what you need to know about ransomware

Trainers Underground What you need to know about Ransomware Presenters Robert De Roeck from Indiana University Donald Hester from Las Positas College / Maze & Associates

Upload: donald-e-hester

Post on 06-Apr-2017

TRANSCRIPT

Trainers Underground

What you need to know about Ransomware

Presenters Robert De Roeck from Indiana University

Donald Hester from Las Positas College / Maze & Associates

Covering Today

Statistics
The Costs
Attack Vectors
Prevention and Mitigation
Typical Marks
The Ransom
The Criminals
Predictions
References

What is Ransomware?

“Ransomware is a type of malware installed on a computer or server that encrypts the files, making them inaccessible until a specified ransom is paid. Ransomware is typically installed when a user clicks on a malicious link, opens a file in an e-mail that installs the malware, or through drive-by downloads (which does not require user-initiation) from a compromised Web site.” Source: FBI

1989

Dec 11, 1989 saw the first ransomware, called AIDS.

42% to 70% have paid

93%

of organizations that were hit by ransomware had antivirus / anti-malware

31%

have been victims multiple times (recent news indicates this may increase)

25%

did not get their data back even after they paid

10 to 400

There were 10 different families of ransomware a few years ago; now there are over 400 families as of the first quarter of 2017.

20% paid over $40,000

25% paid $25k – $40k

$500 to $2000

The demand range for small businesses or individuals seems to be $500 to $2000.

$240,000,000

DOJ estimates $240 million in ransoms were paid in 2015.

$1,000,000,000

DOJ estimates $1 billion in ransoms were paid in 2016.

$17,000,000,000

Ransoms are estimated to increase to $17 billion by 2021.

Other Costs

Who is willing to pay more for your data than you?

Things to Remember

Ransom – most fees have been reasonable.
Consulting costs
Lost revenue – 63% report loss and 48% report downtime
Incident response costs
Forensics – you need to prevent future attacks
Insurance

In 2010, insurance against sea pirates (like Somali pirates) paid out $448 million in ransoms but brought in $1.85 billion in insurance premiums. The other problem is whether they will pay: most cyber insurance carriers have stipulations similar to PCI. In other words, if you don’t have controls in place, they don’t pay.

Attack Vectors

What are the typical ways they get in?

Attack Vectors

Flash
Java
Browser
Email
Unpatched systems
Internet-facing servers

Emails

One example was a wave file that looked like it came from the phone system.

GoldenEye ransomware targets human resources departments because they're used to opening emails and attachments from unknown sources.

Prevention and Mitigation

What can be done?

Typical Marks

Medical
Transportation
Local Government
Education
IoT
Hotels (key card access)
Individuals
Organizations that lean to the left of the political spectrum
Shotgun (indiscriminate targeting)

The Criminals

Know your enemy… Sun Tzu

Motivation

Financial incentives are typically the motivation of the hackers.

Service

Most cyber-criminals treat this as a business, to the point that they have customer service to assist victims.

Reputation

Hackers have a reputation, and if they have a reputation for not giving your files back after you pay, word will get around and people won’t pay.

Market Forces

They don’t try to price organizations out of the market. Organizations without money are less likely to pay large ransoms.

R & D

Investment: cyber-criminals spend money on R&D to perfect the process.

Other Markets

They also sell ransomware starter kits for anyone who wants to get in on the action, some for as little as 1 bitcoin.

Competition

Cyber-criminal organizations fight against each other as well. One hacker group hacked another group and released the keys to their ransomware.

Code of Ethics

Prevention and Mitigation

What can be done?

Prevention & Mitigation

Back-ups, air gap (BCP)
Risk assessment
Patch management
Configuration management
Vulnerability scanning
Whitelisting applications
Anti-malware is critical but not enough
Network isolation and segmentation
Insurance
Have a bitcoin account established
Block IPs (in & out)
Monitor activity on systems
DLP or audit logs
Incident response
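A small check for the “Monitor activity on systems” and “DLP or audit logs” items above, as an added example that is not part of the Trainers Underground deck: it flags a user/process that renames many files to a different extension within a short window, which is the footprint an encryptor leaves in file-audit logs. The log line format, the sample lines, and the window/threshold values are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (not from the deck): "<ISO time> <user> <process> <WRITE|RENAME> <path>[ -> <new name>]"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (WRITE|RENAME) (.+)$")
# Constructed sample: normal editing, then one process renaming many files to a new extension.
SAMPLE_LOG = r"""
2017-04-06T09:00:01 alice WINWORD.EXE WRITE C:\Users\alice\Docs\budget.docx
2017-04-06T09:00:30 alice WINWORD.EXE RENAME C:\Users\alice\Docs\draft.docx -> final.docx
2017-04-06T09:01:10 alice WINWORD.EXE RENAME C:\Users\alice\Docs\memo.docx -> memo.pdf
2017-04-06T09:15:00 alice svchost.exe RENAME C:\Users\alice\Docs\budget.docx -> budget.docx.locked
2017-04-06T09:15:01 alice svchost.exe RENAME C:\Users\alice\Docs\final.docx -> final.docx.locked
2017-04-06T09:15:01 alice svchost.exe RENAME C:\Users\alice\Docs\memo.pdf -> memo.pdf.locked
2017-04-06T09:15:02 alice svchost.exe RENAME C:\Users\alice\Pictures\cat.jpg -> cat.jpg.locked
2017-04-06T09:15:03 alice svchost.exe RENAME C:\Users\alice\Pictures\dog.jpg -> dog.jpg.locked
"""

def extension(name):  # lower-cased extension of a file name, '' if it has none
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def parse_line(line):
    """Return (time, user, process, action, path, new_name or None), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, proc, action, rest = m.groups()
    new_name = None
    if action == "RENAME" and " -> " in rest:
        rest, new_name = rest.split(" -> ", 1)
    return datetime.fromisoformat(ts), user, proc, action, rest, new_name

def find_mass_encryption(lines, window_s=60, threshold=5):
    """Alert once per (user, process) that renames >= threshold files to a new extension within window_s seconds."""
    recent, alerts, flagged = defaultdict(deque), [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev[3] != "RENAME" or ev[5] is None:
            continue
        ts, user, proc, _, path, new_name = ev
        if extension(new_name) == extension(path):
            continue  # same file type (draft.docx -> final.docx): not encryption-like
        q = recent[(user, proc)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # sliding window of recent events
            q.popleft()
        if len(q) >= threshold and (user, proc) not in flagged:
            flagged.add((user, proc))
            alerts.append({"user": user, "process": proc, "count": len(q), "new_ext": extension(new_name), "first_seen": q[0]})
    return alerts
```

Tune `window_s` and `threshold` against a baseline of normal activity; a single benign `.docx -> .pdf` rename, as in the sample, stays well below the threshold.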

To pay or not to pay, that is the question.

“The general advice is not to pay the ransom. By sending your money to cybercriminals you’ll only confirm that ransomware works, and there’s no guarantee you’ll get the decryption key you need in return.”

Options

If you pay, you will either get your data back or not. If you don’t pay, you can try to recover and possibly get your data back, using tools or backups. A new option criminals are offering is that if you get two of your friends infected and they pay, you get your decryption for free. Some cyber-criminals will negotiate on time, money, or proof that the files can be recovered. Report the incident to the authorities.

25%

did not get their data back even after they paid

Paying the ransom feeds the beast and perpetuates the problem. Criminals will keep going where they can make money, and if people are willing to pay, the hackers will keep targeting them. It is an easy payday for hackers. Don’t be an easy mark.

Predictions

We will also see an increase in doxware (ransomware that also threatens to publish the victim’s stolen data).

www.learnsecurity.org/tu