
Page 1: Confronting the Ransomware Crisis 4-20-16 - TTAsia (ttasia.com/wp-content/uploads/2016/02/Confronting-the...) · 2017. 3. 1. · ©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.

©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. ©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.

Confronting the Ransomware Crisis: Best Practices for Securing Your Business

Dan Maier, VP of Marketing, CYREN

Page 2

CYREN Powers the World’s Security

• 500K+ Threat collection points
• 600M+ Users protected
• 17B+ Daily transactions
• 130M+ Threats blocked

Page 3

CYREN ENTERPRISE SOLUTIONS

WEB SECURITY: CYREN WebSecurity provides web policy enforcement and cyber-threat protection for your business with SaaS simplicity, including zero-day malware protection delivered via our cloud sandbox array technology.

EMAIL SECURITY: CYREN EmailSecurity provides worry-free email security with SaaS simplicity, blocking threats and protecting your users’ inboxes with industry-leading protection against malware, phishing and spam.

Page 4

Agenda

• What is “ransomware”?
• Potential impact on your business
• Best practices for defending your organization

Page 5

What is “ransomware”?

• Malicious software (malware)
• Designed to block access to a computer system
• Until a sum of money is paid

Page 6

How does ransomware work?

1. Malware Delivery: You receive a spam message containing malware or a malicious URL.
2. Ransomware Download: The malware downloads some version of ransomware.
3. Encryption: The ransomware encrypts your files.
4. Ransom Notice: You’re given a ransom notice with a deadline.
5. Payment: You are required to pay with Bitcoins via TOR.
6. Decryption: Attacker provides decryption key upon receipt of payment.

Page 7

Common ransomware found in the wild

• Reveton – Aug 2012
• Dirty Decrypt – Jul 2013
• CryptoLocker 1.0 – Sep 2013
• CryptoLocker 2.0 – Dec 2013
• CryptoWall – Jan 2014
• TorrentLocker – Jan 2014
• Koler – May 2014
• CTB-Locker – Jul 2014
• Citroni – Jul 2014
• TeslaCrypt – Feb 2015
• CryptoWall 2.0 – Mar 2015
• CryptoWall 3.0 – Nov 2015
• CryptoWall 4.0 – Nov 2015
• Linux Encoder 1.0 – Dec 2015
• Linux Encoder 2.0, 3.0 – Jan 2016
• Locky – Feb 2016

Page 8

CryptoLocker – ransomware done well

• Email attachment is the main method of infection
• Targets all versions of Windows
• Searches for files with certain extensions: doc, docx, wps, xls, xlsx, ppt, pptx, mdb, pst, rtf, pdf, eps, jpg, dng, psd, raw, cer, crt, pfx, …
• Encrypts files with a 2048-bit RSA key pair
• Paying the ransom results in decryption of the files
• No way to decrypt the files without the private key

Page 9

Locky ransomware – massively deployed

• Malware delivery:
  • Massive spam blasts
  • 1.5M emails in 24 hours
• Infection vector:
  • Malicious document attachments
  • JavaScript
  • Every malware attachment unique

[Chart: messages/sec received by one of CYREN’s honeypots. Emails with Locky malware attachments (blue and red graphs) are a high percentage of unwanted email received.]

Page 10

Two paths to Locky ransomware

Page 11

Sample Locky malicious spam email

Source: Bleeping Computer

Page 12

Fake invoice email installs Locky ransomware

Page 13

Agenda

• What is “ransomware”?
• Potential impact on your business
• Best practices for defending your organization

Page 14

Ransomware on the rise

“…paid a $17,000 ransom in bitcoin to a hacker who seized control of the hospital’s computer systems…”

“An estimated US $325 million in damages”

“Horry County Schools paid nearly $10,000 to hackers who attacked the district’s network”

Page 15

Ransomware Case Study: Financial Services

CryptoLocker Attack #1

Attack emails sent containing CryptoLocker: 1,352
Emails evaded security / received by employees: 114
Emails opened / malware downloaded: 9

Recovery Effort
• 9 employees had their accounts locked, and machines re-imaged
• 6769 on-network fileshares had to be restored from backup
• 11 IT staff – 121 hours effort (infrastructure management)
• 9 Computer Emergency Response Team (CERT) resources – 108 hours effort
• 4 executive briefings over 5 days – 45 hours of management overhead

Page 16

Agenda

• What is “ransomware”?
• Potential impact on your business
• Best practices for defending your organization

Page 17

Ransomware is like any other malware…

Infection via spam, phishing, drive-by download… → Exploit (compromises your PC) → Dropper/Downloader (downloads malware, connects to C&C server) → Installs malware:
• Crimeware
• Worm
• Bot (Zeus, etc.)
• Ransomware

Page 18

What are the most common infection vectors?

CRYPTOWALL 3.0 – INFECTION VECTORS
• Phishing (Email): 67%
• Exploit Kits (Web): 31%
• Other: 2%

Source: Cyber Threat Alliance

Page 19

Kill chain analysis of a malware attack

1. Reconnaissance: Harvesting email addresses, conference information, etc.
2. Weaponization: Coupling exploit with backdoor into deliverable payload
3. Delivery: Delivering weaponized bundle to the victim via email, web, USB…
4. Exploitation: Exploiting a vulnerability to execute code on victim’s system
5. Installation: Installing malware on the asset
6. Command & Control (C2): Command channel for remote manipulation of victim’s system
7. Action on Objectives: Lateral movement, data exfiltration, disruption, etc.

Defensive controls placed against the chain on the slide:
• Email security (anti-spam, anti-virus)
• Web security (URL filtering, anti-virus, sandboxing)
• Endpoint protection
• Patches and updates
• Web security (listed again against the later stages of the chain)

Page 20

How to avoid being a ransomware victim

IMPROVE YOUR PREVENTION
• Email security gateway
  • 91% of attacks start in email
  • Stop spam, viruses before they reach your users
• Web security gateway
  • Stop malware downloads, malicious URLs
  • Stop C&C communications, data exfiltration
• Network sandboxing
  • Identify and stop never-before-seen malware
• Endpoint security with active monitoring
  • Make sure it’s up to date
• Security training
  • Social engineering, don’t click that link…

IMPROVE YOUR DETECTION/RESPONSE
• Backup and recovery
  • Implement it
  • Test it
• Network shares
  • Avoid mapping network drives with large file repositories (or no write permissions)
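One way to turn the "endpoint security with active monitoring" and "network shares" advice above into a concrete detection is to watch for a single process modifying many document files on a share in a short window, which is what an encrypting ransomware looks like in file-activity telemetry. The Python script below is an added example, not code from the CYREN deck or from any CYREN product. The key=value log format, the host name, the `svc_update.exe` process name and the whole sample log are constructed for this example, and the 60-second window and 20-file threshold are assumptions to be tuned per environment. It generalises the deck's CryptoLocker extension list into a sliding-window count of distinct target files touched per process.

```python
"""Flag ransomware-like bulk modification of document files in file-activity logs.

Added example, not from the CYREN deck: a single process that modifies many
files with the extensions CryptoLocker targets within a short window is
reported. The log format, host and process names below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Extensions the deck lists as CryptoLocker targets.
TARGET_EXTENSIONS = {
    "doc", "docx", "wps", "xls", "xlsx", "ppt", "pptx", "mdb", "pst", "rtf",
    "pdf", "eps", "jpg", "dng", "psd", "raw", "cer", "crt", "pfx",
}

# Constructed key=value log format; a real endpoint agent or file-server
# audit log needs its own parser, but the detection logic is the same.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=(?P<op>WRITE|RENAME|DELETE|READ) path=(?P<path>.+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def extension(path):
    """Lower-case extension of a Windows or POSIX path, '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_modification(lines, window_seconds=60, threshold=20):
    """One alert per (host, pid, proc) that modified at least `threshold`
    distinct target-extension files inside any `window_seconds` span."""
    events = defaultdict(list)  # (host, pid, proc) -> [(timestamp, path)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["op"] == "READ":
            continue
        if extension(rec["path"]) not in TARGET_EXTENSIONS:
            continue
        events[(rec["host"], rec["pid"], rec["proc"])].append((rec["ts"], rec["path"]))

    alerts = []
    for (host, pid, proc), evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # path -> occurrences inside the window
        start = 0
        for ts, path in evs:
            in_window[path] += 1
            # Slide the window start forward past events older than window_seconds.
            while (ts - evs[start][0]).total_seconds() > window_seconds:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts.append({"host": host, "pid": pid, "proc": proc,
                               "files": len(in_window), "at": ts.isoformat()})
                break  # one alert per process is enough for triage
    return alerts


def sample_log():
    """Constructed log: a benign Word save, then one process renaming 25
    documents on a mapped share within ten seconds."""
    lines = [
        "2016-04-20T10:15:01 host=PC01 pid=2210 proc=WINWORD.EXE op=WRITE "
        "path=\\\\files\\shared\\report.docx",
        "2016-04-20T10:15:09 host=PC01 pid=2210 proc=WINWORD.EXE op=WRITE "
        "path=\\\\files\\shared\\report.docx",
    ]
    exts = ["docx", "xlsx", "pdf", "pptx", "jpg"]
    for i in range(25):
        second = i * 10 // 25
        lines.append(
            "2016-04-20T10:20:%02d host=PC01 pid=4120 proc=svc_update.exe "
            "op=RENAME path=\\\\files\\shared\\finance\\q1_%02d.%s"
            % (second, i, exts[i % len(exts)])
        )
    return lines


if __name__ == "__main__":
    for alert in detect_mass_modification(sample_log()):
        print(alert)
```

The alert fires on the constructed `svc_update.exe` process and not on the Word save, because the heuristic counts distinct files rather than raw write events; repeated saves of one document never reach the threshold. Tune the window and threshold against a baseline of your own file-server activity before alerting on it, since legitimate bulk jobs (archiving, migrations) produce the same shape and need to be allow-listed.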

Page 21

What to do if you get infected with ransomware?

Once your files are encrypted, there’s not much you can do.

1. Pay up (get your data back)
  • 2048-bit encryption is virtually un-crackable
  • If you need to get your data back, you may need to pay
2. Re-image your computer (lose your data)
  • If your data is backed up, then you may be able to simply re-image your computer and restore the backed-up files
  • Check to ensure that your backup files didn’t get encrypted by the attack
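The two points on these slides that are under your control before an incident are "test it" (backup and recovery, page 20) and "check to ensure that your backup files didn't get encrypted" (above). The Python script below is an added example, not from the deck or from CYREN, of what such a restore test can look like: it re-hashes restored files against a manifest recorded at backup time and, for files whose hash no longer matches, checks whether the content still carries the header bytes of its claimed type (or, for types without a known header, whether it is near-random, as encrypted data is). The manifest format, the magic-byte table, the 7.5 bits/byte entropy limit and the sample files are this example's own assumptions and constructions.

```python
"""Verify restored backup files are intact and not ransomware-encrypted.

Added example, not from the CYREN deck: re-hash each restored file against a
manifest recorded at backup time; for files whose hash no longer matches,
decide whether the change looks like encryption (lost magic bytes, or
near-random content for types without a known header). The manifest format,
magic-byte table, entropy limit and sample files are this example's own.
"""
import hashlib
import math
import os
import tempfile
import zipfile
from collections import Counter

# Header bytes of formats the deck lists as ransomware targets.
MAGIC = {
    "pdf": b"%PDF-",
    "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "pptx": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0", "xls": b"\xd0\xcf\x11\xe0", "ppt": b"\xd0\xcf\x11\xe0",
    "jpg": b"\xff\xd8\xff",
    "rtf": b"{\\rtf",
}
ENTROPY_LIMIT = 7.5  # bits per byte; encrypted or random data sits close to 8.0


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path):
    """True when the header no longer matches the extension's magic bytes,
    or, for an extension without a known header, when the content is
    near-random."""
    base = os.path.basename(path)
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    with open(path, "rb") as f:
        head = f.read(4096)
    if ext in MAGIC:
        return not head.startswith(MAGIC[ext])
    return shannon_entropy(head) > ENTROPY_LIMIT


def verify_backup(backup_dir, manifest):
    """manifest maps relative path -> sha256 hex recorded at backup time.
    Returns relative path -> one of ok / missing / modified / encrypted_suspect."""
    report = {}
    for rel, expected in manifest.items():
        path = os.path.join(backup_dir, rel)
        if not os.path.isfile(path):
            report[rel] = "missing"
        elif sha256_file(path) != expected:
            report[rel] = "encrypted_suspect" if looks_encrypted(path) else "modified"
        else:
            report[rel] = "ok"
    return report


def build_sample(root):
    """Construct a tiny backup set, record its manifest, then damage it the
    way a test restore might reveal: one file overwritten with random-looking
    bytes (encryption stand-in), one benignly edited, one never restored."""
    with open(os.path.join(root, "contract.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n% constructed sample\n" + b"lorem ipsum " * 50)
    with zipfile.ZipFile(os.path.join(root, "ledger.xlsx"), "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"plain text meeting notes\n" * 20)
    manifest = {name: sha256_file(os.path.join(root, name))
                for name in ("contract.pdf", "ledger.xlsx", "notes.txt")}
    manifest["budget.doc"] = "0" * 64  # placeholder hash for a file that was never restored
    # Deterministic high-entropy bytes stand in for ciphertext.
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    with open(os.path.join(root, "ledger.xlsx"), "wb") as f:
        f.write(noise)
    with open(os.path.join(root, "notes.txt"), "ab") as f:
        f.write(b"one more line\n")
    return manifest


def demo():
    """Run the check against the constructed sample in a fresh temp dir."""
    root = tempfile.mkdtemp(prefix="backup_check_")
    return verify_backup(root, build_sample(root))


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:17} {name}")
```

The hash comparison is the real test; the header and entropy checks only explain a mismatch. The manifest therefore has to live somewhere the ransomware cannot reach (offline or on a write-once store), otherwise an attacker who can encrypt the backup can also rewrite the hashes it is checked against.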

Page 22

How can CYREN help stop ransomware?

WEB SECURITY
• Block malicious/compromised web sites
• Block phishing and botnet sites
• Block malicious file downloads
• Inline anti-virus scanning
• SSL inspection
• Sandboxing/zero-day threat protection

EMAIL SECURITY
• Anti-spam
• Anti-malware
• Anti-phishing
• Virus outbreak detection


Page 24

Questions

To Learn More or Request a Demo: http://www entry-eds.s .com

or

Contact Us:
Naresh Choithramani, TTAsia
hnares @ttasia.com
(852) 2526-5111