RANSOMWARE RESEARCH SCENARIO
ABC Services Ltd (‘ABC’) is a global financial services provider. To comply with local regulatory frameworks, they operate offices around the world, most of which have a legal requirement to store their Know Your Customer (‘KYC’) information in on-site servers.
One of these servers, located in Lebanon, was recently infected with a variation of malware called ransomware, which has prevented ABC from accessing their local KYC data by encrypting it with a secret key. The threat actor behind the attack left behind a file on the server that demands a ransom for the return/decryption of this data.
Once they became aware of this incident, they instructed their local IT team to bring the server offline to mitigate the risk of the malware spreading across their network. They also activated their business continuity plans to minimize disruption to their core business, which involved recreating the servers from backups taken over a month ago.
ABC approached YOU to help them answer several questions, specifically:
- What type of ransomware was used?
- How is the ransomware typically delivered?
- What is the likely profile of the original developers of the ransomware?
- What is the likely profile of a threat actor using this ransomware?
- Are there any known methods of decrypting the data encrypted by the ransomware?
- What is the likelihood that the ransomware has exfiltrated data?
- What additional information would you require to investigate whether the threat actor has exfiltrated KYC data?
They have provided you with a sample of the ransomware and asked you to carry out a preliminary investigation. The sample they provided contains the following key information:
- Info.exe (the ‘executable’) – this is the file name of the ransomware that was used to encrypt ABC’s data.
- [email protected] and [email protected] – these email addresses are provided in the ransom note left as a text file on the client’s systems, as a means of contacting the threat actor.
- no_more_ransom – this file name suffix is present on files encrypted by the ransomware that affected your systems and data.
Please research and prepare a written summary of findings to answer ABC’s questions in an MS Word report. While you will certainly have to make assumptions about the situation, we will expect you to be able to explain and answer above questions at a high level about some of the key technical concepts involved in your findings.
Examples of topics you may consider including in the report are:
RDP, asymmetric encryption, brute forcing, and phishing. Please be sure to capture the key findings from your research into the malware as well as the potential implications of this incident for ABC.