
CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

DON’T WAKE UP TO A RANSOMWARE ATTACK


Learning Objectives

Terminal Objective: Understand the fundamentals of ransomware and the impact it can have on your organization.

Enabling Objectives:
• Define ransomware
• Be able to identify signs of a ransomware attack
• Learn mitigation steps of ransomware attacks
• Understand how to recover from a ransomware attack
• Understand impacts of ransomware attacks through case studies
Agenda
• Introduction and Overview: Course Description; Learning Objectives; Overview
• IMR: Identification; Mitigation; Response/Recovery
• Case Studies: Global Logistics Company; Local Government; Major US Newspaper
• Knowledge Check

Ransomware by the numbers
• $1B: Estimated annual ransomware payments
• $84K: Typical cost of recovery from a ransomware attack
• $7.5B: Cost of ransomware to U.S. in 2019
• 56%: Growth of ransomware attacks for 2018-2019
• $6T: Global costs of cybercrime by 2021 (*Ransomware makes up a large share)
• 42%: Percentage of public sector organizations suffering ransomware attacks in last 12 months
What is ransomware?

Ransomware is a type of malicious software, or “malware”, that locks access to a computer system or files by encrypting its data, until a ransom is paid.
Threat Overview
• Considered a significant risk to Nation’s networks
• Ransom payments worsen the destructive cycle
• Lack of reporting
Brief History

1989: The first known malware extortion attack. Joseph Popp creates the AIDS Trojan, or "PC Cyborg."
1996: Adam Young and Moti Yung introduce the concept of cryptoviral extortion.
2008: Gpcode.AK is the first variant detected using a 1024-bit RSA key, making decryption infeasible without a concerted distributed computing effort.
2010: A non-encrypting ransomware variant, WinLock, made victims send a premium rate SMS (around $10) to receive an unlock code. The scam spread through Russia and neighboring countries and allegedly earned over $16 million.
2013: CryptoLocker introduces the use of Bitcoin to pay ransom demands, and procures an estimated $27 million in ransom payments over two months.
2014: Ransomware variants explode.
2017: (entry text not recoverable from the slide)
How it works

Infection vectors:
• Phishing emails
• Malicious attachments
• Drive-by downloading

1• Attackers request payment (ransom) to decrypt the system
2• Threaten to destroy the decryption key or release data
Who is susceptible?

Well… basically… EVERYONE!
Who is susceptible?

1• Home-users
2• Businesses
3• Individuals
4• Organizations

Anyone with important data stored on their computer or network is at risk.

Affected sectors include: Education, Government Agencies, Healthcare, Energy & Utilities, Retail, Finance.
Identify the Signs of Ransomware

What are the indicators of a ransomware attack?
1• You are locked out!
2• Odd file extensions appended to filenames
3• Intimidating messages, for example:
   1• “Your computer has been infected with a virus. Click here to resolve the issue.”
   2• “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
   3• “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
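As an added example that is not part of the CISA deck, the following Python script turns two of the indicators above (odd extensions appended to filenames, and the same note dropped into many folders) into a check a defender can run over a file-server listing; the paths, the baseline extension set and the alert thresholds are assumptions.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Assumed baseline of extensions that are normal on this file share (hypothetical).
KNOWN = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg"}

# Constructed listing: the finance share after an incident, two untouched shares.
LISTING = [f"/srv/share/finance/{n}.locked" for n in
           ("budget.xlsx", "q3.docx", "invoice1.pdf", "invoice2.pdf", "staff.pptx", "plan.txt")] + [
    "/srv/share/finance/HOW_TO_RECOVER.txt", "/srv/share/hr/handbook.pdf",
    "/srv/share/hr/notes.txt.bak", "/srv/share/hr/roster.xlsx",
    "/srv/share/hr/HOW_TO_RECOVER.txt", "/srv/share/eng/design.docx",
    "/srv/share/eng/HOW_TO_RECOVER.txt",
]

def has_appended_extension(name):
    """True when a known extension is followed by an unknown one, e.g.
    report.docx.locked: the original extension was kept and a new one appended."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-2] in KNOWN and suffixes[-1] not in KNOWN

def flag_directories(listing, min_files=5, min_ratio=0.5):
    """Directories where at least min_files files AND at least min_ratio of all
    files carry an appended extension; one stray .bak file should not alert."""
    total, suspect = defaultdict(int), defaultdict(int)
    for path in listing:
        p = PurePosixPath(path)
        total[str(p.parent)] += 1
        if has_appended_extension(p.name):
            suspect[str(p.parent)] += 1
    return {d: n for d, n in suspect.items()
            if n >= min_files and n / total[d] >= min_ratio}

def find_dropped_notes(listing, min_dirs=3):
    """Filenames recurring across at least min_dirs directories: ransomware
    typically writes the same note into every folder it encrypted."""
    dirs = defaultdict(set)
    for path in listing:
        p = PurePosixPath(path)
        if p.suffix.lower() in {".txt", ".html", ".hta"}:
            dirs[p.name].add(str(p.parent))
    return {name: len(d) for name, d in dirs.items() if len(d) >= min_dirs}

if __name__ == "__main__":
    print("mass-renamed directories:", flag_directories(LISTING))
    print("possible ransom notes:", find_dropped_notes(LISTING))
```

The ratio threshold matters: the hr share has one oddly named file and is not flagged, while the finance share, where six of seven files gained a suffix, is.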
Ransomware Prevention and Mitigation

Actions for Today – Make Sure You’re Not Tomorrow’s Headline:
1. Backup your data offline
2. Manage patches
3. Update security solutions
4. Prepare your incident response plan
5. Maintain global situational awareness
Ransomware Prevention and Mitigation

Actions to Recover If Impacted – Don’t Let a Bad Day Get Worse:
1. Ask for help!
2. Work with experts
3. Isolate infection
4. Review the connections
5. Prioritize recovery
Ransomware Prevention and Mitigation

Actions to Secure Your Environment Going Forward – Don’t Let Yourself be an Easy Mark:
1. Practice good cyber hygiene
2. Segment networks
3. Develop containment strategies
4. Know your system’s baseline
5. Review recovery procedures
Ransomware Response Checklist

1• Isolate the infected computer immediately
2• Isolate or power-off affected devices
3• Immediately secure backup data or systems
4• Contact law enforcement
5• Secure partial portions of the ransomed data that might exist
6• Change all online account passwords and network passwords
7• Delete Registry values and files
Ransomware Recovery

1• It’s difficult; get help!
2• Ransom payment is risky and incentivizes attacks

Planning and preparation are key.
Ransomware Case Studies

1• Global Logistics Company
2• Local Government
3• Major US Newspaper
Global Logistics Company (GLC)

Scenario Overview
1• June 2017
2• Global shipping corporation
3• 10 day response
4• “Collateral damage”

Attack Vector
1• NotPetya
2• Gained entry via accounting software
3• Hackers hijacked software update servers
Global Logistics Company (GLC)

Exploits
1• EternalBlue and Mimikatz
   1• EternalBlue takes advantage of a vulnerability in a particular Windows protocol
   2• Mimikatz could pull passwords out of RAM and use them to hack into other machines with the same credentials
2• The Microsoft EternalBlue vulnerability patch did not work in tandem with Mimikatz
Global Logistics Company (GLC)

Impacts
1• Purely destructive goal: irreversible encryption
2• Paralyzed shipping operations
3• Tens of thousands of affected endpoints
throughout GLC’s global corporate enterprise
4• Over $300M in corporate losses
5• Over $10 billion in losses across all victims
Global Logistics Company (GLC)

How was the attack Identified?
1• Messages on user screens
2• Ransom demand for $300 (Bitcoin)
3• Some computers spontaneously restarted
4• 7 minutes to infect global network
Global Logistics Company (GLC)

How did GLC Mitigate?
1• Computers turned off
2• Machines manually unplugged from the network
3• Entire global network was disconnected within 2 hours of initial indications
Global Logistics Company (GLC)

How did the GLC Recover?
1• Human resilience, openness, and transparency
2• Impromptu Emergency Operations Center (EOC)
1• Augmented staff with outside expertise
2• Purchased new equipment
3• Effort hinged on a single surviving domain controller
4• 10 days to rebuild entire network
5• Reissued personal computers to most staff after 2
weeks
6• 2 months until full system recovery
7• In the wake of NotPetya, approvals for
security measures were immediate
Major US Newspaper

Scenario Overview
1• December 2018
2• Major newspaper distributor

Attack Vector
1• Ryuk malware
2• Enters through other malware or remote desktop vulnerability
3• Infects network and automatically spreads
Major US Newspaper

Exploits
1• Weak privilege management
2• Security patches failed to hold when servers were brought back online, causing re-infection

Impact
1• News production and manufacturing process servers were infected, delaying production of multiple national newspapers, by a full day in some cases
2• Attack was meant to disable infrastructure

Major US Newspaper

From an IMR standpoint…
1• How was this attack Identified?
   1• Server outage led to disabled printing transmission
   2• Ransom note was discovered
2• How was the attack Mitigated?
   1• Isolated malicious code and infected servers
3• How did the organization Recover?
   1• Operational within 24 hours
   2• Identified need to improve privilege management
Large US City

Scenario Overview
1• A U.S. city was the target of a large ransomware attack in March 2018
2• Hackers demanded over $50K in bitcoin
3• Many city offices were closed for over 5 days due to the attack

Attack Vector
1• SamSam
2• Targeted U.S. government and infrastructure in 2018 causing $30M in losses
Large US City

Exploits
1• Brute force attack guessed weak passwords
2• Exploited an unknown JBoss application and Microsoft Remote Desktop Protocol vulnerability
3• Attackers escalated privileges, making the attack even more damaging

Large US City

Impacts
1• 5 of 13 local government departments
2• Police had to write incident reports by hand
3• Forced manual processing of cases at Municipal Court
4• Stopped online or in person municipal payments
5• Years’ worth of data lost
6• Cost over $2.6M in emergency efforts
7• One third of software and applications remained affected 6 months post-attack

Large US City

From an IMR standpoint…
1• How was this attack Identified?
   1• Outages on numerous applications and services
2• How mitigated?
   1• Immediate shutdown of most of city’s network
3• How recovered?
   1• City officials quickly reached out for help
   2• Worked with their information management team to identify the threat and its magnitude, and to protect the perimeter of the technology footprint
Knowledge Check
Knowledge Check

Which describes the typical way ransomware is spread today?
❍ Floppy disks
❍ Sharing passwords
❍ Phishing emails
❍ VPNs

Answer: Phishing emails
Knowledge Check

Ransomware only impacts businesses.
❍ True
❍ False

Answer: False
Knowledge Check

Common indicators of a ransomware attack include all the following except:
❍ Your desktop is locked, with a message displayed about how to unlock it.
❍ Your files have new file extensions appended to filenames.
❍ Your network is running extremely slow.
❍ You are prompted with a notification claiming your computer has been infected with a virus, and you must click a link to resolve the issue.

Answer: Your network is running extremely slow.
Knowledge Check

What measures can you take to help prevent becoming a casualty of ransomware?
❍ Backup your data
❍ Update and patch your systems
❍ Ensure your security solutions are up to date
❍ All of the above

Answer: All of the above
Knowledge Check

Cost of ransomware to the U.S. in 2019 was $1 Trillion.
❍ True
❍ False

Answer: False
Knowledge Check

Ransomware can do the following:
❍ Make computer files inaccessible
❍ Block network access
❍ Destroy data
❍ All of the above

Answer: All of the above
Knowledge Check

Which of the following is NOT a priority during immediate ransomware response:
❍ Isolate infected computers
❍ Create a ransomware incident response plan
❍ Secure backup data or systems
❍ Contact law enforcement

Answer: Create a ransomware incident response plan
Knowledge Check

Paying ransom will ensure that your systems/devices/data are decrypted.
❍ True
❍ False

Answer: False
Knowledge Check

What is the most requested form of ransom payment?
❍ Credit card
❍ Wire transfer
❍ Bitcoin
❍ Ethereum

Answer: Bitcoin
Knowledge Check

Reports of ransomware attacks go back to the early 1970’s.
❍ True
❍ False

Answer: False
Key Takeaways

• Review and exercise your incident response plan
• Practice good cyber hygiene
• Pay attention to global ransomware events and apply lessons

1. Backup data
2. Update security solutions
3. Whitelist applications
4. Limit privileges
5. Employ multifactor authentication
6. Browse safely
7. Secure email handling
Additional Ransomware Resources

1• US CERT Website: Ransomware
2• Ransomware: What It Is and What To Do About It
3• CISA Insights: Ransomware Outbreak
4• Center for Internet Security: Ransomware