After WannaCry: Getting Ahead of Ransomware Tim Bandos, Sr. - - PowerPoint PPT Presentation



SLIDE 1

After WannaCry: Getting Ahead of Ransomware

Tim Bandos, Sr. Director of Cybersecurity, Digital Guardian

SLIDE 2

Tim Bandos

  • Sr. Director of Cybersecurity
  • CISSP, CISA, CEH & CASS
  • Prior Experience: Global Cybersecurity Manager, 12+ years @ Fortune 100 Company
  • Incident Response & Threat Intelligence
  • Penetration Testing & Vulnerability Assessments
  • Risk Management & Compliance
  • Auditing & Internal Control Evaluations
SLIDE 3

Agenda

  • Ransomware Overview
  • The WannaCry Outbreak
  • Incident Response Plan
  • Prevention Measures
  • Digital Guardian Protection
SLIDE 4

“The cybercriminals behind ransomware do not particularly care who their victims are, as long as they are willing to pay the ransom.”

SLIDE 5

What Is Ransomware

  • Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid.
  • Two Types:
    • Lock Screen – Shows a full screen message that prevents you from accessing the PC
    • Crypto – Alters your files so you can no longer open and view them

SLIDE 6

How Ransomware (Typically) Works

  • User clicks on a link or an attachment in email
  • Encryption of files occurs within minutes or even seconds!
  • Once encryption is complete, a ransom is displayed with X amount of time to pay for the decryption key

SLIDE 7

Ransomware Evolution

  • Can you guess when the first appearance of Ransomware surfaced?

SLIDE 8

Ransomware Stats

  • 97% of phishing emails are now delivering ransomware
  • 71% of organizations who are targeted by ransomware end up infected
  • 95% of ransomware victims refused to pay the ransom

[Charts: Delivery Mechanisms; % of Ransomware Victims Using Security Solutions at Time of Attack]

SLIDE 9

Strains of Ransomware

SLIDE 10

SLIDE 11

WannaCry Ransomware Outbreak

  • WannaCry started on Friday, 12 May 2017 targeting vulnerabilities on the Microsoft Windows operating system
  • Infected more than 230,000 computers in more than 150 countries
  • Once a system is affected, the payload displays a message informing the user that files have been encrypted, and subsequently demands a payment of $300 in bitcoin within three days.

SLIDE 12

Affected Windows Versions

It was during the WannaCry outbreak that researchers discovered the worm only worked reliably on Windows 7, causing errors on other platforms, including Windows XP.

SLIDE 13

How Does WannaCry Spread?

  • WannaCry uses the ‘Eternal Blue’ Windows vulnerability that spreads like a worm
  • Any vulnerable computer open to the internet is at risk
  • The initial means of infection—how the first computer in an organization is infected—remains unconfirmed.

SLIDE 14

EternalBlue Exploit – Timeline

  • March 14, 2017 – Microsoft Patch Released for MS17-010
  • April 14, 2017 – EternalBlue Unveiled by Shadow Brokers – NSA Leak
  • April 28, 2017 – EternalBlue exploit used by Cryptocurrency Mining Malware
  • May 12, 2017 – WannaCry Ransomware Attack

SLIDE 15

WannaCry – Execution

  1. Once the vulnerability is exploited, a malicious executable is pushed down to the endpoint
  2. Executable installs; the ransomware deletes any existing backups
  3. Malware creates copies of itself for persistence
  4. Searches for files with specific extensions and encrypts those files
  5. Victim then receives a ransom message demanding payment in untraceable bitcoins

SLIDE 16

Malware Fail

  • Malware hates being analyzed and tends to build in safeguards against running in sandboxed environments
  • WannaCry did this by hardcoding a domain name in its code and would kill itself if it were able to reach said domain name.
  • A security researcher registered this domain, which instructed every WannaCry variant to cease running on any infected machine that was connected to the internet.

SLIDE 17

Next Day…

SLIDE 18

Infections Continue..

  • Multiple variants of the WannaCry ransomware emerged and are being copied & distributed by multiple parties.
  • CopyCat attackers infect additional computers for their own gain.

SLIDE 19

Next .. EternalRocks Emerges

  • Successor to WannaCry Ransomware
  • More dangerous because it exploits 7 NSA tool exploits versus just 2 used by WannaCry.
  • Has potential to spread faster and infect more systems
  • No kill-switch
  • At this point, the malware doesn’t appear to drop Ransomware. But could be paving the way for what’s to come.

EXPLOITS: ETERNALBLUE, DOUBLEPULSAR, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY, SMBTOUCH, ARCHITOUCH

SLIDE 20

“The greatest threat to a business in the 21st century could come from an unknown person on the other side of the world.”

SLIDE 21

You’re Infected…

SLIDE 22

Now What?

  • First off, take a deep breath and don’t panic
  • DO NOT pay the Ransom.
  • Key Ransomware Objective: Instill Fear & Uncertainty
  • What are my options?
  • If you do not have a backup, fear not. Encrypted files from some strains of ransomware can actually be decrypted for free (including WannaCry)
  • Go to https://www.nomoreransom.org/

SLIDE 23

Incident Response Plan

A Cyber Security Incident Response Plan provides a formal, coordinated approach to responding to cyber security incidents affecting information assets.

Defines:

  • Incident classification
  • Roles and responsibilities
  • Incident reporting and escalation
  • Communication channels for information flow
  • Outlines the overall incident response processes

SLIDE 24

Incident Responders Field Guide

5 Incident Response Phases:

  • Preparation
  • Detection & Reporting
  • Triage & Analysis
  • Containment & Neutralization
  • Post-Incident Activity

https://info.digitalguardian.com/ebook-incident-responder-field-guide.html

SLIDE 25

Prevention: Tips from Tim

  1. PATCH MANAGEMENT – Staying on top of recently released patches for the Operating System / 3rd Party Applications
  2. Email Filtering – Actively filtering email attachment types that are potentially dangerous
  3. End User Education – Teaching users how to identify potentially malicious links and attachments
  4. Install Ad Blockers – Help protect against malicious ads from legitimate sites
  5. Exploit Prevention – Microsoft’s Enhanced Mitigation Experience Toolkit
  6. Backup & Recovery – Implement an effective backup plan in case you need to restore
  7. Data Protection Suite – Consider leveraging a Data Loss Prevention technology with the ability to prevent malware infections and ransomware attempts to encrypt files.

SLIDE 26

WannaCry Tweets

SLIDE 27

May 12 2017: When you look up after a bite of your Taco Salad..

SLIDE 28

Future of Ransomware

  • We expect to see the ransomware threat landscape sustain, if not exceed, momentum levels observed over the past several years.
  • Cyber extortion operations, as a whole, have gained significant notoriety in the past year, with illicit profits garnered from highly publicized campaigns
  • Capitalizing on this momentum, ransomware developers are continuing to expand & establish newly created ransomware variants for use in future campaigns.

SLIDE 29

SLIDE 30

DG Protects Against Advanced Threats Including Ransomware

Digital Guardian’s ATP sees this:

  • INFILTRATION – Identification of the weakest link and exploiting
  • BACKDOOR INSTALLATION – Malware installed on targeted system(s).
  • COMMAND & CONTROL – Adversary’s communication with their own infrastructure.
  • EXECUTION – Adversary commands running on compromised system(s).
  • PERSISTENCE – Presence on the compromised system through system restarts or privileged credentials loss
  • ESCALATION OF PRIVILEGES – Obtaining a higher level of permissions for full control
  • LATERAL MOVEMENT – Moving across an environment from one system to the next.
  • EXFILTRATION – The removal of data to an external location.

… So you can stop these!

  • Spear Phishing Attack
  • Exploits
  • Malicious Network Operations
  • Malware Attacks
  • Registry Modifications
  • Privilege Misuse
  • Exploits
  • Data Theft

SLIDE 31

ATP Stops Ransomware

  • Behavioral rules detect and BLOCK advanced threats across the entire attack lifecycle

Attack stages:

  • INFILTRATION – Targeted Phishing Email
  • EXPLOIT – Email attachment contains encrypted archive file with Windows exploit which bypasses email defenses
  • INSTALL – Exploit installs ransomware that infects computer
  • ENCRYPT – Files on the computer are encrypted
  • DATA COMPROMISE – Ransomware encrypts 20,000+ additional files on mounted file servers

Rules:

  • Informational Rule: Double click on Email Attachment
  • Block Rule: Script Launched off Archive
  • Block Rule: Known Ransomware Process Launch
  • Block Rule: Ransomware File Extensions & Note Creation
  • Block Rule: Mass Editing of Files
  • Block Rule: Volume Shadow Copy Deletion
  • Block Rule: Ransomware Outbound TCP Connection
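As an added example (not code from the deck or from Digital Guardian), the Python sketch below shows how three of the behavioral rules on this slide can be expressed over endpoint telemetry: shadow copy deletion, mass editing of files by one process, and ransom note creation, which together cover the backup deletion and encryption steps of the WannaCry execution slide. The event format, the sample events, the process and file names, the `.locked` extension, the note name and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed endpoint telemetry: "<t_seconds> <event> <pid> <detail>".
# Paths, process names, the extension and the note name are made-up placeholders.
SAMPLE_EVENTS = """\
0 PROC 1001 C:\\Temp\\evil.exe
1 FILE_WRITE 1001 C:\\Users\\bob\\Documents\\budget.xlsx.locked
1 FILE_WRITE 1001 C:\\Users\\bob\\Documents\\plan.docx.locked
2 FILE_WRITE 1001 C:\\Users\\bob\\Documents\\notes.txt.locked
2 FILE_WRITE 1001 C:\\Users\\bob\\Pictures\\cat.jpg.locked
3 FILE_WRITE 1001 C:\\Users\\bob\\Pictures\\dog.jpg.locked
3 FILE_WRITE 1001 C:\\Users\\bob\\Desktop\\HOW_TO_DECRYPT.txt
4 PROC 1002 cmd.exe /c vssadmin delete shadows /all /quiet
5 FILE_WRITE 2001 C:\\Users\\bob\\Documents\\report.docx
"""

# Rule: Volume Shadow Copy Deletion (backup destruction before encryption).
SHADOW_DELETE = re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)
# Rule: Note Creation (assumed heuristic: a .txt whose name mentions decrypt/ransom).
RANSOM_NOTE = re.compile(r"(?:^|\\)[^\\]*(?:decrypt|ransom)[^\\]*\.txt$", re.I)


def detect(events, mass_threshold=5, window_s=10):
    """Return sorted (rule, pid) alerts raised over the given telemetry text."""
    alerts = set()
    writes = defaultdict(deque)  # pid -> timestamps of its recent file writes
    for line in events.strip().splitlines():
        t, kind, pid, detail = line.split(" ", 3)
        t, pid = int(t), int(pid)
        if kind == "PROC" and SHADOW_DELETE.search(detail):
            alerts.add(("shadow_copy_deletion", pid))
        elif kind == "FILE_WRITE":
            if RANSOM_NOTE.search(detail):
                alerts.add(("ransom_note_creation", pid))
            q = writes[pid]
            q.append(t)
            while q and t - q[0] > window_s:  # keep only writes inside the window
                q.popleft()
            if len(q) >= mass_threshold:  # Rule: Mass Editing of Files by one pid
                alerts.add(("mass_file_editing", pid))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"BLOCK pid={pid}: {rule}")
```

A real endpoint agent would act on the first alert (kill or suspend the process) rather than report after the fact; the sliding window keeps a legitimate bulk copy from tripping the rule only when the threshold and window are tuned for the environment.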

SLIDE 32

Managed Security Programs

  • Achieve faster time to value with data loss prevention as a service
  • Get the latest defense strategies and intelligence now
  • Let us discover, monitor and protect your regulated data

SLIDE 33

Our Service for Advanced Threat Protection

  • Technology – Detection and Response Technology that Delivers Data Aware Threat Protection
  • People – Cyber Security Experts led by a Fortune 100 Cyber Defense Leader
  • Process – Proven Methodology for Managed IR and Threat Hunting

SLIDE 34

What You Get: MSP for ATP

PREVENT ATTACKS IN REAL-TIME

  • Dedicated team of analysts constantly review your data for anomalous behavior and alert you immediately upon discovery.
  • Alerts generated by our MSP team will provide you with a summary of what’s been detected and include details such as entrance vector, root cause, endpoints affected, etc.

ONGOING THREAT INTELLIGENCE

  • Our team harnesses both externally and internally generated intelligence feeds for immediate detection based on known threat activity.

24/7 SUPPORT

  • Round the clock support on any questions or requests regarding the service or around threats that have been discovered within the client’s environment.

FULLY MANAGED ATP INFRASTRUCTURE

  • Implementation and management of your advanced threat protection infrastructure.
  • No in-house infrastructure, training or subject expertise required.

ONGOING IMPROVEMENT OF YOUR SECURITY POSTURE

  • Monthly expert risk analysis to assess, iterate and improve your incident response policies and procedures.

PROACTIVE THREAT HUNTING AND INCIDENT RESPONSE

  • With its proven incident response and threat hunting methodologies, our MSP team hunts, detects and responds to attacks in real-time.

SLIDE 35

Digital Guardian

  • Founded 2003 to protect all data against theft
  • Began with protecting IP on the endpoint - the most challenging use case
  • Simplified compliance and cloud data protection with DG appliance
  • Launched industry’s first Managed Security Program for DLP and ATP
  • Only security company 100% focused on protecting sensitive data from loss or theft

#1 IP Protection

SLIDE 36

Thank You

Any questions?

SLIDE 37

Digital Guardian’s Next Webinar

  • “Real World Scenarios - Stopping PHI risk with DLP”
  • July 20th @ 2:00PM EDT
  • Chris Leffel, Healthcare Security Expert, Digital Guardian
  • Watch this webcast to learn:
    • How to provide patient centric data protection
    • Case studies on PHI – Inspired by true stories
    • Recommendations on DLP implementation methodologies