Ransomware attacks doubled in 2015 and the trend is expected to continue. To meet this growing threat, enterprises need real-time visibility into anomalous behaviour on their networks. This session explains how organisations can detect and mitigate ransomware attacks using wire data.
Ransomware: Hard to Stop for Enterprises, Highly Profitable for Criminals
1. Ransomware: Hard to Stop for Enterprises, Highly Profitable for Criminals
Raja Mukerji
Co-Founder and President, ExtraHop Networks
3. Ransomware: Easy Money for Criminals
[Diagram: attacker, mail server, client and file share, with other clients connected to the same share]
1. A user's machine gets infected with malware
2. The malware downloads an encryption program
3. The program begins encrypting files on the client
4. It spreads to the network shares the client is connected to
5. Infected document(s) spread to other users/systems
6. The ransom is paid in Bitcoin, which is hard to trace to a real-world identity
4. Ransomware: Fast and Easy for Criminals
Ransomware Facts
Ransomware now makes up about 60 percent of malware infections encountered by Malwarebytes anti-virus software.
The CryptoLocker strain of ransomware is responsible for $325 million in damages so far.
Hollywood Presbyterian Medical Center paid a $17,000 ransom after shifting to paper processes for one week.
The FBI has offered a $3 million reward for the arrest of Evgeniy Bogachev, believed to be linked to ransomware.
[Chart: number of users attacked by Trojan-Ransom malware tracked by Kaspersky Lab, by quarter from Q4 2014 to Q3 2015; y-axis from 0 to 400,000 users]
11. Detect Ransomware Behavior on the Network
[Diagram: attacker, mail server, client and file share, labelled with the SMTP, HTTP and CIFS traffic between them; other clients connect to the share over CIFS]
1. Detect ransomware activity on the network by analysing all CIFS WRITE operations in real time
2. Trace the infection to identify all infected clients and systems
3. Investigate the incident to identify "patient zero," the source of the malware, and the attack vector
12. Analyze Data in Flight to Understand Risk
Most importantly … catch ransomware attacks live, in real time
15. Wire Data = Risk Visibility
CVE Detection: Shellshock, HTTP.sys, Turla malware, Heartbleed, FREAK SSL/TLS, POODLE, Logjam
Compliance: SSH tunneling, non-standard ICMP, non-standard DNS, non-standard HTTP, disallowed file types, invalid file extension writes, blacklisted traffic
Encryption Profile: certificate expiration, key length, outdated SSL sessions, MD5/SHA-1 certificate signing, SSL traffic by port, email encryption, wildcard certificates
Protocol Activity: unencrypted FTP, Telnet, Gopher, TACACS, SNMP v1/v2/v2c, Finger, IRC
Application & User Behavior: privileged user logins, unauthorized connections, lateral network traversal, brute force attacks, storage/DB access, fraudulent transactions, large data transfers
[Diagram: unstructured packets on the wire are turned into structured wire data]
16. Architecture Matters
Continuous packet capture versus stream processing:
How it works: continuous packet capture writes to disk first, then analyzes; stream processing analyzes first, then writes to disk.
Performance limits: disk speed for continuous packet capture; bus throughput and RAM for stream processing.
Lookback: continuous-capture data is typically stored for days; stream-processing data is typically stored for months.
Packet capture: continuous capture keeps packets for all flows; stream processing keeps packets only for the flows you want.
Cost: continuous capture needs more, bigger appliances with more storage (up to 200+ TB on a 3U appliance); stream processing needs fewer, smaller appliances with less storage (2.4 TB on a 2U appliance).
[Diagram: wire to disk to CPU for continuous packet capture; wire to CPU to disk for stream processing]
17. Ransomware Detection Types
• Type 1: Checks for known file extensions that are commonly associated with ransomware attacks
• Type 2: Compares all file extensions written to a share against a "whitelist" of expected extensions to uncover potential attacks
• Type 3: Looks for WRITE activity that exceeds a configurable threshold (bulk encryption shows up as a burst of WRITEs from a single client)
• Type 4: Advanced detection of the instructional files (ransom notes) typically associated with ransomware variants that are left behind during an attack
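As an added example that is not part of the original slides or of ExtraHop's product, the following Python script applies the four detection types on this slide, and the detect/trace steps from slide 11, to a stream of CIFS WRITE events. The event record layout, the extension lists, the instruction-file name markers, the write-rate threshold and the sample traffic are all constructed assumptions for illustration, not values taken from any real product or feed.

```python
"""Rule-based ransomware detection over CIFS WRITE events.

Added example, not code from the original slides or from ExtraHop. The event
record, extension lists, instruction-file markers, threshold and sample events
are all constructed assumptions for illustration.
"""
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

KNOWN_RANSOM_EXTENSIONS = {".locky", ".encrypted", ".crypt", ".vvv", ".ccc", ".zepto"}  # type 1 (illustrative)
ALLOWED_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}  # type 2 (assumed policy)
INSTRUCTION_MARKERS = ("decrypt", "recover", "how_to", "readme_for")  # type 4 (illustrative)
WRITE_THRESHOLD = 20    # type 3: more than this many WRITEs per client per window (assumed)
WINDOW_SECONDS = 10.0


@dataclass(frozen=True)
class CifsWrite:
    """One CIFS WRITE seen on the wire (constructed record layout)."""
    ts: float     # seconds since capture start
    client: str   # writing client IP
    server: str   # file server IP
    share: str
    path: str     # path within the share


@dataclass(frozen=True)
class Alert:
    rule: int     # detection type 1..4 from the slide
    ts: float
    client: str
    detail: str


class RansomwareWriteDetector:
    """Applies the four detection types to each WRITE as it arrives."""

    def __init__(self, threshold: int = WRITE_THRESHOLD, window: float = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)  # per-client write times
        self._rate_alerted: set = set()   # clients that already fired type 3
        self.alerts: List[Alert] = []

    def process(self, ev: CifsWrite) -> List[Alert]:
        fired: List[Alert] = []
        name = os.path.basename(ev.path)
        ext = os.path.splitext(name)[1].lower()
        if ext in KNOWN_RANSOM_EXTENSIONS:                       # type 1
            fired.append(Alert(1, ev.ts, ev.client, f"known ransomware extension {ext}: {ev.path}"))
        elif ext not in ALLOWED_EXTENSIONS:                      # type 2 (only if type 1 did not fire)
            fired.append(Alert(2, ev.ts, ev.client, f"extension {ext or '(none)'} not whitelisted: {ev.path}"))
        q = self._recent[ev.client]                              # type 3: sliding window per client
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold and ev.client not in self._rate_alerted:
            self._rate_alerted.add(ev.client)
            fired.append(Alert(3, ev.ts, ev.client, f"{len(q)} WRITEs in {self.window:g}s exceeds {self.threshold}"))
        if any(m in name.lower() for m in INSTRUCTION_MARKERS):  # type 4: ransom note dropped
            fired.append(Alert(4, ev.ts, ev.client, f"instruction file written: {ev.path}"))
        self.alerts.extend(fired)
        return fired

    def infected_clients(self) -> List[str]:
        """Step 2 of slide 11: every client that triggered any rule."""
        return sorted({a.client for a in self.alerts})

    def patient_zero(self) -> Optional[str]:
        """Step 3: the earliest alerting client is where to start, not proof of origin."""
        return min(self.alerts, key=lambda a: a.ts).client if self.alerts else None

    def rule_counts(self) -> Dict[int, int]:
        counts: Dict[int, int] = defaultdict(int)
        for a in self.alerts:
            counts[a.rule] += 1
        return dict(counts)


def sample_events() -> List[CifsWrite]:
    """Constructed traffic: one normal user and one client running ransomware."""
    events = [CifsWrite(5.0 + 15 * i, "10.0.0.5", "10.0.1.10", "finance", f"q3/{n}")
              for i, n in enumerate(["budget.xlsx", "notes.txt", "deck.pptx"])]
    # 30 documents rewritten with a ransomware extension in six seconds, then a note dropped
    events += [CifsWrite(20.0 + 0.2 * i, "10.0.0.42", "10.0.1.10", "finance", f"q3/report_{i:02}.docx.locky")
               for i in range(30)]
    events.append(CifsWrite(26.5, "10.0.0.42", "10.0.1.10", "finance", "q3/HOW_TO_RECOVER_FILES.txt"))
    return sorted(events, key=lambda e: e.ts)


def run_detection(events: Optional[List[CifsWrite]] = None) -> RansomwareWriteDetector:
    det = RansomwareWriteDetector()
    for ev in sample_events() if events is None else events:
        det.process(ev)
    return det


if __name__ == "__main__":
    det = run_detection()
    for a in det.alerts[:2] + det.alerts[-2:]:
        print(f"t={a.ts:5.1f} rule {a.rule} {a.client}: {a.detail}")
    print("infected clients:", det.infected_clients())
    print("earliest alerting client:", det.patient_zero())
```

Type 1 takes precedence over type 2 so a ".locky" write raises one alert rather than two, and type 3 fires once per client so a burst of thousands of writes does not flood the console. The rate rule is the one that catches a variant with an extension nobody has seen yet, which is why the threshold is per client and per window rather than global. The earliest alerting client is only the first place to look: finding the real patient zero and the attack vector still needs the SMTP and HTTP records for that client from before its first suspicious WRITE.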