After WannaCry: Getting Ahead of Ransomware Tim Bandos, Sr. Director of Cybersecurity, Digital Guardian
Tim Bandos Prior Experience: Global Cybersecurity Tim Bandos Manager, 12+ years @ Fortune 100 Company Sr. Director of Cybersecurity CISSP, CISA, CEH & CASS Incident Response & Threat Intelligence Penetration Testing & Vulnerability Assessments Risk Management & Compliance Auditing & Internal Control Evaluations 2
Agenda Ransomware Overview The WannaCry Outbreak Incident Response Plan Prevention Measures Digital Guardian Protection Confidential 3
“The cybercriminals behind ransomware do not particularly care who their victims are, as long as they are willing to pay the ransom.” Confidential 4
What Is Ransomware Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid. Two Types: Lock Screen – Shows a full Crypto – Alters your files so screen message that prevents you can no longer open and you from accessing PC view them Confidential 5
How Ransomware (Typically) Works User Clicks on a Link Encryption of files Once encryption is or an Attachment in occurs within minutes complete, a ransom is Email or even seconds! displayed with X amount of time to pay for decryption key Confidential 6
Ransomware Evolution Can you guess when the first appearance of Ransomware surfaced? Confidential 7
Ransomware Stats 97% Delivery of phishing emails Mechanisms are now delivering ransomware 71% of organizations who are targeted % of Ransomware by ransomware end up infected Victims Using 95% Security Solutions at Time of Attack of ransomware victims refused to pay the ransom Confidential 8
Strains of Ransomware Confidential 9
Confidential 10
WannaCry Ransomware Outbreak WannaCry started on Friday, 12 May 2017 targeting vulnerabilities on Microsoft Windows operating system Infected more than 230,000 computers in more than 150 countries Once a system is affected, the payload displays a message informing the user that files have been encrypted, and subsequently demands a payment of $300 in bitcoin within three days. Confidential 11
Affected Windows Versions It was during the WannaCry outbreak that researchers discovered the worm only worked reliably on Windows 7, causing errors on other platforms, including Windows XP Confidential 12
How Does WannaCry Spread? WannaCry uses the ‘Eternal Blue’ Windows vulnerability that spreads like a worm • Any vulnerable computer open to the internet is at risk The initial means of infection — how the first computer in an organization is infected — remains unconfirmed. Confidential 13
EternalBlue Exploit – Timeline March 14, 2017 – Microsoft Patch Released for MS17-010 April 14, 2017 - EternalBlue Unveiled by Shadow Brokers – NSA Leak April 28, 2017 – EternalBlue exploit used by Cryptocurrency Mining Malware May 12, 2017 – WannaCry Ransomware Attack Confidential 14
WannaCry – Execution 1) Once vulnerability is exploited, a malicious executable is pushed down to endpoint 2) Executable installs, the ransomware deletes any existing backups 3) Malware creates copies of itself for persistence 4) Searches for files within specific extensions and encrypts files 5) Victim then receives ransom message demanding payment in untraceable bitcoins Confidential 15
Malware Fail Malware hates being analyzed and tends to build in safeguards against running in sandboxed environments WannaCry did this by hardcoding a domain name in it’s code and would kill itself if it were able to reach said domain name. A security researcher registered this domain which instructed every WannaCry variant to cease running on any infected machine that was connected to the internet. Confidential 16
Next Day… Confidential 17
Infections Continue.. Multiple variants of the WannaCry ransomware emerged and are being copied & distributed by multiple parties. CopyCat attackers infect additional computers for their own gain. Confidential 18
Next .. EternalRocks Emerges Successor to WannaCry Ransomware More dangerous because it exploits 7 NSA tool exploits versus just 2 used by WannaCry. Has potential to spread faster and infect more systems No kill-switch At this point, the malware doesn’t appear to drop EXPLOITS ETERNALBLUE Ransomware. But could be paving the way for what’s to DOUBLEPULSAR come. ETERNALCHAMPION ETERNALROMANCE ETERNALSYNERGY SMBTOUCH ARCHITOUCH Confidential 19
“The greatest threat to a business in the 21st century could come from an unknown person on the other side of the world.” Confidential 20
You’re Infected… Confidential 21
Now What? First off, take a deep breathe and don’t panic DO NOT pay the Ransom. Key Ransomware Objective: Instill Fear & Uncertainty What are my options? • If you do not have a backup, fear not. Encrypted files from some strains of ransomware can actually be decrypted for free (including WannaCry ) • Go to https://www.nomoreransom.org/ Confidential 22
Incident Response Plan A Cyber Security Incident Response Plan provides a formal, coordinated approach to responding to cyber security incidents affecting information assets. Defines: Incident classification Roles and responsibilities Incident reporting and escalation Communication channels for information flow Outlines the overall incident response processes Confidential 23
5 Incident Response Phases CRISIS Post-Incident Preparation Activity Containment Detection & & Reporting Neutralization Triage & Analysis Incident Responders Field Guide https://info.digitalguardian.com/ebook-incident- responder-field-guide.html Public 24
Prevention: Tips from Tim 1. PATCH MANAGEMENT – Staying on top of recently released patches for the Operating System / 3 rd Party Applications 2. Email Filtering – Actively filtering email attachment types that are potentially dangerous 3. End User Education – Teaching users how to identify potentially malicious links and attachments 4. Install Ad Blockers – Help protect against malicious ads from legitimate sites 5. Exploit Prevention – Microsoft’s Enhanced Mitigation Experience Toolkit 6. Backup & Recovery – Implement an effective backup plan in case you need to restore 7. Data Protection Suite – Consider leveraging a Data Loss Prevention technology with the ability to prevent malware infections and ransomware attempts to encrypt files. Confidential 25
WannaCry Tweets Confidential 26
May 12 2017: When you look up after a bite of your Taco Salad.. Confidential 27
Future of Ransomware We expect to see the ransomware threat landscape sustain, if not exceed, momentum levels observed over the past several years. Cyber extortion operations, as a whole, have gained significant notoriety in the past year, with illicit profits garnered from highly publicized campaigns Capitalizing on this momentum, ransomware developers are continuing to expand & establish newly created ransomware variants for use in future campaigns. Confidential 28
Confidential 29
DG Protects Against Advanced Threats Including Ransomware Digital Guardian’s ATP sees this BACKDOOR COMMAND & ESCALATION LATERAL INFILTRATION EXECUTION PERSISTENCE EXFILTRATION CONTROL OF PRIVILEGES MOVEMENT INSTALLATION Identification of Malware installed Adversary’s Adversary Presence on the Obtaining a Moving across an The removal of compromised the weakest link on targeted communication commands running higher level of environment data to an and exploiting system(s). with their own on compromised system through permissions for from one system external system(s). system restarts full control infrastructure. to the next. location. or privileged credentials loss … So you can stop these! Privilege Exploits Data Spear Exploits Malicious Malware Attacks Registry Modifications Misuse Theft Phishing Attack Network Operations 30
ATP Stops Ransomware Behavioral rules detect and BLOCK advanced threats across entire attack lifecycle INFILTRATION EXPLOIT INSTALL ENCRYPT DATA COMPROMISE Targeted Phishing Email Email attachment contains Exploit installs Files on the computer are Ransomware encrypts encrypted archive file with ransomware that infects encrypted 20,000+ additional files on windows exploit which computer mounted file servers bypasses email defenses Block Rule: Script Block Rule: Ransomware Launched off Archive File Extensions & Note Block Rule: Known Informational Rule: Block Rule: Mass Creation Ransomware Process Double click on Email Editing of Files Block Rule: Launch Block Rule: Volume Attachment Ransomware Outbound Shadow Copy Deletion TCP Connection Confidential 31
Managed Security Programs Achieve faster time to value with data loss prevention as a service Get the latest defense strategies and intelligence now Let us discover, monitor and protect your regulated data Confidential 32
Recommend
More recommend
