2. UNDERSTANDING THE THREAT AND EXPOSURE
- What is ransomware
- Ransomware types
- PC, Mac and mobile victims
- How it spreads and selects targets
- What is the damage
- How to defend against it
- Don’t play along
3. UNDERSTANDING THE THREAT - RANSOMWARE
Ransomware is the new malware, with the very focused aim of not just causing disruption but extracting illicit payments from its victims.
By definition, RANSOM malware, or RANSOMWARE, is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access.
4. TYPES OF RANSOMWARE
- Scareware
- Screen lockers
- Encrypting malware
Scareware
Scareware, as it turns out, is not that scary. It includes rogue security software and tech support scams. You might receive a pop-up message claiming that malware was discovered and the only way to get rid of it is to pay up. If you do nothing, you’ll likely continue to be bombarded with pop-ups, but your files are essentially safe.
Screen lockers
When lock-screen ransomware gets on your computer, it means you’re frozen out of your PC entirely. A full-size window appears, often carrying an official-looking FBI or US DoJ seal, saying that illegal activity has been detected on your computer and that you must pay a fine.
Encrypting malware
This malicious piece of malware encrypts your files, demanding payment in order to decrypt and redeliver them. The reason this type of ransomware is so dangerous is that once cybercriminals get ahold of your files, no security software or system restore can return them to you unless you pay the ransom. Even if you do pay up, there’s no guarantee the cybercriminals will give you those files back.
5. QUICK HISTORY
The first ransomware, PC Cyborg or AIDS, was created in the late 1980s. It would ask for $189 for decrypting your encrypted files.
In 2004, GPCode used weak RSA encryption to hold personal files for ransom.
In 2007, WinLock, instead of encrypting files, locked people out of their desktops, took over the victim’s screen and displayed pornographic images. Then it demanded payment via a paid SMS to remove them.
Reveton, in 2012, started locking victims out of their desktops, showing an official-looking page that appeared to come from LEAs such as the FBI and Interpol. Reveton accused the victim of having committed a crime and demanded a fine ranging from $100 to $3,000, paid with a pre-paid card such as UKash or PaySafeCard.
In 2013, CryptoLocker used military-grade encryption and stored the key to unlock files on a remote server. This is still the attack methodology in use today.
WannaCry in May 2017 and Petya in June 2017 used encrypting ransomware to ensnare users and businesses across the globe.
In 2018, Ryuk attacked American news publications and a Water and Sewer Authority. Ryuk infiltrated networks with the reconnaissance trojans Emotet or TrickBot to find high-value and high-yield targets; upon finding a good target, Emotet/TrickBot re-infects the system with Ryuk.
In 2017, Sodinokibi ransomware (GandCrab) chose managed service providers (MSPs) to spread infections. By August 2019, hundreds of dental offices in the US found they could no longer access patient records. Attackers used a compromised MSP to directly infect 400+ dental offices through the record-keeping software.
6. DEFYING THE BIAS, NO ONE IS SAFE
RANSOMWARE infects all platforms, on different scales:
- PC platform
- Mac
- Mobile users
- Linux users
7. RANSOMWARE FOR MAC
Not ones to be left out of the ransomware game, Mac malware authors dropped the first ransomware for Mac OSes in 2016. Called KeRanger, the ransomware infected an app called Transmission that, when launched, copied malicious files that remained running quietly in the background for three days until they detonated and encrypted files. Thankfully, Apple’s built-in anti-malware program XProtect released an update soon after the ransomware was discovered that would block it from infecting user systems. Nevertheless, Mac ransomware is no longer theoretical.
8. ARE MOBILE DEVICES SAFE?
Mobile ransomware
It wasn’t until the height of the infamous CryptoLocker and other similar families in 2014 that ransomware was seen on a large scale on mobile devices. Mobile ransomware typically displays a message that the device has been locked due to some type of illegal activity. The message states that the phone will be unlocked after a fee is paid. Mobile ransomware is often delivered via malicious apps, and requires that you boot the phone up in safe mode and delete the infected app in order to retrieve access to your mobile device.
10. HOW FAST IS IT SPREADING
By the end of 2016:
- 12.3% of global enterprise detections were ransomware
- 1.8% of consumer detections were ransomware
By 2017:
- 35% of SMBs had experienced a ransomware attack
Geographically, ransomware attacks are focused on western markets, with the UK, US and Canada ranking as the top 3 targets. As emerging markets in Asia and South America ramp up economic growth, expect to see an increase in ransomware (and other forms of malware) there as well.
11. SCOPING THE THREAT
GandCrab, SamSam, WannaCry, NotPetya: ransomware attacks on businesses went up 88% in the second half of 2018.
GandCrab has already raked in somewhere around $300 million in paid ransoms, with individual ransoms set from $600 to $700,000.
In another notable attack, back in March of 2018, the SamSam ransomware crippled the City of Atlanta by knocking out several essential city services, including revenue collection and the police record-keeping system. All told, the SamSam attack cost Atlanta $2.6 million to remediate.
A new analysis by Coveware, a remediation and incident response firm, has revealed that the average ransomware payment amount increased six times between 2018 and Q3 2019. The average ransomware payment amount as of Q3 stands at $41,198.
12. UNDERSTANDING THE VULNERABILITIES - RANSOMWARE SPREADS
- Malspam
- Malvertising
- Drive-by downloads and exploits
Malicious spam, or malspam
- unsolicited email delivering malware with booby-trapped attachments
- PDFs or Word documents are most often used
- may contain links to malicious websites
Cybercriminals use social engineering tricks to get people to open attachments.
What tricks?
- posing as the FBI or Interpol
- posing as tax authorities, such as the IRS
to scare users into paying a sum of money to unlock their files.
Peaking in 2016, ransomware moved into malvertising, or malicious advertising:
- little to no user interaction required
- while browsing even legitimate sites, users are directed to criminal servers
- without ever clicking on an ad
- just by visiting sites
Previously malvertising was used just to deliver spam, but now it delivers malware; most often, that malware is ransomware.
Malvertising often uses an infected iframe, an invisible web page element, which redirects to an exploit landing page; from there, malicious code attacks the system via an exploit kit. All this happens without the user’s knowledge, which is why it’s often referred to as a drive-by download.
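As an added defender-side example (not part of the original slides), the following Python script triages e-mail attachments for the two malspam lure types named above, macro-enabled Office documents and PDFs with auto-run actions; the sample e-mail, its addresses and the attachment contents are constructed inline.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OFFICE_EXT = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")

def office_has_macros(data: bytes) -> bool:
    """OOXML files are zip containers; a vbaProject.bin part means VBA macros are present."""
    if not data.startswith(b"PK"):
        return True  # legacy OLE (.doc/.xls): cannot inspect cheaply, treat as risky
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return True  # malformed container, hold for review

def pdf_has_active_content(data: bytes) -> bool:
    """Flag PDFs whose objects declare auto-run actions, scripts or embedded files."""
    return re.search(rb"/(OpenAction|JavaScript|JS|Launch|EmbeddedFiles?)\b", data) is not None

def triage_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every attachment that should be quarantined for review."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(OFFICE_EXT) and office_has_macros(data):
            findings.append((name, "office document with VBA macros"))
        elif name.endswith(".pdf") and pdf_has_active_content(data):
            findings.append((name, "pdf with auto-run or embedded content"))
    return findings

def build_sample_message() -> bytes:
    """Constructed sample lure: an 'invoice' mail carrying a macro-laden .docm and an auto-run PDF."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as z:
        z.writestr("word/vbaProject.bin", b"\x00" * 16)  # empty stand-in; presence is what matters
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
           b"2 0 obj << /S /JavaScript /JS () >> endobj\n%%EOF")  # inert placeholder action
    msg = EmailMessage()
    msg["From"], msg["To"] = "billing@example.invalid", "user@example.invalid"
    msg["Subject"] = "Overdue invoice - action required"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(docm.getvalue(), maintype="application", subtype="octet-stream", filename="invoice.docm")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()
```

Run against a real mailbox, the same `triage_message` call would feed a quarantine queue; the heuristics deliberately err on the side of holding a file rather than releasing it.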
13. APPLYING CONTROLS - HOW TO SAFEGUARD YOUR HOME AND BUSINESS
Understanding ransomware risk, how it works, and how to spot the signs.
Organizations must take a variety of measures to guard against ransomware attacks:
- Conducting a risk analysis to identify threats and vulnerabilities to electronic data, and establishing a remediation plan to mitigate those risks
- Implementing procedures to safeguard against malicious software
- Training users to detect malicious software and to report such detections
- Backing up your data off site, and testing existing backups to confirm they can actually be restored
- Ensuring reliable patch management is applied across your network
- Maintaining an overall contingency plan that includes disaster recovery, emergency operation, frequent data backups, and test restorations
- Implementing incident response procedures to mitigate ransomware
14. IF YOU ARE A VICTIM, DON’T PLAY THEIR GAME
Check and see if there is a decryptor.
- In rare cases you may be able to decrypt your data without paying.
Don’t pay the ransom.
- Though some surveys indicate that paying the ransom did allow data recovery, cybercriminals are NOT our friends, so don’t get your hopes up; law enforcement agencies also stress not paying the ransom. BUT, things are changing fast. It turns out money is not the ONLY ransom they want now.
No guarantees
- There’s no guarantee you’ll get your files back. Ransomware is working because people started paying for data. They showed cybercriminals that ransomware attacks work.
Recover
- Find a backup of your data first: a copy left offline, on a USB drive or a CD, will most likely save you from ransom demands.
Apply #SelfCleansingPC mechanisms to your home PC and business network as your first line of defense.