
John Hammond Shares Insights on Ransomware Attack and Incident Response
In this video, John Hammond walks through a ransomware incident in which an attacker attempted to compromise an entire network. He begins by explaining that he is working from a Windows 11 virtual machine with a folder on the desktop called "investigation", and recounts a recent case handled by the security operations center at his company, Huntress.

Hammond presents the incident report, in which the Huntress agent was tasked with isolating the host to prevent the incident from spreading to other devices. He emphasizes that the incident is of critical severity and that the best course of action is a complete reset of the host, although assisted remediation can clean up the known malicious artifacts. The incident involved a compromised user account that authenticated to the host remotely from another IP address, likely the domain controller, which is bad news because it means the rest of the infrastructure is probably compromised as well. Hammond warns about the lack of visibility and telemetry on unmonitored hosts, and stresses the importance of installing a security solution such as Huntress on all servers and workstations rather than on a subset of them.

He then shows the artifacts left by the attacker, including batch scripts and the ransomware itself, and analyzes each script, explaining how it works and what impact it has. One script deletes all volume shadow copies so that files cannot be recovered from local snapshots; another attempts to stop various processes and services to disrupt normal operations (and, in practice, to release file locks so the encryptor can overwrite files that would otherwise be in use). He also explores the tools used by the attackers, including a network scanner and ransomware binaries compiled for different operating systems and architectures. He demonstrates execution of the ransomware in a sandbox to observe its behaviour and the changes it makes to the system, such as changing the desktop wallpaper and dropping a ransom note. Hammond concludes by emphasizing the importance of detection and incident response in defending against ransomware.

He encourages cybersecurity analysts to use tools such as Eric Zimmerman's forensic utilities for analysis and to remain vigilant against new attack techniques. To watch the full video, go to: https://www.youtube.com/watch?v=KS9u-h90fPI
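The batch-script behaviour described above (shadow-copy deletion, service stops, process kills) leaves a distinctive trail in process-creation telemetry, which is exactly the visibility Hammond says unmonitored hosts lack. The following is an added example, not code from the video or from Huntress: a small set of detection rules run over constructed process-creation log lines. The `timestamp|host|user|parent|cmdline` layout is an assumed simplified export format (not any vendor's schema), and the sample lines are fabricated for illustration; the commands they contain are the well-known ones ransomware scripts use for this stage.

```python
"""Detect ransomware pre-encryption commands in process-creation logs.

Added example (not code from the video or from Huntress). The batch scripts the
video describes delete volume shadow copies and stop services before encryption;
those actions appear as command lines in process-creation telemetry (Windows
Security event 4688, Sysmon event 1, or an EDR export). The rules, the field
layout `timestamp|host|user|parent_image|command_line` and the sample log lines
below are constructed for illustration, not taken from any real incident.
"""
import re
from dataclasses import dataclass

# Each rule: (category, compiled regex over the lower-cased command line).
# Patterns are deliberately loose: attackers vary quoting, paths and argument
# order, so matching binary name plus verb is more robust than one exact string.
RULES = [
    ("shadow_copy_deletion",    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows")),
    ("shadow_copy_deletion",    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete")),
    ("shadow_copy_deletion",    re.compile(r"get-wmiobject\s+win32_shadowcopy.*\.delete\(")),
    ("shadow_storage_resize",   re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage")),
    ("recovery_disabled",       re.compile(r"\bbcdedit(\.exe)?.*recoveryenabled\s+no")),
    ("recovery_disabled",       re.compile(r"\bbcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures")),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog")),
    ("service_stop",            re.compile(r"\bnet1?(\.exe)?\s+stop\s+")),
    ("service_stop",            re.compile(r"\bsc(\.exe)?\s+(stop|config)\s+")),
    ("process_kill",            re.compile(r"\btaskkill(\.exe)?\s+.*(/f|/im)")),
]


@dataclass
class Hit:
    timestamp: str
    host: str
    user: str
    cmdline: str
    tags: list


def classify_command(cmdline: str) -> list:
    """Return the ordered, de-duplicated rule categories matching one command line."""
    text = cmdline.lower()
    tags = []
    for name, pattern in RULES:
        if pattern.search(text) and name not in tags:
            tags.append(name)
    return tags


def parse_line(line: str):
    """Split one assumed-format line into its five fields; None if malformed."""
    parts = line.rstrip("\n").split("|", 4)
    return parts if len(parts) == 5 else None


def scan(lines) -> list:
    """Run every rule over every line; return only the lines that matched."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, user, _parent, cmdline = parsed
        tags = classify_command(cmdline)
        if tags:
            hits.append(Hit(ts, host, user, cmdline, tags))
    return hits


def hosts_with_impact_chain(hits, min_distinct: int = 2) -> list:
    """Hosts on which two or more *different* categories fired.

    A lone `net stop` is routine admin activity; shadow deletion plus service
    stops plus process kills on one host is the scripted pre-encryption pattern.
    """
    by_host = {}
    for h in hits:
        by_host.setdefault(h.host, set()).update(h.tags)
    return sorted(host for host, tags in by_host.items() if len(tags) >= min_distinct)


# Constructed sample telemetry (not real logs). The FS01 lines mimic the scripted
# sequence; the WS22 lines are benign noise that must not trip the chain logic.
SAMPLE_LOG = """\
2024-05-01T02:14:03Z|FS01|CORP\\svc_backup|cmd.exe|vssadmin.exe Delete Shadows /All /Quiet
2024-05-01T02:14:04Z|FS01|CORP\\svc_backup|cmd.exe|wmic shadowcopy delete
2024-05-01T02:14:05Z|FS01|CORP\\svc_backup|cmd.exe|bcdedit /set {default} recoveryenabled No
2024-05-01T02:14:06Z|FS01|CORP\\svc_backup|cmd.exe|net stop "SQL Server (MSSQLSERVER)" /y
2024-05-01T02:14:07Z|FS01|CORP\\svc_backup|cmd.exe|taskkill /F /IM sqlservr.exe
2024-05-01T09:30:00Z|WS22|CORP\\jdoe|explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt
2024-05-01T09:31:12Z|WS22|CORP\\jdoe|powershell.exe|net stop spooler
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.timestamp} {h.host} {h.user}: {h.tags} <- {h.cmdline}")
    print("hosts showing a multi-stage impact chain:", hosts_with_impact_chain(found))
```

The per-line rules are intentionally noisy (`net stop` alone fires on the benign WS22 line); the host-level aggregation in `hosts_with_impact_chain` is what turns them into a worthwhile alert, and it only works if the telemetry covers every host, which is the point Hammond makes about unmonitored machines.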