$1B: Estimated annual ransomware payments
$84K: Typical cost of recovery from a ransomware attack
$7.5B: Cost of ransomware to U.S. in 2019
56%: Growth of ransomware attacks for 2018-2019
$6T: Global costs of cybercrime by 2021 (*Ransomware makes up a large share)
42%: Percentage of public sector organizations suffering ransomware attacks in last 12 months
What is ransomware?
Ransomware is a type of malicious software, or “malware”, that locks access to a computer system or files by encrypting its data, until a ransom is paid.
Threat Overview
• Lack of reporting
• Ransom payments worsen the cycle
• Considered destructive
• Significant risk to Nation’s networks
Brief History
Timeline: 1989 1996 2008 2010 2013 2014 2017
• 1989: The first known malware extortion attack. Joseph Popp creates the AIDS Trojan, or "PC Cyborg."
• 1996: Adam L. Young and Moti Yung
• 2008: Gpcode.AK is the first variant detected using a 1024-bit RSA key, making decryption infeasible without a concerted distributed computing …
• 2010: A non-encrypting ransomware variant, WinLock: send a premium rate SMS (around $10) to receive an unlock code. The scam spread through Russia and neighboring countries and allegedly earned over $16 million.
• 2013: CryptoLocker introduces the use of Bitcoin to pay ransom demands, and procures an estimated $27 million in ransom payments over two months.
• Ransomware variants explode.
How it works
• Phishing emails
• Malicious attachments
• Drive-by downloading
1• Attacker requests payment (ransom) to decrypt the system
2• Threaten to destroy decryption key or release data
Who is susceptible?
Well… basically…
EVERYONE!
Who is susceptible?
1• Home-users
2• Businesses
3• Individuals
4• Organizations
Anyone with important data stored on their computer or network is at risk.
Sectors: Education, Government Agencies, Healthcare, Energy & Utilities, Retail, Finance
Identify the Signs of Ransomware
What are the indicators of a ransomware attack?
1• You are locked out!
2• Odd file extensions appended to filenames
3• Intimidating messages
   • “Your computer has been infected with a virus. Click here to resolve the issue.”
   • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
   • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
Ransomware Prevention and Mitigation
Ransomware Response Checklist
Ransomware Case Studies
Global Logistics Company (GLC)
Scenario Overview
1• June 2017
2• Global shipping corporation
3• 10-day response
4• “Collateral damage”
Attack Vector
1• NotPetya
2• Gained entry via accounting software
3• Hackers hijacked software update servers
Global Logistics Company (GLC)
Exploits
1• EternalBlue and Mimikatz
   • EternalBlue takes advantage of a vulnerability in a particular Windows protocol
   • Mimikatz could pull passwords out of RAM and use them to hack into other machines with the same credentials
2• The Microsoft EternalBlue vulnerability patch did not work in tandem with Mimikatz
Global Logistics Company (GLC)
Impacts
1• Purely destructive goal: irreversible encryption
2• Paralyzed shipping operations
3• Tens of thousands of affected endpoints
throughout GLC’s global corporate enterprise
4• Over $300M in corporate losses
5• Over $10 billion in losses across all victims
Major US Newspaper
Scenario Overview
1• December 2018
2• Major newspaper distributor
Attack Vector
1• Ryuk malware
2• Enters through other malware or remote desktop vulnerability
3• Infects network and automatically spreads
Major US Newspaper
Exploits
1• Weak privilege management
2• Security patches failed to hold when servers were brought back online, causing re-infection
Impact
1• News production and manufacturing process servers were infected, delaying production of multiple national newspapers, by a full day in some cases
2• Attack was meant to disable infrastructure
Major US Newspaper
From an IMR standpoint…
1• How was this attack Identified?
   • Server outage led to disabled printing transmission
   • Ransom note was discovered
2• How was the attack Mitigated?
   • Isolated malicious code and infected servers
3• How did the organization Recover?
   • Operational within 24 hours
   • Identified need to improve privilege management
Large US City
Scenario Overview
1• A U.S. city was the target of a large ransomware attack in March 2018
2• Hackers demanded over $50K in bitcoin
3• Many city offices were closed for over 5 days due to the attack
Attack Vector
1• SamSam
2• Targeted U.S. government and infrastructure in 2018 causing $30M in losses
Large US City
Exploits
1• Brute force attack guessed weak passwords
2• Exploited an unknown JBoss application and Microsoft Remote Desktop Protocol vulnerability
Attackers escalated privileges, making the attack even more damaging
Large US City
Impacts
1• 5 of 13 local government departments
2• Police had to write incident reports by hand
3• Forced manual processing of cases at Municipal Court
• Stopped online or in person municipal payments
• Years’ worth of data lost
• Cost over $2.6M in emergency efforts
• One third of software and applications remained affected 6 months post-attack
Large US City
From an IMR standpoint…
1• How was this attack Identified?
1• Outages on numerous applications and services
2• How mitigated?
1• Immediate shutdown of most of city’s network
3• How recovered?
1• City officials quickly reached out for help
2• Worked with their information management team to identify
the threat and its magnitude, and to protect the perimeter
of the technology footprint
Knowledge Check
Which describes the typical way ransomware is spread today?
❍ Floppy disks
❍ Sharing passwords
❍ Phishing emails
❍ VPN
Knowledge Check
Ransomware only impacts businesses.
❍ True
❍ False
Knowledge Check
Common indicators of a ransomware attack include all the following except:
❍ Your desktop is locked, with a message displayed about how to unlock it.
❍ Your files have new file extensions appended to filenames.
❍ Your network is running extremely slow.
❍ You are prompted with a notification claiming your computer has been infected with a virus, and you must click a link to resolve the issue.
Knowledge Check
What measures can you take to help prevent becoming a casualty of ransomware?
❍ Backup your data
❍ Update and patch your systems
❍ Ensure your security solutions are up to date
❍ All of the above
Knowledge Check
Cost of ransomware to the U.S. in 2019 was $1 Trillion.
❍ True
❍ False
Knowledge Check
Ransomware can do the following:
❍ Make computer files inaccessible
❍ Block network access
❍ Destroy data
❍ All of the above
Knowledge Check
Which of the following is NOT a priority during immediate ransomware response:
❍ Isolate infected computers
❍ Create a ransomware incident response plan
❍ Secure backup data or systems
❍ Contact law enforcement
Knowledge Check
Paying ransom will ensure that your systems/devices/data are decrypted.
❍ True
❍ False
Knowledge Check
What is the most requested form of ransom payment?
❍ Credit card
❍ Wire transfer
❍ Bitcoin
❍ Ethereum
Knowledge Check
Reports of ransomware attacks go back to the early 1970’s.
❍ True
❍ False
Key Takeaways
• Review and exercise your incident response plan
• Practice good cyber hygiene
• Pay attention to global ransomware events and apply lessons
1 Backup data
2 Update security solutions
3 Whitelist applications
4 Limit privileges
5 Employ multifactor authentication
6 Browse safely
7 Secure email handling
Additional Ransomware Resources