SOLUTION BRIEF
COMBATING RANSOMWARE
Defend against the attackers’ top choice for multifaceted extortion
Ransomware and multifaceted extortion have become top cyber security threats for organizations of all shapes and sizes. Ransomware actors have intensified their attack campaigns by threatening critical infrastructure shutdowns, risking public health and safety, diverting vital public resources, disrupting educational institutions and impacting data privacy. The average downtime experienced from a ransomware attack is 21 days.[2]

Ransomware actors are becoming increasingly aggressive, turning once relatively simple attacks into more elaborate—and lucrative—multifaceted extortion operations. Multifaceted extortion involves multiple attack points, including ransomware encryption, data theft and public “naming and shaming” of the victim organizations, all of which presents a more profound risk to organizations.

Multifaceted extortion blends the impact of a data breach with the already painful impact of ransomware. A data breach can result in greater reputational damage, regulatory fines, class action lawsuits, and derailed digital transformation initiatives. These consequences were not typically seen with ransomware before 2019.[1]

In March 2021, one of the largest US insurance companies publicly reported a ransom payment of $40 million,[3] the largest known ransomware payment to-date.
1 FireEye (2021). M-Trends 2021.
2 Coveware (February 1, 2021). Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands.
3 Business Insider (May 22, 2021). One of the biggest US insurance companies reportedly paid hackers $40 million ransom after a cyberattack.
Anatomy of a targeted ransomware attack
[Figure: targeted ransomware attack lifecycle. Stages, their goals and typical techniques:]
INITIAL RECON: Open-Source Intelligence (OSINT)
INITIAL COMPROMISE: Gain Initial Access Into Target
• Social engineering
• Internet-based attack
• Cross-compromises
ESTABLISH FOOTHOLD: Strengthen Position Within Target
• Custom malware
• Command and control
• Web shells
ESCALATE PRIVILEGE: Obtain Elevated Permissions
• Credential theft
• Password cracking
• “Pass-the-Hash”
INTERNAL RECON: Identify Backup Servers, Business Servers, Sensitive Data (most susceptible to ransomware attacks)
• Critical system recon
• System/active directory/user enumeration
• Data mining
MOVE LATERALLY
• WMI
• SMB/NSF
• PowerShell Remoting
MAINTAIN PRESENCE
• Backdoor variants
• Existing breach
• Sleeper malware,
COMPLETE MISSION: Ransomware Deployment, Steal Data, Disrupt Business Ops, Extort Organization, Financial Payment
• Access critical business servers
• Data theft
• Ransomware encryptor deployment
The objectives of ransomware defenses
When ransomware is successfully deployed, organizations often experience technical and non-technical challenges that can cripple
their operations. To counter the frequently seen combination of poor visibility into the effectiveness of controls and detection
environments and the advanced techniques, skills and resources of threat actors, organizations must have a holistic risk mitigation
strategy, from the board level to security practitioners.
• Stop an attack before ransomware is deployed
• Accelerate response and minimize impact of an attack
• Allow the organization to resume operations
Ideally, every organization should strive to catch a ransomware attack at its earliest stages to prevent deployment. Early detection
of the intrusion allows an organization to accelerate their response, minimize the impact of ransomware and swiftly resume
business operations.
How Mandiant helps address this challenge
Many organizations victimized by ransomware have turned to Mandiant to help them respond to their incident. With experience on the
frontlines of hundreds of such incidents, Mandiant has developed expertise and intelligence to understand who the attackers are, how
they operate and ultimately, how to counter them.
Mandiant has the unique ability to find the intrusions that precede ransomware deployment quickly and at scale. Through automated
solutions and comprehensive services, your organization can prepare, prevent and respond to ransomware and multifaceted extortion
attacks. Mandiant solutions bolster both your preparedness and cyber defense to help protect against multifaceted extortion attacks.
Prepare
Ready your cyber defenses against ransomware and multifaceted extortion campaigns through threat intelligence, security program assessment, controls validation and hands-on operational exercises—with on-demand access to Mandiant frontline experts.

Mandiant can help you prepare your specific environment with the Mandiant Advantage platform and services. The platform offers access to timely, relevant and easy to consume threat insights that accelerate security decision making to mitigate risk. You’ll gain visibility, evidence and confidence in your cyber readiness against ransomware through automated testing programs that give you real data on how your security controls are performing. Our frontline experts can better prepare you and your team to mitigate threats, reduce business risk and lessen the impact of ransomware.

• Procure intel
• Assess capabilities
• Test defenses and configuration
• Continuously validate controls
• Practice response plans

BENEFITS
• Access to the most up-to-date frontline threat intelligence enables understanding of the identity, targets, timing, motivation and methods of the latest threat actors.
• Prioritize and focus efforts with threat intelligence on the specific threats facing your industry and organization, test security controls and remediate vulnerabilities.
• Minimize the impact of an attack and reduce security incident response time
• Safely test your organization against real-world ransomware attack scenarios to identify existing misconfigurations in your environment and help improve or develop a more robust security posture.

Prevent
Identify the activity that precedes ransomware deployment and activate mitigation strategies to avoid a major ransomware and multifaceted extortion incident.
With Mandiant Advantage, response readiness services and on-demand access
to Mandiant cyber defense experts, security teams can identify active and past
compromises quickly and stop attackers before they cause damage to their organization.
Security teams get an early knowledge advantage through automated modules that
identify critical indicators of compromise (IOCs). Managed detection and response
services provide specialized expertise, such as integration of attacker research to detect
malicious activity faster and the effective prioritization of mitigation efforts.
• Automate detection
• 24x7 monitoring
• Activate experts
Respond
Reduce the impact of ransomware and multifaceted extortion attacks with swift and
decisive action.
Mandiant provides access to incident response experts so you can rapidly and effectively
respond to ransomware and multifaceted extortion attacks. These specialists complete
in-depth attack analysis, perform crisis management across the full attack lifecycle and
help you recover your business operations after a breach.
• Incident Response
• Get back to business
Offerings
TABLE 1. Offerings.
Solution | Description | Delivery

Prepare
Mandiant Advantage Threat Intelligence | Provide your organizations with visibility into the latest ransomware threats directly from the frontlines. | Mandiant Advantage
Ransomware Defense Assessment | Evaluate your ability to prevent, detect, contain and remediate ransomware by assessing the impact an attack could have on your internal network. | Mandiant Consulting Services
Active Directory Security Assessment | Assess existing misconfigurations, process weaknesses and exploitation methods within your Active Directory—the most abused network service by attackers to escalate privileges in a successful ransomware and multifaceted extortion attack. | Mandiant Consulting Services
Red Team for Ransomware | Evaluate your ability to protect your most critical assets through real-world ransomware attack scenarios. Mandiant experts emulate tactics, techniques and procedures (TTPs) seen in an actual ransomware incident to identify weaknesses and recommend effective improvements. | Mandiant Consulting Services
Mandiant Advantage Ransomware Defense Validation | Discover how effective you will be against the top ransomware families from the field. Continuously evaluate your ability to detect and contain an attack. Identify changes required to help ensure your defenses can block or contain modern ransomware. | Mandiant Advantage
Tabletop Exercise – Technical and Executive | Evaluate your ransomware incident response plan through scenario gameplay. Mandiant identifies gaps between your documented and expected response versus what actually happens during a real-world attack. | Mandiant Consulting Services

Prevent
Mandiant Advantage Automated Defense | Access automated Mandiant expertise to rapidly identify indicators of compromise (IOCs) from active and targeted ransomware in your environment. Reduce threat actor dwell time and lessen the impact of an attack with real-time awareness at machine speed, scale and consistency. | Mandiant Advantage
Mandiant Advantage Managed Defense | Enlist Managed Defense experts for 24/7 support to minimize your risk from strategic ransomware threats to protect your organization from extortion, ransom, downtime and theft. | Mandiant Managed Services
Expertise On Demand | Request investigations into ransomware threats with the click of a button–when you need it. Our experts will respond with commentary and analysis based on the collective threat intelligence and expertise of Mandiant. | Mandiant Consulting Services

Respond
Incident Response Service | Activate the best-in-business response experts to complete in-depth attack analysis, perform crisis management over the complete attack lifecycle and help recover business operations after a breach. | Mandiant Consulting Services
Incident Response Retainer | Retain Mandiant incident response experts on standby with a competitive 2-hour service level agreement (SLA) option that enables faster and more effective response to cyber incidents. | Mandiant Consulting Services
Conclusion
With Mandiant you can address the challenge of ransomware and mitigate or significantly minimize the overall impact of this attack type. After identifying the critical assets that attacks can reach in your environment, you can uncover technical and operational weaknesses and in turn make both strategic and tactical improvements.
About Mandiant
Since 2004, Mandiant® has been a trusted partner to security-conscious organizations. Today, industry-leading Mandiant threat intelligence and expertise drive dynamic solutions that help organizations develop more effective programs and instill confidence in their cyber readiness.

Mandiant
11951 Freedom Dr, 6th Fl, Reston, VA 20190
(703) 935-1700
833.3MANDIANT (362.6342)
info@[Link]
©2022 Mandiant, Inc. All rights reserved. Mandiant is a registered trademark of Mandiant, Inc. All other brands, products, or service
names are or may be trademarks or service marks of their respective owners. M-EXT-SB-EN-US-000420-01