The Day We Infected Ourselves with Ransomware

Posted on 21-Jan-2018

RANSOMWARE

5/24/2017

Who We Are

RIIS is a boutique IT firm focused on joining business and technology through custom mobile, software development and premium IT professional services.

Our Specialties

• Mobile Apps

• Web Dev

• Professional Services

• Security Audits

• User Experience

Agenda

• WannaCry

• What is Ransomware?

• Different Flavors

• Test Lab Setup

• Fixes

• Preparation Plan

• Call to Action

WannaCry

Ransomware News

• Trust but verify

• Don't believe the hype

• Hard to decipher the signal from the noise

What is Ransomware

Stages of an attack:

• Deployment

• Installation

• Command and Control

• Destruction

• Extortion

What is Ransomware

Targets

• Hospitals

• Fortune 500

• Universities and Schools

• Police Stations

• Religious Organizations

What is Ransomware

Flavors

• Locky

• CryptoWall

• CryptXXX

• Jigsaw

• TeslaCrypt

• Petya

• Win32Dircrypt

• Ransomware as a Service (RaaS)

Test Lab

Setup

• Wipe the machines

• Install a fresh copy of Windows 7

• Use a dedicated wifi hotspot on a test phone, never the company network (the sample will use that link to reach its command-and-control servers, so share it with nothing else)

• Download ransomware samples from theZoo (the archives are password protected; the password is "infected")

• https://github.com/ytisf/theZoo

• Choose your flavor and run it

Test Lab

Warning

Do not do this on a machine you ever want to use again. Make sure it is not connected to your company wifi.

Fixes

• Jigsaw: recovered with the BleepingComputer Jigsaw decrypter (see Resources)

• TeslaCrypt: recovered with the Talos TeslaCrypt tool (see Resources)

Ransomware Prep Plan

• Back up your data and keep a copy offsite and offline; a backup the infected machine can write to will be encrypted along with everything else.

• Do not treat cloud sync services such as Dropbox as backup: they replicate encrypted files as faithfully as clean ones. Disconnect them on an infected machine.

• Use antivirus, firewalls and email scanners.

• Update your OS as soon as a new patch appears (WannaCry spread through a flaw Microsoft had patched two months earlier).

• Use Windows Volume Shadow Copies (VSS) or Mac Time Machine, but not on their own: most ransomware deletes shadow copies before it encrypts (see Potential Breakpoints below).

• Uninstall Flash.

• Remove or restrict admin access.

• Disconnect any shared drives; mapped shares get encrypted too.

• Train your staff and send them test phishing emails.

• Use a test lab and see if you can recover from a simulated attack.

• Set up a Bitcoin wallet in case you need to pay (a last resort; payment does not guarantee a working key).

Prep Plan

• Test Phishing Emails

Ransomware Potential Breakpoints

Each step below is a point where the attack can be spotted or stopped:

• The ransomware must execute and unpack itself, then collect system information.

• It has to change registry settings to maintain persistence.

• More advanced ransomware disables System Restore and deletes everything in the Volume Shadow Copies (VSC).

• Most, but not all, ransomware has to call out to command-and-control infrastructure to get the public key that will be used to encrypt the files.

• It then has to enumerate the files.

• It begins to read and encrypt the files.

• If each encrypted file is written to a new file, the original files must be deleted.

• Finally, the encryption key is removed from the local machine and sent back to the controller.
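Every breakpoint above leaves a trace in ordinary endpoint telemetry. The detector below is an added example (not code from the original talk) that maps four of them to rules over Sysmon-style process, registry, network and file events: the Run-key write for persistence, the shadow-copy deletion commands, a network connection from a binary running out of a user-writable directory, and a single process creating many files in a short window. The records in `SAMPLE_EVENTS` are constructed for illustration; the paths, PIDs, the `.locky` file names and the 203.0.113.x addresses are made up, and the field names only borrow Sysmon's spelling.

```python
"""Detection rules for the ransomware breakpoints, run over Sysmon-style
telemetry. Added example, not from the original talk; SAMPLE_EVENTS is
hand-constructed and no real log was used.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Breakpoint: registry change for persistence (per-user or machine Run key)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Breakpoint: disabling restore / deleting Volume Shadow Copies
VSC_KILL_RES = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Breakpoint: command-and-control call-out from a binary dropped into a
# user-writable directory (where mail attachments and downloads land)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.I)

# Breakpoint: enumerate + rewrite many files. Flag a process that creates
# this many files inside the window; tune both for the host's workload.
MASS_WRITE_THRESHOLD = 20
MASS_WRITE_WINDOW = timedelta(seconds=10)


def _ts(ev):
    return datetime.fromisoformat(ev["UtcTime"])


def detect(events):
    """Return (rule, pid, detail) triples, one per breakpoint hit."""
    findings = []
    writes = defaultdict(list)   # pid -> timestamps of its FileCreate events
    mass_flagged = set()
    for ev in sorted(events, key=_ts):
        kind, pid = ev["EventType"], ev["ProcessId"]
        if kind == "ProcessCreate":
            if any(rx.search(ev["CommandLine"]) for rx in VSC_KILL_RES):
                findings.append(("destroy-shadow-copies", pid, ev["CommandLine"]))
        elif kind == "RegistryValueSet":
            if RUN_KEY_RE.search(ev["TargetObject"]):
                findings.append(("persistence-run-key", pid, ev["TargetObject"]))
        elif kind == "NetworkConnect":
            if USER_WRITABLE_RE.search(ev["Image"]):
                findings.append(("c2-from-user-writable-path", pid, ev["DestinationIp"]))
        elif kind == "FileCreate":
            now = _ts(ev)
            writes[pid].append(now)
            recent = [t for t in writes[pid] if now - t <= MASS_WRITE_WINDOW]
            if len(recent) >= MASS_WRITE_THRESHOLD and pid not in mass_flagged:
                mass_flagged.add(pid)   # report the burst once per process
                findings.append(("mass-file-rewrite", pid,
                                 f"{len(recent)} files in {MASS_WRITE_WINDOW.seconds}s"))
    return findings


def rules_triggered(events):
    return {rule for rule, _, _ in detect(events)}


def _sample_events():
    """Constructed timeline: a dropper in %TEMP% persists, kills shadow
    copies via a child process, beacons out, then rewrites 25 documents."""
    t0 = datetime(2017, 5, 24, 10, 0, 0)
    dropper = r"C:\Users\alice\AppData\Local\Temp\invoice_4471.exe"
    evs = [
        {"EventType": "ProcessCreate", "ProcessId": 4242, "Image": dropper,
         "CommandLine": dropper, "UtcTime": t0.isoformat()},
        {"EventType": "RegistryValueSet", "ProcessId": 4242, "Image": dropper,
         "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
         "UtcTime": (t0 + timedelta(seconds=1)).isoformat()},
        {"EventType": "ProcessCreate", "ProcessId": 4300,
         "Image": r"C:\Windows\System32\vssadmin.exe",
         "CommandLine": "vssadmin.exe delete shadows /all /quiet",
         "UtcTime": (t0 + timedelta(seconds=2)).isoformat()},
        {"EventType": "NetworkConnect", "ProcessId": 4242, "Image": dropper,
         "DestinationIp": "203.0.113.7",
         "UtcTime": (t0 + timedelta(seconds=3)).isoformat()},
        # Benign noise: a browser installed under Program Files talking out.
        {"EventType": "NetworkConnect", "ProcessId": 1500,
         "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
         "DestinationIp": "203.0.113.9",
         "UtcTime": (t0 + timedelta(seconds=3)).isoformat()},
    ]
    for i in range(25):
        evs.append({"EventType": "FileCreate", "ProcessId": 4242, "Image": dropper,
                    "TargetFilename": rf"C:\Users\alice\Documents\report{i}.docx.locky",
                    "UtcTime": (t0 + timedelta(seconds=4, milliseconds=200 * i)).isoformat()})
    return evs


SAMPLE_EVENTS = _sample_events()

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

The shadow-copy rule is the cheapest win on the list: almost no legitimate software runs `vssadmin delete shadows` or `wmic shadowcopy delete` on a workstation, so it can alert at the first hit. The mass-write rule needs tuning per host because backup agents and compilers also burst-create files; pair it with the process path (user-writable directory) before acting on it automatically.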

Bitcoin

Resources

http://riis.com/blog

https://www.knowbe4.com/phishing-security-test-offer

https://github.com/ytisf/theZoo

https://www.bleepingcomputer.com/download/jigsaw-decrypter/dl/321/

http://www.talosintelligence.com/teslacrypt_tool/

https://noransom.kaspersky.com/

https://www.ghacks.net/2016/03/30/anti-ransomware-overview/

Call(s) to Action

• Set up a Test Lab

• Run a Ransomware drill

Mobile App Partners

Contact us!

riis.com

248.351.1200

1250 Stephenson Hwy, Troy, MI 48083