
Ransomware ly


Technical Presentation speech for Toastmasters on Ransomware and suggested mitigations. Tied vulnerabilities to various HITRUST controls

Published in: Education

  1. RANSOMWARE PRESENTATION – Lisa Young, May 21, 2017
  2. Agenda
     • Introduction – Education & Work History
     • What is Ransomware?
     • Ransomware History Timeline
     • Ransomware Statistics
     • Types of Ransomware
     • Examples of Ransomware
     • Cryptolocker and Cryptowall
     • WannaCry
     • Tips to Avoid Ransomware
     • Questions & Answers
  3. Education & Work History – Lisa Young
     • Various jobs
     • Computer Aided Drafting (CAD) Operator – 1985–1988
     • Network Manager/CAD Operator – KTG Glassworks – 1988–1999
     • Customer Support/IT Director – Anesthesia Recording, Inc./Agilent Technologies – 1999–2000
     • Systems Network Engineer/IT Site Manager – Philips Healthcare – 2000–2013
     • Student, transitioning – 2013
     • Security Analyst – Gateway Health – 2013–2015
     • Senior Information Security Risk Consultant – 2015–Present
  4. Ransomware Information
     ➢ What is ransomware? Malicious software (malware) that locks a device, such as a computer, tablet or smartphone, and then demands a ransom to unlock it.
     ➢ Where did ransomware originate? The first documented case, ‘Gpcoder’, appeared in 2005 in the United States, but quickly spread around the world.
     ➢ How does it affect a computer? The software is normally contained within an attachment to an email that masquerades as something innocent. Once opened it encrypts the hard drive, making it impossible to access or retrieve anything stored there – such as photographs, documents or music.
     ➢ How can you protect yourself? Anti-virus software can protect your machine, although cybercriminals are constantly working on new ways to override such protection.
     ➢ How much are victims expected to pay? The ransom demanded varies. Victims of a 2014 attack in the UK were charged £500, or about $652.00 in the US. However, there’s no guarantee that paying will get your data back.
     Source: http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/
  5. Ransomware History Timeline – 2005 to Q1 2016
  6. Ransomware Statistics
     • Ransomware emails spiked 6,000%
     • 40% of all spam email had ransomware
     • 59% of infections came from email
     • 92% of surveyed IT firms reported attacks on their clients
     • Infections hit 56,000 in a single month
     • Attacks expected to double in 2017
     • Healthcare and Financial Services were the hardest hit
     • 70% of businesses paid the ransom
     • 20% of businesses paid more than $40,000
     • Less than 25% of ransomware attacks are reported
     • Most businesses face at least 2 days of downtime
     Source: http://invenioit.com/security/ransomware-statistics-2016/
  7. Types of Ransomware
     ➢ Encryption (Crypto) – affects data and files on the system; the system still functions but the files cannot be accessed
     ➢ Lock Screen – prevents the victim from using the system by locking all components
     ➢ Master Boot Record (MBR) – prevents the victim from booting the system
  8. 1. Cryptolocker and Cryptowall – September 5, 2013
     ➢ Ransomware Trojans that encrypt your personal files
     ➢ (Trojan – a malicious computer program which is used to hack into a computer by misleading users of its true intent)
     ➢ Use social engineering techniques that trick you into running them
     ➢ Designed to extort money
     ➢ Spread in many ways:
        ➢ Phishing emails that contain malicious attachments or links
        ➢ Drive-by download sites
        ➢ Password-protected zip file in email – password included
     ➢ Often Cryptolocker arrives in files that carry double extensions such as filename.pdf.exe
  9. How Cryptolocker Gets Installed
     ➢ When the victim clicks the file, the Trojan goes memory resident on the computer and takes the following actions:
        ➢ Saves itself to a folder in the user’s profile (AppData, LocalAppData).
        ➢ Adds a key to the registry to make sure it runs every time the computer starts up.
        ➢ Spawns two processes of itself: one is the main process, the other aims to protect the main process against termination.
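A triage check for the two indicators slides 8 and 9 describe, added here as an example (it is not code from the presentation): attachment names whose document extension hides an executable one (filename.pdf.exe), and autorun entries whose program lives under the user's AppData folders. The Run-key entries, attachment names and paths are constructed samples.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample data (not from the presentation): a few HKCU Run-key
# entries and e-mail attachment names, as a triage script might collect them.
RUN_KEY_ENTRIES = {
    "OneDrive": r'"C:\Users\lisa\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Invoice": r'"C:\Users\lisa\AppData\Roaming\Ikwpfjvl\qrlpad.exe"',
    "Updater": r"C:\Users\lisa\AppData\Local\Temp\update.exe -s",
}
ATTACHMENTS = ["report.pdf", "invoice_2017.pdf.exe", "photo.jpg", "scan.doc.scr", "archive.zip"]

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".js", ".vbs"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}

def is_double_extension(filename: str) -> bool:
    """True for names like filename.pdf.exe: a document-looking inner extension
    followed by an executable outer one. With 'hide extensions for known file
    types' on, Windows would show this file as filename.pdf."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _stem, inner, outer = parts
    return "." + outer in EXEC_EXTENSIONS and "." + inner in DOC_EXTENSIONS

def autorun_executable(command: str) -> str:
    """Pull the program path out of a Run-key command line (quoted or bare)."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    return m.group(1) or m.group(2)

def runs_from_user_profile(path: str) -> bool:
    """True when the program sits under AppData or LocalAppData, the location
    slide 9 says CryptoLocker writes itself to before adding its Run key."""
    return "appdata" in [p.lower() for p in PureWindowsPath(path).parts]

def suspicious_autoruns(entries: dict) -> list:
    """Review list, not a verdict: legitimate software (OneDrive here) also
    autoruns from AppData, so each hit still needs a human or signature check."""
    return sorted(name for name, cmd in entries.items()
                  if runs_from_user_profile(autorun_executable(cmd)))

def suspicious_attachments(names) -> list:
    """Attachment names that hide an executable behind a document extension."""
    return [n for n in names if is_double_extension(n)]
```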
  10. File Encryption
     ➢ CryptoLocker encrypts files on the computer’s hard disk and on every network drive the infected user has access to.
  11. 2. WannaCry – May 12, 2017
     One anonymous doctor at a major trauma center in London wrote online: ‘Everything has gone down. No blood results, no radiology images, there's no group specific blood available.’
     ➢ Hospitals across the country
     ➢ As of 5/14/17 – 150 countries affected & 230,000 victims
     ➢ Weekend chaos
     ➢ Russian-linked cyber gang ‘Shadow Brokers’ blamed
  12. WannaCry Message
     Locks all the data on a computer system and leaves the user with only two files: instructions on what to do next and the Wanna Decryptor program itself.
  13. Cyber Attack Hits German Train Station
  14. How WannaCry Spreads
     ➢ Exploits a Windows server vulnerability – Security Bulletin MS17-010; the patch has been available since March 2017
     ➢ The NSA discovered the vulnerability, but information about it and how to exploit it was stolen in a breach and then leaked to the public by a hacking group known as the Shadow Brokers.
     ➢ Microsoft issued a fix in mid-March, but many computers and servers never actually received the patch, leaving those systems open to attack.
     ➢ A young cyber expert managed to stop the spread of the attack by accidentally triggering a "kill switch" when he bought a web domain for less than £10.
     ➢ When the WannaCry program infects a new computer it contacts that web address, and it is programmed to terminate itself if it manages to get through. Once the 22-year-old researcher bought the domain the ransomware could connect and was therefore stopped. This created what is known as a ‘sinkhole’.
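The sinkhole idea from this slide and the appendix term, worked as an added example rather than anything from the presentation: a resolver that answers known-bad names with an analyst-controlled address (so a check-in like WannaCry's "gets through" and the program stops) and a report of which hosts tried to check in. The domain names, addresses and log lines are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data (not from the presentation): the sinkhole's address,
# the names it answers for, and resolver log lines "<time> <client-ip> <name>".
SINKHOLE_IP = "192.0.2.1"            # documentation-range address standing in for the analyst's server
SINKHOLED_DOMAINS = {
    "kill-switch.example",           # placeholder for a registered malware check-in domain
    "c2.example",
}
RESOLVER_LOG = """\
2017-05-12T10:01:03 10.0.5.21 www.example.com
2017-05-12T10:01:07 10.0.5.21 kill-switch.example
2017-05-12T10:02:15 10.0.7.9 kill-switch.example
2017-05-12T10:02:16 10.0.7.9 c2.example
2017-05-12T10:03:40 10.0.5.44 mail.example.org
"""

def resolve(name, upstream):
    """Sinkhole resolver: a sinkholed name gets the analyst-controlled address
    (the malware 'connects' and, like WannaCry, can stop); anything else is
    forwarded to the normal upstream resolver. Returns (address, sinkholed)."""
    if name.lower().rstrip(".") in SINKHOLED_DOMAINS:
        return SINKHOLE_IP, True
    return upstream(name), False

def sinkhole_report(log_text):
    """The capture side: hosts that asked for a sinkholed name are the ones
    trying to check in, i.e. the machines to isolate and clean first.
    Returns {client_ip: sorted list of sinkholed names it queried}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _when, client, qname = line.split()
        if qname.lower().rstrip(".") in SINKHOLED_DOMAINS:
            hits[client].add(qname.lower())
    return {client: sorted(names) for client, names in hits.items()}
```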
  15. How to Avoid Ransomware
     ➢ Patch computers
     ➢ Use anti-virus software and always have the latest update
     ➢ Be wary of emails from senders you don’t know – especially with attachments such as .zip files
     ➢ Don’t click links in emails
     ➢ Disable hidden file extensions (so a double extension such as filename.pdf.exe is visible)
     ➢ Back up your data on a regular basis
     ➢ Don’t pay the ransom
     Source: https://answers.microsoft.com/en-us/windows/forum/windows_10-security/wanna-cry-ransomware/5afdb045-8f36-4f55-a992-53398d21ed07
  16. Questions
  17. Appendix
     Cyber Maps: Norse Attack Map; Check Point ThreatCloud; FireEye Cyber Threat Map; Kaspersky Cyberthreat Real-Time Map; Digital Attack Map
     Terms defined: Sinkhole; Malware; Trojan; Worm; Virus; Botnet; Domain Name Service (DNS); Ransomware; Bitcoin; Drive-by-download attack; Server Message Block (SMB)
     Related HITRUST Controls: 02.e Information Security Awareness, Education, and Training; 09.J Controls against malicious code; 09.L Backup; 10.k Change Control Procedures
  18. Norse Attack Map
     • http://map.norsecorp.com/#/
     • Ranks the country of attack origin, attack type and attack target country, and displays a live feed of attacks.
  19. Check Point – ThreatCloud
     • Shows attacking and targeted countries, along with a counter of how many attacks have happened in the current day.
  20. FireEye Cyber Threat Map
     • Shows similar data to the Norse and Check Point maps, and also shows the top 5 targeted industries for the past 30 days.
  21. Kaspersky – Cyberthreat Real-Time Map
     • The look of the map can be customized by filtering certain types of malicious threats, such as email malware, web site attacks, vulnerability scans, etc.
  22. Digital Attack Map
  23. Terms
     • Sinkhole – basically a way of redirecting malicious Internet traffic so that it can be captured and analyzed by security analysts. Sinkholes are most often used to seize control of botnets by interrupting the DNS names the malware uses for the botnet.
     • Malware – malicious software program that is intended to damage or disable computers and computer systems.
     • Trojan – malicious computer program which is used to hack into a computer by misleading users of its true intent.
     • Worm – standalone malicious software that does not require a host program or human help to propagate.
     • Virus – type of malicious software program ("malware") that, when executed, replicates itself by modifying other computer programs and inserting its own code. Infected computer programs can include, as well, data files, or the "boot" sector of the hard drive.
     • Botnet – a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g., to send spam messages.
     • Domain Name Servers (DNS) – the Internet's equivalent of a phone book. They maintain a directory of domain names and translate them to Internet Protocol (IP) addresses.
     • Ransomware – malicious software (malware) that locks a device, such as a computer, tablet or smartphone, and then demands a ransom to unlock it.
     • Bitcoin – a type of digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds, operating independently of a central bank.
     • Drive-by-download attack – means two things, each concerning the unintended download of computer software from the Internet: downloads which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet) automatically.
     • Server Message Block (SMB) – one version of which was also known as Common Internet File System (CIFS, /ˈsɪfs/), operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism.
     • Note: definitions from Wikipedia.
  24. 02.e Information Security Awareness, Education, and Training – CSF control for spam/malicious attachments
     Control Text: All employees of the organization and contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures as relevant to their job function.
     Implementation Requirement: Ongoing training for these individuals and organizations shall include security and privacy requirements as well as training in the correct use of information assets and facilities (including but not limited to log-on procedures, use of software packages, anti-malware for mobile devices, and information on the disciplinary process).
  25. 09.J Controls against malicious code – CSF control for ransomware
     Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
     Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
  26. 09.L Backup – CSF control for crypto-ransomware
     Control Text: Backup copies of information and software should be taken and tested regularly.
     Implementation Requirement: Backup copies of information and software shall be made, and tested at appropriate intervals. Complete restoration procedures shall be defined and documented for each system.
  27. 10.k Change Control Procedures – CSF control for security updates on systems
     Control Text: The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures.
     Implementation Requirement: Review and update the baseline configuration of the information system:
        i. when required due to critical security patches, upgrades and emergency changes (e.g., unscheduled changes, system crashes, replacement of critical hardware components), or major system changes/upgrades;
        ii. as an integral part of information system component installations and upgrades; and
        iii. so that supporting baseline configuration documentation reflects ongoing implementation of operational configuration baseline updates, either directly or by policy.
