  1. Ransomware: Prevent, Prepare, Detect, Respond
     Preston Jennings, VP Information Security and CISO
     Will Hatcher, Director Enterprise Information Security
     Information Security, September 2016
  2. Discussion Topics
     I. Review Ransomware History and Problem
     II. Ransomware Attack Prevention
     III. Ransomware Attack Preparation
     IV. Ransomware Attack Detection
     V. Ransomware Attack Response
     It is not if, but when, you will be hit.
     ©2016 Trinity Health - Livonia, Mich.
  3. I. Ransomware History and Problem
     It’s always been the “Wild Wild West” on the internet, and in terms of cybercrime, ransomware is the latest outlaw. In or around 2012, OC Hackers, an elite group of hackers, discovered ransomware and implemented it. These groups decided that instead of robbing a bank, it would be easier to hijack valuable information and hold it for ransom. And it turns out, it really was that simple.
  4. I. Ransomware History and Problem
     • As the times change, so does the name: Hacker, Thief, Pirate, Gangster. But the concept is the same. They’ve got something valuable. Maybe it’s valuable only to you. But…you’re willing to pay money to protect it or get it back.
     • As an IT or security professional, it is your responsibility to be aware of the dangers and risks that ransomware poses to your organization, and to learn the steps to protect yourself and your organization’s assets.
  5. I. Ransomware History and Problem
     • Ransomware not only encrypts files; it is smart enough to infect system files and file shares across the network. Once your device or system has been encrypted, the hacker will offer you a method of contact and payment (usually Bitcoin) to retrieve the decryption key.
     • Only the hacker can provide the key, and that’s his power over you.
     • The FBI has stated that approximately 75% of those who pay the ransom can then successfully decrypt their files using the key provided by the hacker.
  6. I. Ransomware History and Problem
     There’s been a lot of hype by the media regarding the enormous damage to networks caused by ransomware. A recent security industry survey sheds light on the facts of these worldwide attacks. Ransomware is a very real threat: nearly 50% of businesses were victimized last year. BUT THOSE WHO WERE PROPERLY PREPARED MINIMIZED THE IMPACT. Ransomware is ever evolving into a more sophisticated, more profitable, and thus more likely, future threat.
  7. I. Ransomware History and Problem
     In a 2016 international survey, conducted by Osterman and sponsored by Malwarebytes, 165 US and 375 other national government and business entities were polled. The results revealed how prevalent attacks have been:
     • 47% of organizations experienced a ransomware incident in the last 12 months, with 39% of respondents being economically impacted by the attack.
     • Email was the most common vector of attack.
     • The most common sectors victimized were the healthcare and financial sectors.
     • Only 40% paid the ransom demanded.
     • Recovery from backup was the most common remediation.
  8. I. Ransomware History and Problem
     [chart: Value of the Files That Were Encrypted]
  9. I. Ransomware History and Problem
     Ransom Amounts Demanded (share of responses)
     Up to $500: 30%
     $500 - $1K: 22%
     $1K - $5K: 20%
     $5K - $10K: 11%
     $10K - $50K: 12%
     $50K - $150K: 3%
     More than $150K: 3%
  10. I. Ransomware History and Problem
      [chart: Physical Locations by which Ransomware Entered the Organization]
  11. I. Ransomware History and Problem
      [chart: How Ransomware Entered the Organization; category labels not recoverable from the export]
  12. II. Prevention
      • Deploy a good email filtering/firewall service like Mimecast.
      • Do not allow attachments ending in .exe, .bat, .cmd, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh, .jar.
      • Run a good employee awareness program using SaaS offerings like:
        - Kevin Mitnick Security Awareness Training
        - Wombat Security Technologies
        - SANS Securing the Human
  13. II. Prevention
      • Conduct simulated phishing attacks to test and increase awareness.
      • Utilize advanced software to detect ransomware, such as Microsoft’s Cryptowall scanner.
      • Use advanced endpoint agents to detect and stop ransomware from executing.
      • Enforce software restriction policies such as:
        - Do not allow MS Office macros if possible, or at least give the user the option to allow them.
        - Use system policies to restrict file directory or network drive access.
  14. III. Preparation
      • Make sure that all critical systems are fully backed up every 24 hours.
      • Test the restore procedures to ensure that the organization’s systems can effectively recover.
      • Have an identified incident response team that includes system administrators, the disaster recovery team, backup data administrators, the CIO and CTO, and security teams. Conduct an exercise identifying who will do what, and when. If possible, test restoration from backups.
  15. IV. Detection
      • Users cannot open files and get error messages like “files have incorrect extensions.”
      • An HTML or text file with a statement about how to pay to unlock your files.
      • An image that warns of a countdown to an increasing ransom, or a threat that you will not be able to decrypt files if you don’t pay soon.
      • Files with names like HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML.
      • Screenshots within emails.
  16. IV. Detection - PadCrypt or Crydap.A (2016)
      This ransomware might arrive as a file named package.pdcr and might be seen being downloaded by TrojanDownloader:MSIL/Crydap.A. You might see files similar to:
      encrypted_files.dat - list of encrypted files
      HELP_YOUR_FILES.html - ransom note
      package.exe - copy of malware
      PadCrypt.exe - copy of malware
      unistl.exe - uninstaller
      wallpaper.bmp - ransomware wallpaper
  17. IV. Detection - Fantomcrypt.A (2016)
      This threat might appear as a critical Windows update to lure potential victims into applying the fake update, thus triggering the document encryption process that runs in the background. You see the ransom note (DECRYPT_YOUR_FILES.HTML) in each folder after your files are encrypted. Your Microsoft Windows Task Manager is disabled and locked out while your files are encrypted.
  18. IV. Detection - Zcrypto.A (2016)
      This ransomware can stop you from using your PC or accessing your data. It is distributed through the spam email infection vector. It also gets installed on your machine through other macro malware or fake installers (Flash Player setup).
      • You see How to decrypt files.html on your machine, which displays the ransom note.
      • You see file types with the extension changed to .zcrypt (for example, <originalfilename>.zcrypt).
      • You see the zcrypt1.0 mutex. The mutex denotes that an instance of this ransomware is already running on the infected machine.
  19. V. Response
      • Through internal network monitoring, determine “patient zero” (the source of the infection).
      • Once found, immediately disconnect it from the network (don’t forget wireless). Do not wipe or disinfect the computer; preserve it for forensic review.
      • Determine what drives and systems (servers) “patient zero” has access to. Don’t forget USB and cloud-based files, etc. Check each one for any sign of encryption (a script helps here). Keep an inventory of what is checked and what is infected. Alternatively, registry changes caused by the ransomware, if known, can be used to find infected systems.
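The symptoms listed on the Detection slides (ransom-note file names, the .zcrypt extension, files whose contents no longer match their type) and the Response step of checking every share “patient zero” could reach for signs of encryption, as an added triage script that is not part of the original presentation. It assumes the share is already mounted as a local path and uses a constructed temporary directory as input; the 7.0 bits/byte entropy threshold and the set of text file types are assumptions.

```python
import math, os, tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the slides: ransom-note file names and the .zcrypt extension.
RANSOM_NOTES = {
    "how to decrypt files.txt", "decrypt_instructions.html", "help_your_files.html",
    "decrypt_your_files.html", "how to decrypt files.html",
}
RANSOM_EXTENSIONS = {".zcrypt"}
TEXT_TYPES = {".txt", ".csv", ".html", ".xml", ".log"}  # assumed plain-text types that should never look random

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted data, far lower for ordinary text."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def scan_share(root: str, entropy_threshold: float = 7.0) -> dict:
    """Walk a share (e.g. a mapped drive patient zero could reach) and group hits by indicator."""
    hits = {"ransom_note": [], "ransom_extension": [], "high_entropy_text": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel, name, ext = str(path.relative_to(root)), path.name.lower(), path.suffix.lower()
        if name in RANSOM_NOTES:
            hits["ransom_note"].append(rel)
        elif ext in RANSOM_EXTENSIONS:
            hits["ransom_extension"].append(rel)
        elif ext in TEXT_TYPES:
            # A text-typed file whose content looks random is the "incorrect extension" symptom.
            with path.open("rb") as fh:
                if shannon_entropy(fh.read(65536)) > entropy_threshold:
                    hits["high_entropy_text"].append(rel)
    return hits

def build_sample_share() -> str:
    """Constructed sample data: a healthy report, an encrypted-looking CSV, a .zcrypt file and a note."""
    root = tempfile.mkdtemp()
    Path(root, "finance").mkdir()
    Path(root, "finance", "report.txt").write_text("Quarterly totals\n" * 200)
    Path(root, "finance", "budget.csv").write_bytes(os.urandom(4096))  # stands in for ciphertext
    Path(root, "finance", "invoice.pdf.zcrypt").write_bytes(os.urandom(1024))
    Path(root, "finance", "How to decrypt files.html").write_text("<html>pay us</html>")
    return root

if __name__ == "__main__":
    for kind, files in scan_share(build_sample_share()).items():
        print(f"{kind}: {files}")
```

Run it against each mapped drive in turn and keep the per-share output as the inventory the slide asks for; a share with no hits in any category is a candidate for restore-from-backup verification rather than rebuild.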
  20. V. Response
      • Determine the strain of ransomware. Look at the pattern of encryption, the request for payment, file names, and whether it is a new strain. Some strains target servers; some spread throughout a domain like a worm; many of the 2015 strains did not spread beyond direct network shares.
      • Now what? Four options:
        1. Restore from a recent backup.
        2. Decrypt your files using a third-party decryptor (success is not likely).
        3. Negotiate and pay the ransom.
        4. Do nothing (lose your data).
  21. V. Response - Recover From Recent Backup
      • Identify the malware (ransomware) files and delete them. If possible, identify the infection vector (phishing, website, etc.), and be sure you have identified all infected computers and blocked that vector.
      • Check and make sure that your backups are not infected. Ensure that you are not recovering encrypted data or the malware files themselves.
  22. V. Response - Try to Decrypt
      • If the ransomware is an older version like Cryptowall or Cryptolocker, there is a chance that some of the encryption keys have been cracked or recovered by some of the major anti-virus companies. Since the criminals are constantly updating their malware, an attempt to decrypt the files is not likely to work.
      • Make an effort to positively identify the strain of ransomware.
  23. V. Response - Try to Decrypt (continued)
      • Identify the appropriate decryptor/unlocker solution. Ensure that the tool you are using is reliable and from a reputable source (not some random blog). Search some mainstream security and AV forums.
      • If you try a decryptor tool and it fails, look to restore from your backup, because it is possible that you corrupted the encrypted volume. Or you can negotiate with the hacker to buy a key and try it.
  24. V. Response - Negotiate for Ransom
      • If you simply must have your original files back, then your only recourse is to pay the ransom.
      • Most security professionals advise against this, but it is a viable option because most often the criminals provide a valid decryption key after they receive payment, and the ransom is often a minimal expense to a large enterprise.
      • Many criminal enterprises provide customer service much like a software company!
  25. V. Response - Negotiate for Ransom (continued)
      How to make payment:
      1. Locate the proper payment method: how much, how to pay, where to send it, and the amount of time left to pay.
      2. Set up a payment account with a provider like Bitcoin. Bitcoin uses an exchange, and you will need to purchase Bitcoins on the market quickly. Choosing an exchange market or broker can be dicey, due to fraudulent market activity and the exchange or broker requiring banking information. I would set up a separate bank account for this transaction. See for Bitcoin guidance.
      3. Some Bitcoin brokers take days to clear transactions. You want to find a local broker that can process the transaction quickly, with multiple payment options. Go to for a local market.
  26. V. Response - Do Nothing
      • Find all instances of ransomware and eliminate them.
      • Back up encrypted files, in case a decryption key is uncovered at a later date.
      • Most importantly, find the vector of infection and close that loophole. Take remediation measures, such as user awareness and other recommended prevention measures.
      • Configure and test recovery with regular nightly backups.