SlideShare a Scribd company logo

Lessons from a Ransomware Attack: From Chaos to Control

Priyanka Aash
Priyanka Aash

The document summarizes a ransomware attack experienced by the author's organization and the lessons learned. It describes how the ransomware encrypted files and powered off virtual machines. It then details the recovery process over several days, including bringing in an incident response firm, rebuilding infrastructure, and restoring service for customers. Key lessons included having stronger access controls, backups stored separately, and implementing security tools like EDR, centralized logging, and identity management best practices.

Technology
1 of 27
Download to read offline
Lessons Learned from the Ransomware Attack From Chaos to Control
Certified on… • Chief Information Security Officer • Ethical Hacker • NIST Cyber Security Framework • Data Privacy and EU GDPR Practitioner • ISO 22301:2019 Lead Implementer • IS0 27001 Internal Auditor • Business Continuity GPG • ITIL v3 • RHCE PRABHAKAR RAMAKRISHNAN (CISO & General Manager – IT Infrastructure) IT Infrastructure, Information security, Business Continuity & Data Privacy About me
Growing Threat of Ransomware Attacks • Ransomware is a type of malware that encrypts files on a victim's computer system, making them inaccessible until a ransom is paid. • The threat of ransomware attacks is growing as cybercriminals are becoming more sophisticated and using new tactics such as double extortion, where they not only encrypt the victim's data but also threaten to leak it if the ransom is not paid.
Impact of Ransomware Attacks • Ransomware attacks can have a devastating impact on individuals and organizations, causing financial losses, reputational damage, and even legal liabilities. • In addition to the direct costs of paying the ransom and restoring the encrypted data, there are also indirect costs such as lost productivity, business interruption and regulatory compliance.
Sharing My Experiences and Lessons Learned
Backup • RPO • 2 Hours • 8 Hours • 24 Hours
IRP
How we recovered…
22-July-22 (Friday) 1:30 AM All the virtual machines were powered off in one of our locations Blocked one of the users who had many open connections to the file server 22-July-22 (Friday) 6:30 AM Identified a compromise (Virtual servers were powered down and many files were encrypted) 22-July-22 (Friday) 8:30 AM Initiated a call with CXO’s Informed all our customers about the incident
22-July-22 (Friday) 8:30 PM Situation Assessment – Evolving 22-July-22 (Friday) 9:30 PM Decided to rebuild completely War room setup 23-July-22 (Saturday) 9:00 AM Focus of the Recovery Process… Two things were important for me 1. How do we identify how this incident happened? 2. How do we protect from further damage?
23-July-22 (Saturday) 9:30 AM Approached vendors for Incident Response Services Mandiant Vs Crowdstrike 23-July-22 (Saturday) 6:30 PM Decided to go with Crowdstrike. Completed all the formalities. 24-July-22 (Sunday) Onboarded Crowdstrike. Agent installation for 3500+ devices
24-July-22 (Sunday) Coimbatore location was our focus. Infrastructure was made LIVE. Strong verification process 26-July-22 (Tuesday) Started production and delivery for a few customers 29/30-July-22 (Friday) Started production and delivery for most of our customers
BlackCat/ALPHV Office 1 Office 2 Mgmt Server Mgmt Server VM Infra Active Directory File Server Mgmt Server VM Infra Mega.io
Incident Summary • Threat actor used a compromised account to access the servers over RDP • Using the Admin account the Threat actor copied and installed an open-source software for anonymous communication named TOR (The Onion Router). During this installation, Threat Actor masqueraded the anonymity software TOR as Applocker.exe which is a legitimate Microsoft Windows application. • TOR is an open-source software that creates a multi-hop proxy network which allows Threat Actors to communicate with the installed systems over an encrypted channel.
Incident Summary To further maintain persistence in the environment, the Threat Actor installed multiple remote management software like Atera agent, AnyDesk, LogMeIn and BitVise and ZeroTier. Threat Actor attempted to perform lateral movement by installing the Remote Management tool named Action1 Threat Actor used the compromised privileged account to copy a compressed file which contained multiple legitimate system administration tools, different variants of ransomware encryptor and text files Threat Actor created an account MS_BACKUP on the Domain controller and added the Account Domain Admin Group
Ransomware Deployment Activity • The Threat Actor copied multiple binaries of Windows and Linux based ALPHV ransomware encryptors to the system. • The Threat Actor targeted ESXi systems by copying the Linux ALPHV ransomware executable and linkable format (ELF) binaries on multiple VMware ESXi systems. • Once connected to the ESXi systems through SSH connections using the root account, the Threat Actor copied over the ALPHV ELF binary encryptor to the ESXi systems and executed the ransomware encryptor. This resulted in the encryption of several virtual machine disk (VMDK) files stored on the datastore attached to these ESXi systems.
Major Gap’s EDR was not installed in the servers that were compromised. Weak password, Same password used for multiple devices. 2FA was not configured for all external facing applications. Backups stored in the same environment. Lack of centralized logging.
Social Media
Important Documents
Situational Awareness Report
Communication Plan
Recovery Process Customer Name
Key Points • Behavioural Aspect • Avoid Long/continuous working • Communication/Transparency • Separate Project Management Team • Social Media Posts • Strengthen your Backup (3.2.1.0) • Identity and access management – Least privilege access, strong password policy, 2FA for all critical infrastructure. • Centralized log management (SIEM) • Managed SOC/MDR • Micro segmentation • Regular review of your existing processes
Thank You!

Recommended

Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionAlert Logic
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionAlert Logic
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudCloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudMarkAnnati
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Shah Sheikh
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Alert Logic
 
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...TI Safe
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 

Recommended

Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionAlert Logic
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionAlert Logic
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudCloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudMarkAnnati
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)Shah Sheikh
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Alert Logic
 
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...TI Safe
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
Defending Your IBM i Against Malware
Defending Your IBM i Against MalwareDefending Your IBM i Against Malware
Defending Your IBM i Against MalwarePrecisely
 
Lessons learned from 2017 cybersecurity incidents, 2018 and beyond
Lessons learned from 2017 cybersecurity incidents, 2018 and beyondLessons learned from 2017 cybersecurity incidents, 2018 and beyond
Lessons learned from 2017 cybersecurity incidents, 2018 and beyondAPNIC
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...Paula Januszkiewicz
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudAlert Logic
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alAlert Logic
 
Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)TzahiArabov
 
A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?MenloSecurity
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack SurfaceAlert Logic
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjurconjur_inc
 
Lucideus Certified Cyber Security Analyst
Lucideus Certified Cyber Security Analyst Lucideus Certified Cyber Security Analyst
Lucideus Certified Cyber Security Analyst Lucideus Tech
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Mis jaiswal-chapter-11
Mis jaiswal-chapter-11Mis jaiswal-chapter-11
Mis jaiswal-chapter-11Amit Fogla
 
SVILUPPO WEB E SICUREZZA NEL 2014
SVILUPPO WEB E SICUREZZA NEL 2014SVILUPPO WEB E SICUREZZA NEL 2014
SVILUPPO WEB E SICUREZZA NEL 2014Massimo Chirivì
 
CSO CXO Series Breakfast
CSO CXO Series BreakfastCSO CXO Series Breakfast
CSO CXO Series BreakfastCSO_Presentations
 
5 attack vectors behind 3000+ breaches.pdf
5 attack vectors behind 3000+ breaches.pdf5 attack vectors behind 3000+ breaches.pdf
5 attack vectors behind 3000+ breaches.pdfprithaaash
 
A study on securing cloud environment from d do s attack to preserve data ava...
A study on securing cloud environment from d do s attack to preserve data ava...A study on securing cloud environment from d do s attack to preserve data ava...
A study on securing cloud environment from d do s attack to preserve data ava...Manimaran A
 
FireEye Report.ppt
FireEye Report.pptFireEye Report.ppt
FireEye Report.pptDubemJavapi
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudAlert Logic
 
TALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability Assessment
TALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability AssessmentTALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability Assessment
TALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability AssessmentDawn Yankeelov
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for businessDaniel Thomas
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 

More Related Content

Similar to Lessons from a Ransomware Attack: From Chaos to Control

Defending Your IBM i Against Malware
Defending Your IBM i Against MalwareDefending Your IBM i Against Malware
Defending Your IBM i Against MalwarePrecisely
 
Lessons learned from 2017 cybersecurity incidents, 2018 and beyond
Lessons learned from 2017 cybersecurity incidents, 2018 and beyondLessons learned from 2017 cybersecurity incidents, 2018 and beyond
Lessons learned from 2017 cybersecurity incidents, 2018 and beyondAPNIC
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...Paula Januszkiewicz
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudAlert Logic
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alAlert Logic
 
Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)TzahiArabov
 
A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?MenloSecurity
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack SurfaceAlert Logic
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjurconjur_inc
 
Lucideus Certified Cyber Security Analyst
Lucideus Certified Cyber Security Analyst Lucideus Certified Cyber Security Analyst
Lucideus Certified Cyber Security Analyst Lucideus Tech
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Mis jaiswal-chapter-11
Mis jaiswal-chapter-11Mis jaiswal-chapter-11
Mis jaiswal-chapter-11Amit Fogla
 
SVILUPPO WEB E SICUREZZA NEL 2014
SVILUPPO WEB E SICUREZZA NEL 2014SVILUPPO WEB E SICUREZZA NEL 2014
SVILUPPO WEB E SICUREZZA NEL 2014Massimo Chirivì
 
5 attack vectors behind 3000+ breaches.pdf
5 attack vectors behind 3000+ breaches.pdf5 attack vectors behind 3000+ breaches.pdf
5 attack vectors behind 3000+ breaches.pdfprithaaash
 
A study on securing cloud environment from d do s attack to preserve data ava...
A study on securing cloud environment from d do s attack to preserve data ava...A study on securing cloud environment from d do s attack to preserve data ava...
A study on securing cloud environment from d do s attack to preserve data ava...Manimaran A
 
FireEye Report.ppt
FireEye Report.pptFireEye Report.ppt
FireEye Report.pptDubemJavapi
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudAlert Logic
 
TALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability Assessment
TALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability AssessmentTALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability Assessment
TALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability AssessmentDawn Yankeelov
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for businessDaniel Thomas
 

Similar to Lessons from a Ransomware Attack: From Chaos to Control (20)

Defending Your IBM i Against Malware
Defending Your IBM i Against MalwareDefending Your IBM i Against Malware
Defending Your IBM i Against Malware
 
Lessons learned from 2017 cybersecurity incidents, 2018 and beyond
Lessons learned from 2017 cybersecurity incidents, 2018 and beyondLessons learned from 2017 cybersecurity incidents, 2018 and beyond
Lessons learned from 2017 cybersecurity incidents, 2018 and beyond
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...The hacker playbook: How to think and act like a cybercriminal to reduce risk...
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the Cloud
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
 
Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)
 
A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack Surface
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjur
 
Lucideus Certified Cyber Security Analyst
Lucideus Certified Cyber Security Analyst Lucideus Certified Cyber Security Analyst
Lucideus Certified Cyber Security Analyst
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Mis jaiswal-chapter-11
Mis jaiswal-chapter-11Mis jaiswal-chapter-11
Mis jaiswal-chapter-11
 
SVILUPPO WEB E SICUREZZA NEL 2014
SVILUPPO WEB E SICUREZZA NEL 2014SVILUPPO WEB E SICUREZZA NEL 2014
SVILUPPO WEB E SICUREZZA NEL 2014
 
CSO CXO Series Breakfast
CSO CXO Series BreakfastCSO CXO Series Breakfast
CSO CXO Series Breakfast
 
5 attack vectors behind 3000+ breaches.pdf
5 attack vectors behind 3000+ breaches.pdf5 attack vectors behind 3000+ breaches.pdf
5 attack vectors behind 3000+ breaches.pdf
 
A study on securing cloud environment from d do s attack to preserve data ava...
A study on securing cloud environment from d do s attack to preserve data ava...A study on securing cloud environment from d do s attack to preserve data ava...
A study on securing cloud environment from d do s attack to preserve data ava...
 
FireEye Report.ppt
FireEye Report.pptFireEye Report.ppt
FireEye Report.ppt
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the Cloud
 
TALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability Assessment
TALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability AssessmentTALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability Assessment
TALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability Assessment
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for business
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 

Recently uploaded

DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 

Recently uploaded (20)

DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 

Lessons from a Ransomware Attack: From Chaos to Control

  • 1. Lessons Learned from the Ransomware Attack From Chaos to Control
  • 2. Certified on… • Chief Information Security Officer • Ethical Hacker • NIST Cyber Security Framework • Data Privacy and EU GDPR Practitioner • ISO 22301:2019 Lead Implementer • IS0 27001 Internal Auditor • Business Continuity GPG • ITIL v3 • RHCE PRABHAKAR RAMAKRISHNAN (CISO & General Manager – IT Infrastructure) IT Infrastructure, Information security, Business Continuity & Data Privacy About me
  • 3. Growing Threat of Ransomware Attacks • Ransomware is a type of malware that encrypts files on a victim's computer system, making them inaccessible until a ransom is paid. • The threat of ransomware attacks is growing as cybercriminals are becoming more sophisticated and using new tactics such as double extortion, where they not only encrypt the victim's data but also threaten to leak it if the ransom is not paid.
  • 4. Impact of Ransomware Attacks • Ransomware attacks can have a devastating impact on individuals and organizations, causing financial losses, reputational damage, and even legal liabilities. • In addition to the direct costs of paying the ransom and restoring the encrypted data, there are also indirect costs such as lost productivity, business interruption and regulatory compliance.
  • 5. Sharing My Experiences and Lessons Learned
  • 6.
  • 7. Backup • RPO • 2 Hours • 8 Hours • 24 Hours
  • 8.
  • 9.
  • 10. IRP
  • 12. 22-July-22 (Friday) 1:30 AM All the virtual machines were powered off in one of our locations Blocked one of the users who had many open connections to the file server 22-July-22 (Friday) 6:30 AM Identified a compromise (Virtual servers were powered down and many files were encrypted) 22-July-22 (Friday) 8:30 AM Initiated a call with CXO’s Informed all our customers about the incident
  • 13. 22-July-22 (Friday) 8:30 PM Situation Assessment – Evolving 22-July-22 (Friday) 9:30 PM Decided to rebuild completely War room setup 23-July-22 (Saturday) 9:00 AM Focus of the Recovery Process… Two things were important for me 1. How do we identify how this incident happened? 2. How do we protect from further damage?
  • 14. 23-July-22 (Saturday) 9:30 AM Approached vendors for Incident Response Services Mandiant Vs Crowdstrike 23-July-22 (Saturday) 6:30 PM Decided to go with Crowdstrike. Completed all the formalities. 24-July-22 (Sunday) Onboarded Crowdstrike. Agent installation for 3500+ devices
  • 15. 24-July-22 (Sunday) Coimbatore location was our focus. Infrastructure was made LIVE. Strong verification process 26-July-22 (Tuesday) Started production and delivery for a few customers 29/30-July-22 (Friday) Started production and delivery for most of our customers
  • 16. BlackCat/ALPHV Office 1 Office 2 Mgmt Server Mgmt Server VM Infra Active Directory File Server Mgmt Server VM Infra Mega.io
  • 17. Incident Summary • Threat actor used a compromised account to access the servers over RDP • Using the Admin account the Threat actor copied and installed an open-source software for anonymous communication named TOR (The Onion Router). During this installation, Threat Actor masqueraded the anonymity software TOR as Applocker.exe which is a legitimate Microsoft Windows application. • TOR is an open-source software that creates a multi-hop proxy network which allows Threat Actors to communicate with the installed systems over an encrypted channel.
  • 18. Incident Summary To further maintain persistence in the environment, the Threat Actor installed multiple remote management software like Atera agent, AnyDesk, LogMeIn and BitVise and ZeroTier. Threat Actor attempted to perform lateral movement by installing the Remote Management tool named Action1 Threat Actor used the compromised privileged account to copy a compressed file which contained multiple legitimate system administration tools, different variants of ransomware encryptor and text files Threat Actor created an account MS_BACKUP on the Domain controller and added the Account Domain Admin Group
  • 19. Ransomware Deployment Activity • The Threat Actor copied multiple binaries of Windows and Linux based ALPHV ransomware encryptors to the system. • The Threat Actor targeted ESXi systems by copying the Linux ALPHV ransomware executable and linkable format (ELF) binaries on multiple VMware ESXi systems. • Once connected to the ESXi systems through SSH connections using the root account, the Threat Actor copied over the ALPHV ELF binary encryptor to the ESXi systems and executed the ransomware encryptor. This resulted in the encryption of several virtual machine disk (VMDK) files stored on the datastore attached to these ESXi systems.
  • 20. Major Gap’s EDR was not installed in the servers that were compromised. Weak password, Same password used for multiple devices. 2FA was not configured for all external facing applications. Backups stored in the same environment. Lack of centralized logging.
  • 26. Key Points • Behavioural Aspect • Avoid Long/continuous working • Communication/Transparency • Separate Project Management Team • Social Media Posts • Strengthen your Backup (3.2.1.0) • Identity and access management – Least privilege access, strong password policy, 2FA for all critical infrastructure. • Centralized log management (SIEM) • Managed SOC/MDR • Micro segmentation • Regular review of your existing processes