Ransomware - Friend or Foe

Date post: 21-Apr-2017
Upload: srinivas-thimmaiah
Transcript
Page 1: Ransomware - Friend or Foe

Srinivas Thimmaiah | Ransomware | 14 Feb 2017 1

RANSOMWARE: Friend or Foe?

By: Srinivas Thimmaiah
Date: 14 Feb 2017

Page 2: Ransomware - Friend or Foe

About me

A seasoned Information Security professional, speaker & blogger having around 13+ years of rich and insightful work experience in the areas of Information Security Assurance, Governance, Risk Management, BCM, Supplier Management, Awareness, IT Security, operational excellence and also in influencing team members and management.

CISM, ISO 27001 certified, CISCO certified Information Security & IT Security experienced professional.

Page 3: Ransomware - Friend or Foe

Agenda

• What is ransomware
• Evolution of ransomware
• Types of ransomware
• Who is my target
• Top 3 ransomware strains of 2016
• Trends of 2016 & ‘17
• Case study
• Protect yourself
• Conclusion

Page 4: Ransomware - Friend or Foe

What is Ransomware

Ransomware is computer malware that installs covertly on a victim's device (computer, smartphone, etc.), executes a cryptovirology attack that adversely affects it, and demands a ransom payment to decrypt it or not publish it.

Ran some where

Source: https://en.wikipedia.org/wiki/Ransomware

Page 5: Ransomware - Friend or Foe

Evolution of ransomware

Source: https://blog.knowbe4.com/a-short-history-evolution-of-ransomware

• 1989: AIDS/PC Cyborg trojan
• 2006: PGP Coder encryption trojan
• 2014: CryptoDefense ransomware
• 2016: Locky ransomware

Page 6: Ransomware - Friend or Foe

Types of Ransomware

• Encryption Ransomware: encrypts files/folders
• Lock Screen Ransomware: locks the screen and demands payment
• Master Boot Record Ransomware: interrupts the normal boot process

Page 7: Ransomware - Friend or Foe

Who is my target

Whoever can pay ransom is my “Target”

Business users
• Technology dependent
• Data (customer)
• Stakeholder management

Public/Government agencies
• Data (confidential/secret)
• Technical support
• Reputation

*.wb2 *.mdf *.dbf *.psd *.pdd *.eps *.ai *.indd *.cdr *.dng *.3fr *.arw *.srf *.sr2 *.bay *.crw

Home users
• Personal data
• Data backup
• Technical support

Source: Symantec

Page 8: Ransomware - Friend or Foe

Top 3 Ransomware Strains of 2016

1. Locky

Locky is ransomware released in 2016. It is delivered by email (presented as an invoice requiring payment) with an attached Microsoft Word document that contains malicious macros.

Researchers detected the first sample of Locky in February 2016. Shortly thereafter, it made a name for itself when it infected the computer systems at Hollywood Presbyterian Medical Center in southern California. Officials chose to temporarily shut down the hospital’s IT system while they worked to remove the ransomware, a decision which caused several departments to close and patients to be diverted elsewhere. But without working data backups, the executives at Hollywood Presbyterian ultimately decided to pay the ransom.

2. TeslaCrypt

TeslaCrypt is a malicious program that encrypts users' files using AES encryption.

After months of tracking TeslaCrypt across spam campaigns and exploit kit attacks, security researchers at the Slovakian IT security firm ESET learned its developers intended to abandon the ransomware. The researchers contacted the developers and requested the master decryption key. In response, TeslaCrypt’s authors published the key, which ESET used to make a free decryption utility. Victims of the ransomware can now use this tool to regain access to their files.

3. HDDCryptor

HDDCryptor is a nasty family of ransomware. It’s capable of enumerating existing mounted drives and encrypting all files as well as finding and accessing previously connected drives and disconnected network paths.

Researchers first detected HDDCryptor in September 2016. Two months later, the ransomware made headlines when it infected 2,000 systems at the San Francisco Municipal Transport Agency (SFMTA), or “Muni,” and demanded ransom. Fortunately, the attack did not affect SFMTA’s rail and bus service, and the public agency said it would use its working backups to restore access to its systems.

Source: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/top-10-ransomware-strains-2016/

Page 9: Ransomware - Friend or Foe

Trends of 2016 & ‘17

Source: proofpoint.com

Growth in Distribution

Total ransomware has grown 80% in 2016

Ransomware 2016

Ransomware 2017 Projection

Page 10: Ransomware - Friend or Foe

Cont..

Source:
http://www.slideshare.net/JohnCABambenek/cryptolocker-andfriends-bhusa14
http://www.darkreading.com/ransomware-attack-on-cctv-cameras-in-washington-dc-ahead-of-trump-inauguration/d/d-id/1328016

Ransomware Attack On CCTV Cameras In Washington DC Ahead Of Trump Inauguration

Hotel hit by ransomware attack, report of guests trapped

Page 11: Ransomware - Friend or Foe

Case study

Real Time Experience

Page 12: Ransomware - Friend or Foe

Protect yourself

• Awareness
• Don’t get tricked
• Effective Backup Management
• Use of Antimalware software
• Whitelisting program
• Effective Patch Management

Page 13: Ransomware - Friend or Foe

Conclusion

Reasons why we should pay…
• Data is costlier than the ransom I pay
• Business priorities
• To avoid reputation loss
• Interest over time

Reasons why we should NOT pay…
• May repeat again
• Next ransom will be higher
• Criminals can’t be trusted
• Encouraging criminals

Maybe yes, maybe no, maybe yes and no

Page 14: Ransomware - Friend or Foe

Questions

Page 15: Ransomware - Friend or Foe
