www.SCStateHouse.gov Michael Lauth, Security Analyst
Ransomware

What is Ransomware?

• Computer malware that mounts a cryptovirology attack
• It then demands a ransom payment of some sort to restore your files
How does it work?

1. [attacker→victim] The attacker generates a key pair and places the corresponding public key in the malware. The malware is released.
2. [victim→attacker] When the malware decides to attack, it generates a random symmetric key and encrypts the victim's data with it. It uses the public key in the malware to encrypt the symmetric key. This is known as hybrid encryption and it results in a small asymmetric ciphertext as well as the symmetric ciphertext of the victim's data. It zeroizes the symmetric key and the original plaintext data to prevent recovery. It puts up a message to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.
3. [attacker→victim] The attacker receives the payment, deciphers the asymmetric ciphertext with his private key, and sends the symmetric key to the victim. The victim deciphers the encrypted data with the needed symmetric key.
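The three steps above, as an added classroom illustration that is not part of the original slides: a constructed, deliberately tiny RSA key pair (two known Mersenne primes) and a toy SHA-256 XOR stream cipher stand in for the real public-key and symmetric algorithms, and all data stays in memory. The point for a defender is visible in the return values: the ransom note carries only a few bytes of wrapped key, and nothing the victim holds recovers the symmetric key without the attacker's private exponent D, which is why offline backups, not decryption, are the recovery plan.

```python
import hashlib
import secrets

# Constructed toy RSA key pair for illustration only: two known Mersenne primes
# give a 92-bit modulus, far below anything secure. This stands in for the
# attacker's key pair from step 1; only E and N would travel inside the malware.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the attacker


def toy_stream_cipher(key: int, data: bytes) -> bytes:
    """Toy symmetric XOR cipher keyed by SHA-256(key || block index).
    Encrypt and decrypt are the same operation (stand-in for a real AES mode)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def hybrid_encrypt(plaintext: bytes, sym_key=None):
    """Step 2: a fresh 64-bit symmetric key encrypts the bulk data, and the
    public key wraps only that key. Returns (small asymmetric ciphertext,
    symmetric ciphertext); the plaintext and sym_key are what the malware wipes."""
    if sym_key is None:
        sym_key = secrets.randbits(64)
    asym_ct = pow(sym_key, E, N)  # this integer is what the ransom note displays
    sym_ct = toy_stream_cipher(sym_key, plaintext)
    return asym_ct, sym_ct


def unwrap_key(asym_ct: int) -> int:
    """Step 3, attacker side: only the holder of D can recover the symmetric key."""
    return pow(asym_ct, D, N)


def recover(asym_ct: int, sym_ct: bytes) -> bytes:
    """Victim side after the key is returned: symmetric decryption of the data."""
    return toy_stream_cipher(unwrap_key(asym_ct), sym_ct)


def ciphertext_sizes(asym_ct: int, sym_ct: bytes) -> tuple:
    """Why the note is small: the wrapped key is a few bytes regardless of data size."""
    return ((asym_ct.bit_length() + 7) // 8, len(sym_ct))


if __name__ == "__main__":
    sample = b"constructed sample document contents" * 20  # constructed input
    asym_ct, sym_ct = hybrid_encrypt(sample)
    print("asymmetric/symmetric ciphertext bytes:", ciphertext_sizes(asym_ct, sym_ct))
    assert recover(asym_ct, sym_ct) == sample  # works only because D is in this process
```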
How Ransomware Spreads
• Web ‘drive by’ downloaders
• USB sticks and devices
Spear Phishing is the #1 Way Ransomware is Delivered

94% of people could not tell the difference between a real email and a spear phishing email
Source: intermedia.net/report/ransomware
Risks and Impact of Ransomware
• Inadequate protection of email can easily lead to a ransomware attack
• ‘An ounce of prevention is worth a pound of cure’ is particularly true
• Ransomware encryption is so advanced that even law enforcement agencies like the FBI are unable to decrypt it
• The impact of ransomware is immediate
  • Ransom payments
  • Remediation time and costs
  • Business disruption
  • Brand damage
The Impact of the Current Model

• $3.5M: average cost of a breach
• 205 days: median number of days before detection
• 32 days: to respond to a breach
• 69% of companies learned they were breached from an external entity
• 97% of organizations were breached; 3/4 had active command and control communications

Source: Mandiant M-Trends Report / Ponemon Cost of Data Breach Study; “Cyber Security’s Maginot Line: A Real-World Assessment of the Defense-in-Depth Model”
Think Like Your Attacker

Who are they?
‣ Teams of humans targeting you
‣ Highly tailored and customized attacks
‣ Need insight on which adversaries may be targeting your industry

Have they gained access?
‣ Removing malware doesn’t eliminate the attacker
‣ Need threat intel that detects malware linked to known adversary groups

How do you stop them?
‣ Attackers evade detection by using existing tools and protocols
‣ However, they use them in identifiable ways
‣ Need attacker profiles that detail the tools, techniques and procedures employed by adversaries
What SC does

South Carolina uses a layered approach

Network Traffic
1. Active layer of ACLs on our edge router & internal connections
2. Application based firewall (NGFW)
3. IPS/IDS
4. Advanced Anti-Malware product
5. Endpoint protection

Our email security is also layered
1. Standard anti-spam firewall
2. Advanced Anti-Malware product
3. Exchange rules
We have had great success with products from FireEye for Advanced Malware protection and detection.
Malware Detection

Here are some reports on malware detection. These are malware-ridden packages which made it past our standard anti-spam product, Cisco IronPort. The IronPort has an AV engine in use from Sophos.

Malware Detection

Example of a document which made it past our first layer of protection but was picked up by the FireEye.