Ransomware, RATs & other Big Trends in Cybersecurity
Nick Bilogorskiy (@belogor)
Stephen Harrison, EverSec Group
Agenda
o EverSec intro
o How Ransomware works
o Malvertising
o RATs: Remote Access Trojans
o Wrap-up and Q&A
Customers look to EverSec for…
o Security Design, Analysis, & Implementation Assistance
o Security Assessments
o Cyber Penetration Testing
o Remediation Services
o Integration Skills
o Managed Services
o Dark Net Recon
o Customized Hacking/Incident Response Training
CYBERCRIME NOW: a $1+ trillion industry
CYBER WARFARE: 100+ nations
WHAT’S CHANGED?
✚ Over 95% of breaches occur behind perimeter firewalls.
✚ 71% of security breaches involve user devices.
✚ 51% of breaches involve corporate servers.
EverSec’s Charter – 100% Network, Data, & EP Security…
o Advanced Breach Detection {ABD}
o End Point Detection & Response {EDR}
o Advanced Data Loss Prevention {ADLP}
o Mobile & BYOD Security
o Threat Intelligence Operationalization
o Incident Response Orchestration
o Cloud Infrastructure Security
Vetting The Security Landscape, so our Clients Don’t Have To…
“EverSec Group has pulled away from the pack of me-too security solution providers … willing to wager on security startups that are turning network
security and endpoint security into outdated concepts.”- CRN.com, February 26, 2015
Trusted Security Advisor
Gartner Group Has Found That…
40% of enterprises will have formal plans to address cyber security business disruption by 2018
60% of enterprise information security budgets will be allocated to rapid detection and response approaches (up from less than 10% in 2014) by 2020
What is Ransomware
Ransomware is any malware that demands the user pay a ransom.
There are two types of ransomware: lockers and crypters.
Lockers (example: Kovter)
Crypters
TOR Primer
• easy to use,
• fast,
• publicly available,
• decentralized, and
• provides anonymity, which serves to encourage extortion.
Bitcoin Primer
How often do you backup?
Computer Backup Frequency 2008-2015 (BackBlaze data)

Frequency  2008  2009  2010  2011  2012  2013  2014  2015
Daily        6%    6%    8%    6%   10%   10%    9%    8%
Other       56%   57%   58%   60%   10%   59%   63%   67%
Never       38%   37%   34%   34%   31%   29%   28%   25%
The Ransomware Business Model
o 90% of people do not backup daily
o Data theft in place
o Anonymity (TOR, Bitcoin)
o Operating with impunity in Eastern Europe
o Extortion
o Focus on ease of use to drive conversion
o Currently 50% pay the ransom; it was 41% 2 years ago
Diagram: locked files on the victim → Bitcoin ransom sent to the C&C server → private key sent back → files unlocked
Known Victims… So far
HOSPITALS: Hollywood Presbyterian Medical Center, Kentucky Methodist Hospital, Alvarado Hospital Medical Center and King's Daughters' Health, Chino Valley Medical Center and Desert Valley Hospital, Baltimore’s Union Memorial Hospital, and many others
POLICE: Tewksbury Police Department; Swansea Police Department; the Chicago suburb of Midlothian; Dickson County, Tennessee; Durham, N.H.; Plainfield, N.J.; Collinsville, Alabama. Hackers in Detroit demanded $800,000 in bitcoin after they had encrypted the city's database.
SCHOOLS: A South Carolina school district paid $10,000. A New Jersey school district was hit, holding up the computerized PARCC exams. Follett Learning's Destiny library management software, which is used in US schools, is vulnerable to SamSam ransomware.
GOVERNMENT: 321 incident reports of "ransomware-related activity" affecting 29 different federal networks since June 2015, according to the Department of Homeland Security.
Apr 30, 2016: “In the past 48 hours, the House Information Security Office has seen an increase of attacks on the House Network […] focused on putting ‘ransomware’ on users’ computers. […] As part of that effort, we will be blocking access to YahooMail on the House Network until further notice.”
Stats (Recorded Future): 500% growth last year
Ransomware: The Price You Pay
2014 - $24 M. | 2015 - $24 M. | 2016 - $209 M in Q1
Ransomware: Additional Costs
o network mitigation
o network countermeasures
o loss of productivity
o legal fees
o IT services
o purchase of credit monitoring services for employees or customers
o potential harm to an organization’s reputation
2016 Ransomware tricks
1. Targeting businesses (e.g. hospitals) rather than individuals.
2. Deleting files at regular intervals to increase the urgency to pay the ransom faster – Jigsaw
3. Encrypting entire drives – Petya
4. Encrypting web server data – RansomWeb, Kimcilware
5. Encrypting data on network drives, even on those that are not mapped – DMA Locker, Locky, Cerber and CryptoFortress
6. Deleting files at regular intervals to increase the urgency to pay the ransom faster – Jigsaw
7. Deleting or overwriting cloud backups
8. Encrypting each file with its own unique key – Rokku
9. Targeting non-Windows platforms – SimpleLocker, DogSpectus, KeRanger
10. Using the computer speaker to speak audio messages to the victim – Cerber
11. Ransomware as a service – Tox
12. Using counter-detection malware armoring, anti-VM and anti-analysis functions – CryptXXX
How do Users get Ransomware? (chart: Osterman Research)
Tips to Avoid Ransomware Infection
o Install the latest patches for your software, especially Adobe, Microsoft and Oracle apps
o Use network protection
o Use a comprehensive endpoint security solution with behavioral detection
o Turn Windows User Account Control on
o Block macros
o Be skeptical: don’t click on anything suspicious
o Block popups and use an ad-blocker
o Override your browser’s user-agent*
o Consider Microsoft Office viewers
o Disable Windows Script Host
Tips to Avoid Losing Data to Ransomware
o Identify the ransomware and look for a decryptor: https://id-ransomware.malwarehunterteam.com/
o Shadow Copies
o Turn off the computer at the first signs of infection
o Remember: the only effective ransomware defense is backup
o List of free decryptors: http://bit.ly/decryptors
What is Malvertising
Malvertising is the use of online advertising to spread malware.
Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages.
Source: Anti-Malvertising.com
How Malvertising works
1. Attacker: creates and injects malware ads into an advertising network
2. Advertising network: selects an ad based on auction, sends it to the website
3. Website: serves a banner ad, sometimes malicious
4. User: visits a popular website, gets infected via exploit kit
Rise of Malvertising (chart: malvertising domains per year, 2014–2016, y-axis 0 to 2500)
Techniques to avoid detection
o Enable malicious payload after a delay
o Only serve exploits to every 10th user
o Verify user agents and IP addresses before serving
o HTTPS redirectors
Who is to blame for Malvertising?
Popular websites, ad exchanges, ad networks, users, browsers
Malvertising
o Advertising networks get millions of submissions, and it is difficult to filter out every single malicious one.
o Attackers will use a variety of techniques to hide from detection by analysts and scanners
o Advertising networks should use continuous monitoring – automated systems for repeated checking for malware ads, need to scan early and scan often, picking up changes in the advertising chains.
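As an added example that is not from the slides, the Python sketch below shows the continuous monitoring the last bullet calls for, tuned to the evasion techniques listed above (chains that change only for every Nth request, chains that differ by user agent, new hosts appearing behind an HTTPS redirector). All hostnames and scan records are constructed placeholders.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed scan records: each scan loads one ad slot with a given
# user agent and records the redirect chain the browser followed.
SCANS = [
    {"scan": i, "ua": "Chrome", "chain": [
        "https://ads.example-network.test/serve?slot=42",
        "https://cdn.example-creative.test/banner.js",
        "https://landing.example-advertiser.test/offer"]}
    for i in range(1, 21)
]
# Every 10th real-browser request is routed through an HTTPS redirector
# to a host never seen in the baseline chain (constructed scenario).
for s in SCANS:
    if s["scan"] % 10 == 0:
        s["chain"].insert(2, "https://r.example-redirector.test/go?u=next")
        s["chain"].insert(3, "https://unexpected.example-host.test/gate")
# Scans from a known analyst/scanner user agent always get the clean chain.
SCANS += [{"scan": 100 + i, "ua": "Scanner", "chain": list(SCANS[0]["chain"])}
          for i in range(1, 6)]


def host_chain(chain):
    """Reduce a redirect chain to the ordered tuple of hostnames."""
    return tuple(urlparse(u).hostname for u in chain)


def baseline_chain(scans):
    """The most frequently observed host chain is treated as the baseline."""
    return Counter(host_chain(s["chain"]) for s in scans).most_common(1)[0][0]


def find_deviations(scans):
    """Scans whose chain differs from the baseline, with the hosts that are new."""
    base = baseline_chain(scans)
    known = set(base)
    out = []
    for s in scans:
        hc = host_chain(s["chain"])
        if hc != base:
            out.append({"scan": s["scan"], "ua": s["ua"],
                        "new_hosts": [h for h in hc if h not in known]})
    return out


def deviation_rate_by_ua(scans):
    """Fraction of scans per user agent that deviated from the baseline.
    A gap between real-browser and scanner UAs means the bad chain is served
    selectively, i.e. the scanner alone would never see it."""
    bad_ids = {d["scan"] for d in find_deviations(scans)}
    totals, bad = Counter(), Counter()
    for s in scans:
        totals[s["ua"]] += 1
        bad[s["ua"]] += s["scan"] in bad_ids
    return {ua: bad[ua] / totals[ua] for ua in totals}
```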
RATs: Remote Access Trojans
Dridex malware
o First seen: Nov 2014, new versions throughout 2015
o Target: North American and European banks
o Distribution: spam mails with Word documents
o Some versions use P2P over HTTP for carrying out botnet communication
o Uses web injects to carry out man-in-the-browser attacks
o Uses VNC
o It is both a RAT tool and a banking Trojan
Need complete & correlated visibility across: Endpoints, Web, Network, Behavior, Email, Deception
Summary
1. Ransomware evolved into a major threat allowing criminals to easily monetize malware infections via Bitcoin.
2. Every platform is vulnerable to ransomware.
3. Backup your files! Since decrypting encrypted files is not always possible, frequent backups become even more critical. And keep your backup offline.
4. Malvertising is on pace to have a record year.
5. Must use defense-in-depth techniques powered by machine learning to defeat malware at every stage of the kill chain.
Thank You!