
Ransomware in targeted attacks

Ransomware has emerged as a major epidemic for businesses and consumers. Every day we encounter thousands of malicious samples related to ransomware, ranging from executable files and script downloaders to malicious documents with macros.
Threat actors use different techniques to infect victims, from the simplest, such as an executable file attached to an email message, to the most difficult, such as a drive-by attack with exploits (even with zero-days!).
We found something new emerging in 2016: several targeted attacks with one main goal: to execute ransomware in the victim's network and encrypt as many resources as possible. In such cases, the payment for decryption depends on the number of affected workstations and servers and on the victim type (a small company or a big market player). Very often, as a result of such attacks, the victim cannot use data from workstations and servers to continue normal functions because the ransomware used the full disk encryption method.
This leaves victim companies in a state of desperation, leading to demands for huge payments for decryption keys. We have encountered cases where the payment demand was more than half a million dollars! In that case, the threat actor used a vulnerability in one popular application server to infect a victim's network and then used several public tools to get the necessary privileges to install ransomware on all workstations and servers. As a result, more than 1000 workstations were encrypted.


  1. RANSOMWARE IN TARGETED ATTACKS. Ivanov Anton, Kaspersky Lab
  3. CISO NIGHTMARE STORY (Security Analyst Summit 2017)
  4. CISO NIGHTMARE STORY
  6. HOW BIG IS THE PROBLEM?
  7. WHO IS INVOLVED?
  8. MOTIVATION
     1) Money
     2) Diversion from APT attack
     3) Unfortunately it is very easy and cheap for attackers
  9. MONEY
  11. ACTORS BEHIND TARGETED ATTACKS
     Actors behind targeted attacks with ransomware:
     • Mamba group
     • PetrWrap group
     • Partners of one famous underground group
  12. MAMBA GROUP
  13. MAMBA GROUP
  14. MAMBA GROUP
  15. MAMBA GROUP
  16. MAMBA GROUP
  17. MAMBA GROUP
  18. MAMBA GROUP
     1) Uses exploits to own an organization’s network
     2) Installs PUPY RAT for persistence
     3) Uses mimikatz
     4) PsExec for ransomware is installed
  19. PETRWRAP
  20. PETRWRAP
  21. PETRWRAP
  22. PETRWRAP
  23. PETRWRAP
  24. PETRWRAP GROUP
  25. PETRWRAP GROUP
  26. PETRWRAP GROUP
  28. 3RD PARTY PARTNERS
  29. 3RD PARTY PARTNERS
  30. 3RD PARTY PARTNERS
  31. 3RD PARTY PARTNERS
  32. 3RD PARTY PARTNERS
  33. 3RD PARTY PARTNERS
  34. 3RD PARTY PARTNERS
  36. CONCLUSIONS
  37. CONCLUSIONS
     • Targeted attacks with ransomware will be the main ransomware trend in 2017
     • Protect the perimeter
     • In the event of an attack, good IR could help
     • DO NOT PAY
     • Use security solutions with a behavioral detection component
  38. LET'S TALK?