Enterprise Ransomware Resources

The focus of these resources is more on building resilience against the systemic threat of ransomware from an enterprise perspective. Last updated 2022-02-18. Feel free to send pull requests or tips to me.

Guidance

• ransomware.org:
  • Solid material on what ransomware is, how it works, how to prevent it and how to remove it
  • Ransomware Fundamentals videos and webinars
  • The Ransomware - Understand. Prevent. Recover. book by Allen Liska (2021)
• FS-ISAC: Ransomware Essentials
• Joint CISA/NCSC-UK/ACSC: AA22-040A: 2021 Trends Show Increased Globalized Threat of Ransomware (2022-02)
• Cybersecurity & Infrastructure Security Agency (CISA):
  • StopRansomware
  • Cyber Security Evaluation Tool (CSET) with a Ransomware Readiness Assessment (RRA) module
  • MS-ISAC Ransomware Guide + Ransomware Response Checklist(2020-09)
  • AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
  • AA20-049A: Ransomware Impacting Pipeline Operations
  • Tabletop Exercise Packages (CTEPs), including ransomware
• FBI Internet Crime Complaint Center (IC3):
  • CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack
• Australian Cyber Security Centre (ACSC):
  • Ransomware {Emergency Response One-Pager, Prevention and Protection Guide, Action Checklist, Emergency Response Guide} (not really aimed at the enterprise level)
• NCSC-UK:
  • Mitigating malware and ransomware attacks (2021-09)
  • Ransomware: What board members should know and what they should be asking their technical experts (2021-06)
• NCSC-NZ: Protecting from ransomware, incl. lifecycle of a ransomware incident flowchart (2021)
• Canadian Centre for Cyber Security:
  • ITSAP.00.099: How to prevent and recover from ransomware (2021-09) + Ransomware playbook (2021-11)
• Institute for Security + Technology: Ransomware Task Force (RTF): Combating Ransomware (2021-09)
• European Union Agency for Cybersecurity (ENISA):
  • ENISA Threat Landscape 2021 (2021-10)

• Information Security Forum (ISF): Extinction Level Attacks: A Survival Guide (2020-11), Understanding the Ransomware Menace (2021)
• VirusTotal: Ransomware in a Global Context (2021-10)

• National Institute of Science and Technology (NIST):
  • Computer Security Resource Center (CSRC):
    • Getting Started with Cybersecurity Risk Management: Ransomware (2022-02)
    • IR 8374: Ransomware Risk Management: A Cybersecurity Framework Profile (2022-02)
    • Ransomware Protection and Response
    • Securing Data Integrity Against Ransomware Attacks: Using the NIST Cybersecurity Framework and NIST Cybersecurity Practice Guides
    • SP 1800-11: Data Integrity: Recovering from Ransomware and Other Destructive Events (2020-09)
    • SP 1800-25: Identifying and Protecting Assets Against Ransomware and Other Destructive Events (2020-12)
    • SP 1800-26: Detecting and Responding to Ransomware and Other Destructive Events (2020-12)
    • SP 800-184: Guide for Cybersecurity Event Recovery (2016-12)
  • National Cybersecurity Center of Excellence (NCCoE):
    • Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events 
  • Microsoft:
    • Ransomware and Extortion (2022-02-19)
    • Backup and restore plan to protect against ransomware (2022-02-19)
    • DART ransomware approach and best practices (2022-02-19)
    • Azure Defenses for Ransomware Attack (2021-09-10)

Incident Reports

• PWC incident report on the Conti attack against the Irish Health Security Executive (2021-12) + lessons learned by HHS.gov (2022-02)
• KPMG incident report on the attack against Østre Toten municipality in January 2021 (2021-10)

Selected Papers

• The Transnational Cybercrime Extortion Landscape and the Pandemic: Changes in Ransomware Offender Tactics, Attack Scalability and the Organisation of Offending - David S. Wall, European Law Enforcement Research Bulletin (2021)

Insurance

• Lloyds:
  • Guidance for Handling a Ransomware Incident (2021-12)
  • Y5359: Guidance for Handling a Ransomware Claim Incident (2021-12)

Storage Management, incl. and Backup/Restore

• NIST: SP 800-209: Security Guidelines for Storage Infrastructure (2020-10)

Threat Actors and TTPs:

• CISA: BlackMatter, Conti, Conti #2, Conti #3, Darkside, SamSam, Petya
• FBI: Diavol (2022-01), BlackByte (2022-02), Cuba (2021-12), HelloKitty + BlackMatter (2021-10), Hive (2021-08), Darkside (2021-05)
• ACSC: Conti (2021-12), LockBit 2.0 (2021-08)
• Joe DiMaggio: The History of REvil (2022-01-27)
• CERT-FR: CERTFR-2021-CTI-006: Ryuk (2021-02), CERTFR-2021-CTI-007: Egregor (2021-03)
• The DFIR Report (multiple excellent blog posts)
• Conti Ransomware Playbook leak
• Conti February 2022 Leak + Procedures

Miscellaneous

• Ransomware Overview - By @nyxbone and @cyb3rops
• Ransomware Reports

• Curated Intelligence: Initial Access Broker Landscape
• Simulators: Ransim, QuickBuck
• Emsisoft/Fabian Wosar: Decryption tools, faster decryption, various guidance and commercial tooling
• Andy Robbins of SpecterOps: BloodHound versus Ransomware: A Defender’s Guide (2021-06-08)
• Amazon AWS:
  • Ransomware mitigation: Top 5 protections and recovery preparation actions (2021-09)
  • Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF) whitepaper (2021-09)
  • Securing your AWS environments from ransomware (2020-04)

Selected Nordic Ransomware Incidents

Material on Defendable Enterprises split out into separate list available here.