Ransomware Resources and Suggestions

General-purpose resources:

• Ransomware Overview Google Doc View the prevention sheet.
• ID Ransomware
• No More Ransom
• Coinbase If you have to pay in Bitcoin.
• MITRE ATT&CK
• APT Groups
• Malware Analysis Tools

Prevention

• Have off-line backups that are not connected to Active Directory.
• Understand the implication of having your backup servers crypto-ransomwared.
• Harden Active Directory.
• Have a ransomware Incident Response Plan. Print this.
• Have an up-to-date list of emergency contacts printed.
• Keep up-to-date with the latest ransomware activities.
• Actively defend against common initial access paths; see MITRE link above.
• Deploy endpoint Advanced Persistent Threat (APT) detection tools.
• Train your organization's users to spot phishing e-mails.
• Keep all systems and web-browsers up-to-date.
• Prioritize strict security architecture on all organizational projects.

Crypto OSINT

Tools to help you research past payments to ransomware gangs so you can potentially negotiate better:

• Blockchair Use this to see prior payments to a given wallet before negotiations.
• Etherscan Use this to track Ethereum payments
• Intelligence X OSINT tool that can track lots of things
• Block Explorer
• Wallet Explorer Bitcoin block explorer with address grouping and wallet lableling
• Bitnodes

Response

• Locate a printed copy of your ransomware incident response plan.
• Communicate to the appropriate people that an event has occurred.
• In most companies, you will also open a bridge for the team to discuss things.
• Don't slow down your first responders.
• Get your legal counsel involved.
• Identify the variant of ransomware.
• Check to see if decryption tools exist.

Active Directory Clean-up Resources

• French CERT Active Directory Security Assessment Checklist
• BloodHound
• Pingcastle
• Microsoft Active Directory Security Assessment
• Sysmon Modular
• PlumHound