Section 1: Getting Started with a Modern Ransomware Attack
Chapter 1: The History of Human-Operated Ransomware Attacks
Who was behind the SamSam ransomware?
The mastermind behind the BitPaymer ransomware
Who was behind the Ryuk ransomware?
Who was behind ransomware-as-a-service programs?
Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
Chapter 3: The Incident Response Process
Preparation for an incident
Threat detection and analysis
Containment, eradication, and recovery
Section 2: Know Your Adversary: How Ransomware Gangs Operate
Chapter 4: Cyber Threat Intelligence and Ransomware
Strategic cyber threat intelligence
Operational cyber threat intelligence
Tactical cyber threat intelligence
Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
External remote services (T1133)
Exploiting public-facing applications (T1190)
Supply chain compromise (T1195)
Command and scripting interpreters (T1059)
Exploitation for client execution (T1203)
Windows Management Instrumentation (T1047)
Obtaining persistent access
Boot or logon autostart execution (T1547)
Scheduled task/job (T1053)
Server software component (T1505)
Exploiting for privilege escalation (T1068)
Creating or modifying system process (T1543)
Process injection (T1055)
Abuse elevation control mechanism (T1548)
Exploiting for defense evasion (T1211)
Deobfuscating/decoding files or information (T1140)
File and directory permissions modification (T1222)
Impairing defenses (T1562)
Indicator removal on host (T1070)
Signed binary proxy execution (T1218)
OS credential dumping (T1003)
Steal or forge Kerberos tickets (T1558)
Exploiting remote services (T1210)
Using alternate authentication material (T1550)
Collecting and exfiltrating data
Data from local system (T1005)
Data from network shared drives (T1039)
Archive collected data (T1560)
Exfiltration over web service (T1567)
Automated exfiltration (T1020)