Michael Kemps, CEO Innovative Computing Systems, Inc. THE RISE OF RANSOMWARE AND ITS THREAT TO THE LEGAL PROFESSION @ICSGetsIT

THE RISE OF RANSOMWARE AND ITS THREAT TO THE LEGAL … · 2017. 10. 9. · THE RISE OF RANSOMWARE AND ITS THREAT TO THE LEGAL PROFESSION @ICSGetsIT. RANSOMWARE AND SECURITY BREACHES:


Michael Kemps, CEO, Innovative Computing Systems, Inc.

THE RISE OF RANSOMWARE AND ITS THREAT TO THE LEGAL PROFESSION

@ICSGetsIT


RANSOMWARE AND SECURITY BREACHES:

THREATS & RISKS


THE RISE OF RANSOMWARE AND SECURITY BREACHES

• What is Ransomware?
  – Acquired by a simple click on an otherwise seemingly legitimate email
  – Encrypts all files instantly – on premise or cloud
  – Criminals demand money via untraceable Bitcoins
  – Decryption takes much longer than encryption
  – Recent events resulted in FBI suggesting companies pay ransom
    • https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/

• Attacks increasing exponentially in the legal community!
  – Hackers Breach Law Firms, Including Cravath and Weil Gotshal
    • http://www.wsj.com/articles/hackers-breach-cravath-swaine-other-big-law-firms-1459293504
  – Law360: “’Cryptolocker’ Virus Holding Law Firm Data For Ransom”
    • http://www.law360.com/articles/629305/cryptolocker-virus-holding-law-firm-data-for-ransom
  – 80% Share of the country’s top 100 law firms have had a security breach
    • http://www.bloomberg.com/news/articles/2015-03-19/cyber-attacks-force-law-firms-to-improve-data-security
  – Panama Papers Leak Casts Light on a Law Firm Founded on Secrecy
    • http://www.nytimes.com/2016/04/07/world/americas/panama-papers-leak-casts-light-on-a-law-firm-founded-on-secrecy.html?_r=0


IT WOULD NEVER HAPPEN TO ME!

ABA 2015 TECH SURVEY…


CONSEQUENCES

• Loss of client assets
• Increased firm risk
• Significant downtime
• Loss of money
• Reputation
• Opportunity cost


CASE STUDY: LOS ANGELES LAW FIRM


RANSOMWARE STRIKES TWICE

• Boutique Los Angeles-area law firm

• Hit with two variants of CryptoLocker, a popular ransomware program

• First ransom demand: Almost $25,000

• Ransomware code executed full access to all shared, roaming profile directories of all users, giving them access to local workstations and servers

• Required server mitigation and reimaging of 50 desktops (two days for all desktops)

• Five days of downtime right before Christmas 2015


HOW DID THEY GET IN?

• Likely originated in Citrix/RDP server
• Part-time IT consultant gave domain administrative privileges to all users
• Old workstations, software and storage
• 2014 Windows image had not been updated since creation
• That’s 2 ½ years of updates for every machine
• Slower Internet connection than most modern cell phones


AFTER THE 1ST ATTACK

• Fortunately, we were able to recover data and remediate damage

• We made strong arguments for upgrades to vulnerable areas in their network

• Our proposals to help prevent another attack went unheeded . . .


A FEW WEEKS LATER, THEY WERE HACKED AGAIN.

• Second ransom demand around $15,000
• Hack not as bad this time as it was localized, for the most part
• Only one workstation hit, but . . .
• Virus was able to inject itself into some server shares


NEW PLAN

The law firm is planning to:
– Increase Internet speed
– Implement new firewalls
– Purchase SAN and new VMhost
– Purchase new servers
– Replace anti-virus with next generation endpoint protection


STILL THINK IT CAN’T HAPPEN TO YOU?


WHY SO MANY THREATS REMAIN UNDETECTED

Wrappers: Designed to turn known code into a new binary

Variations / Obfuscators: Designed to slightly alter code to make known code appear new/different

Packers: Designed to make sure code runs only on a real machine (anti-vm, dormant, interactions, anti-debug)

Targeting: Designed to allow code to run only on a specific target machine/configuration

Malicious Code: The actual code that runs. Always the same goals – persist, steal/spy, exfiltrate, etc.

Evasion Techniques


CONSIDERATIONS?

• Traditional Antivirus is not enough
• “We have a firewall, right?!”
• Multi-layered approach is a must
  – Regular Vulnerability Scanning
  – Current and Patched Environment
  – Next-Generation Endpoint Protection


THE SOLUTION:

NEXT-GENERATION ENDPOINT PROTECTION


NEXT-GENERATION ENDPOINT PROTECTION

Real-time analysis and root cause forensic investigation

Automatic Mitigation: Quarantine files and endpoints

Rollback and Immunize: Automatic remediation to undo system changes

Dynamic Execution Inspection: Full system monitoring to protect from evasive, packed malware, and attack code

Reputation based preemptive block and prevention policies: Protect from known threats


Dynamic Memory Inspection: Protect from App and memory based exploits. Drive by downloads.


PROTECT ALL VECTORS OF ATTACK

Cover all vectors of attack

Fileless: Memory only malware, no disk based indicators

Documents: Exploits rooted in Office documents, Adobe, Macros. Spear-phishing emails.

Browser: Drive by downloads, Flash, Java, JavaScript, VBS, iframe/HTML5, plug-ins

Scripts: PowerShell, WMI, PowerSploit, VBS

Credentials: Credentials scraping, Mimikatz, Tokens

Executables: Malware, Trojans, Worms, Backdoors, Payload based

MALWARE EXPLOITS LIVE/INSIDER


WHICH ENDPOINT PROTECTION PLATFORM . . . AND WHY?


WE KNOW ANTIVIRUS ISN’T ENOUGH, BUT . . .

[Comparison chart: endpoint protection platforms rated on Prevention, Anti-Exploitation, Dynamic Anti-Malware (or Sandbox), Mitigation, Remediation and Forensics. The product logos and ratings did not survive extraction; the only product label remaining is “Traps”. Captions from the chart:]

• Exploit protection only, CPU intensive, needs to offload to sandbox to analyze files, prone to evasions, no visibility. Windows only.
• Static inspection, pre-execution, statistics (“math”) based binary profiling, zero visibility or endpoint forensics. Windows only.
• The only full on-device detection and forensic solution not prone to evasions or bypasses
• No exploit/malware detection beyond cloud intelligence indicator matching


OUR CHOICE…


ANTIVIRUS REPLACEMENT

• 99% Real world detection
• 98% Prevalent malware
• 0% False positives
• 6 Performance score (5-25 scale)

True, Complete Antivirus Replacement

Protect from legacy threats as well as Advanced Threats, while still maintaining compliance.

One agent, no scans, no constant updates, small footprint. No static signatures, no IOCs.


INDUSTRY ACCOLADES

The Case of Gyges, the invisible malware

The evolution of Dyre

OSX Kernel Rootkits and memory vulnerabilities

SHAKACON


Today's multiheaded malware needs a multipronged solution

Computing goes to the cloud – so does crime

Sony Hack Signals Threat to Destroy Data, Not Just Steal It

The state of cybersecurity in the enterprise: 2015

Blogs

• WireLurker Malware Targets iPhone and Mac

• Unpatched Vulnerabilities Leave Apple Users at Risk

• Sandworm Demonstrates Why Patches aren’t Foolproof

• Is Zero Day Java Exploit Detection Possible?

• More Embedded Systems Havoc: ATM Hacks Target Endpoints Once Again

• Internet Explorer Vulnerability Kept Secret For Three Years

RSA Innovation Sandbox Finalist 2015

RSA Shark Tank 20 CISO Panel Winner


QUESTIONS?