
Author Christoph Mahrl Version 1.0

Date 27. April 2016

SPARC: SBA Preventive and Agile Ransomware Controls

The SBA Research Approach for Effective Defense against Ransomware-based Attacks


4/27/2016 SPARC: SBA Preventive and Agile Ransomware Controls 2/19

Table of Contents

1 Introduction (page 3)

2 Executive Summary (page 4)

3 Evolution of Ransomware (page 5)

4 Statistics and Predictions (page 8)

5 SBA Preventive and Agile Ransomware Controls (page 10)

SPARC 1: Security Awareness (page 10)

SPARC 2: Breach Detection System (page 11)

SPARC 3: Endpoint Security Solution (page 12)

SPARC 4: Network Segmentation (page 13)

SPARC 5: Access Control and Rights Management (page 13)

SPARC 6: Application and Directory Whitelisting (page 14)

SPARC 7: Data Recovery Strategy (page 15)

SPARC 8: Incident Response and Business Continuity (page 15)

SPARC 9: Contact Security Vendors and Authorities (page 17)

SPARC 10: Cybercrime Insurance (page 18)

6 References (page 19)


1 Introduction

Ransomware is currently hyped all over the media, with dedicated headlines one after another. Many sophisticated ransomware variants such as TeslaCrypt, KeRanger and Locky are currently in circulation, threatening home users and large organizations alike.

The intention of this type of malicious software is to render a computer and/or its data useless in order to blackmail victims into paying ransom money for recovery. The evolution of ransomware shows a range of techniques, from very simple to more advanced, for disabling computers or rendering stored data unusable. Lately it has become common for ransomware to apply cryptographic measures specifically designed to encrypt valuable data. After encryption, a ransom message (see Figure 1) is displayed to the user, leaving him with essentially two choices:

1. Pay the requested ransom money within a period of time to (hopefully) obtain a decryption key.

2. Refuse to pay, taking the risk of a possible permanent loss of the involved data.

Figure 1 - Example of a Ransomware Message¹. The message shown in the figure reads:

"… to obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD … Any attempt to remove or damage this software will lead to the immediate destruction of the private key by the server."

The purpose of this whitepaper is to provide a security guide for organizations to be prepared for incidents concerning ransomware. It discusses proactive and reactive security controls recommended for implementation in order to establish an effective ransomware defense.

1 http://thehackernews.com/search/label/CryptoLocker


2 Executive Summary

Ransomware with cryptographic capabilities (also: crypto locker), which renders the valuable data of victims useless, has become very widespread lately. Without precautionary measures, a ransomware infection can have a devastating and costly impact on a business, ranging from small operational interruptions to a permanent shutdown of the business. Therefore, this whitepaper discusses various security controls (see Figure 2) recommended for implementation in order to cope with the impact of a compromise and thereby to preserve daily business.

Building an effective defense against ransomware requires both a proactive and a reactive approach. Proactive security controls (e.g. network segmentation, access control management, etc.) are designed to harden an environment against attacks in order to either reduce the impact of a successful attack or prevent the attack altogether. Reactive security controls (e.g. incident response management, data recovery, insurance, etc.), on the other hand, deal with being able to correctly detect, respond to and recover from attacks in an effective and efficient way.

Figure 2 - Overview of SBA Security Controls for Defense against Ransomware

In general, information security should be seen as an iterative process that has to be reviewed and refined regularly to keep up with current security standards. This can be a challenging task, as new technologies and attacks emerge and evolve at a very fast pace. The question is not if but when a security incident will happen. So when reading this whitepaper, ask yourself whether your company's security controls currently in place can actually handle ransomware-based attacks and incidents.

Figure 2 groups the controls as follows:

Proactive

• SPARC 1: Security Awareness

• SPARC 2: Breach Detection System

• SPARC 3: Endpoint Security Solution

• SPARC 4: Network Segmentation

• SPARC 5: Access Control and Rights Management

• SPARC 6: Application and Directory Whitelisting

Reactive

• SPARC 7: Data Recovery Strategy

• SPARC 8: Incident Response and Business Continuity

• SPARC 9: Contact Security Vendors and Authorities

• SPARC 10: Cybercrime Insurance


3 Evolution of Ransomware

The basic idea of ransomware is nothing new. The first incidents of malicious software that demanded a ransom to be paid in order to remove previously applied restrictions date back to 1989.

At that time, the so-called AIDS Trojan malware counted the number of system boots of a DOS² machine. After a pre-defined limit of boot counts was exceeded, the malware triggered a malicious payload: it hid directories, encrypted the names of all files on drive C: and eventually claimed that the "user's license" had expired. To "renew" the license, and therefore to recover the victim machine's system, the affected user had to make a payment of $189.

Figure 3 - The History of Ransomware (ESET)

The timeline in Figure 3 shows: AIDS Trojan (1989), Gpcode (2005), Winlock (2010), Reveton (2012), CryptoLocker (2013), CryptoWall (2014), TeslaCrypt (2015), Locky (2016).

Although the AIDS Trojan laid the foundation of a new malware category, ransomware disappeared for many years. Only in 2005 did a new family of ransomware, named Gpcode, emerge. Gpcode was one of the first ransomware families that used cryptographic techniques to encrypt the actual files on the hard disk. Since then the popularity of ransomware has increased steadily and different types have emerged. In recent years, criminal organizations have regularly released new major variants of ransomware, multiple times almost every year (see Figure 3).

Besides crypto ransomware, other types of ransomware have evolved over time. In general, these include:

• Masqueraded Applications

Early ransomware was disguised as legitimate applications such as performance enhancement tools or endpoint security solutions. These fake tools led the user to believe that the computer suffered from several issues that would affect computer performance or security. Users were then informed that the corresponding tool could fix these "issues", but in order to resolve them the user had to pay a small fee for a license in advance. Obviously, the tools did not fix anything and the victim was cheated.

2 Disk Operating System

• Computer Locker

Ransomware of this type is designed to deny access to a computer by locking or restricting the capabilities of available interfaces. Interfaces include:

o Graphical User Interfaces (Operating System, Applications, etc.)

o Human Interface Devices (Mouse, Keyboard, etc.)

This means that if a system is compromised with computer locker ransomware, access to the underlying system is denied. The user is then asked to pay ransom to regain access. The limited interface capabilities would then only allow the victim to enter, e.g., numbers to indicate the payment code.

• Data Locker

As mentioned previously, ransomware with cryptographic capabilities is very common lately. In contrast to a computer locker, this type of ransomware "locks" data stored on the computer or even on the network by encrypting it. Without the corresponding decryption key the data cannot be unlocked anymore. After compromising the system, its functionality is still fully retained, as only user data (e.g. photos, movies, data files, etc.) on the computer or network is encrypted. If no backup of the data exists, the data is most probably lost. Data locker ransomware is especially dangerous for businesses, as a single compromise could lead to the loss of very valuable data. Without a reasonable data recovery strategy, affected businesses will probably go bankrupt.

When speaking of data lockers, there is not, and will not be, any way to reverse their cryptographic actions without the corresponding decryption key. This is because data locker ransomware follows a simple cryptographic pattern, as depicted in Figure 4:

1. First, a random symmetric key is generated (e.g. a 256-bit AES key).

2. The data locker builds a list of files that shall be encrypted. Each file in this list is then encrypted using the previously generated key.

3. The symmetric key is then protected by encrypting it using an asymmetric cryptographic algorithm (e.g. RSA). To do so, a public key is downloaded from the C&C server on the Internet.

4. The encrypted symmetric key is then embedded (together with the public key) into the encrypted file.


Figure 4 - General Technique of Crypto Ransomware (Fischer, 2014)

As long as the private key is protected and kept secret by the C&C server, the chances of decrypting the files again are low. Early crypto ransomware often lacked proper key management or sufficient key sizes, leaving an open window for recovery measures. However, authors of ransomware continuously improve their malicious software, so that nowadays recovery can only be achieved with the corresponding decryption key. Nevertheless, there are still ways to protect against ransomware. These proactive and reactive security controls are explained in detail in section 5.

There are many attack vectors (see Figure 5) by which a system could be compromised by ransomware, provided that no or only a few security controls are implemented. Once a system is compromised through any of these attack vectors, the ransomware may propagate within the respective network.

Crypto ransomware attacks are dangerous not only because of their data locking techniques, but also because of their propagation capabilities. Hence, minimize attack vectors and adhere to the ransomware security controls discussed later on.

Figure 5 - Attack Vectors of Ransomware (Symantec Corporation, 2015). The figure lists: Traffic Distribution System, Malvertisement, Spam, Downloaders, Social Engineering.


4 Statistics and Predictions

The ransomware business is growing rapidly and, with upcoming variants, it will remain a major threat in the coming years. One principal reason for the popularity of ransomware is that more and more criminal organizations are seeking easy ways of direct income. Cyber criminals behind ransomware usually do not have specific targets. Their aim is to infect as many systems as possible, independent of location or owner. This way cyber criminals can demand a rather small ransom from each of their victims, but in total they attain a vast amount of ransom money.

Figure 6 - Top Countries Affected by Crypto Ransomware (Symantec Corporation, 2015)

Country        Share
USA            38%
Japan          26%
UK             11%
Italy           7%
Australia       4%
Netherlands     3%
Russia          3%
Canada          3%
India           3%
Germany         2%

Ransomware is very widespread: 11 of the top 12 countries impacted by crypto ransomware are members of the G20. Yet the occurrence of ransomware varies greatly between countries (see Figure 6). With the USA, Japan and the UK ranking at the top, the occurrence of ransomware falls off sharply, with Germany being last in the list.

According to Symantec, file-encrypting ransomware (e.g. TeslaCrypt, CryptoWall, etc.) is predominant. Findings revealed that in 2015 over 64 percent of detected ransomware was crypto ransomware, whereas the other 36 percent was ransomware with computer locking capabilities. It was also revealed that crypto ransomware is gradually gaining more and more popularity amongst cyber criminals. This is probably because victims are more willing to pay for lost data than for lost computing capabilities.


Another interesting study investigates how much and when victims pay the demanded ransom money. Usually the cyber criminals behind ransomware give victims multiple opportunities to pay the ransom. When the "payment countdown" runs out, it is often restarted while demanding a higher ransom. With each iteration the amount of ransom is increased drastically, until a certain point is reached and the decryption key is permanently deleted.

A research group at Dell published data about ransom payments of CryptoWall victims (see Table 1). CryptoWall emerged in March 2014 and back then it was one of the leading file-encrypting ransomware families. In Table 1 each row represents an iteration, meaning that the payment countdown ran out. Most of the victims that paid the ransom (about 64.6%) paid the ransom of $500 in the period of the second iteration. There has even been one victim that paid an astonishing amount of $10.000 in the 9th iteration in order to recover the encrypted data. Of nearly 625.000 infections only 1.683 (0.27%) victims paid the ransom money, yet the cyber criminals could carry off a total of $1.101.900 over the course of only six months.

Ransom Amount   Number Paid   Percentage
$200                      6         0,4%
$500                  1.087        64,6%
$600                      3         0,2%
$750                    122         7,2%
$1.000                  399        23,7%
$1.500                   27         1,6%
$1.750                    1        <0,1%
$2.000                    6         0,4%
$10.000                   1        <0,1%

Table 1 - Distribution of Ransom Payments Made by CryptoWall Victims (Dell, 2014)

As long as victims imprudently pay ransom money, generating fast and direct cash for cyber criminals, ransomware will not decline. On the contrary, according to a report by Intel Security the peak has not yet been reached, and it is expected that the growth of ransomware will continue in 2016. However, predicting the evolution of the ransomware landscape over the next couple of years is not that easy. Symantec believes that crypto ransomware will probably soon reach its peak and then decline steadily. Yet with cyber criminals finding other options and alternatives for fast cash, it is also believed that crypto ransomware will relaunch within a period of two years after a rather short stagnation phase.


5 SBA Preventive and Agile Ransomware Controls

Many studies and predictions suggest that ransomware with file-encryption capabilities will continue to grow, as more and more criminal organizations realize the great potential for fast and easy cash by distributing ransomware. Since there is no, and will never be, a simple solution for recovery of encrypted data, organizations must prepare beforehand in order to cope with the impact of a compromise and thereby to preserve daily business.

SBA Research has come up with several proactive and reactive security controls, explained in detail below, to set up an effective defense against ransomware attacks. It is highly recommended to consider these security controls for implementation in order to increase resistance against ransomware.

SPARC 1: Security Awareness

One security control against ransomware that is obvious but hard to master is awareness. Employee awareness is not something that is simply achieved, but should be considered an iterative and ongoing process. There are many attack vectors allowing ransomware to compromise whole enterprise networks. Many of those attack vectors (e.g. spam emails, social engineering …) involve employees, treating them as the weakest link of the security chain.

Therefore, it makes sense to train staff properly to prevent an incident beforehand. Even if an employee should fall for a spam message leading to the compromise of his or her system, it is not that bad as long as the employee knows and follows the strict rules of an incident plan and immediately reports the incident to the persons in charge. Employee behavior like this allows the incident response team (see SPARC 8: Incident Response and Business Continuity) to take immediate action, initiating remediating measures to stop the propagation of ransomware and clean infected systems.

This means that the key goal of every security awareness program should be for employees to be able to recognize malicious content (e.g. e-mails, malicious websites, suspicious binary files …), to know what to do in certain situations and to know whom to inform in such cases.

With this goal in mind, it is recommended to develop a comprehensive security awareness program. To help communicate core security messages, various types of awareness training exist, e.g.:


• Classroom-type Training

o Lecture-based and interactive learning in classrooms.

• Security Awareness Website

o A website consisting of the different sections and areas that should be covered. Interactive content such as tutorials, videos, online quizzes etc. helps users to understand the content.

• Helpful Hints

o Complementary to other types of awareness training, helpful hints (e.g. tips, reminders, visual aids, …) on key points emphasized in trainings will help users to remember and deepen security awareness.

• Promotions

o Promoting security awareness across the entire enterprise is also a good technique to continually improve security awareness amongst employees. Possible methods of promotion include flyers, posters, catchy reminders or phrases and more.

SPARC 2: Breach Detection System

Breach detection systems, also considered the next generation of conventional intrusion detection systems, help secure corporate networks by thoroughly inspecting network traffic to detect malicious behavior and attacks. Inspection includes the extraction of data such as files, mails and drive-by downloads for further analysis using a combination of signature-, heuristics- and sandboxing-based techniques.

Breach detection systems play an integral part in cyber defense, especially when it comes to defense against ransomware, providing both a proactive and a reactive approach to malware identification. In general, a breach detection system covers the following functionalities:

• Signature-based and/or heuristics-based malware identification

• Network traffic analysis

• Sandboxing

• Browser emulation

• Domain reputation identification

• Response mechanisms, e.g. alerting, session termination etc.

• Reporting on compromised hosts


A breach detection system can be considered the first technical measure in line that identifies, and in the best case even prevents, ransomware from actually infecting hosts within the corporate network. Lastline is one good example of a breach detection platform that is currently deployed in many companies worldwide and provides businesses with automated detection of active data breaches. Good detection rates for malicious files and network traffic rely heavily on the engine as well as on threat intelligence data (e.g. file reputation, IP reputation, URL reputation, etc.). To enhance detection rates further, malicious IP addresses and domains could be integrated manually into the breach detection system (e.g. by using third-party threat intelligence data³). In the most recent malware detection test conducted by the independent NSS Labs, Lastline managed to achieve an overall malware detection rate of 98.6%.

Even though the malware detection rate of Lastline is relatively high, it also shows that breach detection systems are not a panacea. In order to cope with ransomware attacks and prevent financial damage, additional security controls will have to be taken into account.
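The manual integration of malicious IP addresses and domains described above is, at its core, a match of observed traffic against an indicator list, followed by the alerting and "reporting on compromised hosts" functionalities listed under SPARC 2. The following Python example is added here and is not from the whitepaper or from Lastline; it uses a constructed CSV feed (the indicator values are placeholders from documentation address ranges, not real indicators) and constructed proxy log lines to show how such a feed is matched against outbound requests and how the hits are rolled up into a list of internal hosts to isolate.

```python
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Constructed threat-intelligence feed standing in for a third-party list.
# All indicators are placeholders (RFC 5737 / reserved example names).
FEED_CSV = """indicator,type,malware
evil-c2.example,domain,ConstructedCryptoFamily
203.0.113.45,ip,ConstructedCryptoFamily
198.51.100.0/24,cidr,ConstructedLockerFamily
"""

# Constructed proxy log lines: "epoch client method url status".
PROXY_LOG = """1461758400.123 10.20.1.15 GET http://evil-c2.example/gate.php 200
1461758401.456 10.20.1.16 GET http://intranet.corp.example/ 200
1461758402.789 10.20.2.7 POST http://203.0.113.45/upload 200
1461758403.001 10.20.2.9 GET http://198.51.100.77/p.bin 200
1461758404.111 10.20.1.15 GET http://www.example.org/ 200
"""


@dataclass(frozen=True)
class Alert:
    host: str        # internal client that made the request
    indicator: str   # feed entry that matched
    malware: str
    url: str


def load_feed(text):
    """Split a feed into exact-match domains/IPs and CIDR ranges."""
    exact, nets = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        if row["type"] == "cidr":
            nets.append((ipaddress.ip_network(row["indicator"]), row["malware"]))
        else:
            exact[row["indicator"].lower()] = row["malware"]
    return exact, nets


_HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.I)


def url_host(url):
    """Extract the host part of a URL (no port, no path)."""
    m = _HOST_RE.match(url)
    return m.group(1).lower() if m else None


def lookup(host, exact, nets):
    """Return (matched indicator, malware family) or None."""
    if host in exact:
        return host, exact[host]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a domain name that is not on the list
    for net, malware in nets:
        if addr in net:
            return str(net), malware
    return None


def scan_proxy_log(log_text, feed_text):
    """Alert on every request whose destination matches the feed."""
    exact, nets = load_feed(feed_text)
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip
        client, url = parts[1], parts[3]
        host = url_host(url)
        if host is None:
            continue
        hit = lookup(host, exact, nets)
        if hit:
            alerts.append(Alert(client, hit[0], hit[1], url))
    return alerts


def compromised_hosts(alerts):
    """Distinct internal clients with at least one hit, for the isolation list."""
    return sorted({a.host for a in alerts})


if __name__ == "__main__":
    found = scan_proxy_log(PROXY_LOG, FEED_CSV)
    for a in found:
        print(f"ALERT {a.host} -> {a.indicator} ({a.malware}) {a.url}")
    print("hosts to isolate:", compromised_hosts(found))
```

Exact-match entries are checked first, so an IP that is both listed individually and covered by a range reports the more specific indicator; the CIDR pass only runs for hosts that parse as addresses.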

SPARC 3: Endpoint Security Solution

Endpoint security solutions provide another layer of security that might prevent ransomware from being executed on a system. They should be considered a complementary security control that plays an important role in cases where breach detection systems fail or simply cannot detect malicious activity (e.g. infection via portable USB drive, etc.).

A signature-based approach on host systems ensures that many (known) malicious files or websites are blocked in advance, before they can actually be executed on the system. Obviously, detection rates depend heavily on current threat intelligence data that is obtained from vendor-specific clouds. However, this approach only provides protection against ransomware that has already been examined and whose signatures have been pushed into the threat intelligence cloud.

Therefore, make sure to deploy professional endpoint security solutions (independent of the host's operating system!) that provide additional security modules such as sandboxing, intrusion prevention, application control, etc. Especially an application control module that allows blacklisting/whitelisting of applications can be (if used correctly) an excellent "quick win" against ransomware. Whitelisting will be discussed in detail in SPARC 6: Application and Directory Whitelisting.

Apart from application control, detection via dynamic techniques (such as sandboxing, heuristics, etc.) should not be considered optional but necessary in order to have an effective ransomware defense.

3 https://ransomwaretracker.abuse.ch/

SPARC 4: Network Segmentation

Segmentation of the corporate network into separate zones, each meeting certain security requirements, is one of the most important aspects when it comes to ransomware defense. The purpose of segmentation is to keep a possible ransomware infection within a zone and prevent it from spreading across the whole network.

This approach helps to limit damage and hence to lower the expense of remediating measures, as ransomware can only make data unusable that it has access to. Obviously this only works if proper rights management and access control mechanisms (see SPARC 5: Access Control and Rights Management for details) are in place. If binaries are executed with privileged access rights, e.g. under an administrator account, then the concept of network segmentation will most probably not work, since administrators have access to zones that ordinary users usually do not have.

In general, when segmenting networks the following zones are frequently implemented and highly recommended:

• Public domain and guest zone

• External server zone / Demilitarized zone (DMZ)

• Internal server zone

• Internal client zones

• Internal system management zones

SPARC 5: Access Control and Rights Management

The reason why ransomware gains so much attention now is (amongst other things) that companies often lack proper access control and rights management. This can be fatal for organizations, especially when experiencing a ransomware attack. The impact of insufficient access control and rights management is almost identical to that of bad network segmentation, as it results in ransomware having access to resources that it definitely should not have at all.

It is considered best practice to always adhere to the least-privilege principle, which means that users should only have access to resources they really need. A worst case would be a corporate file share that every user has unlimited access to. Without proper access control settings, ransomware with propagation capabilities could spread with ease across the whole network, making the data of all affected hosts unusable. Incidents like this can easily be prevented, or at least mitigated, if users only have access to resources they really need.

In general, when it comes to access control and rights management, the following questions should be asked and regularly assessed:

• What resources do users have access to?

• Are the access privileges sufficient (always adhere to the least-privilege principle) for the user's role in order to cope with his or her daily work?

• Have users taken on new roles in the meantime?

• If so, do these users still have the access privileges of their old role?
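The four questions above amount to a periodic comparison of what each user can reach against what his or her current role needs. The Python below is an added illustration, not part of the whitepaper; the role model, share names and users are constructed. It flags privileges left over from a previous role (the last two questions) separately from privileges that no role explains, and also reports privileges a role needs but the user lacks, since least privilege also means the user can still do his or her daily work.

```python
from dataclasses import dataclass

# Constructed role model (assumption for illustration): the resources each
# role legitimately needs for daily work.
ROLE_PERMISSIONS = {
    "accounting": {"finance-share", "shared"},
    "engineering": {"projects-share", "shared"},
    "helpdesk": {"shared", "it-tools"},
}


@dataclass
class User:
    name: str
    current_roles: set
    previous_roles: set   # roles the user held before, per the HR record
    granted: set          # resources the user can actually reach today


# Constructed users.
USERS = [
    User("alice", {"accounting"}, set(), {"finance-share", "shared"}),
    # bob moved from accounting to engineering but kept the finance share
    User("bob", {"engineering"}, {"accounting"},
         {"finance-share", "projects-share", "shared"}),
    # carol holds a grant that none of her roles, past or present, explains
    User("carol", {"helpdesk"}, set(), {"shared", "it-tools", "projects-share"}),
]


def required_for(roles):
    """Union of the resources needed by a set of roles."""
    needed = set()
    for role in roles:
        needed |= ROLE_PERMISSIONS.get(role, set())
    return needed


def audit(user):
    """Return (category, resource) findings for one user."""
    needed = required_for(user.current_roles)
    leftover = required_for(user.previous_roles) - needed
    findings = []
    for res in sorted(user.granted - needed):
        # Excess privilege: explained by an old role, or by nothing at all.
        category = "stale-role-privilege" if res in leftover else "unexplained-privilege"
        findings.append((category, res))
    for res in sorted(needed - user.granted):
        # A missing grant blocks daily work and usually ends in an over-broad fix.
        findings.append(("missing-privilege", res))
    return findings


def audit_all(users):
    """Map each user name to the findings of the audit."""
    return {u.name: audit(u) for u in users}


if __name__ == "__main__":
    for name, findings in audit_all(USERS).items():
        print(name, findings or "OK")
```

Run against a real directory, the `granted` set would come from effective share and group membership rather than a literal, and `previous_roles` from the HR or identity system's change history.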

SPARC 6: Application and Directory Whitelisting

Many ransomware infections can be prevented beforehand by simply disallowing the execution of unknown or unwanted binaries. Various solutions exist for application whitelisting, which means that only explicitly defined applications are allowed to be executed. The opposite, application blacklisting, is also possible, where explicitly defined applications are not allowed to be executed. In general, a whitelisting approach should be preferred over a blacklisting approach, as it restricts users up front to only the required applications and blocks all other applications by default.

Since the management of application whitelists can be an extensive task, especially in big environments, directory whitelisting might be preferred. For instance, a malicious drive-by downloader will most probably hide malware in system or configuration directories such as %TMP%, in which only temporary application data is stored and users actually do not need execution privileges. Often it is only necessary to prevent the execution of binaries in exactly these directories (e.g. C:\Windows, %TMP%, etc.) to avoid a ransomware infection. In addition to withdrawing execution privileges for directories, preventing the execution of scripts altogether (e.g. *.bat, *.cmd, *.cs, *.reg, *.vbs, *.js …) could further minimize the risk of a ransomware compromise.
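The directory and script-extension rules in the paragraph above can be expressed as a small policy and checked before an execution control product is configured. The Python below is an added example, not from the whitepaper and not the configuration syntax of any particular whitelisting product. The denied directories (an assumed expansion of %TMP% for one user, plus C:\Windows\Temp and C:\ProgramData) are assumptions for illustration, while the blocked script extensions are the ones listed on the page. It canonicalises paths so that differences in case and ".." components do not slip past a directory rule, and it requires a path separator after the directory so that a sibling directory with a longer name is not matched by accident.

```python
import ntpath

# Assumed policy for illustration. The page names C:\Windows and %TMP% as
# directories to deny execution in; here %TMP% is shown already expanded for
# one user, and C:\Windows\Temp / C:\ProgramData are assumed further entries.
DENIED_DIRS = [
    r"C:\Users\alice\AppData\Local\Temp",   # assumed expansion of %TMP%
    r"C:\Windows\Temp",
    r"C:\ProgramData",
]
# Script extensions listed on the page, blocked regardless of location.
BLOCKED_SCRIPT_EXTS = {".bat", ".cmd", ".cs", ".reg", ".vbs", ".js"}


def _canonical(path):
    """Resolve '..' components and fold case, Windows-style, on any platform."""
    return ntpath.normcase(ntpath.normpath(path))


def _is_under(path, directory):
    d = _canonical(directory)
    p = _canonical(path)
    # Require a separator after the directory so C:\ProgramDataX is not matched.
    return p == d or p.startswith(d + "\\")


def execution_decision(path, denied_dirs=DENIED_DIRS, blocked_exts=BLOCKED_SCRIPT_EXTS):
    """Return (allowed, reason) for an attempted execution of `path`."""
    ext = ntpath.splitext(path)[1].lower()
    if ext in blocked_exts:
        return False, f"script extension {ext} is blocked"
    for d in denied_dirs:
        if _is_under(path, d):
            return False, f"execution denied under {d}"
    return True, "allowed"


def denied_paths(paths):
    """Filter a list of attempted executions down to those the policy blocks."""
    out = []
    for p in paths:
        allowed, reason = execution_decision(p)
        if not allowed:
            out.append((p, reason))
    return out


# Constructed attempts, including a case change and a '..' component.
ATTEMPTS = [
    r"C:\Program Files\Editor\editor.exe",
    r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
    r"C:\Users\alice\AppData\Local\TEMP\..\temp\dropper.exe",
    r"C:\Users\alice\Documents\invoice.js",
    r"C:\ProgramDataX\tool.exe",
]

if __name__ == "__main__":
    for p in ATTEMPTS:
        print(execution_decision(p), p)
```

A real deployment would hand these rules to the operating system's execution control rather than a script, but checking a candidate policy against a log of observed execution paths this way shows which legitimate programs it would break before it is enforced.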


SPARC 7: Data Recovery Strategy

The most obvious but also the most important security control for effective ransomware

defense is to have working and current backups that can be imported into systems in

order to guarantee availability of data. Meeting this security control will require a data

recovery strategy to be planned and tested thoroughly to be able to recover from disasters

at any possible time. In any case, there should be a plan that clarifies at least the following

questions:

• Who is responsible for backups?

• What systems or data are critical and therefore qualify for backups?

• When and what kind of backups are carried out?

• At what intervals are backups carried out?

• How long must data be retained?

• Are backup intervals actually sufficient to meet data retention criteria?

• Are backups stored offline (Ransomware could encrypt online “backups” on storage

systems)?

• Are backups valid and actually tested?

• Does a data recovery procedure exist and is responsible staff trained to conduct this

procedure?

There are many more things to be aware of when speaking of data recovery. The main goal is to have valid and tested offline backups of critical systems or data stored somewhere securely. These backups should be tested regularly to ensure everything is working as expected and to train staff so that they are prepared for recovery in case of actual incidents.

SPARC 8: Incident Response and Business Continuity

The purpose of an incident response process is to ensure business continuity in the event of an incident such as a ransomware attack by responding quickly and effectively to the incident. A poorly conducted or even non-existent process can have serious consequences, leading to business interruptions and possibly even to a permanent shutdown.

An incident response infrastructure is needed to speed up discovery of attacks and to contain damage. A comprehensive incident response plan needs to be in place, including a policy statement that defines terms, roles and responsibilities and provides step-by-step instructions that should be followed in case of incidents.


The main goal of incident response management should be

• to limit the impact,

• to find and resolve the root cause of the incident,

• and to remediate caused damage (e.g. data recovery).

Incident response management is an iterative process consisting of various phases to handle incidents effectively. Figure 7 depicts the lifecycle of the iterative incident response process:

Figure 7 - Incident Response Lifecycle

1. Preparation

This step is crucial to ensure response actions are known and coordinated, by developing a formal incident response infrastructure.

2. Identification

In the second step, identification of incidents and escalation of the incidents to the appropriate individuals takes place. Various security mechanisms (e.g. SIEM …) can support security staff in identifying them.

3. Containment

In phase three, incidents are examined and assessed to determine how far the problem has spread and to prepare a proper response. Its main goal is to stop the attacker, contain the damage and regain control of victim machines.

4. Eradication

The root cause of the incident is investigated to understand the attack vector in order to subsequently remove it and clean up any traces left over from the attack.



5. Recovery

In the recovery phase, machines are remediated (e.g. image restore …) and put back into production to return to normal operational status. These machines are periodically monitored to ensure the system has been remediated entirely.

6. Lessons Learned

Finally, the whole incident response process is reviewed using all information acquired about the specific incident. The goal is to identify what went wrong and what worked well, in order to continuously improve the process.

SPARC 9: Contact Security Vendors and Authorities

When affected by ransomware, one essential measure is to contact the security vendors of anti-malware solutions, CERTs (Cyber Emergency Response Teams) and local authorities. In case of an incident, vendors and CERTs might provide useful help and support (especially if the IT security expertise of the affected company is low) to cope with the ransomware. There might also be the chance of obtaining a decryption key without paying the demanded ransom, as security vendors develop decryption tools [4] for ransomware families whose decryption keys were obtained by local authorities.

Ransomware incidents should be reported to the authorities by filing a charge. This allows authorities to conduct investigations in order to

• track down the flow of ransom money,

• observe C&C servers to obtain vital information,

• confiscate participating systems or

• locate and eventually arrest ransomware authors.

In addition, authorities provide dedicated contact points for organizations that fell victim to ransomware. These contact points provide consultation and guidance to handle incidents.

Furthermore, companies will probably need a quick and uncomplicated way to contact their respective vendor of endpoint security technologies (e.g. Anti-Virus). If the Anti-Virus solution in place is not detecting the ransomware, customers will need a signature update to prevent new infections.

[4] https://noransom.kaspersky.com/


SPARC 10: Cybercrime Insurance

As a last resort, organizations can consider buying cybercrime insurance. This allows organizations to pass the risk of an expensive ransomware compromise on to a third party. Depending on the contract, the subject matter of the insurance could include:

• costs of remediating measures (e.g. technicians, third party expertise, failover services, …),

• value of lost data and

• demanded ransom money.

However, insurance should only be seen as a complementary and not as a primary security control. It is not recommended to make use of insurance only to avoid implementing the other suggested security controls.

