Exhibitor session: Fortinet
•Download as PPTX, PDF•
1 like•2,236 views
Chair: Ewan Quibell, management systems and service leader, Jisc. 16:55-17:35 - Ransomware briefing Speaker: Adrian Louth, Fortinet. Ransomware became headline news in 2016 and looks to remain as the top security concern for all organisations in all sectors. Starting with a review of 2016 we’ll discuss the motives and behaviour of the cyber criminals behind this growing threat and try and get into their mindset. We’ll look at what strategies can limit the impact of this threat including whether to pay is ever right. We will introduce a real life example and how Fortinet’s Security Fabric has effectively stopped the threat and we will look at what’s next in ransomware. The goal of this session is to be interesting and informative and to build insight for the audience to prioritise and take effective actions to minimise the risk and exposure this threat causes.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Exhibitor session: Fortinet
Similar to Exhibitor session: Fortinet (20)
More from Jisc
More from Jisc (20)
Recently uploaded
Recently uploaded (20)
Exhibitor session: Fortinet
- 1. Fortinet
- 2. © Copyright Fortinet Inc. All rights reserved. Adrian Louth
- 3. © Copyright Fortinet Inc. All rights reserved. 2016 Ransomware Review
- 4. 4 61% 39% Exploit Kits Exploit Kits Related to Ransomware Other Exploit Kits 67% 33% Data Loss Experienced Data Loss No Data Loss 93% 7% Email Phishing related to Ransomware Other Phishing 42% 58% Businesses Affected Affected in last year Unaffected last year x3 increase in attacks against Businesses
- 6. © Copyright Fortinet Inc. All rights reserved. Why Ransomware?
- 7. 7 Business Case – Research from Jamison Utter Ransomware With 90 Days Support cost $3,000 » Guaranteed 10% infection rate Expect 0.5% pay out SEO and Traffic Acquisition campaign $3,000 » Guaranteed traffic rates 20,000 clicks a day. Ransom one Bitcoin approx. $300 at the time.
- 8. 8 The Maths 20,000 visitors x 10% Infection Rate = 2,000 Infections per day 2,000 x 0.5% pay-outs = 10 pay-outs per day 10 pay-outs x $300 x 90 days = $270,000
- 10. 10 Stages of RansomwareExploitationand Infection Phishing and Human errors are the primary mechanism to exploit a system. Deliveryand Execution Once the initial exploit has been used the ransomware executable is delivered and persistence is established BackupCorruption Backup systems and files are targeted, notably shadow copies, etc. to ensure the disruption is maximised FileEncryption Ransomware will perform a secure key exchange with it’s Command and Control Server and use the keys to perform the encryption RansomDemand The user is notified of the ransom demand which often increase after a period of time. 15 Minutes
- 11. © Copyright Fortinet Inc. All rights reserved. Pay or Not Pay?
- 12. 12 Pay The Piper? %X $ Cost of recovering data or system? Either way you should rebuild the system and identify the infection path or you will be hit again. Cost of Ransom and Likelihood of being given the keys to restore.
- 13. 13 Some Campaigns are known to not give out recovery keys. Others have helpdesk numbers and are willing to discount. About 20% of people who pay don’t get their files back. When you’ve paid you may be targeted again. Pay the Piper?
- 14. © Copyright Fortinet Inc. All rights reserved. Turn Off and Go Home?
- 15. 15 What can we do? Backup Patch Manage Privilege and Control Access, Disable Macros Educate Staff
- 16. 16 What can we do? Get Bitcoins Know where to find Decryptors Have a plan and exercise it
- 17. © Copyright Fortinet Inc. All rights reserved. Real Business Example
- 18. 18 Real World Example • Attacks 2-3 times a week • Approximately 7-10 infections per week • Targeting Senior Executives (Whaling) • Each Instance of Ransomware Costing Approximately £1,000 • £1,000 x 7 x 52 = £364,000 pa
- 19. 19 How does Fortinet help? Source: Verizon 2016 Data Breach Investigations Report, April 2016 Code Continuum Known Good Probably Good Might be Good Completely Unknown Somewhat Suspicious Very Suspicious Known Bad Security Technologies Whitelists Reputation: File, IP, App, Email App Signatures, Digitally singed files Sandboxing Heuristics Reputation: File, IP, App, Email Generic Signatures Blacklists Signatures 99.5%* Of Malware samples are Unique to an Organization
- 20. 20 Fortinet Co-ordinated Security Fabric Known threats on web/messaging traffic blocked on the NGFW, Secure Email Gateway and the End Point Unknown URLs and Files submission to FortiSandbox FortiSandbox to deliver URL and AV DB updates for malicious or suspicious detection. Mail Server FortiGateNGFW Internet FortiSandbox FortiClient FortiMail
- 21. © Copyright Fortinet Inc. All rights reserved. Future for Ransomware
- 23. 23 Hackers Breached the Hotel’s door systems and caused the room doors to lock. The Hotel ended up having to pay about $1,800 in Bitcoins to regain control of the system. “We were at maximum capacity with 180 guests and decided that it was better to give in” Managing Director, Christoph Brandstaetter
- 25. Thank you
Editor's Notes
- Hello Everybody thanks for joining us this morning. We still have a number of people coming in so we’ll give them a minute or two. Hello again, I think most of us are on now so let’s get started. My name is Adrian Louth and I work in the Enhanced Technology Team here at Fortinet. Today I’m going to cover what is a really hot topic in Cyber Security and that is Ransomware. I hope you all get something useful and interesting from this session and I want to thank you for making time to join me this morning. Just so you know I am recording the session and we’ll be able to share this on-line after the session. Any questions you have please feel to type them in the chat box and I will collect them together and will send a Q&A email next week of anything that wasn’t answered during the webinar. Let’s start at the beginning by talking a little about what Ransomware is.
- While Ransomware-as-a-Service is not a new trend, in 2016 this propagation model continued to develop, with ever more ransomware creators offering their malicious product ‘on demand’. This approach has proved immensely appealing to criminals who lack the skills, resources or inclination to develop their own. Ransomware is increasingly for hire on the criminal underground Notable examples of ransomware that appeared in 2016 and use this model are Petya/Mischa and Shark ransomware, which was later rebranded under the name Atom. The partner often signs up to a traditional commission-based arrangement. For example, the “payment table” for Petya ransomware shows that if a partner makes 125 Bitcoins a week thy will walk away with 106.25 Bitcoins after commission. There is also an initial usage fee. Someone looking to use the Stompado ransomware, for example, needs to come up with just $39. With other criminals offering their services in spam distribution, ransomware notes etc. it’s not difficult for an aspiring attacker to get started.
- Around 3,500 keys where released for Chimera Ransomware last year. By Janus Secrtetary. Here’s a nerdy bit… Janus Syndicate is the criminal organization in GoldenEye and the picture used on the Janus Secretary Twitter account is Boris Ivanovitch Grishenko. He was a Russian computer technician at the GoldenEye control center in Severnaya, Siberia. Anyway, enough of Janus. For the moment. Wildfire servers were seized in 2016 and decryption keys are now available, however the group seem to have reemerged as Hades. The Group behind TeslaCrypt seemed to have a crisis of conscience and released the master key.
- This is research from Jamison Utter while he was at InfoBlox, and Jamison wanted to find out about the process of setting up a ransomware campaign. Jamison is a super smart guy but wanted to do this using no specialist or coding skills. He went to the Dark Web and found someone who would supply him with all he needed run a ransomware campaign, code, payload etc. the supplier even gave guaranteed infection rates and 90 days of support for $3,000 Dollars. Click They quoted a guaranteed 10% Infection Rate Click They quoted a half a percent pay out. Click Next Jamison needed to drive traffic to his new campaign, just like most of us in business need to do and so he engaged someone, again on the Dark Web to do Search Engine Optimisation and Traffic Acquisition for him. Again this came with Guarantees. Click This time “of clicks per day”. Click Jamison was in principle going to ask for 1 Bitcoin which at the time was around $300 Dollars. Now I just want to point out Jamison never ran the campaign but here we have all the components for him to do so if his motives were different. So Let’s look at the Maths. Click
- The Maths Click 20,000 visitors with a guaranteed Infection Rate of 10% Is 2,000 Infections per Day Click With a half a percent pay out makes 10 pay outs per Day Click 10 pay-outs of $300 for 90 days is Click = $270,000 Now that’s a pretty compelling ROI. And this isn’t a Dragons Den pitch trying to get you all to invest. We can see why it’s become the cyber criminal’s favourite technique for making money. With this in mind let’s look at some of the campaigns we’re seeing in the wild. Click
- While Ransomware-as-a-Service is not a new trend, in 2016 this propagation model continued to develop, with ever more ransomware creators offering their malicious product ‘on demand’. This approach has proved immensely appealing to criminals who lack the skills, resources or inclination to develop their own. Ransomware is increasingly for hire on the criminal underground This is a screengrab of Petya Ransomware Onion site. Petya recently has been bundling Mischa Ransomware and is also behind the Goldeneye Ransomware. If you look in the top left you can see our this Ransomware As A Service is run by our friends Janus. The partner often signs up to a traditional commission-based arrangement. For example, the “payment table” for Petya ransomware shows that if a partner makes 125 Bitcoins a week thy will walk away with 106.25 Bitcoins after commission. There is also an initial usage fee. Someone looking to use the Stompado ransomware, for example, needs to come up with just $39. With other criminals offering their services in spam distribution, ransomware notes etc. it’s not difficult for an aspiring attacker to get started.
- What to do? I can’t give you magic bullet advice but I can share with you some key tactics and probably reiterate things you know you should be doing and hopefully you are doing. Click First one, and this is the big one. Backup, and I mean off-line backups, and Verify your backups. I see some smaller organisations replicating and not backing up and when they get hit by Ransomware the encryption gets replicated too meaning they’re dead in the water. Click Keep all your computers and devices Patched and up to date. Click Don’t forget non-Windows machines. We’ve seen a Linux based campaign and we’re also seeing Mac’s becoming targets as often they are favoured by execs in organisations and logically may have access to more critical data, as well as being more willing to pay. Click Manage the use of privileged accounts such as local admin on your laptops, configure access controls so people can only access what they need to access, Disable macro scripts. I’d also consider whether your organisation should be running Adobe Flash as it’s heavily targeted. Click Educate your staff, especially those who want local admin rights, make sure your staff are aware of phishing attacks and what they should and shouldn’t do. Also what should they do in the worst case scenario. Click
- Click Have a plan for when it happens, what should happen in what order, first thing look for decryptors, restore from backups, how do you handle remote staff, etc. plan it and exercise the plan. Click One Company I spoke with found out how to get BitCoins and workout what that process would be, who has authority, who signs what, etc. their Plan A was not to pay but they were smart enough to at least prepare a Plan B. Click And finally make sure you’re aware of all the decryptors out there, they can be found on lots of different security research sites, I’ve seen Trend Micro, Kaspersky Labs, and a few others all with numerous decryptors. And also check out nomoreransom.org which has helped around 2,500 people get their files unencrypted worth an estimated €1.35 million Euros in ransoms. Do this in conjunction with having good technology to help in this fight and you’ll be in a pretty good position. But ideally we want to avoid ever needing to use a plan or rely on decryptors or backups. Click
- Real World Example But to stop ransomware infections in the real world let’s look at a real world example. Early this year we spoke to a large organisation who were being hit with a lot of Ransomware and this their analysis of the impact it was having on their business. This became their business case. Click They were seeing 2-3 attacks every week Click Which caused between 7 and 10 infections per week Click The attacks were targeting senior execs, as we mentioned earlier there’s good reason to do this. Click They worked out each instance of ransomware cost them around £1,000. I was surprised this figure wasn’t higher but they went through the costs of lost productivity, IT time for getting everything back up and running, everything. This puts the annual cost at £364,000 pounds a year. This kicked off a project to stop ransomware in the organisation. Click
- How does Fortinet help We’re all good at dealing with what we know is good and what we know is bad. But with the Verizon DBIR Report showing that 99.5% of malware is unique to that organisation we need a way of better analysing that unknown code. Click This is where dynamic analysis of run-time activity better known as Sandboxing comes in to its own. Click
- Let’s look at how the Fortinet Fabric helps solve this problem.
- At an average room rate of 200 Euros per person and double occupancy we can see that $10 per room is extremely good value to be released from this problem. The Reason I’ve included this in futures is as I’ve alluded to in this session. Criminals will be targeting your business processes as this causes the most disruption and the higher the disruption the higher the likelihood of someone paying.