Exhibitor session: Fortinet

Fortinet

Upload: jisc

Post on 22-Jan-2018

TRANSCRIPT

Page 1: Exhibitor session: Fortinet

Fortinet

Page 2: Exhibitor session: Fortinet

© Copyright Fortinet Inc. All rights reserved.

Adrian Louth

Page 3: Exhibitor session: Fortinet

2016 Ransomware Review

Page 4: Exhibitor session: Fortinet

[Pie chart] Exploit Kits: 61% / 39% (legend: Exploit Kits Related to Ransomware, Other Exploit Kits)

[Pie chart] Data Loss: 67% / 33% (legend: Experienced Data Loss, No Data Loss)

[Pie chart] Email: 93% / 7% (legend: Phishing related to Ransomware, Other Phishing)

[Pie chart] Businesses Affected: 42% / 58% (legend: Affected in last year, Unaffected last year)

x3 increase in attacks against Businesses

Page 5: Exhibitor session: Fortinet

Some Good News

Page 6: Exhibitor session: Fortinet

Why Ransomware?

Page 7: Exhibitor session: Fortinet

Business Case – Research from Jamison Utter

Ransomware with 90 days' support cost $3,000

» Guaranteed 10% infection rate

» Expect 0.5% pay out

SEO and traffic acquisition campaign $3,000

» Guaranteed traffic rates: 20,000 clicks a day

Ransom: one Bitcoin, approx. $300 at the time.

Page 8: Exhibitor session: Fortinet

The Maths

20,000 visitors x 10% infection rate = 2,000 infections per day

2,000 x 0.5% pay-outs = 10 pay-outs per day

10 pay-outs x $300 x 90 days = $270,000

Page 9: Exhibitor session: Fortinet

RaaS with Petya

Page 10: Exhibitor session: Fortinet

Stages of Ransomware

Exploitation and Infection

Phishing and human errors are the primary mechanisms used to exploit a system.

Delivery and Execution

Once the initial exploit has been used, the ransomware executable is delivered and persistence is established.

Backup Corruption

Backup systems and files are targeted, notably shadow copies, etc., to ensure the disruption is maximised.

File Encryption

Ransomware will perform a secure key exchange with its Command and Control Server and use the keys to perform the encryption.

Ransom Demand

The user is notified of the ransom demand, which often increases after a period of time.

15 Minutes

Page 11: Exhibitor session: Fortinet

Pay or Not Pay?

Page 12: Exhibitor session: Fortinet

Pay The Piper?

% X $

Cost of recovering data or system?

Either way you should rebuild the system and identify the infection path or you will be hit again.

Cost of Ransom and Likelihood of being given the keys to restore.

Page 13: Exhibitor session: Fortinet

Pay the Piper?

Some campaigns are known to not give out recovery keys.

Others have helpdesk numbers and are willing to discount.

About 20% of people who pay don’t get their files back.

When you’ve paid you may be targeted again.

Page 14: Exhibitor session: Fortinet

Turn Off and Go Home?

Page 15: Exhibitor session: Fortinet

What can we do?

Backup

Patch

Manage Privilege and Control Access, Disable Macros

Educate Staff

Page 16: Exhibitor session: Fortinet

What can we do?

Get Bitcoins

Know where to find Decryptors

Have a plan and exercise it

Page 17: Exhibitor session: Fortinet

Real Business Example

Page 18: Exhibitor session: Fortinet

Real World Example

• Attacks 2-3 times a week

• Approximately 7-10 infections per week

• Targeting Senior Executives (Whaling)

• Each Instance of Ransomware Costing Approximately £1,000

• £1,000 x 7 x 52 = £364,000 pa

Page 19: Exhibitor session: Fortinet

How does Fortinet help?

Code Continuum: Known Good; Probably Good; Might be Good; Completely Unknown; Somewhat Suspicious; Very Suspicious; Known Bad

Security Technologies: Whitelists; Reputation: File, IP, App, Email; App Signatures, Digitally signed files; Sandboxing; Heuristics; Reputation: File, IP, App, Email; Generic Signatures; Blacklists; Signatures

99.5%* of malware samples are unique to an organization

Source: Verizon 2016 Data Breach Investigations Report, April 2016

Page 20: Exhibitor session: Fortinet

Fortinet Co-ordinated Security Fabric

Known threats on web/messaging traffic blocked on the NGFW, Secure Email Gateway and the End Point

Unknown URLs and Files submission to FortiSandbox

FortiSandbox to deliver URL and AV DB updates for malicious or suspicious detection.

[Diagram labels: Mail Server, FortiGate NGFW, Internet, FortiSandbox, FortiClient, FortiMail]

Page 21: Exhibitor session: Fortinet

Future for Ransomware

Page 22: Exhibitor session: Fortinet

Ransom of Things

Page 23: Exhibitor session: Fortinet

Hackers breached the hotel’s door systems and caused the room doors to lock.

The hotel ended up having to pay about $1,800 in Bitcoins to regain control of the system.

“We were at maximum capacity with 180 guests and decided that it was better to give in” Managing Director, Christoph Brandstaetter

Page 24: Exhibitor session: Fortinet
Page 25: Exhibitor session: Fortinet

Thank you