THIS HAS BEEN…. WHAT DO I DO NOW?

Paul Seldes, FPEM, CEM, FMI
ntb group, LLC
Director of Operations

I DON’T HAVE TO BE HERE

DEFINED

Ransomware is a type of malicious software used by cybercriminals that is designed to extort money from their victims, either by

• Encrypting data on the disk, OR
• Blocking access to the system

CAN IT HAPPEN TO ME?

56% increase in ransomware attacks 2018-2019 (DHS-CISA)

$84,000 typical cost of recovery

$6 TRILLION cybercrime global costs by 2021

HOW IT WORKS

RANSOMWARE IS A GROWTH INDUSTRY

Cost of ransomware to the US in 2019 was $7.5 billion

Ransomware attacks are also known as BGH

2020: $10 billion?
2021: $15 billion?
2022: $20 billion?

CRYPTOLOCKER – FIRST GLOBAL RANSOMWARE CAMPAIGN

500,000 victims

Between $3 and $27 million in payments

There is a $3 million reward for information leading to his arrest (FBI)

June 2014

AND SO IT GOES

Over 100 variants between 2014 and 2019.

WANNACRY – MAY 2017 WORLDWIDE ATTACK

• In order to spread like a worm, WannaCry utilized an exploit called ETERNALBLUE, one of the leaked NSA hacking tools released by the Shadow Brokers hacking group in April 2017
• The patch for the vulnerability was available for 59 days prior to the attack
• Hit critical infrastructure in some countries such as Germany and Russia. In the U.K., the health care sector was hit hard: hospitals had to turn away patients, reroute ambulances, and reschedule surgeries and appointments, and emergency services were paralyzed

WHO IS TARGETED?

HOW-WHAT-WHY

• Do not open links in messages unless they are 100% trusted
• Go to the website and access your account directly
• Use cyber-security software that offers a full solution (virus, , ransomware, trojans, phishing, spam)
• Implement a security solution

SIMPLE RULES

• Back up and Restore
  • Automated: 3 copies, 2 formats, 1 air-gapped from network
• Patch
  • Update OS and security components
• Password
  • Use strong passwords (AmIk#1!zQlmx07%)
• Educate
  • Train employees on phishing, awareness, best practices

SIMPLE RULES

• Control Access
  • 2-factor authentication
• No Open Wireless
• Use Security Software (Symantec, McAfee, BitDefender, TrendMicro)
• Don’t click financial links in
• DON’T PAY THE RANSOM
• Get Pro Help

Two-factor authentication is a security process in which the user provides two means of identification from separate categories of credentials; one is typically a physical token, such as a card, and the other is typically something memorized, such as a security code.

IF YOU HAVE BEEN HACKED

1. Ask for help!
2. Work with experts
3. Isolate infection
4. Review the connections
5. Prioritize recovery

CASE STUDY

• A U.S. city was the target of a large ransomware attack in March 2018
• demanded over $50K in
• Many city offices were closed for over 5 days due to the attack
• Attack Vector - SamSam
• Brute force attack guessed weak passwords and exploited an application weakness
• Targeted U.S. government and infrastructure in 2018 causing $30M in losses

CASE STUDY - IMPACT

• 5 of 13 local government departments
• Police had to write incident reports by hand
• Forced manual processing of cases at Municipal Court
• Stopped online or in person municipal payments
• Years’ worth of data lost
• Cost over $2.6M in emergency efforts
• One third of software and applications remained affected 6 months post-attack

CASE STUDY - RESOLUTION

• The attack was identified due to outages with numerous applications and services.
• The city quickly shut down most of the city network
• The city quickly reached out for help and created a special management and technology team to work with a cybersecurity vendor.

TAKEAWAYS

Next week you should:
• Back up all your devices (just in case you have not done this yet)

In the first three months following this presentation you should:
• Configure 3-2-1 backup
• Choose and install a comprehensive anti-malware solution

Within six months you should:
• Implement all ransomware prevention practices at home and at the workplace

Q&A

You can ask questions now
Or
Wait until YOU have been hacked!

Paul Seldes
772-538-2154

Cybersecurity and Infrastructure Security Agency
https://www.cisa.gov/

[email protected]
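
The "3 copies, 2 formats, 1 air-gapped from network" rule under SIMPLE RULES, and the "Configure 3-2-1 backup" takeaway, can be checked mechanically. The following Python audit is an added example, not part of the original presentation; the `BackupCopy` fields, the sample inventories, and the 7-day freshness threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class BackupCopy:
    name: str         # label (constructed sample names below)
    media: str        # storage format: "disk", "tape", "cloud-object", ...
    networked: bool   # True if reachable from the production network
    last_good: date   # date of the last verified successful run

def audit_321(copies, today, max_age_days=7):
    """Check an inventory against 3 copies / 2 formats / 1 air-gapped.

    Returns (findings, loss_days). loss_days is the age of the newest
    air-gapped copy: the data-loss window if every networked copy is
    encrypted. It is None when no air-gapped copy exists.
    Assumptions: the live data counts as one of the 3 copies, and
    max_age_days=7 is an illustrative threshold, not from the slides.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"{len(copies)} copies, need 3")
    formats = {c.media for c in copies}
    if len(formats) < 2:
        findings.append(f"{len(formats)} format(s), need 2")
    offline = [c for c in copies if not c.networked]
    if not offline:
        findings.append("no air-gapped copy")
        return findings, None
    loss_days = min((today - c.last_good).days for c in offline)
    if loss_days > max_age_days:
        findings.append(f"newest air-gapped copy is {loss_days} days old")
    return findings, loss_days

# Constructed sample inventories, evaluated as of 2020-03-01.
TODAY = date(2020, 3, 1)
ALL_ONLINE = [
    BackupCopy("file-server", "disk", True, TODAY),
    BackupCopy("nas-mirror", "disk", True, TODAY),
]
STALE_TAPE = [
    BackupCopy("file-server", "disk", True, TODAY),
    BackupCopy("cloud-sync", "cloud-object", True, TODAY),
    BackupCopy("tape-vault", "tape", False, date(2020, 1, 1)),
]

if __name__ == "__main__":
    for label, inv in (("ALL_ONLINE", ALL_ONLINE), ("STALE_TAPE", STALE_TAPE)):
        print(label, audit_321(inv, TODAY))
```

An inventory can satisfy the 3-2-1 counts and still fail, as `STALE_TAPE` does: the only copy that survives a network-wide encryption event is too old to limit the data loss.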