Source: hkbuito.hkbu.edu.hk/.../2017-04-28_ransomware_hkbu_170428.pdf (2017/04/28)
TRANSCRIPT
What is Ransomware? How To defend against the Attack?
Otto Lee, CISSP, CSSLP
Membership Chair, (ISC)2 Hong Kong Chapter
Vice Chairperson, Professional Information Security Association (PISA)
Agenda
» Ransomware
» 5 phases of attack
» 6 steps of defense
» Future trend
What’s Ransomware?
“A type of malicious software designed to block access to a computer system until a sum of money is paid”
“A type of malicious software designed to block access to a device until a sum of money is paid”
Latest news
[Figure: recent ransomware news headlines, from BBC]
Timeline (2010 – 2017)
[Figure: ransomware timeline 2010 – 2017, from F-Secure]
Common types
» Crypto Ransomware
  • Locky: 2016, infecting users via malicious Microsoft Office attachments to emails
  • Bitcryptor and CoinVault: 2015
  • TeslaCrypt: 2015
  • CryptoWall: 2014
  • CTB-Locker: 2014
  • TorrentLocker: 2014
  • CryptoLocker: 2013
» Locker Ransomware
  • Reveton: 2012, locking users' computers by preventing them from logging in
» Mac Ransomware
  • KeRanger: 2016, the first piece of ransomware to successfully infect Mac computers running OS X
5 Phases of attack
1) Exploitation and infection
2) Delivery and execution
3) Backup removal
4) File encryption
5) User notification and clean-up
1) Exploitation and infection
» E-mails / Social Media
  • Links
  • Attachments
» Websites
  • File downloads
  • Vulnerable browser/plugins
  • Malvertising
Malvertising
[Figure: malvertising example, from Malwarebytes]
2) Delivery and execution
» The ransomware executable is delivered to the victim’s system
» Sometimes there is no file at all (fileless delivery)
» Takes only a few seconds
» Delivered via an encrypted channel
3) Backup removal
» Targets the backup files and folders on the system and removes them to prevent restoring from backup
» Deletes all of the volume shadow copies from the system
» Looks for folders containing backups and then forcefully removes those files, even if a program is holding a lock on those files
4) File encryption
» Performs a secure key exchange with the command and control (C2) server
» Uses strong encryption such as AES-256
» Some variants encrypt locally without connecting to the internet
» Variants handle file naming and encryption differently
» Takes from a few minutes to a couple of hours
5) User notification and clean-up
» Presents the ransom demand instructions
» Gives the victim a few days to pay, after which the ransom increases
» Cleans itself off the victimised system so as not to leave traces behind
6 steps of defense
i. Preparation
ii. Detection
iii. Containment
iv. Decryption
v. Eradication
vi. Recovery
i. Preparation
» Patch aggressively
» Create and protect your backups
» Prepare a response plan
» Assign least privileges
» Connect with threat intelligence sources
» Protect your endpoints
» Educate users
» Buy insurance
ii. Detection
» Set up your defence devices
» Screen email for malicious links and payloads
» Use rule blocks for executables
» Look for signs of encryption and notification
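The following script is an added example, not part of the original slides, showing what "look for signs of encryption and notification" and the backup-removal phase above look like as detection logic. It runs three checks over a constructed, Sysmon-style event sample: command lines that delete or disable backups, one process renaming many files to a new extension within a short window, and file names that look like a ransom note. The event field names (`type`, `pid`, `ts`, `cmdline`, `old_path`, `new_path`, `path`), the thresholds and the sample events are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that remove or disable backups (phase 3 of the attack).
BACKUP_REMOVAL_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
]
# File names that read like a ransom note (phase 5, "user notification").
RANSOM_NOTE = re.compile(r"(decrypt|restore|recover)\w*.*(files|instructions)", re.I)
# "Many files rewritten with a new extension by one process in a short window" (phase 4).
RENAME_THRESHOLD = 20          # assumed threshold; tune to the environment
WINDOW = timedelta(seconds=60)


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def extension(path):
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_backup_removal(events):
    """(pid, cmdline) for every process-creation event matching a backup-removal pattern."""
    return [(ev["pid"], ev["cmdline"]) for ev in events
            if ev.get("type") == "process_create"
            and any(p.search(ev.get("cmdline", "")) for p in BACKUP_REMOVAL_PATTERNS)]


def detect_mass_rename(events):
    """pids that changed the extension of >= RENAME_THRESHOLD files inside any WINDOW."""
    per_pid = defaultdict(list)
    for ev in events:
        if ev.get("type") == "file_rename" and extension(ev["old_path"]) != extension(ev["new_path"]):
            per_pid[ev["pid"]].append(datetime.fromisoformat(ev["ts"]))
    flagged = set()
    for pid, times in per_pid.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                flagged.add(pid)
                break
    return flagged


def detect_ransom_notes(events):
    """Paths of newly created files whose name looks like a ransom note."""
    return [ev["path"] for ev in events
            if ev.get("type") == "file_create" and RANSOM_NOTE.search(basename(ev["path"]))]


def run_detection(events):
    return {"backup_removal": detect_backup_removal(events),
            "mass_rename_pids": detect_mass_rename(events),
            "ransom_notes": detect_ransom_notes(events)}


def sample_events():
    """Constructed telemetry (not real logs): a benign Word process (pid 100) and a
    suspicious process (pid 4242) that wipes shadow copies, renames 25 documents and drops a note."""
    t0 = datetime(2017, 4, 28, 10, 0, 0)
    ts = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    ev = [{"type": "process_create", "pid": 100, "ts": ts(0), "cmdline": "WINWORD.EXE /n report.docx"},
          {"type": "process_create", "pid": 4242, "ts": ts(1), "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}]
    for i in range(25):
        ev.append({"type": "file_rename", "pid": 4242, "ts": ts(2 + i),
                   "old_path": f"C:\\Users\\alice\\Documents\\doc{i}.docx",
                   "new_path": f"C:\\Users\\alice\\Documents\\doc{i}.docx.locked"})
    for i in range(3):   # a few legitimate temp-file renames by the benign process
        ev.append({"type": "file_rename", "pid": 100, "ts": ts(2 + i),
                   "old_path": f"C:\\Users\\alice\\AppData\\Local\\Temp\\~tmp{i}.tmp",
                   "new_path": f"C:\\Users\\alice\\Documents\\draft{i}.docx"})
    ev.append({"type": "file_create", "pid": 4242, "ts": ts(30),
               "path": "C:\\Users\\alice\\Desktop\\HOW_TO_DECRYPT_FILES.txt"})
    ev.append({"type": "file_create", "pid": 100, "ts": ts(31),
               "path": "C:\\Users\\alice\\Documents\\notes.txt"})
    return ev


if __name__ == "__main__":
    print(run_detection(sample_events()))
```

The rename check is the one that catches the encryption phase itself rather than its side effects, so it is also the one most worth tuning: backup agents and build tools legitimately rewrite many files, so in practice the threshold is set per environment and exclusions are added for known processes rather than lowering the bar globally.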
iii. Containment
» Kill the running processes
» Isolate the infected endpoint
iv. Decryption
» https://noransom.kaspersky.com/
» https://www.avast.com/ransomware-decryption-tools
» http://www.avg.com/ww-en/ransomware-decryption-tools
» https://success.trendmicro.com/solution/1114221-downloading-and-using-the-trend-micro-ransomware-file-decryptor
v. Eradication
» Replace
» Rebuild
» Clean
vi. Recovery
» Restore from a clean backup
» Look for the infection vector
» Notify law enforcement if appropriate
Future trend
1) Ransomware will become just another tool in the hacker utility belt, e.g., Ransomware as a Service (RaaS)
2) More attacks are designed to publicly shame the victims
3) More examples using no executable as a means of evading detection
4) Ransomware spam campaigns will target the security of webmail providers
5) If there is a decline in ransomware it will be because of law enforcement action
Takeaways (For end-user)
1) Backups, backups, backups — and test those backups regularly
2) Keep web browsers and plug-ins such as Adobe Flash and Microsoft Silverlight updated, and prioritize patching new releases
3) Uninstall any browser plug-ins that are not required
4) Disable Microsoft Office macros by default
5) Maintain copies of your files, particularly sensitive or proprietary data, in a separate secure location. Back-up copies of sensitive data should not be readily accessible from local networks, i.e. store the backup offline.
6) Never open attachments included in unsolicited emails. Be very vigilant about links contained in emails, even if the link appears to be from someone you know
7) Keep your anti-virus software up to date
8) Enable automated patches for your operating system and web browser
9) Only download software, especially free software, from sites you know and trust
10) Don’t pay the ransom
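"Create and protect your backups" in the Preparation step and "test those backups regularly" in the takeaways both come down to being able to prove, before the day you need it, that a backup restores to exactly what was backed up. The script below is an added example (not from the slides) of one way to do that: take a manifest of SHA-256 hashes at backup time, keep it with the offline copy, and after a test restore compare the restored tree against it, reporting files that are missing, whose content changed (as it would if ransomware had overwritten them before the backup ran or tampered with the restore), or that appeared from nowhere. The directory layout and file contents in `demo()` are constructed for the example; the function names are my own.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX-style path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    modified = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"ok": not (missing or unexpected or modified),
            "missing": missing, "modified": modified, "unexpected": unexpected}


def demo(tamper=True):
    """Constructed scenario: back up a small tree, perform a test restore and verify it.
    With tamper=True the restore is damaged in three ways so every report field is exercised."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.docx").write_bytes(b"quarterly report")
        (src / "docs" / "budget.xlsx").write_bytes(b"budget numbers")
        (src / "readme.txt").write_bytes(b"hello")
        manifest = build_manifest(src)          # recorded at backup time, stored with the offline copy

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)          # stands in for the real restore job
        if tamper:
            (restored / "docs" / "budget.xlsx").unlink()                    # lost during restore
            (restored / "readme.txt").write_bytes(b"\x00encrypted-junk\x00")  # content overwritten
            (restored / "HOW_TO_DECRYPT.txt").write_bytes(b"note")          # foreign file in the backup
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo(tamper=False))
    print(demo(tamper=True))
```

Keeping the manifest only next to the live data defeats the purpose, since anything that encrypts the data can rewrite the manifest too; it belongs with the offline copy, or at least somewhere the backup account can write and workstation users cannot.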
Takeaways (For organization)
1) Backups, backups, backups — and test those backups regularly
2) Keep web browsers and plug-ins such as Adobe Flash and Microsoft Silverlight updated, and prioritize patching new releases
3) Uninstall any browser plug-ins that are not required for business purposes, and prevent users from re-installing them
4) Disable Microsoft Office macros by default, and selectively enable them for those who need macros
5) Scan incoming emails for suspicious attachments, including examining all compressed attachments
6) Automatically quarantine any email that has an attachment containing a script or a .scr file
7) Disable or remove the PowerShell, wscript, and cscript executables on all non-administrative workstations
8) Do not give all users in the organization local administrative access to their workstations
9) Use threat intelligence to gain visibility into your organization’s external threat environment and monitor for any emerging ransomware threats to your organization
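Items 4 to 6 above describe a mail-gateway rule set: examine compressed attachments, quarantine anything carrying a script or a .scr file, and treat macro-enabled Office documents with suspicion. The code below is an added example of that screening logic, not part of the slides or of any product. It parses a message with Python's standard `email` library, walks every attachment, descends into zip archives (including zips inside zips, to a fixed depth), flags script and executable extensions, treats an OOXML document as macro-bearing when it contains a `vbaProject.bin` entry, and refuses to deliver archive entries it cannot inspect (password-protected or oversized). The two sample messages are constructed here; the extension list and limits are assumptions a deployment would tune.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions treated as a script or executable (assumed list; extend per policy).
SCRIPT_EXTS = {"scr", "exe", "js", "jse", "vbs", "vbe", "wsf", "wsh", "ps1",
               "bat", "cmd", "hta", "pif", "com", "cpl"}
MAX_DEPTH = 3                      # nested-archive depth we are willing to open
MAX_ENTRY_BYTES = 50 * 1024 * 1024  # refuse to expand entries larger than this


def ext_of(name):
    name = name.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_zip(data):
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def has_macro(data):
    """OOXML files (docm, xlsm, ...) are zips; a vbaProject.bin entry means VBA macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.endswith("vbaProject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_blob(name, data, depth=0):
    """Reasons (possibly none) why this attachment or anything nested in it should be quarantined."""
    reasons = []
    if ext_of(name) in SCRIPT_EXTS:
        reasons.append(f"script/executable attachment: {name}")
    if is_zip(data):
        if has_macro(data):
            reasons.append(f"Office document with VBA macros: {name}")
        if depth < MAX_DEPTH:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as z:
                    for info in z.infolist():
                        inner = f"{name}/{info.filename}"
                        if info.is_dir():
                            continue
                        if info.flag_bits & 0x1:   # encrypted entry: cannot be examined
                            reasons.append(f"password-protected archive entry: {inner}")
                            continue
                        if info.file_size > MAX_ENTRY_BYTES:
                            reasons.append(f"oversized archive entry: {inner}")
                            continue
                        reasons += inspect_blob(inner, z.read(info), depth + 1)
            except zipfile.BadZipFile:
                reasons.append(f"corrupt archive could not be examined: {name}")
    return reasons


def screen_email(raw_bytes):
    """Gateway decision for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode()
        reasons += inspect_blob(part.get_filename() or "unnamed", data)
    return {"action": "quarantine" if reasons else "deliver", "reasons": reasons}


def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, d in entries.items():
            z.writestr(n, d)
    return buf.getvalue()


def sample_emails():
    """Two constructed messages: a benign .docx and a lure carrying a nested .scr plus a .docm."""
    def base(subject):
        m = EmailMessage()
        m["Subject"], m["From"], m["To"] = subject, "alice@example.com", "bob@example.com"
        m.set_content("Please see attached.")
        return m
    docx = make_zip({"word/document.xml": b"<w:document/>"})
    docm = make_zip({"word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"\x00vba"})
    benign = base("Minutes")
    benign.add_attachment(docx, maintype="application", subtype="octet-stream", filename="minutes.docx")
    lure = base("Invoice overdue")
    nested = make_zip({"invoice.zip": make_zip({"invoice.pdf.scr": b"MZ-placeholder-not-a-real-binary"})})
    lure.add_attachment(nested, maintype="application", subtype="octet-stream", filename="invoice.zip")
    lure.add_attachment(docm, maintype="application", subtype="octet-stream", filename="order.docm")
    return benign.as_bytes(), lure.as_bytes()


if __name__ == "__main__":
    for raw in sample_emails():
        print(screen_email(raw))
```

Deciding by content rather than by declared MIME type or outer file name is the point of the recursion: the .scr in the sample is two archive levels down and named to look like a PDF, and the macro document is recognised by its `vbaProject.bin` entry rather than its extension.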
(ISC)2 Hong Kong Chapter / PISA
» Professional Information Security Association (PISA)
» A not-for-profit organization for local information security professionals
» Focus on developing the local information security market with a global presence in the industry
» Missions
  • To facilitate knowledge and information sharing among the PISA members
  • To promote the highest quality of technical and ethical standards to the information security profession
  • To promote best-practices in information security control
  • To promote security awareness to the IT industry and general public in Hong Kong
Security Congress APAC 2017
This year’s tracks include:
• Cloud Security
• Critical National Information Infrastructure (CNII)
• Emerging Technologies and Security
• Governance, Risk and Compliance
• Professional Development
• Security Operations
Security Congress APAC 2017 - Registration is Now Open
Engage with over 350 information security professionals in this 2-day multi-stream conference as cybersecurity experts and industry thought leaders from around the world share their knowledge and international best practices through presentations, case studies, hands-on workshops and interactive discussions.
Enjoy a 25% Student Discount
http://apaccongress.isc2.org/events/-isc-security-congress-apac-2017/custom-21-7f805a6862a3494891be229fb5ef7af2.aspx
For inquiries: http://[email protected]
Contact of (ISC)2 HK Chapter / PISA
Web Site:
» http://www.pisa.org.hk
Membership Information:
» http://www.pisa.org.hk/membership
» Free for Student Members