Trainers Underground
What you need to know about Ransomware
Presenters Robert De Roeck from Indiana University
Donald Hester from Las Positas College / Maze & Associates
Covering Today
- Statistics
- The Costs
- Attack Vectors
- Prevention and Mitigation
- Typical Marks
- The Ransom
- The Criminals
- Predictions
- References
What is Ransomware?
“Ransomware is a type of malware installed on a computer or server that encrypts the files, making them inaccessible until a specified ransom is paid. Ransomware is typically installed when a user clicks on a malicious link, opens a file in an e-mail that installs the malware, or through drive-by downloads (which does not require user-initiation) from a compromised Web site.”
Source: FBI
10 to 400
A few years ago there were 10 different families of ransomware; as of the first quarter of 2017 there are over 400 families.
$500 to $2000
Ransom demands for small businesses or individuals seem to range from $500 to $2000.
Things to Remember
- Ransom – most fees have been reasonable.
- Consulting costs
- Lost revenue
- 63% report loss and 48% report downtime
- Incident response costs
- Forensics – you need to prevent future attacks
- Insurance
In 2010, insurance against sea pirates (like Somali pirates) paid out $448 million in ransoms but brought in $1.85 billion in insurance premiums. The other problem is: will they pay? Most cyber insurance carriers have stipulations similar to PCI. In other words, if you don’t have controls in place, they don’t pay.
Attack Vectors
- Flash
- Java
- Browser
- Email
- Unpatched systems
- Internet facing servers
Emails
- One example was a wave file that looked like it came from the phone system.
- GoldenEye ransomware targets human resources departments because they're used to opening emails and attachments from unknown sources.
Typical Marks
- Medical
- Transportation
- Local Government
- Education
- IoT
- Hotels (key card access)
- Individuals
- Organizations that lean to the left of the political spectrum
- Shotgun
Service
Most cyber-criminals treat this as a business, to the point that they have customer service to assist victims.
Reputation
Hackers have a reputation, and if they have a reputation for not giving your files back after you pay, word will get around, and people won’t pay.
Market Forces
They don’t try to price organizations out of the market. Organizations without money are less likely to pay large ransoms.
R & D
Investment. Cyber-criminals spend money on R&D to better perfect the process.
Other Markets
They also sell ransomware starter kits for anyone who wants to get in on the action, some for as little as 1 bitcoin.
Competition
Cyber-criminal organizations fight against each other as well. One hacker group hacked another group and released the keys to their ransomware.
Prevention & Mitigation
- Back-ups, air gap (BCP)
- Risk Assessment
- Patch management
- Configuration management
- Vulnerability scanning
- Whitelisting applications
- Anti-malware is critical but not enough
- Network isolation and segmentation
- Insurance
- Have a bitcoin account established
- Block IPs (In & Out)
- Monitor activity on systems
- DLP or audit logs
- Incident Response
“The general advice is not to pay the ransom. By sending your money to cybercriminals you’ll only confirm that ransomware works, and there’s no guarantee you’ll get the decryption key you need in return.”
Options
- If you pay, you will either get your data back or not.
- If you don’t pay, you can try to recover and possibly recover your data. You can try tools or backups.
- A new option criminals are offering: if you get two of your friends infected and they pay, you can get your decryption for free.
- Some cyber-criminals will negotiate on time, money, or for proof the files can be recovered.
- Report the incident to authorities.
Paying the ransom feeds the beast and perpetuates the problem. Criminals will keep going where they can make money, and if people are willing to pay, the hackers will keep targeting them. An easy pay day for hackers. Don’t be an easy mark.