Come to this session to learn how Europol, the Dutch police, Intel Security, and Kaspersky Lab have come together in an unprecedented collaboration of government and private-sector organizations. Open source ransomware code makes it easier to lock victims’ computers and encrypt their data, resulting in an alarming increase of cyber ransom. In response, www.nomoreransom.org was created with the additional cooperation of AWS and Barracuda Web Application Firewall. Learn what tools are available to retrieve encrypted data and take a peek under the hood of this mission-critical website in the fight against ransomware. Perhaps because the site opposes ransomware, it has already received a number of attacks. Learn how AWS and Intel worked to rebuff these persistent assaults.
2. What to Expect from the Session
1. Better understanding of the threat to our digital society
2. How the No More Ransom initiative can help you
3. Architecting a website for scale and security
3. Healthcare – Ransomware Attacks
• Hospital’s network down for more than a week
• Systems for CT scans and others impacted
• Email, patient files, and other data encrypted
• Staff went back to fax machines for communication
• Hospital pays $17,000 USD ransom to get data back
• They were not the only hospital hit by ransomware
7. Ransom negotiations
Victim: Please send me the key. I have a small business. This way I go bankrupt…….. I won't contact the police. You have till tonight 0:00. After that I will turn to Interpol. So win-win send me the decryption key.
Criminal: LOL
we can do 0.3 bitcoins if you agree no reason
we don’t target specific people
we don’t bow to threats
we can do 0.3 btc lowest
8. Ransom negotiations
Victim: I lost six years of photos of my children and all documents of my study
Criminal: OK, just pay 0,6 bitcoin and you’ll get your files.
Victim: May your children be cursed and I hope they have diseases in their miserable lives.
Criminal: OK
10. CyberThreat Alliance
• 49 campaign code identifiers
• 406,887 attempted infections of CryptoWall version 3
• Estimated $631 million (USD) in damages
• 4,046 malware samples
• 839 command and control URLs
• 5 second-tier IP addresses used for command and control
15. Healthcare Targeted
[Timeline figure: January to February 2016]
• Titus Med Care, Texas, USA: Alphacrypt Ransomware
• Berkshire HS, Massachusetts, USA: Ransomware
• Multiple Hospitals, North Rhine, Germany: Ransomware
• Two Hospitals, Melbourne, Australia: Obot & Ransomware
• Royal Berkshire Hospital, United Kingdom: Ransomware
• Whanganui Hospital Korea: Locky Ransomware
Systematic
17. Prevention
• Quickly install security updates
• Ensure updated security software is installed
• Implement a robust backup and recovery strategy
• Conduct employee training
18. Let AWS Handle the IT Infrastructure
AWS Marketplace: quickly provision the resources needed – Tasked with setting up a highly visible and targeted web portal in roughly two weeks.
Security – AWS cloud infrastructure architected to be one of the most secure cloud environments available today.
Elasticity – Instantly scale up or down based on demand.
– Before launch – Best guess of number of visitors: 12,000/day
– Day of launch – 2.6 m visitors
19. NoMoreRansom.Org Edge Architecture
[Architecture diagram. Labelled components:]
• The Internet
• Amazon Route 53: Latency Routing; Failover health check
• Primary Site: Amazon CloudFront, AWS WAF, Amazon S3 (Content Hosting)
• Failover Site: Amazon CloudFront, AWS WAF, Amazon S3 (Content Hosting)
• Multiple Regions; Barracuda Firewall; Amazon EC2; Amazon VPC
21. Security
• 51K attacks reported by Barracuda post-launch
• Range from standard DDoS assaults to more exotic attacks on portions of the infrastructure
• 1 Million+ attack requests went through VPN systems to mask their true origin
• NoMoreRansom.org is still up and operating well; it has never been brought down by attackers
22. Recommendations
• Review the scale-up time of AMIs
• Review the impact of technical choices: look for ways to automate
• Explore scenarios thoroughly with your client to ensure happiness
• Build a trusted relationship with your partners
23. Take Away: Complexity
• Strive for simplicity
• De-couple technology dependencies
• The most complicated aspect of the solution is the log parsing and analytics system, which is being fine-tuned
• The second most complex aspect is global co-ordination of multiple stakeholders and technical staff
24. Take Away: Reduce Attack Surface of Web Application
• Not every system can or should use server-less architecture
• Every system needs to maintain a high security stance
• Regardless of the type of request, return a success message programmatically to fool automated attack systems
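The "always return success" point above, sketched as an added example (not code from the presenters or from NoMoreRansom.org). It assumes a small Python WSGI front end; the slide does not say where the real site implements this, and `STATIC_PAGES`, `DECOY_BODY`, `rejected_log` and `call` are hypothetical names with constructed sample data.

```python
from wsgiref.util import setup_testing_defaults

# Hypothetical allowlist of static pages; the real site's paths are not on the slide.
STATIC_PAGES = {
    "/": b"<h1>Home</h1>",
    "/index.html": b"<h1>Home</h1>",
}
DECOY_BODY = b'{"status": "success"}'
rejected_log = []  # stand-in for the log pipeline that feeds analytics


def app(environ, start_response):
    """Serve allowlisted GET/HEAD requests; answer everything else with one fixed 200."""
    method = environ.get("REQUEST_METHOD", "GET")
    path = environ.get("PATH_INFO", "/")
    if method in ("GET", "HEAD") and path in STATIC_PAGES:
        body = STATIC_PAGES[path]
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Content-Length", str(len(body)))])
        return [b"" if method == "HEAD" else body]
    # Unexpected request: do not process the body, do not echo input back,
    # and do not vary status or length, so a scanner gets no signal to tune on.
    rejected_log.append({
        "method": method,
        "path": path[:200],          # truncate attacker-controlled fields
        "query": environ.get("QUERY_STRING", "")[:200],
        "src": environ.get("REMOTE_ADDR", "-"),
    })
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(DECOY_BODY)))])
    return [DECOY_BODY]


def call(method, path, query="", src="203.0.113.7"):
    """Drive the app with a constructed WSGI environ; returns (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD=method, PATH_INFO=path,
                   QUERY_STRING=query, REMOTE_ADDR=src)
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body
```

Because the status code no longer separates rejected requests from served ones, detection has to come from the logged records rather than from 4xx/5xx counts.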
25. The Journey Begins Here
• Unauthorized packets are sent
• Malware created in car as communication gateway
• Exposes OBU and starts sending many bad packets
• Creates malware on the ADAS
• Sends a super-packet
• The car is destroyed
[Diagram labels: OBU; Home, Enterprise, Web, OEM, Roadside; Audio/Video, Telematics, Diagnostics, ADAS]
26. Thank you!
Visit the Barracuda Booth and
request AWS Credits to Start a
FREE Trial on AWS Marketplace
Twitter: @Raj_Samani