FOR528: Ransomware and Cyber Extortion

Learn to thwart ransomware and cyber extortion threats once and for all!

The term "Ransomware" no longer refers to a simple encryptor that locks down resources. The advent of Human-Operated Ransomware (HumOR), along with the evolution of Ransomware-as-a-Service (RaaS), has created an entire ecosystem that thrives on hands-on-keyboard, well-planned attack campaigns. It is a rapidly growing threat that has evolved from a single-machine infection following an ill-advised mouse click into a booming enterprise capable of crippling large and small networks alike. Even when extortion actors do not deploy an encryptor, the fallout can be devastating. Organizations are at risk of losing their data and information to these attacks, which can lead to revenue losses, reputational damage, theft of employee time and productivity, and an inability to function normally.

It is now common to see large-scale, sophisticated attacks in which the ransomware actors first establish persistence and execute tools on their target, then move laterally throughout the organization, and ultimately exfiltrate data before deploying their ransomware payloads. That is, if they even deploy an encryptor. Even though payments to ransomware actors slowed in early 2022 as compared to previous years, that same year there were over 2,600 posts made to extortion sites related to ransomware. This number does not include an unknown quantity of incidents that were resolved through communication and/or negotiation behind the scenes prior to public notification.
Of the reported incidents from 2022, the following are the top 10 compromised sectors:
• Construction
• Hospital and Health Care
• Government Administration
• IT Services and IT Consulting
• Law Practice
• Automotive
• Financial Services
• Higher Education
• Insurance
• Real Estate

The FOR528: Ransomware and Cyber Extortion course teaches students how to deal with the specifics of ransomware: to prepare for, detect, hunt, respond to, and address the aftermath of these attacks. The course features a hands-on approach to learning using real-world data and includes a full-day capture the flag (CTF) challenge to help students solidify their learning. The four-day class teaches students what artifacts to collect, how to collect them, how to scale collection efforts, how to parse the data, and how to review the parsed results in aggregate. The course also provides in-depth details and detection methods for each phase of the ransomware and cyber extortion attack lifecycle. These phases include Initial Access, Execution, Defense Evasion, Persistence, Attacks on Active Directory (AD), Privilege Escalation, Credential Access, Lateral Movement, Data Access, Data Exfiltration, and Payload Deployment.

Unfortunately, many businesses will find themselves falling victim to ransomware attacks because they feel they are not in danger. Regardless of whether your organization is small, medium, or large, every internet-connected network is at risk… and the threat is not going away any time soon.
Who Should Attend
• Information security professionals who want to learn how to collect, parse, and analyze forensic artifacts in support of ransomware incident response
• Incident response team members who need to use deep-dive digital forensics to help solve their Windows data breach and intrusion cases, perform damage assessments, and develop indicators of compromise
• Incident triage analysts, such as those working in a Security Operations Center, Computer Incident Response Team, or similar
• Managed Service Provider (MSP) and Managed Security Service Provider (MSSP) analysts who may need to aid in ransomware incident response
• Law enforcement officers, federal agents, and detectives who want to become deep subject-matter experts on ransomware investigations
• Medical and hospitality IT staff who may need to respond to ransomware events
• Anyone interested in a deep understanding of ransomware-specific incident response who has a background in information systems, information security, or computers

You Will Be Able To
• Ransomware Evolution and History
• Windows Forensics Artifacts Critical to Ransomware Incident Response
• Evidence Acquisition Tools and Techniques
• Initial Access
• Execution and Defense Evasion
• Persistence
• Privilege Escalation and Credential Access
• Lateral Movement
• Active Directory Attacks
• Data Access
• Data Exfiltration
• Archive creation and data staging
• Data exfiltration routes
• Backup and Recovery tampering
• Payload deployment
• Encryption specifics including source code review
• Decryptors
• Cobalt Strike architecture, components, and payloads
• Dealing with an active threat
• Conti ransomware operations case study
• Hunting methods and techniques

4 Day Program | 24 CPEs | Laptop Required | sans.org/for528
Delivery options: Online, In-Person