Ransomware: Hard to Stop for Enterprises, Highly Profitable for Criminals

Raja Mukerji, Co-Founder and President, ExtraHop Networks

Page 1: Title slide (title and speaker as above)

Page 2: Title slide (repeated)

Page 3: Ransomware: Easy Money for Criminals

[Diagram: Attacker, Mail Server, File Share and several Clients]

1. A user’s machine gets infected with malware
2. The malware downloads an encryption program
3. Begins encrypting files on the client
4. Spreads to network shares that the client is connected to
5. Spreads infected document(s) to other users/systems
6. Ransom is paid using Bitcoin, which is extremely difficult to track

Page 4: Ransomware: Fast and Easy for Criminals

Ransomware Facts

• Ransomware now makes up about 60 percent of malware infections encountered by Malwarebytes anti-virus software.
• The CryptoLocker strain of ransomware is responsible for $325 million in damages so far.
• Hollywood Presbyterian Medical Center paid a $17,000 ransom after shifting to paper processes for one week.
• The FBI has offered a $3 million reward for the arrest of Evgeniy Bogachev, believed to be linked to ransomware viruses.

[Chart: Number of users attacked by Trojan-Ransom malware tracked by Kaspersky Lab, by quarter from Q4 2014 to Q3 2015; y-axis 0 to 350,000 users]

Page 5: (no extracted text on this slide)

Page 6: The Problem: An M&M Security Model

Page 7: Rogue Devices with Credentials

Page 8: Ideal Solution Is Zero Trust

Page 9: Traditional Firewall

[Diagram: Clients and Servers separated by a Firewall, with SDN routing]

Page 10: Agent-Based Firewall

[Diagram: Clients and Servers with an Agent-Based Firewall; one element is marked with a question mark]

Page 11: Detect Ransomware Behavior on the Network

[Diagram: Attacker, Mail Server, File Share and several Clients, with the protocols observed on each link: SMTP, HTTP and CIFS]

1. Detect ransomware activity on the network by analyzing all CIFS WRITE operations in real time
2. Trace the infection to identify all infected clients and systems
3. Investigate the incident to identify “patient zero,” the source of the malware, and the attack vector

Page 12: Analyze Data in Flight to Understand Risk

• I know which clients I need to take offline.
• I understand the extent of the impact down to the exact files that were overwritten.
• I know which IP addresses to block.
• I can easily investigate the incident to find “patient zero” and the attack vector.
• I have alerts set up to immediately let me know when ransomware behavior is observed.

Most importantly … catch ransomware attacks live, in real time.

Page 13: East-West Traffic Growth

[Chart: Traffic within the Datacenter (East-West), in zettabytes, 2014 to 2019; y-axis 0 to 9 ZB]

• 3.34 ZB in 2014
• 9.8 ZB in 2019
• 24% compound annual growth rate
• Source: Cisco Global Cloud Index

Page 14: Wire Data Analytics at Scale

Wire data captured per day by link rate (one cylinder in the slide graphic represents approximately 10 TB of data):

• 1 Gbps/day = 11 TB
• 5 Gbps/day = 54 TB
• 20 Gbps/day = 216 TB
• 40 Gbps/day = 432 TB

Page 15: Wire Data = Risk Visibility

[Diagram: Unstructured Packets -> Structured Wire Data]

CVE Detection
• Shellshock
• HTTP.sys
• Turla malware
• Heartbleed
• FREAK SSL/TLS
• POODLE
• Logjam

Compliance
• SSH tunneling
• Non-standard ICMP
• Non-standard DNS
• Non-standard HTTP
• Disallowed file types
• Invalid file extension writes
• Blacklisted traffic

Encryption Profile
• Certificate expiration
• Key length
• Outdated SSL sessions
• MD5/SHA-1 cert signing
• SSL traffic by port
• Email encryption
• Wildcard certificates

Protocol Activity
• Unencrypted FTP
• Telnet
• Gopher
• TACACS
• SNMP v1, v2, v2c
• Finger
• IRC

Application & User Behavior
• Privileged user logins
• Unauthorized connections
• Lateral network traversal
• Brute force attacks
• Storage/DB access
• Fraudulent transactions
• Large data transfers

Page 16: Architecture Matters

Continuous Packet Capture
• How it works: write to disk first, then analyze
• Performance limits: disk speed
• Lookback: data typically stored for days
• Packet capture: capture packets for all flows
• Cost: more, bigger appliances with more storage (up to 200+ TB on a 3U appliance)

Stream Processing
• How it works: analyze first, then write to disk
• Performance limits: bus throughput and RAM
• Lookback: data typically stored for months
• Packet capture: capture packets for the flows you want
• Cost: fewer, smaller appliances with less storage (2.4 TB on a 2U appliance)

[Diagrams: Wire, CPU and Disk blocks for each architecture, ordered as in the "How it works" rows above]

Page 17: Ransomware Detection Types

• Type 1: Checks for known file extensions that are commonly associated with ransomware attacks

• Type 2: Compares all file extensions against a “whitelist” to uncover potential attacks

• Type 3: Looks for WRITE activity that exceeds a configurable threshold

• Type 4: Advanced detection of instructional files typically associated with ransomware variants that are left behind during an attack
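The four detection types above, together with the "trace the infection" and "patient zero" steps from the earlier detection slide, as an added Python example that is not code from the deck or from ExtraHop: it runs the checks over a constructed stream of CIFS WRITE records, then lists the clients to take offline, the earliest-alerting client, and the files those clients wrote. The record layout, the extension lists, the ransom-note file names and the write-rate threshold are all assumptions chosen for illustration.

```python
"""Added example (not ExtraHop's code): the four ransomware detection types
from the slide, run over a constructed stream of CIFS WRITE records, plus the
"trace infected clients" and "find patient zero" steps from the detection slide.

Record layout, extension lists, ransom-note names and the write-rate threshold
are assumptions made for this example."""
from collections import defaultdict, deque
from dataclasses import dataclass

# --- Assumed policy (tune per environment) ---------------------------------
KNOWN_RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}          # Type 1
ALLOWED_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt"}       # Type 2 whitelist
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "readme_for_decrypt.html"}  # Type 4
WRITE_RATE_THRESHOLD = 20   # Type 3: more than this many writes per client ...
WINDOW_SECONDS = 60         # ... inside a sliding window of this length


@dataclass
class Alert:
    detection_type: int   # 1..4, matching the slide
    client: str           # client IP that issued the CIFS WRITE
    timestamp: int        # seconds
    detail: str


def file_name(path: str) -> str:
    """Last path component; CIFS paths may use either separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension_of(path: str) -> str:
    """Lower-cased final extension, or "" when the name has none."""
    name = file_name(path)
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def detect(writes):
    """Run all four checks over (timestamp, client, share, path) records
    in time order and return the alerts raised."""
    alerts = []
    recent = defaultdict(deque)   # client -> write timestamps inside the window
    rate_alerted = set()          # raise Type 3 once per client, not per write
    for ts, client, share, path in sorted(writes):
        ext = extension_of(path)
        name = file_name(path).lower()
        if ext in KNOWN_RANSOM_EXTENSIONS:                                # Type 1
            alerts.append(Alert(1, client, ts, f"known ransomware extension {ext} written to {share}"))
        elif ext and ext not in ALLOWED_EXTENSIONS:                        # Type 2
            alerts.append(Alert(2, client, ts, f"extension {ext} not on whitelist ({share})"))
        if name in RANSOM_NOTE_NAMES:                                      # Type 4
            alerts.append(Alert(4, client, ts, f"ransom note {name} written to {share}"))
        window = recent[client]                                            # Type 3
        window.append(ts)
        while window[0] <= ts - WINDOW_SECONDS:   # drop writes outside the window
            window.popleft()
        if len(window) > WRITE_RATE_THRESHOLD and client not in rate_alerted:
            rate_alerted.add(client)
            alerts.append(Alert(3, client, ts, f"{len(window)} writes in {WINDOW_SECONDS}s to {share}"))
    return alerts


def count_by_type(alerts):
    counts = defaultdict(int)
    for a in alerts:
        counts[a.detection_type] += 1
    return dict(counts)


def infected_clients(alerts):
    """Step 2 on the detection slide: every client that raised an alert."""
    return sorted({a.client for a in alerts})


def patient_zero(alerts):
    """Step 3: the client whose first alert is earliest on the wire."""
    return min(alerts, key=lambda a: a.timestamp).client if alerts else None


def affected_files(writes, alerts):
    """Files written by infected clients, to scope which files to review."""
    infected = set(infected_clients(alerts))
    return sorted({(share, path) for _, client, share, path in writes if client in infected})


def build_sample_writes():
    """Constructed CIFS WRITE records: (timestamp_s, client_ip, share, path)."""
    writes = [
        (50, "10.0.0.9", "\\\\fs1\\hr", "policy.docx"),   # benign activity
        (70, "10.0.0.9", "\\\\fs1\\hr", "notes.txt"),
    ]
    # Client .5 overwrites 25 spreadsheets in 25 seconds, then drops a note.
    for i in range(25):
        writes.append((100 + i, "10.0.0.5", "\\\\fs1\\finance", f"report{i}.xlsx.locked"))
    writes.append((125, "10.0.0.5", "\\\\fs1\\finance", "HOW_TO_DECRYPT.txt"))
    # Client .7 writes later on the same share, once with an unknown extension.
    writes.append((300, "10.0.0.7", "\\\\fs1\\finance", "budget.pdf.crypt"))
    writes.append((301, "10.0.0.7", "\\\\fs1\\finance", "invoice.zzz"))
    return writes


SAMPLE_WRITES = build_sample_writes()

if __name__ == "__main__":
    found = detect(SAMPLE_WRITES)
    for a in found:
        print(f"t={a.timestamp:<4} type {a.detection_type} {a.client}: {a.detail}")
    print("alerts by type:", count_by_type(found))
    print("clients to take offline:", infected_clients(found))
    print("patient zero:", patient_zero(found))
    print("files to review:", len(affected_files(SAMPLE_WRITES, found)))
```

Type 1 and Type 2 are evaluated as alternatives so a known ransomware extension is not reported twice, and the Type 3 rate check fires once per client rather than on every further write, which keeps the alert volume proportional to the number of infected hosts rather than to the number of encrypted files.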

Page 18: Rewind and Analyze (i.e. Forensics)

• Observed CIFS WRITE activity on the network
• Simple visual queries to target ransomware activity

Page 19: Questions?

See an ExtraHop demo at booth #XXX