Upload File

ransomware: history, histrionics, and “honor”- the...

  • Home
  • Documents
  • Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The
20
Ransomware: History, Histrionics, and “Honor”- The Intersection of Preparation and Prevention February 24, 2017 Emily R. Fedeles [email protected] James A. Sherer Breach Hotline: 855-217-5204 [email protected] www.dataprivacymonitor.com

Upload: others

Post on 16-Oct-2020

0 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

Ransomware: History, Histrionics, and “Honor”- The Intersection of Preparation and Prevention

February 24, 2017 Emily R. Fedeles

[email protected] James A. Sherer Breach Hotline: 855-217-5204 [email protected] www.dataprivacymonitor.com

Page 2: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

JamesSherer,Partner

2

JamesShererisapartnerintheNewYorkofficeofBakerHostetler,wherehechairstheInforma<onGovernanceprac<ceteamandservesaspartoftheE-DiscoveryAdvocacyandManagementandPrivacyandDataProtec<ongroups.JamesassistswithoversightofdiscoveryandElectronicallyStoredInforma<onissuesforfirmclients.Jamesisalsotaskedwith“deepdive”technologicalandcaselaw-relatedassignmentsforomnibusmo<onsandcasestrategy.James’sworkfocusesonadvisingonmerger&acquisi<onduediligence;informa<ongovernanceprac<cesandpoliciesforclients;andclientcorporatestructureandbusinessofferingsregardinginterna<onaldataprivacyrequirements.

JamesholdsanMBA,hasCIPP/US,CIPP/E,CIPM,andFIPdataprivacyprofessionalcreden<als,theCIPandIGPinforma<ongovernancedesigna<ons,andtheCEDSeDiscoveryspecialistcreden<al.JamesisamemberofTheSedonaConference®WorkingGroupsOne,Six,andElevenandhasservedonSearch,AchievingQuality,DataPrivacyandSecurity,andMerger&Acquisi<onDra\ingTeams.HeisalsoamemberoftheNewYorkStateBarAssocia<onEDiscoveryCommi]eeaswellastheNewYorkeDiscoveryCounselRoundtable.

Page 3: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

EmilyFedeles,Associate

3

EmilyFedelesisanassociateintheNewYorkofficeofBakerHostetler,whereshemaintainsageneralli<ga<onprac<ceandservesaspartofboththeE-DiscoveryAdvocacyandManagementandthePrivacyandDataProtec<ongroups.Emilyregularlyworkswithclientsacrossmul<pleindustrysectorsonawiderangeofma]ers,includingassis<ngwiththeoversightofdiscoveryandElectronicallyStoredInforma<onissuesaswellasdevelopingli<ga<onandregulatoryresponsestodatabreaches.

PriortojoiningBakerHostetler,Emilyprac<cedli<ga<oninGeneva,Switzerland,whereshedevelopedawealthofexperiencerela<ngtocross-borderli<ga<onanddiscoveryissuesanddataprivacyandsecurityconsidera<ons.ShebeganherlegalcareerasanassociateinFlorida,whereshewasamemberoffourtrialteamsformul<-milliondollarcasesinbothstateandfederalcourt.

Emilya]endedEmoryUniversityforbothundergradandlawschool,wheresheheldaninternshipwithTheAtlantaSpiritandservedasajuvenilepublicdefenderundertheThirdYearPrac<ceAct.SheisamemberoftheInterna<onalAssocia<onofPrivacyProfessionals(CIPP/E)andTheSedonaConference®

WorkingGroupsOne,Six,andEleven.Emilyhaswri]enandspokenone-discoveryandprivacyissueswithapar<cularfocusontheimpactsofemergingtechnologiessuchascorporate“BringYourOwnDevice”programs.

Page 4: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

Agenda

•  RansomwareExplained•  HistoryofRansomware

–  RansomwareasaProcess–  RansomwareasaBusiness

•  DefendingagainstandRespondingtoRansomware–  Ransomware’sDirectImpact–  Ransomware’sIndirectImpact–  RansomwareResponse

•  Prac<calandLegalChallenges

•  FutureofRansomware

4

Page 5: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

5

WhatisRansomware?

Page 6: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

RansomwareUnpacked

•  Whatisransomware?•  Maliciousso\warethatexploitsordamagesatargetby

infec<ngacomputerorsystem•  Maybespreadinavarietyofways•  A]ackersaregeengsmarterindeliverymethods

•  Whatformsdoesransomwaretake?•  Canbecategorizedbasedontheformofa]ackthat

ransomwaretakes•  Lockerransomware,cryptoransomware,hybridapproaches

6

Page 7: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

HowRansomwareWorks

•  Encryptsorotherwisedeniesaccesstothedata

•  Atnextlog-in,thevic<mgetsamessagethathisdataisbeingheldhostageun<lapaymentismade

•  Typicallyincludesafast-approachingdeadline,some<mesincludesancillarythreatstodisclosethedatapublicly

7

Page 8: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

HowVic<msPay

•  Ransompaymentsgenerallymustbemadeinadigitalcurrency(Bitcoin)

•  A]ackersremainanonymousandtransac<onsarevirtuallyuntraceable

•  Nomiddle-maninvolved•  Someevenoffer“customerservice”•  Strategicdecisionwhethertopay

8

Page 9: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

HowOrganiza<onsareDamaged

Monetary•  Ransompayment•  Lostprofitswhilebusinessopera<onshalted•  CostofengagingoutsideIT/forensicsconsultant•  Breachresponsecostsifpersonaldataaccessed•  Poten<alregulatoryfinesorli<ga<oncosts

Non-monetary•  Reputa<ondamage•  Disrup<onofcustomeraccesstovitalservices•  Nightmareofpoten<albreachifpersonaldataaccessed

9

Page 10: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

10

RansomwarethroughtheDecade(s)

Page 11: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

•  Late1980s-early2000s–  Minorinconvenience–  Paymentlargelyunnecessary

•  2005resurgence–  Actuallysuccessfulindisablingmachines–  Precursortowhatweseetoday

•  2013-present–  Fastspreading–  Growingexponen<allyinnumberandpossibleofdevicesitmayeffect

•  Emergenceofsmartphonevariants

11

TheRiseofRansomware

Page 12: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

TheRiseofRansomware

12

Page 13: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

13

RansomwarebyIndustry

Page 14: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

Protec<ngAgainstandRespondingtoRansomware

Page 15: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

•  Implementrobustbackupandrecoverypoliciesandprocedures–  Backupstobemaintainedseparatefromthemain

network,preferablyoff-site

•  Thoroughdatasecuritytraining•  Workforceeduca<on•  So\waresolu<onstoblockincomingmalware•  Stayontopofthelatestdevelopments

15

RansomwareDefense

Page 16: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

•  Technicalandadministra<vesolu<ons–  Disableuseofvulnerableplugins–  Deployintrusionpreven<on–  U<lizeendpointsecurityso\ware–  Keepan<virusprotec<onup-to-date–  Ensuresecuritypatchesareinstalledpromptly

16

RansomwareDefense

Page 17: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

•  July2016–theDepartmentofHealthandHumanServices,OfficeforCivilRightsreleasesguidanceonhowtheagencyinterpretsransomwarea]acksonHIPAAcovereden<<esandbusinessassociates–  “Whenelectronicprotectedhealthinforma<on(ePHI)is

encryptedastheresultofaransomwarea]ack,abreachhasoccurredbecausetheePHIencryptedbytheransomwarewasacquired….unlessthecovereden<tyorbusinessassociatecandemonstratethatthereisa‘…lowprobabilitythatthePHIhasbeencompromised,’basedonthefactorssetforthintheBreachNo<fica<onRule.”

17

OCRGuidance

Page 18: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

•  Willpaymentresultinreleaseofdevicesorareneweddemandforanincreasedpayment?

•  Lawenforcementwillnotadviseacompanywhetherornottopay,thoughmayprovideanecdotalevidenceorinforma<onaboutapar<cular“brand”ofransomware

•  MayviolateOfficeofForeignAssetsControl(OFAC)restric<ons

•  Mayresultinfurtherdemands

18

ToPayorNotToPay?

Page 19: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

•  PaymenttypicallymustbemadeinBitcoin–  Availability–  VulnerabilityandVic<mIden<fica<on–  Taxablestatus

•  RansompaymentsarenotendorsedbytheUSA•  OFACRestric<ons•  Execu<veOrder13694CybercrimeRestric<ons

19

PaymentandLogis<cs

Page 20: Ransomware: History, Histrionics, and “Honor”- The ...jolt.richmond.edu/files/2016/02/James-Sherer-and-Emily-Fedeles... · Ransomware: History, Histrionics, and “Honor”- The

JamesA.ShererPartner,BakerHostetler–[email protected]@jamesshererEmilyR.FedelesAssociate,BakerHostetler–[email protected]@emilyrfedeles

20

Ques<ons?


A RANSOMWARE TALE

Ransomware- success stories Triangle InfoSeCon · Ransomware Ransomware WannaCry,Petya,CryptoLocker,and TeslaCrypt are some of the more notable examples of such ransomware. In general,

Ransomware - asecuritysite.com · Types •Locker Ransomware. Locks the computer. •Crypto Ransomware. Requires decryption key. •Master Boot Record Ransomware. Attack MBR so that

Ransomware ly

LockBit Ransomware

Cybercrime Tactics & Techniques: Q2 2019 Ransomware ......Ransomware shifts to business targets » Consumer ransomware drops -12% YoY & -25% QoQ » Business focused ransomware increase

CYBEREASON VS RANSOMWARE

Ransomware Threat Report : WannaCry · Ransomware Threat Report : WannaCry IN-DEPTH COVERAGE AND INSIGHTS OF THE WANNACRY RANSOMWARE FROM ARMOR’S SECURITY EXPERTS

Ransomware: your money or your bytes Version 2.0, updated ...€¦ · Center joint Ransomware Guide6 • Microsoft - Human-operated ransomware attacks: A preventable disaster7 •

Defend Your Data from Ransomware Attacksdiscover.zyxel.com/rs/471-TTL-126/images/Ransomware...Defend Your Data from Ransomware Attacks The Threat of Ransomware The WannaCry attack

Ransomware Payment: Legality, Logistics, …...• Ransomware start-up costs are cheap. Ransomware software is readily and easily available – and is extraordinarily inexpensive

Easy way to uninstall PadCrypt ransomware: Remove PadCrypt ransomware

Thermostat Ransomware

Hive Ransomware

An Enterprise Guide to Preventing Ransomware Attacksstratxsolutions.com/...black_ebook_ransomware_0912.pdf · AN ENTERPRISE GUIDE TO PREVENTING RANSOMWARE ATTACKS Ransomware isn’t

Threat Alert NotPetya Ransomware Attack...The NotPetya Ransomware Attack June 2017 A Deep Dive into the NotPetya Ransomware Attack This is a new variant of the Petya ransomware family

Vortrag Ransomware CC BY-SA - edvgt.de¶rn... · EDV-Gerichtstag 2016, Jörn Erbguth, [email protected] Funktionsweise Ransomware 1. Ransomware infiziert Rechner 8

Ransomware: Modern Day PiratesRansomware • What is ransomware • History of ransomware • Actors and their motivations • Anatomy of a ransomware attack • Cost of a ransomware

Ransomware: The Known and Unknown€¦ · Can I get ransomware from removable devices? Can I get ransomware from social media? Can a hacker infect me with ransomware through other

RANSOMWARE - healthyagingcore.ca

UNMASKING RANSOMWARE

Ransomware Eradication using Biomorphic Perimeterisation€¦ · recover from NotPetya. Types of Ransomware (Device Target) Ransomware Device Targets Device Targets are Different

Ransomware: Wannacry

CROWDSTRIKE // WHITE PAPER RANSOMWARE A GROWING …€¦ · CROWDSTRIKE // WHITE PAPER RANSOMWARE A GROWING ENTERPRISE THREAT ... the sheer volume of ransomware variants released

Ransomware Response Guide

The Histrionics

Ransomware and tips to prevent ransomware attacks

MAPPING THE RANSOMWARE LANDSCAPE - Bitpipedocs.media.bitpipe.com/io_13x/io_137963/item_1550281/Mapping T… · 2 RANSOMWARE GUIDE: MAPPIN THE RANSOMWARE LANSCAPE SCOPE OF THE THREAT

Ransomware Handbook

RANSOMWARE PROTECTION€¦ · RANSOMWARE PROTECTION UIDE . ... Exploitation Exploit Mitigations Application Behavior Payload Execution ... PREVENTION AGAINST RANSOMWARE

Histrionics Obsessive-Compulsive Schizophrenia DissociativeDisorder Bipolar or Manic-Depressive Disorder Borderline Personality disorder

Education Unplugged: Mobile Learning Comes of Age Hysteria, History, and Histrionics

Ransomware Cyber Threat Acronis Infographicdownload.acronis.com/...Ransomware_Threat_Acronis... · RANSOMWARE THE NEW CYBER THREAT AND HOW TO STOP IT RANSOMWARE: hackers hold your

Understanding Ransomware: Impact, Evolution and Defensive ...€¦ · 14/07/2014  · 3 Evolution of Ransomware 3.1 Historic Examples of Ransomware Ransomware trojans appeared as

Business Guide to Ransomware - IT Best of Breed · 2017-05-15 · Business Guide to Ransomware Table of Contents: 1. Introduction to Ransomware 2. Ransomware as a Service 3. Dissection