exhibitor session: fortinet
TRANSCRIPT
Fortinet
© Copyright Fortinet Inc. All rights reserved.
Adrian Louth
2016 Ransomware Review
Exploit Kits: 61% / 39% (Exploit Kits Related to Ransomware / Other Exploit Kits)
Data Loss: 67% / 33% (Experienced Data Loss / No Data Loss)
93% / 7% (Phishing related to Ransomware / Other Phishing)
Businesses Affected: 42% / 58% (Affected in last year / Unaffected last year)
x3 increase in attacks against Businesses
Some Good News
Why Ransomware?
Business Case – Research from Jamison Utter
Ransomware With 90 Days Support cost $3,000 » Guaranteed 10% infection rate
Expect 0.5% pay out
SEO and Traffic Acquisition campaign $3,000 » Guaranteed traffic rates 20,000 clicks a day.
Ransom one Bitcoin approx. $300 at the time.
The Maths
20,000 visitors x 10% Infection Rate
= 2,000 Infections per day
2,000 x 0.5% pay-outs = 10 pay-outs per day
10 pay-outs x $300 x 90 days
= $270,000
RaaS with Petya
Stages of Ransomware
Exploitation and Infection
Phishing and human errors are the primary mechanisms used to exploit a system.
Delivery and Execution
Once the initial exploit has been used, the ransomware executable is delivered and persistence is established.
Backup Corruption
Backup systems and files are targeted, notably shadow copies, etc., to ensure the disruption is maximised.
File Encryption
Ransomware will perform a secure key exchange with its Command and Control server and use the keys to perform the encryption.
Ransom Demand
The user is notified of the ransom demand, which often increases after a period of time.
15 Minutes
Pay or Not Pay?
Pay The Piper?
%X $Cost of recovering data or system?
Either way you should rebuild the system and identify the infection path or you will be hit again.
Cost of Ransom and Likelihood of being given the keys to restore.
Some Campaigns are known to not give out recovery keys.
Others have helpdesk numbers and are willing to discount.
About 20% of people who pay don’t get their files back.
When you’ve paid you may be targeted again.
Pay the Piper?
Turn Off and Go Home?
What can we do?
Backup
Patch
Manage Privilege and Control Access, Disable Macros
Educate Staff
What can we do?
Get Bitcoins
Know where to find Decryptors
Have a plan and exercise it
Real Business Example
Real World Example
• Attacks 2-3 times a week
• Approximately 7-10 infections per week
• Targeting Senior Executives (Whaling)
• Each Instance of Ransomware Costing Approximately £1,000
• £1,000 x 7 x 52 = £364,000 pa
How does Fortinet help?
Source: Verizon 2016 Data Breach Investigations Report, April 2016
Code Continuum: Known Good; Probably Good; Might be Good; Completely Unknown; Somewhat Suspicious; Very Suspicious; Known Bad
Security Technologies: Whitelists; Reputation: File, IP, App, Email; App Signatures, Digitally signed files; Sandboxing; Heuristics; Reputation: File, IP, App, Email; Generic Signatures; Blacklists; Signatures
99.5%* of malware samples are unique to an organization
Fortinet Co-ordinated Security Fabric
Known threats on web/messaging traffic blocked on the NGFW, Secure Email Gateway and the End Point
Unknown URLs and Files submission to FortiSandbox
FortiSandbox to deliver URL and AV DB updates for malicious or suspicious detection.
Diagram components: Mail Server, FortiGate NGFW, Internet, FortiSandbox, FortiClient, FortiMail
Future for Ransomware
Ransom of Things
Hackers Breached the Hotel’s door systems and caused the room doors to lock.
The Hotel ended up having to pay about $1,800 in Bitcoins to regain control of the system.
“We were at maximum capacity with 180 guests and decided that it was better to give in” Managing Director, Christoph Brandstaetter
Thank you