KEYNOTE: REDUCE THE RISK OF RANSOMWARE
DATA CONNECTORS | VIRTUAL SUMMIT | CHICAGO
April 20, 2021

Amy Nicewick
Section Chief, CISA Cybersecurity Division
CISA | Cybersecurity and Infrastructure Security Agency

39 Minutes
Signs of Trouble
Production Stopped, Frustration Mounts
To Pay or Not to Pay
Employees Frustrated, Customers Angry
Spreading to Affiliates, Partners
Local Story Goes National
ACME "HISTORIC" RANSOMWARE ATTACK
…Six Months Later

Ransomware Overview

Beyond the Headlines: What is Ransomware?
Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.

Methods of Infection
The following are examples of infection vectors for ransomware attacks:
• Phishing
• Compromised Websites
• Malvertising
• Exploit Kits
• Drive-by Downloads
• Mobile Devices
• Brute Force via RDP

Infects…Encrypts…Extorts
• Ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services.
• Malicious actors have adjusted their ransomware tactics over time to include pressuring victims for payment by threatening to release stolen data if they refuse to pay, and publicly naming and shaming victims, as secondary forms of extortion.
• The monetary value of ransom demands has also increased, with some demands exceeding US $1 million.
• Ransomware incidents have become more destructive and impactful in nature and scope.

The Usual Suspects
Actors
• REvil
• Wizard Spider
• Maze
• Egregor
• NetWalker
• Ragnar Locker
• DoppelPaymer
• Nephilim
• Project Root
• SMAUG
Common Variants
• Cerber
• Locky
• CryLocker
• CryptoLocker
• Jigsaw
Nation-States
• Russia
• North Korea
• China
• Iran
Source: CrowdStrike 2021 Global Threat Report

Trend: Ransomware-as-a-Service (RaaS) Model
• Ransomware families sell RaaS to other cybercriminals.
• Popularity increases → barriers to entry drop; the model becomes scalable and more efficient.
• Enables relatively unskilled bad actors to access complex tools and the environment from which to run their campaigns.
• The "commoditization" of the ransomware threat: entrepreneurial operators, including NetWalker, Nefilim, and Sodinokibi/REvil, all provide access to partners in pre-agreed profit-sharing arrangements.
• Increased investment in many of the platforms themselves, upgrading their core ransomware systems to stay ahead of defenders and evade detection.

Trend: Double Extortion
• Weaponized: one part ransomware, one part data breach.
• Old paradigm: the victim's data is encrypted and the actor locks the victim out of their own files. If the victim refused to pay the ransom, the actor destroyed their files.
• New paradigm: the attacker exfiltrates data (e.g., large quantities of sensitive commercial information) before encrypting it, then threatens to publish unless the ransom is paid, often releasing small portions of the data online. If negotiation goes badly, the attacker publishes all of the data and/or sells it to a third party, putting added pressure on enterprises to meet the demands.

Trend: COVID-19 Exploitation
• Cyber criminals are exploiting the COVID-19 outbreak for their own gain with a range of ransomware attacks.
• Scams include emails containing malware that appear to be sent from the Director-General of the World Health Organization (WHO), and others that claim to offer vaccines and face masks to fight the pandemic.
• Exploitation of vulnerabilities in software and remote working tools as more people work from home during the pandemic.
• Ransomware targeting the Healthcare sector, including hospitals and clinics (Ryuk, Babuk Locker).

Trend: Big Game Hunting (BGH)
• Ransomware campaigns aimed at high-value targets.
• Generated demand in the market for network access brokers (typically working with affiliates of RaaS groups) in 2020.
• BGH targeting the Healthcare Sector, increasingly with double extortion demands.
• Introduction of dedicated leak sites (DLSs) associated with specific ransomware families.
Source: CrowdStrike 2021 Global Threat Report

Ransomware & Critical Infrastructure

Critical Infrastructure Focused

The Threat to Critical Infrastructure

Ransomware Attacks on CI on the Rise
Attacks on Critical Infrastructure have risen dramatically in the last two years.

Top 5 Most Targeted Critical Infrastructure Sectors (November 2013 – March 2021)
Critical Infrastructure Sector     Frequency
Government Facilities              241
Healthcare and Public Health       157
Education Facilities Subsector     135
Information Technology              74
Critical Manufacturing              68
Source: Temple University, "Critical Infrastructure Ransomware Incident Dataset"

Why Target CI?
Follow the Money
"Cybercriminals are becoming more savvy. They know who has money. The folks who operate inside those critical infrastructure sectors are no longer immune."
– Brandon Wales, CISA Acting Director
According to a recent Palo Alto Networks study:
• The average ransom paid by organizations increased from $115,123 in 2019 to $312,493 in 2020, a 171% year-over-year increase.
• The highest ransom paid by an organization doubled from 2019 to 2020, from $5 million to $10 million.
• From 2015 to 2019, the highest ransomware demand was $15 million. In 2020, the highest ransomware demand was $30 million.

Chicago's Key Industries are Targets
Top Ransomware Threats to Chicago Industry Sectors
• Chicago's most important industry sectors are also the key targets of ransomware attacks:
  • Manufacturing
  • Business and Professional Services
  • Food Industry
  • Transportation and Distribution
  • Healthcare and Life Sciences
  • Information Technology
• IL government and education entities have also been targeted in serious ransomware attacks, including Cook County (Chicago) and others since 2017.

CISA and the Ransomware Campaign

Cybersecurity and Infrastructure Security Agency (CISA)

Ransomware Campaign Overview

Ransomware Campaign Key Messages

CISA Ransomware Resources
CISA.gov/ransomware
• Ransomware Guide
  • CISA INSIGHTS: Ransomware Outbreak
  • Toolkit, fact sheet, and images
• Alerts and Statements
  • US-CERT activity alerts on ransomware threats
  • Joint statements on ransomware with our partners
• Guides and Services
  • Cyber Hygiene Services
  • TTX Exercises
• Factsheets and Infographics
  • Protect Your Center From Ransomware poster
  • Ransomware: What It Is and What To Do About It
• Training and Webinars
  • Webinars, Presentations
  • CDM Training
  • Incident Response Training Series

Ransomware Campaign Toolkit
CISA's Ransomware Campaign Toolkit is on our ransomware webpage. Download and support the campaign.

Ransomware Guide
Joint CISA and MS-ISAC Ransomware Guide
The Ransomware Guide includes recommendations, best practices, recommended incident response policies and procedures, cyber hygiene services, and several checklists that organizations can use to help protect against or respond to ransomware attacks.

Ransomware Guide Contents
• Ransomware Infection Vectors:
  • Internet-Facing Vulnerabilities and Misconfigurations
  • Phishing
  • Precursor Malware Infection
  • Third Parties and MSPs
• General Best Practices and Hardening Guidance
• Ransomware Response Checklist

Ransomware Guide: Select Best Practices
• Regularly maintain offline, encrypted backups of data and regularly test your backups.
• Create, maintain, and exercise a basic cyber incident response plan and associated communications plan.
• Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface.
CISA offers a no-cost Vulnerability Scanning service and other no-cost assessments: cisa.gov/cyber-resource-hub.
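"Regularly test your backups" is the practice that decides whether a ransomware incident is an outage or a catastrophe, and a test has to prove the restored data is what was backed up. The following is an added example (it is not from the Ransomware Guide or from CISA): it records a SHA-256 manifest of the files when a backup is taken and checks a restored copy against it, so files that came back encrypted, truncated or missing, and files that should not be there at all, are reported instead of discovered mid-incident. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Check that a restored backup matches what was backed up.

Added example; it is not from the CISA/MS-ISAC Ransomware Guide. A SHA-256
manifest is written when the backup is taken and a restore is checked
against it. Files that came back encrypted, truncated or missing are
reported, along with files that should not be there (a dropped ransom
note, for instance). File names and contents are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backup sets never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored_root, manifest):
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    return {
        "ok": sorted(k for k, h in manifest.items() if restored.get(k) == h),
        "modified": sorted(k for k, h in manifest.items() if k in restored and restored[k] != h),
        "missing": sorted(k for k in manifest if k not in restored),
        "unexpected": sorted(k for k in restored if k not in manifest),
    }


def demo():
    """Constructed scenario: three files are backed up; the restore brings one
    back intact, one back as ciphertext, loses one, and adds a ransom note."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        (src / "db").mkdir(parents=True)
        (dst / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
        (src / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'ACME');\n")
        (src / "README.txt").write_bytes(b"nightly dump, keep offline\n")
        manifest = build_manifest(src)  # stored with the offline backup

        # The "restore": one file intact, one encrypted, one lost, one extra.
        (dst / "db" / "orders.sql").write_bytes((src / "db" / "orders.sql").read_bytes())
        (dst / "db" / "customers.sql").write_bytes(b"\x8f\x1a\x00\xe3 stand-in ciphertext")
        (dst / "RESTORE_FILES.txt").write_bytes(b"your files are encrypted\n")
        return verify_restore(dst, manifest)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:10s} {paths}")
```

Keep the manifest on the offline media (or sign it) so an intruder who reaches the live servers cannot rewrite it to match altered data, and treat a clean hash report as necessary rather than sufficient: a restore test should also start the application against the restored data and confirm it serves requests. The hash check runs on the decrypted, restored copy; the guide's "encrypted backups" refers to protecting the backup at rest.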

Ransomware Guide: Select Best Practices (continued)
• Implement a cybersecurity user awareness and training program that includes guidance on identifying and reporting suspicious activity (e.g., phishing) or incidents. Conduct organization-wide phishing tests to gauge user awareness.
• Ensure antivirus and anti-malware software and signatures are up to date. Additionally, turn on automatic updates for both solutions.
• Consider the risk management and cyber hygiene practices of third parties or managed service providers (MSPs) your organization relies on.
• Retain secure logs from both network devices and local hosts. This supports triage and remediation of cybersecurity events. Logs can be analyzed to determine the impact of events and ascertain whether an incident has occurred.
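Two earlier points meet here: "Brute Force via RDP" on the Methods of Infection slide, and the advice just above to retain host and network logs so that analysis can ascertain whether an incident has occurred. The following is an added example, not from the deck or the Ransomware Guide, of what that analysis looks like for RDP password guessing: it parses a constructed, simplified one-line rendering of Windows Security events 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP), counts failures per source address in a sliding window, and raises the severity when a source that was guessing then logs on successfully. The sample lines, field layout and threshold are constructed for the demonstration.

```python
"""Detect RDP password guessing (and a following success) in logon events.

Added example; it is not from the CISA deck or the Ransomware Guide. The
input is a constructed, simplified one-line rendering of Windows Security
events 4625 (failed logon) and 4624 (successful logon) with LogonType 10
(RemoteInteractive, i.e. RDP). Real sources (EVTX exports, Sysmon, a SIEM)
carry the same fields under different formatting, so only parse_event()
would change.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.45 guesses six accounts in 17 seconds and
# then logs on as svc_sql; 10.0.0.17 is a user who mistyped a password once.
SAMPLE_EVENTS = """\
2021-04-20T02:14:03Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2021-04-20T02:14:05Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2021-04-20T02:14:08Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2021-04-20T02:14:11Z EventID=4625 LogonType=10 TargetUser=scanner SourceIP=203.0.113.45
2021-04-20T02:14:14Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.45
2021-04-20T02:14:20Z EventID=4625 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.45
2021-04-20T02:15:02Z EventID=4624 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.45
2021-04-20T02:30:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.17
2021-04-20T02:30:09Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.17
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_event(line):
    """Return a dict for one event line, or None if the line does not match."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "id": int(m["id"]),
        "logon_type": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of RDP logon failures per source IP.

    Emits a medium alert when a source reaches `threshold` failures inside
    `window`, and a high alert if that same source later logs on successfully
    over RDP: the signature of a guessed password rather than a mistyped one.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of 4625s in window
    flagged = set()                       # ips that crossed the threshold
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != 10:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["id"] == 4625:
            q = recent_failures[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "severity": "medium", "ip": ip, "ts": ts,
                    "reason": f"{len(q)} RDP logon failures within {int(window.total_seconds())}s",
                })
        elif ev["id"] == 4624 and ip in flagged:
            alerts.append({
                "severity": "high", "ip": ip, "ts": ts, "user": ev["user"],
                "reason": "successful RDP logon from a source that was password guessing",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS.splitlines()):
        print(a["ts"].isoformat(), a["severity"].upper(), a["ip"], a["reason"])
```

To run this against real data, replace parse_event() with a parser for your export format; the correlation logic does not change. Two production caveats: expire the flagged state after some hours rather than keeping it for the life of the run, and do not filter on LogonType 10 alone, because with Network Level Authentication enabled, failed RDP attempts are commonly recorded as 4625 with LogonType 3 (network) instead.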

Ransomware Response Checklist
Detection and Analysis
• Determine which systems are impacted; immediately isolate and triage impacted systems for restoration/recovery.
• Engage internal/external stakeholders to help mitigate, respond to, and recover from the incident.
Containment and Eradication
• Investigate: take a system image and memory capture of a sample of affected devices.
• Research trusted guidance for the ransomware variant and examine IDS/IPS and logs.
• Conduct extended analysis to identify persistence mechanisms.
• Rebuild systems based on a prioritization of critical services.
• IT security authority declares the incident over.
Recovery and Post-Incident Activity
• Reconnect systems and restore data from offline, encrypted backups based on critical services prioritization.
• Document lessons learned from the incident.
• Consider sharing lessons learned and relevant indicators of compromise (IOCs) with CISA and your sector ISAC/ISAO.

Executive Decision-Making Considerations
CISA encourages organizations to develop a Ransomware Playbook that provides the practices for response as well as illustrates critical points for executive leadership involvement, including deciding whether to pay a ransom. When deciding whether to pay a ransom, executives will have many considerations, including:
• Advice from the FBI.
• Recommendations from in-house Legal Counsel, Board, etc.
• The impact of maintaining manual operations without interrupting business services.
• The impact to partner systems and operations.
• Do we have Cyber Insurance?
• Reputational/brand risk exposure of paying the ransom.
• Financial risk of paying or not paying the ransom.
It is important to note that even if the ransom is paid, many impacted organizations have still had to pay recovery expenses in addition to the ransom payment.

Consideration: Zero Trust Strategy Model
Old Model, New Mindset
• Requires real-time authentication tests of users.
• Automatically blocks suspicious activities.
• Aims to prevent the privilege escalation demonstrated in the SolarWinds incident.
SolarWinds Example
• Victim organizations' emphasis on network perimeter security, lacking internal methods for detecting intruders already present in the network.
• Decades-old reliance on detectors deployed at the network perimeter, fed by intel on known threats/actors.
• Need balance between internal and external detection methods for effective implementation.
Zero Trust Guiding Principles
• Never trust, always verify, and explicitly authorize to the least privilege required.
• Assume breach; assume the adversary is already present in the environment.
• Deny by default and heavily scrutinize all users, data flows, and requests.
• Explicitly verify all access to resources, consistently, using multiple attributes (dynamic and static).
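The four principles above are abstract until they are turned into a decision rule. The following is an added example, not CISA's model or code, of an access decision that applies all four at once: deny by default, a least-privilege policy table, re-verification when the strong-authentication proof is stale, device posture as a dynamic attribute, and no trust derived from network location (assume breach). The attribute names, the policy table and the 15-minute MFA age are assumptions chosen for the illustration.

```python
"""Deny-by-default access decision evaluated from several attributes.

Added example illustrating the Zero Trust guiding principles; it is not
CISA's reference model or code. The attribute names, the policy table and
the 15-minute MFA age are assumptions chosen for the illustration.
"""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str                 # static attribute asserted by the identity provider
    resource: str
    action: str               # "read" or "write"
    mfa_age: timedelta        # dynamic: time since the last strong-authentication proof
    device_managed: bool      # dynamic: device-posture signals from the endpoint agent
    device_compliant: bool
    network: str              # "corp", "vpn" or "internet": logged, never a basis for trust


# Least privilege: the only (resource, action) pairs that exist are the ones
# listed here, and each names the roles allowed to perform it. Nothing grants
# interactive writes to the backup vault.
POLICY = {
    ("finance-db", "read"): {"analyst", "dba"},
    ("finance-db", "write"): {"dba"},
    ("backup-vault", "read"): {"backup-operator"},
}

MFA_MAX_AGE = timedelta(minutes=15)


def decide(req):
    """Return (allowed, reasons). Every check must pass; any failure denies.

    Assume breach: an "inside the perimeter" network location adds nothing,
    so a request from the corporate LAN is judged exactly like one from the
    internet. req.network is deliberately never consulted.
    """
    reasons = []
    allowed_roles = POLICY.get((req.resource, req.action))
    if allowed_roles is None:
        reasons.append(f"no policy grants {req.action} on {req.resource}: deny by default")
    elif req.role not in allowed_roles:
        reasons.append(f"role {req.role!r} is not permitted to {req.action} {req.resource}")
    if req.mfa_age > MFA_MAX_AGE:
        reasons.append(f"strong authentication is {req.mfa_age} old; re-verify the user")
    if not (req.device_managed and req.device_compliant):
        reasons.append("device is not managed and compliant")
    return (not reasons, reasons)


def demo():
    """Constructed requests, one per principle."""
    fresh, stale = timedelta(minutes=2), timedelta(hours=9)
    cases = {
        # Verified explicitly on every attribute; comes from the internet and is allowed.
        "dba_write_from_internet": AccessRequest("pat", "dba", "finance-db", "write", fresh, True, True, "internet"),
        # On the corporate LAN, but the role may only read: least privilege denies the write.
        "analyst_write_from_corp": AccessRequest("sam", "analyst", "finance-db", "write", fresh, True, True, "corp"),
        # Right role, compliant device, but the MFA proof is hours old.
        "dba_stale_mfa": AccessRequest("pat", "dba", "finance-db", "read", stale, True, True, "corp"),
        # No policy exists for this action at all: denied by default.
        "dba_write_backup_vault": AccessRequest("pat", "dba", "backup-vault", "write", fresh, True, True, "vpn"),
    }
    return {name: decide(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name:26s} {'ALLOW' if allowed else 'DENY '} {'; '.join(reasons)}")
```

The last case is the one most relevant to ransomware: an intruder holding a valid account and already on the internal network gets no credit for being inside the perimeter, and a backup vault that no role is permitted to write interactively cannot be encrypted through this path with stolen operator credentials.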

Wrap Up

Stay Connected with CISA
Log on to us-cert.cisa.gov/mailing-lists-and-feeds to sign up for alerts.
CISA offers updates on the subscription topics below (10 GovDelivery/NCAS topics available):
• Current Activities
• Alerts
• Analysis Reports
• Tips
• Bulletins
• ICS Advisories
• ICS Medical Advisories
• ICS Announcements
• ICS Alerts
• Community Bulletin

If Attacked
Victims of ransomware should report it immediately to:
• CISA at www.us-cert.gov/report;
• their local FBI Field Office; or
• their Secret Service Field Office.

For more information: cisa.gov/ransomware
Contact: Amy.Nicewick@CISA.dhs.gov

More Related Content

Similar to DataConnectors_Keynote_FINAL.pptx

Symantec Internet Security Threat Report Volume 2015
Symantec Internet Security Threat Report Volume 2015Symantec Internet Security Threat Report Volume 2015
Symantec Internet Security Threat Report Volume 2015Waqas Amir
 
2016 Symantec Internet Security Threat Report
2016 Symantec Internet Security Threat Report2016 Symantec Internet Security Threat Report
2016 Symantec Internet Security Threat ReportRapidSSLOnline.com
 
HCA 530, Week 2, Symantec 2016 threat report
HCA 530, Week 2, Symantec 2016 threat reportHCA 530, Week 2, Symantec 2016 threat report
HCA 530, Week 2, Symantec 2016 threat reportMatthew J McMahon
 
Symantec Intelligence Report
Symantec Intelligence ReportSymantec Intelligence Report
Symantec Intelligence ReportSymantec
 
NAGTRI Journal Article
NAGTRI Journal ArticleNAGTRI Journal Article
NAGTRI Journal ArticleTaylre Janak
 
Global Cyber Attacks report 2018 - 2019 | HaltDos
Global Cyber Attacks report 2018 - 2019 | HaltDosGlobal Cyber Attacks report 2018 - 2019 | HaltDos
Global Cyber Attacks report 2018 - 2019 | HaltDosHaltdos
 
Tackling the maze ransomware attack with security testing
Tackling the maze ransomware attack with security testingTackling the maze ransomware attack with security testing
Tackling the maze ransomware attack with security testingCigniti Technologies Ltd
 
RIFDHY RM ( Cybersecurity ).pdf
RIFDHY RM ( Cybersecurity ).pdfRIFDHY RM ( Cybersecurity ).pdf
RIFDHY RM ( Cybersecurity ).pdfRifDhy22
 
Cybersecurity | Risk. Impact. Innovations.
Cybersecurity | Risk. Impact. Innovations.Cybersecurity | Risk. Impact. Innovations.
Cybersecurity | Risk. Impact. Innovations.Vertex Holdings
 
2016 trustwave global security report
2016 trustwave global security report2016 trustwave global security report
2016 trustwave global security reportMarco Antonio Agnese
 
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA Regulation
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA RegulationTop 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA Regulation
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA RegulationPECB
 
seqrite-prediction-report-2023.pdf
seqrite-prediction-report-2023.pdfseqrite-prediction-report-2023.pdf
seqrite-prediction-report-2023.pdfsatheesh kumar
 
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs,  PATCH Act, & Wan...Open Source Insight: Artifex Ruling, NY Cybersecurity Regs,  PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...Black Duck by Synopsys
 
Ransomware (1).pdf
Ransomware (1).pdfRansomware (1).pdf
Ransomware (1).pdfHiYeti1
 
The Real Threat of CyberattacksEmmanuel .docx
The Real Threat of CyberattacksEmmanuel .docxThe Real Threat of CyberattacksEmmanuel .docx
The Real Threat of CyberattacksEmmanuel .docxhelen23456789
 

Similar to DataConnectors_Keynote_FINAL.pptx (20)

Symantec Internet Security Threat Report Volume 2015
Symantec Internet Security Threat Report Volume 2015Symantec Internet Security Threat Report Volume 2015
Symantec Internet Security Threat Report Volume 2015
 
2016 Symantec Internet Security Threat Report
2016 Symantec Internet Security Threat Report2016 Symantec Internet Security Threat Report
2016 Symantec Internet Security Threat Report
 
Istr 21-2016-en
Istr 21-2016-enIstr 21-2016-en
Istr 21-2016-en
 
HCA 530, Week 2, Symantec 2016 threat report
HCA 530, Week 2, Symantec 2016 threat reportHCA 530, Week 2, Symantec 2016 threat report
HCA 530, Week 2, Symantec 2016 threat report
 
Cyber attacks in 2021
Cyber attacks in 2021Cyber attacks in 2021
Cyber attacks in 2021
 
Symantec Intelligence Report
Symantec Intelligence ReportSymantec Intelligence Report
Symantec Intelligence Report
 
NAGTRI Journal Article
NAGTRI Journal ArticleNAGTRI Journal Article
NAGTRI Journal Article
 
Global Cyber Attacks report 2018 - 2019 | HaltDos
Global Cyber Attacks report 2018 - 2019 | HaltDosGlobal Cyber Attacks report 2018 - 2019 | HaltDos
Global Cyber Attacks report 2018 - 2019 | HaltDos
 
Tackling the maze ransomware attack with security testing
Tackling the maze ransomware attack with security testingTackling the maze ransomware attack with security testing
Tackling the maze ransomware attack with security testing
 
Sel03129 usen
Sel03129 usenSel03129 usen
Sel03129 usen
 
RIFDHY RM ( Cybersecurity ).pdf
RIFDHY RM ( Cybersecurity ).pdfRIFDHY RM ( Cybersecurity ).pdf
RIFDHY RM ( Cybersecurity ).pdf
 
Cybersecurity | Risk. Impact. Innovations.
Cybersecurity | Risk. Impact. Innovations.Cybersecurity | Risk. Impact. Innovations.
Cybersecurity | Risk. Impact. Innovations.
 
2016 trustwave global security report
2016 trustwave global security report2016 trustwave global security report
2016 trustwave global security report
 
original.pdf
original.pdforiginal.pdf
original.pdf
 
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA Regulation
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA RegulationTop 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA Regulation
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA Regulation
 
seqrite-prediction-report-2023.pdf
seqrite-prediction-report-2023.pdfseqrite-prediction-report-2023.pdf
seqrite-prediction-report-2023.pdf
 
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs,  PATCH Act, & Wan...Open Source Insight: Artifex Ruling, NY Cybersecurity Regs,  PATCH Act, & Wan...
Open Source Insight: Artifex Ruling, NY Cybersecurity Regs, PATCH Act, & Wan...
 
Ransomware (1).pdf
Ransomware (1).pdfRansomware (1).pdf
Ransomware (1).pdf
 
Ransomware-as-a-Service: The business of distributing cyber attacks
Ransomware-as-a-Service: The business of distributing cyber attacksRansomware-as-a-Service: The business of distributing cyber attacks
Ransomware-as-a-Service: The business of distributing cyber attacks
 
The Real Threat of CyberattacksEmmanuel .docx
The Real Threat of CyberattacksEmmanuel .docxThe Real Threat of CyberattacksEmmanuel .docx
The Real Threat of CyberattacksEmmanuel .docx
 

Recently uploaded

OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...NETWAYS
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )Pooja Nehwal
 
SBFT Tool Competition 2024 - CPS-UAV Test Case Generation Track
SBFT Tool Competition 2024 - CPS-UAV Test Case Generation TrackSBFT Tool Competition 2024 - CPS-UAV Test Case Generation Track
SBFT Tool Competition 2024 - CPS-UAV Test Case Generation TrackSebastiano Panichella
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...NETWAYS
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSebastiano Panichella
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfhenrik385807
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...NETWAYS
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Salam Al-Karadaghi
 
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptPhilippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptssuser319dad
 
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)Basil Achie
 
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSimulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSebastiano Panichella
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...henrik385807
 
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝soniya singh
 
Motivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdfMotivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdfakankshagupta7348026
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Krijn Poppe
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝soniya singh
 

Recently uploaded (20)

OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
 
SBFT Tool Competition 2024 - CPS-UAV Test Case Generation Track
SBFT Tool Competition 2024 - CPS-UAV Test Case Generation TrackSBFT Tool Competition 2024 - CPS-UAV Test Case Generation Track
SBFT Tool Competition 2024 - CPS-UAV Test Case Generation Track
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation Track
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
 
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptPhilippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.ppt
 
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
 
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSimulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
 
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
 
Motivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdfMotivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdf
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
 

DataConnectors_Keynote_FINAL.pptx

  • 1. Amy Nicewick April 20, 2021 C I S A | C Y B E R S E C U R I T Y A N D I N F R A S T R U C T U R E S E C U R I T Y A G E N C Y KEYNOTE: REDUCE THE RISK OF RANSOMWARE DATA CONNECTORS | VIRTUAL SUMMIT | CHICAGO APRIL 20, 2021 Amy Nicewick Section Chief CISA Cybersecurity Division
  • 2. Amy Nicewick April 20, 2021 39 Minutes 2
  • 3. Amy Nicewick April 20, 2021 Signs of Trouble 3
  • 4. Amy Nicewick April 20, 2021 Production Stopped, Frustration Mounts 4
  • 5. Amy Nicewick April 20, 2021 To Pay or Not to Pay 5
  • 6. Amy Nicewick April 20, 2021 Employees Frustrated, Customers Angry 6
  • 7. Amy Nicewick April 20, 2021 Spreading to Affiliates, Partners 7
  • 8. Amy Nicewick April 20, 2021 Local Story Goes National 8 ACME ‘’HISTORIC’’ RANSOMWARE ATTACK
  • 9. Amy Nicewick April 20, 2021 …Six Months Later 9
  • 10. Amy Nicewick April 20, 2021 Ransomware Overview
  • 11. Beyond the Headlines: What is Ransomware? Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.
  • 12. Methods of Infection. The following are examples of vectors of infection for ransomware attacks:
    - Phishing
    - Compromised Websites
    - Malvertising
    - Exploit Kits
    - Drive-by Downloads
    - Mobile Devices
    - Brute Force via RDP
  • 13. Infects…Encrypts…Extorts
    - Ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services.
    - Malicious actors have adjusted their ransomware tactics over time to include pressuring victims for payment by threatening to release stolen data if they refuse to pay, and publicly naming and shaming victims as secondary forms of extortion.
    - The monetary value of ransom demands has also increased, with some demands exceeding US $1 million.
    - Ransomware incidents have become more destructive and impactful in nature and scope.
  • 14. The Usual Suspects (Source: CrowdStrike 2021 Global Threat Report)
    - Actors: REvil, Wizard Spider, Maze, Egregor, NetWalker, Ragnar Locker, DoppelPaymer, Nephilim, Project Root, SMAUG
    - Common Variants: Cerber, Locky, CryLocker, CryptoLocker, Jigsaw
    - Nation-States: Russia, North Korea, China, Iran
  • 15. Trend: Ransomware-as-a-Service (RaaS) Model
    - Ransomware families sell RaaS to other cybercriminals.
    - As popularity increases, barriers to entry drop and the business becomes scalable and more efficient.
    - Enables relatively unskilled bad actors to access complex tools and the environment from which to run their campaigns.
    - The "commoditization" of the ransomware threat: entrepreneurial operators, including NetWalker, Nefilim, and Sodinokibi/REvil, all provide access to partners in pre-agreed profit-sharing arrangements.
    - Increased investment in many of the platforms themselves, upgrading their core ransomware systems to stay ahead of the good guys and evade detection.
  • 16. Trend: Double Extortion
    - Weaponized: one part ransomware, one part data breach.
    - Old paradigm: the victim's data is encrypted and the actor locks the victim out of their own files. If the victim refused to pay the ransom, the actor destroyed their files.
    - New paradigm: the attacker exfiltrates data (e.g., large quantities of sensitive commercial information) before encrypting it. The attacker threatens to publish unless the ransom is paid, and often releases small portions of the data online. If negotiation goes badly, the attacker publishes all of the data and/or sells it to a third party, putting added pressure on enterprises to meet the hackers' demands.
  • 17. Trend: COVID-19 Exploitation
    - Cyber criminals are exploiting the COVID-19 outbreak for their own personal gain with a range of ransomware attacks.
    - Scams include emails containing malware that appear to be sent from the Director-General of the World Health Organization (WHO), and others which claim to offer vaccines and face masks to fight the pandemic.
    - Exploiting vulnerabilities in software and remote working tools as more people work from home during the pandemic.
    - Ransomware targeting the Healthcare sector, including hospitals and clinics (Ryuk, Babuk Locker).
  • 18. Trend: Big Game Hunting (BGH) (Source: CrowdStrike 2021 Global Threat Report)
    - Ransomware campaigns aimed at high-value targets.
    - Generated demand in the market for network access brokers (typically working with affiliates of RaaS groups) in 2020.
    - BGH targeting the Healthcare Sector, increasingly with double extortion demands.
    - Introduction of dedicated leak sites (DLSs) associated with specific ransomware families.
  • 19. Ransomware & Critical Infrastructure
  • 20. Critical Infrastructure Focused
  • 21. The Threat to Critical Infrastructure
  • 22. Ransomware Attacks on CI on the Rise. Attacks on Critical Infrastructure have Risen Dramatically in the Last Two Years. Top 5 Most Targeted Critical Infrastructure Sectors (November 2013 – March 2021, according to data from the Temple University "Critical Infrastructure Ransomware Incident Dataset"):
    Critical Infrastructure Sector        Frequency
    Government Facilities                 241
    Healthcare and Public Health          157
    Education Facilities Subsector        135
    Information Technology                 74
    Critical Manufacturing                 68
  • 23. Why Target CI? Follow the Money. "Cybercriminals are becoming more savvy. They know who has money. The folks who operate inside those critical infrastructure sectors are no longer immune." – Brandon Wales, CISA Acting Director. According to a recent Palo Alto Networks study:
    - The average ransom paid by organizations increased from $115,123 in 2019 to $312,493 in 2020, a 171% year-over-year increase.
    - The highest ransom paid by an organization doubled from 2019 to 2020, from $5 million to $10 million.
    - From 2015 to 2019, the highest ransomware demand was $15 million. In 2020, the highest ransomware demand was $30 million.
  • 24. Chicago's Key Industries are Targets. Top Ransomware Threats to Chicago Industry Sectors. Chicago's most important industry sectors are also the key targets of ransomware attacks:
    - Manufacturing
    - Business and Professional Services
    - Food Industry
    - Transportation and Distribution
    - Healthcare and Life Sciences
    - Information Technology
    IL government and education entities have also been targeted in serious ransomware attacks, including Cook County (Chicago) and others, since 2017.
  • 25. CISA and the Ransomware Campaign
  • 26. Cybersecurity and Infrastructure Security Agency (CISA)
  • 27. Ransomware Campaign Overview
  • 28. Ransomware Campaign Key Messages
  • 29. CISA Ransomware Resources: CISA.gov/ransomware
    - Ransomware Guide
    - CISA INSIGHTS: Ransomware Outbreak
    - Toolkit, fact sheet, and images
    - Alerts and Statements: US-CERT activity alerts on ransomware threats; joint statements on ransomware with our partners
    - Guides and Services: Cyber Hygiene Services; TTX Exercises
    - Factsheets and Infographics: Protect Your Center From Ransomware poster; Ransomware: What It Is and What To Do About It
    - Training and Webinars: webinars and presentations; CDM Training; Incident Response Training Series
  • 30. Ransomware Campaign Toolkit. CISA's Ransomware Campaign Toolkit is on our ransomware webpage. Download and support the campaign.
  • 31. Ransomware Guide. Joint CISA and MS-ISAC Ransomware Guide. The Ransomware Guide includes recommendations, best practices, recommended incident response policies and procedures, cyber hygiene services, and several checklists that organizations can use to help protect against or respond to ransomware attacks.
  • 32. Ransomware Guide Contents
    - Ransomware Infection Vectors: Internet-Facing Vulnerabilities and Misconfigurations; Phishing; Precursor Malware Infection; Third-Parties and MSPs
    - General Best Practices and Hardening Guidance
    - Ransomware Response Checklist
  • 33. Ransomware Guide: Select Best Practices
    - Regularly maintain offline, encrypted backups of data and regularly test your backups.
    - Create, maintain, and exercise a basic cyber incident response plan and associated communications plan.
    - Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface. CISA offers a no-cost Vulnerability Scanning service and other no-cost assessments: cisa.gov/cyber-resource-hub.
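The first best practice on slide 33 (maintain offline, encrypted backups and test them regularly) is easy to state and easy to skip, and a backup that was quietly altered before it was taken offline is only discovered when a restore is attempted during an incident. The script below is an added example and is not part of the CISA presentation or the Ransomware Guide: it records a SHA-256 manifest of the data at backup time and checks a restored copy against that manifest, so a restore test fails loudly when files are missing, modified, or unexpected. The directory layout, file contents, and the ransom-note file name in the demo are constructed for illustration.

```python
"""Restore-test helper: verify a restored backup against a hash manifest.

Added example, not CISA's or MS-ISAC's code. Assumes the manifest was
produced from the live data at backup time and stored with the offline
backup; the restored tree is then compared against it.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file path (relative to root, POSIX style) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree with the manifest; return what differs and an ok flag."""
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))      # files the restore lost
    extra = sorted(set(current) - set(manifest))        # files that were never backed up
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {
        "missing": missing,
        "extra": extra,
        "modified": modified,
        "ok": not (missing or extra or modified),
    }


def demo():
    """Constructed scenario: a clean restore passes, a tampered restore fails."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")   # constructed data
        (src / "readme.txt").write_text("constructed sample data\n")
        manifest = build_manifest(src)  # taken at backup time, kept with the offline copy

        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)
        good_result = verify_restore(good, manifest)

        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        # Simulate a backup that ransomware reached before it went offline:
        # contents replaced, a note dropped, one file gone.
        (bad / "finance" / "ledger.csv").write_bytes(b"\x00encrypted\x00")
        (bad / "README_TO_RESTORE.txt").write_text("constructed ransom note\n")  # constructed name
        (bad / "readme.txt").unlink()
        bad_result = verify_restore(bad, manifest)
        return good_result, bad_result


if __name__ == "__main__":
    good, bad = demo()
    print("clean restore ok:", good["ok"])
    print("tampered restore:", bad)
```

The manifest must live with the offline, encrypted backup rather than on the file server it describes; otherwise the same intrusion that encrypts the data can rewrite the manifest to match.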
  • 34. Ransomware Guide: Select Best Practices (continued)
    - Implement a cybersecurity user awareness and training program that includes guidance on identifying and reporting suspicious activity (e.g., phishing) or incidents. Conduct organization-wide phishing tests to gauge user awareness.
    - Ensure antivirus and anti-malware software and signatures are up to date. Additionally, turn on automatic updates for both solutions.
    - Consider the risk management and cyber hygiene practices of third parties or managed service providers (MSPs) your organization relies on.
    - Retain secure logs from both network devices and local hosts. This supports triage and remediation of cybersecurity events. Logs can be analyzed to determine the impact of events and ascertain whether an incident has occurred.
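Slide 12 lists brute force via RDP as an infection vector, and slide 34 says retained logs can be analyzed to ascertain whether an incident has occurred. The script below ties the two together as an added example that is not from the CISA presentation: it runs a sliding-window detector over Windows Security events, where Event ID 4625 is a failed logon, 4624 a successful logon, and LogonType 10 a RemoteInteractive (RDP) session. The log lines are constructed in a simplified key=value export format so the example runs offline; the 5-failures-in-60-seconds threshold and the IP addresses (documentation ranges) are assumptions.

```python
"""RDP password-guessing detector over exported Windows Security events.

Added example, not CISA code. Real exports (EVTX, CSV, SIEM) need their
own parser; only the key=value layout below is assumed here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: one event per line.
SAMPLE_LOG = """\
2021-04-20T08:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2021-04-20T08:00:02 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2021-04-20T08:00:03 EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=203.0.113.7
2021-04-20T08:00:03 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2021-04-20T08:00:04 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2021-04-20T08:00:05 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2021-04-20T08:00:06 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2021-04-20T08:00:09 EventID=4624 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2021-04-20T08:05:00 EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.20
2021-04-20T08:05:30 EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.20
2021-04-20T08:05:40 EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

FAIL_THRESHOLD = 5              # assumed: RDP failures per window that raise an alert
WINDOW = timedelta(seconds=60)  # assumed sliding window


def parse_line(line):
    """Parse one constructed export line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "eid": int(m["eid"]),
        "lt": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (source_ip, kind, detail) tuples, in the order they fire."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent RDP failures
    users_tried = defaultdict(set)  # source IP -> accounts attempted
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["lt"] != 10:
            continue  # only RemoteInteractive (RDP) logons are in scope here
        ip = ev["ip"]
        if ev["eid"] == 4625:
            q = failures[ip]
            q.append(ev["ts"])
            users_tried[ip].add(ev["user"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop failures older than the window
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append((ip, "bruteforce",
                               f"{len(q)} RDP failures in {window.seconds}s "
                               f"across {len(users_tried[ip])} accounts"))
        elif ev["eid"] == 4624 and ip in alerted:
            # A success from a source already flagged is the event responders care about most.
            alerts.append((ip, "success_after_bruteforce",
                           f"RDP logon succeeded as {ev['user']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The two typos from 198.51.100.20 stay below the threshold and produce nothing, while 203.0.113.7 is flagged on its fifth failure and again when a logon from it succeeds. The same structure works for other exposed services once the event IDs and logon types are swapped for that service's equivalents.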
  • 35. Ransomware Response Checklist
    Detection and Analysis:
    - Determine the systems impacted; immediately isolate and triage impacted systems for restoration/recovery.
    - Engage internal/external stakeholders to help mitigate, respond to, and recover from the incident.
    Containment and Eradication:
    - Investigate: take a system image and memory capture of a sample of affected devices.
    - Research trusted guidance for the ransomware variant and examine IDS/IPS and logs.
    - Conduct extended analysis to identify persistence mechanisms.
    - Rebuild systems based on a prioritization of critical services.
    - The IT security authority declares the incident over.
  • 36. Ransomware Response Checklist (continued)
    Recovery and Post-Incident Activity:
    - Reconnect systems and restore data from offline, encrypted backups based on the critical services prioritization.
    - Document lessons learned from the incident.
    - Consider sharing lessons learned and relevant indicators of compromise (IOCs) with CISA and your sector ISAC/ISAO.
  • 37. Executive Decision-Making Considerations. CISA encourages organizations to develop a Ransomware Playbook that provides the practices for response and illustrates critical points for executive leadership involvement, including deciding whether to pay a ransom. When deciding whether to pay a ransom, executives will have many considerations, including:
    - Advice from the FBI.
    - Recommendations from in-house Legal Counsel, the Board, etc.
    - The impact of maintaining manual operations without interrupting business services.
    - The impact to partner systems and operations.
    - Do we have Cyber Insurance?
    - Reputational/brand risk exposure of paying the ransom.
    - Financial risk of paying or not paying the ransom.
    It is important to note that even if the ransom is paid, many impacted organizations have still had to pay recovery expenses in addition to the ransom payment.
  • 38. Consideration: Zero Trust Strategy Model
    Old Model, New Mindset:
    - Requires real-time authentication tests of users.
    - Automatically blocks suspicious activities.
    - Prevents adversaries from the privilege escalation demonstrated in the SolarWinds incident.
    SolarWinds Example:
    - Victim organizations emphasized network perimeter security and lacked internal detection methods for intruders already present in the network.
    - Decades-old reliance on detectors deployed at the network perimeter, fed by intel on known threats/actors.
    - A balance between internal and external detection methods is needed for effective implementation.
    Zero Trust Guiding Principles:
    - Never trust, always verify, and explicitly authorize to the least privilege required.
    - Assume breach; assume the adversary is already present in the environment.
    - Deny by default and heavily scrutinize all users, data flows, and requests.
    - Explicitly verify all access to resources using multiple attributes (dynamic and static).
  • 39. Wrap Up
  • 40. Stay Connected with CISA. Log on to us-cert.cisa.gov/mailing-lists-and-feeds to sign up for alerts. CISA offers updates on the subscription topics below (10 GovDelivery/NCAS topics available): Current Activities, Alerts, Analysis Reports, Tips, Bulletins, ICS Advisories, ICS Medical Advisories, ICS Announcements, ICS Alerts, Community Bulletin.
  • 41. Stay Connected with CISA
  • 42. If Attacked. Victims of ransomware should report it immediately to: CISA at www.us-cert.gov/report; the local FBI Field Office; or the Secret Service Field Office.
  • 43. For more information: cisa.gov/ransomware. Contact: Amy.Nicewick@CISA.dhs.gov