Adrian Aron
Consultant Systems Engineer
Oct 2016
Cisco Security
Ransomware Defense
Agenda
Ransomware?
The Anatomy of an Attack Video
Cisco Ransomware Defense Solutions
Ransomware is a Massive Market
Size of the ransomware market: $1B and growing
$209M in Q1 CY2016
YoY growth of 1000% since CY2015
The Evolution of Ransomware Variants
[Timeline figure; years marked on the slide: 2001, 2005, 2006, 2007, 2008, 2012, 2013, 2014, 2015, 2016]
Variants and milestones shown, in slide order: GPCoder, Fake Antivirus, First commercial Android phone, QiaoZhaz, CRYZIP, Redplus, Bitcoin Network Launched, Reveton.A, Ransomlock, Dirty Decrypt, Cryptorbit, Cryptographic Locker, Urausy, Cryptolocker, CryptoDefense, Koler, Kovter, Simple Locker, Cokri, CTB-Locker, TorrentLocker, CoinVault, Svpeng, TeslaCrypt, Virlock, Lockdroid, Reveton, Tox, Crypvault, DMALock, Chimera, Hidden Tear, Lockscreen, TeslaCrypt 2.0, Cryptowall, SamSam, Locky, Cerber, Radamant, HydraCrypt, Rokku, Jigsaw, PowerWare, 7ev3n, KeRanger, Petya, TeslaCrypt 3.0, TeslaCrypt 4.0, TeslaCrypt 4.1
How Ransomware Works
EMAIL-BASED INFECTION: Email w/ Malicious Attachment -> Ransomware Payload -> Encryption Key from C2 Infrastructure -> Files Inaccessible
WEB-BASED INFECTION: User Clicks a Link or Malvertising -> Malicious Infrastructure -> Ransomware Payload -> Encryption Key from C2 Infrastructure -> Files Inaccessible
Play the Video: “Anatomy of an Attack”
https://youtu.be/4gR562GW7TI
Let’s Review the Steps of the Attack
The hacker used a valid-looking email to deliver a file to employees.
Except the originating domain name wasn’t exact: quallcart.com
The hacker then built enough “trust” in the email to get employees to open the file.
The malicious file executed on the employee’s laptop.
The first payload is a ransomware attack, used as a decoy.
Ultimately, the hacker stole customer data & financial information from the organization.
The side payload was used to exfiltrate data.
Ransomware Defense Solutions
Architectural Force Multiplier: Ransomware defense
NGFW with AMP: Reinforce the Perimeter
AMP for Endpoints: Protect Key Endpoints
Network as a Sensor and Enforcer: Leverage the Network
OpenDNS Umbrella: Extend Security off Network
Cisco Email Security with AMP would have inspected the email and detected the malware. Initial SPF, DKIM and DMARC checks can easily spot this type of e-mail.
Cisco AMP for Endpoints would have detected and blocked the ransomware on the laptops and prevented the PDF attachment from opening.
Cisco Umbrella and Firepower NGFW would have blocked the ransomware from calling out to the internet.
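As an added example (not from the deck and not Cisco product code), here is a Python triage routine for the email checks described above: it reads the SPF/DKIM/DMARC verdicts from an Authentication-Results header and flags a sender domain that is one edit away from a trusted domain, as quallcart.com was. The sample headers and the legitimate partner domain qualcart.com are constructed assumptions.

```python
import email
import re
from email import policy

# Constructed sample headers. The legitimate partner domain "qualcart.com" is
# an assumption; the deck only says the sender domain "quallcart.com" was off.
SUSPECT = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=quallcart.com; dkim=none; dmarc=fail header.from=quallcart.com
From: Accounts Payable <billing@quallcart.com>
Subject: Invoice attached

"""
LEGIT = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=qualcart.com; dkim=pass header.d=qualcart.com; dmarc=pass header.from=qualcart.com
From: Accounts Payable <billing@qualcart.com>
Subject: Invoice attached

"""
TRUSTED_DOMAINS = {"qualcart.com", "example.org"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches doubled or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def auth_results(msg) -> dict:
    """Extract the spf/dkim/dmarc verdicts the receiving MTA recorded."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def triage(raw: str) -> dict:
    """Flag mail whose From: domain is a near-miss of a trusted domain or fails DMARC."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    results = auth_results(msg)
    lookalike = next((d for d in TRUSTED_DOMAINS
                      if d != from_domain and edit_distance(d, from_domain) <= 1), None)
    reasons = [f"{k}={results.get(k, 'none')}" for k in ("spf", "dkim", "dmarc")
               if results.get(k) != "pass"]
    if lookalike:
        reasons.insert(0, f"{from_domain} is a lookalike of trusted {lookalike}")
    return {"from_domain": from_domain, "lookalike_of": lookalike, "reasons": reasons,
            "quarantine": bool(lookalike) or results.get("dmarc") != "pass"}
```

The suspect message is quarantined for both the lookalike domain and the failed SPF/DMARC verdicts, while the legitimate one passes with no reasons recorded.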
Simple Open Automated
Effective Security