Ransomware Response in Action: Lessons from the Frontlines
2025-06-21 , Track 2 (Moody Rm. 101)

Is your incident response team ready for ransomware? This session delivers a technical walkthrough of how ransomware attacks unfold, from initial compromise to lateral movement and data exfiltration. Through a real-world case study, we’ll explore forensic investigation techniques, containment strategies, and recovery planning. Attendees will gain actionable insights to enhance readiness and reduce dwell time during high-impact incidents.


Outline (I will add or modify examples based on the most recent ransomware case I work on):
I. Introduction
• About author
• Overview of ransomware, purpose of the talk and set expectations.
• Explain how the presented information can be used by the security teams.

II. Anatomy of a Ransomware Attack
• Pre-encryption and post-encryption ransomware
o Pre-encryption stage indicators:
- Alerts or activity identified by the security team for Tactics, Techniques and Procedures (TTPs) that indicate a potential ransomware actor.
- Suspicious file activity such as bulk zip file creation, or performance slowdown on file servers, databases or critical systems. Spikes in CPU usage or network traffic.
- Antivirus, EDR and other security tools being disabled.
- Recent tampering with backups and deletion of Volume Shadow Copies.
- Tracking the TTPs used can help identify the ransomware group during the pre-encryption stage, since a ransomware group usually uses similar TTPs against each victim.
o Post-encryption stage indicators:
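As an added example (not part of the talk material), the following Python scanner runs over a few constructed process-creation log lines and flags hosts showing the pre-encryption indicators listed above: shadow copy deletion, backup tampering, security tooling being disabled, and a burst of archive creation that suggests staging. The log format, hostnames and commands are all made up for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines (host, user, command line). Not from any real case.
SAMPLE_LOGS = [
    "host=FS01 user=svc_backup cmd=vssadmin.exe delete shadows /all /quiet",
    "host=FS01 user=svc_backup cmd=wbadmin delete catalog -quiet",
    "host=WS07 user=jdoe cmd=powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    "host=FS01 user=svc_backup cmd=7z.exe a -r D:\\staging\\finance.zip \\\\FS01\\Finance",
    "host=FS01 user=svc_backup cmd=7z.exe a -r D:\\staging\\hr.zip \\\\FS01\\HR",
    "host=FS01 user=svc_backup cmd=7z.exe a -r D:\\staging\\rnd.zip \\\\FS01\\RnD",
    "host=WS02 user=asmith cmd=notepad.exe C:\\Users\\asmith\\notes.txt",
]

LINE_RE = re.compile(r"^host=(\S+) user=(\S+) cmd=(.*)$")

# Indicator patterns grouped by the pre-encryption behaviours named in the outline.
INDICATORS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
    "backup_tampering": re.compile(r"wbadmin\s+delete\s+catalog|bcdedit\s+.*recoveryenabled\s+no", re.I),
    "security_tool_disable": re.compile(r"Set-MpPreference\s+-Disable|sc(\.exe)?\s+stop\s+\S*(defend|edr|sense)", re.I),
    "archive_staging": re.compile(r"\b(7z|rar|winrar)(\.exe)?\s+a\b", re.I),
}

def scan(lines, archive_threshold=3):
    """Return {host: {indicator: count}} for hosts showing at least one indicator."""
    per_host = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        host, _user, cmd = m.groups()
        for name, pattern in INDICATORS.items():
            if pattern.search(cmd):
                per_host.setdefault(host, Counter())[name] += 1
    # A single archive creation is routine admin work; only a burst counts as staging.
    for counts in per_host.values():
        if counts.get("archive_staging", 0) < archive_threshold:
            counts.pop("archive_staging", None)
    return {h: dict(c) for h, c in per_host.items() if c}

def triage(lines):
    """Hosts with two or more distinct indicator types warrant immediate containment."""
    findings = scan(lines)
    return sorted(h for h, c in findings.items() if len(c) >= 2)

if __name__ == "__main__":
    print(scan(SAMPLE_LOGS))
    print("contain first:", triage(SAMPLE_LOGS))  # → ['FS01']
```

In a real environment the same logic would be fed from EDR or Sysmon process-creation telemetry, and the thresholds tuned against a baseline of normal backup and archiving activity.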
• Ransomware Kill Chain
o Initial Access
- Phishing and Social Engineering
• Phishing emails containing malicious attachments or links that drop malware or lead to a phishing website that harvests user credentials.
• Drive-by compromise
• Search Engine Optimization (SEO) poisoning
• Social engineering of the helpdesk or users
- Exploitation of software and internet-facing or internet-exposed services
• Brute forcing of internet-exposed services and applications like RDP and Citrix portals
• Exploitation of known and zero-day vulnerabilities in vulnerable software.
• Supply chain attacks
- Insider Threats
- Role of Initial Access Brokers
o Credential Harvesting
- Threat actors need highly privileged accounts to move laterally, run malware and become gods of the environment. They either dump credentials or exploit vulnerabilities to escalate privileges.
- Ransomware groups commonly use the following tools and techniques:
• Mimikatz
• LSASS memory dumping
• LaZagne
• NTDS.dit dumping
• SAM database dumping
- In addition to system credentials, some Threat Actors collect credentials and cookies stored in web browsers.
o Land and Expand
- After gaining initial access, the threat actor may leverage a combination of Living off the Land Binaries (LOLBins), off-the-shelf tools and custom malware of choice to execute the next stages of the attack.
• Network scanners and discovery
• Active Directory enumeration
• Tools for credential harvesting
• Lateral movement using RDP, SSH and similar tools and protocols.
• Tools and malware for persistence
o Persistence
- Threat Actor may install persistence mechanisms that will allow them to maintain multiple access points to the environment.
- Threat Actor may use the following techniques to maintain persistence:
• Services, autoruns, registry run keys, startup items, WMI, scheduled tasks, cron jobs, init scripts, kernel modules, bootkits and more.
- Run custom malware, reverse shells, Cobalt Strike, and off-the-shelf Remote Access Tools like:
• AnyDesk, ScreenConnect, TeamViewer, LogMeIn, NetSupport Client, Bomgar
o Data exfiltration
- Most ransomware groups use a double extortion technique, where they exfiltrate data before encrypting it. The ransom is demanded in exchange for the decryption key and suppression of the stolen data, and the group threatens to publish the data on a Threat Actor operated leak site or dark web forums if the ransom is not paid.
- Threat Actors search for sensitive data such as:
• Finance
• R&D
• HR data
• Payroll
• Intellectual Property
• User Personal Data
- Threat Actors generally use data transfer tools like WinSCP, FileZilla and Rclone, and cloud storage platforms like Mega and OneDrive.
o Encryption
- This is the last stage of the attack where the encryptor is executed.
- Deployment mechanisms
• PsExec, Group Policy, PDQ Deploy, and built-in deployment capabilities
- How encryptors differ from group to group: this section will cover unique examples of ransomware executables and show their differences and commonalities.
• Encryption algorithms
• Methods used for efficient encryption.
• Case Study
This section will walk the audience through a fictional scenario based on a real ransomware attack, provide an in-depth view of how a ransomware attack unfolds, and create a base for the next “Aftermath” section.

    Mythical Fortress Inc. is a global medical device manufacturer. They are headquartered in the USA, with a manufacturing plant in the USA and satellite offices across the globe. On a Friday morning, employees at the USA location found a note on their screens and encrypted files, and were unable to access services on the network. The note indicated that it was BlackBasta ransomware and provided a .onion link for the next steps.

III. Aftermath
• Invoke and follow IR plan. Containment is Key!
• Is your email compromised? Set up an out-of-band communication channel.
o Threat Actors can monitor your email and chats. Threat hunt and validate.
o Steps to protect from such events.
• Assemble management, internal and external technical and legal teams.
o Third party IR firm, restoration partners, ransomware negotiators.
• Any legal obligations to notify law enforcement or customers.
• Investigating a ransomware incident - the when, what and how
• Recovery
o Check if fileserver and backups are viable.
o Assess the impact of encryption and make a list of critical systems needed to restore business.
o Follow a Red, Yellow and Green bucket recovery strategy.
• Should you reach out to the Threat Actor for ransom negotiations?
• Common mistakes and lessons learned.
o Common mistakes, including but not limited to:
- Asset management
- Security tooling, controls, and visibility over the environment
- Robust backup mechanisms
o Propose security recommendations for efficient response.
- Operations
- Logging
- Access Control
- Credential Protection
- Data Protection
- Audits and proactive Assessments

IV. Conclusion and Takeaways
• Conclude the talk and summarize key takeaways.

Takeaways:
• Knowledge of how ransomware attacks work, the stages of an attack, and how to prepare for, respond to and investigate a first ransomware attack.
• What questions to ask while preparing for and investigating a ransomware incident.
• Best practices and security recommendations that will help the audience protect against such attacks, minimize their impact, and prepare to respond.

Aishwarya Desai is a Senior Digital Forensics and Incident Response (DFIR) Consultant at Aon, with 5 years of experience in the field. He has led numerous engagements, including ransomware attacks, unauthorized access incidents, and business email compromise cases.