Post on 16-Apr-2017
Ransomware: Five Ways to Protect Your Organization
Chris Bowen, MBA, CIPP/US, CIPT, Founder, Chief Privacy & Security Officer
PROPRIETARY & CONFIDENTIAL
Agenda
1. Ransomware: Anatomy & Psychology
2. Case Studies
3. Recovery Strategies
4. Five Prevention Strategies
Ransomware Attacks Are Increasing
[Chart: "Total Ransomware" by quarter, 2013 Q1 through 2015 Q2, rising throughout; vertical axis 0 to 4000]
Source: http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-aug-2015.pdf
Ransomware Attacks Are Costly
$300: average ransom demanded per victim.
$18M: combined losses reported by 992 CryptoWall victims in mid-2015.*
$27M: estimated Bitcoin transactions attributable to CryptoLocker in a two-month period.
$325M: losses to US companies as estimated by the Cyber Threat Alliance.^
* https://www.ic3.gov/media/2015/150623.aspx
^ http://cyberthreatalliance.org/cryptowall-report.pdf
Types of Cyber Attackers
Source: http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-aug-2015.pdf
Recreational
• Fame and notoriety
• Limited tech resources
• Known exploits
Criminal
• Vandalism
• Limited tech capabilities
Hacktivist
• Statement
• Relentless
• Emotionally committed
• Vast networks
• Targeted attacks
Organized Crime
• Economic gain
• Significant tech resources and capabilities
• Established syndicates
• Adware, crimeware, IP theft
• A lot of spamming/phishing
• Prominent in ransomware
State Sponsored
• Cyberwar, state secrets, industrial espionage
• Highly sophisticated
• Nearly unlimited resources
• Advanced persistent threats
The Psychology of a Ransomware Attacker
Why?
• Easy to buy and use the tools
• Profit is predictable
• Less risk in the payoff: no direct contact with the victim and no data to sell
• No need to find a buyer for stolen data
• The operation can be automated globally
• Payment in Bitcoin is harder to trace back to the attacker
Pricing Dynamics
• The ransom is usually kept comparatively low to increase the likelihood of payment
• An individual may be asked for $300; an enterprise, $30,000
Ransomware Tools
CryptoWall, Locky, TorrentLocker, CTB-Locker, TeslaCrypt, Samsam, CrypVault, PayCrypt
CryptoWall
• Uses AES encryption; without the attacker's key, the files cannot practically be recovered
• Widely distributed using exploit kits, spam campaigns and malvertising
• Uses I2P network proxies and the Tor network for Bitcoin payments
TorrentLocker (often mistaken for CryptoLocker, whose name its ransom note borrows)
• File-encrypting ransomware distributed via spam email
• Uses AES to encrypt a wide variety of file types
• Harvests email addresses from the victim to spread itself further
Locky
• New, but aggressively distributed by spam and compromised websites
• Scrambles any files in any directory on any mounted drive that it can access
Tools Gaining Sophistication
• Early families only encrypted files stored locally on the infected machine
• Current families fully traverse network drives, SANs and NASes, and UNC paths
• They encrypt anything they can touch with the permissions of the user account under which the malware is executing, so a user with write access to a share puts every file on that share at risk
Anatomy of a Ransomware Attack
1. The Bait
• Typically arrives as an email attachment, such as an invoice or a shipment tracking document
• Often very generic, but it may include a real vendor name or even your company name
2. The Infection
• The user's machine is typically connected to the network, shared cloud services, etc.
• Once the attachment is opened, the ransomware silently begins encrypting all of the files it can, without any further user interaction or notification
3. Ransom Notice
• Once it has finished, it alerts the user and provides payment instructions
• Payment is usually in Bitcoin
• Some even provide "customer service" contact information
4. Pay or Restore
• Critical choice: pay the ransom, or restore from backup
• Paying the ransom increases the risk of future attacks
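The infection step above runs silently, so detection has to come from what the malware does to the file system rather than from the user. The following is an added example, not code from the presentation: a Python scan that flags files renamed with extensions appended by some ransomware families, files of plaintext types whose contents now have near-maximal Shannon entropy (the signature of ciphertext written in place), and a planted canary file that has been modified. The extension list, the entropy threshold, the function names and the temporary sample directory built by demo() are all assumptions constructed for the example.

```python
"""Spotting a ransomware run from what it leaves on disk.

Three signals: files renamed with a known ransomware extension, plaintext
file types whose bytes now look like ciphertext, and a canary file that
no legitimate process should ever touch. Sample data is constructed in
demo(); nothing here is real malware.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed list: extensions some families append to encrypted files.
RANSOM_EXTENSIONS = {".locky", ".encrypted", ".crypt", ".ecc", ".ezz", ".vvv"}
# Assumed threshold in bits per byte; random or encrypted data approaches 8.0,
# text and CSV sit well below it.
ENTROPY_THRESHOLD = 7.5
# File types whose contents are expected to be compressible plaintext.
PLAINTEXT_TYPES = {".txt", ".csv", ".log", ".xml", ".json", ".html"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_canary(directory: Path) -> tuple[Path, str]:
    """Write a decoy early in directory sort order and remember its hash."""
    canary = directory / "000_do_not_touch.txt"
    content = b"canary\n" * 64
    canary.write_bytes(content)
    return canary, hashlib.sha256(content).hexdigest()


def scan(directory: Path, canary: Path, canary_hash: str) -> dict:
    """Walk the tree and collect the three indicators."""
    findings = {"renamed": [], "high_entropy": [], "canary_modified": False}
    for path in directory.rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix in RANSOM_EXTENSIONS:
            findings["renamed"].append(path.name)
            continue
        data = path.read_bytes()
        if path == canary:
            findings["canary_modified"] = hashlib.sha256(data).hexdigest() != canary_hash
            continue
        # Small files give noisy entropy estimates, so require some bytes.
        if suffix in PLAINTEXT_TYPES and len(data) >= 256 and shannon_entropy(data) > ENTROPY_THRESHOLD:
            findings["high_entropy"].append(path.name)
    return findings


def demo() -> dict:
    """Constructed directory: two clean files, one overwritten in place with
    random bytes (standing in for ciphertext), one renamed by an assumed
    family, and a canary that was overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        canary, canary_hash = plant_canary(d)
        (d / "notes.txt").write_bytes(b"quarterly report draft\n" * 40)
        (d / "data.csv").write_bytes(b"id,name\n1,alice\n2,bob\n" * 30)
        (d / "report.xml").write_bytes(os.urandom(4096))        # ciphertext replaced XML
        (d / "budget.xlsx.locky").write_bytes(os.urandom(1024))  # renamed by the malware
        canary.write_bytes(os.urandom(512))                      # canary overwritten
        return scan(d, canary, canary_hash)


if __name__ == "__main__":
    print(demo())
```

Run periodically against file servers or from a file-system watcher: a canary hit or a burst of high-entropy rewrites is a reason to pull the host off the network (see Isolate the Device below). The entropy test alone is not enough, since legitimately compressed or encrypted files also score high, which is why it is restricted to types that should be plaintext.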
Malicious Attachments
Word document carrying malicious VBA code that runs as soon as the user enables macros
How Does Ransomware Spread?
• Mass emailing to huge numbers of people, targeting the US and UK in particular
• May arrive on its own (often by email) or by way of a backdoor or downloader, brought along as an additional component
• Browser exploit kits and drive-by downloads
• TorrentLocker's authors have been both nimble and persistent
• Also spreads through RDP ports that have been left open to the Internet, as well as by email
• Can also encrypt a user's files on "mapped" drives: thumb drives, Dropbox, Box, USB drives, storage shares
Titus Regional Medical Center, January 2016
• Ransomware encrypted files on several of TRMC's database servers, blocking TRMC's ability to enter or retrieve patient data in the EHR
• No ransom was paid; the security team remediated the situation
Hollywood Presbyterian, February 2016
• Suffered a ransomware attack that prevented access to the EMR and to communications
• The leading suspected cause, according to sources familiar with the investigation, is a phishing attack: likely a link in an email that was clicked by a hospital employee on a computer with access to the EMR system
• Paid $17,000 in Bitcoin before contacting law enforcement
MedStar Health, March 2016
• Suffered a ransomware attack that locked access to systems and files in all 10 hospitals and 250 outpatient centers
• Attackers demanded 45 bitcoins within 10 days. Within one day, systems were once again readable, but not writable
• The attack involved Samsam, a server-side ransomware family that does not rely on malvertising or social engineering to get into a target's systems; the attackers first compromise a server and deploy it from there
Methodist Hospital, Kentucky, March 2016
• Locky ransomware locked down enough of the hospital's data that it was forced to declare an internal state of emergency. Officials later said they resolved the situation without giving in to the attackers' demands
• The attack lasted five days. The hospital states that it did not pay
What Happens When You're Locked Out
• Files or systems encrypted
• Files or systems locked
• Files threatened with destruction or deletion
Pay up: you become a target for life
Don't pay: tell the hackers to pound sand (but you had better have solid backups and a secure place to restore to)
Engage Incident Response
• Notify your information security team
• Notify authorities and regulatory bodies
• Identify Recovery Time and Recovery Point Objectives
• Preserve evidence
• Engage your legal team ASAP
Isolate the Device
• Remove the impacted system from the network, then remove the threat
• Removal is best done with the system off the network, to prevent any further spread of the threat
Attempt Data Recovery
• Restore any impacted files from a known-good backup
• Restoring your files from a backup is the fastest way to regain access to your data
• Requires confidence in the integrity of the backup
• Requires a clean destination to restore to
• May take some time
Hybrid Recovery
• Stall for time by trying to negotiate
• In the meantime, work on recovery from a backup
• Requires confidence in the integrity of the backup
Pay the Ransom?
Why pay?
• Without a backup, it may be the only realistic means of retrieving the data
• Possibly quicker and cheaper than restoration or starting over
Reasons not to pay
• May increase the likelihood of additional attacks
• Motivates the attackers to keep carrying out their attacks
• Increases the likelihood of attacks from other sources
• Funds the cybercrime operation and the infrastructure it uses to commit further fraud
• May not achieve recovery, even if you pay
Start Over
• Dispose of all infected devices
• Rebuild from scratch
• Will be expensive and time consuming
• History is lost
Defense in Depth in IT
Layers:
• Multi-level security: user, process, device
• Physical infrastructure
• Network security: air-tight, properly configured
• System security
• Data & application security
Defense in depth and defense in breadth: applied across each use case to the appropriate level
• Reduce attack surfaces
• Deploy crypto keys
• Create secure people, processes & systems
#1: Back Up Your Data
• Regular and consistent backups, along with tested and verified restores
• Keep a recent backup copy offsite and offline; a backup reachable over a mapped drive or UNC path is just another share the malware can encrypt with the user's permissions
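"Confidence in the integrity of the backup" (Attempt Data Recovery) and "tested and verified restores" (this slide) both come down to being able to prove that what you restored is byte-for-byte what you backed up. The following added example, not code from the presentation, writes a SHA-256 manifest alongside a backup set and later verifies a restored tree against it, reporting files that are missing, altered or unexpected. The directory layout, file names, sample contents and the function names are assumptions constructed in demo().

```python
"""Verified restores: hash every file at backup time, keep the manifest with
the backup set, and prove a restore against it before declaring recovery.
Sample data is constructed in demo(); nothing here is real patient data.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed name, stored inside the backup set


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def backup(src: Path, dest: Path) -> dict[str, str]:
    """Copy the tree and record its manifest next to the copy."""
    shutil.copytree(src, dest)
    manifest = build_manifest(dest)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(restored: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest written at backup time."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "mismatched": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def restore_is_good(result: dict[str, list[str]]) -> bool:
    return not any(result.values())


def demo() -> tuple[dict, dict]:
    """Constructed scenario: back up a small EHR-like tree, restore it cleanly
    (verification passes), then simulate a restore onto a host where the
    malware was still running and re-encrypted files (verification fails)."""
    with tempfile.TemporaryDirectory() as tmp:
        t = Path(tmp)
        src = t / "live"
        (src / "ehr").mkdir(parents=True)
        (src / "ehr" / "patients.csv").write_text("id,name\n1,alice\n")
        (src / "ehr" / "notes.txt").write_text("clinical notes\n")
        manifest = backup(src, t / "backup")

        clean = t / "restore_clean"
        shutil.copytree(t / "backup", clean)
        good = verify_restore(clean, manifest)

        dirty = t / "restore_dirty"
        shutil.copytree(t / "backup", dirty)
        (dirty / "ehr" / "patients.csv").write_bytes(b"\x9f\x11 not the original bytes")
        (dirty / "ehr" / "notes.txt").rename(dirty / "ehr" / "notes.txt.locky")
        bad = verify_restore(dirty, manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean restore ok:", restore_is_good(good))
    print("dirty restore:", bad)
```

A manifest match proves that the restored tree equals the backup, not that the backup predates the infection; that is why the slide insists on recent offline copies and why several backup generations should be retained rather than one. The failing case in demo() is the "requires a clean destination" point from Attempt Data Recovery: restoring onto a host that still runs the malware produces a tree that the manifest immediately rejects.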
#2: Email Filtering & Phishing Awareness
• Don't click on links without scrutinizing the email to make sure it's legitimate
• Inbound email should be scanned for known threats, and any attachment type that could pose a threat should be blocked
• Filter email
• Block dangerous email attachments: ZIP, RAR, EXE, SCR, JavaScript, etc. Apply the same rules to the contents of archives, since a ZIP is the usual wrapper for a .js or .exe dropper
• Block macro-enabled content: Word, Excel, PowerPoint
  – A very prolific attack vector
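Putting the Malicious Attachments slide and the filtering bullets above into working logic: the following is an added example, not code from the presentation and not any vendor's filter. It screens an attachment by rejecting the blocked extension types, catching double extensions such as invoice.pdf.js, looking inside ZIP attachments (and refusing password-protected entries it cannot inspect), and detecting a VBA project inside an OOXML document even when the file carries a plain .docx name, which is how a macro document can slip past a filter that only checks for .docm. The policy lists, the function names and the three constructed sample attachments are assumptions; the samples contain no real macro code or malware.

```python
"""Attachment screening: blocked types, double extensions, archive contents
and macro-enabled Office documents. Sample attachments are constructed
below; they are shaped like the real thing but contain no real payload.
"""
import io
import zipfile

# Assumed policy lists. The first set covers the types the slide names plus
# their usual script-based peers.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta", ".bat", ".cmd",
    ".ps1", ".rar", ".7z",
}
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
# Legacy binary Office formats can carry macros with no hint in the name.
LEGACY_OFFICE = {".doc", ".xls", ".ppt"}
OOXML_EXTENSIONS = {".docx", ".xlsx", ".pptx"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_ARCHIVE_DEPTH = 2


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _has_double_extension(name: str) -> bool:
    """'invoice.pdf.js': only the last suffix counts to the OS."""
    parts = name.lower().split(".")
    return len(parts) > 2 and "." + parts[-1] in BLOCKED_EXTENSIONS


def ooxml_has_macros(data: bytes) -> bool:
    """An OOXML file is a zip; VBA lives in vbaProject.bin under word/, xl/ or ppt/."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def screen_attachment(filename: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the reasons to block this attachment; an empty list means allow."""
    reasons = []
    ext = _ext(filename)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"{filename}: blocked extension {ext}")
    if _has_double_extension(filename):
        reasons.append(f"{filename}: double extension")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"{filename}: macro-enabled Office format")
    if ext in LEGACY_OFFICE:
        reasons.append(f"{filename}: legacy Office format, macros cannot be ruled out by name")
    if ext in OOXML_EXTENSIONS and ooxml_has_macros(data):
        reasons.append(f"{filename}: OOXML with vbaProject.bin despite non-macro extension")
    if ext in ARCHIVE_EXTENSIONS:
        if depth >= MAX_ARCHIVE_DEPTH:
            reasons.append(f"{filename}: archive nested deeper than policy allows")
        else:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.flag_bits & 0x1:  # encrypted entry: cannot be inspected
                            reasons.append(f"{filename}: password-protected entry {info.filename}")
                            continue
                        reasons.extend(screen_attachment(info.filename, zf.read(info), depth + 1))
            except zipfile.BadZipFile:
                reasons.append(f"{filename}: corrupt or non-zip archive")
    return reasons


def _make_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a .docx that carries a VBA project, a clean .docx,
# and a ZIP hiding a script with a double extension.
SAMPLE_MACRO_DOCX = _make_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00" * 16,
})
SAMPLE_CLEAN_DOCX = _make_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
})
SAMPLE_ZIP_WITH_JS = _make_zip({"Shipping_Label.pdf.js": b"// placeholder, not a real dropper"})

if __name__ == "__main__":
    for name, blob in [("invoice.docx", SAMPLE_MACRO_DOCX), ("invoice.docx", SAMPLE_CLEAN_DOCX),
                       ("label.zip", SAMPLE_ZIP_WITH_JS)]:
        print(name, screen_attachment(name, blob) or "allow")
```

The check on vbaProject.bin is the one most filters miss: Word will happily open a .docx whose zip contains a VBA project and prompt the user to enable macros, exactly the Word document shown on the Malicious Attachments slide. Password-protected archives are rejected outright here because there is no way to apply the policy to what cannot be read.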
#3: Antivirus
• Exploit kits hosted on compromised websites are commonly used to spread malware
• Regular patching of vulnerable software is necessary to help prevent infection
#4: Updated Patches & Software
• Be sure all system and application patches are current
• Keeps you safer from drive-by downloads and from Samsam-style attacks, which gain entry through unpatched Internet-facing servers
#5: Settings & Access Control
• Show hidden file extensions, so that "invoice.pdf.exe" is not displayed as "invoice.pdf"
• Prevent files from running out of the user-writable AppData and Temp folders (Software Restriction Policy or AppLocker path rules)
  – %APPDATA%
  – %LOCALAPPDATA%
  – %TEMP%
• Disable RDP where it is not needed, and never leave it reachable from the Internet (see How Does Ransomware Spread?)
• Limit end-user access to mapped drives: the malware encrypts whatever the user can write to
• Install a firewall; block Tor and I2P, and restrict outbound traffic to the specific ports the business needs
Resources
• Very good Ransomware Tracker: https://ransomwaretracker.abuse.ch/
• Shodan HQ: https://www.shodan.io/
• CryptoLocker Prevention Kit: https://community.spiceworks.com/topic/396103-cryptolocker-prevention-kit-updated