Ransomware - NIST Computer Security Resource Center
Post on 09-Jun-2020
Ransomware
Bill Wright, Government Affairs
6/29/2017
Copyright © 2017 Symantec Corporation
Evolution path
o 2005-2009: MISLEADING APP (“FIX”)
o 2010-2011: FAKE AV (“CLEAN”)
o 2012-2013: LOCKER RANSOMWARE (“FINE”)
o 2014-2017: CRYPTO RANSOMWARE (“FEE”)
2016 Internet Security Threat Report Volume 21
36% Increase in Ransomware Attacks
o Highly profitable
o Low Barrier to Entry
- Multiple Software as a Service offerings available
2017 Internet Security Threat
3x as many new ransomware families in 2016
o 2014: 30
o 2015: 30
o 2016: 101
Ransomware Detections by Country
o With 34% of all attacks, the US is the region most affected by ransomware
o Attackers target countries that can pay the largest ransom
o The number of internet-connected computers also affects the numbers
o But the US also has a characteristic that is driving up the cost of the ransom
Average Ransom Demand
o The average starting ransom demand soared in 2016.
o Once infected, many threats raise price if ransom not paid by deadline
o Some criminals will negotiate
o Targeted businesses will see higher demands
o Highest ransom demand for single machine seen in 2016 - $28,730 (Ransom.Mircop)
o 2015: $294
o 2016: $1,077
What is Driving Up the Ransom Demand?
o There does not appear to be price sensitivity among victims, especially in the US
- As long as victims are willing to pay, criminals can raise the price
Percentage of Consumers Who Pay Ransom
o US: 64%
o Globally: 34%
WannaCry Ransomware: Generating Significant Global Attention
WannaCry Ransomware: Basics of the Attack
• Microsoft announces SMB vulnerability and patch within MS17-010
• Shadow Brokers release EternalBlue in their data dump, which exploits this Microsoft SMB vulnerability
• WannaCry is seen in the wild; the initial compromise vector is unknown
• WannaCry encrypts files for ransom on host and propagates to other unpatched/unprotected hosts
[Diagram labels: Security Stack, Internet]
Attribution: Possibly Lazarus Group
• Code used/borrowed from other Lazarus attacks
• Earlier versions of WannaCry found on computers with Lazarus tools
• Precedent exists: SWIFT attacks, $81 million
Public Private Partnership: WannaCry
DHS’s National Cybersecurity and Communications Integration Center (NCCIC)
Cyber Threat Alliance
Petya Ransomware
Petya
Looking Ahead
Q&A
Thank You!
Ransomware
Symantec’s Timeline of WannaCry
Symantec Blocked 22M Attempted Attacks on Nearly 300,000 Endpoint Systems

Timeline markers: March 14, April 14, May 2, May 12 – 1AM Central US, May 12 – 3PM Central US

o Microsoft announces vulnerability MS17-010 and releases patch
o April 14: ShadowBrokers release EternalBlue
o Symantec delivers protection to block SMB exploitation of MS17-010, including blocking for EternalBlue, for SEP14, SEP12 and Norton
o WannaCry is first seen in the wild
o Symantec Endpoint Advanced Machine Learning and Norton automatically block most variants of WannaCry
o Symantec Global Intelligence Network instantly adapts, providing protection to SEP14 and Blue Coat ProxySG
o Symantec delivers further updates to protect against potential new variants for SEP14, SEP12 and Norton

Continuous Protection
o Critical Systems Protection (CSP)
o Data Center Security (DCS)
o Cloud Workload Protection (CWP)
o IT Management System (ITMS)
o Control Compliance Suite (CCS)
o Malware Analysis / Cynic
o MSSP
o Cyber Security Services