
Topic 1 - Ransomware and Intrusion Pathways

Introduction

• Jeremy Koster
• 20 years in Information / Cyber Security
• Qualifications and industry certifications
• Experience
• Lecturing for IT Masters and CSU for 11 years
Ransomware

• Scourge of modern IT
• Big business
• Accelerating
• Almost as big as BEC (business email compromise)
• Why now?

• PREVENTION IS BETTER THAN CURE


History of Ransomware

• 1980 – AIDS trojan – send $189 to restore computer

• 2010 – WinLock – send message to premium SMS ($10)

• 2013 – Cryptolocker – bitcoin payment

• May 2017 – WannaCry – EternalBlue

• June 2017 – Petya/NotPetya - GRU


Ransomware Targets

• June 2017 – Merck, $870m
• June 2017 – Maersk, shipping and logistics, $300m
• March 2019 – Norsk Hydro, Norwegian aluminum manufacturing plant switches to manual processes, $75m
• July 2020 – Garmin, paid $10m
• May 2021 – Colonial Pipeline, paid $4.4m
Ransomware Variants and Gangs

• Hive – RaaS affiliate ransomware variant

• AlphV (BlackCat) – RaaS, some Australian victims

• Lapsus$ – Ransom demanded for stolen source code

• Ryuk/Conti – Distributed by Russian crime gang


• LockBit – Russian RaaS, uses vulnerabilities

• DarkSide – Russian group (disbanded?)


Who are they?
Why do they do it?
Compromised Credentials
Exposed passwords
• Password dumps
• Phishing
• Credential stuffing
• Same passwords used on multiple services
• Password recycling

Used on
• Office 365
• VPN entry points
• Remote access (RDP, Citrix, TeamViewer)
• SSH
• Corporate systems
Vulnerable Perimeter Systems

Vulnerabilities:
• VPN Gateways
• Citrix Servers
• RDP (BlueKeep)

Webservers
• PHP, Log4shell, WordPress
• Webshells
• Pivot into corporate
Email delivery - Emotet
Emotet Campaigns
• Missing wallet
• Termination
• Pay rise
• Invoice

Emotet Technical Delivery


• Contains malicious JavaScript
• Password protected Word and Excel files
• OneDrive URL to Zip file
• XLL files

Internal phishing
Google search for interesting files
Credential protection

- Strong passwords
- Varied passwords
- Password manager
- Have I Been Pwned and similar - monitoring
- Deep Web / Dark Net monitoring
- Off-boarding
- Account cleanup
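Putting the monitoring bullet into practice, an added example (not from the slides) of checking a candidate password against a breach corpus the way Have I Been Pwned's Pwned Passwords range API allows: the password is hashed locally, only the first five hex characters of the SHA-1 leave the host, and the match against the returned suffixes happens on the client. The HTTP call is replaced by a constructed offline response, and the counts in it are made up.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of the "SUFFIX:COUNT" lines a range query returns for the
# prefix 5BAA6 (first five hex digits of SHA-1("password")). Only the first
# suffix is real; the other suffixes and every count are made up for this example.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n"
    "ABC0123456789ABCDEF0123456789ABCDEF:17\r\n"
)


def split_hash(password: str) -> Tuple[str, str]:
    """Hash locally; the 5-char prefix is all that is sent, the 35-char suffix
    stays on the client (k-anonymity: the server learns neither hash nor password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a suffix -> count map, skipping malformed lines."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = never seen)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix> (the real
    endpoint, deliberately not called here) that serves the constructed sample."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def password_policy_ok(password: str,
                       fetch_range: Callable[[str], str] = offline_fetch,
                       min_length: int = 12) -> bool:
    """Reject short passwords and any password that appears in a breach dump."""
    return len(password) >= min_length and breach_count(password, fetch_range) == 0
```

Swapping `offline_fetch` for a real HTTP GET of the range URL turns this into a live check that can run at password-set time or as a periodic sweep of stored hashes, without ever transmitting a full hash.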
Multifactor Authentication (MFA/2FA)

- Email verification
- Location
- SMS
- Authenticator (OTP)
- Authenticator (push)
- Yubikey / FIDO
Email filtering and URL re-writing

- Spam filters
- Graylisting
- SPF/DKIM
- DMARC
- Link re-write/proxying
  - Not perfect, adds delay
  - Keeps a record of visits
  - Good if blacklist is current
  - Purge capability
- Corporate proxies
Malicious files on workstations

- Antivirus
- Endpoint detection and response
- Application allow-listing
- Limit local admin rights
- Patch Windows
- Patch (Browsers, PDF readers, Office App)
User behaviour

- General staff
  - Training
  - Security conscious
  - Phishing simulations
  - Target vulnerable or valuable staff
  - Report security to Help Desk
- Staff with special access
  - Finance/HR
  - IT
  - Executives
Perimeter systems

- Vendor advisories
- Third party monitoring
- Patching processes
- VPN appliances
- Citrix, RDP, SSH, VNC
- Web applications
- No console access
Additional IT Masters Resources

Free Short Courses
• CISSP (Updated)
• Masterclass: Comparative Cloud Technology
• Project Management Updated: PMBOK7
• Applied Digital Marketing Strategies
• PRINCE2, Scrum, Agile methodologies and more…

University Subjects
• Information Security
• Pen Testing
• Hacking Countermeasures
• Cyberwarfare & Terrorism
• Cyber Security Fundamentals
• Dark Web
• Digital Forensics
• Professional Systems Security
• And many more…

Postgraduate Courses
• Graduate Certificate or Master in Cyber Security
• Graduate Certificate or Master in Business Administration (Computing)
• Graduate Certificate or Master in Cloud Computing & Virtualisation