Interview: A Security Engineer’s Guide to Ransomware Attack Response
A conversation with Certified Ethical Hacker Zak Stufflebeam
Because ransomware has become such an issue in cybersecurity, EC-Council caught up with Zak Stufflebeam to talk about ransomware attacks, trends, and responses.
The other big thing is making proper backups. So, if you have a correct backup procedure and policy in place, then if a ransomware attack does happen, you can cut it off and restore your network to business as usual quickly.
What concerns you the most about recent ransomware trends?
Honestly, the most concerning part about the ransomware trend is that this has been an ongoing issue for years and years, and it’s continuing. It’s almost progressing. It’s ramping up.
To me, that’s immensely concerning because it means that their business model, as far as the attackers go, is working. And that’s more alarming than the ransomware itself.
Because when you see a business model that works, especially in the crime industry, you’re going to see more people join that train because it’s easy money in their eyes. And to me, that’s the most alarming—not the ransomware itself, but the fact that it’s climbing, more people are starting to get into this industry, and at this rate, it’s not going to go away anytime soon.
Should companies pay the ransom? What do you feel the ethical approach is?
I don’t think companies should pay the ransom. Now, I understand it has to be looked at on a case-by-case basis.
If your company can’t afford not to pay the ransom, meaning you can’t afford to restore your network, then you must do what’s best for your company. I would never pay the ransom simply because their business model is working. The reason ransomware is still going on today is that they are getting paid and are making money.
So, if we can cut that out, if we could stop everyone from paying that, then that business model no longer works, and they would have to find a different reason to attack companies, or they would have to find a new solution for their profit.
I don’t believe that paying the ransom is a smart thing to do, simply because if one person did it to you, they might leave you alone, but there may be others that will come as well. And you’re now going to be vulnerable to that attack again.
I feel like the ethical approach is not to pay the ransom. That is my opinion. Because if you pay, you have just funded that resource to go and attack somebody else with similar techniques.
So, you’re just continuing the trend. You’re continuing to support a company committing cybercrimes, and they will continue to do this until they stop getting funding or profit from this. So, I think everyone should not pay, but I understand that’s not practical from a business standpoint, and I understand if you have to pay.
Deploying ransomware is a crime, but it seems like you never hear about criminals being held accountable. Why do you think that is?
Well, I think it’s simple and not straightforward at the same time to understand why criminals aren’t held accountable a lot of the time for these cybercrimes. One of the substantial issues that many people don’t understand is what it takes to do an investigation.
Let’s say someone stole $100,000, and it costs $200,000 to investigate. It doesn’t make sense to pursue that person.
Now, why would it cost so much? It’s because you have to get legal action in other countries.
You have to get subpoenas and proper documentation to go to those countries and start investigating and get those logs and things like that. So that alone is expensive.
But besides that, you have to understand that not every country abides by the same laws. That’s the most difficult part of it.
So, an example: say it’s not illegal to attack the U.S. from your country, and you attack us, and we say, “Hey, we want to investigate this.” If you go and ask that country, “Hey, we would like to pursue this, we’d like to prosecute,” and it’s not illegal in that country, they’re most likely not going to allow you.
It doesn’t make sense for them to authorize your laws to apply in their country. So that’s usually the most telling thing that you see.
These criminals are doing this from a country that doesn’t prosecute, doesn’t issue any warrants for their arrest, and doesn’t hold them accountable for hacking other countries, which is a big problem.
The other reason, like I said, is usually funding. And I don’t mean that unpleasantly. But usually, hackers are pretty good at hiding their tracks and using multiple VPNs to multiple countries.
And when that happens, you have to pursue each of those leads into each country, which means you have to negotiate and get proper documentation and things for each country that VPN entered, which makes it extremely expensive and time-consuming. And therefore, a lot of times, it’s not worth it, because you’re not going to be able to prosecute that person, and it’s going to cost you an arm and a leg to do so from a government spending standpoint.
If your company suffered a ransomware attack today, what steps would you take to recover?
If my company suffered a ransomware attack, there are a couple of things that I would do right away. The first thing I would do is try to minimize the attack surface.
So, I would segregate whatever machines they took over, whatever they’ve done already. From there, I would look for indicators of compromise from the beginning.
So, I would go back and start looking at how they got in. When did they get in? The second I found out where they got in and how they got in, I would try to fix that.
And then, I would make sure we have good backups, because we keep good backups, and I would restore our systems to that point. I would not pay them. My company has the resources to fix these issues rather than pay these criminals, depending on what the ransomware attack looks like.
There don’t seem to be many options for learning reverse engineering or dissecting ransomware. Why do you think that is?
I think the issue isn’t that there are no resources to learn reverse engineering of ransomware. It is that it’s not as well advertised as hacking.
So, hacking sounds cool, people associate it with movies and shows, and they see it as a fascinating and cool career field. But dissecting malware is a different mindset.
And it’s hard to find people who enjoy that complex a problem. With hacking, you get a direct result: you get into a machine, you get into a box. With dissecting malware, you may spend months trying to find an issue. And even if you find it, you’re going to try to publish that and hope that people fix their issues, which most of the time, as we know, they don’t, because people are behind on patching and things.
So even if you find it, you may not help that much. And that’s the hard thing.
So that’s why I think that people who do malware analysis are insanely talented and bright individuals who deserve a lot more recognition than they get, because they have saved millions and thousands of dollars all over the world, constantly. And they kind of fly under the radar.
And I think that’s our biggest issue. It’s not that we don’t teach it because, if you look hard enough, you can find the resources. I think the hard part is that it’s not advertised as the cool career field when they’re the ones that are saving a lot of people.
What takeaways did you get from C|EH regarding ransomware?
The biggest takeaway I got when taking C|EH regarding ransomware was how big an issue this is, because many people hear about it here and there, but they don’t realize how often these attacks occur. So that was a massive takeaway, because I didn’t understand how complex the issue really was and how big the attack surface is out there.
The other big takeaway from the ransomware is how big these attacks are and that it’s not the ransomware that’s the problem. It’s the initial attack, and how they’re getting a foothold into your system.
The ransomware can only work if they have access to your system. So, if you can stop that initial attack, look for the indicators of compromise, and cut them off from the source, then the ransomware never can happen.
So that was a huge takeaway from C|EH, that I remember thinking to myself, “Well, why are companies allowing them that initial foothold?”
I understand it’s impossible to make your network 100% secure. But at the same time, if we can do a better job at stopping advanced attacks from happening and getting an initial hold of your network, you can prevent the ransomware from spreading, which is the real issue.
Zak Stufflebeam is a security engineer, pentester, and red team member in the field of cybersecurity. Along with the C|EH, he holds the ECES among many non-EC-Council certifications and ranks among the top 1% on TryHackMe worldwide. Connect with him at https://www.linkedin.com/in/zakery-stufflebeam-8b4662195.
Follow his cybersecurity channel at YouTube.com/stuffy24 and Twitter @stuffy2224.
Views expressed in this interview are personal. The interview has been produced with the aid of a transcription service and may contain dictation, typographical, technical, and/or other errors. The facts, opinions, and language in the interview may not reflect the views of EC-Council or the interviewee’s employer, and EC-Council does not assume any responsibility or liability for the same.