Question

Wana Decryptor Attack Case Study - Part 1

Scenario:

You are employed at a bank of medium size, worth 5 billion dollars. The IT Director reports to the CIO – both the CIO and CISO report to the COO. At 11:00 A.M. on a Monday morning, the IT Help Desk receives a call from a user in the Wire Transfer Department. He reports that his computer is frozen, and appears to have a message that some type of ransom is requested to free the files up from a type of encryption.

What should your help desk do next? Consider the following:

• What is your response plan to this incident?
• How would you escalate this situation?
• Who would you notify?
• What is your customer notification plan?
• What is the relevant regulatory requirement?

Let’s identify the most probable sequence of events. Select One:

1. The Help Desk opens a ticket, assigns it to a technician to respond to the user’s workstation, to inspect and determine what the actual problem is and whether it is a virus or a computer issue that could be resolved by the IT team.
2. The Help Desk instructs the user to unplug his computer from the network, proceeds to open a ticket and assigns an IT tech to inspect the user’s computer for an analysis and a possible solution.
3. The Help Desk simultaneously proceeds to notify the IT Director of the issue, dispatches a technician and awaits feedback.
4. In addition to #3, the Help Desk proceeds to inform the CISO of the occurrence.
5. The Help Desk instructs the user to shut down and restart his computer to see if the problem has been remedied before taking any action.
6. Any other actions that are not listed above?

As you reflect on what to do and what may happen, the IT Technician arrives:

• The technician immediately determined and reported that the computer was infected with Ransomware.
• He states that there is no way to remove the malware other than disconnecting it from the network and re-imagine it.
• The other option is to pay the ransom of $300.00.

What now? Post your primary thoughts on the scenario, considerations on the most probable next steps, and what you would do after learning the new information from the IT technician's report then find commonalities and differences in your thoughts and approaches and discuss as a class.

Answer 1

Solution : Being the IT Help desk as i received call from a user that his computer is frozen and appears to have been attacked by cyber attackers.

Things that i would recommend: Right off the bat never pay the payoff, A full framework restore may be all together , have a go at running a sweep from a bootable CD or USB drive ,f you notice your framework easing back down for apparently no explanation, closed it down and disengage it from the Internet. On the off chance that, when you boot up again the malware is as yet dynamic, it won't have the option to send or get directions from the order and control worker. That implies without a key or approach to separate installment, the malware may remain idle. At that point, download and introduce a security item and run a full output.

Response plan to the incident :Seclude influenced framework ,Quarantine the malware- If the malware is as yet running, memory dumps ought to be made before isolate to make a full record of any malignant cycles that are running. The memory dump may contain the key material that was utilized to encode the documents, which can possibly be removed and used to assist casualties with unscrambling records without paying the ransom, Identify and explore tolerant zero-Identifying quiet zero (for example the wellspring of the disease) is pivotal for seeing how assailants accessed the framework, what different moves they made while they were on the organization and the degree of the contamination. Identifying the wellspring of the disease is valuable for settling the flow episode, yet can likewise assist associations with tending to weaknesses and lessen the danger of future trade off.

How to escalate this situation:

Step1 : Unplug influenced PCs, PCs and different gadgets from the organization – yet DO NOT close them down.

Stage 2: Make a call. Try not to send an email alert about the assault (you should be disconnected); rather telephone your outside network safety uphold or capable inner asset.

step3 : Carry out a first-level criminological examination to discover the degree of the danger. Which area? What ransomware would you say you are confronting? What network components are influenced? This is the reason you have to keep your workstations pursuing you've unplugged them from the organization.

stage 4 :Protect what is as yet sheltered. It is a slip-up to zero in on rebuilding at this stage. Rather, you have to stop the ransomware spreading before you start to reestablish your workstations. How? Close down the organization component.

stage 5: Clean your IT element, Don't neglect to address your lord pictures before doing a full reestablish of the PCs.

Step 6: Begin restoration, each PC in turn.

How would you notify:

Make a call. Try not to send an email alert about the assault (you should be disconnected); rather telephone your outside network safety uphold or capable inner asset.

Customer notification plan: It's currently simpler than any time in recent memory to examine being proactive about online protection with clients. Practically consistently, there's a story in the report about another information penetrate affecting an organization's client base. Utilizing notable models can help you with suggesting the topic of attack with clients.

Relevant regulatory requirement -

Contact cyber crime office , cyber crime is extensively separated into two classifications dependent on use of PCs as

1. Target (model, Hacking, Virus Attack)

2.  Weapon (model, digital psychological warfare, IPR infringement, erotic entertainment).

When the technican immediately determined the malware then the above steps as described for things that IT help desk would recommed should be done.