Preventing by adopting a risk-based model

Adam Harrison, EMEA Lead, IBM Security X-Force Incident Response

Colin Sheppard, EMEA Lead, IBM Security X-Force Red

Trends

Destructive attacks are estimated to cost an average of $239 million, over 60 times more than the average cost of a data breach.

Throughout 2019, X-Force IRIS responded to ransomware engagements in 12 different countries, on 5 different continents, and across 13 different industries.

IBM Security / © 2020 IBM Corporation

Potted History of Ransomware

• 1989: AIDS Trojan
• 2005: Archievus
• 2012: Reveton
• 2013: CryptoLocker
• 2014: CTB Locker
• 2015: TeslaCrypt, Chimera, LowLevel04
• 2015: SamSam, Cryptolocker Service (RaaS)
• 2016: ZCryptor
• 2017: WannaCry
• 2017: NotPetya, Cryptocurrency Mining Malware

Evolution of Ransomware

Victim Targeting

Opportunist:
• Drive-by download
• Phishing campaigns

Increasing sophistication:
• Worm capability

Targeted attacks:
• Targeted attacks
• Domain compromise predicated
• Access resale

Evolution of Ransomware

Cryptocurrency Mining Malware

Activity levels tied to market conditions

Two types:
• Malicious mining via compromised websites, also known as cryptojacking.
• Malware-based cryptomining attacks on a user's device. This activity relies on the device's central processing unit (CPU) power.

Evolution of Ransomware

Extortion Tactics

Not new, but increasing:
• Reveton (2012)
• Chimera (2015)

Requires an increased dwell time on the part of the malicious actor.

Combats the ‘Restore from Backup’ approach

Recommendations

1. Implement and test a robust backup policy, to include offline backups of key data.
2. Build (or engage) an expert incident response team.
3. Use in-depth table-top and cyber range exercises to prepare for potential incidents.
4. Implement vulnerability and patch management processes.
5. Use threat intelligence to understand risks to your organization.

Themes: Resiliency, Preparation

WannaCry Timeline

March 14 Microsoft releases patch for CVE-2017-0144

April 14 Shadow Brokers release EternalBlue exploit

May 10 CVE-2017-0144 exploit released on ExploitDB

May 12 WannaCry attacks begin

May 13 Estimated 230k computers infected resulting in $4 billion in financial losses

1.7m: Average number of outstanding vulnerabilities in client environments

Source: X-Force Red vulnerability management client statistics

48%: Percentage of vulnerabilities in client environments rated high or critical per CVSS

Source: X-Force Red vulnerability management client statistics

And it is getting worse

Application development at DevOps speed

Convergence of IT and OT

Growing number of mobile & remote devices

Migration to containers & microservices

Infrastructure

Use threat intelligence to understand risk

CVE-2020-17084 (CVSS 3: 8.8)
• Microsoft Exchange Server Remote Code Execution
• No available exploits
• No malware variants

CVE-2017-0147 (CVSS 3: 5.9)
• Windows SMB Information Disclosure
• 14 known exploits
• 56 malware variants

3%: Percentage of vulnerabilities in client environments that present a real risk

Source: X-Force Red vulnerability management client statistics

Shift to risk-based vulnerability management

Traditional vulnerability management vs. risk-based vulnerability management

• Prioritization
  Traditional: based on static CVSS score or scanner score.
  Risk-based: based on dynamic threat intel and business impact.

• Visibility
  Traditional: fragmented visibility across infrastructure, cloud, and IoT.
  Risk-based: complete visibility across infrastructure, cloud, and IoT/OT.

• Focus
  Traditional: reducing the number of outstanding vulnerabilities.
  Risk-based: responding to discovered risk within target timeframes.

• IT relationship
  Traditional: IT resistant due to crushing demand to patch everything.
  Risk-based: collaboration between security and IT due to shared incentives.
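To make the contrast between the two prioritization models concrete, here is an added example (not X-Force Red's scoring model, and not code from the deck) that ranks the two CVEs shown on the threat-intelligence slide first by static CVSS score and then by a dynamic score that folds in known exploits, malware variants and asset criticality, and maps the result to a target remediation window. The weights, the asset criticality values and the remediation windows are assumptions chosen for illustration; the CVSS scores, exploit counts and malware counts are the ones from the slide.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    cvss: float              # CVSS v3 base score (from the slide)
    known_exploits: int      # public exploits per threat intel (from the slide)
    malware_variants: int    # malware families using it (from the slide)
    asset_criticality: int   # 1 (low) .. 5 (crown jewel); assumed business input


# Constructed sample: the two CVEs compared on the slide, both assumed to sit
# on assets of middling criticality so only threat intel separates them.
SAMPLE = [
    Finding("CVE-2020-17084", 8.8, known_exploits=0, malware_variants=0, asset_criticality=3),
    Finding("CVE-2017-0147", 5.9, known_exploits=14, malware_variants=56, asset_criticality=3),
]


def risk_score(f: Finding) -> float:
    """Dynamic score: CVSS is the starting point, weaponisation and business
    impact scale it up or down. Caps and weights are illustrative assumptions."""
    exploit_factor = 1.0 + min(f.known_exploits, 10) * 0.15   # up to 2.5x
    malware_factor = 1.0 + min(f.malware_variants, 50) * 0.02  # up to 2.0x
    impact_factor = f.asset_criticality / 3.0                  # 3 == neutral
    return round(f.cvss * exploit_factor * malware_factor * impact_factor, 1)


def remediation_days(score: float) -> int:
    """Assumed target timeframes tied to risk score rather than raw CVSS."""
    if score >= 20:
        return 7
    if score >= 10:
        return 30
    return 90


def rank_traditional(findings):
    """Static model: highest CVSS first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_risk_based(findings):
    """Risk-based model: highest dynamic score first."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]


if __name__ == "__main__":
    for f in rank_risk_based(SAMPLE):
        finding = next(x for x in SAMPLE if x.cve == f)
        print(f, risk_score(finding), "fix within", remediation_days(risk_score(finding)), "days")
```

With these weights the traditional ranking puts the unexploited Exchange RCE first, while the risk-based ranking puts the SMB information disclosure with 14 exploits and 56 malware variants first and assigns it the shortest remediation window.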
