Webinar: A deep dive on ransomware
Transcript of Webinar: A deep dive on ransomware
1©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2016. CYREN Ltd. All Rights Reserved©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.
A DEEP DIVE ON RANSOMWARE An Update from the May 2016 Cyberthreat Report
Avi Turiel
Agenda
• Ransomware 101
• Notable Q1 ransomware (and decryption success)
• Locky in detail
• Q1 Cyberthreat data
Ransomware in Q1
• Petya: Overwrites the master boot record
• Samsam: Compromises servers, uses them to compromise other networked machines, and then holds them to ransom
• TeslaCrypt: Originally targeted game files, now targets all file types
• GhostCrypt: Masquerades as CryptoLocker
• CryptoWall: Provides a free single-use decryption
• Jigsaw: Deletes increasing numbers of files until the ransom is paid (and 1,000 files after a reboot)
• Locky
(Search: Bleeping Computer, Jigsaw)
Some ransomware decryption success!
• Don’t count on these though…
• Ransomware gets patched
  • E.g.: TeslaCrypt V3
Poll: First-hand experience
• Do you know anyone who has been infected with ransomware?
  • Yes
  • No
Understanding Locky
Locky highlights
• First extensive use of JavaScript as an email delivery method
• Most variants in a single day
• Highest number of email malware attachments in a single day
• Vast numbers of compromised websites
  • Over 1 million tracked by CYREN
• Encrypts all files on shared network drives
Brief history
• First detected in February
• Initial distribution by MS Word macro malware (email attachments)
• Initially from the same botnet as used for Dridex (banking malware)
Delivery flow (diagram): Email with JS attachment → Redirect to compromised site hosting ransomware → Download and run → Encrypt files → Demand ransom
Locky delivery emails
Vast distribution
• Emails with malware attachments surged 412% in March due to Locky outbreaks
• Primarily on weekdays and during working hours
• Also spread via web exploit kits
Locky uses JavaScript
• Ubiquitous in email; most systems view it as benign
• Easy to reprogram (less skill needed), automated creation of variants
• Many obfuscation tools
• Small size
• Locky is the first malware to use JavaScript (JS) in such massive quantities
  • Over 1.5 million variants in one day (30 March)
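An added example (not CYREN code) of the kind of attachment check an email security gateway applies to the JavaScript attachments described above: it walks the message's MIME parts, flags script-type attachments and also looks inside ZIP archives for them, since a .js file wrapped in a .zip is still a script once the user opens it. The sample message, the addresses and the extensions beyond .js are constructed assumptions; the attached script is an inert stub, not a malware sample.

```python
"""Flag script-type email attachments, including those nested in ZIP archives.

Added example: a minimal gateway-style check, not CYREN code. The sample
message below is constructed for the demo; the .js member is an inert stub.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that Windows Script Host or the shell will execute directly.
# .js is what the Locky campaigns used; the rest of the list is an assumption
# about what a reasonable gateway policy would cover.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat"}
ARCHIVE_EXTENSIONS = {".zip"}


def file_ext(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    name = name.lower().strip()
    return name[name.rfind("."):] if "." in name else ""


def scan_zip(data: bytes, prefix: str) -> list:
    """Return 'outer.zip/inner.js' style paths for script members of a ZIP."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if file_ext(info.filename) in SCRIPT_EXTENSIONS:
                    hits.append(f"{prefix}/{info.filename}")
    except zipfile.BadZipFile:
        # An archive we cannot inspect is treated as suspicious, not ignored.
        hits.append(f"{prefix} (unreadable archive)")
    return hits


def find_script_attachments(raw: bytes) -> list:
    """Return the attachment paths a gateway policy should block."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = file_ext(name)
        payload = part.get_payload(decode=True) or b""
        if ext in SCRIPT_EXTENSIONS:
            hits.append(name)
        elif ext in ARCHIVE_EXTENSIONS:
            hits.extend(scan_zip(payload, name))
    return hits


def build_sample_message() -> bytes:
    """Construct a demo email: a ZIP attachment wrapping an inert .js file,
    plus a harmless PDF placeholder that must not be flagged."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("invoice_7731.js", "// inert placeholder, not real malware\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"      # constructed address
    msg["To"] = "user@example.invalid"           # constructed address
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_7731.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for hit in find_script_attachments(build_sample_message()):
        print("BLOCK:", hit)
```

The check deliberately keys on the file name inside the archive rather than on the outer attachment type, because "application/zip" looks benign to a type-based filter; a production gateway would add content sniffing and nested-archive limits, which are out of scope here.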
Post-infection
• Malware deletes itself if the Russian language is detected
• Encrypts:
  • Videos, images, documents, and source code
  • Files located on connected networks, servers, or drives (including removable)
• Renames files to .locky
• Deletes any local back-up files
• If a bitcoin wallet is found it is emptied, then scrambled
Ransomware does not have to hide
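An added example (not CYREN code) that turns the post-infection behaviour above into detection logic a SOC could run over file-activity logs: it looks for a burst of renames to .locky on a single host and, as corroboration, for deletions of backup files on the same host. The log line format, the host and user names, the rename threshold, the window length and the list of backup extensions are assumptions constructed for the demo.

```python
"""Detect Locky-style activity in file-activity logs: a burst of renames to
.locky on one host, corroborated by deletion of local backup files.

Added example, not CYREN code. The log format, hosts and thresholds are
constructed assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXTENSION = ".locky"                            # from the slide: files are renamed to .locky
BACKUP_EXTENSIONS = {".bak", ".bkf", ".vhd", ".vhdx"}  # assumption: what counts as a local backup file
RENAME_THRESHOLD = 20                                  # assumption: .locky renames per host per window
WINDOW = timedelta(minutes=1)                          # assumption: sliding window length


def file_ext(path: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    path = path.lower()
    return path[path.rfind("."):] if "." in path else ""


def parse_event(line: str) -> dict:
    """Parse one constructed log line of the form
    '<ISO timestamp> <host> <user> <RENAME|DELETE|WRITE> <path> [-> <new path>]'."""
    ts, host, user, action, rest = line.rstrip("\n").split(" ", 4)
    ev = {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "action": action}
    if action == "RENAME":
        ev["path"], ev["new_path"] = rest.split(" -> ", 1)
    else:
        ev["path"], ev["new_path"] = rest, None
    return ev


def max_in_window(stamps: list, window: timedelta = WINDOW) -> int:
    """Largest number of (sorted) timestamps that fall inside any one window."""
    best = start = 0
    for end, t in enumerate(stamps):
        while t - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines) -> dict:
    """Return {host: {"peak_renames": n, "backup_deleted": [paths]}} for every
    host whose peak .locky rename rate reaches RENAME_THRESHOLD."""
    renames = defaultdict(list)
    backup_deleted = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["action"] == "RENAME" and file_ext(ev["new_path"]) == RANSOM_EXTENSION:
            renames[ev["host"]].append(ev["ts"])
        elif ev["action"] == "DELETE" and file_ext(ev["path"]) in BACKUP_EXTENSIONS:
            backup_deleted[ev["host"]].append(ev["path"])
    alerts = {}
    for host, stamps in renames.items():
        peak = max_in_window(sorted(stamps))
        if peak >= RENAME_THRESHOLD:
            alerts[host] = {"peak_renames": peak,
                            "backup_deleted": backup_deleted.get(host, [])}
    return alerts


def build_sample_log() -> list:
    """Constructed sample: WS-17 shows the infection pattern, WS-02 is benign."""
    t0 = datetime(2016, 3, 30, 9, 15, 0)
    lines = []
    for i in range(25):  # 25 renames to .locky within 25 seconds on WS-17
        ts = (t0 + timedelta(seconds=i)).isoformat()
        old = rf"C:\Users\alice\docs\q1_report_{i}.docx"
        lines.append(f"{ts} WS-17 alice RENAME {old} -> {old}{RANSOM_EXTENSION}")
    lines.append(f"{(t0 + timedelta(seconds=26)).isoformat()} WS-17 alice DELETE D:\\backups\\finance.bak")
    # Benign activity: an ordinary save and a rename that keeps a normal extension
    lines.append(f"{(t0 + timedelta(seconds=3)).isoformat()} WS-02 bob WRITE C:\\Users\\bob\\notes.txt")
    lines.append(f"{(t0 + timedelta(seconds=9)).isoformat()} WS-02 bob RENAME C:\\Users\\bob\\draft.docx -> C:\\Users\\bob\\final.docx")
    return lines


if __name__ == "__main__":
    for host, finding in analyze(build_sample_log()).items():
        print(f"ALERT {host}: {finding['peak_renames']} renames to {RANSOM_EXTENSION} "
              f"within {WINDOW}; backups deleted: {finding['backup_deleted']}")
```

Keying the alert on the rename rate rather than on a single .locky file keeps one stray rename from paging anyone, while the backup-deletion list gives the responder the second indicator the slide describes; in practice the same sliding-window count works on file-server audit logs, where a mapped share is the first place mass encryption shows up.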
Paying the ransom
• 0.5 to 1 bitcoin for individual computers
  • ~$200 - $400
• 50 or more bitcoins for businesses
  • ~$20,000
• Multiple onion links, multiple bitcoin addresses
Poll: Dealing with ransomware
• Do you know the outcome of the ransomware experience(s) you have dealt with or are familiar with? (choose multiple answers)
  • Paid and got files back
  • Paid but files were not decrypted
  • Didn’t pay but managed to recover data (e.g. from backup)
  • Didn’t pay and lost data
  • Unsure of outcome / no experience with ransomware
How to avoid being a ransomware victim
IMPROVE YOUR PREVENTION
• Email security gateway
  • 91% of attacks start in email
  • Stop spam and viruses before they reach your users
• Web security gateway
  • Stop malware downloads and malicious URLs
  • Stop C&C communications and data exfiltration
• Network sandboxing
  • Identify and stop never-before-seen malware
• Endpoint security with active monitoring
  • Make sure it’s up to date
• Security training
  • Social engineering: don’t click that link…
IMPROVE YOUR DETECTION/RESPONSE
• Backup and recovery
  • Implement it
  • Test it
  • Know the difference between backup and sync
• Network shares
  • Avoid mapping network drives with large file repositories (or map them with no write permissions)
CYREN Powers the World’s Security
500K+ threat collection points
600M+ users protected
17B+ daily transactions
130M+ threats blocked
CYREN’s 100% cloud security services
SaaS Secure Web Gateway protects users from cyber-threats, monitors and controls web usage, and protects users both on and off the network.
SaaS Secure Email Gateway protects users from spam, phishing attacks, viruses and zero-hour malware with a seamless end-user experience.
Cloud-powered threat intelligence and SDKs allow technology vendors and service providers to detect a broad set of cyber-threats, including malicious websites, phishing attacks, malware, botnets, and spam.
Enterprise OEM
You can also find us here:
www.CYREN.com
twitter.com/cyreninc
linkedin.com/company/cyren
Thank You. Any Questions or Thoughts?