Peter Wood, Chief Executive Officer
First Base Technologies LLP
Ransomware: All your files now belong to us
The future and impact of ransomware
Slide 2 © First Base Technologies 2016
Peter Wood
Founder and CEO - First Base Technologies LLP
• Engineer, IT and information security professional since 1969
• Fellow of the BCS, the Chartered Institute for IT
• Chartered IT Professional
• CISSP
• Senior Member of the Information Systems Security Association (ISSA)
• 15 Year+ Member of ISACA, Member of the ISACA Security Advisory Group
• Member of the Institute of Information Security Professionals
• Member of the BCS Information Risk Management and Assurance Group
• Chair of white-hats.co.uk
• UK Programme Chair for the Corporate Executive Programme
• Member of ACM, IEEE, First Forensic Forum (F3), Institute of Directors
• Member of Mensa
Introduction
Ransomware: All your files now belong to us
Definition
Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a ransom is paid.
More modern ransomware families, collectively categorised as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key.
Source: http://www.trendmicro.com/vinfo/us/security/definition/Ransomware
Scale
Source: http://phishme.com/q1-2016-sees-93-phishing-emails-contain-ransomware/
Business impact
• Ransom 'fee'
• User support during incident
• Lost user productivity
• Recovery and restoration
• Crisis management
• Press and PR
• Communicating with customers and business partners
• Post-incident analysis
• Planning for mitigating controls
• Implementing mitigating controls
• Testing mitigating controls
Target systems
• PCs and laptops
• Mobile devices
• Servers
• Networks
• Databases
• Cloud systems
• Online backups
• Real-time DR systems
• ICS / SCADA systems
Infection
• Downloaded onto systems when unwitting users visit malicious or compromised websites
• Arrives as a payload dropped or downloaded by other malware
• Delivered as attachments from spammed email
• Downloaded from malicious pages through malvertisements*
• Dropped by exploit kits onto vulnerable systems
Source: http://www.trendmicro.com/vinfo/us/security/definition/Ransomware
* an online advertisement that is infected with malicious code
Evolution
Ransomware: All your files now belong to us
Evolution: RaaS
Evolution: Try before you buy
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf
Evolution: IoT
Evolution: Office 365
22 June: Avanan's Cloud Security Platform detected a massive attack against its customers that were using Office 365.
The zero-day Cerber ransomware was spread through email attachments whose macros installed it; it then encrypted users' files.
The malware played an audio file informing the user that the computer's files had been encrypted, while a warning message was displayed on screen.
Source: http://www.avanan.com/resources/attack-on-office-365-corporate-users-with-zero-day-ransomware-virus
Evolution: worm behaviour
Source: https://blog.knowbe4.com/microsoft-alert-zcryptor-ransomware-with-worm-feature
Targeted Ransomware
Ransomware: All your files now belong to us
Targeted ransomware: Samas
Source: https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/
Infection chain diagram:How Ransom:MSIL/Samas gets into the system
Samas distribution 17 March 2016
Targeted ransomware: Samas
• In March 2016, the FBI posted an alert about SAMAS as a very real threat to enterprises and businesses
• Specifically, its ability to encrypt files not only on the system it infects but also those shared on the affected organisation’s network
• It also goes after network-stored backups, clearly in an attempt to undermine the typical recommendations for dealing with ransomware
• Threat actors currently using SAMAS are also taking advantage of the malware’s ability to enact a persistent infiltration to “manually locate and delete” the mentioned backups
• Its routines seemingly mirror those of a typical targeted attack: it uses other malicious components to do penetration tests against its target servers as well as scan them for vulnerabilities in its quest to infiltrate
Source: http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/fbi-posts-warning-about-ransomware-that-goes-after-backups
Samas case study
• MedStar, a non-profit group that runs 10 hospitals in the Baltimore and Washington area, was attacked with Samas in April 2016
• The IT department detected the intrusion in their servers and stopped the ransomware from spreading by shutting down most of its network operations
• The engineers also successfully restored three main clinical systems from backup
• This quick and active approach ultimately saved not only the hospital's reputation but also the lives of admitted patients, said Ann Nickels, a spokeswoman for the MedStar medical system
Source: http://thehackernews.com/2016/04/hospital-ransomware.html
Defences and Responses
Ransomware: All your files now belong to us
Paying the ransom
In the first three months of 2016, attacks cost victims more than $200 million. The total cost in 2015 was $325 million, so we’re going to see much more dismal results as the year goes on.
Source: http://www.datto.com/blog/ransomware-attacks-skyrocketing-in-2016
Beware: UltraDeCryptor does not deliver the decryption routines after you pay
Source: https://blog.knowbe4.com/ultradecryptor-ransomware-does-not-decrypt-your-files
Some vendors offer decryption tools for some ransomware: AVG, Kaspersky, Trend Micro, etc.
Source: http://www.thewindowsclub.com/list-ransomware-decryptor-tools
Defend yourself!
1. Air-gapped backups
2. Backups of cloud data
3. Encrypted backups of key data on write-once media (DVD, Blu-ray)
4. Regular server and database patching
5. Endpoint patching (ref Secunia)
6. Ad blocking software for browsers
7. Secure home networks for employees
8. Regular testing of the kill chain (e.g. phishing)
9. Intensive anti-ransomware training for all staff
10. Keep up to date on the evolution of ransomware
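Items 1 to 3 above, and the Samas slide earlier (backups on the network encrypted or "manually located and deleted"), both come down to the same question: can you prove that an offline copy is still intact before you restore from it? The Python below is an added example, not code from the presentation or from First Base Technologies. It records a SHA-256 manifest of a backup set, authenticates the manifest with an HMAC key that is assumed to be held off the backup host (on the air-gapped media or a separate secret store), and on re-verification reports missing, modified and newly added files, plus plain-text files whose byte entropy says they are now ciphertext. The sample files, the key, the extension list and the entropy threshold are all constructed for the example and would be tuned for a real data set; a forged manifest is caught because the attacker does not have the key.

```python
# Added example (not from the presentation): offline backup integrity check.
# Assumptions: MANIFEST_KEY is held off the backup host (air-gapped media or a
# separate secret store); sample files, PLAIN_TEXT_EXTS and ENTROPY_THRESHOLD
# are constructed for the example and should be tuned per data set.
import hashlib
import hmac
import json
import math
import tempfile
from pathlib import Path

MANIFEST_KEY = b"offline-key-held-on-air-gapped-media"  # assumed, never on the live host
PLAIN_TEXT_EXTS = {".txt", ".csv", ".log", ".json", ".xml", ".sql"}
ENTROPY_THRESHOLD = 7.5      # bits/byte; plain text sits around 4-5, ciphertext near 8
MIN_SIZE_FOR_ENTROPY = 1024  # tiny files give noisy entropy estimates

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or uniform input, 8.0 maximum."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _canonical(files: dict) -> bytes:
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and authenticate the listing with an HMAC."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "mac": hmac.new(key, _canonical(files), "sha256").hexdigest()}

def verify_manifest(root: Path, manifest: dict, key: bytes) -> dict:
    """Report manifest authenticity, missing/modified/added files, and
    plain-text files whose content now looks like ciphertext."""
    expected = hmac.new(key, _canonical(manifest["files"]), "sha256").hexdigest()
    report = {"manifest_ok": hmac.compare_digest(expected, manifest["mac"]),
              "missing": [], "modified": [], "added": [], "looks_encrypted": []}
    if not report["manifest_ok"]:
        return report  # hashes in a forged manifest prove nothing: alert and stop
    on_disk = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for rel, digest in manifest["files"].items():
        if rel not in on_disk:
            report["missing"].append(rel)
        elif sha256_file(on_disk[rel]) != digest:
            report["modified"].append(rel)
    report["added"] = sorted(set(on_disk) - set(manifest["files"]))
    for rel, path in on_disk.items():
        if path.suffix.lower() in PLAIN_TEXT_EXTS:
            data = path.read_bytes()
            if len(data) >= MIN_SIZE_FOR_ENTROPY and shannon_entropy(data) > ENTROPY_THRESHOLD:
                report["looks_encrypted"].append(rel)
    for k in ("missing", "modified", "looks_encrypted"):
        report[k].sort()
    return report

def _fake_encrypt(data: bytes) -> bytes:
    """Stand-in for a ransomware cipher: XOR with a SHA-256 counter keystream.
    Deterministic so the demo is reproducible; output is close to 8 bits/byte."""
    stream = b"".join(hashlib.sha256(b"keystream" + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def make_sample_backup(root: Path) -> None:
    """Constructed sample data standing in for a real backup set."""
    (root / "db").mkdir()
    (root / "notes.txt").write_bytes(b"quarterly figures: " + b"ok, " * 500)
    (root / "db" / "customers.csv").write_bytes(b"id,name\n" + b"1,alice\n2,bob\n" * 300)
    (root / "db" / "dump.sql").write_bytes(b"INSERT INTO t VALUES (1);\n" * 200)

def demo_after_attack() -> dict:
    """Record a manifest, simulate Samas-style tampering, then re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_backup(root)
        manifest = build_manifest(root, MANIFEST_KEY)
        target = root / "db" / "customers.csv"
        target.write_bytes(_fake_encrypt(target.read_bytes()))     # encrypted in place
        (root / "db" / "dump.sql").unlink()                          # backup deleted
        (root / "README_FOR_DECRYPT.txt").write_bytes(b"pay up\n")  # ransom note dropped
        return verify_manifest(root, manifest, MANIFEST_KEY)

def demo_forged_manifest() -> dict:
    """Attacker rewrites the manifest to match encrypted files but lacks the key."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_backup(root)
        manifest = build_manifest(root, MANIFEST_KEY)
        target = root / "notes.txt"
        target.write_bytes(_fake_encrypt(target.read_bytes()))
        manifest["files"]["notes.txt"] = sha256_file(target)  # hash updated, MAC is not
        return verify_manifest(root, manifest, MANIFEST_KEY)

if __name__ == "__main__":
    print(json.dumps(demo_after_attack(), indent=2))
    print(json.dumps(demo_forged_manifest(), indent=2))
```

Run it and the first report lists `db/dump.sql` as missing, `db/customers.csv` as both modified and looking encrypted, and the ransom note as an added file; the second report comes back with `manifest_ok` false and nothing else, because a manifest the attacker rewrote cannot be trusted for any per-file result. The entropy check is a heuristic (compressed or already-encrypted archives legitimately score near 8), which is why it is restricted to extensions whose content should be plain text and why the HMAC-backed hash comparison is the primary signal.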
Need more information?
Peter Wood, Chief Executive Officer
First Base Technologies LLP
http://firstbase.co.uk
twitter: @peterwoodx