7. January 28, 2017
“One of Europe's top hotels has admitted they had to pay
thousands in Bitcoin ransom to cybercriminals who managed
to hack their electronic key system, locking hundreds of guests
out of their rooms until the money was paid.”
http://www.thelocal.at/20170128/hotel-ransomed-by-hackers-as-guests-locked-in-rooms
11. February 1, 2017
“Texas police in the town of Cockrell Hill have lost eight years’
worth of digital evidence after getting hit by a ransomware
attack in December and refusing to pay up. … The email
planted a virus that then corrupted all files on the server. In the
end, they destroyed all Microsoft Office documents –
including Word and Excel files – as well as all bodycam
video, some photos, some in-car video, and some police
department surveillance video, dating back as early as 2009.”
https://nakedsecurity.sophos.com/2017/02/01/eight-years-worth-of-police-evidence-wiped-out-in-ransomware-attack/
14. February 2016
“A Hollywood hospital has been crippled by a cyberattack,
with crooks reportedly holding its data hostage and
demanding 9,000 in Bitcoin – about $3.4 million – to give
it back.”
They ended up paying $17,000 but went without
computers for ten days. Patients were diverted to other
hospitals.
https://nakedsecurity.sophos.com/2016/02/16/hollywood-hospital-held-to-ransom-by-cybercrooks/
Photo by Junkyardsparkle via Wikimedia Commons
18. A Few Unsettling Facts about Ransomware
62 new ransomware families in 2016.
Ransomware attacks on businesses increased threefold: from an attack
every 2 minutes to one every 40 seconds.
Ransomware attacks on small businesses increased eightfold from Q3
2015 to Q3 2016.
A single cryptomalware attack can cost SMBs $99k.
One in five small and medium-sized businesses that paid the ransom never
got their data back.
19. More Unsettling Facts about Ransomware
According to a 2016 survey from Osterman Research, almost one
out of every two participants indicated their organization had
suffered at least one ransomware attack in the past 12 months.
Less than half of ransomware victims fully recover their data,
even with backup.
Common reasons for incomplete backup recovery included
unmonitored and failed backups, loss of accessible backup drives
that were also encrypted, and loss of between 1 and 24 hours of data
from the last incremental backup snapshot.
Best Practices for Dealing With Phishing and Ransomware; An Osterman Research White Paper, August 2016
21. There are basically two different types
of ransomware:
• lockers
• encryptors
22. The first type, known as “Blockers,” “Lockers,” or
“WinLockers,” locks the computer screen and prevents the
victim from accessing the device.
A ransom demand appears on the screen, typically
masquerading as a notice from a law enforcement agency,
claiming that the victim has accessed illegal web content
and must pay a fine.
24. A variant is “MBR ransomware,” which infects the
master boot record (MBR) and interrupts the normal boot
process. Again, attackers then exploit the situation by
displaying a ransom demand.
25. The second kind is more insidious:
Crypto-ransomware or “encryptors” encrypt most
types of files available to users, including “.doc,” “.xls,”
“.pdf,” and “.jpg.” The attackers then demand a ransom
in exchange for the promise to restore the data by
providing decryption keys to their files.
It doesn’t discriminate: it impacts individuals and
organizations from every region and industry around the
world.
27. Distinguishing these types is
important:
It’s relatively easy to survive a locker or an MBR
variant, but it can be a real challenge to deal with
crypto-ransomware.
28. In any case, ransomware is a type of
malware that cybercriminals use to
extort money from their victims.
Ransomware is extortion,
plain and simple.
29. Symantec ISTR Special Report: Ransomware and Businesses 2016
The average ransom
demand has more
than doubled in the
past year. It’s now
$679, up from $294 at
the end of 2015.
30. Who are the victims?
Consumers are the most likely victims, due to weak or
missing security.
Consumers: 57%
Organizations: 43%
31. How Does It Work?
Understanding the risks we face
32. Social Media
Ransomware, like any malware, can enter
your network and infect your computer in
many ways, including on USB devices, via
booby-trapped websites that exploit
software vulnerabilities, brute-forcing login
credentials, “malvertising,” and even via an
existing malware infection.
Malvertising, where malicious ads are placed on
legitimate ad services and then appear on
trusted websites
35. Infection occurs if the user:
• Opens a malicious email attachment that directly installs
the ransomware on a user’s computer.
• Opens a malicious email attachment that initiates a
second-stage delivery through a downloader (often a
macro), which then downloads and installs the ransomware.
• Clicks on a link embedded in an email that points to an
exploit kit that leads to malware being installed.
50. The use of different programming languages (JavaScript,
PHP, PowerShell) to evade detection by security
products
Additional features beyond locking devices or encrypting
files: searching for Bitcoin wallets or adding infected
computers to botnets
The threat of posting the victim’s files, including pictures
and videos, on the internet.
51. And then there’s “Ransomware as
a Service” (RaaS)
Now available on the Dark Web
52. "Satan is a free to use ransomware kit, you only need to
register on the site to start making your viruses. Satan only
requires a user name and password to create an account,
although, if you wish, you can set a public key for two-factor
authentication. Satan has an initial fee of 30% over the
victim's payment, however, this fee will get lower as you get
more infections and payments. All of the user transactions
are covered by the server, you'll always get what the victim
paid, minus the fee of course."
https://www.scmagazine.com/devilish-new-ransomware-hits-the-street/article/636444/
Devilish New Ransomware Hits the Street
53. When creating your malware you can specify the ransom
value (in bitcoins), …
• Satan is free. You just have to register on the site.
• Satan is very easy to deploy, you can create your
ransomware in less than a minute.
• Satan uses TOR and Bitcoin for anonymity.
• Satan's executable is only 170kb.
Devilish New Ransomware Hits the Street
55. Ransomware is becoming the victim of its own success
Until recently, there has been a strange balance of trust
between the cybercriminals and their victims: you pay, we
return your files. So far, this has worked and ransomware has
thrived.
So it attracts amateur cybercriminals, and we’re seeing the
development of poor-quality ransomware, with no
assurance that the crypto keys will work or that the data isn’t
damaged.
57. Preventive Steps: 1
Having a sound backup strategy is a strong first step.
Here’s why:
The newest strains of Cryptolocker and its cousins not only
traverse the network, they infect the “previous versions,” or
shadow copies, that Windows makes.
It’s also possible for unencrypted backups to be infected
and encrypted, making them worthless as a tactic to avoid
paying a ransom.
58. Preventive Steps: 1
Having a sound backup strategy is a strong first step.
Many organizations and individuals rely on online backup
strategies, backing up to a cloud service that by design
always needs a network connection. This “ease of use”
makes it very easy for ransomware to encrypt those backups
too.
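The two backup slides above say that shadow copies and network-reachable backups get encrypted along with everything else. The practical consequence is that a backup has to be verified against a record kept out of the ransomware's reach before you rely on it. The following is an added example, not code from the presentation or from any of the products it cites: it records a SHA-256 manifest when the backup is written and later compares the backup tree against that manifest, flagging files that are missing, altered or newly appeared (which is exactly what an encrypted-and-renamed backup looks like). The file names and the scenario in demo() are constructed.

```python
# Added example (not from the presentation): verify a backup set against a
# manifest recorded when the backup was written, so that a backup that was
# later encrypted or renamed by ransomware is caught before you rely on it.
# The manifest itself must be stored somewhere the backup share cannot
# reach (offline media or a separate, write-once location).
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backups are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path, size and hash of every file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree with the manifest. Any missing, modified or
    unexpected file means the backup can no longer be trusted as-is."""
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report = {"ok": [], "missing": [], "modified": [], "unexpected": []}
    for rel, expected in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_of(root / rel) != expected["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(present - set(manifest))
    report["healthy"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report


def demo() -> dict:
    """Constructed scenario: a small backup tree is recorded, then hit the way
    a network-reachable backup would be (one file overwritten, one renamed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "budget.xlsx").write_bytes(b"quarterly numbers")
        (root / "docs" / "memo.docx").write_bytes(b"staff memo")
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff sample jpeg bytes")
        # Serialise the manifest: this JSON is the copy you keep off the share.
        offline_copy = json.dumps(build_manifest(root))
        # Simulated ransomware activity on the backup share.
        (root / "docs" / "budget.xlsx").write_bytes(os.urandom(32))
        (root / "docs" / "memo.docx").rename(root / "docs" / "memo.docx.locked")
        return verify_backup(root, json.loads(offline_copy))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification from a machine that mounts the backup read-only, and treat any report with healthy = False as a backup you cannot restore from until you have found out why. The manifest is only useful if the attacker could not rewrite it, which is why it is serialised and kept apart from the data it describes.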
63. Preventive Steps: 2
Install software patches and updates as soon as
they become available.
Ransomware attackers frequently rely on people using
outdated software with known vulnerabilities that they can
exploit to infiltrate your network. Inconsistent patching and
outdated software leave organizations exposed.
Make it a practice to update your software regularly—
operating systems and the installed applications. Patching
commonly exploited third-party software like Acrobat Reader
and Flash will prevent many attacks from being successful.
64. Completely Remove Adobe Flash
If you use several browsers on
Windows, you may have more than a
single version of Flash Player
installed. Remove them all in one fell
swoop:
First, open the Control Panel. Next,
select "Programs and Features" to
view your installed applications.
Here, select each of the plugins
associated with Adobe Flash Player
in turn and click "Uninstall."
66. Preventive Steps: 3
Protect your data: segment your network.
Most networks are “flat,” with little or no segmentation
between functional areas. Segmentation can be used to stop
or slow the lateral movement of malware and intruders.
Network segmentation limits the resources that a hacker can
access. Place your most sensitive data or systems into
dedicated shares, subnets, or VLANs.
Then restrict access to sensitive data—follow the principle of
least privilege.
67. Preventive Steps: 4
It’s true that antivirus solutions are good at eliminating
other threats but have been poor at detecting
ransomware, though they are getting better. Have both
anti-malware software and a software firewall to help
you identify threats or suspicious behavior.
Have up-to-date malicious software defenses—antivirus
and firewall products—running on all devices.
68. Preventive Steps: 5
Use strong passwords that cannot be brute-forced by
remote criminals.
Set unique passwords for different accounts to reduce the
potential risk (and get a password manager).
If you’re using “123456”, you’re not alone: nearly 17% of
users had “secured” their accounts with “123456”, with the
next most common password being “123456789”.
https://blog.keepersecurity.com/2017/01/13/most-common-passwords-of-2016-research-study/
69. Preventive Steps: 6-7
Disable macros in Microsoft Office files
Show hidden file extensions
By default, Windows and OSX hide known file extensions. So
one popular method hackers use to make malware appear
safe is to name files with double extensions, like “.PDF.EXE.”
Enable the ability to see the full file-extensions, so it’s easier
to spot suspicious files.
70. Preventive Steps: 8-9
Install a browser add-on to block popups, as they can also
be an entry point for ransomware attacks.
Disable file sharing.
This way, if you happen to get hit, the ransomware
infection will stay isolated to your machine only.
71. Preventive Steps: 10
Switch off unused networking connections
WiFi connections, Bluetooth, and infrared ports are all potential
attack vectors. If you don’t use these services, disable them.
And be very wary of Open WiFi.
72. Preventive Steps: 11
Deactivate AutoPlay.
This way, harmful processes won’t be
automatically launched from external media, such
as USB memory sticks or other drives.
73. Preventive Steps: 12
Change the Windows default behavior to open
JavaScript files (.js, .jse) with Notepad, not
Windows Script Host. Windows Script Host (WSH) can
grant a malicious script much the same run privileges
as an executable.
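Steps 7 and 12 above both come down to the same problem: Windows decides what to do with a file from its last extension, and the user sees something else. Steps 6-7 warn about double extensions such as “.PDF.EXE”, step 12 about .js and .jse files handed to Windows Script Host. The following is an added example, not code from the presentation: a screening function that classifies an incoming file name by what Windows would actually do with it, catching the double-extension trick (including the padded variant with spaces before the real extension) and script types that a script engine would run. The extension sets are assumptions chosen for the example; the sample file names are constructed.

```python
# Added example (not from the presentation): screen attachment names for the
# tricks the slides describe, so they are flagged before anyone double-clicks.
# The extension sets are assumptions for the example; extend them to match
# what your environment actually allows.
from dataclasses import dataclass

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "txt", "csv", "jpg", "jpeg", "png", "gif", "zip"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "dll"}
# Script types the Windows shell hands to a script engine (Windows Script
# Host for .js/.jse/.vbs/.vbe/.wsf/.wsh, mshta for .hta) when opened.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta"}


@dataclass
class Verdict:
    filename: str
    risk: str    # "low", "review" or "block"
    reason: str


def screen_filename(name: str) -> Verdict:
    """Classify a single file name by the extension Windows will act on."""
    # Collapse whitespace: "invoice.pdf          .exe" is the same trick with padding.
    compact = "".join(name.split())
    parts = compact.lower().split(".")
    exts = [e for e in parts[1:] if e]   # every extension after the base name
    if not exts:
        return Verdict(name, "review", "no file extension")
    final, earlier = exts[-1], exts[:-1]
    if final in EXECUTABLE_EXTS or final in SCRIPT_EXTS:
        kind = "executable" if final in EXECUTABLE_EXTS else "script (run by a script engine)"
        if earlier and earlier[-1] in DOCUMENT_EXTS:
            return Verdict(name, "block",
                           f"double extension: looks like .{earlier[-1]} but is a .{final} {kind}")
        return Verdict(name, "block", f".{final} {kind} attachment")
    if final in MACRO_EXTS:
        return Verdict(name, "review", f"macro-enabled Office file (.{final})")
    if final in DOCUMENT_EXTS:
        return Verdict(name, "low", f"ordinary .{final} document")
    return Verdict(name, "review", f"unrecognised extension .{final}")


def triage(names) -> dict:
    """Group a batch of incoming file names by risk level."""
    groups = {"block": [], "review": [], "low": []}
    for n in names:
        groups[screen_filename(n).risk].append(n)
    return groups


if __name__ == "__main__":
    # Constructed sample attachment names.
    sample = ["report.docx", "invoice.PDF.EXE", "scan.pdf        .scr",
              "update.js", "budget.xlsm", "notes", "photo.jpg"]
    for n in sample:
        v = screen_filename(n)
        print(f"{v.risk:6} {n!r}: {v.reason}")
```

This screens names only; it says nothing about the contents, which is why the slides also ask for macros to be disabled and for scanning of files that have to be opened. A name that passes here can still carry a malicious macro, and a blocked name should be treated as a signal to look at the sender, not just the file.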
74. Preventive Steps: 13
What if it’s part of your job to receive files from unknown people?
Lots of employees receive emails from unknown people:
• HR Representatives
• Finance – Accounts Payable/Receivable
Upload them to VirusTotal, a free
service that will run them past scores of
different anti-virus scanners. (Bear in mind that uploaded
files are shared with VirusTotal’s partner vendors, so don’t
upload documents that contain confidential data.)
https://www.virustotal.com/en/
75. Preventive Steps: 14
But the Number One strategy for avoiding
ransomware—as well as most other
computer-related issues—is:
Train your staff in the dangers of
phishing and malware, and help them
recognize dangers when they come
knocking at the door.
A solid Security Awareness Program is crucial to keeping
your organization and your staff safe.
76. Security Awareness
User education is the key to preventing
ransomware.
Teach your staff to refrain from opening attachments or
clicking on links that look suspicious.
Create a culture of awareness. Discuss these
issues and current events in cybersecurity.
79. When you discover an infection, act fast
First things first: stop the spread of the infection.
Disconnect the device from WiFi or unplug it from the
network immediately. This will decrease the number of files
that get encrypted and cut down on the spread from machine to
machine.
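Acting fast presupposes that you notice the infection while it is still running, and an encryptor is loud on the file system: one process rewrites many user files with an extension nobody normally writes, within seconds. The following is an added example, not code from the presentation or from any product: a small rate-based detector that reads file-event audit lines, counts writes of unfamiliar extensions per process in a sliding window, and raises one alert per process once the count crosses a threshold. The log format, the sample lines, the extension list and the thresholds are all constructed for the example.

```python
# Added example (not from the presentation): a rate-based detector that
# spots one process rewriting many user files with an unfamiliar extension
# in a short window, which is how an encryptor looks from the file system.
# The log format and sample lines are constructed for the example.
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\w+) path=(?P<path>.+)$"
)
# Extensions users and their normal applications write all day; writes to
# anything else are counted as suspicious. Assumed list for the example.
KNOWN_EXTS = {"docx", "xlsx", "pptx", "pdf", "jpg", "png", "txt", "tmp", "bak"}
WINDOW_SECONDS = 30   # assumed window
THRESHOLD = 5         # assumed number of suspicious writes per window

# Constructed sample: a normal Word session, a burst of ".locked" writes by
# a process posing as svchost.exe, and a legitimate backup job.
SAMPLE_LOG = """\
2017-02-01T09:00:01 host=ws12 pid=410 proc=winword.exe op=write path=C:\\Users\\amy\\docs\\memo.docx
2017-02-01T09:00:04 host=ws12 pid=410 proc=winword.exe op=write path=C:\\Users\\amy\\docs\\~$memo.tmp
2017-02-01T09:01:10 host=ws12 pid=987 proc=svchost.exe op=write path=C:\\Users\\amy\\docs\\memo.docx.locked
2017-02-01T09:01:11 host=ws12 pid=987 proc=svchost.exe op=write path=C:\\Users\\amy\\docs\\budget.xlsx.locked
2017-02-01T09:01:12 host=ws12 pid=987 proc=svchost.exe op=write path=C:\\Users\\amy\\pics\\a.jpg.locked
2017-02-01T09:01:13 host=ws12 pid=987 proc=svchost.exe op=write path=C:\\Users\\amy\\pics\\b.jpg.locked
2017-02-01T09:01:14 host=ws12 pid=987 proc=svchost.exe op=write path=C:\\Users\\amy\\docs\\plan.pptx.locked
2017-02-01T09:05:00 host=ws12 pid=222 proc=backup.exe op=write path=D:\\backup\\memo.docx.bak
"""


def parse(line: str):
    """Turn one audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def extension(path: str) -> str:
    """Last extension of a Windows or POSIX path, lower-cased ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines) -> list:
    """Return one alert per (host, pid, proc) that writes THRESHOLD or more
    files with unfamiliar extensions inside any WINDOW_SECONDS span."""
    windows = defaultdict(deque)
    alerts, alerted = [], set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["op"] not in {"write", "rename"}:
            continue
        if extension(ev["path"]) in KNOWN_EXTS:
            continue
        key = (ev["host"], ev["pid"], ev["proc"])
        q = windows[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev["host"], "pid": int(ev["pid"]), "proc": ev["proc"],
                           "count": len(q), "first": q[0].isoformat(),
                           "last": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['host']} pid={a['pid']} {a['proc']}: "
              f"{a['count']} suspicious writes between {a['first']} and {a['last']}")
```

The alert is the cue for the step on this slide: isolate that host from the network first, then investigate. Tune KNOWN_EXTS and the thresholds against a few days of your own audit data before relying on it, because a backup or archiving job that writes an extension you forgot to list will trip it.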
80. Check the No More Ransom project website,
a non-commercial initiative involving public and private
organizations throughout the world that aims to spread a better
understanding of ransomware and help people recover their
data.
Check to see if there’s a decryption tool available that could
help get your files back. You should also report incidents to
your local law enforcement immediately.
https://www.nomoreransom.org/
81. If the No More Ransom project website can’t help, try
this:
Use System Restore to get back to a known-clean
state.
If you have System Restore enabled on your Windows
machine, you might be able to take your system back
to a known-clean state. Many ransomware variants will
prevent this from succeeding, but it’s worth a try.
82. Also worth a try:
If your ransomware is counting down to disaster, set the
BIOS clock back.
Some ransomware variants have a payment timer that
increases the price for your decryption key after a set
time. You may be able to give yourself additional time by
setting the BIOS clock back to a time before the deadline
window is up.
83. If there aren’t any tools to crack the encryption, power
down the endpoint and then reimage it.
Eliminating ransomware will require wiping the system
totally, then reinstalling a fresh copy of the operating
system before reconnecting it to any network.
87. There’s no agreement in the Information
Security community.
Experts are mixed on the wisdom of paying
the demanded ransom. Even the FBI has
changed its position on paying. So
consider your options carefully.
88. My personal advice:
Don’t pay the ransom.
Paying it can make your organization an even bigger target.
It could also increase the chance that the next ransom will
be higher.
It also encourages cybercriminals and might not result in
the recovery of the affected files.
89. Remember that you’re dealing with criminals.
There’s no guarantee that files will be unlocked,
and there’s an increased likelihood of being
attacked again.
Even if the hackers provide the
encryption key, they could have
already exfiltrated data that could
be sold or posted on the Deep
Web.
Trust me!
90. And now for:
The Bigger Picture
Enough of these problems!
How about a comprehensive solution!?
91. “Cybercriminals are often not geniuses
for a very good reason. They don't
need to be. We make it too easy for
them to succeed.”
Graham Cluley, Feb. 6, 2017
He wants to promote “active security” –
active as in “getting off your arse and
doing something.”
https://www.grahamcluley.com/security-firms-need-stop-exaggerating-hackers-abilities-hype-products/
92. Get Yourself a Cybersecurity Framework
With a cybersecurity framework, organizations
can assess and improve their ability to
prevent, detect, and respond to cyber attacks.
A framework provides a way to classify
cybersecurity outcomes and a methodology to
assess and manage those outcomes.
94. There’s no shortage of standards to consider:
• NIST 800-53 = National Institute of Standards and Tech.
• FISMA = Federal Information Security Management Act
• DIACAP = DoD Information Assurance Certification and Accreditation
Process
• SOX = Sarbanes-Oxley Act of 2002
• GLBA = Gramm-Leach-Bliley Act
• PCI-DSS = Payment Card Industry Data Security Standard
• NERC = North American Electric Reliability Corporation
• CIP = Certified IRB Professional
• ISO 27000 Series = Int’l Org. for Standardization
• HITECH Act of 2009
95. “A lot of times, enterprises just don’t know where and how,
or what to do. Where’s the next dollar best spent?”
“This is about priority.”
Tony Sager, former head of the NSA’s Systems &
Network Attack Center, now with the SANS Institute
96. Since the early 2000s, the NSA had been working
on a list of security controls that were most effective
in stopping known attacks.
The key: “no control should be made a priority
unless it could be shown to stop or mitigate a known
attack.”
97. The second key: the NSA was already collaborating
with two nonprofit organizations:
The SANS Institute — a cooperative research and
education organization, “the most trusted and by far the
largest source of information security training and
security certification in the world.”
The Center for Internet Security — “works on
enhancing cyber security readiness and response of
public and private sector entities.”
98. Eventually, more than 100 public and private
organizations joined in, as well as a few companies
involved in incident response, including McAfee and
Mandiant.
The two main elements:
1) The only justification for a control was actual
attack information.
2) The feeling among the participants that they were
active contributors to protecting the country.
99. The clear consensus:
Just 20 Critical Controls could address
the most prevalent attacks that government,
industry, and the private sector face.
https://www.cisecurity.org/
101. Spoiler Alert:
Most of these controls are standard procedure or
“Best Practices” in network administration.
Chances are that you’ve implemented many of them
yourself.
There really shouldn’t be any surprise here.
102. 1. Inventory of Authorized Devices on network
2. Inventory of all Software
3. Secure Configurations for all devices
4. Continuous Vulnerability Assessment
5. Controlled Use of Admin Privileges
Meeting the first five can reduce your risk of
attack by 85%
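Control 1 is first on the list because everything else depends on it: you cannot patch, configure or monitor a device you don't know is there. The following is an added example, not code from the presentation or from CIS: it reconciles a constructed authorized-device inventory against constructed DHCP-lease-style observations, normalising MAC addresses so that different notations compare equal, and reports devices that are on the network but not in the inventory, inventory entries that were not seen, and authorized devices whose hostname no longer matches. The inventory format, the lease format and every address in them are assumptions made for the example.

```python
# Added example (not from the presentation): reconcile what is actually on
# the network against the authorised inventory, the substance of CIS
# Control 1. Inventory format, lease format and all values are constructed.
import csv
import io
import re

AUTHORIZED_CSV = """\
mac,hostname,owner
00:1A:2B:3C:4D:01,fileserver01,IT
00:1a:2b:3c:4d:02,ws-amy,Finance
00-1A-2B-3C-4D-03,ws-bob,HR
"""

# Constructed DHCP-lease-style lines: "<ip> <mac> <hostname>"
OBSERVED_LEASES = """\
10.0.5.10 00:1a:2b:3c:4d:01 fileserver01
10.0.5.21 00:1A:2B:3C:4D:02 DESKTOP-X1
10.0.5.77 8c:85:90:aa:bb:cc android-5f3e
10.0.5.78 00:1a:2b:3c:4d:99 raspberrypi
"""


def normalize_mac(mac: str) -> str:
    """Accept 00:1A:2B..., 00-1a-2b... or 001a2b... and return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_authorized(text: str) -> dict:
    """Inventory keyed by normalised MAC."""
    return {normalize_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}


def load_observed(text: str) -> dict:
    """Lease records keyed by normalised MAC."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, host = line.split()
        seen[normalize_mac(mac)] = {"ip": ip, "hostname": host}
    return seen


def reconcile(authorized: dict, observed: dict) -> dict:
    """Compare the two views and report every kind of discrepancy."""
    unauthorized = [{"mac": m, **observed[m]} for m in sorted(observed) if m not in authorized]
    not_seen = [{"mac": m, "hostname": authorized[m]["hostname"]}
                for m in sorted(authorized) if m not in observed]
    mismatch, confirmed = [], []
    for m in sorted(observed):
        if m not in authorized:
            continue
        expected = authorized[m]["hostname"]
        if observed[m]["hostname"] != expected:
            mismatch.append({"mac": m, "expected": expected, "seen": observed[m]["hostname"]})
        else:
            confirmed.append(m)
    return {"unauthorized": unauthorized, "not_seen": not_seen,
            "hostname_mismatch": mismatch, "confirmed": confirmed}


if __name__ == "__main__":
    report = reconcile(load_authorized(AUTHORIZED_CSV), load_observed(OBSERVED_LEASES))
    for kind, items in report.items():
        print(kind, items)
```

Each list in the report is an action item: unauthorized devices get isolated or enrolled, entries not seen get checked for a decommissioning that never reached the inventory, and a hostname mismatch on a known MAC is worth a look because it may be a rebuilt machine that missed your baseline configuration. Feeding the same logic from switch MAC tables or an agent inventory instead of DHCP leases changes only the loader.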
105. You can take concrete, measurable steps
toward improving your networks by putting into
place, over time, some or most (if not all) of
these controls. Yes, it takes time, but it
really does pay off.
It works to improve your security posture
vis-à-vis real-world security threats.
107. Thanks very much for your attention!
Any questions or comments?
Q and A
Roger Hagedorn
Email: roger.hagedorn@gmail.com
108. I’d like to thank two colleagues:
Ian Anderson, IT Security Manager, City of Oklahoma City
Jon Tidwell, IT Security Officer, Collin County Government
for sharing their presentation “Deploying the Critical
Security Controls Like a Boss!” and for allowing me to use
a few of their slides.
109. References
Symantec ISTR Special Report: Ransomware and Businesses 2016
Kaspersky Security Bulletin 2016
https://securelist.com/files/2016/12/KSB2016_Story_of_the_Year_ENG.pdf
Best Practices for Dealing With Phishing and Ransomware
An Osterman Research White Paper, August 2016
CIS—Center for Internet Security
https://www.cisecurity.org/
SANS Institute NewsBites
https://www.sans.org/newsletters/newsbites/newsbites.php
Graham Cluley – Latest computer security news, opinion and advice
https://www.grahamcluley.com/
Naked Security – Computer Security News, Advice and Research
https://nakedsecurity.sophos.com/
The Hacker News—Security in a Serious Way
http://thehackernews.com