-
Ransomware Overview and Examples
Never Pay the Ransom
-
About Us
• Founded in 2013
• Headquartered in Pelham, AL
• Focused 100% on Disaster Recovery and Business Continuity
• Active in Local Government and Commercial Business
• Clients all over the US
-
Before We Begin
We aren’t here to scare you!
-
Ransomware Basics
What Ransomware Is
• Blocks access until a sum of money is paid
• Encrypts files the user has access to
• Informs the user to pay the ransom
• Often uses social engineering
• Targets victims with ransoms the attackers think you’ll pay
-
History of Ransomware
Origins
• First recorded in Eastern Europe in 2009
• Mostly targeting individual users
• Small ransoms, usually around 100 Euros
• Less targeted and more of a shotgun approach
-
Who Is Doing This?
Individuals, Groups, State Actors
North Korea
• Attacks in 70 countries
• Hit the British health system
Russia
• Attacks in Ukraine
• Collateral damage
-
Ransomware Basics
What Ransomware Isn’t
• A traditional computer virus: a virus is a type of malicious code or program written to alter the way a computer operates and designed to spread from one computer to another.
• Traditional malware: malware is traditionally built to steal data, which means that malware designed in this way must usually “phone home” to its makers.
-
Ransomware Basics
Common Infection Vectors
• Spam emails
• Ransomware is now more targeted at businesses than home users
• Most attacks are very targeted
• End user training is critical
• Good email discipline is difficult but necessary
-
Ransomware Basics
Common Infection Vectors
• Hacked or compromised webpages
• Compromised ads on legitimate sites
• Sites created specifically for infection
-
Ransomware Basics
Common Infection Vectors
• Mixed attacks
• SamSam
  • Exploits vulnerabilities in JBoss, a middleware platform on Linux
  • Creates openings into the network
  • Can wait until much later to actually send the ransomware payload
-
Prevention Strategies
End User Education
• Most ransomware infections come from end users clicking on or opening a file or email attachment.
• Educate users on security awareness and then use tools to reinforce a security culture.
• Use third-party tools:
  • Phishing Security Test
  • Email Exposure Testing
  • Ransomware Simulator Tool
-
Prevention Strategies
Email Filtering
• The better your spam filtering, the less likely you are to get a ransomware email into your organization.
• Third-party filtering can be useful to keep spam out of your environment from the outset.
• Specialized services or appliances will be better than built-in systems.
-
Prevention Strategies
(Four image slides; credit: PC Magazine 2017 and 2018)
-
Prevention Strategies
Proven Backup Strategy
• The best prevention strategy for ransomware is a solid backup strategy.
• All servers should be backed up at a minimum of once per hour (critical servers even more often).
• A hybrid-cloud strategy is best of breed:
  • Local backups for quick restores
  • Offsite backups for business continuity
-
Remediation
Restore From Last Good Backup
• Find the infected machine
• When did the infection occur?
• Out with the bad
• In with the good
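The two checks the deck asks for, the hourly-backup minimum from the Proven Backup Strategy slide and the "when did the infection occur, then restore from the last good backup" steps above, worked through as an added example (not the presenter's code): it estimates the start of encryption from file modification times, measures the worst gap between local snapshots against the hourly policy, and picks the newest verified snapshot taken before that time, falling back to the offsite copy. The snapshot set, the file listing and the ".locked" suffix are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RPO = timedelta(hours=1)  # the deck's minimum: every server backed up at least hourly

@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    location: str   # "local" (quick restores) or "offsite" (business continuity)
    verified: bool  # True when a test restore of this snapshot succeeded

def sample_snapshots():
    """Constructed sample (not from the deck): hourly local snapshots with the
    04:00 run missing, the 06:00 run failing its test restore, and one offsite
    copy taken at 22:00 the night before."""
    day = datetime(2017, 1, 9)
    local = [Snapshot(day + timedelta(hours=h), "local", h != 6)
             for h in (0, 1, 2, 3, 5, 6, 7)]
    return local + [Snapshot(day - timedelta(hours=2), "offsite", True)]

def sample_listing():
    """Constructed file listing: path -> last-modified time. Encrypted files
    carry a made-up ".locked" suffix; one document was never touched."""
    return {
        "/srv/share/budget.xlsx.locked": datetime(2017, 1, 9, 6, 41),
        "/srv/share/minutes.docx.locked": datetime(2017, 1, 9, 6, 43),
        "/srv/share/readme.txt": datetime(2017, 1, 8, 15, 0),
    }

def estimate_infection_time(mtimes, encrypted_suffix):
    """Earliest mtime among files with the attacker's suffix: the best
    available bound on when encryption started on this host."""
    hits = [t for path, t in mtimes.items() if path.endswith(encrypted_suffix)]
    return min(hits) if hits else None

def worst_gap(snapshots, location="local"):
    """Largest interval between consecutive snapshots at one location;
    anything above RPO means the hourly policy was not being met."""
    times = sorted(s.taken_at for s in snapshots if s.location == location)
    return max((b - a for a, b in zip(times, times[1:])), default=None)

def last_good_before(snapshots, infected_at):
    """Newest verified snapshot taken strictly before the infection time;
    a local copy wins over an offsite one taken at the same moment."""
    ok = [s for s in snapshots if s.verified and s.taken_at < infected_at]
    ok.sort(key=lambda s: (s.taken_at, s.location == "local"), reverse=True)
    return ok[0] if ok else None
```

With the sample data the 06:00 local snapshot is skipped because its test restore failed, so the 05:00 local copy is chosen over the older offsite one; the missing 04:00 run shows up as a two-hour gap that violates the hourly policy.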
-
Remediation
What if you don’t have a good backup?
• Heartfelt and sincere prayer
• Try www.nomoreransom.org (http://www.nomoreransom.org/)
• Report the infection to law enforcement
  • The FBI recommends everyone report infections
• Pay the ransom and hope for the best
  • Please don’t do this
-
Remediation
Do not pay the ransom!!
• There is no guarantee that handing over the ransom will give you access to your files again.
• Paying the ransom could also make you a target for more malware.
• You may be furthering other criminal enterprises.
• Only pay the ransom if the survival of the company is on the line; at that point, why not?
-
Real World Examples
-
Real World Examples
From: Patrick Johnson
Date: Monday, January 9, 2017 at 7:48 AM
To: Kevin Fuller
Subject: City of Alabaster | Ransomware
Hey, wanted to let you know my nightmare has come true. We have an infection, however, I have used your system to successfully replace the infected data. Problem is I have not found the root cause computer which has the actual infection.
I may need to reach out, but right now I am ok.
Thanks and good morning,
Pat
-
Real World Examples
This Didn’t End Well
• A potential client of ours calls and says he has gotten infected and his last good backup is 2 months old.
• We went onsite and tried to help recovery using the system he had in place.
• He ended up having to restore the 2-month-old data.
• He was subsequently terminated.
-
Real World Examples
Montgomery County, AL
• Ransomware infection affected every single department in the county.
• Went to the offsite backup location and found the device was out of space.
• In the process of restoring the data, all backups were lost.
• Paid the ransom and got mostly back up and running.
-
Real World Examples
SFMTA
-
Network down for two days (Friday & Saturday after Thanksgiving)
-
SFMTA provides 735,000 rides a day
-
Total revenue lost: $2 – 3 million!!
-
Real World Examples
City of Atlanta
• SamSam ransomware attack.
• Affected 5 of 13 departments:
  • Police records
  • Infrastructure maintenance requests
  • Judicial system
  • Water bills
  • Wi-Fi at the airport
-
Real World Examples
City of Atlanta
• 8 contracts from March 22 – April 2 for around $2.6M
• $600,000 incident response
• $50,000 crisis communications
• Prevention would have cost 10-20% of the remediation
-
What’s next? Extortion isn’t going away
• Damage costs predicted to exceed $11.5B by 2019
• Attacks every 14 seconds by 2019
• Ransomware as a Service (RaaS)
-
RaaS
(Image slide; credit: BleepingComputer.com)
-
Internet Connected Devices
-
What’s next? Extortion isn’t going away
• Damage costs predicted to exceed $11.5B by 2019
• Attacks every 14 seconds by 2019
• Ransomware as a Service (RaaS)
• Ransomware for mobile is now emerging
• Internet-connected devices could be next
It’s not all bad news.
• Law enforcement will make some headway
• Blocking technologies will start to catch up
-
Hybrid Cloud Backups
• Server class backup appliance
• Image based backups, up to every 5 mins
• Local file & folder restore
• Local virtualization, daily testing
• Offsite replication via encrypted tunnel
  • West Coast Datacenter (UT)
  • East Coast Datacenter (PA)
-
Recovery Scenarios – Single Server Failure
Failure of a single server or VM
• Server class backup appliance, image based backups up to every 5 mins
• Failed server can be booted as a virtual machine from the backup appliance
-
Recovery Scenarios – Loss of Entire Office
Loss of entire office
• Server class backup appliance, image based backups up to every 5 mins
• All servers virtualized in the cloud via encrypted tunnel
  • West Coast Datacenter (UT)
  • East Coast Datacenter (PA)
-
Why Use a Third Party for Backups?
Virtualization Technologies · Printers · Mobile Devices · End Users / Desktop Support · Athletic Systems · Server Maintenance · Backups · Finance Systems · Mobile Workforce · On Call · Telephony · WiFi · Viruses and Malware · Accounting Systems · Email
-
Included Services
Services
• Daily monitoring and management
• Backup failure resolution
• Assistance in DR scenarios
Documentation and Testing
• DR document creation
• Annual DR testing
  • Local recovery scenario
  • Cloud recovery scenario
-
Questions