Monitor and Matrix Monday, June 7, 2021

IN THE NEWS: RANSOMWARE

What is it?

• Ransomware is . They demand payment, often via bitcoin or prepaid credit card, from victims in order to regain access to an infected device and the data stored on it.

Why does ransomware matter?

• Because of the ease of deploying ransomware, cybercriminals increasingly rely on such malware attacks to generate profits.

PHASE 1: EXPLOITATION AND INFECTION

• For an attack to be successful, the malicious ransomware file needs to execute on a computer. This is often done through an email or an exploit kit—a type of malicious toolkit used to exploit security holes in software applications for the purpose of spreading malware.

Source: Five Steps to Defend Against Ransomware | LogRhythm

PHASE 2: DELIVERY AND EXECUTION

• Following the exploit process, the actual ransomware executable will be delivered to the victim’s system. Typically, this process takes a few seconds, depending on network latencies. We often see the executable files being placed in folders beneath the user’s profile. It’s good to know this for detection purposes, because your organization can monitor for those events to set up a line of defense.

PHASE 3: BACKUP SPOLIATION

• A few seconds after the malware is executed, the ransomware targets the backup files and removes them to prevent restoring from backup. This is unique to ransomware. Other types of crimeware and even APTs don’t bother to delete backup files. Ransomware variants will try to remove any means that the victim has to recover from the attack without paying the ransom.

PHASE 4: FILE ENCRYPTION

• Once the backups are completely removed, the malware will perform a secure key exchange with the command and control (C2) server, establishing the encryption keys that will be used on the local system. Unfortunately, most of the variants today use strong encryption, such as AES-256, so the victim isn’t going to be able to break the encryption on their own.
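Phases 2 and 3 above each name something a defender can watch for: executables landing in folders beneath a user’s profile, and backup files being deleted shortly after. The Python script below is an added example (not part of the slides or of the LogRhythm article) that runs two such rules over a handful of constructed event lines. The log format (`<timestamp> <event type> <user> <path>`), the rule names, the list of backup file extensions and the 60-second burst window are all assumptions chosen for the example, not any product’s real schema or thresholds.

```python
"""Toy detection logic for two ransomware indicators named in the slides:
(1) an executable launched from a folder beneath a user's profile, and
(2) backup files deleted in quick succession.
Added example: the event format below is constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample events (assumed format: "<timestamp> <type> <user> <path>").
SAMPLE_LOG = """\
2021-06-07T08:01:10 PROCESS_START jdoe C:\\Program Files\\Office\\winword.exe
2021-06-07T08:01:22 PROCESS_START jdoe C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice_0607.exe
2021-06-07T08:01:25 FILE_DELETE jdoe D:\\Backups\\finance-2021-06-01.bak
2021-06-07T08:01:26 FILE_DELETE jdoe D:\\Backups\\finance-2021-06-02.vhdx
2021-06-07T08:02:00 FILE_DELETE jdoe C:\\Users\\jdoe\\Downloads\\old_notes.txt
2021-06-07T08:05:00 PROCESS_START svc_backup C:\\Program Files\\BackupAgent\\agent.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")
EXECUTABLE_EXTENSIONS = {".exe", ".scr"}          # assumed set for the example
BACKUP_EXTENSIONS = {".bak", ".bkf", ".vhd", ".vhdx"}  # assumed set for the example
BURST_WINDOW = timedelta(seconds=60)              # assumed window
BURST_THRESHOLD = 2                               # assumed threshold


def parse_event(line):
    """Split one event line into fields; return None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, etype, user, path = m.groups()
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None  # first field is not a timestamp, so not an event we understand
    return {"ts": when, "type": etype, "user": user, "path": path}


def is_under_user_profile(path):
    """True for paths beneath C:\\Users\\<name>\\ (case-insensitive)."""
    parts = [p.lower().rstrip("\\") for p in PureWindowsPath(path).parts]
    return len(parts) > 2 and parts[0] == "c:" and parts[1] == "users"


def detect(log_text):
    """Apply both rules to every line and return (rule, user, detail) alerts in order."""
    alerts = []
    recent_backup_deletes = defaultdict(deque)  # user -> deletion timestamps in window
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        suffix = PureWindowsPath(ev["path"]).suffix.lower()
        # Rule 1 (Phase 2): executable started from beneath a user profile.
        if (ev["type"] == "PROCESS_START" and suffix in EXECUTABLE_EXTENSIONS
                and is_under_user_profile(ev["path"])):
            alerts.append(("exec_under_user_profile", ev["user"], ev["path"]))
        # Rule 2 (Phase 3): backup file deleted; escalate on a burst per user.
        elif ev["type"] == "FILE_DELETE" and suffix in BACKUP_EXTENSIONS:
            alerts.append(("backup_file_deleted", ev["user"], ev["path"]))
            window = recent_backup_deletes[ev["user"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > BURST_WINDOW:
                window.popleft()  # drop deletions older than the window
            if len(window) == BURST_THRESHOLD:
                alerts.append(("backup_deletion_burst", ev["user"],
                               f"{len(window)} backup files deleted within {BURST_WINDOW.seconds}s"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:24} {user:12} {detail}")
```

Run it directly to print the alerts. In a real deployment the same checks would be written in the SIEM’s query language over process-creation and file-deletion telemetry; the burst rule is what separates a user tidying up one old backup from the mass deletion the Phase 3 slide describes.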

Encryption and Decryption

Ransomware uses a combination of algorithms to encrypt the files. At first, the file may be encrypted using a symmetric encryption process, making it impossible to open. As a second layer of defense, the size of the file may be changed by adding a second algorithm in the header of the already encrypted code.

PHASE 5: USER NOTIFICATION AND CLEAN UP

• With the backup files removed and the encryption dirty work done, the demand instructions for extortion and payment are presented. Quite often, the victim is given a few days to pay, and after that time the ransom increases. Once paid, the malware cleans itself off the victimized system so as not to leave behind significant forensic evidence that would help build better defenses against the malware.

RANSOMWARE BY THE NUMBERS

• 1 in 3,000 emails that pass security filters contains malware, including ransomware. (Fortinet)

• On average, targeted organizations pay a ransom of $233,817. (Coveware)

• The average downtime due to a ransomware attack is 19 days. (Coveware)

• Only 26% of targeted organizations pay the ransom, but not all get their data back. (Sophos)

IN-BOUND E-MAIL, MAY 31 – JUN 4

• 28,022 e-mails from outside the city domain

• 6,417 e-mails from city-to-city domains

• Assume city-to-city e-mails are “ok”

• 9 e-mails are likely to contain malware that makes it through our filters

RANSOMWARE - ATTACK ON DATA, ACCESS, AND AVAILABILITY 2020

• Current Targets
  • Hospitals and Medical Groups
  • Governments
  • Education
  • Unpatched systems in any sector
  • Users of Social Media
  • Disinformation Campaigns
  • Stress – COVID-19 and Election

RANSOMWARE - ATTACK ON DATA, ACCESS, AND AVAILABILITY 2021

• Current Targets are Mission Critical
  • Supply-line providers – gas, oil, food
  • Transportation
  • Hospitals and Medical Groups
  • Governments
  • Infrastructure – Water, Wastewater
  • Education
  • Communications
  • Unpatched systems in any sector

• Why Worry?
  • Loss of Public Trust
  • Financial Loss
  • Time Loss
  • Data
  • Systems dependent on safety and security
  • Threat actors often sow the malware weeks before activating it, waiting for moments when they believe they can extract the highest payments

• What Can We Do? Be Prepared!
  • Prevention
    • Backup
    • 2FA
    • Up to Date Patches
    • Scams and Phishing Education
  • Detection
    • User Behavior Recognition
    • Isolate
    • Alert
  • Action
    • Lockout
    • Response and Recovery Plan

IF YOU THINK YOU’VE BEEN EXPOSED TO RANSOMWARE, PHISH OR OTHER THREAT

01 Contact Information Services ASAP (X4280)
02 Explain what, when and how it happened
03 Work with IS on incident response

TO LEARN MORE ABOUT RANSOMWARE

• Cybersecurity and Infrastructure Security Agency (CISA) – Guide and Checklists

• Sophos – Information and Prevention

• KnowBe4 – Ransomware Information and Prevention

• Five Steps to Defend Against Ransomware | LogRhythm

QUESTIONS

Please type your questions in the chat box.

Thank You!