Breaking Ransomware: Explore ways to find and exploit flaws in a ransomware attack 9789355513625

Table of contents :
Section I: Ransomware Understanding
1. Warning Signs, Am I Infected?
Introduction
Structure
Objectives
Proactive steps
Symptoms
Immediate actions
Disconnect the infected computer
Check the scope of infection
Check which ransomware infected you
Plan for response
Conclusion
2. Ransomware Building Blocks
Introduction
Structure
Objectives
Defining ransomware
Cryptocurrency
Bitcoin (BTC)
Ethereum (ETH)
Cryptomining
TOR (Anonymous browsing)
Ransomware as a Service (RaaS)
How RaaS works
RaaS business models
Affiliate-based
Subscription-based
Licensing for lifetime
Threat actors
Vulnerability, exploit and payload
Ransomware attack vectors
Email
Phishing scam
Unsolicited advertisements
Email spoofing
Spear phishing
Exploit kits
USB and removable media
Malvertising
Stages of ransomware
Conclusion
3. Current Defense in Place
Introduction
Structure
Objectives
Existing solutions in place
Backup solutions
Static or signature-based solutions
Dynamic behavior-based solutions
Entropy-based products
Machine learning products
Honeyfile products
User awareness trainings
Vulnerability management tools
Cryptographic interceptors
Analysis of current solutions
R-Locker
PayBreak
Redemption-anti-ransomware
Microsoft controlled folder access
Conclusion
4. Ransomware Abuses Cryptography
Introduction
Structure
Objectives
Concept of cryptography
Types of cryptography algorithms
Symmetric algorithms
Categories of symmetric encryption algorithm
Asymmetric algorithms
Hybrid encryption method
How ransomware abuses cryptographic algorithms
Conclusion
5. Ransomware Key Management
Introduction
Structure
Objectives
Key management techniques
No key management or scareware
Key on the victim machine
Key on hacker machine or attacker network
Conclusion
Section II: Ransomware Internals
6. Internal Secrets of Ransomware
Introduction
Structure
Objectives
Crypto API
CryptAcquireContext
phProv
szContainer
szProvider
dwProvType
dwFlags
CryptAcquireContext Example
CryptGenKey
hProv
Algid
dwFlags
phKey
CryptGenKeyExample
CryptGetUserKey
hProv
dwKeySpec
phUserKey
CryptGetUserKey Example
CryptExportKey
hKey
hExpKey
dwBlobType
dwFlags
pbData
pdwDataLen
CryptExportKey PlainTextBlob Example
CryptExportKey SimpleBlob Example
CryptImportKey
hProv
pbData
dwDataLen
hPubKey
dwFlags
phKey
CryptImportKey Example
Conclusion
7. Portable Executable Insides
Introduction
Structure
Objectives
Creating a custom binary
Structure of Portable Executable
DOS header
DOS Stub
PE header
File header
Optional header
SectionAlignment
FileAlignment
SizeOfImage
SizeOfHeaders
Subsystem
NumberOfRvaAndSizes
Data directory
Section table
Conclusion
8. Portable Executable Sections
Introduction
Structure
Objectives
Sections
.textbss section
.text section
.rsrc section
.rdata
.data
Export section
Import section
When PE file is loaded in memory
Conclusion
Section III: Ransomware Assessment
9. Performing Static Analysis
Introduction
Structure
Objectives
Static analysis
Phase 1 - Infect host
Phase 2 – Generate key
Phase 3 – Encrypt User Data
Phase 4 – Demand ransom
Static analysis tools
PE Studio
CFF explorer
Conclusion
10. Perform Dynamic Analysis
Introduction
Structure
Objectives
Dynamic analysis
Disassemblers
IDA
Ghidra
Cutter
Debuggers
x32dbg/x64dbg
Monitors
Process monitor
Process Explorer
Autoruns
Dependency Walker
Wireshark
Burp Suite
Conclusion
Section IV: Ransomware Forensics
11. What’s in the Memory
Introduction
Structure
Objectives
Static analysis
Dynamic analysis– Check in the memory
Conclusion
12. LockCrypt 2.0 Ransomware Analysis
Introduction
Structure
Objectives
Static Analysis
Dynamic analysis
Conclusion
13. Jigsaw Ransomware Analysis
Introduction
Structure
Objectives
Ransomware analysis
Static analysis
Conclusion
Section V: Ransomware Rescue
14. Experts Tips to Manage Attacks
Introduction
Structure
Objectives
Ransomware incident response plan
Identification
Analysis
Determining the strain of ransomware
Determining the scope of the ransomware infection
Assessing the impact of the ransomware attack
Identifying the initial infection vector of the source of the infection
Containment
Eradication
Communication
Recovery
Post-incident
Ransomware mitigation strategies
Endpoint security solutions
Endpoint antivirus solutions
Endpoint Detection and Response (EDR)
Managed Detection and Response (MDR)
Extended Detection and Response (XDR)
Endpoint protection platform (EPP)
Endpoint operating system hardening
Display file extensions
Disable AutoPlay
Disable Remote Desktop protocol (RDP)
Software restriction policies (SRP) And AppLocker
Disable Windows Script Host
Disable Server Message Block (SMB)
Secure domain controllers (DCs)
Restricting the use of PowerShell
Network security solutions
Next Generation Firewall (NGFW)
Network sandboxing
Intrusion detection system (IDS)
Intrusion prevention system (IPS)
Data Loss Prevention
Honeypot
DNS (Domain Name System) Security
Security information and event management (SIEM)
Security Orchestration, Automation, and Response (SOAR)
Zero Trust Network Access (ZTNA)
Stop ransomware attacks
Least privilege account
Patch management
Environment hardening
Enterprise Mobility Management (EMM)
Components inside an EMM Solution
End user level security
Virtualization technology
Disable macros in Office files
Cyber security awareness training
E-mail security
Backup strategy
Auditing backup policies
Encrypting backup data
Immutable storage
Air gap backup
Use the 3-2-1 backup rule
Ascertain backup coverage
Test the backup plan
Conclusion
Index