Webinar: A deep dive on ransomware

1©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2016. CYREN Ltd. All Rights Reserved©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.
A DEEP DIVE ON RANSOMWARE
An Update from the May 2016 Cyberthreat Report
Avi Turiel

2©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2016. CYREN Ltd. All Rights Reserved©2016. CYREN Ltd. All Rights Reserved
 Ransomware 101
 Notable Q1 ransomware
 (and decryption success)
 Locky in detail
 Q1 Cyberthreat data
Agenda

Ransomware in Q1
©2016. CYREN Ltd. All Rights Reserved

• Petya: Overwrites master boot record
• Samsam: Compromises servers, uses the
servers to compromise other networked
machines, and then holds them ransom
• TeslaCrypt: Originally targeted game files,
now targets all file types
• GhostCrypt: Masquerades as CryptoLocker
• CryptoWall: Provides a free single-use
decryption
• Jigsaw: Deletes increasing numbers of files
till ransom is paid (and 1,000 files after
reboot)
• Locky
Ransomware in Q1
Search: Bleeping computer, Jigsaw

• Don’t count on these though…
• Ransomware gets patched
• E.g.: TeslaCrypt V3
Some ransomware decryption success!

• Do you know anyone who has been infected with Ransomware?
• Yes
• No
Poll: First hand experience

8© 2014 CYREN Confidentialand Proprietary 8©2016. CYREN Ltd. All Rights Reserved
Understanding Locky

• First extensive use of JavaScript as an email delivery method
• Most variants in a single day
• Highest email malware attachments in a single day
• Vast numbers of compromised websites
• Over 1 million tracked by CYREN
• Encrypts all files on shared network drives
Locky highlights

• First detected in February
• Initial distribution by MS-Word macro
malware (email attachments)
• Initially from same botnet as used for
Dridex (banking malware)
Brief history
Email with JS
attachment
Redirect to
compromised
site hosting
ransomware
Download
and run
Encrypt files
Demand
ransom

Locky delivery emails

• Emails with malware
attachments surged
412% in March due to
Locky outbreaks
• Primarily during
weekdays and
between working
hours
• Also spread via Web
exploit kits
Vast distribution

• Ubiquitous in email - most systems view it as benign
• Easy to reprogram (less skill needed), automated creation of variants
• Many obfuscation tools
• Small size
• Locky is the first malware to use JavaScript (JS) in such massive
quantities
• Over 1.5 million variants in one day (30 March)
Locky uses JavaScript

• Malware deletes itself if Russian language detected
• Encrypts:
• Videos, images, documents, and source code
• Files located in connected networks, servers, or drives (including removable)
• Renames to .locky
• Deletes any local back-up files
• If bitcoin wallet is found it is emptied, then scrambled
Post-infection
Ransomware does
not have to hide

• 0.5 to 1 bitcoin for individual
computers
• ~$200 - $400
• 50 or more bitcoins for
business
• ~$20,000
• Multiple onion links, multiple
bitcoin addresses
Paying the ransom

• Do you know the outcome of the Ransomware experience/s you
have dealt with/are familiar with?
(choose multiple answers):
• Paid and got files back
• Paid but files were not decrypted
• Didn’t pay but managed to recover data (e.g.: backup)
• Didn’t pay and lost data
• Unsure of outcome/No experience with Ransomware
Poll: Dealing with ransomware

IMPROVE YOUR PREVENTION
• Email security gateway
• 91% of attacks start in email
• Stop spam, viruses before they reach your users
• Web security gateway
• Stop malware downloads, malicious URLs
• Stop C&C communications, data exfiltration
• Network sandboxing
• Identify and stop never-before-seen malware
• Endpoint security with active monitoring
• Make sure its up to date
• Security training
• Social engineering, don’t click that link…
How to avoid being a ransomware victim
IMPROVE YOUR DETECTION/RESPONSE
• Backup and recovery
• Implement it
• Test it
• Know the difference between backup and sync
• Network shares
• Avoid mapping network drives with large file
repositories (or no write permissions)

CYREN Powers the World’s Security
500K+
Threat collection points
600M+
Users protected
17B+
Daily transactions
130M+
Threats blocked

CYREN’s 100% cloud security services
SaaS Secure Web Gateway
protects users from cyber-
threats, monitors and controls
web usage, and protect users
both on and off the network.
SaaS Secure Email Gateway
protects users from spam,
phishing attacks, viruses and
zero-hour malware with a
seamless end-user experience.
Cloud-powered threat
intelligence and SDKs allow
technology vendors and service
providers to detect a broad set
of cyber-threats, including
malicious websites, phishing
attacks, malware, botnets, and
spam.
Enterprise OEM

27©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2016. CYREN Ltd. All Rights Reserved
You can also find us here:
www.CYREN.com
twitter.com/cyreninc
linkedin.com/company/cyren
©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.
Thank You. Any Questions or Thoughts?

Webinar: A deep dive on ransomware

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (9)

Similar to Webinar: A deep dive on ransomware

Similar to Webinar: A deep dive on ransomware (20)

More from Cyren, Inc

More from Cyren, Inc (12)

Recently uploaded

Recently uploaded (20)

Webinar: A deep dive on ransomware