comes the initial cleanup, better assessment, and additional responses, beyond just preventing further spread. Chapter 8 is what you need to be doing after the first day or two. How well you perform this part of the response often determines how long it will take to fully recover.
Chapter 9, “Environment Recovery”
Chapter 9 covers what you need to be doing after the first few days. You've stopped the spread, minimized the damage, and started to get some initial systems back up and working. Chapter 9 is what you need to be doing after the initial worst is over. It covers the longer-term items, the ones that often take days to weeks, or even months, to recover or rebuild.