
AWS re:Invent 2016: No More Ransomware: How Europol, the Dutch Police, and AWS Are Helping Millions Deal with Cybercrime (SAC327)


Page 1: AWS re:Invent 2016: No More Ransomware: How Europol, the Dutch Police, and AWS Are Helping Millions Deal with Cybercrime (SAC327)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

John Fokker - Digital Team Coordinator, NHTCU

Raj Samani, Intel

Ben Potter – Security Consultant, AWS

November 30, 2016

SAC327

No More Ransom! How Europol, the Dutch Police, and AWS

Are Helping Millions Deal with Cybercrime

Page 2:

What to Expect from the Session

1. Better understanding of the threat to our digital society

2. How the No More Ransom initiative can help you

3. Architecting a website for scale and security

Page 3:

Healthcare – Ransomware Attacks

• Hospital’s network down for more than a week

• Systems for CT scans and others impacted

• Email, patient files, and other data encrypted

• Staff went back to fax machines for communication

• Hospital pays $17,000 USD ransom to get data back

• They were not the only hospital hit by ransomware

Page 4:

The following slides contain strong language

Page 5:

How it Often Starts….

Page 6:

And then….

Page 7:

Ransom negotiations

Victim: Please send me the key. I have a small business. This way I go bankrupt…….. I won't contact the police. You have till tonight 0:00. After that I will turn to Interpol. So win-win send me the decryption key.

Criminal: LOL

we can do 0.3 bitcoins if you agree no reason

we don’t target specific people

we don’t bow to threats

we can do 0.3 btc lowest

Page 8:

Ransom negotiations

Victim: I lost six years of photos of my children and all documents of my study

Criminal: OK, just pay 0,6 bitcoin and you’ll get your files.

Victim: May your children be cursed and i hope they have deceases in there miserable lives.

Criminal: OK

Page 9:

Police reports

Page 10:

• 49 campaign code identifiers

• 406,887 attempted infections of CryptoWall version 3

• Estimated $631 million (USD) in damages

• 4,046 malware samples

• 839 command and control URLs

• 5 second-tier IP addresses used for command and control

CyberThreat Alliance

Page 11:

Fightback Begins

Page 12:

Demystifying the Problem

Page 13:

Take Down Pipeline

July 25, 2016: Shade ransomware

July 28, 2016: Chimera ransomware

August 23, 2016: Wildfire ransomware

So far so good.

Page 14:

Another New Option

Option A – Pay the bad guys

Option B – Lose your data

Option C – _______

Decryption Tools

Page 15:

Healthcare Targeted

January – February 2016 timeline (labels recovered from the slide):

• Titus Med Care, Texas, USA: Alphacrypt Ransomware

• Berkshire HS, Massachusetts, USA: Ransomware

• Multiple Hospitals, North Rhine, Germany: Ransomware

• Two Hospitals, Melbourne, Australia: Qbot & Ransomware

• Royal Berkshire Hospital, United Kingdom: Ransomware

• Whanganui Hospital Korea: Locky Ransomware

Systematic

Page 16:

Fightback Continues

• 45.00 BTC

• 40.00 BTC

• 21.94 BTC

• 22.00 BTC

• 22.00 BTC

• 40.00 BTC

$100,000.00

so far…

Details of case: https://blogs.mcafee.com/mcafee-labs/targeted-ransomware-no-longer-future-threat/

Analysis of Bitcoin Wallets

Page 17:

Prevention

• Quickly install security updates

• Ensure updated security software is installed

• Implement a robust backup and recovery strategy

• Conduct employee training

Page 18:

Let AWS Handle the IT Infrastructure

AWS Marketplace: quickly provision the resources needed – Tasked with setting up a highly visible and targeted web portal in roughly two weeks.

Security – AWS cloud infrastructure architected to be one of the most secure cloud environments available today.

Elasticity – Instantly scale up or down based on demand.

– Before launch – Best guess of number of visitors: 12,000/day

– Day of launch – 2.6 m visitors

Page 19:

NoMoreRansom.Org Edge Architecture

(Architecture diagram; component labels recovered from the slide:)

• The Internet, fronted by Amazon Route 53: latency routing across multiple regions, with a failover health check

• Primary Site: Amazon CloudFront with AWS WAF, Amazon S3 content hosting

• Failover Site: Amazon CloudFront with AWS WAF, Amazon S3 content hosting

• Regional origin: Barracuda Firewall, Amazon EC2, Amazon VPC

Page 20:

NoMoreRansom.Org Regional Architecture

(Architecture diagram; component labels recovered from the slide:)

• Barracuda WAF

• AWS Lambda Functions

• Amazon Redshift Data Warehouse

• Amazon Elasticsearch Service Log Analytics

• Edge Locations

• Elastic Load Balancing (two tiers)

• AWS Elastic Beanstalk

• Amazon API Gateway

Page 21:

Security

• 51K attacks reported by Barracuda post-launch

• Range from standard DDoS assaults to more exotic attacks on portions of the infrastructure

• 1 Million+ attack requests went through VPN systems to mask their true origin

• NoMoreRansom.org is still up and operating well; it has never been brought down by attackers

Page 22:

Recommendations

• Review the scale-up time of AMIs

• Review the impact of technical choices: look for ways to automate

• Explore scenarios thoroughly with your client to ensure happiness

• Build a trusted relationship with your partners

Page 23:

Take Away: Complexity

• Strive for simplicity

• De-couple technology dependencies

• The most complicated aspect of the solution is the log parsing and analytics system, which is being fine-tuned

• The second most complex aspect is global co-ordination of multiple stakeholders and technical staff

Page 24:

Take Away: Reduce Attack Surface of Web Application

• Not every system can or should use server-less architecture

• Every system needs to maintain a high security stance

• Regardless of the type of request, return a success message programmatically to fool automated attack systems
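The last bullet above, together with the log parsing and analytics point on the Complexity slide, worked as a small added example (Python; not code from the NoMoreRansom project or its authors): every request gets the same success response, so an automated tool cannot tell a real page from a miss by status code, while a structured log keeps the truth for later analysis. The known-path set, the client addresses, the request lines and the flag threshold are constructed assumptions.

```python
"""Uniform-response front handler plus simple log analytics.

Added example, not code from the NoMoreRansom project: answers every request
with a success message (the slide's point) and records a JSON log line per
request so the analytics stage can still find clients sweeping unknown paths.
"""
from collections import defaultdict
from datetime import datetime, timezone
import json

# Constructed assumption: the only paths the static site really serves.
KNOWN_PATHS = {"/", "/index.html", "/decryption-tools.html"}


def handle_request(method, path, client_ip, log):
    """Return (status, body) for one request and append a JSON log record.

    The status is 200 for every request, known path or not; the log record
    carries the truth ('known': bool) because the HTTP status no longer does.
    """
    known = path in KNOWN_PATHS
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "ip": client_ip,
        "method": method,
        "path": path,
        "known": known,
    }
    log.append(json.dumps(record))
    return 200, "OK"


def analyze(log_lines, unknown_threshold=3):
    """Parse JSON log lines and flag clients that probe unknown paths.

    Returns {ip: {'total': n, 'unknown': m}} for flagged clients only.
    """
    per_ip = defaultdict(lambda: {"total": 0, "unknown": 0})
    for line in log_lines:
        rec = json.loads(line)
        stats = per_ip[rec["ip"]]
        stats["total"] += 1
        if not rec["known"]:
            stats["unknown"] += 1
    return {ip: s for ip, s in per_ip.items() if s["unknown"] >= unknown_threshold}


def demo():
    """Constructed traffic: one normal visitor, one client sweeping paths."""
    log = []
    handle_request("GET", "/", "203.0.113.10", log)
    handle_request("GET", "/decryption-tools.html", "203.0.113.10", log)
    for n in range(4):
        handle_request("GET", f"/probe-{n}", "198.51.100.7", log)
    return analyze(log)


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner wants here: a uniform 200 also hides real misses from your own monitoring, so the log record, not the HTTP status, must carry whether the path existed; analyze() reads that field to surface the client that swept four unknown paths while the ordinary visitor is not flagged.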

Page 25:

The Journey Begins Here

Attack chain shown on the slide (connected-car diagram; labels recovered):

• Unauthorized packets are sent

• Malware created in car as communication gateway

• Exposes OBU and starts sending many bad packets

• Creates malware on the ADAS

• Sends a super-packet

• The car is destroyed

Diagram components: OBU; Home, Enterprise, Web, OEM, Roadside; Audio/Video, Telematics, Diagnostics, ADAS

Page 26:

Thank you!

Visit the Barracuda Booth and

request AWS Credits to Start a

FREE Trial on AWS Marketplace

Twitter: @Raj_Samani