Michael Kemps, CEO, Innovative Computing Systems, Inc.
THE RISE OF RANSOMWARE AND ITS THREAT TO THE LEGAL PROFESSION
@ICSGetsIT
RANSOMWARE AND SECURITY BREACHES:
THREATS & RISKS
THE RISE OF RANSOMWARE AND SECURITY BREACHES
• What is Ransomware?
– Acquired by a simple click on an otherwise seemingly legitimate email
– Encrypts all files instantly – on premise or cloud
– Criminals demand money via untraceable Bitcoins
– Decryption takes much longer than encryption
– Recent events resulted in the FBI suggesting companies pay the ransom
• https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/
• Attacks increasing exponentially in the legal community!
– Hackers Breach Law Firms, Including Cravath and Weil Gotshal
• http://www.wsj.com/articles/hackers-breach-cravath-swaine-other-big-law-firms-1459293504
– Law360: “‘Cryptolocker’ Virus Holding Law Firm Data For Ransom”
• http://www.law360.com/articles/629305/cryptolocker-virus-holding-law-firm-data-for-ransom
– 80% of the country’s top 100 law firms have had a security breach
• http://www.bloomberg.com/news/articles/2015-03-19/cyber-attacks-force-law-firms-to-improve-data-security
– Panama Papers Leak Casts Light on a Law Firm Founded on Secrecy
• http://www.nytimes.com/2016/04/07/world/americas/panama-papers-leak-casts-light-on-a-law-firm-founded-on-secrecy.html?_r=0
IT WOULD NEVER HAPPEN TO ME!
ABA 2015 TECH SURVEY…
CONSEQUENCES
• Loss of client assets
• Increased firm risk
• Significant downtime
• Loss of money
• Reputation
• Opportunity cost
CASE STUDY: LOS ANGELES LAW FIRM
RANSOMWARE STRIKES TWICE
• Boutique Los Angeles-area law firm
• Hit with two variants of CryptoLocker, a popular ransomware program
• First ransom demand: Almost $25,000
• Ransomware code executed with full access to all shared, roaming profile directories of all users, giving them access to local workstations and servers
• Required server mitigation and reimaging of 50 desktops (two days for all desktops)
• Five days of downtime right before Christmas 2015
HOW DID THEY GET IN?
• Likely originated in Citrix/RDP server
• Part-time IT consultant gave domain administrative privileges to all users
• Old workstations, software and storage
• 2014 Windows image had not been updated since creation
• That’s 2½ years of updates for every machine
• Slower Internet connection than most modern cell phones
AFTER THE 1ST ATTACK
• Fortunately, we were able to recover data and remediate damage
• We made strong arguments for upgrades to vulnerable areas in their network
• Our proposals to help prevent another attack went unheeded . . .
A FEW WEEKS LATER, THEY WERE HACKED AGAIN.
• Second ransom demand around $15,000
• Hack not as bad this time, as it was localized, for the most part
• Only one workstation hit, but . . .
• Virus was able to inject itself into some server shares
NEW PLAN
The law firm is planning to:
– Increase Internet speed
– Implement new firewalls
– Purchase SAN and new VM host
– Purchase new servers
– Replace anti-virus with next-generation endpoint protection
STILL THINK IT CAN’T HAPPEN TO YOU?
WHY SO MANY THREATS REMAIN UNDETECTED
Evasion Techniques
• Wrappers: Designed to turn known code into a new binary
• Variations / Obfuscators: Designed to slightly alter code to make known code appear new/different
• Packers: Designed to make sure code runs only on a real machine (anti-VM, dormant, interactions, anti-debug)
• Targeting: Designed to allow code to run only on a specific target machine/configuration
• Malicious Code: The actual code that runs. Always the same goals: persist, steal/spy, exfiltrate, etc.
CONSIDERATIONS?
• Traditional antivirus is not enough
• “We have a firewall, right?!”
• Multi-layered approach is a must
– Regular vulnerability scanning
– Current and patched environment
– Next-generation endpoint protection
THE SOLUTION:
NEXT-GENERATION ENDPOINT PROTECTION
NEXT-GENERATION ENDPOINT PROTECTION
• Real-time analysis and root cause forensic investigation
• Automatic Mitigation: Quarantine files and endpoints
• Rollback and Immunize: Automatic remediation to undo system changes
• Dynamic Execution Inspection: Full system monitoring to protect from evasive, packed malware and attack code
• Reputation-based preemptive block and prevention policies: Protect from known threats
NEXT-GENERATION ENDPOINT PROTECTION
• Dynamic Memory Inspection: Protect from app- and memory-based exploits and drive-by downloads
PROTECT ALL VECTORS OF ATTACK
Cover all vectors of attack (categories: Malware, Exploits, Live/Insider)
• Fileless: Memory-only malware, no disk-based indicators
• Documents: Exploits rooted in Office documents, Adobe, macros; spearphishing emails
• Browser: Drive-by downloads, Flash, Java, JavaScript, VBS, iframe/HTML5, plug-ins
• Scripts: PowerShell, WMI, PowerSploit, VBS
• Credentials: Credential scraping, Mimikatz, tokens
• Executables: Malware, Trojans, worms, backdoors, payload-based
WHICH ENDPOINT PROTECTION PLATFORM . . . AND WHY?
WE KNOW ANTIVIRUS ISN’T ENOUGH, BUT . . .
[Comparison chart of endpoint protection platforms; feature rows: Prevention, Anti-Exploitation, Dynamic Anti-Malware / Sandbox, Mitigation, Remediation, Forensics. Product captions recoverable from the chart:]
• Exploit protection only, CPU intensive, needs to offload to sandbox to analyze files, prone to evasions, no visibility. Windows only.
• Static inspection, pre-execution, statistics (“math”) based binary profiling, zero visibility or endpoint forensics. Windows only.
• Traps
• The only full on-device detection and forensic solution not prone to evasions or bypasses
• No exploit/malware detection beyond cloud intelligence indicator matching
OUR CHOICE…
ANTIVIRUS REPLACEMENT
• 99% Real-world detection
• 98% Prevalent malware
• 0% False positives
• 6 Performance score (5–25 scale)
True, Complete Antivirus Replacement
Protect from legacy threats as well as advanced threats, while still maintaining compliance.
One agent, no scans, no constant updates, small footprint. No static signatures, no IOCs.
INDUSTRY ACCOLADES
• The Case of Gyges, the invisible malware
• The evolution of Dyre
• OSX Kernel Rootkits and memory vulnerabilities (SHAKACON)
• Today’s multi-headed malware needs a multi-pronged solution
• Computing goes to the cloud – so does crime
• Sony Hack Signals Threat to Destroy Data, Not Just Steal It
• The state of cybersecurity in the enterprise: 2015
Blogs
• WireLurker Malware Targets iPhone and Mac
• Unpatched Vulnerabilities Leave Apple Users at Risk
• Sandworm Demonstrates Why Patches aren’t Foolproof
• Is Zero Day Java Exploit Detection Possible?
• More Embedded Systems Havoc: ATM Hacks Target Endpoints Once Again
• Internet Explorer Vulnerability Kept Secret For Three Years
• RSA Innovation Sandbox Finalist 2015
• RSA Shark Tank 20 CISO Panel Winner
QUESTIONS?