
Tactics & Techniques: Q2 2019 Retrospective
Jarryd Boyd, Senior Engineer

Who Am I?

Jarryd Boyd, Senior Sales Engineer

Years of experience fighting cyber threats, from the network to the endpoint.

Deep-seated belief in multi-layered security approaches

Has worked with Fortune 500 companies and small businesses

Key Takeaways

» Ransomware shifts to business targets
» Consumer ransomware drops -12% YoY & -25% QoQ
» Business-focused ransomware increased by 365% YoY
» Ryuk ransomware increased 88% QoQ
» GandCrab ransomware decreased 33% QoQ
» Ransomware against businesses is a better return on investment (ROI)
» Ransomware evolution will continue, making it more difficult to defend against

RANSOMWARE AIMS HIGHER

Why the shift?

Business attacks have surged in 2019
» At least double the number of public attacks compared with 2018
» Municipal networks have been identified as easy and valuable targets
» Schools, healthcare facilities and manufacturing firms are also big targets for these threats

Why the shift?

Return on Investment
» More valuable targets
» Greater ransom
» Easier to spread
» Payment is more likely

Why the shift?

New Technologies
» EternalBlue
» WannaCry & NotPetya
» &

DETECTIONS

[Chart: Consumer Product Ransomware Detections 2018 – 2019]
[Chart: Business Product Ransomware Detections 2018 – 2019]

Ransomware shifts from consumer to business

REGIONAL BREAKDOWN

Region Breakdown by Ransomware Detection, Jun 2018 - Jun 2019 (Business + Consumer Products)
» North America: 48%
» Europe, Middle East, Africa: 35%
» Latin America: 10%
» Asia Pacific: 7%

Top 5 Ransomware Family by Region, Jun 2018 - Jun 2019 (Business + Consumer Products)
[Chart: GandCrab and Ryuk are the top two families in every region (North America; Europe, Middle East, Africa; Latin America; Asia Pacific). The other families shown are Troldesh, Rapid, Samas, Locky, Cerber, Amnesia and Spora.]

United States

States Most Affected:
» Texas
» California
» New York
» Georgia
» North Carolina

Top 5 Ransomware Family Detections by Top 5 U.S. States, Jun 2018 - Jun 2019 (Business & Consumer Products)
[Chart: GandCrab is the leading family in all five states; the other families shown include Ryuk, Troldesh, Rapid, Cerber, Xorist, BTCWare, Fantom, Arestocrat and Memz.]

RANSOMWARE FAMILIES

GandCrab Ransomware
» GandCrab Facts
  » Ransomware as a Service
  » Multiple evolutions
  » Authors claim to have retired
» Methods of infection
  » Exploits
  » Emails

GandCrab Detections by Percentage Changes, Jun 18 - Jun 19 (Consumer & Business Products)
[Chart annotations:]
» Fallout Exploit Kit spreads GandCrab using Flash and MS Excel exploits

» Confluence vulnerability CVE-2019-3396 used to compromise servers & spread GandCrab
» Windows exploit CVE-2018-8120 used to spread GandCrab
» Multiple campaigns identified spreading GandCrab ransomware via malicious Word macros
» Fake CDC flu e-mail used to spread GandCrab v5.2 via malicious Word macros
» GandCrab authors claim they are retiring
(Jul-18 to Jun-19, N=~4,000)

Ryuk Ransomware
» Ryuk Facts
  » First observed in mid 2018
  » Most commonly seen business ransomware in 2019
  » Part of the “Triple Threat”
  » Derived from the “Hermes” ransomware
  » Utilizes RSA 2048 & AES 256

Ryuk Detections by Percentage Changes, 2019 (Consumer & Business Products); Ryuk Detections, Dec 18 - Jun 19 (Consumer & Business Products)
[Chart annotations:]
» Ryuk actively spread via Trickbot infections
» Ryuk breaks headlines with holiday ransomware attack against Tribune Publishing
» Campaigns against organizations continue with a decline in consumer-focused attacks
» Ryuk spread stays relatively steady during Q2 2019

Rapid Ransomware
» Rapid Facts
  » First discovered in 2017
  » Spread through
    » Malicious e-mails
    » Manual infection
  » Rapid infections went up 200% between May and June 2019

Rapid Ransomware Detections by Percentage Changes, Jun 18 - Jun 19 (Consumer & Business Products)
[Chart annotations:]
» New variant of Rapid using .guesswho extension
» New variant of Rapid using .GILLETTE extension
» Rapid spread via manual infection through RDP exploits
» Rapid v3.0 campaign using fake IRS e-mails & malicious Word documents

Troldesh Ransomware
» Troldesh Facts
  » Also known as “Shade”
  » Been around for many years
  » Spread through malicious e-mail
  » Utilized compromised CMS platforms to host
  » Historically focused on Russia until 2018

Troldesh Detections by Percentage Changes, Jun 18 - Jun 19 (Consumer & Business Products)
[Chart annotations:]
» Russian-focused e-mail campaign pushing Troldesh/Shade via malicious PDF documents
» Compromised CMS sites, such as WordPress, are used to download malware during malicious e-mail campaign
» Russian-focused e-mail campaign pushing Troldesh/Shade via zipped Office documents
» Reported malicious social media links redirect users to Troldesh/Shade infections
» Troldesh/Shade spread beyond Russia, to U.S., Japan and other countries

Locky Ransomware
» Locky Facts
  » Offline since 2018
  » First appeared in 2016
  » Upgraded multiple times
  » Functionality to hide malware & better encryption

Locky Detections, Feb 16 - Jun 19
[Chart annotations:]
» Locky is first spotted in the wild
» Locky returns with new anti-analysis tricks
» Locky takes a break for 3 months to continue development
» Two new Locky variants discovered, spreading via malicious spam using malicious Office or ZIP files
» Necurs, which spread Locky, goes down
» Locky fails to recover after cryptocurrency surge pushes ransomware to the background

Cerber Ransomware
» Cerber Facts
  » First discovered March 2016
  » First Ransomware as a Service
  » Most commonly seen ransomware of 2016
  » Dec 2017, five Romanian nationals were arrested
  » Cerber went down shortly after that

Cerber Detections, Mar 16 - Jun 19
[Chart annotations:]
» Cerber is first spotted in the wild
» Cerber distributed via malvertising with RIG & Magnitude exploit kits
» Cerber teams up with Dridex distribution botnet using MS Office documents with malicious macro scripts
» Magnitude exploit kit adds feature to obscure Cerber detections
» New versions of Cerber distributed both through e-mail and exploit kits
» Five Romanians behind distribution of Cerber and CTB-Locker are arrested
» After arrest, Cerber activity quickly vanishes; only cleanup detections from this point on

PREDICTIONS

The Ransomware of Tomorrow

Increased use of manual infections
» We’ve seen an increasing trend of manual attacks using ransomware
» Manually disable security tools
» Greater risk to attacker if they leave behind clues

Additional ‘blended’ attacks
» We will see continued development of infection methods that work off each other
» Automated + manual infection attacks are far more successful

Ransomware will continue to pair up with other malware
» Much like we’ve seen with Ryuk, Trickbot and Emotet
» We are near the end of the ‘single purpose’ malware era

The Ransomware of Tomorrow

Additional development of infection venues
» As we’ve seen with new exploits & malicious scripts over the last year
» Infection venues will always be developed upon, to find a more effective way of attack

Consumer-facing ransomware will vanish
» Ransomware has shown it is far more powerful against organizations
» Ransomware focused on consumers is likely to be replaced by , or crypto miners

Ransomware use will continue through the year
» The trend of using ransomware has become too popular to avoid
» We will continue to see ransom attacks throughout the year
» New approaches to security technology and/or proactive efforts by companies should slow this down

Conclusion

Ransomware is here to stay, at least for a while
» Proactive protection is required
  » Detection based on behavior
  » Identification of valuable data to be better protected
  » Establishment of company-wide guidance on ransomware
» It’s not about if, but when
  » There are many avenues for infection when it comes to organizational networks
  » Methods that have worked for decades continue to work (i.e. spear phishing)
  » Providing users with options to report suspicious e-mails is a good first step
» Attacks are a case-by-case situation
  » A single method for protection from ransomware may not be viable for all organizations
  » Paying the ransom depends on the overall cost to the organization
  » Getting back up and running is paramount

The Educational Threat Landscape

[Chart: Education Organization Overall Detections (June 2018–Aug 2019). Data has been normalized to identify trends.]

Treasure Trove of Personal and Financial Data
» Student and staff personally-identifiable information
» Education technology providers, vendors, or third-party suppliers
» Public communication channels and the school system
» Financial information

Knowledge Share

Malwarebytes Prevention Layers

Anti-Exploit

Anti-Malware

Web Protection

Malwarebytes: Addressing Today’s Threat Landscape

Malwarebytes: The Most Trusted Name in Security

BY THE NUMBERS
» 500k downloads per day
» 3M remediation events per day
» Global research team
» $150M - $200M run rate
» ~25% growth YoY
» 35% R&D spend
» Cash flow positive
» Tens of thousands of business customers

ACCOLADES
» Gartner positions Malwarebytes in the Visionary quadrant, 2018 Magic Quadrant for Endpoint Protection Platforms

INNOVATION
» 8 patented technologies + 10 pending, including:
  • Behavioral identification of ransomware
  • Machine learning techniques
  • Fileless attack detection

Effective Solution Components

PREVENT: Multiple Protection Layers

DETECT: Advanced Detection Techniques

RESPOND: Comprehensive Remediation

Malwarebytes Endpoint Protection and Response

We Don’t Just Find It. We Fix It.

EDR WITHOUT COMPLEXITY

UNMATCHED THREAT VISIBILITY

COMPREHENSIVE ATTACK CHAIN PROTECTION

#1 TRUSTED NAME IN REMEDIATION

Protection, Detection, and Response Layers

Granular Endpoint Isolation
• Isolates endpoints to stop the bleeding
• Prevents malware from connecting to C&C
• Locks remote attackers out

Thorough Remediation
• Cleans up primary payload
• Detects and removes all dynamic and related threat artifacts
• Minimizes end-user impact

Ransomware Rollback
• Performs just-in-time backups of file changes
• Logs/associates changes with specific processes
• Rollback damage up to 72 hours

Let’s Take Your Questions

Try Now: malwarebytes.com/business/trial
Learn More: malwarebytes.com/business
See What Others Miss: malwarebytes.com/remediationmap

THANK YOU