CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
Defend Today, Secure Tomorrow

Ransomware Campaign Overview
David Stern
October 15, 2020

Ransomware
What is it?
Malware designed to make data or hardware inaccessible to the victim until a ransom is paid.
Examples
• Cryptolocker
• Winlock
• Cryptowall
• Reveton ransomware
• Bad rabbit
• Crysis
• Wannacry
Why should you care?
• Often downloaded as malicious email links
• Damage to both financial stability and reputation
• No guarantee that you will get your data back, even if you pay
• Often used as a decoy for other malicious activity

Malware
What is it?
Any software intended to…
• Damage
• Disable
• Or give someone unauthorized access to your computer or other internet-connected device
Examples
• Ransomware
• Adware
• Botnets
• Rootkits
• Spyware
• Viruses
• Worms
Why should you care?
• Most cybercrime begins with some sort of malware. You, your family, and your personal information are almost certainly at risk if malware finds its way onto your computer or devices.

Cyber Threats of Today
• Ransomware
  • WannaCry
  • REvil/Sodinokibi (targeting MSPs)
  • Ryuk (targeting medical, education, SLTT)
  • Robinhood, Maze, Fobos, CovidLock, CryptoLocker, Pysa, VoidCrypt…
• Malware
  • [Remote Access Trojans] Trickbot, Emotet, LokiBot
  • [wiperware] NotPetya
• Threats to External Dependencies
  • 3rd party vendors, service providers, infrastructure providers
  • Supply chain

Cyber Attacks: Step-By-Step
Remote worker / distance learning
Establish foothold, maintain presence, escalate permissions

Would This Email Fool You?
From: [email protected]
Subject: Response Required ASAP– Covid-19 Preparedness

Covid-19 Prepardness
Tom,
Due to the ongoing corona virus outbreak, “Your Company Name” is actively taking safety precations by instituting a Comunicable Disease Management Policy. The policy is a part of our organizatinal preparedness, and we require all employees to read and acknowledge the policy by the end of the day.
www.fakewebsite.com/gotcha.exe
Also we are currenting collecting donations for frontline workers here. Click or tap to follow link.
Sincerely Yours,
BossMann
REPLY

Protective Measures - 1
IT Security Professionals and Leadership - The Essentials
• Inventory all technology and information assets
• Deploy antivirus on all servers and workstations
• Back up data regularly
• Implement good patch management practices
• Implement strong user management practices
• Have a plan for responding to cyber incidents
• Develop and strengthen situational awareness
• Implement a secure network architecture
• Implement innovative security awareness training
• Conduct internal audits and periodic cyber assessments

Protective Measures - 2
Organizational Leaders
• Know business risks and treat cyber as a business risk, to operations and to supply chains
• Foster a culture of operational resilience and cyber readiness
• Incorporate cybersecurity as a part of business strategy, including all external relationships
• Build a network of trusted relationships with sector partners and government agencies for access to timely cyber threat information, incident reporting, and response coordination
End Users
• Participate in security awareness training and have an awareness of the threats
• Be aware of your digital footprint and know the end-user security features available to you
• Know the data backup options available and ensure locally stored data is backed up
• Be vigilant, accountable, and report incidents and suspicious activity immediately

CISA Ransomware Resources
CISA.gov/ransomware
• Ransomware Guide
• CISA INSIGHTS: Ransomware Outbreak
• NEW! Toolkit, fact sheet, and images
• Alerts and Statements
  • US-CERT activity alerts on ransomware threats
  • Joint statements on ransomware with our partners
• Guides and Services
  • Cyber Hygiene Services
  • TTX Exercises
• Factsheets and Infographics
  • Protect Your Center From Ransomware poster
  • Ransomware: What It Is and What To Do About It
• Training and Webinars
  • Trends and Predictions in Ransomware (Cyber Summit 2020)
  • CDM Training
  • Incident Response Training Series
  • Combating Ransomware Webinar

Cyber Incident Reporting
When to Report:
If there is a suspected or confirmed cyber attack or incident that:
• Affects core government or critical infrastructure functions;
• Results in the loss of data, system availability, or control of systems; or
• Indicates malicious software is present on critical systems

No-Cost CISA Cybersecurity Services
• Preparedness Activities
  • Cybersecurity Assessments
  • Cybersecurity Training and Awareness
  • Cyber Exercises and “Playbooks”
  • Information / Threat Indicator Sharing
  • National Cyber Awareness System
  • Vulnerability Notes Database
  • Information Products and Recommended Practices
• Response Assistance
  • 24/7 Response assistance and malware analysis
  • Incident Coordination
  • Threat intelligence and information sharing
• Cybersecurity Advisors – Regionally deployed advisors
  • Incident response coordination
  • Public Private Partnership Development
  • Advisory assistance and cybersecurity assessments

CISA Contact Information
Benjamin Gilbert, CISSP, CRISC, CEH
Cybersecurity Advisor, CISA Region III
[email protected]
[email protected]
CISA URL: https://www.cisa.gov
To Report a Cyber Incident to CISA:
• Call 1-888-282-0870
• Email [email protected]
• Visit https://www.cisa.gov