Ransomware is Here: Fundamentals Everyone Needs to Know

Post on 21-Feb-2017


Transcript of Ransomware is Here: Fundamentals Everyone Needs to Know

RANSOMWARE IS HERE: FUNDAMENTALS EVERYONE NEEDS TO KNOW

JEREMIAH GROSSMAN CHIEF OF SECURITY STRATEGY

@jeremiahg https://www.jeremiahgrossman.com/

http://blog.jeremiahgrossman.com/

http://sentinelone.com/

JEREMIAH GROSSMAN

WHO I AM…

▸ Professional Hacker

▸ OWASP Person of the Year (2015)

▸ International Speaker

▸ Black Belt in Brazilian Jiu-Jitsu

▸ Founder of WhiteHat Security

“RANSOMWARE IS A TYPE OF MALWARE THAT CAN BE COVERTLY INSTALLED ON A COMPUTER WITHOUT KNOWLEDGE OR INTENTION OF THE USER THAT RESTRICTS ACCESS TO THE INFECTED COMPUTER SYSTEM IN SOME WAY, AND DEMANDS THAT THE USER PAY A RANSOM TO THE MALWARE OPERATORS TO REMOVE THE RESTRICTION.”

Wikipedia

WHAT IS RANSOMWARE?

YOU KNOW IT

WHEN INFECTED WITH RANSOMWARE…

CRYPTOLOCKER, CRYPTOWALL, TESLACRYPT, REVETON, JIGSAW, LOCKY

“THERE ARE NOW MORE THAN 120 SEPARATE FAMILIES OF RANSOMWARE, SAID EXPERTS STUDYING THE MALICIOUS SOFTWARE.”

ORDER OF OPERATIONS

STEP-BY-STEP

1. Targeting – OS, geography, banking/ecommerce, consumer

2. Propagation – spear-phishing, drive-by-download, attachments

3. Exploit – exploit kits, vulnerability-based, unpatched systems

4. Infection – payload delivery, backdoor access

5. Execution – encryption, disruption, blocked access, RANSOM

DESIGNED TO EVADE DETECTION


Wrappers: Turn known code into a new binary

Variations / Obfuscators: Slightly alter code so that known code appears new or different to signature-based scanners

Packers: Ensure the code runs only on a real victim machine, not in an analysis sandbox (anti-VM checks, sleep timers, waiting for user interaction, anti-debug)

Targeting: Allows code to run only on a specific target machine/configuration

Ransomware Code: The actual attack code that attacks your files, blocks access to the system and/or encrypts data
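Because wrappers, obfuscators and packers make each binary look new to signature scanners, defenders instead watch for the behaviour of the Execution step above: many files rewritten with encrypted-looking contents in a short time. The following is an added example, not code from the talk or its author; the entropy threshold, the 10-second window, the five-file minimum and the event stream are all constructed, illustrative assumptions.

```python
import math
from collections import Counter
from typing import List, Tuple

# Constructed sample data (not from the talk). bytes(range(256)) repeated has a
# flat byte histogram, i.e. the 8.0 bits/byte that real ciphertext approaches.
PLAIN_DOC = b"Car parts list: 4 x brake rotor, 16 x lug nut, 2 x fuel pump.\n" * 20
CIPHERTEXT = bytes(range(256)) * 16

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: ciphertext has a near-uniform byte distribution.
    Compressed archives and media also score high, so this is one signal,
    not proof; the burst check below supplies the second signal."""
    return shannon_entropy(data) >= threshold

# One write as seen by a file-system monitor: (timestamp_s, path, new_content)
WriteEvent = Tuple[float, str, bytes]

def detect_encryption_burst(events: List[WriteEvent], window_s: float = 10.0,
                            min_files: int = 5) -> List[str]:
    """Return the paths rewritten with encrypted-looking content if at least
    `min_files` distinct files were hit within `window_s` seconds, else [].
    One high-entropy write is normal (a zip, a jpeg); dozens within seconds is
    the Execution stage of ransomware, however the binary itself was packed."""
    suspicious = sorted((ts, path) for ts, path, data in events if looks_encrypted(data))
    for i, (start, _) in enumerate(suspicious):
        in_window = {p for ts, p in suspicious[i:] if ts - start <= window_s}
        if len(in_window) >= min_files:
            return sorted(in_window)
    return []

# Constructed event stream: normal edits, one legitimate archive, then a burst.
SAMPLE_EVENTS: List[WriteEvent] = [
    (0.0, "/home/u/notes.txt", PLAIN_DOC),
    (1.0, "/home/u/photos.zip", CIPHERTEXT),   # lone high-entropy write: benign
    (30.0, "/home/u/report.docx", CIPHERTEXT),
    (30.5, "/home/u/budget.xlsx", CIPHERTEXT),
    (31.0, "/home/u/parts.csv", CIPHERTEXT),
    (31.2, "/home/u/sim1.dat", CIPHERTEXT),
    (32.0, "/home/u/sim2.dat", CIPHERTEXT),
]

if __name__ == "__main__":
    print(detect_encryption_burst(SAMPLE_EVENTS))
```

A real monitor would also require that the rewritten files were readable documents before the write, which cuts the false positives from users saving archives or images.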

“THE FBI RECENTLY PUBLISHED THAT RANSOMWARE VICTIMS PAID OUT $209 MILLION IN Q1 2016 COMPARED TO $24 MILLION FOR ALL OF 2015.”

LA Times

THE BIRTH OF A BILLION DOLLAR CYBER-CRIME INDUSTRY

“IN ITS LETTER, THE DHS NOTED THAT ITS NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER (NCCIC) HAD INITIATED OR RECEIVED 321 REPORTS OF RANSOMWARE-RELATED ACTIVITY AFFECTING 29 DIFFERENT FEDERAL AGENCIES SINCE JUNE 2015. THE 321 REPORTS INCLUDE ATTEMPTED INFECTIONS AND INFECTIONS THAT WERE DEALT WITH BY THE AGENCIES' INTERNAL SECURITY TEAMS.”

Business Insider

THE BIRTH OF A BILLION DOLLAR CYBER-CRIME INDUSTRY

WHY THE RANSOMWARE EXPLOSION NOW?

ALMOST 50% OF THOSE AFFECTED END UP MAKING THE PAYMENT

The number of users who came across crypto ransomware in the last year increased by more than 500% over the previous year. (Dec 2015) - Kaspersky

THE RANSOM AND PAYMENT METHODS

▸ $200-$2000, average $300 (High $20,000)

▸ Most commonly paid through Bitcoin

▸ Also through premium SMS/phone call, anonymous cash card or prepaid transfer service

Secondary Motives

▸ Leave spyware behind

▸ Open backdoors

▸ Steal passwords

RANSOMWARE DOES NOT NEED ROOT ACCESS

“"RANSOMWEB" DESCRIBES ATTACKS DURING WHICH CROOKS BREAK INTO A WEBSITE USING VARIOUS VULNERABILITIES AND ENCRYPT ITS CONTENT. THIS CAN BE ITS DATABASE OR ITS FILES, BUT IN THE END, CROOKS NOTIFY THE SITE OWNERS THAT THEY HAVE TO PAY A RANSOM TO GET THEIR FILES BACK.”

HOSPITALS NASCAR GOVERNMENT

SCHOOLS POLICE GAMERS

“ON WEDNESDAY, U.S. SECURITY COMPANY KNOWBE4 SAID IT WAS RECENTLY CONTACTED BY A HEALTH CENTER THAT PAID HACKERS NEARLY $40,000 AFTER 250 DEVICES, INCLUDING AN MRI MACHINE, BECAME INFECTED WITH RANSOMWARE, PROMPTING THE UNNAMED ORGANIZATION TO SHUT DOWN FOR FIVE DAYS.”

“[PRIME HEALTHCARE SERVICE] SAYS IT DEFEATED THE CYBERATTACK WITHOUT PAYING A RANSOM. BUT IT ACKNOWLEDGED SOME PATIENTS WERE TEMPORARILY PREVENTED FROM RECEIVING RADIOLOGY TREATMENTS, AND OTHER OPERATIONS WERE DISRUPTED BRIEFLY WHILE COMPUTER SYSTEMS WERE DOWN.”

“IN MARCH, HACKERS ENCRYPTED DATA AT MEDSTAR HEALTH, WHICH OPERATES 10 HOSPITALS IN MARYLAND AND THE DISTRICT OF COLUMBIA. THE VIRUS CAUSED DELAYS IN SERVICE AND TREATMENT UNTIL COMPUTERS WERE BROUGHT BACK ONLINE. THE COMPANY SAID IT DID NOT PAY A REPORTED $19,000 RANSOM DEMAND.”

“NASCAR TEAM CIRCLE SPORT-LEAVINE FAMILY RACING (CSLFR) HAS REVEALED TODAY IT FACED A RANSOMWARE INFECTION THIS PAST APRIL, WHEN IT ALMOST LOST ACCESS TO CRUCIAL FILES WORTH NEARLY $2 MILLION, CONTAINING CAR PARTS LISTS AND CUSTOM HIGH-PROFILE SIMULATIONS THAT WOULD HAVE TAKEN 1,500 MAN-HOURS TO REPLICATE.”

“RECENTLY, THE AMERICAN PUBLIC UTILITY LANSING BOARD OF WATER & LIGHT (BWL) HAS ANNOUNCED THAT THE COMPANY HAS BECOME A VICTIM OF RANSOMWARE ATTACK THAT KNOCKED THE UTILITY'S INTERNAL COMPUTER SYSTEMS OFFLINE.”

“POLICE DEPARTMENT CHIEF MICHAEL LYLE CLAIMED THAT ONE UNSUSPECTING USER FROM WITHIN THE DEPARTMENT OPENED THE EMAIL, TRIGGERING THE PAYLOAD OF THE RANSOMWARE WHICH PROCEEDED TO ENCRYPT FILES AND TAKE CONTROL OF A PROGRAM KNOWN AS TRITECH. THE SOFTWARE IS AN ESSENTIAL TOOL, ONE THAT POLICE OFFICERS USE FOR COMPUTER AIDED DISPATCH AND AS A RECORD MANAGEMENT SYSTEM DURING PATROL. THE PROGRAM ALSO ENABLES LAW ENFORCEMENT OFFICERS TO LOG INCIDENT REPORTS.”

“TO BE HONEST, WE OFTEN ADVISE PEOPLE JUST TO PAY THE RANSOM.” -JOSEPH BONAVOLONTA ASSISTANT SPECIAL AGENT IN CHARGE OF THE FBI’S CYBER & COUNTERINTELLIGENCE PROGRAM

The Security Ledger

TO PAY OR NOT TO PAY…

“THE FBI DOES NOT ADVISE VICTIMS ON WHETHER OR NOT TO PAY THE RANSOM.”

“THE FBI ADVISES THAT THE USE OF BACKUP FILES IS AN EFFECTIVE WAY TO MINIMIZE THE IMPACT OF RANSOMWARE AND THAT IMPLEMENTING COMPUTER SECURITY BEST PRACTICES IS THE MOST EFFECTIVE WAY TO PREVENT RANSOMWARE INFECTIONS.”

-DONALD J. GOOD, DEPUTY ASSISTANT DIRECTOR OF THE FBI'S CYBER DIVISION

SOFTPEDIA

THE FBI’S “OFFICIAL” POSITION

RANSOMWARE IS INNOVATING

RESEARCH AND DEVELOPMENT INCREASING

▸ Recent ransomware is targeted, sophisticated and harder to detect

▸ Once data is encrypted there are virtually no options

▸ Modern encryption techniques are impossible to break

▸ Restoring from backups is time consuming and usually involves some data loss

▸ CryptoLocker 3.0 payments have been estimated at $325 Million

▸ Ransomware criminals netting roughly $150 Million per year

SOPHISTICATION

BUSINESS MODELS ARE EVOLVING AND MATURING