ncsc speaker
Upload: royal-united-services-institute-for-defence-and-security-studies
Post on 28-Jan-2018
This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to [email protected]
Ransomware: Past, Present, and Future
By A Cyber Security Advisor
NCSC
What is the NCSC?
The new National Cyber Security Centre is the UK’s authority on cyber security and part of GCHQ.
The NCSC brings together cyber security into a single, expert organisation, building on the best of what we already have and combining the functions of:
• CESG
• CERT-UK
• Cyber-related aspects of the Centre for the Protection of National Infrastructure
• Centre for Cyber Assessment
Where we are based
Cheltenham
London Victoria
Our Organisation
What we do:
• We understand cyber security: Sharing our knowledge, we identify and address systemic vulnerabilities
• We respond to cyber security incidents: Managing serious security breaches, we reduce the harm they cause to the UK
• We nurture our national cyber security capability: Providing leadership on critical issues, harnessing talent and technology
• We reduce risks to the UK: We help public and private sector organisations secure their networks
About Me: The Details
Over 40 years in the IT Industry:
• Career divided between private and public sectors
• Involved in IT / Cyber security since 2004
• Joined NCSC in 2016
• Work with companies in the Communications, IT Services and Space sectors of the CNI
• Government Chair of the Space Information Exchange since 2016
Ransomware: Past, Present and Future
• The Basics
• How It All Began
• Current Edition
• Back to the Future
• How to Prepare: Now, and in the Future
Ransomware: The Basics
Wikipedia’s definition of ransomware:
“Ransomware is computer malware that installs covertly on a victim's device (e.g., computer, smartphone, wearable device) and that either mounts the cryptoviral extortion attack from cryptovirology that holds the victim's data hostage, or mounts a cryptovirology leakware attack that threatens to publish the victim's data, until a ransom is paid.” [1]
In short: an entity renders data or a device inaccessible, then demands payment for its ‘release’
[1] Wikipedia https://en.wikipedia.org/wiki/Ransomware
Ransomware: The Basics
Purpose: Money!!!!
and relatively lower risk than traditional kidnap, ransom, and extortion methods.
• Direct Revenue Generation: $1 Billion in 2016 [2]
• Top Impacted Countries: United States, Japan, United Kingdom, Italy, Germany, and Russia [3]
• Most Prevalent attack vectors: misleading apps, fake antivirus scams [4]
• Average Ransom Demand: Range between $500-$2000 [5]
• Business Costs: $75 Billion per year [6]
[2], [5], [6]: Rock, Tracy. “Ransomware Statistics 2016-2017: A Scary Trend in Cyberattacks” February 27, 2017. Invenio IT. http://invenioit.com/security/ransomware-statistics-2016/
[3], [4]: Savage, Kevin. Coogan, Peter. Lau, Hon. “The Evolution of Ransomware” August 6, 2015. Symantec. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf
Ransomware: How it all began
The original “kidnap, ransom, and extortion” (KRE) technique
• Used in ancient times for payment, bargaining, warfare
• Still used in parts of the world today
Well-known Cases:
• Richard the Lionheart (1192)
• Charles Lindbergh Jr (1932) – “The Lindbergh Baby”
• Peter Weinberger (1956) – Changed kidnapping laws in US
• Patty Hearst (1974)
Ransomware: How it all began
Enter Technology: First known ransomware attack using encryption
• AIDS Trojan (1989) written by Joseph Popp
• Software Expiration Pop-Up Notice
• $189 US Ransom
• Poorly written
• Symmetric Cryptography
Ransomware: How it all began
Learn and Improve from the mistakes of others
• Adam Young and Moti Yung experiment (1996)
• Encrypt with public key and ransom the private key
• Introduced concept of ‘electronic money’ extortion
Ransomware: Where it all began
Examples of extortion through ransomware:
• Gpcode, Gpcode.AG, Gpcode.AK (variants)
• TROJ.RANSOM.A
• Archiveus
• Krotten
• Cryzip
• MayArchive
As advancing technologies grew, so did the size of encryption keys:
Ransomware: Current Edition
Four Flavours:
• Crypto ransomware
• Locker ransomware
• Mobile ransomware
• Leakware (aka Doxware)
Ransomware: Current Edition
Crypto Ransomware:
An infection encrypting data within a computer or system, denying crypto keys until a ransom is paid.
Ransomware: Current Edition
Locker Ransomware*:
An infection locking a computer or device, denying access until a ransom is paid.
*Different to preventing access to files or data, which is crypto ransomware
Ransomware: Current Edition
Mobile Ransomware:
Blockers; payloads are commonly an APK file installed on the user’s mobile to lock access to the device, or to mobile application(s). Online synchronization negates the incentive to encrypt data, so these are limited to denying access to mobile use.
*Instances vary based on type of mobile device – i.e., Android vs iOS
Ransomware: Current Edition
Leakware:
Also known as Doxware: this form of malicious activity combines ‘doxing’ and ransomware. It combines both encryption of data and the collection/theft of personal information for the use of future extortion activities.
“…instead of locking up your sensitive data and making them inaccessible to you, it makes them accessible to everybody – unless you pay up.” [7]
Example: Ashley Madison
[7] Littlejohn Shinder, Debra. The Evolution of Extortionware. February 7, 2017. GFI Tech Talk. https://techtalk.gfi.com/the-evolution-of-extortionware/
Ransomware: Back to the future
Technology advances much faster than implementation of security measures.
WannaCry (aka: WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor)
• Date: 12 May 2017 – Present
• Location(s): Everywhere!
• Ransom Demand: $300-$600
• Cause: EternalBlue exploit / Failure to patch
• Damage Thus Far: Over 200K victims and more than 230K computers infected [8]
[8] https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
Ransomware: Back to the future
Technology advances much faster than implementation of security measures.
Petya (AKA NotPetya. Variants included Petna, Pneytna, Goldeneye)
• Date: 27 June 2017 onwards
• Location(s): Ukraine, spreading westward
• Ransom Demand: $300 in bitcoins – but were they after money?
• Cause: EternalBlue exploit / Failure to patch
• Damage thus far: Epicentre was Ukraine, but included UK and US
Ransomware: Back to the future
Technology advances much faster than implementation of security measures.
“Mr Smith Group”
The US TV network has refused to pay a multimillion dollar ransom demand to the hackers, who compromised the network’s systems in July and have since leaked a series of embarrassing documents, emails and unaired shows, including Game of Thrones and Curb Your Enthusiasm.
Ransomware: Back to the future
Evolution and Innovation:
Stealthier: searching for a bigger ‘pay-load’
• Long-term game
• Less about data than entire business
  • Infrastructure
  • Operations
• E.g. Hospitals, Power Grids
Ransomware: Back to the future
Evolution and Innovation:
Stealthier: searching for a bigger ‘pay-load’
• Long-term game
• Less about data than entire business
  • Infrastructure
  • Manufacture
  • Operations
E.g. UK Space Industry
Ransomware: Back to the future
What does the “entire business” mean?
Not limited to data sets or system access, but also:
• Incident Response
• Backups
• Restoration/Recovery Operations
Leading to:
Total Organisational Paralysis
Ransomware: How to prepare – now
What you are (hopefully?) doing now:
• Business Risk Assessment
• Data Recovery (backups)
• Detection
• Disaster Recovery Plan
Ransomware: How to prepare – in the future
What to Do in the Future:
• Dependable Data Recovery Solutions
• Updated Backup Systems
• Cyber Insurance?
• Exercise, Exercise, Exercise!!!!!
• Crypto Currency
Ransomware:
How have you been impacted? What lessons have you learned?
If not …………….?
For further information see: https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware