If you’re an IT professional, you probably know at least the basics of ransomware. Instead of using malware or an exploit to exfiltrate PII from an enterprise, bad actors instead find valuable data and encrypt it. Unless you happen to have an NSA-caliber data center at your disposal to break the encryption, you must pay your attacker in cold, hard bitcoins—or else wave goodbye to your PII. Those assumptions aren’t wrong, but they also don’t tell the whole picture. During this event we’ll discuss topics such as: Why Ransomware is Exploding The growth of ransomware, as opposed to garden-variety malware, is enormous. Hackers have found that they can directly monetize the data they encrypt, which eliminates the time-consuming process of selling stolen data on the Darknet. In addition, the use of ransomware requires little in the way of technical skill—because attackers don’t need to get root on a victim’s machine. Who the Real Targets Are Two years ago, the most newsworthy victims of ransomware were various police departments. This year, everyone is buzzing about hospitals. Is this a deliberate pattern? Probably not. Enterprises are so ill-prepared for ransomware that attackers have a green field to wreak havoc. Until the industry shapes up, bad actors will target ransomware indiscriminately. Where Ransomware Stumbles Although ransomware is nearly impossible to dislodge when employed correctly, you may be surprised to find that not all bad actors have the skill to do it. Even if ransomware targets your network, you may learn that your attackers have used extremely weak encryption—or that they’ve encrypted files that are entirely non-critical. As far as ransomware is concerned, forewarned is forearmed. Once you know how attackers deliver ransomware, who they’re likely to attack, and the weaknesses in the ransomware deployment model, you’ll be able to understand how to protect your enterprise.

1. RANSOMWARE IS HERE: FUNDAMENTALS
EVERYONE NEEDS TO KNOW
JEREMIAH GROSSMAN
CHIEF OF SECURITY STRATEGY
@jeremiahg
https://www.jeremiahgrossman.com/
http://blog.jeremiahgrossman.com/
http://sentinelone.com/

2. JEREMIAH GROSSMAN
WHO I AM…
▸ Professional Hacker
▸ OWASP Person of the Year (2015)
▸ International Speaker
▸ Black Belt in Brazilian Jiu-Jitsu
▸ Founder of WhiteHat Security

3. “RANSOMWARE IS A TYPE OF MALWARE
THAT CAN BE COVERTLY INSTALLED ON A
COMPUTER WITHOUT KNOWLEDGE OR
INTENTION OF THE USER THAT RESTRICTS
ACCESS TO THE INFECTED COMPUTER
SYSTEM IN SOME WAY, AND DEMANDS THAT
THE USER PAY A RANSOM TO THE MALWARE
OPERATORS TO REMOVE THE RESTRICTION.”
Wikipedia
WHAT IS RANSOMWARE?

4. YOU KNOW IT
WHEN INFECTED WITH
RANSOMWARE…

6. CRYPTO LOCKER CRYPTO WALL TESLACRYPT
REVETON JIGSAW LOCKY
“THERE ARE NOW MORE THAN 120 SEPARATE
FAMILIES OF RANSOMWARE, SAID EXPERTS
STUDYING THE MALICIOUS SOFTWARE.”

7. ORDER OR OPERATIONS
STEP-BY-STEP
1. Targeting – OS, geography, banking/ecommerce, consumer
2. Propagation – spear-phishing, drive-by-download, attachments
3. Exploit – exploit kits, vulnerability-based, unpatched systems
4. Infection – payload delivery, backdoor access
5. Execution – encryption, disruption, blocked access, RANSOM

8. DESIGNED TO EVADE DETECTION
01100111
01010110
10101010
10100101
10001010
11010011
00101101
Wrappers: Turn known code into a new
binary
Variations / Obfuscators: Slightly alter
code to make known code appear new/
different
Packers: Ensure code runs only on a real
machine (anti-VM, sleepers, interactions,
anti-debug)
Targeting: Allows code to run only on a
specific target machine/configuration
Ransomware Code: The actual attack
code that attacks your files, blocks access
to the system and/or encrypts data

9. “THE FBI RECENTLY PUBLISHED
THAT RANSOMWARE VICTIMS
PAID OUT $209 MILLION IN Q1
2016 COMPARED TO $24
MILLION FOR ALL OF 2015.”
LA Times
THE BIRTH OF A BILLION DOLLAR CYBER-CRIME INDUSTRY

10. “IN ITS LETTER, THE DHS NOTED THAT ITS
NATIONAL CYBERSECURITY AND
COMMUNICATIONS INTEGRATION CENTER
(NCCIC) HAD INITIATED OR RECEIVED 321
REPORTS OF RANSOMWARE-RELATED
ACTIVITY AFFECTING 29 DIFFERENT FEDERAL
AGENCIES SINCE JUNE 2015. THE 321
REPORTS INCLUDE ATTEMPTED INFECTIONS
AND INFECTIONS THAT WERE DEALT WITH BY
THE AGENCIES' INTERNAL SECURITY TEAMS.”
Business Insider
THE BIRTH OF A BILLION DOLLAR CYBER-CRIME INDUSTRY

11. WHY THE RANSOMWARE EXPLOSION NOW?

12. ALMOST 50% AFFECTED END UP
MAKING THE PAYMENT
The number of users who came across crypto ransomware in
the last year increased by more than 500% over the previous
year. (Dec, 2015) -Kaspersky

13. THE RANSOM AND PAYMENT METHODS
▸ $200-$2000, average $300 (High $20,000)
▸ Most commonly paid through BitCoin
▸ Also through premium SMS/phone call,
anonymous cash card or prepaid transfer
service
Secondary Motives
▸ Leave spyware behind
▸ Open backdoors
▸ Steal passwords

14. RANSOMWARE DOES NOT NEED ROOT ACCESS
"RANSOMWEB" DESCRIBES ATTACKS DURING WHICH CROOKS BREAK INTO A
WEBSITE USING VARIOUS VULNERABILITIES AND ENCRYPT ITS CONTENT. THIS
CAN BE ITS DATABASE OR ITS FILES, BUT IN THE END, CROOKS NOTIFY THE
SITE OWNERS THAT THEY HAVE TO PAY A RANSOM TO GET THEIR FILES BACK.”

15. HOSPITALS NASCAR GOVERNMENT
SCHOOLS POLICE GAMERS

16. “ON WEDNESDAY, U.S. SECURITY COMPANY KNOWBE4 SAID IT WAS RECENTLY
CONTACTED BY A HEALTH CENTER THAT PAID HACKERS NEARLY $40,000 AFTER 250
DEVICES, INCLUDING AN MRI MACHINE, BECAME INFECTED WITH RANSOMWARE,
PROMPTING THE UNNAMED ORGANIZATION TO SHUT DOWN FOR FIVE DAYS.”
“[PRIME HEALTHCARE SERVICE] SAYS IT DEFEATED THE CYBERATTACK WITHOUT
PAYING A RANSOM. BUT IT ACKNOWLEDGED SOME PATIENTS WERE TEMPORARILY
PREVENTED FROM RECEIVING RADIOLOGY TREATMENTS, AND OTHER OPERATIONS
WERE DISRUPTED BRIEFLY WHILE COMPUTER SYSTEMS WERE DOWN.”
“IN MARCH, HACKERS ENCRYPTED DATA AT MEDSTAR HEALTH, WHICH OPERATES 10
HOSPITALS IN MARYLAND AND THE DISTRICT OF COLUMBIA. THE VIRUS CAUSED
DELAYS IN SERVICE AND TREATMENT UNTIL COMPUTERS WERE BROUGHT BACK
ONLINE. THE COMPANY SAID IT DID NOT PAY A REPORTED $19,000 RANSOM DEMAND.“

17. “NASCAR TEAM CIRCLE SPORT-LEAVINE FAMILY RACING (CSLFR) HAS REVEALED TODAY IT
FACED A RANSOMWARE INFECTION THIS PAST APRIL, WHEN IT ALMOST LOST ACCESS TO
CRUCIAL FILES WORTH NEARLY $2 MILLION, CONTAINING CAR PARTS LISTS AND CUSTOM
HIGH-PROFILE SIMULATIONS THAT WOULD HAVE TAKEN 1,500 MAN-HOURS TO
REPLICATE.”
“RECENTLY, THE AMERICAN PUBLIC UTILITY LANSING BOARD OF WATER & LIGHT
(BWL) HAS ANNOUNCED THAT THE COMPANY HAS BECOME A VICTIM OF
RANSOMWARE ATTACK THAT KNOCKED THE UTILITY'S INTERNAL COMPUTER
SYSTEMS OFFLINE.”
“POLICE DEPARTMENT CHIEF MICHAEL LYLE CLAIMED THAT ONE UNSUSPECTING USER FROM WITHIN
THE DEPARTMENT OPENED THE EMAIL, TRIGGERING THE PAYLOAD OF THE RANSOMWARE WHICH
PROCEEDED TO ENCRYPT FILES AND TAKE CONTROL OF A PROGRAM KNOWN AS TRITECH. THE
SOFTWARE IS AN ESSENTIAL TOOL, ONE THAT POLICE OFFICERS USE FOR COMPUTER AIDED DISPATCH
AND AS A RECORD MANAGEMENT SYSTEM DURING PATROL. THE PROGRAM ALSO ENABLES LAW
ENFORCEMENT OFFICERS TO LOG INCIDENT REPORTS.”

18. “TO BE HONEST, WE OFTEN
ADVISE PEOPLE JUST TO PAY
THE RANSOM.”
-JOSEPH BONAVOLONTA
ASSISTANT SPECIAL AGENT IN CHARGE OF THE FBI’S
CYBER & COUNTERINTELLIGENCE PROGRAM
The Security Ledger
TO PAY OR NOT TO PAY…

19. “THE FBI DOES NOT ADVISE VICTIMS ON WHETHER OR
NOT TO PAY THE RANSOM.”
"THE FBI ADVISES THAT THE USE OF BACKUP FILES IS
AN EFFECTIVE WAY TO MINIMIZE THE IMPACT OF
RANSOMWARE AND THAT IMPLEMENTING COMPUTER
SECURITY BEST PRACTICES IS THE MOST EFFECTIVE
WAY TO PREVENT RANSOMWARE INFECTIONS,”
-DONALD J. GOOD
DEPUTY ASSISTANT DIRECTOR OF THE FBI'S CYBER DIVISION
SOFTPEDIA
THE FBI’S “OFFICIAL” POSITION

21. RANSOMWARE IS INNOVATING

22. RESEARCH AND DEVELOPMENT INCREASING

24. ▸ Recent ransomware is targeted,
sophisticated and harder to detect
▸ Once data is encrypted there
virtually no options
▸ Modern encryption techniques
impossible to break
▸ Restore from backups is time
consuming, some data loss
▸ CryptoLocker 3.0 payments have
been estimated at $325 Million
▸ Ransomware criminals netting
roughly $150 Million per year
SOPHISTATION

27. BUSINESS MODELS
ARE EVOLVING AND
MATURING