Expert research contributed by the following ICIT Fellows: Danyetta Magana (ICIT Fellow – President, Covenant Security Solutions) Igor Baikolov (ICIT Fellow – Chief Scientist, Securonix) Brian Contos (ICIT Fellow – Vice President & Chief Security Strategist, Securonix) John Menkhart (ICIT Fellow – Vice President, Federal, Securonix) George Kamis, (ICIT Fellow – CTO, Forcepoint Federal) Stacey Winn (ICIT Fellow - Senior Product Marketing Manager, Public Sector, Forcepoint) Thomas Boyden (ICIT Fellow – Managing Director, GRA Quantum) Kevin Chalker (ICIT Fellow – Founder & CEO, GRA Quantum) John Sabin (ICIT Fellow – Director of Network Security & Architecture, GRA Quantum) 1 Contents Introduction: .............................................................................................................................................................. 3 Origins of Ransomware: ........................................................................................................................................ 6 Overview of Ransomware: ................................................................................................................................... 8 Types of Ransomware: .......................................................................................................................................... 9 Locker Ransomware: ........................................................................................................................................ 9 Crypto Ransomware: ...................................................................................................................................... 10 Active Examples of Crypto ransomware: ............................................................................................... 12 Hybrid Ransomware: ...................................................................................................................................... 16 Delivery Channels: ................................................................................................................................................. 16 Traffic distribution system (TDS): ............................................................................................................ 16 Malvertisement: ................................................................................................................................................ 17 Phishing Emails: ................................................................................................................................................ 17 Downloaders: ..................................................................................................................................................... 17 Social Engineering: .......................................................................................................................................... 18 Self-Propagation: .............................................................................................................................................. 18 Ransomware as a Service (RaaS): .............................................................................................................. 18 Targets for Ransomware: ................................................................................................................................... 19 The Average User: ............................................................................................................................................ 20 Businesses: .......................................................................................................................................................... 20 Law Enforcement and Government Agencies: ..................................................................................... 21 Emergency Services: ....................................................................................................................................... 22 Healthcare Organizations: ............................................................................................................................ 22 Educational Institutions: ............................................................................................................................... 22 Religious Organizations: ................................................................................................................................ 22 Financial Institutions: ..................................................................................................................................... 23 Target Systems: ...................................................................................................................................................... 23 Personal computers: ....................................................................................................................................... 23 Mobile devices: .................................................................................................................................................. 24 Servers: ................................................................................................................................................................. 25 IoT Devices: ......................................................................................................................................................... 25 Critical Systems: ................................................................................................................................................ 26 The Economy of Ransomware: ........................................................................................................................ 26 2 Payment Mediums: .......................................................................................................................................... 28 How Profitable is Ransomware?: ............................................................................................................... 29 Mitigation: ................................................................................................................................................................. 29 Have a Dedicated Information Security Team: .................................................................................... 29 Training and Awareness: .............................................................................................................................. 30 Layered Defenses: ............................................................................................................................................ 30 Policies and Procedures: ............................................................................................................................... 31 When Compromises Occur: ............................................................................................................................... 31 Option1: Engage the Incident Response Team: ................................................................................... 32 Option 2: Try to Implement a Solution without an Information Security Team: ................... 32 Option 3: Attempt to Recover the Data: .................................................................................................. 33 Option 4: Do Nothing: ..................................................................................................................................... 33 Option 5: Pay the Ransom: ........................................................................................................................... 33 Option 6: A Hybrid Solution: ........................................................................................................................ 34 Conclusion: ............................................................................................................................................................... 34 Sources: ...................................................................................................................................................................... 35 Appendix A: Ransomware File Extension and Identifiable Notes ..................................................... 39 File extensions appended to files: ................................................................................................................. 39 Known ransom note files: ................................................................................................................................ 39 Appendix B: Locky Domains For February 2016 through March 2016: ......................................... 40 3 Introduction: 2016 is the year ransomware will wreak havoc on America’s critical infrastructure community. New attacks will become common while unattended vulnerabilities that were silently exploited in 2015 will enable invisible adversaries to capitalize upon positions that they have previously laid claim. “To Pay or Not to Pay”, will be the question fueling heated debate in boardrooms across the Nation and abroad. Ransomware is less about technological sophistication and more about exploitation of the human element. Simply, it is a digital spin on a centuries old criminal tactic. Early in the evolution of structured path systems, the most direct roadways that connected civilization were predominantly used by more privileged members of society and armies. Eventually those who could afford horses or carriages