PETYA JIGSAW WANNACRY LOCKY - ICA Japan

  • PETYA・JIGSAW・WANNACRY・ZEPTO・LOCKY

  • Business Resilience = Data Resilience

  • Speaker Introduction

    Brent Reichow From Minneapolis, Minnesota (USA)

    April 1992 Arrived in Chiba, Japan

    Work History LINC Computers (EDS), NTT-WT, PSINet (C&W) Stellent (Oracle), Internet Security Systems (ISS)

    July 2004 Co-founded Blueshift K.K.

    Blueshift Business Leading provider of data protection solutions delivering secure, off-site, disk-based data backup and disaster recovery services to small, medium and large organizations

    Client Markets Automotive, education, financial services, healthcare, insurance, legal services, logistics, manufacturing, marketing, media, NPO, real estate, recruiting, retail and technology

    URL www.dataprotection.co.jp / www.dataprotection.jp

  • Blueshift’s Cloud Backup Business

    Diagram: Client Site, Location 2, Administrator, Public or Private Data Centers, WAN / INTERNET

    File Server • Mail Server • Database Server • Virtual Machine (VM) • Cloud 2 Cloud

    A. Initial full backup is made; compressed and encrypted data is sent to public or private data center locations

    B. Additional scheduled or manual backups transfer changed data (deltas) off-site (incremental forever)

    C. Rapid restores (deltas / changed data)

    • Multiple restoration points in time

    • Restore in minutes not hours

    D. Security

    • All data is encrypted with 256 bit AES

    • Data remains encrypted in flight and at rest

    E. Onsite Appliance (de-duplication, compression, encryption)

    • LAN speed restores with local available storage

    F. Remote Management

    • Email alerting functionality

    • Manage multiple servers

    G. Retention Policy

    • 30 day, 1 year

    • Longer options


  • A Billion Dollar Industry

  • So How Does Ransomware Work?

    Ransomware as a Service (RaaS) - Typically the Developer Receives 30% of Ransom Paid by Victims

  • Zepto Ransomware Attack

    Diagram: Phishing Email, Internet, USB, Workstations, File Server, Database, NAS

  • Your computer files have been encrypted Your photos, videos, documents, etc…

    Every hour files will be deleted. Increasing in amount every time. After 72 hours all that _

    But, don’t worry! I have not deleted them, yet. You have 24 hours to pay 150 USD in Bitcoins to get the decryption key.

    1. Wide availability of advanced encryption

    2. Bitcoin’s rise, anonymity, no oversight

    3. Rise of Ransomware as a Service, try & buy

    4. Lack of proper education and training

    5. More attack vectors – email, www, sms, etc

  • 2017 RANSOMWARE FACTOIDS

    #1 threat to businesses globally is ransomware

    2,500%: ransomware software development market growth

    $6,389: current market value of 1 bitcoin, up over 550% YTD

    6,300+: number of ransomware development vendors selling their software to users on the dark web

    45,000: number of ransomware product listings

    US$5 billion: expected ransomware damages globally in 2017

    72% of businesses infected lost access to data for 2 days or more

    A company is hit with ransomware every 40 seconds

  • The Facts, The Risk

    • 40% of all spam contains ransomware. Spam is an increasing risk! The more spam received, the more likely someone/an employee will click and open!

    • 66% of infected businesses paid the ransom. Meaning 66% of businesses couldn’t depend on their backups to recover data!

    • 93% of ransomware victims had anti-virus software protection. You shouldn’t solely depend on an anti-virus solution to stop ransomware!

    • 20% of all company workers will click on a phishing email. Human nature demonstrates that 1 in 5 people will click on an email attachment!

  • Growth of Ransomware in Japan

    Ransomware: a new problem that requires new solutions

    Chart: reported ransomware incidents affecting businesses in Japan, 2014 to 2017

    Ransomware expected to grow 1000% in 2017

    20% of Companies That Pay, Don’t Receive Their Decryption Keys

  • No Industry Is Safe From Ransomware

  • WannaCry Ransomware Timeline

  • WannaCry Not Good For Ransomware Economy

    • 200,000+ devices affected by WannaCry ransomware

    • WannaCry spread to over 200 countries

    • The payment process wasn’t made clear to WannaCry victims

    The Problem

    • Unique ID and bitcoin wallet for each victim not created

    • Decryption keys not sent to victims who paid

    • Only US$50,000 in payments received - could have been much much more

    • Ransom $300, after 3 days $600, after 7 days data deletion

    • Used Microsoft Server Message Block (SMBv1) vulnerability

  • And Now Bad Rabbit, Ransomware or False Flag? Began proliferating October 23/24

    Malware masquerading as an Adobe Flash Player update, click!

    Victims directed to Tor payment page – 0.05 bitcoins around US$285

    Pay within 40 hours or ransom increases

    Russia (86%), followed by Japan (3%), Bulgaria (2%), Ukraine (1%), US (1%) and all other countries (7%).

    Like Petya, Bad Rabbit (BR) contains an SMB component which can propagate without user interaction (brute-force passwords)

    But Bad Rabbit is no longer very active

  • Ransomware’s Future?

    IoT, Cloud, TV, Drive-By, False Flag, Smokescreen, AI?

  • What To Do?

  • What If Ransomware Strikes?

    Isolate

    • Physically remove/disconnect the infected machine(s) from the network.

    Stop

    • Stop/discontinue your current data backup process. This will prevent you from ruining your previous data backups.

    Identify

    • Identify the type of ransomware that you are dealing with. You can find decryption tools online for well-known ransomware variations, which can save you time, money and effort.

    Sort

    • Sorting through all the files can speed up the data restore process. Files encrypted by the ransomware will need to be restored using your previous backups. However, you may find that some files were not encrypted (good news), as recovery is not needed.

    Priority

    • Before starting the restore process, prioritize which files & folders are most important to getting back to normal business operations. Ex: does the finance department need to close this month’s books? Is your legal team working on a specific case?

    Where

    • Where will you restore your data to? The same location or an alternative location? Do you have enough disk space to restore your data?

    Restore

    • Prioritizing important data for restore vs. a full data restore will speed up the recovery time. Getting back to normal business operations as quickly as possible is the key.
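
The Sort step above, as an added example that is not part of the original slides: a triage pass that splits a file tree into files to restore from backup, files to review, and files left intact. The extension list (the well-known suffixes used by Locky, Zepto and WannaCry), the 7.5 bits-per-byte entropy threshold and all function names are assumptions of this example, and the sample tree is constructed.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions appended by families named in the deck (assumed list, extend as needed).
RANSOM_EXTS = {".locky", ".zepto", ".wncry", ".wcry"}
# Already-compressed formats: high entropy is normal, so do not flag them.
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".docx"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune per environment
SAMPLE_BYTES = 65536     # only the head of each file is read

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str) -> str:
    ext = os.path.splitext(path)[1].lower()
    if ext in RANSOM_EXTS:
        return "restore"  # renamed by the ransomware: restore from backup
    with open(path, "rb") as fh:
        sample = fh.read(SAMPLE_BYTES)
    if ext not in COMPRESSED_EXTS and shannon_entropy(sample) > ENTROPY_THRESHOLD:
        return "review"   # name unchanged but content looks encrypted
    return "intact"

def triage(root: str) -> dict:
    result = {"restore": [], "review": [], "intact": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            result[classify(full)].append(os.path.relpath(full, root))
    return result

def demo() -> dict:
    """Triage a constructed sample tree (all file contents are made up)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "report.txt": b"Quarterly figures for the finance team.\n" * 50,
            "A1B2C3D4.zepto": os.urandom(4096),
            "ledger.csv": os.urandom(4096),  # encrypted in place, name kept
            "photo.jpg": os.urandom(4096),   # compressed format, not flagged
        }
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return triage(root)
```

Run it against a read-only copy or mount of the affected share; files in the "review" bucket need a manual check because the entropy test cannot distinguish encryption from an unlisted compressed format.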

  • Ransomware Prevention, Best Practices

    1. Educate Employees

    2. Conduct Regular Data Backups

    3. Restrict Admin & System Access

    4. Maintain & Update Software - MS, AV

    5. Adopt Email Filtering Technologies to Reduce Spam

    6. Block Email Attachments or Possibly Remove Attachments

  • Thank You!

    Contact Information:

    www.dataprotection.co.jp

    blueshiftDP / blueshiftDPJ

    Blueshift Data Protection

    blueshiftdp

    Useful Links:

    https://www.bleepingcomputer.com/

    https://www.darkreading.com/

    https://thecyberwire.com/

    http://www.theregister.co.uk/

    https://www.sans.org/newsletters/newsbites

    https://www.nomoreransom.org/en/index.html/