Cisco Ransomware Overview (with video): Cisco Ransomware Defense Solutions

Post on 06-Jun-2020


Ransomware Defense

Adrian Aron, Consultant Systems Engineer, Cisco Security

Oct 2016

Agenda

Ransomware?

The Anatomy of an Attack Video

Cisco Ransomware Defense Solutions

Ransomware is a Massive Market

Size of the ransomware market: $1B and growing.

$209M in Q1 CY2016.

YoY growth of 1000% since CY2015.

The Evolution of Ransomware Variants

Timeline slide; years marked along the axis: 2001, 2005, 2006, 2007, 2008, 2012, 2013, 2014, 2015, 2016.

Milestones and variants in the order they appear on the slide: GPCoder, Fake Antivirus, First commercial Android phone, QiaoZhaz, CRYZIP, Redplus, Bitcoin Network Launched, Reveton.A, Ransomlock, Dirty Decrypt, Cryptorbit, Cryptographic Locker, Urausy, Cryptolocker, CryptoDefense, Koler, Kovter, Simple Locker, Cokri, CTB-Locker, TorrentLocker, CoinVault, Svpeng, TeslaCrypt, Virlock, Lockdroid, Reveton, Tox, Crypvault, DMALock, Chimera, Hidden Tear, Lockscreen, TeslaCrypt 2.0, Cryptowall, SamSam, Locky, Cerber, Radamant, HydraCrypt, Rokku, Jigsaw, PowerWare, 7ev3n, KeRanger, Petya, TeslaCrypt 3.0, TeslaCrypt 4.0, TeslaCrypt 4.1.

How Ransomware Works

Email-based infection: an email with a malicious attachment delivers the ransomware payload; the payload exchanges its encryption key with C2 infrastructure; the victim's files become inaccessible.

Web-based infection: the user clicks a link or is hit by malvertising; malicious infrastructure delivers the ransomware payload; the payload exchanges its encryption key with C2 infrastructure; the victim's files become inaccessible.

Play the Video: “Anatomy of an Attack”

https://youtu.be/4gR562GW7TI

Let's Review the Steps of the Attack

The hacker used a valid-looking email to deliver a file to employees. Except the originating domain name wasn't exact: quallcart.com.

The hacker then built enough "trust" in the email to get employees to open the file.

The malicious file executed on the employee's laptop.

The first payload is a ransomware attack, used as a decoy.

Ultimately, the hacker stole customer data and financial information from the organization.

The side payload was used to exfiltrate data.

Ransomware Defense Solutions

Architectural Force Multiplier: ransomware defense built from four components.

NGFW with AMP: Reinforce the Perimeter

AMP for Endpoints: Protect Key Endpoints

Network as a Sensor and Enforcer: Leverage the Network

OpenDNS Umbrella: Extend Security off Network

Cisco Email Security with AMP would have inspected the email and detected the malware. Initial SPF, DKIM and DMARC checks can easily spot this type of e-mail.
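As an added example (not from the deck), the two checks the slides describe applied to a constructed message: the sender's domain is compared against a constructed trusted-sender list to catch the one-letter lookalike (quallcart.com), and the spf/dkim/dmarc verdicts are read from the Authentication-Results header. The genuine domain (qualcart.example) and the message itself are assumptions of the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed trusted-sender list (an assumption; the deck never names the genuine domain).
TRUSTED_DOMAINS = {"qualcart.example"}

# Constructed message mirroring the deck's scenario: sender domain off by one letter.
SAMPLE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=quallcart.com; dkim=none; dmarc=none header.from=quallcart.com
From: "Accounts Payable" <billing@quallcart.com>
Subject: Updated invoice attached

"""

def levenshtein(a, b):
    """Edit distance; a tiny distance between domain labels signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts

def lookalike_of(domain, trusted, max_distance=1):
    """Return a trusted domain whose first label is within max_distance edits, else None."""
    label = domain.split(".")[0]  # simplification: compare the brand label only
    return next((t for t in trusted
                 if 0 < levenshtein(label, t.split(".")[0]) <= max_distance), None)

def assess_message(raw, trusted=TRUSTED_DOMAINS):
    """Return the red flags found in one raw message (empty list means none)."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    auth, findings = parse_auth_results(msg), []
    match = None if domain in trusted else lookalike_of(domain, trusted)
    if match:
        findings.append(f"lookalike sender domain {domain} resembles {match}")
    findings += [f"{m} did not pass" for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    return findings
```

A domain the attacker registered can pass SPF for itself, as the constructed header shows, so the lookalike comparison runs alongside the authentication verdicts rather than relying on them alone.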

Cisco AMP for Endpoints would have detected and blocked the ransomware on the laptops and prevented the PDF attachment from opening.

Cisco Umbrella and Firepower NGFW would have blocked the ransomware from calling out to the internet.

Simple, Open, Automated: Effective Security