Title Ransomware

Presenter Date Bill Wright 6/29/2017 Government Affairs Evolution path MISLEADING APP FAKE AV LOCKER RANSOMWARE CRYPTO RANSOMWARE

2005-2009 2010-2011 2012-2013 2014-2017

“FIX” “CLEAN” “FINE” “FEE”

2016 Internet Security Threat Report Copyright © 2017 Symantec Corporation 2 Volume 21 2 36% Increase in Ransomware Attacks

o Highly profitable o Low Barrier to Entry - Multiple Software as a Service offerings available

Copyright © 2017 Symantec Corporation 3 2017 Internet Security Threat 3

3x as many new ransomware families in 2016

101

30 30

2014 2015 2016

Copyright © 2017 Symantec Corporation 4 2017 Internet Security Threat 4

Ransomware Detections by Country

o With 34% of all attacks, US the region most affected by Ransomware o Attackers target countries that can pay the largest ransom o Number of internet connected computers also effect the numbers o But US also has characteristic that is driving up the cost of the ransom

Copyright © 2017 Symantec Corporation 5 2017 Internet Security Threat 5

Average Ransom Demand The average starting ransom $1,077 o demand soared in 2016. Once infected many threats o raise price if ransom not paid by deadline Some criminals will o negotiate Targeted businesses will see o higher demands Highest ransom demand for $294 o single machine seen in 2016 - $28,730 (Ransom.Mircop) 2015 2016

Copyright © 2017 Symantec Corporation 6 2017 Internet Security Threat 6

What is Driving Up the Ransom Demand?

Percentage of Consumers Who Pay Ransom 64% US o There does not appear to be price sensitivity among victims, especially in the 34% US Globally - As long as victims willing to pay, criminals can raise the price

Copyright © 2017 Symantec Corporation 7 2017 Internet Security Threat 7

WannaCry Ransomware Generating Significant Global Attention

Copyright © 2017 Symantec Corporation 8 Copyright © 2017 Symantec Corporation 9 WannaCry Ransomware: Basics of the Attack

Security Stack Internet

• Microsoft announces SMB vulnerability and patch within MS17-010 • Shadowbrokers release EternalBlue in their datadump which exploits this Microsoft SMB vulnerability • WannaCry is seen in the wild and initial compromise vector unknown • WannaCry encrypts files for ransom on host and propagates to other unpatched/unprotected hosts

Copyright © 2017 Symantec Corporation 10 Copyright © 2017 Symantec Corporation 11 Attribution: Possibly Lazarus Group

• Code used/borrowed from other Lazarus attacks • Earlier versions of WannaCry found on computers with Lazarus tools • Precedence exists: SWIFT Attacks $81million

Copyright © 2017 Symantec Corporation 12 Public Private Partnership: WannaCry

DHS’s National Cybersecurity and Communications Integration Center (NCCIC)

Cyber Threat Alliance

Copyright © 2017 Symantec Corporation 13 Petya Ransomware

Copyright © 2017 Symantec Corporation 14 Petya

Copyright © 2017 Symantec Corporation 15 Looking Ahead Q&A

Copyright © 2017 Symantec Corporation 16 Ransomware

Thank You!

Copyright 2017, Symantec Corporation Symantec’s Timeline of WannaCry Symantec Blocked 22M Attempted Attacks on Nearly 300,000 Endpoint Systems

Symantec delivers protection to Symantec delivers further Microsoft announces block SMB exploitation of MS17-010 updates to protect against Continuous Protection vulnerability MS17-010 including blocking for EternalBlue for WannaCry is first potential new variants for and releases patch SEP14, SEP12 and Norton seen in the wild SEP14, SEP12 and Norton Critical Systems Protection (CSP) Data Center Security (DCS) March 14 April 14 May 2 May 12 – 1AM Central US May 12– 3PM Central US Cloud Workload Protection (CWP) IT Management System (ITMS) Control Compliance Suite ShadowBrokers Symantec Endpoint Symantec Global (CCS) release Advanced Machine Intelligence Network Malware Analysis / Cynic EternalBlue Learning and Norton instantly adapts providing MSSP automatically block most protection to SEP14 and Cyber Security Services variants of WannaCry Blue Coat ProxySG

Copyright © 2017 Symantec Corporation 18