Ransomware is Here: Fundamentals Everyone Needs to Know
If you’re an IT professional, you probably know at least the basics of ransomware. Instead of using malware or an exploit to exfiltrate PII from an enterprise, bad actors instead find valuable data and encrypt it. Unless you happen to have an NSA-caliber data center at your disposal to break the encryption, you must pay your attacker in cold, hard bitcoins—or else wave goodbye to your PII. Those assumptions aren’t wrong, but they also don’t tell the whole picture.

During this event we’ll discuss topics such as:

Why Ransomware is Exploding
The growth of ransomware, as opposed to garden-variety malware, is enormous. Hackers have found that they can directly monetize the data they encrypt, which eliminates the time-consuming process of selling stolen data on the Darknet. In addition, the use of ransomware requires little in the way of technical skill—because attackers don’t need to get root on a victim’s machine.

Who the Real Targets Are
Two years ago, the most newsworthy victims of ransomware were various police departments. This year, everyone is buzzing about hospitals. Is this a deliberate pattern? Probably not. Enterprises are so ill-prepared for ransomware that attackers have a green field to wreak havoc. Until the industry shapes up, bad actors will deploy ransomware indiscriminately.

Where Ransomware Stumbles
Although ransomware is nearly impossible to dislodge when employed correctly, you may be surprised to find that not all bad actors have the skill to do it. Even if ransomware targets your network, you may learn that your attackers have used extremely weak encryption—or that they’ve encrypted files that are entirely non-critical.
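The passage above contrasts strong encryption (no recovery without the key) with the weak schemes less skilled operators sometimes use. The following triage script, added here as an example and not part of the original presentation, shows the check an incident responder runs before assuming files are unrecoverable: byte entropy distinguishes near-random ciphertext from structured data, and a known-plaintext header exposes single-byte XOR "encryption". The PDF header, the document text and the SHA-256 stream standing in for real cipher output are all constructed for the demo.

```python
import hashlib
import math
from collections import Counter
from typing import Optional

# Known plaintext a responder expects at the start of a PDF (assumption for the demo).
PDF_MAGIC = b"%PDF-1.4\n"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 means the byte distribution is indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def recover_single_byte_xor(cipher: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Return the plaintext if every header byte maps through the same XOR key byte."""
    if len(cipher) < len(known_prefix):
        return None
    keys = {c ^ p for c, p in zip(cipher, known_prefix)}
    if len(keys) != 1:
        return None  # header bytes would need different keys: not a single-byte XOR
    key = keys.pop()
    return bytes(b ^ key for b in cipher)

def triage(cipher: bytes, known_prefix: bytes) -> dict:
    """Classify a suspected encrypted file: recoverable, strongly encrypted, or unclear."""
    entropy = shannon_entropy(cipher)
    plaintext = recover_single_byte_xor(cipher, known_prefix)
    if plaintext is not None:
        verdict = "weak"      # amateur XOR: recovered without paying
    elif entropy > 7.5:
        verdict = "strong"    # near-random bytes: no shortcut, restore from backup
    else:
        verdict = "unclear"   # structured data remains; check for partial encryption
    return {"entropy": round(entropy, 2), "verdict": verdict, "plaintext": plaintext}

# Constructed samples (not real ransomware output).
DOC = PDF_MAGIC + b"Parts list, chassis 42, race 07\n" * 20
WEAK_SAMPLE = bytes(b ^ 0x5A for b in DOC)          # single-byte XOR "encryption"
STRONG_SAMPLE = b"".join(                             # stand-in for AES output: SHA-256 stream
    hashlib.sha256(b"demo" + i.to_bytes(2, "big")).digest() for i in range(128)
)

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("strong", STRONG_SAMPLE)):
        result = triage(sample, PDF_MAGIC)
        print(name, result["entropy"], result["verdict"])
```

Run it against a sample of the affected files with the header of their real file type; a "strong" verdict means the only remaining option the slides describe is restoring from backup.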

As far as ransomware is concerned, forewarned is forearmed. Once you know how attackers deliver ransomware, who they’re likely to attack, and the weaknesses in the ransomware deployment model, you’ll be able to understand how to protect your enterprise.

Published in: Technology


1. RANSOMWARE IS HERE: FUNDAMENTALS EVERYONE NEEDS TO KNOW
   JEREMIAH GROSSMAN, CHIEF OF SECURITY STRATEGY, @jeremiahg
   https://www.jeremiahgrossman.com/ http://blog.jeremiahgrossman.com/ http://sentinelone.com/
2. JEREMIAH GROSSMAN: WHO I AM…
   ▸ Professional Hacker
   ▸ OWASP Person of the Year (2015)
   ▸ International Speaker
   ▸ Black Belt in Brazilian Jiu-Jitsu
   ▸ Founder of WhiteHat Security
3. WHAT IS RANSOMWARE?
   “RANSOMWARE IS A TYPE OF MALWARE THAT CAN BE COVERTLY INSTALLED ON A COMPUTER WITHOUT KNOWLEDGE OR INTENTION OF THE USER THAT RESTRICTS ACCESS TO THE INFECTED COMPUTER SYSTEM IN SOME WAY, AND DEMANDS THAT THE USER PAY A RANSOM TO THE MALWARE OPERATORS TO REMOVE THE RESTRICTION.” (Wikipedia)
4. YOU KNOW IT WHEN INFECTED WITH RANSOMWARE…
5. CRYPTO LOCKER, CRYPTO WALL, TESLACRYPT, REVETON, JIGSAW, LOCKY
   “THERE ARE NOW MORE THAN 120 SEPARATE FAMILIES OF RANSOMWARE, SAID EXPERTS STUDYING THE MALICIOUS SOFTWARE.”
6. ORDER OF OPERATIONS, STEP-BY-STEP
   1. Targeting – OS, geography, banking/ecommerce, consumer
   2. Propagation – spear-phishing, drive-by-download, attachments
   3. Exploit – exploit kits, vulnerability-based, unpatched systems
   4. Infection – payload delivery, backdoor access
   5. Execution – encryption, disruption, blocked access, RANSOM
7. DESIGNED TO EVADE DETECTION
   Wrappers: Turn known code into a new binary
   Variations / Obfuscators: Slightly alter code to make known code appear new/different
   Packers: Ensure code runs only on a real machine (anti-VM, sleepers, interactions, anti-debug)
   Targeting: Allows code to run only on a specific target machine/configuration
   Ransomware Code: The actual attack code that attacks your files, blocks access to the system and/or encrypts data
8. THE BIRTH OF A BILLION DOLLAR CYBER-CRIME INDUSTRY
   “THE FBI RECENTLY PUBLISHED THAT RANSOMWARE VICTIMS PAID OUT $209 MILLION IN Q1 2016 COMPARED TO $24 MILLION FOR ALL OF 2015.” (LA Times)
9. THE BIRTH OF A BILLION DOLLAR CYBER-CRIME INDUSTRY
   “IN ITS LETTER, THE DHS NOTED THAT ITS NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER (NCCIC) HAD INITIATED OR RECEIVED 321 REPORTS OF RANSOMWARE-RELATED ACTIVITY AFFECTING 29 DIFFERENT FEDERAL AGENCIES SINCE JUNE 2015. THE 321 REPORTS INCLUDE ATTEMPTED INFECTIONS AND INFECTIONS THAT WERE DEALT WITH BY THE AGENCIES' INTERNAL SECURITY TEAMS.” (Business Insider)
10. WHY THE RANSOMWARE EXPLOSION NOW?
11. ALMOST 50% AFFECTED END UP MAKING THE PAYMENT
   The number of users who came across crypto ransomware in the last year increased by more than 500% over the previous year. (Dec 2015, Kaspersky)
12. THE RANSOM AND PAYMENT METHODS
   ▸ $200-$2000, average $300 (High $20,000)
   ▸ Most commonly paid through BitCoin
   ▸ Also through premium SMS/phone call, anonymous cash card or prepaid transfer service
   Secondary Motives
   ▸ Leave spyware behind
   ▸ Open backdoors
   ▸ Steal passwords
13. RANSOMWARE DOES NOT NEED ROOT ACCESS
   “‘RANSOMWEB’ DESCRIBES ATTACKS DURING WHICH CROOKS BREAK INTO A WEBSITE USING VARIOUS VULNERABILITIES AND ENCRYPT ITS CONTENT. THIS CAN BE ITS DATABASE OR ITS FILES, BUT IN THE END, CROOKS NOTIFY THE SITE OWNERS THAT THEY HAVE TO PAY A RANSOM TO GET THEIR FILES BACK.”
14. HOSPITALS, NASCAR, GOVERNMENT, SCHOOLS, POLICE, GAMERS
15. “ON WEDNESDAY, U.S. SECURITY COMPANY KNOWBE4 SAID IT WAS RECENTLY CONTACTED BY A HEALTH CENTER THAT PAID HACKERS NEARLY $40,000 AFTER 250 DEVICES, INCLUDING AN MRI MACHINE, BECAME INFECTED WITH RANSOMWARE, PROMPTING THE UNNAMED ORGANIZATION TO SHUT DOWN FOR FIVE DAYS.”
   “[PRIME HEALTHCARE SERVICE] SAYS IT DEFEATED THE CYBERATTACK WITHOUT PAYING A RANSOM. BUT IT ACKNOWLEDGED SOME PATIENTS WERE TEMPORARILY PREVENTED FROM RECEIVING RADIOLOGY TREATMENTS, AND OTHER OPERATIONS WERE DISRUPTED BRIEFLY WHILE COMPUTER SYSTEMS WERE DOWN.”
   “IN MARCH, HACKERS ENCRYPTED DATA AT MEDSTAR HEALTH, WHICH OPERATES 10 HOSPITALS IN MARYLAND AND THE DISTRICT OF COLUMBIA. THE VIRUS CAUSED DELAYS IN SERVICE AND TREATMENT UNTIL COMPUTERS WERE BROUGHT BACK ONLINE. THE COMPANY SAID IT DID NOT PAY A REPORTED $19,000 RANSOM DEMAND.”
16. “NASCAR TEAM CIRCLE SPORT-LEAVINE FAMILY RACING (CSLFR) HAS REVEALED TODAY IT FACED A RANSOMWARE INFECTION THIS PAST APRIL, WHEN IT ALMOST LOST ACCESS TO CRUCIAL FILES WORTH NEARLY $2 MILLION, CONTAINING CAR PARTS LISTS AND CUSTOM HIGH-PROFILE SIMULATIONS THAT WOULD HAVE TAKEN 1,500 MAN-HOURS TO REPLICATE.”
   “RECENTLY, THE AMERICAN PUBLIC UTILITY LANSING BOARD OF WATER & LIGHT (BWL) HAS ANNOUNCED THAT THE COMPANY HAS BECOME A VICTIM OF RANSOMWARE ATTACK THAT KNOCKED THE UTILITY'S INTERNAL COMPUTER SYSTEMS OFFLINE.”
   “POLICE DEPARTMENT CHIEF MICHAEL LYLE CLAIMED THAT ONE UNSUSPECTING USER FROM WITHIN THE DEPARTMENT OPENED THE EMAIL, TRIGGERING THE PAYLOAD OF THE RANSOMWARE WHICH PROCEEDED TO ENCRYPT FILES AND TAKE CONTROL OF A PROGRAM KNOWN AS TRITECH. THE SOFTWARE IS AN ESSENTIAL TOOL, ONE THAT POLICE OFFICERS USE FOR COMPUTER AIDED DISPATCH AND AS A RECORD MANAGEMENT SYSTEM DURING PATROL. THE PROGRAM ALSO ENABLES LAW ENFORCEMENT OFFICERS TO LOG INCIDENT REPORTS.”
17. TO PAY OR NOT TO PAY…
   “TO BE HONEST, WE OFTEN ADVISE PEOPLE JUST TO PAY THE RANSOM.”
   -JOSEPH BONAVOLONTA, ASSISTANT SPECIAL AGENT IN CHARGE OF THE FBI’S CYBER & COUNTERINTELLIGENCE PROGRAM (The Security Ledger)
18. THE FBI’S “OFFICIAL” POSITION
   “THE FBI DOES NOT ADVISE VICTIMS ON WHETHER OR NOT TO PAY THE RANSOM.”
   “THE FBI ADVISES THAT THE USE OF BACKUP FILES IS AN EFFECTIVE WAY TO MINIMIZE THE IMPACT OF RANSOMWARE AND THAT IMPLEMENTING COMPUTER SECURITY BEST PRACTICES IS THE MOST EFFECTIVE WAY TO PREVENT RANSOMWARE INFECTIONS.”
   -DONALD J. GOOD, DEPUTY ASSISTANT DIRECTOR OF THE FBI'S CYBER DIVISION (Softpedia)
19. RANSOMWARE IS INNOVATING
20. RESEARCH AND DEVELOPMENT INCREASING
21. SOPHISTICATION
   ▸ Recent ransomware is targeted, sophisticated and harder to detect
   ▸ Once data is encrypted there are virtually no options
   ▸ Modern encryption techniques impossible to break
   ▸ Restore from backups is time consuming, some data loss
   ▸ CryptoLocker 3.0 payments have been estimated at $325 Million
   ▸ Ransomware criminals netting roughly $150 Million per year
22. BUSINESS MODELS ARE EVOLVING AND MATURING