1. Amy Nicewick
April 20, 2021
CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
KEYNOTE:
REDUCE THE RISK OF RANSOMWARE
DATA CONNECTORS | VIRTUAL SUMMIT | CHICAGO
APRIL 20, 2021
Amy Nicewick
Section Chief
CISA Cybersecurity Division
11. Beyond the Headlines: What is Ransomware?
Ransomware Overview
Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.
12. Methods of Infection
The following are examples of vectors of infection for ransomware attacks:
• Phishing
• Compromised Websites
• Malvertising
• Exploit Kits
• Drive-by Downloads
• Mobile Devices
• Brute Force via RDP
13. Infects…Encrypts…Extorts
Ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services.
Malicious actors have adjusted their ransomware tactics over time to include pressuring victims for payment by threatening to release stolen data if they refuse to pay, and publicly naming and shaming victims as secondary forms of extortion.
The monetary value of ransom demands has also increased, with some demands exceeding US $1 million.
Ransomware incidents have become more destructive and impactful in nature and scope.
14. The Usual Suspects
Actors: REvil, Wizard Spider, Maze, Egregor, NetWalker, Ragnar Locker, DoppelPaymer, Nephilim, Project Root, SMAUG
Common Variants: Cerber, Locky, CryLocker, CryptoLocker, Jigsaw
Nation-States: Russia, North Korea, China, Iran
Source: CrowdStrike 2021 Global Threat Report
15. Trend: Ransomware-as-a-Service (RaaS) Model
• Ransomware families selling RaaS to other cybercriminals.
• As popularity increases, barriers to entry drop and the model becomes scalable and more efficient.
• Enables relatively unskilled bad actors to access complex tools and the environment from which to run their campaigns.
• The “commoditization” of the ransomware threat: entrepreneurial operators, including NetWalker, Nefilim, and Sodinokibi/REvil, all provide access to partners in pre-agreed profit-sharing arrangements.
• Increased investment in many of the platforms themselves, upgrading their core ransomware systems to stay ahead of the good guys and evade detection.
16. Trend: Double Extortion
Weaponized: One Part Ransomware, One Part Data Breach
Old Paradigm: Victim’s data encrypted; the actor locks the victim out of their own files. If the victim refused to pay the ransom, the actor destroyed their files.
New Paradigm: The attacker exfiltrates data (e.g., large quantities of sensitive commercial information) before encrypting it. The attacker threatens to publish unless the ransom is paid, and often releases small portions of the data online. If negotiation goes badly, the attacker publishes all of the data and/or sells it to a third party, putting added pressure on enterprises to meet the hackers’ demands.
17. Trend: COVID-19 Exploitation
Cyber criminals are exploiting the COVID-19 outbreak for their own personal gain with a range of ransomware attacks.
Scams include emails containing malware that appear to be sent from the Director-General of the World Health Organization (WHO), and others which claim to offer vaccines and face masks to fight the pandemic.
Exploiting vulnerabilities in software and remote working tools as more people work from home during the pandemic.
Ransomware targeting the Healthcare sector, including hospitals and clinics (Ryuk, Babuk Locker).
18. Trend: Big Game Hunting (BGH)
Ransomware campaigns aimed at high-value targets.
Generated demand in the market for network access brokers (typically with affiliates of RaaS groups) in 2020.
BGH targeting the Healthcare Sector, increasingly with double extortion demands.
Introduction of dedicated leak sites (DLSs) associated with specific ransomware families.
Source: CrowdStrike 2021 Global Threat Report
22. Ransomware Attacks on CI on the Rise
Attacks on Critical Infrastructure have Risen Dramatically in the Last Two Years
Top 5 Most Targeted Critical Infrastructure Sectors*
Critical Infrastructure Sector      Frequency
Government Facilities               241
Healthcare and Public Health        157
Education Facilities Subsector      135
Information Technology               74
Critical Manufacturing               68
*November 2013 – March 2021
According to data from the Temple University “Critical Infrastructure Ransomware Incident Dataset”
23. Why Target CI?
Follow the Money
“Cybercriminals are becoming more savvy. They know who has money. The folks who operate inside those critical infrastructure sectors are no longer immune.”
– Brandon Wales, CISA Acting Director
According to a recent Palo Alto Networks study:
The average ransom paid by organizations increased from $115,123 in 2019 to $312,493 in 2020, a 171% year-over-year increase.
The highest ransom paid by an organization doubled from 2019 to 2020, from $5 million to $10 million.
From 2015 to 2019, the highest ransomware demand was $15 million. In 2020, the highest ransomware demand was $30 million.
24. Chicago’s Key Industries are Targets
Top Ransomware Threats to Chicago Industry Sectors
Chicago’s most important industry sectors are also the key targets of ransomware attacks:
Manufacturing
Business and Professional Services
Food Industry
Transportation and Distribution
Healthcare and Life Sciences
Information Technology
IL government and education entities have also been targeted in serious ransomware attacks, including Cook County (Chicago) and others, since 2017.
29. CISA Ransomware Resources
CISA.gov/ransomware
Ransomware Guide
CISA INSIGHTS: Ransomware Outbreak
Toolkit, fact sheet, and images
Alerts and Statements: US-CERT activity alerts on ransomware threats; joint statements on ransomware with our partners
Guides and Services: Cyber Hygiene Services; TTX Exercises
Factsheets and Infographics: Protect Your Center From Ransomware poster; Ransomware: What It Is and What To Do About It
Training and Webinars: Webinars, Presentations; CDM Training; Incident Response Training Series
30. Ransomware Campaign Toolkit
CISA’s Ransomware Campaign Toolkit is on our ransomware webpage. Download and support the campaign.
31. Ransomware Guide
Joint CISA and MS-ISAC Ransomware Guide
The Ransomware Guide includes recommendations, best practices, recommended incident response policies and procedures, cyber hygiene services, and several checklists that organizations can use to help protect against or respond to ransomware attacks.
32. Ransomware Guide Contents
Ransomware Infection Vectors:
Internet-Facing Vulnerabilities and Misconfigurations
Phishing
Precursor Malware Infection
Third-Parties and MSPs
General Best Practices and Hardening Guidance
Ransomware Response Checklist
33. Ransomware Guide: Select Best Practices
Regularly maintain offline, encrypted backups of data and regularly test your backups.
Create, maintain, and exercise a basic cyber incident response plan and associated communications plan.
Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface.
CISA offers a no-cost Vulnerability Scanning service and other no-cost assessments: cisa.gov/cyber-resource-hub.
34. Ransomware Guide: Select Best Practices
Implement a cybersecurity user awareness and training program that includes guidance on identifying and reporting suspicious activity (e.g., phishing) or incidents. Conduct organization-wide phishing tests to gauge user awareness.
Ensure antivirus and anti-malware software and signatures are up to date. Additionally, turn on automatic updates for both solutions.
Consider risk management and cyber hygiene practices of third parties or managed service providers (MSPs) your organization relies on.
Retain secure logs from both network devices and local hosts. This supports triage and remediation of cybersecurity events. Logs can be analyzed to determine the impact of events and ascertain whether an incident has occurred.
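As an added illustration of why retained host logs matter (this is example code, not CISA's), the following detector looks for the "Brute Force via RDP" infection vector listed earlier by scanning Windows Security logon events for a burst of failed RDP logons from one source, and notes whether that source later logged on successfully. The log records are constructed sample data in a simplified one-JSON-object-per-line form; the field names are assumptions, not a real export format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not a real log export). Windows Security semantics:
# 4625 = failed logon, 4624 = successful logon, logon_type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
{"ts":"2021-04-20T02:00:01","event_id":4625,"logon_type":10,"user":"admin","src_ip":"203.0.113.7"}
{"ts":"2021-04-20T02:00:09","event_id":4625,"logon_type":10,"user":"administrator","src_ip":"203.0.113.7"}
{"ts":"2021-04-20T02:00:30","event_id":4625,"logon_type":2,"user":"jsmith","src_ip":"192.0.2.5"}
{"ts":"2021-04-20T02:01:02","event_id":4625,"logon_type":10,"user":"backup","src_ip":"203.0.113.7"}
{"ts":"2021-04-20T02:02:11","event_id":4625,"logon_type":10,"user":"jsmith","src_ip":"198.51.100.20"}
{"ts":"2021-04-20T02:02:15","event_id":4625,"logon_type":10,"user":"svc_sql","src_ip":"203.0.113.7"}
{"ts":"2021-04-20T02:03:05","event_id":4625,"logon_type":10,"user":"admin","src_ip":"203.0.113.7"}
{"ts":"2021-04-20T02:03:20","event_id":4624,"logon_type":10,"user":"admin","src_ip":"203.0.113.7"}
"""

def parse_records(text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_rdp_brute_force(records, threshold=5, window_minutes=5):
    """Flag source IPs with >= threshold failed RDP logons inside any sliding window of
    window_minutes; report targeted accounts and whether the IP later logged on via RDP."""
    failures, successes = defaultdict(list), defaultdict(list)
    for r in (x for x in records if x["logon_type"] == 10):  # RDP logons only
        ts = datetime.fromisoformat(r["ts"])
        if r["event_id"] == 4625:
            failures[r["src_ip"]].append((ts, r["user"]))
        elif r["event_id"] == 4624:
            successes[r["src_ip"]].append(ts)
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "failures": len(events),
                    "accounts": sorted({u for _, u in events}),
                    # a success after the burst began is the highest-priority case
                    "followed_by_success": any(t > events[start][0] for t in successes[ip]),
                }
                break
    return flagged
```

The single typo from 198.51.100.20 and the local (type 2) failure from 192.0.2.5 are not flagged; only the spraying source is.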
35. Ransomware Response Checklist
Detection and Analysis
Determine systems impacted; immediately isolate and triage impacted systems for restoration/recovery.
Engage internal/external stakeholders to help mitigate, respond to, and recover from the incident.
Containment and Eradication
Investigate: take a system image and memory capture of a sample of affected devices.
Research trusted guidance for the ransomware variant and conduct an examination of IDS/IPS and logs.
Conduct extended analysis to identify persistence mechanisms.
Rebuild systems based on a prioritization of critical services.
IT security authority declares the incident over.
36. Ransomware Response Checklist
Recovery and Post-Incident Activity
Reconnect systems and restore data from offline, encrypted backups based on critical services prioritization.
Document lessons learned from the incident.
Consider sharing lessons learned and relevant indicators of compromise (IOCs) with CISA and your sector ISAC/ISAO.
37. Executive Decision-Making Considerations
CISA encourages organizations to develop a Ransomware Playbook that provides the practices for response as well as illustrates critical points for executive leadership involvement, including deciding whether to pay a ransom. When deciding whether to pay a ransom, executives will have many considerations, including:
Advice from the FBI.
Recommendations from in-house Legal Counsel, Board, etc.
The impact of maintaining manual operations without interrupting business services.
The impact to partner systems and operations.
Do we have Cyber Insurance?
Reputational/Brand risk exposure of paying the ransom.
Financial risk of paying or not paying the ransom.
It is important to note that even if the ransom is paid, many impacted organizations have still had to pay recovery expenses in addition to the ransom payment.
38. Consideration: Zero Trust Strategy Model
Old Model, New Mindset
Requires real-time authentication tests of users
Automatically blocks suspicious activities
Prevents adversaries from the privilege escalation demonstrated in the SolarWinds incident
SolarWinds Example
Victim organizations’ emphasis on network perimeter security, lacking internal detection methods for intruders already present in the network
Decades-old reliance on detectors deployed at the network perimeter, fed by intel on known threats/actors
Need balance between internal/external detection methods for effective implementation
Zero Trust Guiding Principles
Never trust, always verify, and explicitly authorize to the least privilege required
Assume breach; assume the adversary is already present in the environment
Deny by default and heavily scrutinize all users, data flows, and requests
Verify explicitly all access to resources, consistently, using multiple attributes (dynamic and static)
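To make the four principles concrete, here is an added illustration (example code, not CISA's and not any product's policy engine) of a deny-by-default access decision that re-evaluates every request against static attributes (role, device enrolment) and dynamic ones (device posture, MFA freshness, risk signals), and never treats being inside the network perimeter as a reason to trust. The roles, attribute names and sample requests are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy (not CISA code). Least privilege: the only actions a role can
# ever be granted. MFA_MAX_AGE: how long a strong authentication stays fresh.
ROLE_PERMISSIONS = {"analyst": {"read"}, "admin": {"read", "write"}}
MFA_MAX_AGE = timedelta(hours=1)

@dataclass
class AccessRequest:
    user: str
    role: str
    action: str
    resource: str
    source_network: str              # "corp" or "internet"; deliberately NOT consulted
    device_enrolled: bool            # static: managed, enrolled device
    device_compliant: bool           # dynamic: latest posture check passed
    mfa_verified_at: datetime        # dynamic: last strong authentication
    risk_signals: set = field(default_factory=set)  # dynamic, e.g. "impossible_travel"

def decide(req, now):
    """Return (allowed, reason). Every attribute must pass; anything else is denied.
    source_network is never used: being inside the perimeter earns no trust
    (assume breach), which is the SolarWinds lesson above."""
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "deny: action not in least-privilege set for role"
    if not (req.device_enrolled and req.device_compliant):
        return False, "deny: device not enrolled or not compliant"
    if now - req.mfa_verified_at > MFA_MAX_AGE:
        return False, "deny: MFA verification stale, re-authenticate"
    if req.risk_signals:
        return False, "deny: risk signals " + ", ".join(sorted(req.risk_signals))
    return True, "allow: all attributes verified"

def evaluate_samples():
    """Constructed requests: an on-network admin with stale MFA is denied, an off-network
    analyst with fresh MFA on a compliant device may read but not write."""
    now = datetime(2021, 4, 20, 12, 0)
    fresh, stale = now - timedelta(minutes=5), now - timedelta(hours=3)
    inside_admin = AccessRequest("alice", "admin", "write", "finance-db", "corp",
                                 True, True, stale)
    remote_analyst = AccessRequest("bob", "analyst", "read", "finance-db", "internet",
                                   True, True, fresh)
    overreach = AccessRequest("bob", "analyst", "write", "finance-db", "internet",
                              True, True, fresh)
    risky = AccessRequest("carol", "admin", "read", "finance-db", "corp",
                          True, True, fresh, {"impossible_travel"})
    return {r.user + ":" + r.action: decide(r, now)
            for r in (inside_admin, remote_analyst, overreach, risky)}
```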
40. Stay Connected with CISA
Log on to us-cert.cisa.gov/mailing-lists-and-feeds to sign up for alerts.
CISA offers updates on the subscription topics below (10 GovDelivery/NCAS topics available):
Current Activities
Alerts
Analysis Reports
Tips
Bulletins
ICS Advisories
ICS Medical Advisories
ICS Announcements
ICS Alerts
Community Bulletin
42. If Attacked
Victims of ransomware should report it immediately to:
CISA at www.us-cert.gov/report;
Local FBI Field Office; or
Secret Service Field Office.
43. For more information: cisa.gov/ransomware
Contact: Amy.Nicewick@CISA.dhs.gov