Flashpoint Launches Ransomware Response & Readiness Service
19.7.18 securityweek 
Ransomware

Threat intelligence and research company Flashpoint on Wednesday announced the launch of a new service designed to help organizations prepare and respond to ransomware and other types of cyber extortion incidents.

The new Threat Response & Readiness Subscription is available immediately, both as an extension to Flashpoint’s other business risk intelligence offerings and a standalone service that can be purchased separately. Pricing is customized based on the customer’s requirements for response and readiness engagements.

The readiness part of the service includes ransomware workshops, tabletop exercises (TTX), and pre-negotiated rates and engagement hours. The workshops are designed to educate the customer’s employees on ransomware, including how it works, how organizations can become infected, attacker profiles, and cryptocurrencies.

The TTX involves discussing simulated scenarios, assessing the effectiveness of current response plans, establishing roles and responsibilities, and improving coordination.

As for incident response, Flashpoint provides research on the threat actor launching the attack, engages with the attacker in an effort to determine appropriate mitigations, and even helps the victim acquire cryptocurrency in case they decide to pay the ransom.

“While law enforcement and the security community generally do not recommend that victims pay ransoms or extortion demands, in some cases it is the most reasonable decision, particularly for organizations concerned with the consequences of impermissible downtime and the inaccessibility of critical systems or data,” Tom Hofmann, VP of Threat intelligence at Flashpoint, told SecurityWeek.

“Determining whether or not to pay a ransom or extortion demand is a highly individual and situational decision. Deciding factors generally include available evidence, information, estimated impact, and perhaps most importantly, the estimated validity of the attacker’s claims—in other words, if a payment is made, will the attacker actually unlock or deliver the data?” Hofmann added.

As part of the response service, Flashpoint directly engages with the attacker on behalf of the customer to verify if the threat is real and if the hackers’ claims are credible, determine if the compromised data may be recovered by other means, identify mitigations, and, if necessary, pay the ransom.

Analyzing the threat also involves investigating the digital wallet accepting the ransom or extortion payment, which can provide insight into the validity of the attacker’s claims.

“In some cases, suspected attackers are actually just automated bots attempting to scam victims into paying and have no intention of encrypting or otherwise compromising the victim’s data. If analysis reveals that a unique wallet has not been configured for each unique infection, it is an indicator that the attacker may be less sophisticated, an automated bot could potentially be involved, and further analysis is likely required,” Hofmann explained.

Flashpoint strongly discourages any individual or organization from engaging directly with the threat actor on their own, due to “the inherent difficulties and security risks involved,” Hofmann said.