Come to this session to learn how Europol, the Dutch police, Intel Security, and Kaspersky Lab have come together in an unprecedented collaboration of government and private-sector organizations. Open source ransomware code makes it easier to lock victims’ computers and encrypt their data, resulting in an alarming increase of cyber ransom. In response www.nomoreransom.org was created with the additional cooperation of AWS and Barracuda Web Application Firewall. Learn what tools are available to retrieve encrypted data and take a peek under the hood of this mission-critical website in the fight against ransomware. Perhaps because the site opposes ransomware, it has already received a number of attacks. Learn how AWS and Intel worked to rebuff these persistent assaults.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
John Fokker - Digital Team Coordinator, NHTCU
Raj Samani, Intel
Ben Potter – Security Consultant, AWS
November 30, 2016
SAC327
No More Ransom!
How Europol, the Dutch Police, and AWS
Are Helping Millions Deal with Cybercrime

2. What to Expect from the Session
1. Better understanding of the threat to our digital society
2. How the No More Ransom initiative can help you
3. Architecting a website for scale and security

3. Healthcare – Ransomware Attacks
• Hospital’s network down for more than a week
• Systems for CT scans and others impacted
• Email, patient files, and other data encrypted
• Staff went back to fax machines for communication
• Hospital pays $17,000 USD ransom to get data back
• They were not the only hospital hit by ransomware

4. The following slides contain strong language

5. How it Often Starts….

6. And then….

7. Ransom negotiations
Please send me the key. I have a small business.
This way I go bankrupt……..
I won't contact the police. You have till tonight 0:00.
After that I will turn to Interpol.
So win-win send me the decryption key.
Victim:
Criminal: LOL
we can do 0.3 bitcoins if you agree no reason
we don’t target specific people
we don’t bow to threats
we can do 0.3 btc lowest

8. Ransom negotiations
I lost six years of photos of my children and
all documents of my study
OK, just pay 0,6 bitcoin and you’ll get your
files.
Victim:
Criminal:
May your children be cursed and i hope they
have deceases in there miserable lives.
Victim:
OKCriminal:

9. Police reports

10. • 49 campaign code identifiers
• 406,887 attempted infections of CryptoWall
version 3
• Estimated $631 million (USD) in damages
• 4,046 malware samples
• 839 command and control URLs
• 5 second-tier IP addresses used for
command and control
CyberThreat Alliance

11. Fightback Begins

12. Demystifying the Problem

13. Take Down Pipeline
15
July 25, 2016: Shade ransomware
July 28, 2016: Chimera ransomware
August 23, 2016: Wildfire ransomware
So far so good.

14. Another New Option
16
Option A – Pay the bad guys
Option B – Lose your data
Option C – _______
Decryption Tools

15. Healthcare Targeted
17
January February
2016
Titus Med Care
Texas, USA
Alphacrypt Ransomware
Berkshire HS Massachusetts,
USA
Ransomware
Multiple Hospitals
North Rhine, Germany
Ransomware
Two Hospitals Melbourne,
Australia
Obot & Ransomware
Royal Berkshire Hospital
United Kingdom
Ransomware
Whanganui Hospital Korea
Locky Ransomware
Systematic

16. Fightback Continues
• 45.00 BTC
• 40.00 BTC
• 21.94 BTC
• 22.00 BTC
• 22.00 BTC
• 40.00 BTC
$100,000.00
so far…...
Details of case: https://blogs.mcafee.com/mcafee-labs/targeted-ransomware-no-longer-future-threat/
Analysis of Bitcoin Wallets

17. Prevention
• Quickly install security updates
• Ensure updated security software is installed
• Implement a robust backup and recovery strategy
• Conduct employee training

18. Let AWS Handle the IT Infrastructure
AWS Marketplace: quickly provision the resources needed –
Tasked with setting up a highly visible and targeted web portal
in roughly two weeks.
Security – AWS cloud infrastructure architected to be one of the
most secure cloud environments available today.
Elasticity – Instantly scale up or down based on demand.
– Before launch – Best guess of number of visitors:
12,000/day
– Day of launch – 2.6 m visitors

19. NoMoreRansom.Org Edge Architecture
Amazon S3
Content Hosting
Amazon
CloudFront
Failover Site
AWS WAF
Amazon
Route 53
Failover health check
The Internet
Amazon
CloudFront
Primary Site
Amazon S3
Content Hosting
AWS WAF
Amazon
Route 53
Latency Routing
Multiple Regions
Barracuda
Firewall
Amazon
EC2
Amazon
VPC

20. NoMoreRansom.Org Regional Architecture
Barracuda
WAF
AWS
Lambda
Functions
Amazon
Redshift
Data Warehouse
Amazon
Elasticsearch Service
Log Analytics
Edge Locations
Elastic Load
Balancing
Elastic Load
Balancing
AWS
Elastic Beanstalk
Amazon
API Gateway

21. Security
• 51K attacks reported by Barracuda post-launch
• Range from standard DDOS assaults to more exotic attacks
on portions of the infrastructure
• 1 Million+ attack requests went through VPN systems
to mask their true origin
• NoMoreRansom.org is still up and operating well, it has
never been brought down by attackers

22. Recommendations
• Review the scale-up time of AMIs
• Review the impact of technical choices: look for ways to automate
• Explore scenarios thoroughly with your client to ensure happiness
• Build a trusted relationship with your partners

23. Take Away: Complexity
• Strive for simplicity
• De-couple technology dependencies
• The most complicated aspect of the solution is the log parsing and
analytics system, which is being fine tuned
• The second most complex aspect is global co-ordination or multiple
stakeholders and technical staff

24. Take Away: Reduce Attack Surface of Web Application
• Not every system can or should use server-less architecture
• Every system needs to maintain a high security stance
• Regardless of the type of request, return a success message
programmatically to fool automated attack systems

25. The Journey Begins Here
 Unauthorized packets are sent
 Malware created in car as
communication gateway
 Exposes OBU ad starts sending many
bad packets
 Creates malware on the ADAS
 Sends a super-packet
 The car is destroyed
OBU
Home Enterprise Web OEM Roadside
Audio/Video TelematicsDiagnostics ADAS

26. Thank you!
Visit the Barracuda Booth and
request AWS Credits to Start a
FREE Trial on AWS Marketplace
Twitter: @Raj_Samani