rslade
Influencer II

Re: Paying ransomware doesn't pay

> Steve-Wilme (Advocate I) posted a new reply in Industry News on 05-06-2021 09:25

> I'm referring to an actual ransomware incident, which was recovered by deleting
> all the VDIs on which the infection was believed to be in memory, logging off
> all staff, recreating everything affected from a clean off line image and then
> restoring the encrypted files from the latest backups.  The systems were on
> premise.  No ransom was paid.

That's the ticket!

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
I like long walks, especially when they are taken by people who
annoy me. - Fred Allen
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Steve-Wilme
Advocate I

Re: Paying ransomware doesn't pay

But the trick is to keep the ransomware out, which in the case of the incident concerned meant changing the received wisdom. No, you can't rely on your AV product to keep it out. You can't rely on your web filtering either, as it's often simply not smart enough. We had to move to weekly patch cycles, as attackers were reverse engineering the patches released by vendors to craft exploits, so actually targeting organisations with a longer patch delay time. So if you go back to your old NIST SP 800-40 there's a reason they cite patch delay time as a key metric to capture!

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Caute_cautim
Community Champion

Re: Paying ransomware doesn't pay

@Steve-Wilme Then what about ensuring your vulnerability management system is directly aligned with what is really going on in the world, and ensuring your patch management regime is prioritised in terms of urgency or criticality?

Regards

Caute_Cautim
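One way to make the "patch delay time" metric from NIST SP 800-40 and the criticality-based prioritisation discussed above concrete, as an added example that is not code from either poster or from NIST: the inventory rows, the per-severity SLA limits and all dates are constructed for illustration.

```python
from datetime import date
from statistics import median

# Constructed sample inventory: one row per (host, vendor patch). An
# "installed" of None means the patch is still missing. All values invented.
INVENTORY = [
    {"host": "vdi-01", "patch": "VENDOR-2021-001", "severity": "critical",
     "released": date(2021, 4, 13), "installed": date(2021, 4, 16)},
    {"host": "vdi-02", "patch": "VENDOR-2021-001", "severity": "critical",
     "released": date(2021, 4, 13), "installed": None},
    {"host": "file-01", "patch": "VENDOR-2021-002", "severity": "high",
     "released": date(2021, 4, 13), "installed": date(2021, 4, 30)},
    {"host": "web-01", "patch": "VENDOR-2021-003", "severity": "medium",
     "released": date(2021, 3, 9), "installed": date(2021, 3, 30)},
    {"host": "db-01", "patch": "VENDOR-2021-001", "severity": "critical",
     "released": date(2021, 4, 13), "installed": date(2021, 4, 22)},
]

AS_OF = date(2021, 5, 6)  # reporting date (constructed)

# Assumed policy: maximum acceptable delay per severity, in days.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def patch_delay_days(row, as_of):
    """Days from vendor release to install; still counting if not installed."""
    end = row["installed"] or as_of
    return (end - row["released"]).days


def overdue(inventory, as_of):
    """Rows whose delay exceeds the SLA for their severity, most urgent first.

    Each result is (host, patch, severity, delay_days, days_over_sla).
    """
    late = []
    for row in inventory:
        delay = patch_delay_days(row, as_of)
        limit = SLA_DAYS[row["severity"]]
        if delay > limit:
            late.append((row["host"], row["patch"], row["severity"],
                         delay, delay - limit))
    # Critical before high, then the longest-exposed hosts first.
    late.sort(key=lambda r: (SEVERITY_RANK[r[2]], -r[3]))
    return late


def median_delay(inventory, as_of, severity=None):
    """Median patch delay time, overall or for one severity (None if no rows)."""
    delays = [patch_delay_days(r, as_of) for r in inventory
              if severity is None or r["severity"] == severity]
    return median(delays) if delays else None
```

Tracking the median per severity over successive reporting dates shows whether a move to shorter patch cycles actually reduced exposure, which the raw count of missing patches does not.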

denbesten
Community Champion

Re: Paying ransomware doesn't pay


@Steve-Wilme wrote:

But the trick is to keep the ransomware out, ....  We had to move to weekly patch cycles


Without question, prompt preventative maintenance is important, but it is also important to realize that patching will not protect you from a zero-day (been there; had to recover a company from one).

One really wants a multi-layered defense strategy that includes both preventative and recovery measures.

Caute_cautim
Community Champion

Re: Paying ransomware doesn't pay

@denbesten It would also be a good idea to replace human beings (radical approach) with Robotic Process Automation (RPA), especially in repetitive roles, especially those who do not think or are multi-tasking (talking to their mates on mobile phones, etc.) or distracted.

https://www.ibm.com/au-en/automation/rpa?p1=Search&p4=43700054672209358&p5=e&gclid=Cj0KCQjwytOEBhD5A...

However, a good endpoint prevention regime is also required, with automatic policies to reduce the likelihood of a zero-day occurring, especially with Augmented Intelligence (AI) to reduce the impact and therefore the resultant cost of compromise.

Regards

Caute_cautim
Caute_cautim
Community Champion

Re: Paying ransomware doesn't pay

Hi All

And here is another gloat of Ransomware attacks in Australia:

https://www.csoonline.com/article/3617498/ransomware-has-put-australia-s-hospital-cybersecurity-on-l...

Look at the impact on people and hospitals.

Regards

Caute_cautim

rslade
Influencer II

Re: Paying ransomware doesn't pay

> Caute_cautim (Community Champion) posted a new reply in Industry News on

>   An here is another gloat of Ransomware attacks in Australia

Hmmmmm.

A "gloat" of ransomware attacks. As a collective noun, that seems oddly
appropriate ...

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/