©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. ©2016. CYREN Ltd. All Rights Reserved. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.
A DEEP DIVE ON RANSOMWARE
An Update from the May 2016 Cyberthreat Report
Avi Turiel
Agenda
• Ransomware 101
• Notable Q1 ransomware (and decryption success)
• Locky in detail
• Q1 Cyberthreat data
Ransomware in Q1
Ransomware in Q1
• Petya: Overwrites master boot record
• Samsam: Compromises servers, uses the servers to compromise other networked machines, and then holds them ransom
• TeslaCrypt: Originally targeted game files, now targets all file types
• GhostCrypt: Masquerades as CryptoLocker
• CryptoWall: Provides a free single-use decryption
• Jigsaw: Deletes increasing numbers of files till ransom is paid (and 1,000 files after reboot)
• Locky
Search: Bleeping Computer, Jigsaw
Some ransomware decryption success!
• Don’t count on these though…
• Ransomware gets patched
  • E.g.: TeslaCrypt V3
Poll: First-hand experience
• Do you know anyone who has been infected with ransomware?
  • Yes
  • No
Understanding Locky
Locky highlights
• First extensive use of JavaScript as an email delivery method
• Most variants in a single day
• Highest number of email malware attachments in a single day
• Vast numbers of compromised websites
  • Over 1 million tracked by CYREN
• Encrypts all files on shared network drives
Brief history
• First detected in February
• Initial distribution by MS-Word macro malware (email attachments)
• Initially from the same botnet as used for Dridex (banking malware)
Infection chain: Email with JS attachment → Redirect to compromised site hosting ransomware → Download and run → Encrypt files → Demand ransom
Locky delivery emails
Vast distribution
• Emails with malware attachments surged 412% in March due to Locky outbreaks
• Primarily during weekdays and between working hours
• Also spread via Web exploit kits
Locky uses JavaScript
• Ubiquitous in email - most systems view it as benign
• Easy to reprogram (less skill needed), automated creation of variants
• Many obfuscation tools
• Small size
• Locky is the first malware to use JavaScript (JS) in such massive quantities
  • Over 1.5 million variants in one day (30 March)
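As an added example (not part of the CYREN deck or CYREN's products), the following Python shows the kind of attachment check an email security gateway applies against the JavaScript delivery method described above: it parses a message with the standard library and quarantines anything carrying a .js attachment, matching on the declared filename (which also catches double extensions such as scan.pdf.js) and on the declared MIME type. The message builder, the extension list, the function names and the sample addresses are assumptions of this example.

```python
"""Gateway-style check for JavaScript email attachments.

Added example for the Locky discussion; not CYREN's code.  The message
construction below is constructed test data, not a real Locky sample.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Extensions treated as script attachments.  Only .js is named in the deck;
# the tuple form is so str.endswith() can take several if a site extends it.
SCRIPT_EXTENSIONS = (".js",)
SCRIPT_MIME_TYPES = ("application/javascript", "text/javascript")


def script_attachments(raw_message: str) -> List[str]:
    """Return the names of attachments that look like JavaScript files.

    Both the filename and the MIME type are checked, because either one
    alone can be chosen by the sender to slip past a naive filter.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(SCRIPT_EXTENSIONS) or part.get_content_type() in SCRIPT_MIME_TYPES:
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged


def gateway_verdict(raw_message: str) -> str:
    """'quarantine' when any script attachment is present, otherwise 'deliver'."""
    return "quarantine" if script_attachments(raw_message) else "deliver"


def build_sample(attachment_name: str, content_type: str) -> str:
    """Construct a sample message with one attachment (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    maintype, subtype = content_type.split("/", 1)
    if maintype == "text":
        # Text attachments are added as str; the placeholder is not a script.
        msg.add_attachment("// placeholder text", subtype=subtype, filename=attachment_name)
    else:
        msg.add_attachment(b"%PLACEHOLDER", maintype=maintype, subtype=subtype,
                           filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    for name, ctype in [("Invoice_2016.js", "text/javascript"),
                        ("scan.pdf.JS", "application/octet-stream"),
                        ("Invoice_2016.pdf", "application/pdf")]:
        raw = build_sample(name, ctype)
        print(f"{name:20} {ctype:28} -> {gateway_verdict(raw)}")
```

The verdict is deliberately binary: for a file type that almost no business process needs to receive by email, blocking at the gateway is simpler and safer than trying to judge whether a particular obfuscated script is benign.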
Post-infection
• Malware deletes itself if the Russian language is detected
• Encrypts:
  • Videos, images, documents, and source code
  • Files located on connected networks, servers, or drives (including removable)
• Renames files to .locky
• Deletes any local back-up files
• If a bitcoin wallet is found it is emptied, then scrambled
Ransomware does not have to hide
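Because this ransomware does not try to hide, the behaviours listed above are also what a host-side detector can key on. The following Python is an added example (not CYREN's code) that runs over constructed file-activity events and raises an alert when one process renames many files to .locky within a short window, or when a backup file is deleted. The event format, the thresholds, the backup extensions and the process names are all assumptions of this example.

```python
"""Detector for the post-infection behaviour listed for Locky.

Added example; not CYREN's code.  Events are constructed in the simple
'ts|process|action|path|newpath' format assumed here (newpath is empty
unless the action is a rename).
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

RANSOM_EXTENSION = ".locky"
BACKUP_EXTENSIONS = (".bak", ".bkf", ".old")  # assumption: what local back-ups look like
RENAME_THRESHOLD = 10   # this many renames to .locky by one process ...
WINDOW_SECONDS = 60     # ... inside this window raises an alert


def parse_event(line: str) -> Tuple[int, str, str, str, str]:
    """Split one event line into (timestamp, process, action, path, newpath)."""
    ts, proc, action, path, newpath = line.rstrip("\n").split("|")
    return int(ts), proc, action, path, newpath


def detect(lines: List[str]) -> List[str]:
    """Return human-readable alerts for ransomware-like activity in the events."""
    alerts: List[str] = []
    recent: Dict[str, Deque[int]] = defaultdict(deque)  # process -> rename timestamps
    already_alerted = set()
    for line in lines:
        ts, proc, action, path, newpath = parse_event(line)
        if action == "rename" and newpath.lower().endswith(RANSOM_EXTENSION):
            window = recent[proc]
            window.append(ts)
            while window and ts - window[0] > WINDOW_SECONDS:
                window.popleft()          # drop renames older than the window
            if len(window) >= RENAME_THRESHOLD and proc not in already_alerted:
                already_alerted.add(proc)  # one alert per offending process
                alerts.append(f"{proc}: {len(window)} files renamed to "
                              f"{RANSOM_EXTENSION} within {WINDOW_SECONDS}s")
        elif action == "delete" and path.lower().endswith(BACKUP_EXTENSIONS):
            alerts.append(f"{proc}: deleted backup file {path}")
    return alerts


# Constructed sample: one benign rename, a burst of renames to .locky that also
# reaches a network share and a removable drive, then a backup deletion.
SAMPLE_EVENTS = [
    r"100|explorer.exe|rename|C:\Users\alice\notes.txt|C:\Users\alice\notes_old.txt",
] + [
    f"{101 + i}|sample_malware.exe|rename|C:\\Users\\alice\\Documents\\file{i}.docx|"
    f"C:\\Users\\alice\\Documents\\file{i}.locky"
    for i in range(8)
] + [
    r"109|sample_malware.exe|rename|\\fileserver\finance\q1.xlsx|\\fileserver\finance\q1.locky",
    r"110|sample_malware.exe|rename|\\fileserver\finance\q2.xlsx|\\fileserver\finance\q2.locky",
    r"111|sample_malware.exe|rename|E:\photos\img01.jpg|E:\photos\img01.locky",
    r"115|sample_malware.exe|delete|C:\Users\alice\Documents\budget.xlsx.bak|",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The rename counter is per process and windowed, so a user renaming a handful of files never trips it, while an encryptor that touches hundreds of files a minute is caught after its tenth; lowering the threshold buys earlier response at the cost of more noise.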
Paying the ransom
• 0.5 to 1 bitcoin for individual computers
  • ~$200 - $400
• 50 or more bitcoins for business
  • ~$20,000
• Multiple onion links, multiple bitcoin addresses
Poll: Dealing with ransomware
• Do you know the outcome of the ransomware experience(s) you have dealt with or are familiar with? (choose multiple answers):
  • Paid and got files back
  • Paid but files were not decrypted
  • Didn’t pay but managed to recover data (e.g. backup)
  • Didn’t pay and lost data
  • Unsure of outcome / No experience with ransomware
How to avoid being a ransomware victim
IMPROVE YOUR PREVENTION
• Email security gateway
  • 91% of attacks start in email
  • Stop spam and viruses before they reach your users
• Web security gateway
  • Stop malware downloads, malicious URLs
  • Stop C&C communications, data exfiltration
• Network sandboxing
  • Identify and stop never-before-seen malware
• Endpoint security with active monitoring
  • Make sure it's up to date
• Security training
  • Social engineering, don’t click that link…
IMPROVE YOUR DETECTION/RESPONSE
• Backup and recovery
  • Implement it
  • Test it
  • Know the difference between backup and sync
• Network shares
  • Avoid mapping network drives with large file repositories (or map them without write permissions)
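The "backup vs sync" point above is the one most often misunderstood, so here is an added illustration (not from the CYREN deck) in Python: an in-memory sync mirror and an in-memory versioned backup both receive the same folder before and after a simulated encrypt-and-rename, and only the versioned backup can hand back a checksum-verified clean copy, which is also what "test it" means in practice. The class names, the simulation and the sample files are constructed for this example.

```python
"""Backup versus sync, shown with in-memory stand-ins.

Added example; not CYREN's code.  A sync mirror copies whatever the endpoint
currently holds, so an encrypt-and-rename is faithfully mirrored.  A versioned
backup keeps earlier snapshots with checksums, so a clean point in time can be
restored and verified.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SyncMirror:
    """Mirrors the current state of a folder: one copy, always the latest."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def sync(self, folder: Dict[str, bytes]) -> None:
        self.files = dict(folder)  # overwrites and deletions propagate immediately


class VersionedBackup:
    """Keeps every snapshot, each with per-file checksums, for later restore."""

    def __init__(self) -> None:
        self.snapshots: List[Tuple[int, Dict[str, bytes], Dict[str, str]]] = []

    def snapshot(self, ts: int, folder: Dict[str, bytes]) -> None:
        copy = dict(folder)
        self.snapshots.append((ts, copy, {p: sha256(d) for p, d in copy.items()}))

    def restore(self, before_ts: int) -> Dict[str, bytes]:
        """Return the newest snapshot taken before before_ts, verifying checksums."""
        candidates = [s for s in self.snapshots if s[0] < before_ts]
        if not candidates:
            raise LookupError("no snapshot before the requested time")
        _, files, checksums = candidates[-1]
        for path, data in files.items():
            if sha256(data) != checksums[path]:
                raise ValueError(f"backup corrupted: {path}")
        return dict(files)


def simulate_encrypt_and_rename(folder: Dict[str, bytes]) -> Dict[str, bytes]:
    """Stand-in for the ransomware step: contents replaced, names get .locky.

    No real encryption happens; the content is just an opaque placeholder.
    """
    return {p + ".locky": b"<unreadable>" for p in folder}


def run_scenario() -> Tuple[bool, bool]:
    """Return (sync mirror still holds clean files, versioned backup restores clean files)."""
    original = {"report.docx": b"quarterly numbers", "family.jpg": b"\xff\xd8\xff photo"}
    mirror, backup = SyncMirror(), VersionedBackup()
    mirror.sync(original)
    backup.snapshot(ts=1, folder=original)
    infected = simulate_encrypt_and_rename(original)  # ts=2: ransomware runs
    mirror.sync(infected)                              # mirror now holds only .locky files
    backup.snapshot(ts=3, folder=infected)             # backup captured the bad state too ...
    restored = backup.restore(before_ts=2)             # ... but the clean version is still there
    return mirror.files == original, restored == original


if __name__ == "__main__":
    mirror_clean, restore_ok = run_scenario()
    print(f"sync mirror still clean: {mirror_clean}")
    print(f"versioned backup restored clean copy: {restore_ok}")
```

The same reasoning applies to a mapped network share: if the endpoint can write to it, the share is part of the blast radius, not a backup of it.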
CYREN Powers the World’s Security
• 500K+ threat collection points
• 600M+ users protected
• 17B+ daily transactions
• 130M+ threats blocked
CYREN’s 100% cloud security services
SaaS Secure Web Gateway protects users from cyber-threats, monitors and controls web usage, and protects users both on and off the network.
SaaS Secure Email Gateway protects users from spam, phishing attacks, viruses and zero-hour malware with a seamless end-user experience.
Enterprise OEM: Cloud-powered threat intelligence and SDKs allow technology vendors and service providers to detect a broad set of cyber-threats, including malicious websites, phishing attacks, malware, botnets, and spam.
You can also find us here:
www.CYREN.com
twitter.com/cyreninc
linkedin.com/company/cyren
Thank You. Any Questions or Thoughts?