NCSC Speaker

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk
Ransomware: Past, Present, and Future
By A Cyber Security Advisor
NCSC

What is the NCSC?
The new National Cyber Security Centre is the UK’s authority on cyber security and
part of GCHQ.
The NCSC brings together cyber security into a single, expert organisation building
on the best of what we already have and combining the functions of:
• CESG
• CERT-UK
• Cyber related aspects of Centre for the Protection of National Infrastructure
• Centre for Cyber Assessment
2

3
Where we are based
Cheltenham
London Victoria

4
Our Organisation

5
What we do:
We understand cyber security:
Sharing our knowledge, we identify and address systemic vulnerabilities
We respond to cyber security incidents:
Managing serious security breaches, we reduce the harm they cause to the UK
We nurture our national cyber security capability:
Providing leadership on critical issues, harnessing talent and technology
We reduce risks to the UK:
We help public and private sector organisations secure their networks

About Me: The Details
Over 40 years in the IT Industry:
• Career divided between private and public sectors
• Involved in IT / Cyber security since 2004
• Joined NCSC in 2016
• Work with companies in the Communications, IT Services and Space
sectors of the CNI
• Government Chair of the Space Information Exchange since 2016

• The Basics
• How It All Began
• Current Edition
• Back to the Future
• How to Prepare: Now, and in the Future
Ransomware:
Past, Present and Future

Wikipedia’s definition of ransomware:
“Ransomware is computer malware that installs covertly on a victim's
device (e.g., computer, smartphone, wearable device) and that either
mounts the cryptoviral extortion attack from cryptovirology that holds the
victim's data hostage, or mounts a cryptovirology leakware attack that
threatens to publish the victim's data, until a ransom is paid.”1
In short: an entity renders data or a device inaccessible, then demands
payment for its ‘release’
1 Wikipedia https://en.wikipedia.org/wiki/Ransomware
Ransomware: The Basics

Purpose: Money!!!!
and relatively lower risk than traditional kidnap, ransom, and
extortion methods.
• Direct Revenue Generation: $1 Billion in 20162
• Top Impacted Countries: United States, Japan, United Kingdom, Italy,
Germany, and Russia3
• Most Prevalent attack vectors: misleading apps, fake antivirus scams4
• Average Ransom Demand: Range between $500-$20005
• Business Costs: $75 Billion per year6
2, 5, 6: Rock, Tracy. “Ransomware Statistics 2016-2017: A Scary Trend in Cyberattacks” February 27, 2017. Invenio IT. http://invenioit.com/security/ransomware-statistics-2016/
3 and 4: Savage, Kevin. Coogan, Peter. Lau, Hon. “The Evolution of Ransomware” August 6, 2015. Symantec.
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf
Ransomware: The Basics

The original “kidnap, ransom, and extortion” (KRE) technique
• Used in ancient times for payment, bargaining, warfare
• Still used in parts of the world today
Well-known Cases:
• Richard the Lionheart (1192)
• Charles Lindbergh Jr (1932) – “The Lindbergh Baby”
• Peter Weinberger (1956) – Changed kidnapping laws in US
• Patty Hearst (1974)
Ransomware: How it all began

Enter Technology:
First known ransomware attack using encryption
• AIDS Trojan (1989) written by Joseph Popp
• Software Expiration Pop-Up Notice
• $189 US Ransom
• Poorly written
• Symmetric Cryptography

Learn and Improve from the mistakes of others
• Adam Young and Moti Yung experiment (1996)
• Encrypt with public key and ransom the private key
• Introduced concept of ‘electronic money’ extortion

Examples of extortion through ransomware:
• Gpcode, Gpcode.AG, Gpcode.AK (varients)
• TROJ.RANSOM.A
• Archiveus
• Krotten
• Cryzip
• MayArchive
As advancing technologies grew, so did the size of encryption keys:
Ransomware: Where it all began

Four Flavours:
Crypto ransomware Mobile ransomware
Locker ransomware Leakware (aka Doxware)
Ransomware: Current Edition

Crypto Ransomware:
An infection encrypting data within a computer or system, denying crypto keys
until a ransom is paid.

*different to preventing access to files or data, which is crypto ransomware
Locker Ransomware * :
An infection locking a computer or device, denying access until a ransom is
paid.

Mobile Ransomware:
Blockers; payloads are commonly an APK file installed on user’s mobile to
lock access to the device, or mobile application(s) access. Online
synchronization negates the incentive to encrypt data, so limited to denying
access to mobile use.
*Instances vary based on type of mobile device – i.e., Android vs iOS

Example: Ashley Maddison
Leakware:
Also known as Doxware: this form of malicious activity combines ‘doxing’ and
ransomware. It combines both encryption of data and the collection/theft of
personal information for the use of future extortion activities.
“…instead of locking up your sensitive data and making them inaccessible to
you, it makes them accessible to everybody – unless you pay up.”7
7 Littlejohn Shinder, Debra. The Evolution of Extortionware. February 7, 2017. GFI Tech Talk. https://techtalk.gfi.com/the-evolution-of-extortionware/

Technology advances much faster than implementation of security measures.
WannaCry (aka: WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor)
• Date: 12 May 2017 – Present
• Location(s): Everywhere!
• Ransom Demand: $300-$600
• Cause: EternalBlue exploit / Failure to patch
• Damage Thus Far: Over 200K victims and more than 230K
computers infected8
8 https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
Ransomware: Back to the future

Petya (AKA NotPetya. Varients included Petna, Pneytna, Goldeneye)
• Date: 27 June 2017 onwards
• Location(s):Ukraine: - spreading westward
• Ransom Demand: $300 in bitcoins – but were they after money?
• Cause: EternalBlue exploit / Failure to patch
• Damage thus far: Epicentre was Ukraine, but included UK and US

“Mr Smith Group”
The US TV network has refused to pay a multimillion dollar ransom
demand to the hackers, who compromised the network’s systems in
July and have since leaked a series of embarrassing documents, emails
and unaired shows, including Game of Thrones and Curb Your
Enthusiasm.

Evolution and Innovation:
Stealthier: searching for a bigger ‘pay-load’
• Long-term game
• Less about data than entire business
• Infrastructure
• Operations
• E.g. Hospitals, Power Grids

Evolution and Innovation:
Stealthier: searching for a bigger ‘pay-load’
• Long-term game
• Less about data than entire business
• Infrastructure
• Manufacture
• Operations
E.g. UK Space Industry

What does the “entire business” mean?
Not limited to data sets or system access, but also:
• Incident Response
• Backups
• Restoration/Recovery Operations
Leading to:
Total Organisational Paralysis

What you are (hopefully?) doing now:
• Business Risk Assessment
• Data Recovery (backups)
• Detection
• Disaster Recovery Plan
Ransomware: How to prepare –
now

What to Do in the Future:
• Dependable Data Recovery Solutions
• Updated Backup Systems
• Cyber Insurance?
• Exercise, Exercise, Exercise!!!!!
• Crypto Currency
Ransomware: How to prepare –
in the future

How have you been Impacted? What lessons have you learned?
If not …………….?
Ransomware:
For further information see: https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware

28
For further information see: https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware

NCSC Speaker

More Related Content

What's hot

Similar to NCSC Speaker

More from Royal United Services Institute for Defence and Security Studies

Recently uploaded

NCSC Speaker