
Ransomware is Here: Fundamentals Everyone Needs to Know


Page 1: Ransomware is Here: Fundamentals Everyone Needs to Know

RANSOMWARE IS HERE: FUNDAMENTALS EVERYONE NEEDS TO KNOW

JEREMIAH GROSSMAN CHIEF OF SECURITY STRATEGY

@jeremiahg https://www.jeremiahgrossman.com/

http://blog.jeremiahgrossman.com/

http://sentinelone.com/

Page 2: Ransomware is Here: Fundamentals Everyone Needs to Know

JEREMIAH GROSSMAN

WHO I AM…

▸ Professional Hacker

▸ OWASP Person of the Year (2015)

▸ International Speaker

▸ Black Belt in Brazilian Jiu-Jitsu

▸ Founder of WhiteHat Security

Page 3: Ransomware is Here: Fundamentals Everyone Needs to Know

“RANSOMWARE IS A TYPE OF MALWARE THAT CAN BE COVERTLY INSTALLED ON A COMPUTER WITHOUT KNOWLEDGE OR INTENTION OF THE USER THAT RESTRICTS ACCESS TO THE INFECTED COMPUTER SYSTEM IN SOME WAY, AND DEMANDS THAT THE USER PAY A RANSOM TO THE MALWARE OPERATORS TO REMOVE THE RESTRICTION.”

Wikipedia

WHAT IS RANSOMWARE?

Page 4: Ransomware is Here: Fundamentals Everyone Needs to Know

YOU KNOW IT

WHEN INFECTED WITH RANSOMWARE…

Page 5: Ransomware is Here: Fundamentals Everyone Needs to Know
Page 6: Ransomware is Here: Fundamentals Everyone Needs to Know

CRYPTO LOCKER CRYPTO WALL TESLACRYPT

REVETON JIGSAW LOCKY

“THERE ARE NOW MORE THAN 120 SEPARATE FAMILIES OF RANSOMWARE, SAID EXPERTS STUDYING THE MALICIOUS SOFTWARE.”

Page 7: Ransomware is Here: Fundamentals Everyone Needs to Know

ORDER OF OPERATIONS

STEP-BY-STEP

1. Targeting – OS, geography, banking/ecommerce, consumer

2. Propagation – spear-phishing, drive-by-download, attachments

3. Exploit – exploit kits, vulnerability-based, unpatched systems

4. Infection – payload delivery, backdoor access

5. Execution – encryption, disruption, blocked access, RANSOM
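The five stages above end in bulk encryption of the victim's files. As an added example that is not part of the original deck, the Python below shows the kind of defensive check a practitioner can run against that "Execution" stage: snapshot the Shannon entropy of known-good files, then flag files whose entropy jumps from document-like to ciphertext-like or that gain a ransom extension, and raise an alert when the share of flagged files crosses a threshold. The thresholds, extension list and sample files are constructed for illustration.

```python
# Added example (not from the deck): baseline-and-compare entropy check that
# flags bulk-encrypted files. Thresholds, extension list and data are constructed.
import math
import os
import random
from collections import Counter

HIGH_ENTROPY = 7.5   # bits/byte; encrypted or random data approaches 8.0
LOW_ENTROPY = 6.0    # documents, source code and text sit well below this
RANSOM_EXTS = {".locky", ".crypt", ".encrypted"}  # constructed sample list

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot(files: dict) -> dict:
    """Baseline taken while files are known-good: filename -> entropy."""
    return {name: shannon_entropy(data) for name, data in files.items()}

def detect_encryption(baseline: dict, current: dict, alert_ratio: float = 0.5) -> dict:
    """Flag files that gained a ransom extension or jumped from low to high
    entropy; alert when the flagged share reaches alert_ratio."""
    suspicious = []
    for name, data in current.items():
        stem, ext = os.path.splitext(name)
        prior = baseline.get(name, baseline.get(stem))  # handles "x.docx.locky"
        if prior is None:
            continue  # brand-new file, no baseline to compare against
        entropy = shannon_entropy(data)
        if ext.lower() in RANSOM_EXTS or (prior < LOW_ENTROPY and entropy > HIGH_ENTROPY):
            suspicious.append(name)
    ratio = len(suspicious) / len(current) if current else 0.0
    return {"suspicious": sorted(suspicious), "ratio": ratio, "alert": ratio >= alert_ratio}

def run_demo() -> dict:
    """Constructed scenario: three files, two of which get encrypted."""
    text = b"Quarterly report: revenue up, costs flat, headcount unchanged. " * 60
    good = {"report.docx": text, "notes.txt": text[:1500], "logo.png": text[:900]}
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    after = {
        "report.docx.locky": rng.randbytes(len(text)),  # encrypted and renamed
        "notes.txt": rng.randbytes(1500),               # encrypted in place
        "logo.png": good["logo.png"],                   # untouched
    }
    return detect_encryption(snapshot(good), after)

if __name__ == "__main__":
    print(run_demo())
```

Entropy alone also fires on legitimately compressed or encrypted files, which is why the check compares against a baseline and only alerts on the share of files that changed rather than on any single file.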

Page 8: Ransomware is Here: Fundamentals Everyone Needs to Know

DESIGNED TO EVADE DETECTION


Wrappers: Turn known code into a new binary

Variations / Obfuscators: Slightly alter code to make known code appear new/different

Packers: Ensure code runs only on a real machine (anti-VM, sleepers, interactions, anti-debug)

Targeting: Allows code to run only on a specific target machine/configuration

Ransomware Code: The actual attack code that attacks your files, blocks access to the system and/or encrypts data

Page 9: Ransomware is Here: Fundamentals Everyone Needs to Know

“THE FBI RECENTLY PUBLISHED THAT RANSOMWARE VICTIMS PAID OUT $209 MILLION IN Q1 2016 COMPARED TO $24 MILLION FOR ALL OF 2015.”

LA Times

THE BIRTH OF A BILLION DOLLAR CYBER-CRIME INDUSTRY

Page 10: Ransomware is Here: Fundamentals Everyone Needs to Know

“IN ITS LETTER, THE DHS NOTED THAT ITS NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER (NCCIC) HAD INITIATED OR RECEIVED 321 REPORTS OF RANSOMWARE-RELATED ACTIVITY AFFECTING 29 DIFFERENT FEDERAL AGENCIES SINCE JUNE 2015. THE 321 REPORTS INCLUDE ATTEMPTED INFECTIONS AND INFECTIONS THAT WERE DEALT WITH BY THE AGENCIES' INTERNAL SECURITY TEAMS.”

Business Insider

THE BIRTH OF A BILLION DOLLAR CYBER-CRIME INDUSTRY

Page 11: Ransomware is Here: Fundamentals Everyone Needs to Know

WHY THE RANSOMWARE EXPLOSION NOW?

Page 12: Ransomware is Here: Fundamentals Everyone Needs to Know

ALMOST 50% OF THOSE AFFECTED END UP MAKING THE PAYMENT

The number of users who came across crypto ransomware in the last year increased by more than 500% over the previous year. (Kaspersky, Dec. 2015)

Page 13: Ransomware is Here: Fundamentals Everyone Needs to Know

THE RANSOM AND PAYMENT METHODS

▸ $200-$2000, average $300 (High $20,000)

▸ Most commonly paid through BitCoin

▸ Also through premium SMS/phone call, anonymous cash card or prepaid transfer service

Secondary Motives

▸ Leave spyware behind

▸ Open backdoors

▸ Steal passwords

Page 14: Ransomware is Here: Fundamentals Everyone Needs to Know

RANSOMWARE DOES NOT NEED ROOT ACCESS

“‘RANSOMWEB’ DESCRIBES ATTACKS DURING WHICH CROOKS BREAK INTO A WEBSITE USING VARIOUS VULNERABILITIES AND ENCRYPT ITS CONTENT. THIS CAN BE ITS DATABASE OR ITS FILES, BUT IN THE END, CROOKS NOTIFY THE SITE OWNERS THAT THEY HAVE TO PAY A RANSOM TO GET THEIR FILES BACK.”

Page 15: Ransomware is Here: Fundamentals Everyone Needs to Know

HOSPITALS NASCAR GOVERNMENT

SCHOOLS POLICE GAMERS

Page 16: Ransomware is Here: Fundamentals Everyone Needs to Know

“ON WEDNESDAY, U.S. SECURITY COMPANY KNOWBE4 SAID IT WAS RECENTLY CONTACTED BY A HEALTH CENTER THAT PAID HACKERS NEARLY $40,000 AFTER 250 DEVICES, INCLUDING AN MRI MACHINE, BECAME INFECTED WITH RANSOMWARE, PROMPTING THE UNNAMED ORGANIZATION TO SHUT DOWN FOR FIVE DAYS.”

“[PRIME HEALTHCARE SERVICE] SAYS IT DEFEATED THE CYBERATTACK WITHOUT PAYING A RANSOM. BUT IT ACKNOWLEDGED SOME PATIENTS WERE TEMPORARILY PREVENTED FROM RECEIVING RADIOLOGY TREATMENTS, AND OTHER OPERATIONS WERE DISRUPTED BRIEFLY WHILE COMPUTER SYSTEMS WERE DOWN.”

“IN MARCH, HACKERS ENCRYPTED DATA AT MEDSTAR HEALTH, WHICH OPERATES 10 HOSPITALS IN MARYLAND AND THE DISTRICT OF COLUMBIA. THE VIRUS CAUSED DELAYS IN SERVICE AND TREATMENT UNTIL COMPUTERS WERE BROUGHT BACK ONLINE. THE COMPANY SAID IT DID NOT PAY A REPORTED $19,000 RANSOM DEMAND.”

Page 17: Ransomware is Here: Fundamentals Everyone Needs to Know

“NASCAR TEAM CIRCLE SPORT-LEAVINE FAMILY RACING (CSLFR) HAS REVEALED TODAY IT FACED A RANSOMWARE INFECTION THIS PAST APRIL, WHEN IT ALMOST LOST ACCESS TO CRUCIAL FILES WORTH NEARLY $2 MILLION, CONTAINING CAR PARTS LISTS AND CUSTOM HIGH-PROFILE SIMULATIONS THAT WOULD HAVE TAKEN 1,500 MAN-HOURS TO REPLICATE.”

“RECENTLY, THE AMERICAN PUBLIC UTILITY LANSING BOARD OF WATER & LIGHT (BWL) HAS ANNOUNCED THAT THE COMPANY HAS BECOME A VICTIM OF RANSOMWARE ATTACK THAT KNOCKED THE UTILITY'S INTERNAL COMPUTER SYSTEMS OFFLINE.”

“POLICE DEPARTMENT CHIEF MICHAEL LYLE CLAIMED THAT ONE UNSUSPECTING USER FROM WITHIN THE DEPARTMENT OPENED THE EMAIL, TRIGGERING THE PAYLOAD OF THE RANSOMWARE WHICH PROCEEDED TO ENCRYPT FILES AND TAKE CONTROL OF A PROGRAM KNOWN AS TRITECH. THE SOFTWARE IS AN ESSENTIAL TOOL, ONE THAT POLICE OFFICERS USE FOR COMPUTER AIDED DISPATCH AND AS A RECORD MANAGEMENT SYSTEM DURING PATROL. THE PROGRAM ALSO ENABLES LAW ENFORCEMENT OFFICERS TO LOG INCIDENT REPORTS.”

Page 18: Ransomware is Here: Fundamentals Everyone Needs to Know

“TO BE HONEST, WE OFTEN ADVISE PEOPLE JUST TO PAY THE RANSOM.” -JOSEPH BONAVOLONTA, ASSISTANT SPECIAL AGENT IN CHARGE OF THE FBI’S CYBER & COUNTERINTELLIGENCE PROGRAM

The Security Ledger

TO PAY OR NOT TO PAY…

Page 19: Ransomware is Here: Fundamentals Everyone Needs to Know

“THE FBI DOES NOT ADVISE VICTIMS ON WHETHER OR NOT TO PAY THE RANSOM.”

“THE FBI ADVISES THAT THE USE OF BACKUP FILES IS AN EFFECTIVE WAY TO MINIMIZE THE IMPACT OF RANSOMWARE AND THAT IMPLEMENTING COMPUTER SECURITY BEST PRACTICES IS THE MOST EFFECTIVE WAY TO PREVENT RANSOMWARE INFECTIONS.”

-DONALD J. GOOD, DEPUTY ASSISTANT DIRECTOR OF THE FBI'S CYBER DIVISION

SOFTPEDIA

THE FBI’S “OFFICIAL” POSITION

Page 20: Ransomware is Here: Fundamentals Everyone Needs to Know
Page 21: Ransomware is Here: Fundamentals Everyone Needs to Know

RANSOMWARE IS INNOVATING

Page 22: Ransomware is Here: Fundamentals Everyone Needs to Know

RESEARCH AND DEVELOPMENT INCREASING

Page 23: Ransomware is Here: Fundamentals Everyone Needs to Know
Page 24: Ransomware is Here: Fundamentals Everyone Needs to Know

▸ Recent ransomware is targeted, sophisticated and harder to detect

▸ Once data is encrypted there are virtually no options

▸ Modern encryption techniques are impossible to break

▸ Restoring from backups is time consuming and involves some data loss

▸ CryptoLocker 3.0 payments have been estimated at $325 Million

▸ Ransomware criminals netting roughly $150 Million per year

SOPHISTICATION

Page 25: Ransomware is Here: Fundamentals Everyone Needs to Know
Page 26: Ransomware is Here: Fundamentals Everyone Needs to Know
Page 27: Ransomware is Here: Fundamentals Everyone Needs to Know

BUSINESS MODELS ARE EVOLVING AND MATURING

Page 28: Ransomware is Here: Fundamentals Everyone Needs to Know