Page 1: All your files now belong to us

Slide 1 © First Base Technologies 2016

Ransomware: All your files now belong to us

The future and impact of ransomware

Peter Wood
Chief Executive Officer

First Base Technologies LLP

Page 2: All your files now belong to us

Peter Wood

• Founder and CEO - First Base Technologies LLP
• Engineer, IT and information security professional since 1969
• Fellow of the BCS, the Chartered Institute for IT
• Chartered IT Professional
• CISSP
• Senior Member of the Information Systems Security Association (ISSA)
• 15 Year+ Member of ISACA, Member of the ISACA Security Advisory Group
• Member of the Institute of Information Security Professionals
• Member of the BCS Information Risk Management and Assurance Group
• Chair of white-hats.co.uk
• UK Programme Chair for the Corporate Executive Programme
• Member of ACM, IEEE, First Forensic Forum (F3), Institute of Directors
• Member of Mensa

Page 3: All your files now belong to us

Page 4: All your files now belong to us

Introduction

Ransomware: All your files now belong to us

Page 5: All your files now belong to us

Definition

Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid.

More modern ransomware families, collectively categorised as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decrypt key.

Source: http://www.trendmicro.com/vinfo/us/security/definition/Ransomware
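The definition above rests on one observable a defender can measure: crypto-ransomware replaces readable documents with ciphertext, usually leaving the original name with an extra extension appended. The script below is an added example, not part of the presentation or First Base Technologies' material, of a simple detection heuristic built on that fact: it samples the leading bytes of each file on a share, skips known compressed containers (which are high-entropy by design), flags the rest when their Shannon entropy approaches 8 bits per byte, and only raises a mass-encryption alarm when several files are affected. The magic-byte list, the 7.5-bit threshold and the alert ratio are assumptions chosen for illustration; the files it scans are constructed in a temporary directory, with os.urandom standing in for encrypted content.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Containers that are legitimately high-entropy. Their magic bytes let the scan
# skip them instead of flagging them (constructed list, far from exhaustive).
COMPRESSED_MAGIC = (
    b"PK\x03\x04",    # zip, and therefore docx/xlsx/pptx
    b"\xff\xd8\xff",  # jpeg
    b"\x1f\x8b",      # gzip
)

# Entropy (bits per byte) above which a sample looks like ciphertext or random
# data. 7.5 is an assumed cut-off; plain text sits around 4-5, ciphertext near 8.
ENTROPY_THRESHOLD = 7.5
SAMPLE_SIZE = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data: 0.0 for a constant string, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_bytes(data: bytes) -> str:
    """Classify a file's leading bytes as 'compressed', 'suspicious' or 'normal'.

    A compressed container is skipped on magic bytes because its payload is
    high-entropy by design. Anything else whose content is near-random is
    suspicious: a document that has been replaced by ciphertext.
    """
    sample = data[:SAMPLE_SIZE]
    if any(sample.startswith(magic) for magic in COMPRESSED_MAGIC):
        return "compressed"
    if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
        return "suspicious"
    return "normal"


def scan_directory(root: Path) -> dict:
    """Classify every regular file under root, keyed by its path relative to root."""
    results = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            results[path.relative_to(root).as_posix()] = classify_bytes(fh.read(SAMPLE_SIZE))
    return results


def mass_encryption_suspected(results: dict, min_suspicious: int = 2, min_ratio: float = 0.5) -> bool:
    """Alarm only when several non-container files look encrypted, not on one odd file."""
    scored = [v for v in results.values() if v != "compressed"]
    suspicious = sum(1 for v in scored if v == "suspicious")
    return suspicious >= min_suspicious and suspicious / max(len(scored), 1) >= min_ratio


def demo() -> tuple:
    """Build a constructed share with two intact files and two 'encrypted' ones, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "minutes.txt").write_bytes(b"Board minutes, 12 May 2016.\n" * 200)
        (root / "budget.xlsx").write_bytes(b"PK\x03\x04" + os.urandom(3000))  # zip container, benign
        # os.urandom stands in for ciphertext; a real sample would be an encrypted document.
        (root / "report.docx.locked").write_bytes(os.urandom(4096))
        (root / "photo.jpg.locked").write_bytes(os.urandom(4096))
        results = scan_directory(root)
        return results, mass_encryption_suspected(results)


if __name__ == "__main__":
    verdicts, alert = demo()
    for name, verdict in verdicts.items():
        print(f"{name:24} {verdict}")
    print("mass encryption suspected:", alert)
```

Entropy alone is a weak signal: PGP files, 7z archives and media formats without a listed magic number will all score near 8 bits, so production detectors combine it with honeypot files that no legitimate process should touch, the rate of renames on a share, and the identity of the writing process.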

Page 6: All your files now belong to us

Scale

Source: http://phishme.com/q1-2016-sees-93-phishing-emails-contain-ransomware/

Page 7: All your files now belong to us

Business impact

• Ransom ‘fee’
• User support during incident
• Lost user productivity
• Recovery and restoration
• Crisis management
• Press and PR
• Communicating with customers and business partners
• Post-incident analysis
• Planning for mitigating controls
• Implementing mitigating controls
• Testing mitigating controls

Page 8: All your files now belong to us

Target systems

• PCs and laptops

• Mobile devices

• Servers

• Networks

• Databases

• Cloud systems

• Online backups

• Real-time DR systems

• ICS / SCADA systems

Page 9: All your files now belong to us

Infection

• Downloaded onto systems when unwitting users visit malicious or compromised websites

• Arrives as a payload dropped or downloaded by other malware

• Delivered as attachments from spammed email

• Downloaded from malicious pages through malvertisements*

• Dropped by exploit kits onto vulnerable systems

Source: http://www.trendmicro.com/vinfo/us/security/definition/Ransomware

* an online advertisement that is infected with malicious code

Page 10: All your files now belong to us

Evolution

Ransomware: All your files now belong to us

Page 11: All your files now belong to us

Evolution: RaaS

Page 12: All your files now belong to us

Evolution: RaaS

Page 13: All your files now belong to us

Evolution: Try before you buy

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf

Page 14: All your files now belong to us

Evolution: IoT

Page 15: All your files now belong to us

Evolution: Office 365

22 June: Avanan's Cloud Security Platform detected a massive attack against its customers that were using Office 365.

The zero-day Cerber ransomware was spread through email and encrypted users’ files using macros.

This malware played an audio file informing the user that the computer’s files had been encrypted, while a warning message was displayed on screen.

Source: http://www.avanan.com/resources/attack-on-office-365-corporate-users-with-zero-day-ransomware-virus

Page 16: All your files now belong to us

Evolution: worm behaviour

Source: https://blog.knowbe4.com/microsoft-alert-zcryptor-ransomware-with-worm-feature

Page 17: All your files now belong to us

Targeted Ransomware

Ransomware: All your files now belong to us

Page 18: All your files now belong to us

Targeted ransomware: Samas

Source: https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/

Infection chain diagram: How Ransom:MSIL/Samas gets into the system

Page 19: All your files now belong to us

Samas distribution 17 March 2016

Page 20: All your files now belong to us

Targeted ransomware: Samas

• In March 2016, the FBI posted an alert about SAMAS as a very real threat to enterprises/businesses

• Specifically, its ability to encrypt files not only on the system it infects but also those shared on the affected organisation’s network

• It also goes after network-stored backups, clearly in an attempt to undermine the typical recommendations for dealing with ransomware

• Threat actors currently using SAMAS are also taking advantage of the malware’s ability to enact a persistent infiltration to “manually locate and delete” the mentioned backups

• Its routines seemingly mirror those of a typical targeted attack: it uses other malicious components to do penetration tests against its target servers as well as scan them for vulnerabilities in its quest to infiltrate

Source: http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/fbi-posts-warning-about-ransomware-that-goes-after-backups

Page 21: All your files now belong to us

Samas case study

• MedStar, a non-profit group that runs 10 hospitals in the Baltimore and Washington area, was attacked with Samas in April 2016

• The IT department detected the intrusion in their servers and stopped the ransomware from spreading by shutting down most of its network operations

• The engineers also successfully restored three main clinical systems from backup

• This quick and active approach ultimately saved not only the hospital reputation but also the lives of admitted patients, said Ann Nickels, a spokeswoman for the MedStar medical system

Source: http://thehackernews.com/2016/04/hospital-ransomware.html

Page 22: All your files now belong to us

Defences and Responses

Ransomware: All your files now belong to us

Page 23: All your files now belong to us

Paying the ransom

In the first three months of 2016, attacks cost victims more than $200 million. The total cost in 2015 was $325 million, so we’re going to see much more dismal results as the year goes on.

Source: http://www.datto.com/blog/ransomware-attacks-skyrocketing-in-2016

Beware: UltraDeCryptor does not deliver the decryption routines after you pay

Source: https://blog.knowbe4.com/ultradecryptor-ransomware-does-not-decrypt-your-files

Some vendors offer decryption tools for some ransomware: AVG, Kaspersky, Trend Micro, etc.

Source: http://www.thewindowsclub.com/list-ransomware-decryptor-tools

Page 24: All your files now belong to us

Defend yourself!

1. Air-gapped backups
2. Backups of cloud data
3. Encrypted backups of key data on write-once media (DVD, Blu-ray)
4. Regular server and database patching
5. Endpoint patching (ref Secunia)
6. Ad blocking software for browsers
7. Secure home networks for employees
8. Regular testing of the kill chain (e.g. phishing)
9. Intensive anti-ransomware training for all staff
10. Keep up to date on the evolution of ransomware
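The Samas slides describe ransomware that seeks out network-stored backups and deletes or encrypts them, and the list above answers with air-gapped and write-once copies plus testing of the controls. The one check that ties those together is being able to prove, from a record kept off the backup share, that a backup set is still the one you wrote. The script below is an added example, not part of the presentation or First Base Technologies' material: it builds a SHA-256 manifest of a backup tree (the manifest is what belongs on the write-once media or air-gapped store), then verifies a later copy of the tree against it and reports missing, added and modified files. The directory layout and file contents are constructed in a temporary directory; the damage applied in the demo (one file deleted, one overwritten with random bytes) is a constructed stand-in for what the Samas write-up describes, used only to show what the verifier reports.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large backup images do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256 and size."""
    return {
        p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree at root against a manifest stored somewhere the tree cannot reach."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    added = sorted(set(current) - set(manifest))
    modified = sorted(
        name for name in manifest
        if name in current and current[name]["sha256"] != manifest[name]["sha256"]
    )
    return {
        "missing": missing,
        "added": added,
        "modified": modified,
        "intact": not (missing or added or modified),
    }


def demo() -> tuple:
    """Write a constructed backup set, record its manifest, verify it, damage it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "db").mkdir()
        (backup / "finance" / "ledger.csv").write_bytes(b"date,amount\n2016-05-12,100\n")
        (backup / "db" / "customers.bak").write_bytes(b"constructed backup payload")
        (backup / "readme.txt").write_bytes(b"weekly full backup")

        # Serialise the manifest: this text is what goes onto write-once media,
        # so a later check does not trust anything that lives on the share.
        manifest_json = json.dumps(build_manifest(backup), indent=2, sort_keys=True)
        clean = verify_backup(backup, json.loads(manifest_json))

        # Constructed damage of the kind described for Samas: one backup file
        # removed, one replaced by random bytes standing in for ciphertext.
        (backup / "db" / "customers.bak").unlink()
        (backup / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        damaged = verify_backup(backup, json.loads(manifest_json))
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("before damage:", before)
    print("after damage: ", after)
```

Run the verification on a schedule and treat any non-empty `missing` or `modified` list as an incident in its own right, since a backup that can be silently altered from the network is exactly the backup a Samas-style intrusion removes before the ransom note appears.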

Page 25: All your files now belong to us

Peter Wood
Chief Executive Officer

First Base Technologies LLP

[email protected]

http://firstbase.co.uk

twitter: @peterwoodx

Need more information?