1. 1. Ransomware Prepare: Have a Plan Jim Olmstead Incident Response Consultant
2. 2. Ransomware It is Prevalent It is Profitable If you Pay the ransom, you provide incentive for the Bad Actors to continue Lets break the cycle Prepare now 2
3. 3. Threat Vectors Delivery methods of ransomware Email (Mass spam and possible targeted spam) Locky, Teslacrypt, Exploits weaknesses in your security Launched by employees eager to click on email Hack and Attack Samsa, Samas (aka, samsam.exe and other variant names) Secure: Computers on your network and under your control (Password & Kerberos Reset) 3rd Party Vendor or Unmanaged systems on your network Review computers placed in your DMZ and their connectivity back to your network 3
4. 4. Response: Initial If infected, immediately detach the system from your network Physically disconnect system, or use Host Intrusion Protection System (HIPS) Automate the response if a detection occurs, or Manually isolate Ensure your Anti-Virus is up-to-date with signatures Schedule FULL (Daily) workstations and Servers Any excluded systems or portions of systems MUST be scanned Schedule Additional (Daily) targeted scans Remediate the system or wipe it clean? Have you done enough to prepare? 4
5. 5. Response: Be Proactive - Prepare BACKUP your data to an offsite location or detach your backup storage Block or reduce access to Open and Mapped Shares Update, Upgrade, and patch your Operating System (OS) Use Whitelisting / Application Control Block and Filter email & attachments Remove or reduce Remote Desktop (RDP) use Educate your end-users (To be Suspicious of email and attachments) Run up-to-date Anti-virus protection & signatures (Use extra.dats) 5
6. 6. Be Ready- Prepare Now Incidents are going to happen Incidents are part of doing business Need for an endpoint solution & other security products Have a Plan before you have the Need to Respond 6
7. 7. The RansomWare Landscape @ChristiaanBeek
8. 8. TeslaCrypt CryptoWall Crysis Locky Reveton CryptoFortress Criakl Tobfy CTB-Locker LockScreen CrypTear Samas Other 8 RansomWare Statistics Q1 - 2016 272,712 240,767 674,778 Jan Feb Mar
9. 9. 9 In Q1 2016, TeslaCrypt hit many European countries, where Turkey was hit the most according to our statistics.
10. 10. Countries hit by RansomWare 10
11. 11. 11 Where we started with around 10 families in Jan 2016, Currently we are tracking 57+ different ransomware families..
12. 12. Observations Q1 - Ransomware as a Service increased massively - Source-code for ransomware publicly available - Targeted ransomware campaign on mostly Healthcare industry - Ransomware encrypting Master-Boot-Record - Apple users hit with Ransomware - Ransomware going after web-content management systems 12
13. 13. #who s behind ransomware? Wannabee Affiliate Organized Crime
14. 14. Wannabee
15. 15. Wannabee
16. 16. Affiliate
17. 17. Ransomware as a Service Botnet Affiliate/Service Provider RAAS Operator Cash Management
18. 18. Organized Crime Experienced group Involved in multiple (ransomware) campaigns Fast response times Server image for fast deployment Cautious in affiliate program Tracking news, forums around their product and adjust
19. 19. Profitable business?
20. 20. SamSa example 45.00 BT 40.00 BTC 21.94 BTC 22.00 BTC 22.00 BTC 40.00 BTC $100,000.00 so far...
21. 21. What is Intel Security doing about it?
22. 22. Ransomware Kill-chain Btc wallet2 Exploit Kits URL URL URL URL Many transactions Btc wallet1 Final Wallets Delivery Infrastructure Infection Back end Infrastructure Payment Infra Phishing URL Attachment Victim infected Proxy servers Proxy URL 1 Proxy URL 2 Proxy URL X Distribution servers Btc wallet3
23. 23. What is Intel Security doing about it? Ransomware Focused group on ransomware Participate in investigations and operations with Law Enforcement and other Vendors Innovating new technology 23
24. 24. What can we expect next? Compared to 2015, we already have seen a few new directions like targeted ransomware and encrypting full systems. We expect that embedded devices, more targeted attacks on certain industries and related business applications will increase in 2016 and beyond. 24
25. 25. There is Hope!! - Petya (boot-disk encryption) - Teslacrypt (older versions) - TorrentLocker - Jigsaw ransomware - Linux.Encoder - Double-DMA 25
26. 26. Ransomware Recommendations Josh Thurston Security Strategist Office of the CTO
27. 27. Avoid Risk Filter run-rate threats and protect data to reduce exploitable surface area and operational burden Mitigate Risk Optimize decision making Compress mean time to resolution Minimize impact Reduce Risk Isolate signal from noise for rapid, hi-fidelity risk comprehension and response prioritization Threat Defense Lifecycle 27 Applied integration, automation, and orchestration driving a defense lifecycle Disrupt in-bound attacks Control data access Automate defensive workflow Illuminate low-threshold breaches Discover unmanaged systems Monitor data access Contain and repair compromised systems Programmatically share intelligence Adjust and extend policies Optimize Resources
28. 28. Protect Recommendations Patch management and Hygiene Tune VirusScan and Endpoint Security Access Protection Rules KB81095 and KB54812 Use GTI and leverage +4 million unique ransomware signatures Use HIPS signatures to limit unknown processes 3894 Prevent SVCHOST.exe executing non Windows .exes 6010 and 6011 to block the injection immediately Use Whitelisting / Application Control Fortify critical Systems Legacy Operating Systems & Applications 28
29. 29. Protect Recommendations Use Web Security to stop threats before they get to the endpoint 29 Filter Known Bad Sandbox / Reverse- engineering (zero-day) Real-time Behavioral Emulation (zero-day) McAfee Web Protection McAfee ATD Dynamic and Static Analysis Gateway Anti-Malware AV Input Quantity Depth of Inspection
30. 30. Detect Recommendations 30 Limit software installs with VSE access protection rules Use HIPS & Change Control to block changes from unapproved processes Use TIE to detect new PEs Use Sandboxing / ATD to inspect grey files upon execution Use IPS to block TOR traffic used by ransomware to obfuscated communications Integrate Endpoint with Network to reveal malicious process communications
31. 31. Correct Recommendations 31 Use ATD to educate TIE reputations DB Use AR to hunt for latent malicious code and eradicate USE SIEM and IPS to discover and blacklist malicious IPs Use frequent backups to restore systems (last resort)
32. 32. Neutralize Emerging Threats Safeguard Vital Data Optimize Security Operations Fortify Critical Environments Intel Security: Capability Offerings Endpoint Protection Network Security Data Security Web Security Security Management Endpoint Detection & Response Server Security Threat Sandboxing Security Services Threat Intelligence
33. 33. 33