Peter Wood
Chief Executive Officer
First Base Technologies LLP
Ransomware:
All your files now belong to us
The future and impact of ransomware
Slide 2 © First Base Technologies 2016
Founder and CEO - First Base Technologies LLP
• Engineer, IT and information security professional since 1969
• Fellow of the BCS, the Chartered Institute for IT
• Chartered IT Professional
• CISSP
• Senior Member of the Information Systems Security Association (ISSA)
• 15 Year+ Member of ISACA, Member of the ISACA Security Advisory Group
• Member of the Institute of Information Security Professionals
• Member of the BCS Information Risk Management and Assurance Group
• Chair of white-hats.co.uk
• UK Programme Chair for the Corporate Executive Programme
• Member of ACM, IEEE, First Forensic Forum (F3), Institute of Directors
• Member of Mensa
Peter Wood
Slide 3
Slide 4
Introduction
Ransomware:
All your files now belong to us
Slide 5
Definition
Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid.
More modern ransomware families, collectively categorised as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key.
Source: http://www.trendmicro.com/vinfo/us/security/definition/Ransomware
Slide 6
Scale
Source: http://phishme.com/q1-2016-sees-93-phishing-emails-contain-ransomware/
Slide 7
Business impact
• Ransom ‘fee’
• User support during incident
• Lost user productivity
• Recovery and restoration
• Crisis management
• Press and PR
• Communicating with customers and business partners
• Post-incident analysis
• Planning for mitigating controls
• Implementing mitigating controls
• Testing mitigating controls
Slide 8
Target systems
• PCs and laptops
• Mobile devices
• Servers
• Networks
• Databases
• Cloud systems
• Online backups
• Real-time DR systems
• ICS / SCADA systems
Slide 9
Infection
• Downloaded onto systems when unwitting users visit malicious or compromised websites
• Arrives as a payload dropped or downloaded by other malware
• Delivered as attachments from spammed email
• Downloaded from malicious pages through malvertisements*
• Dropped by exploit kits onto vulnerable systems
Source: http://www.trendmicro.com/vinfo/us/security/definition/Ransomware
* an online advertisement that is infected with malicious code
Slide 10
Evolution
Ransomware:
All your files now belong to us
Slide 11
Evolution: RaaS
Slide 12
Evolution: RaaS
Slide 13
Evolution: Try before you buy
Source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf
Slide 14
Evolution: IoT
Slide 15
Evolution: Office 365
22 June: Avanan's Cloud Security Platform detected a massive attack against its customers that were using Office 365.
The zero-day Cerber ransomware was spread through email and encrypted users’ files using macros.
This malware played an audio file informing the user that the computer’s files had been encrypted, while a warning message was displayed on screen.
Source: http://www.avanan.com/resources/attack-on-office-365-corporate-users-with-zero-day-ransomware-virus
Slide 16
Evolution: worm behaviour
Source: https://blog.knowbe4.com/microsoft-alert-zcryptor-ransomware-with-worm-feature
Slide 17
Targeted Ransomware
Ransomware:
All your files now belong to us
Slide 18
Targeted ransomware: Samas
Source: https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/
Infection chain diagram: How Ransom:MSIL/Samas gets into the system
Slide 19
Samas distribution 17 March 2016
Slide 20
Targeted ransomware: Samas
• In March 2016, the FBI posted an alert about SAMAS as a very real threat to enterprises/businesses
• Specifically, the alert highlighted its ability to encrypt files not only on the system it infects but also those shared on the affected organisation’s network
• It also goes after network-stored backups, clearly in an attempt to undermine the typical recommendations for dealing with ransomware
• Threat actors currently using SAMAS are also taking advantage of the malware’s ability to enact a persistent infiltration to “manually locate and delete” the mentioned backups
• Its routines seemingly mirror those of a typical targeted attack: it uses other malicious components to do penetration tests against its target servers as well as scan them for vulnerabilities in its quest to infiltrate
Source: http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/fbi-posts-warning-about-ransomware-that-goes-after-backups
Slide 21
Samas case study
• MedStar, a non-profit group that runs 10 hospitals in the Baltimore and Washington area, was attacked with Samas in April 2016
• The IT department detected the intrusion in their servers and stopped the ransomware from spreading by shutting down most of its network operations
• The engineers also successfully restored three main clinical systems from backup
• This quick and active approach ultimately saved not only the hospital reputation but also the lives of admitted patients, said Ann Nickels, a spokeswoman for the MedStar medical system
Source: http://thehackernews.com/2016/04/hospital-ransomware.html
Slide 22
Defences and Responses
Ransomware:
All your files now belong to us
Slide 23
Paying the ransom
In the first three months of 2016, attacks cost victims more than $200 million. The total cost in 2015 was $325 million, so we’re going to see much more dismal results as the year goes on.
Source: http://www.datto.com/blog/ransomware-attacks-skyrocketing-in-2016
Beware: UltraDeCryptor does not deliver the decryption routines after you pay
Source: https://blog.knowbe4.com/ultradecryptor-ransomware-does-not-decrypt-your-files
Some vendors offer decryption tools for some ransomware: AVG, Kaspersky, Trend Micro, etc.
Source: http://www.thewindowsclub.com/list-ransomware-decryptor-tools
Slide 24
Defend yourself!
1. Air-gapped backups
2. Backups of cloud data
3. Encrypted backups of key data on write-once media (DVD, Blu-ray)
4. Regular server and database patching
5. Endpoint patching (ref Secunia)
6. Ad blocking software for browsers
7. Secure home networks for employees
8. Regular testing of the kill chain (e.g. phishing)
9. Intensive anti-ransomware training for all staff
10. Keep up to date on the evolution of ransomware
Slide 25
Peter Wood
Chief Executive Officer
First Base Technologies LLP
peter@firstbase.co.uk
http://firstbase.co.uk
twitter: @peterwoodx
Need more information?


Editor's Notes

  1. It starts with a pen-testing/attack server searching for potential vulnerable networks to exploit with the help of a publicly available tool named reGeorg, which is used for tunnelling. Java-based vulnerabilities were also observed to have been utilised, such as CVE-2010-0738 related to outdated JBOSS server applications. It can use other information-stealing malware (Derusbi/Bladabindi) to gather login credentials as well. When it has done so, it will list the stolen credentials in a text file, for example list.txt, and use this to deploy the malware and its components through a third-party tool named psexec.exe via batch files that we detect as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C. One of the batch files that we detect as Trojan:Bat/Samas.B also deletes the shadow files through the vssadmin.exe tool.
     Trojan:MSIL/Samas.A usually takes the name of delfiletype.exe or sqlsrvtmg1.exe and does the following:
     • Look for certain file extensions that are related to backup files in the system.
     • Make sure they are not being locked by other processes; otherwise, the trojan terminates such processes.
     • Delete the backup files.
     Ransom:MSIL/Samas demonstrates typical ransomware behaviour by encrypting files in the system using the AES algorithm and renaming each encrypted file with the extension encrypted.RSA. It displays the ransom note when it has encrypted the files and will delete itself with the help of a binary in its resources named del.exe.
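The behaviours described in these notes and on slide 20 (shadow copies deleted via vssadmin.exe, the delfiletype.exe / sqlsrvtmg1.exe component names, deletion of backup files, and files on local disks and network shares renamed with the encrypted.RSA extension) translate directly into host-telemetry detections. The following is an added Python example, not code from the slides or from Microsoft's write-up; the log record format, the sample events, the backup-file extensions and the rename threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample telemetry (not from the slides or any real host), one
# record per line: "<timestamp> <host> PROCESS <command line>" or
# "<timestamp> <host> FILE rename <old> -> <new>" / "FILE delete <path>".
SAMPLE_EVENTS = r"""
2016-03-17T02:11:04 srv-db01 PROCESS cmd.exe /c deploy.bat
2016-03-17T02:11:05 srv-db01 PROCESS vssadmin.exe delete shadows /all /quiet
2016-03-17T02:11:09 srv-db01 PROCESS sqlsrvtmg1.exe
2016-03-17T02:11:12 srv-db01 FILE delete D:\backups\monthly.bak
2016-03-17T02:11:15 srv-db01 FILE rename D:\backups\finance.bak -> D:\backups\finance.bak.encrypted.RSA
2016-03-17T02:11:15 srv-db01 FILE rename D:\backups\hr.bak -> D:\backups\hr.bak.encrypted.RSA
2016-03-17T02:11:16 srv-db01 FILE rename \\fs01\shared\q1.xlsx -> \\fs01\shared\q1.xlsx.encrypted.RSA
2016-03-17T02:11:16 srv-db01 FILE rename \\fs01\shared\q2.xlsx -> \\fs01\shared\q2.xlsx.encrypted.RSA
2016-03-17T09:00:00 ws-042 PROCESS excel.exe C:\Users\amy\report.xlsx
2016-03-17T09:00:10 ws-042 FILE rename C:\Users\amy\report.xlsx -> C:\Users\amy\report-v2.xlsx
"""

# Process-level indicators taken from the Samas write-up above. psexec is also
# legitimate admin tooling, so on its own it is only a low-confidence signal.
PROCESS_RULES = [
    ("shadow copies deleted via vssadmin", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("known Samas component name", re.compile(r"\b(delfiletype|sqlsrvtmg1)\.exe\b", re.I)),
    ("psexec remote deployment (low confidence)", re.compile(r"\bpsexec(\.exe)?\b", re.I)),
]
ENCRYPTED_EXT = re.compile(r"\.encrypted\.RSA$", re.I)        # Samas output extension
BACKUP_DELETE = re.compile(r"^delete .+\.(bak|bkf)$", re.I)   # assumed backup extensions
RENAME_THRESHOLD = 3   # assumed: renames to the ransom extension per host before alerting

LINE_RE = re.compile(r"^(\S+) (\S+) (PROCESS|FILE) (.*)$")
RENAME_RE = re.compile(r"^rename (.+?) -> (.+)$")

def analyse(log_text):
    """Return (host, finding) tuples for Samas-like activity in the telemetry."""
    findings, renames = [], Counter()
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip malformed records instead of failing
        _ts, host, kind, detail = m.groups()
        if kind == "PROCESS":
            findings.extend((host, name) for name, rule in PROCESS_RULES if rule.search(detail))
        elif BACKUP_DELETE.match(detail):
            findings.append((host, "backup file deleted"))
        else:
            r = RENAME_RE.match(detail)
            if r and ENCRYPTED_EXT.search(r.group(2)):
                renames[host] += 1       # count per host; one rename alone is not an alert
    for host, count in renames.items():
        if count >= RENAME_THRESHOLD:
            findings.append((host, f"{count} files renamed to .encrypted.RSA"))
    return findings
```

Running `analyse(SAMPLE_EVENTS)` reports four findings for srv-db01 and none for ws-042, whose single ordinary rename stays below the threshold; the process-level rules fire before any file is encrypted, which is where the slide's "air-gapped backups" advice buys response time.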