Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landscape

How to cope in Today’s World

Roger Hagedorn, IT Security Analyst for the City of Minneapolis

Introduction: Three Tales of Woe

One: A New Spin on Staycations

The Romantik Seehotel Jaegerwirt, a luxurious 4-star hotel on the Alpine Turracher Hoehe Pass in Austria

January 28, 2017

“One of Europe's top hotels has admitted they had to pay thousands in Bitcoin ransom to cybercriminals who managed to hack their electronic key system, locking hundreds of guests out of their rooms until the money was paid.”

http://www.thelocal.at/20170128/hotel-ransomed-by-hackers-as-guests-locked-in-rooms


Two: A Tale of the New Southwest

https://nakedsecurity.sophos.com/2017/02/01/eight-years-worth-of-police-evidence-wiped-out-in-ransomware-attack/

February 1, 2017

“Texas police in the town of Cockrell Hill have lost eight years’ worth of digital evidence after getting hit by a ransomware attack in December and refusing to pay up. … The email planted a virus that then corrupted all files on the server. In the end, they destroyed all Microsoft Office documents –including Word and Excel files – as well as all bodycam video, some photos, some in-car video, and some police department surveillance video, dating back as early as 2009.”


Three: A Real Tale of Life and Death

Hollywood hospital held to ransom by cybercrooks

February 2016

“A Hollywood hospital has been crippled by a cyberattack, with crooks reportedly holding its data hostage and demanding 9,000 in Bitcoin – about $3.4 million – to give it back.”

They ended up paying $17,000 but went without computers for ten days. Patients were diverted to other hospitals.

https://nakedsecurity.sophos.com/2016/02/16/hollywood-hospital-held-to-ransom-by-cybercrooks/

Photo by Junkyardsparkle via Wikimedia Commons

2016: the Year of Ransomware

In 2016, ransomware emerged as one of the most dangerous cyberthreats facing both organizations and consumers.

http://www-03.ibm.com/press/us/en/pressrelease/51230.wss

According to FBI and IBM research, global losses are now running to …

62 new ransomware families in 2016

Ransomware attacks on businesses increased threefold: from one attack every 2 minutes to one every 40 seconds.

Ransomware attacks on small businesses increased eightfold from Q3 2015 to Q3 2016.

A single cryptomalware attack can cost SMBs $99k.

One in five small and medium-sized businesses who paid the ransom never got their data back.

A Few Unsettling Facts about Ransomware

According to a 2016 survey from Osterman Research, almost one out of every two participants indicated their organization had suffered at least one ransomware attack in the past 12 months.

Less than half of ransomware victims fully recover their data, even with backup.

Common reasons for incomplete backup recovery included unmonitored and failed backups, loss of accessible backup drives that were also encrypted, and loss of 1 to 24 hours of data since the last incremental backup snapshot.

More Unsettling Facts about Ransomware

Best Practices for Dealing With Phishing and Ransomware; An Osterman Research White Paper, August 2016

What is Ransomware?

Defining our terms

There are basically two different types of ransomware:

• lockers

• encryptors

The first type, known as “blockers,” “lockers,” or “WinLockers,” locks the computer screen and prevents the victim from using the device; the files on the disk are left untouched.

A ransom demand appears on the screen, typically masquerading as a notice from a law enforcement agency, reporting that the victim has accessed illegal web content and indicating that they must pay a fine.

A variant is “MBR ransomware,” which overwrites the master boot record (MBR) so that the normal boot process is interrupted. Again, the attackers exploit the situation by displaying a ransom demand.

The second kind is more insidious:

Crypto-ransomware or “encryptors” encrypt most types of files available to users, including “.doc,” “.xls,” “.pdf,” and “.jpg.” The attackers then demand a ransom in exchange for the promise to restore the data by providing decryption keys to their files.

It doesn’t discriminate: it impacts individuals and organizations from every region and industry around the world.

Distinguishing these types is important: it’s relatively easy to survive a locker (your files are left alone, so the machine can be cleaned from bootable rescue media) or an MBR variant (the boot record can be rebuilt), but it can be a real challenge to deal with crypto-ransomware, because nothing short of the key or a working backup brings the data back.

In any case, ransomware is a type of malware that cybercriminals use to extort money from their victims.

Ransomware is extortion, plain and simple.

Symantec ISTR Special Report: Ransomware and Businesses 2016

The average ransom demand has more than doubled in the past year. It’s now $679, up from $294 at the end of 2015.

Who are the victims? Consumers are the most likely victims, due to weak or missing security.

Consumers: 57%. Organizations: 43%.

How Does It Work?

Understanding the risks we face


Ransomware, like any malware, can enter your network and infect your computer in many ways, including via USB devices, social media, booby-trapped websites that exploit software vulnerabilities, brute-forced login credentials, “malvertising,” and even an existing malware infection.

Malvertising is where malicious ads are placed on legitimate ad services and then appear on trusted websites.

But the number one infection vector is . . .

… malicious spam email

a.k.a., “phishing”

Infection occurs if the user:

• Opens a malicious email attachment that directly installs the ransomware on the user’s computer.

• Opens a malicious email attachment that initiates a second-stage delivery through a downloader (often a macro) that then downloads and installs the ransomware.

• Clicks on a link embedded in an email that points to an exploit kit, which leads to malware being installed.

Typical Ransomware Attack

Here’s how it works:

1. Phishing email or website exploit

2. Desktop infected

3. Local files encrypted

4. Attached storage and backups, PCs with open shares, and servers and file shares get encrypted

5. Files and other data copied to criminals

The following are real phish designed to lead to infection and ransomware

Don’t trust this link. It might look OK but if you hover your cursor over it without clicking, you can see where it really takes you . . .


The problem with email is: you can’t be sure who the sender really is. The From line is just a header the sender fills in, so it can say anything.
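The two checks just described, hovering to compare a link’s visible text with where it really goes, and distrusting the From line, can be automated in mail triage. The following Python is an added example written for this page, not code from the presentation or from any vendor. The message it parses is constructed, every domain is a made-up .example name, and the registered_domain helper is a deliberate simplification that does not handle country-code second-level domains such as .co.uk.

```python
"""Phishing-email triage: flag links whose visible text names a different
site than the href, and a Reply-To that sends replies somewhere other than
the From domain.  Added example; the sample message below is constructed."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Host named by a URL, or by bare text that looks like one ('www.x.example');
    None for ordinary words such as 'Click here'."""
    text = value.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlsplit(text).hostname
    return host if host and "." in host and " " not in host else None


def registered_domain(host):
    """Last two labels of the host.  Simplification (assumption): fine for
    comparing 'www.x.example' with 'x.example', wrong for .co.uk-style TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def mail_domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage_email(raw_message):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = message_from_string(raw_message)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and mail_domain(reply_to) != mail_domain(sender):
        findings.append("Reply-To domain %s differs from From domain %s"
                        % (mail_domain(reply_to), mail_domain(sender)))
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, "replace")
        collector = LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            shown, real = host_of(text), host_of(href)
            if shown and real and registered_domain(shown) != registered_domain(real):
                findings.append("link text shows %s but points to %s" % (shown, real))
    return findings


# Constructed sample: a 'delivery problem' phish of the kind listed on this page.
SAMPLE_PHISH = """\
From: "Parcel Service" <notice@parcel-example.com>
Reply-To: support@parcel-example-tracking.example
To: user@city.example
Subject: Delivery failure notification
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We could not deliver your parcel. Review the notice here:</p>
<p><a href="http://parcel-example.tracking-login.example/notice.php">https://www.parcel-example.com/tracking</a></p>
<p><a href="https://www.parcel-example.com/">Parcel Service home</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_PHISH):
        print("RED FLAG:", finding)
```

Nothing here is conclusive on its own: Reply-To legitimately differs from From for some mailing-list software, and a link that names one site and lands on another is common in tracking redirects. The point is to surface, for every message, the same mismatch a trained user spots by hovering, before the user has to decide.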

Why “phishing”?

Scammers throw out electronic bait and

then wait for someone to “bite.”

Image by ToastyKen via Flickr CC BY 2.0

Typical phishing ploys

• A notification from the post office or a shipment company (DHL, FedEx, etc.) concerning problems with a delivery

• An invoice or overdue alert from some provider concerning some bill

• An alert from the IRS that taxes are owed

• An offer of a free gift card if you act now.

• An online provider’s alert that the account has expired or the password needs changing

Disturbing New Trends in Ransomware

The use of different programming languages (JavaScript, PHP, PowerShell) to evade detection by security products

Additional features beyond locking devices or encrypting files: searching for Bitcoin wallets or adding infected computers to botnets

The threat of posting the victim’s files, including pictures and videos, on the internet.

And then there’s “Ransomware as a Service” (RaaS)

Now available on the Dark Web

"Satan is a free to use ransomware kit, you only need to register on the site to start making your viruses. Satan only requires a user name and password to create an account, although, if you wish, you can set a public key for two-factor authentication. Satan has an initial fee of 30% over the victim's payment, however, this fee will get lower as you get more infections and payments. All of the user transactions are covered by the server, you'll always get what the victim paid, minus the fee of course.

https://www.scmagazine.com/devilish‐new‐ransomware‐hits‐the‐street/article/636444/

Devilish New Ransomware Hits the Street

When creating your malware you can specify the ransom value (in bitcoins), …

• Satan is free. You just have to register on the site.

• Satan is very easy to deploy; you can create your ransomware in less than a minute.

• Satan uses TOR and Bitcoin for anonymity.

• Satan's executable is only 170kb.

https://blog.knowbe4.com/cyberheistnews-vol-7-7-alert-dyna-crypt-ransomware-steals-and-deletes-your-data

DynA-Crypt Ransomware Steals & Deletes Your Data

…put together using a malware creation kit by people that are not very experienced, but have a lot of destruction in mind.

It not only encrypts your data, but also tries to steal a ton of information from a victim's computer.

It also deletes files without backing them up anywhere.

Until recently, there has been a strange balance of trust between the cybercriminals and their victims: you pay, we return your files. So far, this has worked and ransomware has thrived.

So it attracts amateur cybercriminals, and we’re seeing the development of ransomware of poor quality, lacking any assurance that the crypto keys will work and that the data isn’t damaged.

Ransomware is becoming the victim of its success

Protecting Yourself and Your Organization

preventive steps to consider

Preventive Steps: 1

Having a sound backup strategy is a strong first step. Here’s why:

The newest strains of Cryptolocker and its cousins not only traverse the network, they also delete the “previous versions,” or Volume Shadow Copies, that Windows keeps, so the built-in rollback is gone before you notice the infection.

Any backup that is reachable as a writable drive or share from an infected machine can be encrypted right along with the originals, making it worthless as a way to avoid paying a ransom.

Many organizations and individuals rely on online backup, syncing to a cloud service that by design always needs a network connection. That “ease of use” makes it very easy for ransomware to encrypt those backups too: a synced folder faithfully uploads the encrypted versions. Check whether your service keeps older versions you can roll back to; if it doesn’t, it isn’t a backup against ransomware.

So add an offline backup as part of your strategy.

Since any attached device can be encrypted, the storage must be external and must not be mapped or connected to the device after the backup is completed.

Back up at least once a week, and more often if need be, to disk or a USB device, and then immediately disconnect that media from your network and store it somewhere safe.

The more frequent the backup, the less data is lost. Backup frequency should be based on the strategic importance of the data and how much data the organization can afford to lose.

Remember:

Backups are the only legitimate way to avoid paying the ransom, and they only count if you have tested that you can actually restore from them.

So…

Remember to back up your data
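Two of the recovery failures listed earlier, unmonitored or failed backups and backups that were encrypted alongside the originals, can be caught before the day you need the backup. The following Python is an added example written for this page, not code from the presentation: it copies a constructed folder into a backup location, records SHA-256 digests in a manifest, and later re-hashes the backup to report staleness, missing files and altered files. The paths, file names and the 24-hour age limit are assumptions made for the demonstration.

```python
"""Backup freshness and integrity check.  Added example for the backup
section above, not code from the presentation; the directory tree it
backs up is constructed in a temporary folder."""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source, dest, now=None):
    """Copy every file under source into dest; return a manifest of SHA-256
    digests.  Keep the manifest OFF the backup media (print it, mail it, store
    it on another system): a check that trusts a manifest lying next to the
    backup is defeated by a strain that encrypts both."""
    src, dst = Path(source), Path(dest)
    files = {}
    for path in sorted(src.rglob("*")):
        if path.is_file():
            rel = path.relative_to(src).as_posix()
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(path.read_bytes())
            files[rel] = sha256_file(target)
    return {"created": time.time() if now is None else now, "files": files}


def verify_backup(dest, manifest, max_age_hours, now=None):
    """Re-hash the backup and report whether it is stale, incomplete or altered.
    'altered' is what an encrypted-in-place backup looks like: same names,
    different bytes."""
    dst = Path(dest)
    now = time.time() if now is None else now
    age_hours = (now - manifest["created"]) / 3600.0
    missing, altered = [], []
    for rel, digest in manifest["files"].items():
        path = dst / rel
        if not path.is_file():
            missing.append(rel)
        elif sha256_file(path) != digest:
            altered.append(rel)
    stale = age_hours > max_age_hours
    return {"age_hours": age_hours, "stale": stale, "missing": missing,
            "altered": altered, "restorable": not (stale or missing or altered)}


def demo():
    """Constructed scenario: a fresh backup, then the same backup after a
    crypto-ransomware strain reached the still-attached media."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "docs"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "budget.xlsx").write_bytes(b"PK\x03\x04 constructed spreadsheet")
        (src / "memo.docx").write_bytes(b"PK\x03\x04 constructed document")
        dest = Path(tmp) / "backup"
        t0 = 1_500_000_000.0  # assumed backup time, one hour before the check
        manifest = make_backup(src, dest, now=t0)
        good = verify_backup(dest, manifest, max_age_hours=24, now=t0 + 3600)
        # Encryption in place: same file name, different bytes.
        (dest / "finance" / "budget.xlsx").write_bytes(os.urandom(64))
        bad = verify_backup(dest, manifest, max_age_hours=24, now=t0 + 3600)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("fresh backup restorable:", good["restorable"])
    print("after encryption, altered files:", bad["altered"])
```

Run it from a scheduled job against the real backup target and page someone whenever restorable comes back false; keep the manifest on a different system from the backup, since a manifest that can be encrypted along with the data proves nothing. Hash-checking a backup is not the same as a full restore test, so still rehearse an actual restore.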

Preventive Steps: 2

Install software patches and updates as soon as they become available. Ransomware attackers frequently rely on people using outdated software with known vulnerabilities that they can exploit to infiltrate your network. Inconsistent patching and outdated software leave organizations exposed.

Make it a practice to update your software regularly: operating systems and the installed applications. Patching commonly exploited third-party software like Acrobat Reader and Flash will prevent many attacks from being successful.

Better yet, completely remove Adobe Flash.

If you use several browsers on Windows, you may have more than a single version of Flash Player installed. Remove them all in one fell swoop:

First, open the Control Panel. Next, select "Programs and Features" to view your installed applications. Here, select each of the entries associated with Adobe Flash Player in turn and click "Uninstall."

Remember:

Inconsistent patching and outdated software leave organizations exposed.

Preventive Steps: 3

Protect your data: segment your network.

Most networks are “flat,” with little or no segmentation between functional areas. Segmentation can be used to stop or slow the lateral movement of malware and intruders.

Network segmentation limits the resources that a hacker can access. Place your most sensitive data or systems into dedicated shares, subnets, or VLANs.

Then restrict access to sensitive data: follow the principle of least privilege. Crypto-ransomware can only encrypt what the infected user’s account can write to, so every share that user can’t reach is a share it can’t destroy.

Preventive Steps: 4

Have up-to-date malicious software defenses, antivirus and firewall products, running on all devices.

Antivirus solutions are good at eliminating many other threats, but they have been poor at detecting ransomware, whose new variants appear faster than signatures can follow. They are getting better, and they still stop the commodity strains. Run both anti-malware software and a software firewall to help you identify threats or suspicious behavior; neither is a substitute for the backups in step 1.

Preventive Steps: 5

Use strong passwords that cannot be brute-forced by remote criminals (brute-forced logins are one of the infection vectors listed earlier). Set unique passwords for different accounts to reduce the potential risk, and get a password manager.

If you’re using “123456”, you’re not alone: nearly 17% of users had “secured” their accounts with “123456”, and the next most common password was “123456789”.

https://blog.keepersecurity.com/2017/01/13/most-common-passwords-of-2016-research-study/

Preventive Steps: 6-7

Disable macros in Microsoft Office files. A macro in an attached document is the most common “downloader” in the phishing chain described earlier. If your users don’t need macros, configure Office to block them outright; at minimum, don’t let it run macros in documents that arrived from the internet.

Show hidden file extensions. By default, Windows and OS X hide known file extensions. So one popular method hackers use to make malware appear safe is to name files with double extensions, like “.PDF.EXE”: with extensions hidden, the file shows up as a “.PDF”. Enable the display of full file extensions so it’s easier to spot suspicious files.

Preventive Steps: 8-9

Install a browser add-on to block popups, as they can also pose an entry point for ransom Trojan attacks.

Disable file sharing on workstations. If another machine gets hit, the ransomware on it can’t reach into your disk through a share you exposed. Note the limit: an infected machine still encrypts every network share its own user can write to, so turning sharing off together with least privilege on the server shares (step 3) is what actually keeps an infection isolated to one machine.

Preventive Steps: 10

Switch off unused network connections. WiFi connections, Bluetooth, and infrared ports are all potential attack vectors. If you don’t use these services, disable them.

And be very wary of open WiFi.

Preventive Steps: 11

Deactivate AutoPlay. This way, harmful processes won’t be automatically launched from external media, such as USB memory sticks or other drives.

Preventive Steps: 12

Change the Windows default behavior so that JavaScript files (.js, .jse) open with Notepad, not Windows Script Host. Windows Script Host (WSH) grants a malicious script many of the same run privileges as an executable, and a script inside a zipped attachment runs with a double-click. The same goes for the other WSH file types (.vbs, .vbe, .wsf).
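Steps 6, 7 and 12 are all about recognizing an attachment that will run rather than open. The following Python is an added example for this page, not code from the presentation or from Microsoft: it flags file names with a double extension that Explorer would hide, names using the Unicode right-to-left override trick (which goes one step beyond the double-extension case in the text), script types that Windows Script Host would execute, macro-enabled or legacy Office types, and it checks whether an Office Open XML container actually carries a VBA project. All file names and the document it builds are constructed.

```python
"""Attachment triage for steps 6, 7 and 12: spot double extensions hidden by
Explorer, script types that Windows Script Host would run, and Office files
that carry a VBA macro project.  Added example; all file names and the
document built below are constructed."""
import io
import zipfile

# File types Windows runs as programs or hands to Windows Script Host.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".hta"}
WSH_SCRIPT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
MACRO_OFFICE = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".xlam"}
LEGACY_OFFICE = {".doc", ".xls", ".ppt", ".dot", ".xlt"}  # binary format; macros allowed
LOOKS_HARMLESS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".gif"}
RLO = "\u202e"  # right-to-left override: 'report\u202efdp.exe' displays as 'reportexe.pdf'


def extensions(name):
    """['.pdf', '.exe'] for 'invoice.pdf.exe'; lower-cased."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_name(name):
    """Reasons the file name alone should make you suspicious (empty = none)."""
    reasons = []
    if RLO in name:
        reasons.append("right-to-left override character hides the real extension")
        name = name.replace(RLO, "")
    exts = extensions(name.strip())
    if not exts:
        return reasons
    real = exts[-1]
    if len(exts) >= 2 and exts[-2] in LOOKS_HARMLESS and (real in EXECUTABLE or real in WSH_SCRIPT):
        reasons.append("double extension: shows as %s when extensions are hidden, runs as %s"
                       % (exts[-2], real))
    if real in EXECUTABLE:
        reasons.append("executable type %s" % real)
    elif real in WSH_SCRIPT:
        reasons.append("script type %s, run by Windows Script Host on double-click" % real)
    elif real in MACRO_OFFICE:
        reasons.append("macro-enabled Office type %s" % real)
    elif real in LEGACY_OFFICE:
        reasons.append("legacy Office type %s, which can carry macros without a macro-style name" % real)
    return reasons


def has_vba_project(data):
    """True if an Office Open XML container (docx/xlsx/pptx and their -m forms)
    holds a VBA project; the part is stored as word/vbaProject.bin, xl/vbaProject.bin, etc."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def build_office_container(with_macro):
    """Constructed stand-in for a .docx: a zip holding only the parts that matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed macro project\x00")
    return buf.getvalue()


def triage(names):
    """Map each suspicious file name to its list of reasons; clean names are omitted."""
    report = {}
    for name in names:
        reasons = classify_name(name)
        if reasons:
            report[name] = reasons
    return report


SAMPLE_NAMES = [  # constructed attachment names
    "Invoice_2017.pdf.exe",
    "scan0042.doc",
    "Quarterly_Report.xlsm",
    "tracking-info.js",
    "photo.jpg",
    "notes.txt",
    "report" + RLO + "fdp.exe",
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_NAMES).items():
        print(repr(name), "->", "; ".join(reasons))
    print("macro in constructed .docx:", has_vba_project(build_office_container(True)))
```

Run the name checks on the contents of zipped attachments as well, which is where .js droppers usually arrive. has_vba_project only inspects the container and says nothing about what the macro does, so a positive result is a reason to open the file in Protected View or a sandbox, not proof of malice.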

Preventive Steps: 13

What if it’s part of your job to receive files from unknown people? Lots of employees receive emails from unknown people:

• HR representatives

• Finance: Accounts Payable/Receivable

Upload them to VirusTotal, a free service that will run them past scores of different anti-virus scanners.

https://www.virustotal.com/en/

One caveat: anything uploaded to VirusTotal is shared with the anti-virus vendors and with paying researchers, so don’t upload documents that contain confidential data. Search for the file’s hash first, which reveals nothing about the contents, and remember that a clean result only means no scanner has flagged it yet, not that the file is safe.

Preventive Steps: 14

But the Number One strategy for avoiding ransomware, as well as most other computer-related issues, is:

Train your staff in the dangers of phishing and malware, and help them recognize dangers when they come knocking at the door.

A solid Security Awareness Program is crucial to keeping your organization and your staff safe.

Security Awareness

User education is the key to preventing ransomware.

Teach your staff to refrain from opening attachments or clicking on links that look suspicious, and give them an easy way to report what they see.

Create a culture of awareness. Discuss these issues and current events in cybersecurity.

Tell Everyone:

Think before you click or download anything.

What if you become infected?

First things first: stop the spread of the infection

Disconnect the device from WiFi or unplug it from the network immediately. This will decrease the number of files that get encrypted.

Plus you’ll cut down on the infection from machine to machine.

When you discover an infection, act fast

Check the No More Ransom project website, a non-commercial initiative involving public and private organizations throughout the world that aims to spread a better understanding of ransomware and help people recover their data.

Check to see if there’s a decryption tool available that could help get your files back. To find one you need to know which family hit you, so keep the ransom note and a sample encrypted file handy. You should also report incidents to your local law enforcement immediately.

https://www.nomoreransom.org/

If the No More Ransom project website can’t help, try this:

Use System Restore to get back to a known-clean state.

If you have System Restore enabled on your Windows machine, you might be able to take your system back to a known-clean state. Be clear about what that buys you: System Restore rolls back system files, the registry and installed programs, not your documents, so at best it removes the malware. Your files come back only from backups, or from the shadow copies that many ransomware variants delete first, which is also why many variants will prevent this from succeeding. Still, it’s worth a try.

Also worth a try:

If your ransomware is counting down to disaster, set the BIOS clock back.

Some ransomware variants have a payment timer that increases the price for your decryption key after a set time. You may be able to give yourself additional time by setting the BIOS clock back to a time before the deadline window is up. This only works when the countdown is enforced on your machine; a deadline tracked on the criminals’ payment server won’t be fooled, so treat any extra time as a bonus, not a plan.

If there aren’t any tools to crack the encryption, power down the endpoint and then reimage it.

Eliminating ransomware will require wiping the system totally, then reinstalling a fresh copy of the operating system before reconnecting it to any network. Before you wipe, take an image of the encrypted disk if you can: it is evidence for law enforcement, and a decryptor for that family may turn up later.

Risk Management in an Ideal World

In an ideal world, you would have already planned for this eventuality, just as you might prepare to cope with a tornado or fire.

Work with your senior management, communications staff, and possibly legal counsel to develop a plan of action in the event your organization is hit with ransomware.

Prepare for the worst and you’ll be able to weather the storm.

To Pay or Not to Pay

It’s an important question

Alas, poor Yorick!

You may find yourself pondering this ugly question:

Should I just pay up?

There’s no agreement in the Information Security community.

Experts are mixed on the wisdom of paying the demanded ransom. Even the FBI has changed its position on paying. So consider your options carefully.

My personal advice:

Don’t pay the ransom.

Paying it can make your organization an even bigger target.

It could also increase the chance that the next ransom will be higher.

It also encourages cybercriminals and might not result in the recovery of the affected files.

Remember that you’re dealing with criminals. There’s no guarantee that files will be unlocked, and there’s an increased likelihood of being attacked again.

Even if the hackers provide the encryption key, they could have already exfiltrated data that could be sold or posted on the Deep Web.

Trust me!

And now for: The Bigger Picture

Enough of these problems! How about a comprehensive solution!?

“Cybercriminals are often not geniuses for a very good reason. They don't need to be. We make it too easy for them to succeed.”

Graham Cluley, Feb. 6, 2017

He wants to promote “active security,” active as in “getting off your arse and doing something.”

https://www.grahamcluley.com/security‐firms‐need‐stop‐exaggerating‐hackers‐abilities‐hype‐products/

With a Cybersecurity framework, organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks.

A framework provides a way to classify cybersecurity outcomes and a methodology to assess and manage those outcomes.

Get Yourself a Cybersecurity Framework

COBIT? NIST? ISO27000? SANS?

Pick a framework… any framework

There’s no shortage of standards to consider:

• NIST 800-53 = National Institute of Standards and Technology

• FISMA = Federal Information Security Management Act

• DIACAP = DoD Information Assurance Certification and Accreditation Process

• SOX = Sarbanes-Oxley Act of 2002

• GLBA = Gramm-Leach-Bliley Act

• PCI-DSS = Payment Card Industry Data Security Standard

• NERC CIP = North American Electric Reliability Corporation Critical Infrastructure Protection standards

• ISO 27000 Series = International Organization for Standardization

• HITECH Act of 2009

“A lot of times, enterprises just don’t know where and how, or what to do. Where’s the next dollar best spent?”

“This is about priority.”

Tony Sager, former head of the NSA’s Systems & Network Attack Center, now with the SANS Institute

Since the early 2000s, the NSA had been working on a list of security controls that were most effective in stopping known attacks.

The key: “no control should be made a priority unless it could be shown to stop or mitigate a known attack.”

The second key: NSA was already working on collaboration with two nonprofit organizations:

The SANS Institute, a cooperative research and education organization, “the most trusted and by far the largest source of information security training and security certification in the world.”

The Center for Internet Security, which “works on enhancing cyber security readiness and response of public and private sector entities.”

Eventually, more than 100 public and private organizations joined in, as well as a few companies involved in incident response, including McAfee and Mandiant.

The two main elements:

1) The only justification for a control was actual attack information.

2) The feeling among the participants that they were active contributors to protecting the country.

The clear consensus:

Just 20 Critical Controls could address the most prevalent attacks that government, industry, and the private sector face.

https://www.cisecurity.org/

Spoiler Alert:

Most of these controls are standard procedure or “Best Practices” in network administration.

Chances are that you’ve implemented many of them yourself.

There really shouldn’t be any surprise here.

1. Inventory of Authorized Devices on the network

2. Inventory of all Software

3. Secure Configurations for all devices

4. Continuous Vulnerability Assessment

5. Controlled Use of Admin Privileges

CIS estimates that meeting the first five can reduce your risk of attack by 85%.

Use this framework to assess your current status

Use this framework for strategic security planning

You can make concrete, measurable steps in improving your networks by putting into place, over time, some or most (if not all) of these controls. Yes it takes time, but it really does pay off.

It works to improve your security posture vis-à-vis real-world security threats.

Wrapping Things Up

Thanks very much for your attention!

Any questions or comment?

Q and A

Roger Hagedorn

Email: [email protected]

I’d like to thank two colleagues:

Ian Anderson, IT Security Manager, City of Oklahoma City

Jon Tidwell, IT Security Officer, Collin County Government

for sharing their presentation “Deploying the Critical Security Controls Like a Boss!” and for allowing me to use a few of their slides.

References

Symantec ISTR Special Report: Ransomware and Businesses 2016

Kaspersky Security Bulletin 2016. https://securelist.com/files/2016/12/KSB2016_Story_of_the_Year_ENG.pdf

Best Practices for Dealing With Phishing and Ransomware. An Osterman Research White Paper, August 2016

CIS, Center for Internet Security. https://www.cisecurity.org/

SANS Institute NewsBites. https://www.sans.org/newsletters/newsbites/newsbites.php

Graham Cluley, latest computer security news, opinion and advice. https://www.grahamcluley.com/

Naked Security, computer security news, advice and research. https://nakedsecurity.sophos.com/

The Hacker News, security in a serious way. http://thehackernews.com