Cisco Live 2018 Cap by Completing the Overall Event Evaluation and 5 Session Evaluations

How to Defend Against Ransomware Threats So You Don't Become a Hostage
Matt Kaneko, Solution Tech Lead Architect
BRKSEC-2140

Agenda
• Introduction
• Ransomware 101
• Ransomware Defence Overview
• Solution Architecture
• Layers of Defence
• Conclusion

Ransomware: A Growing Threat for Government Agencies

"On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015."
US Department of Homeland Security, July 11, 2016

IBM report, "Ransomware: How Consumers and Businesses Value Their Data"

"NHS (National Health Service) organisations have reported they have suffered a ransomware attack. This is not targeted at the NHS. It is an international attack. A number of countries and organisations have been affected."
Theresa May, British Prime Minister, May 12th, 2017

CNN: More than 45,000 malicious computer attacks across 74 countries in the initial 10 hours of outbreak.

BRKSEC-2140 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 4

[Slide: press headlines] "NHS ransomware cyber attack spreads worldwide"; "Ransomware Is Targeting US Companies Of All Sizes"; "A Top Cybersecurity Firm Says Ransomware Attacks Are Getting Worse"; "Internet of Things Makes Ransomware Big Business for Cyber Criminals"

[Slide: chart] Source: Malwarebytes State of Malware Report 2017

Ransomware Trends

1 year ago - Industry Top Targets for Ransomware (Ransomware Victims by Industry)
• Healthcare 54%
• Banking 44%
• Tech 35%
• Education 29%
• Manufacturing 28%
Source: Oct 2016 survey of 1138 companies by KnowBe4

May 2017 - Industry Top Targets for Ransomware
• Business & Professional Services 28%
• Government 19%
• Healthcare 15%
• Retail 15%
• Other 23%
Source: NTT Security Global Threat Intelligence Report

Ransomware Trends
• 2016: smaller scale, aim for profit
• 2017: global scale, professional and timing uplift (fame)
• 2017-2018: targeted attacks, decoy, business disruption

WHAT WOULD YOU DO - IF?

Ransomware is a Business Conversation
➢ Downtime impact – how much money do you lose with every hour of downtime?
➢ How much information (customer, production, patient, client, service, sales, …) can you afford to never get back?
➢ What level of business disruption until it factors into your quarterly earnings?

Ransomware 101

Ransomware: Easy Profits
• Most profitable malware in history
• Lucrative: direct payment to attackers!
• Markets and Markets predict ransomware will be a $17 billion business by 2021
• A relatively new development in this criminal industry is Ransomware-as-a-Service (RaaS):
  o No coding skills needed by the attacker
  o The developer receives a monthly payment and/or a percentage of profits
• It is no longer just about the ransom: criminals use ransomware to distract the company while they spread through the network and steal information

The Evolution of Ransomware Variants
The confluence of easy and effective encryption, the popularity of exploit kits and phishing, and a willingness of victims to pay has caused an explosion of ransomware variants.

[Figure: timeline of ransomware variants from 1989 to 2017 and beyond (worm-type ransomware), with the launch of the Bitcoin network also marked. PC Cyborg (1989) is labelled the first commercial ransomware. Other names shown on the slide, in no reliable order: GPCoder, Redplus, CRYZIP, Fake Antivirus, Reveton, Ransomlock, Urausy, Cryptolocker, Cryptowall, CryptoDefense, Cryptorbit, Dirty Decrypt, Cryptographic Locker, CoinVault, Svpeng, Simplelock, Koler, Kovter, Lockscreen, Android phone ransomware, Lockdroid, TorrentLocker, CBT-Locker, Tox, Cryptvault, DMALock, Chimera, Hidden Tear, Teslacrypt 2.0, Teslacrypt 3.0, Teslacrypt 4.0, Teslacrypt 4.1, Locky, 73V3N, Keranger, Virlock, Radamant, Powerware, Hydracrypt, Rokku, Jigsaw, Cerber, SamSam, Cokri, QiaoZhaz, WannaCry, Petya/Nyetya.]

Nyetya Ransomware
[Slide: Nyetya]

Typical Ransomware Infection
Problem: people and businesses can be taken hostage by malware that locks up critical resources.
1. Infection vector – ransomware frequently uses the web and email
2. C2 comms and asymmetric key exchange – ransomware takes control of targeted systems
3. Encryption of files – ransomware holds those systems' files 'hostage'
4. Request of ransom – the owner/company is challenged to pay the 'ransom' (bitcoins) to free the system

YOUR FILES ARE ENCRYPTED

A Successful Attack Becomes Personal
• Emotional: something important taken, and you don't have the control to get it back
• Personal: customers, patients, clients, students – PEOPLE SUFFER
• Panic
• 'Why me'
• Trust is violated
• Pay – or else
• Crisis

Ransomware Problem
Problem: customers can be taken hostage by malware that locks up critical resources.
• Ransomware gains access to systems through web and email
• Ransomware takes control of those systems, and holds those systems 'hostage' until the owner/company agrees to pay the 'ransom' (bitcoins) to free the system
Effect: this can be catastrophic to businesses for a period of time.
• Hospitals taking care of patients and losing the ability to give them real-time care (admittance, surgeries, medications, etc.)
• Public safety not being able to respond to emergency incidents
• Financial banking systems offline from trading or banking activities
• Manufacturing production downtime – direct hit to bottom line

Ransomware Defence Overview

Cisco Ransomware Defence Solution: Solution to Prevent, Detect, and Contain Ransomware Attacks
The Cisco Ransomware Defence Solution is not a silver bullet, and not a guarantee. It does help to:
• Prevent ransomware from getting into the network where possible
• Stop it at the systems before it gains command and control
• Detect when it is present in the network
• Work to contain it from expanding to additional systems and network areas
• Perform incident response to fix the vulnerabilities and areas that were attacked
It recommends that best-practice backup and recovery policies be implemented and tested.
This solution helps to keep business operations running with less fear of being taken hostage and losing control of critical systems.

How Ransomware Works
1. User clicks a link, a malvertising ad, or an email with a malicious attachment
2. Initial exploit using Angler or other malware kits
3. Command and control callback
4. Ransomware payload downloaded and installed
5. Key retrieval and payment information
[Figure: infection path – compromised sites and malvertising → web infrastructure redirect → exploit kit (Angler, Nuclear, Neutrino) → file drop → ransomware payload; phishing/spam email attachment → file drop → ransomware payload; C2 domains → encryption key]

Most Ransomware Relies on DNS and C2 Callbacks
[Figure: the same infection path as above]

Ransomware Examples that use DNS for Command & Control (C2) Callbacks
The slide has two column groups: how the encryption key is retrieved (DNS / IP / no C2) and how the payment message is delivered (TOR / payment). Top variants as of March 2016, as marked on the slide:
• Locky – DNS
• SamSam – DNS (TOR)
• TeslaCrypt – DNS
• CryptoWall – DNS
• TorrentLocker – DNS
• PadCrypt – DNS (TOR)
• CTB-Locker – DNS
• FAKBEN – DNS (TOR)
• PayCrypt – DNS
• KeyRanger – DNS

Ransomware Kill Chain - Seven Stages of an Attack
• Target: Recon, Stage, Launch (attacker infrastructure used by attacker)
• Compromise: Exploit, Install (files/payloads used by attacker)
• Breach: Callback, Persist
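The two DNS slides above make the point that nearly every variant in the list has to resolve a name to fetch its encryption key or reach its C2, so resolver logs are a natural place to look. The script below is an added example, not Cisco's code and not part of the deck: it scores constructed resolver query lines for three signs a practitioner would check, high-entropy registrable labels of the kind a domain-generation algorithm produces, a burst of NXDOMAIN answers from one client as a DGA cycles through candidates, and lookups of Tor2web-style gateway suffixes through which a payment page on a .onion address can be reached without a Tor client. The log format, client addresses, domain names, thresholds and the gateway suffix list are all assumptions.

```python
"""Score resolver query logs for ransomware C2 / key-exchange callbacks.

Added example, not Cisco code. Log format, hosts, domains and the gateway
suffix list are constructed assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log lines: "<ts> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
1526000001 10.1.1.20 www.example.com NOERROR
1526000002 10.1.1.20 updates.example.com NOERROR
1526000003 10.1.1.31 xk3q9v7bz2m1p.top NXDOMAIN
1526000004 10.1.1.31 p0q2zr8t4lw6ak.top NXDOMAIN
1526000005 10.1.1.31 mz9c3x1vqh7tsd.top NXDOMAIN
1526000006 10.1.1.31 r5nq2w8jyl3fgb.top NOERROR
1526000007 10.1.1.31 r5nq2w8jyl3fgb.top NOERROR
1526000008 10.1.1.20 mail.example.com NOERROR
1526000009 10.1.1.42 7gk2x.onion.to NOERROR
"""

# Assumed list of Tor2web-style gateway suffixes: they let a host with no Tor
# client reach a .onion payment page through an ordinary DNS lookup.
TOR_GATEWAY_SUFFIXES = (".onion.to", ".onion.ws", ".tor2web.org")


def shannon_entropy(s):
    """Bits per character; machine-generated labels score well above real words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname):
    """Label left of the TLD, e.g. 'example' for 'mail.example.com'."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text):
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, rcode = line.split()
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower(), "rcode": rcode})
    return records


def score_clients(records, entropy_threshold=3.5, nxdomain_burst=3, window=60):
    """Return per-client findings; clients with nothing suspicious are omitted."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)

    findings = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        f = {"high_entropy": [], "nxdomain_burst": 0, "tor_gateway": []}

        # Largest number of NXDOMAIN answers inside any sliding window: a DGA
        # walking through candidate domains produces exactly this burst.
        nx = [r["ts"] for r in recs if r["rcode"] == "NXDOMAIN"]
        for i, t in enumerate(nx):
            run = sum(1 for u in nx[i:] if u - t <= window)
            f["nxdomain_burst"] = max(f["nxdomain_burst"], run)
        if f["nxdomain_burst"] < nxdomain_burst:
            f["nxdomain_burst"] = 0

        # Each distinct name is scored once, so repeated beacons do not inflate counts.
        for q in sorted({r["qname"] for r in recs}):
            if shannon_entropy(registrable_label(q)) >= entropy_threshold:
                f["high_entropy"].append(q)
            if q.endswith(TOR_GATEWAY_SUFFIXES):
                f["tor_gateway"].append(q)

        if f["high_entropy"] or f["nxdomain_burst"] or f["tor_gateway"]:
            findings[client] = f
    return findings


if __name__ == "__main__":
    for client, f in score_clients(parse_log(SAMPLE_LOG)).items():
        print(client, f)
```

With the sample lines, 10.1.1.31 is reported for four machine-looking labels and a burst of three NXDOMAINs, 10.1.1.42 for the gateway lookup, and the ordinary client is silent. Entropy and burst thresholds are a triage aid rather than a verdict; once a name is confirmed bad, the callback is broken at the resolver (a response-policy zone or sinkhole), which is the DNS security capability the deck is leading up to.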
Capabilities Needed to Break the Kill Chain
• Threat intelligence – knowledge of existing ransomware and communication vectors
• E-mail security – block ransomware attachments and links
• Web security – block web communication to infected sites and files
• DNS security – break the DNS command and control callback
• Client security – inspect files for ransomware and viruses, quarantine and remove
• Segment infrastructure – authenticate access, separate traffic based on role and policy
• Intrusion prevention – block attacks, exploitation and intelligence gathering
• Monitor infrastructure communications – identify and alert on abnormal traffic flows

Capability Defence against the "Kill Chain"
Target: Recon, Stage, Launch; Compromise: Exploit, Install; Breach: Callback, Persist
Host
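Two of the capabilities listed above, segmenting traffic by role and policy and alerting on abnormal flows, can be checked directly against flow records. The script below is an added example, not from the deck and not Cisco's code: it reads constructed NetFlow-style records, reports workstation-to-workstation traffic on admin and file-sharing ports that a role-based policy would never permit, and flags any source that opens SMB to many distinct peers within a short window, the fan-out that the worm-type ransomware on the timeline slide (WannaCry, Nyetya) produces when it spreads. The zone ranges, port set, thresholds and flow lines are all assumptions.

```python
"""Flag lateral-movement fan-out and segmentation-policy violations in flow records.

Added example, not Cisco code. Zone ranges, ports and the flow lines are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records: "<ts> <src_ip> <dst_ip> <dst_port>"
SAMPLE_FLOWS = """\
1526000100 10.1.1.31 10.1.1.32 445
1526000101 10.1.1.31 10.1.1.33 445
1526000102 10.1.1.31 10.1.1.34 445
1526000103 10.1.1.31 10.1.1.35 445
1526000104 10.1.1.31 10.1.1.36 445
1526000105 10.1.1.31 10.1.1.37 445
1526000106 10.1.1.31 10.1.1.38 445
1526000107 10.1.1.31 10.1.1.39 445
1526000108 10.1.1.31 10.1.1.40 445
1526000110 10.1.1.20 10.2.5.10 445
1526000111 10.1.1.20 10.2.5.10 443
1526000112 10.1.1.42 10.1.1.50 3389
"""

# Assumed segmentation policy: workstations may reach servers, but workstation
# to workstation traffic on admin/file-sharing ports is never legitimate.
POLICY = {
    "zones": {
        "workstations": ipaddress.ip_network("10.1.0.0/16"),
        "servers": ipaddress.ip_network("10.2.0.0/16"),
    },
    "lateral_ports": {135, 139, 445, 3389},
}


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport)})
    return flows


def zone_of(ip, policy=POLICY):
    addr = ipaddress.ip_address(ip)
    for name, net in policy["zones"].items():
        if addr in net:
            return name
    return "unknown"


def policy_violations(flows, policy=POLICY):
    """Workstation-to-workstation flows on a lateral-movement port."""
    return [
        f for f in flows
        if zone_of(f["src"], policy) == "workstations"
        and zone_of(f["dst"], policy) == "workstations"
        and f["dport"] in policy["lateral_ports"]
    ]


def fanout_alerts(flows, port=445, min_peers=5, window=60):
    """Sources that contact at least min_peers distinct hosts on port within window seconds."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == port:
            by_src[f["src"]].append(f)
    alerts = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        best = 0
        for i, first in enumerate(fl):
            # distinct destinations reached in the window that starts at this flow
            peers = {g["dst"] for g in fl[i:] if g["ts"] - first["ts"] <= window}
            best = max(best, len(peers))
        if best >= min_peers:
            alerts.append((src, best))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, n in fanout_alerts(flows):
        print(f"ALERT fan-out: {src} opened SMB to {n} hosts within 60s")
    for f in policy_violations(flows):
        print(f"POLICY: {f['src']} -> {f['dst']}:{f['dport']} stays inside the workstation segment")
```

The file-server traffic from 10.1.1.20 is left alone because it crosses into the server zone on an allowed port; the nine SMB flows from 10.1.1.31 trip both checks, and the single RDP flow from 10.1.1.42 is caught by the policy check alone, which is why the two detections are worth running together: fan-out catches the worm, the policy check catches the quiet single hop. In a real deployment the policy would be enforced at the segment boundary and this logic would only confirm that enforcement is working.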

Document: PDF, 87 pages, English.