Understanding Ransomware Response
13 July 2022
We recently had the opportunity to interview Devon Ackerman, Practice Lead & Head of #DFIR Services for North America at Kroll. Before he was at Kroll, Devon worked with the FBI as a supervisory special agent, coordinating both domestic and international digital forensic investigations.
Devon described two case studies that offer helpful insights into the state of cyber attacks and their threat actors.
Detective Story
Some years ago, a law firm approached Kroll with an unusual case. A client was losing business every single month: long-established suppliers were just ending their contracts. They suspected that a recently-departed employee was providing information to a competitor that was taking the business. But there wasn’t any proof. This was where Devon and his team came in.
An Atypical Case
In a traditional digital forensics or incident response investigation, you’re looking at logs or a computer server or a firewall, trying to put together a timeline of how something occurred. That’s what Devon and his team asked for at first. What did they find?
A wiped computer (a full-secure overwrite of the data had been done)
A factory-reset phone
Two factory-reset iPads
No networking logs, as the client simply designed and made a particular type of item for resale
With nothing coming from the technology side, Devon sent a former law enforcement officer to sit where the employee had sat, look around, and see if anything was missing. On closer examination it was clear that a large storage device had probably once been there but was gone (the plugs left behind were a telltale sign).
The investigator also noted that there was a server in the office, which had the entire customer database and all the order information for the company. Knowing what a goldmine of information this would be for a competitor, the team started looking at the logs and found a folder structure that had been created about a month before the employee left. That folder had an entire backup of the customer database as well as a database dump of the email software, going back eight years. These digital fingerprints were like a note in an empty file cabinet: “I copied these files on this date.”
The narrative was coming together; a large amount of important company data was copied. Where was it copied to?
Devon and his team found security footage of people entering and exiting the building. After reviewing 60 days of footage around the time of the employee’s resignation, they found a day that he entered with a backpack (which he never usually did). When he left at the end of the day, the backpack’s shape was significantly different. It must have contained the digital storage for the files and, sure enough, the employee had made the mistake of purchasing the storage with a company card two months before he left the company.
Another piece of the digital narrative was an email rule that had been disabled but not deleted. This rule captured a copy of every incoming email to the president and CFO of the company and routed it to an external, non-business domain.
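A defender can hunt for exactly this kind of artifact by reviewing exported mailbox rules and flagging any that copy or redirect mail off-domain, including rules that are disabled but were never deleted. The script below is an added example, not part of the interview or Kroll's tooling; the rule records, field names and domains are constructed for illustration.

```python
# Added example: flag mailbox rules that copy or redirect mail to addresses
# outside the company's own domains, disabled rules included. The rule records
# and field names are constructed, not an export from any real mail system.
from dataclasses import dataclass

COMPANY_DOMAINS = {"example-corp.com"}  # assumed in-house mail domain


@dataclass
class MailRule:
    mailbox: str        # mailbox the rule lives in
    name: str           # rule's display name
    enabled: bool       # False if the rule is disabled but still present
    forward_to: tuple   # addresses the rule forwards, redirects or copies to


def external_targets(rule, company_domains=COMPANY_DOMAINS):
    """Return the rule's forwarding targets whose domain is not in-house."""
    return [addr for addr in rule.forward_to
            if addr.rsplit("@", 1)[-1].lower() not in company_domains]


def suspicious_rules(rules, company_domains=COMPANY_DOMAINS):
    """Report every rule that sends mail off-domain, whether enabled or not.

    A disabled rule is still a finding: it documents a prior exfiltration
    path and the intent behind it, which is evidence worth preserving."""
    findings = []
    for rule in rules:
        ext = external_targets(rule, company_domains)
        if ext:
            findings.append({
                "mailbox": rule.mailbox,
                "rule": rule.name,
                "status": "enabled" if rule.enabled else "disabled (not deleted)",
                "external_targets": ext,
            })
    return findings


# Constructed sample: the two executive mailboxes from the case, plus a benign rule.
SAMPLE_RULES = [
    MailRule("president@example-corp.com", "Archive", False, ("drop@free-mail.test",)),
    MailRule("cfo@example-corp.com", "Archive", False, ("drop@free-mail.test",)),
    MailRule("cfo@example-corp.com", "Vendor sort", True, ("ap@example-corp.com",)),
]

if __name__ == "__main__":
    for finding in suspicious_rules(SAMPLE_RULES):
        print(finding)
```

Only the two off-domain rules are reported; the in-house "Vendor sort" rule is ignored, and the disabled state is recorded rather than used as a reason to skip the rule.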
Finally, to add real-world correlation to these digital findings, Kroll sent a PI to surveil the ex-employee and saw him driving to the office building of a competitor. One day he even came out of the building with a swag bag bearing the competitor’s logo, confirming that he had visited that office.
All these digital and real-world findings didn’t necessarily constitute a smoking gun, but they provided a documented narrative that allowed the law firm to successfully sue the ex-employee on behalf of the client.
This approach works in the civil space, where you don’t have to prove something beyond a reasonable doubt. But it also helps law enforcement authorities in the criminal space. By putting together a dossier, companies like Kroll can help get the ball rolling on an investigation that might not otherwise happen. The FBI handles over 700,000 cases a year, so the ones that have a head start in the form of such a dossier have the best chance of being solved.
Life and Death
While we’ve seen ransomware take down infrastructure and make life troublesome or inconvenient, we may not have heard of life-and-death situations. The second case that Devon shared with us was of a hospital that had a ransomware attack.
The ransomware affected every part of the hospital’s software; they couldn’t take in new patients, which meant that people coming to the emergency room in ambulances were being turned away.
When you’re dealing with ransomware cases, there’s always a time element at play. The threat actor is trying to force a decision on a limited time scale and the victim is trying to buy more time to restore the environment and potentially avoid paying. When you add an additional stressor like emergency patients being turned away, the situation can be really hard to manage.
In this case, Devon used a triage technique, just as emergency rooms do. He focused on what needed to get up and running first. Using a team working around the clock in shifts, they found the original intrusion point and patched the system going forward. Then they had to make sure that the threat actor was flushed out of all the systems. This was challenging as there had been secondary detonations of the ransomware across terminals where employees logged in, so they had to be told not to log in until the problem was solved.
The additional challenge was making sure that protected and private patient information was preserved, not just for the patients but for evidentiary reasons. Devon and his team had to devise a plan that preserved the evidence but at the same time would get the systems up and running again. This included making a decision to overwrite some non-business-critical systems to get certain machines up and running.
Thanks to Devon and his team’s calmness in the face of considerable stress, the hospital was able to start serving patients again faster than if it had tried to handle it on its own.
If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.