Chair: Ewan Quibell, management systems and service leader, Jisc.
16:55-17:35 - Ransomware briefing
Speaker: Adrian Louth, Fortinet.
Ransomware became headline news in 2016 and looks set to remain the top security concern for organisations in every sector. Starting with a review of 2016, we'll discuss the motives and behaviour of the cyber criminals behind this growing threat and try to get into their mindset.
We'll look at which strategies can limit the impact of this threat, including whether paying is ever the right choice. We will introduce a real-life example of how Fortinet's Security Fabric has effectively stopped the threat, and we will look at what's next in ransomware.
The goal of this session is to be interesting and informative, and to give the audience the insight to prioritise and take effective actions that minimise the risk and exposure this threat causes.
Slide 4
Exploit kits: 61% related to ransomware, 39% other exploit kits
Data loss: 67% experienced data loss, 33% no data loss
Email: 93% of phishing related to ransomware, 7% other phishing
Businesses affected: 42% affected in the last year, 58% unaffected in the last year
x3 increase in attacks against businesses
Slide 7: Business Case – research from Jamison Utter
Ransomware with 90 days' support: cost $3,000
» Guaranteed 10% infection rate
» Expect 0.5% pay-out
SEO and traffic acquisition campaign: $3,000
» Guaranteed traffic rate of 20,000 clicks a day
Ransom: one Bitcoin, approx. $300 at the time
Slide 8: The Maths
20,000 visitors x 10% infection rate = 2,000 infections per day
2,000 x 0.5% pay-outs = 10 pay-outs per day
10 pay-outs x $300 x 90 days = $270,000
Slide 10: Stages of Ransomware
Exploitation and Infection: Phishing and human errors are the primary mechanism to exploit a system.
Delivery and Execution: Once the initial exploit has been used, the ransomware executable is delivered and persistence is established.
Backup Corruption: Backup systems and files are targeted, notably shadow copies, etc., to ensure the disruption is maximised.
File Encryption: Ransomware will perform a secure key exchange with its Command and Control server and use the keys to perform the encryption.
Ransom Demand: The user is notified of the ransom demand, which often increases after a period of time.
15 Minutes
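As an added example (not from the slides or from Fortinet), the backup-corruption stage above is one of the few points in the chain where a defender gets a high-signal event: a process-creation audit trail showing shadow copies being deleted or recovery being disabled. The function below scans constructed process-creation log lines for those well-known indicators; the log line format, host and user names, and sample lines are all assumptions.

```python
import re
from typing import List, Dict

# Command-line indicators commonly associated with the backup-corruption stage
# (shadow copies, Windows backup catalog, boot recovery settings). Constructed
# for this example; tune the list to your own environment's telemetry.
BACKUP_TAMPER_PATTERNS = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow_copy_resize": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadow_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
}

# Assumed shape of one log line: "<timestamp> host=<name> user=<name> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def scan_process_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per log line whose command line matches a backup-tamper indicator."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        for name, pattern in BACKUP_TAMPER_PATTERNS.items():
            if pattern.search(m["cmd"]):
                alerts.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                               "indicator": name, "cmd": m["cmd"]})
                break  # one alert per line is enough
    return alerts


# Constructed sample log lines (not real telemetry); the last two are benign.
SAMPLE_LOG = [
    "2017-03-01T09:12:03Z host=WS-FIN-07 user=jsmith cmd=vssadmin.exe Delete Shadows /All /Quiet",
    "2017-03-01T09:12:04Z host=WS-FIN-07 user=jsmith cmd=wmic shadowcopy delete",
    "2017-03-01T09:12:05Z host=WS-FIN-07 user=jsmith cmd=bcdedit /set {default} recoveryenabled No",
    "2017-03-01T09:15:00Z host=WS-HR-02 user=akhan cmd=vssadmin list shadows",
    "2017-03-01T09:16:00Z host=WS-HR-02 user=akhan cmd=notepad.exe C:\\Users\\akhan\\notes.txt",
]

if __name__ == "__main__":
    for a in scan_process_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['host']} {a['user']} {a['indicator']}: {a['cmd']}")
```

Three of these indicators firing on one host within seconds, as in the sample, is the moment to isolate that machine before the encryption stage starts; the listing of shadow copies on the second host is left unflagged as routine administration.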
Slide 12: Pay the Piper?
Cost of recovering data or system? Either way you should rebuild the system and identify the infection path, or you will be hit again.
Cost of ransom and likelihood of being given the keys to restore.
Slide 13: Pay the Piper?
Some campaigns are known to not give out recovery keys.
Others have helpdesk numbers and are willing to discount.
About 20% of people who pay don't get their files back.
When you've paid you may be targeted again.
Slide 18: Real World Example
• Attacks 2-3 times a week
• Approximately 7-10 infections per week
• Targeting senior executives (whaling)
• Each instance of ransomware costing approximately £1,000
• £1,000 x 7 x 52 = £364,000 pa
Slide 19: How does Fortinet help?
Source: Verizon 2016 Data Breach Investigations Report, April 2016
Code continuum, and the security technologies that cover each band:
Known Good – Whitelists
Probably Good – Reputation: file, IP, app, email
Might be Good – App signatures, digitally signed files
Completely Unknown – Sandboxing, heuristics
Somewhat Suspicious – Reputation: file, IP, app, email
Very Suspicious – Generic signatures
Known Bad – Blacklists, signatures
99.5%* of malware samples are unique to an organization
Slide 20: Fortinet Co-ordinated Security Fabric
Known threats on web/messaging traffic are blocked on the NGFW, Secure Email Gateway and the endpoint.
Unknown URLs and files are submitted to FortiSandbox.
FortiSandbox delivers URL and AV DB updates for malicious or suspicious detections.
Components: Mail Server, FortiGate NGFW, Internet, FortiSandbox, FortiClient, FortiMail
Slide 23
Hackers breached the hotel's door systems and caused the room doors to lock.
The hotel ended up having to pay about $1,800 in Bitcoins to regain control of the system.
"We were at maximum capacity with 180 guests and decided that it was better to give in" – Managing Director, Christoph Brandstaetter
Hello everybody, thanks for joining us this morning. We still have a number of people coming in, so we'll give them a minute or two.
Hello again. I think most of us are on now, so let's get started.
My name is Adrian Louth and I work in the Enhanced Technology Team here at Fortinet. Today I'm going to cover what is a really hot topic in cyber security, and that is ransomware. I hope you all get something useful and interesting from this session, and I want to thank you for making time to join me this morning.
Just so you know, I am recording the session and we'll be able to share this online afterwards. Any questions you have, please feel free to type them in the chat box; I will collect them together and send a Q&A email next week covering anything that wasn't answered during the webinar.
Let’s start at the beginning by talking a little about what Ransomware is.
While Ransomware-as-a-Service is not a new trend, in 2016 this propagation model continued to develop, with ever more ransomware creators offering their malicious product ‘on demand’. This approach has proved immensely appealing to criminals who lack the skills, resources or inclination to develop their own.
Ransomware is increasingly for hire on the criminal underground
Notable examples of ransomware that appeared in 2016 and use this model are Petya/Mischa and Shark ransomware, which was later rebranded under the name Atom.
The partner often signs up to a traditional commission-based arrangement. For example, the "payment table" for Petya ransomware shows that if a partner makes 125 Bitcoins a week they will walk away with 106.25 Bitcoins after commission.
There is also an initial usage fee. Someone looking to use the Stompado ransomware, for example, needs to come up with just $39.
With other criminals offering their services in spam distribution, ransomware notes etc. it’s not difficult for an aspiring attacker to get started.
Around 3,500 keys were released for Chimera ransomware last year, by Janus Secretary.
Here’s a nerdy bit…
Janus Syndicate is the criminal organization in GoldenEye and the picture used on the Janus Secretary Twitter account is Boris Ivanovitch Grishenko. He was a Russian computer technician at the GoldenEye control center in Severnaya, Siberia.
Anyway, enough of Janus. For the moment.
Wildfire servers were seized in 2016 and decryption keys are now available; however, the group seems to have re-emerged as Hades.
The Group behind TeslaCrypt seemed to have a crisis of conscience and released the master key.
This is research from Jamison Utter while he was at InfoBlox, and Jamison wanted to find out about the process of setting up a ransomware campaign. Jamison is a super smart guy but wanted to do this using no specialist or coding skills.
He went to the Dark Web and found someone who would supply him with all he needed to run a ransomware campaign: code, payload etc. The supplier even gave guaranteed infection rates and 90 days of support for $3,000.
They quoted a guaranteed 10% infection rate.
They quoted a half a percent pay-out.
Next Jamison needed to drive traffic to his new campaign, just like most of us in business need to do, and so he engaged someone, again on the Dark Web, to do search engine optimisation and traffic acquisition for him. Again this came with guarantees.
This time 20,000 clicks per day.
Jamison was in principle going to ask for 1 Bitcoin, which at the time was around $300.
Now I just want to point out that Jamison never ran the campaign, but here we have all the components for him to do so if his motives were different.
So let's look at the maths.
The Maths
20,000 visitors with a guaranteed infection rate of 10% is 2,000 infections per day.
With a half a percent pay-out that makes 10 pay-outs per day.
10 pay-outs of $300 for 90 days is $270,000.
Now that's a pretty compelling ROI.
And this isn't a Dragons' Den pitch trying to get you all to invest.
We can see why it's become the cyber criminal's favourite technique for making money.
With this in mind let's look at some of the campaigns we're seeing in the wild.
This is a screengrab of the Petya ransomware Onion site. Petya has recently been bundling Mischa ransomware and is also behind the Goldeneye ransomware. If you look in the top left you can see that this Ransomware-as-a-Service is run by our friends Janus.
What to do?
I can’t give you magic bullet advice but I can share with you some key tactics and probably reiterate things you know you should be doing and hopefully you are doing.
First one, and this is the big one: backup, and I mean off-line backups, and verify your backups. I see some smaller organisations replicating and not backing up, and when they get hit by ransomware the encryption gets replicated too, meaning they're dead in the water.
Keep all your computers and devices patched and up to date.
Don't forget non-Windows machines. We've seen a Linux-based campaign and we're also seeing Macs becoming targets, as often they are favoured by execs in organisations and logically may have access to more critical data, as well as being more willing to pay.
Manage the use of privileged accounts such as local admin on your laptops, configure access controls so people can only access what they need to access, and disable macro scripts. I'd also consider whether your organisation should be running Adobe Flash, as it's heavily targeted.
Educate your staff, especially those who want local admin rights; make sure your staff are aware of phishing attacks and what they should and shouldn't do, and also what they should do in the worst-case scenario.
Have a plan for when it happens: what should happen in what order, first thing look for decryptors, restore from backups, how do you handle remote staff, etc. Plan it and exercise the plan.
One company I spoke with found out how to get Bitcoins and worked out what that process would be, who has authority, who signs what, etc. Their Plan A was not to pay, but they were smart enough to at least prepare a Plan B.
And finally, make sure you're aware of all the decryptors out there; they can be found on lots of different security research sites. I've seen Trend Micro, Kaspersky Labs and a few others all with numerous decryptors. Also check out nomoreransom.org, which has helped around 2,500 people get their files decrypted, worth an estimated €1.35 million in ransoms.
Do this in conjunction with having good technology to help in this fight and you'll be in a pretty good position. But ideally we want to avoid ever needing to use a plan or rely on decryptors or backups.
Real World Example
To stop ransomware infections in the real world, let's look at a real world example.
Early this year we spoke to a large organisation who were being hit with a lot of ransomware, and this is their analysis of the impact it was having on their business. This became their business case.
They were seeing 2-3 attacks every week,
which caused between 7 and 10 infections per week.
The attacks were targeting senior execs; as we mentioned earlier, there's good reason to do this.
They worked out each instance of ransomware cost them around £1,000.
I was surprised this figure wasn't higher, but they went through the costs of lost productivity, IT time for getting everything back up and running, everything.
This puts the annual cost at £364,000 a year. This kicked off a project to stop ransomware in the organisation.
How does Fortinet help?
We're all good at dealing with what we know is good and what we know is bad. But with the Verizon DBIR showing that 99.5% of malware is unique to that organisation, we need a better way of analysing that unknown code.
This is where dynamic analysis of run-time activity, better known as sandboxing, comes into its own.
Let's look at how the Fortinet Fabric helps solve this problem.
At an average room rate of 200 Euros per person and double occupancy, we can see that $10 per room is extremely good value to be released from this problem.
The reason I've included this under futures is, as I've alluded to in this session, that criminals will be targeting your business processes, as this causes the most disruption, and the higher the disruption the higher the likelihood of someone paying.