Question

(ONLY NEED ANSWER FOR PART 4 OF THIS CASE STUDY)

Wana Decryptor Attack Case Study - Part 1

Scenario:

You are employed at a bank of medium size, worth 5 billion dollars. The IT Director reports to the CIO – both the CIO and CISO report to the COO. At 11:00 A.M. on a Monday morning, the IT Help Desk receives a call from a user in the Wire Transfer Department. He reports that his computer is frozen and appears to have a message that some type of ransom is requested to free the files up from a type of encryption.

What should your help desk do next? Consider the following:

·      What is your response plan to this incident?

·      How would you escalate this situation?

·      Who would you notify?

·      What is your customer notification plan?

·      What is the relevant regulatory requirement?

Let’s identify the most probable sequence of events. Select One:

1.   The Help Desk opens a ticket, assigns it to a technician to respond to the user’s workstation, to inspect and determine what the actual problem is and whether it is a virus or a computer issue that could be resolved by the IT team.

2.   The Help Desk instructs the user to unplug his computer from the network, proceeds to open a ticket and assigns an IT tech to inspect the user’s computer for an analysis and a possible solution.

3.   The Help Desk simultaneously proceeds to notify the IT Director of the issue, dispatches a technician and awaits feedback.

4.   In addition to #3, the Help Desk proceeds to inform the CISO of the occurrence.

5.   The Help Desk instructs the user to shut down and restart his computer to see if the problem has been remedied before taking any action.

6.   Any other actions that are not listed above?

As you reflect on what to do and what may happen, the IT Technician arrives:

·      The technician immediately determined and reported that the computer was infected with Ransomware.

·      He states that there is no way to remove the malware other than disconnecting it from the network and re-imagine it.

·      The other option is to pay the ransom of $300.00.

What now? Post your primary thoughts on the scenario, considerations on the most probable next steps, and what you would do after learning the new information from the IT technician's report then find commonalities and differences in your thoughts and approaches and discuss as a class.

Wana Decryptor Attack Case Study - Part 2

The Help Desk gets the report from the technician and informs the IT Director of the finding...

·      The IT Director agrees to disconnect the computer and re-image it, but also requests to have someone check to see if the virus has spread to other computers and/or the network.

·      The technician removes the infected computer and takes it to re-image.

·      The network staff are told to check network drives for virus infection as requested by the IT Director.

Let’s identify the most probable sequence of events. Select One:

1.   The Help Desk does not receive any other calls regarding this incident – therefore they believe it is an isolated incident.

2.   The Help Desk receives five other calls from the same department now also claiming that their computers are also frozen and they need assistance.

3.   The Network staff checks the department drive and it also appears to be encrypted – so all user files residing there are encrypted and cannot be opened.

4.   The Network staff now also find out that in addition to #3, the server is also encrypted and cannot be accessed.

5.   Others not noted above. Please explain.

More to Consider:

·      What failsafe controls do you have in place to restore wire transfer operations quickly?

·      Could it happen to the wire transfer computers? (If so why and if not why not)?

·      What could you have done prior to the incident to mitigate this threat?

Post your considerations on the most probable next steps then find commonalities and differences in your thoughts and approaches and discuss as a class.

Wana Decryptor Attack Case Study - Part 3

What to do after a ransomware attack on a network:

·  Do not pay the ransom

·  Turn off all the devices/computers and disconnect all the devices from the network

·  Find the source:-as the out-of-dated and the misconfigured software can be easily compromised, get all the users/employees to know who witnessed the first symptoms of the threat and when, find out this was through email attachment or the link.

·  Alert all the users or employees of the organization.

·  Re-image the infected endpoints, all servers, and virtual machines.

·  Restore all, from a backup to a clean device.

I generally backup my all the files every day, by using the auto-backup functionality provided by my smart phone as well as the Laptop.

As in the given scenario, files are backed up every two hours, so first we should disconnect the all devices from the network, and then report about the incident to higher authorities of the company, they can contact further to the cyber-security officials.

We may try to retrieve the encrypted files with the help of the free decryptors, as it is not an easy task, as most of the ransomware attackers used the advanced encryption algorithm. If we do not want to pay, we should work for 2 hours more to get on to the work back.

My recommended action for the future:

·  Install the early Threat Detection Systems

·  Create the Restore and the Recovery Points

·  Block the Vulnerable Plug-Ins

·  Train all Employees of the organization.

·  Enforce the Strong Password Security policies.

·  Add the virus Control at the Email Server of the organization.

Wana Decryptor Attack Case Study - Part 4

The CEO hears about the issue. He/She makes a call to a colleague at another bank who had recently suffered a similar attack and informs them that he (the other bank) paid a $300 fee and all files were decrypted...

• The CEO now orders you to pay the ransom and take the risk but he/she wants the affected files unencrypted ASAP.
• Are you ready to pay the ransom – and if so, can you? If not, why not?
• Are you ready to purchase the bitcoins and pay the ransom?
• If you can’t, what are you going to tell your CEO as to why you cannot pay the ransom?

Post and Discuss:

• When you re-imaged your computer, you lost communication with the attacker and now you cannot continue communicating to pay the ransom. Why not?
• How are you going to explain to your CEO, that due to the fact that you disconnected the computer and began re-imaging it – you lost communication and cannot pay the ransom. How will he/she react?
• Why did you take action without first escalating the issue to senior management or his office prior to making that decision?
• What now?
• What could you have done differently prior to the incident to prevent this kind of scenario?

Answer 1

Solution: Being an IT Help desk as I received a call from a user that his computer has been frozen and appears to have been attacked by cyber attackers.

Things I would recommend: From the moment the bat never pays, Full-frame recovery maybe together, go sweep from a bound CD or USB drive, if you notice your frame is definitely backing up no description, shut it down and disconnect from the Internet. In the unlikely event that once you start and malware is still active, you will not have the option to send or receive directions from the order and controller. That means that without a key or a way to separate the installment, malware can remain inactive. In the meantime, download and launch the security item and use the full.

Program to respond to this event: Leave an influential framework, Eliminate malware- If malware is still active, memory debris should be done before splitting to make a complete record of any malicious cycles running. The disposal site may contain important material used to file documents, which can be deleted and used to help the injured with non-compliant records without paying a ransom, Identify and check for zero tolerance - Identifying a quiet zero (e.g. water source) the various steps they take while in the organization and the level of pollution. Identifying the source of the disease is important in resolving the flow phase, but it can similarly help organizations that address vulnerabilities and reduce the risk of future trade.

How to aggravate the situation:

Step 1: Remove the affected PCs, PCs, and various gadgets from the organization - but DO NOT shut them down.

Step 2: Make a call. Try not to send an email alert about the attack (should be disconnected); instead call the security of your external network to support or install competent internal assets.

Step 3: Conduct an initial crime level assessment to determine the extent of the risk. Which place? What ransom can you expect? What parts of the network are affected? This is why you should keep your workplace focused on getting you out of the organization.

Step 4: Protect the Unsafe There has been a slide to zero in reconstruction at this stage. Instead, you should stop streaming the software before you can start updating your workstations. How? Close the organization component.

step 5: Clean your IT element, Ignore looking at your master's photos before restarting PCs.

Step 6: Start the restore, each PC in sequence.

How to inform:

Make a call. Try not to send an email alert about the attack (should be disconnected); instead call the security of your external network to support or install competent internal assets.

Customer notification system: It is currently easier than ever in the latest memory to test the effectiveness of online protection with customers. Often, there is an issue in the report about other information that may affect the customer base of the organization. Using remarkable models can help you by raising the topic of attack with customers.

Proper regulatory requirements -

Contact the cyber crime office, cybercrime is highly divided into two categories depending on the use of PCs as

1. Target (model, hacking, Virus Attack)

2. Weapon (model, digital mental warfare, IPR violation, provocative entertainment).

THUMBS UP IF YOU LIKE IT!