confronting the ransomware crisis 4-20-16 -...
TRANSCRIPT
©2014. CYREN Ltd. All Rights Reserved. ©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.
Confronting the Ransomware Crisis: Best Practices for Securing Your Business
Dan Maier, VP of Marketing, CYREN
CYREN Powers the World’s Security
• 500K+ threat collection points
• 600M+ users protected
• 17B+ daily transactions
• 130M+ threats blocked
CYREN ENTERPRISE SOLUTIONS
WEB SECURITY: CYREN WebSecurity provides web policy enforcement and cyber-threat protection for your business with SaaS simplicity, including zero-day malware protection delivered via our cloud sandbox array technology.
EMAIL SECURITY: CYREN EmailSecurity provides worry-free email security with SaaS simplicity, blocking threats and protecting your users’ inboxes with industry-leading protection against malware, phishing and spam.
Agenda
• What is “ransomware”?
• Potential impact on your business
• Best practices for defending your organization
What is “ransomware”?
• Malicious software (malware)
• Designed to block access to a computer system
• Until a sum of money is paid
How does ransomware work?
1. Malware delivery: you receive a spam message containing malware or a malicious URL
2. Ransomware download: the malware downloads some version of ransomware
3. Encryption: the ransomware encrypts your files
4. Ransom notice: you’re given a ransom notice with a deadline
5. Payment: you are required to pay with Bitcoins via TOR
6. Decryption: the attacker provides the decryption key upon receipt of payment
Common ransomware found in the wild
• Reveton – Aug 2012
• Dirty Decrypt – Jul 2013
• CryptoLocker 1.0 – Sep 2013
• CryptoLocker 2.0 – Dec 2013
• CryptoWall – Jan 2014
• TorrentLocker – Jan 2014
• Koler – May 2014
• CTB-Locker – Jul 2014
• Citroni – Jul 2014
• TeslaCrypt – Feb 2015
• CryptoWall 2.0 – Mar 2015
• CryptoWall 3.0 – Nov 2015
• CryptoWall 4.0 – Nov 2015
• Linux Encoder 1.0 – Dec 2015
• Linux Encoder 2.0, 3.0 – Jan 2016
• Locky – Feb 2016
CryptoLocker – ransomware done well
• Email attachment is the main method of infection
• Targets all versions of Windows
• Searches for files with certain extensions: doc, docx, wps, xls, xlsx, ppt, pptx, mdb, pst, rtf, pdf, eps, jpg, dng, psd, raw, cer, crt, pfx, …
• Encrypts files with a 2048-bit RSA key pair
• Paying the ransom results in decryption of the files
• No way to decrypt the files without the private key
Locky ransomware – massively deployed
• Malware delivery: massive spam blasts; 1.5M emails in 24 hours
• Infection vector: malicious document attachments; JavaScript; every malware attachment unique
[Chart: messages/sec received by one of CYREN’s honeypots. Emails with Locky malware attachments (blue and red series) are a high percentage of unwanted email received.]
Two paths to Locky ransomware
Sample Locky malicious spam email
Source: Bleeping Computer
Fake invoice email installs Locky ransomware
Agenda
• What is “ransomware”?
• Potential impact on your business
• Best practices for defending your organization
Ransomware on the rise
“…paid a $17,000 ransom in bitcoin to a hacker who seized control of the hospital's computer systems…”
“An estimated US $325 million in damages…”
“Horry County Schools paid nearly $10,000 to hackers who attacked the district’s network”
Ransomware Case Study: Financial Services
CryptoLocker Attack #1
• Attack emails sent containing CryptoLocker: 1,352
• Emails that evaded security / were received by employees: 114
• Emails opened / malware downloaded: 9
Recovery effort
• 9 employees had their accounts locked, and machines re-imaged
• 6,769 on-network fileshares had to be restored from backup
• 11 IT staff – 121 hours effort (infrastructure management)
• 9 Computer Emergency Response Team (CERT) resources – 108 hours effort
• 4 executive briefings over 5 days – 45 hours of management overhead
Agenda
• What is “ransomware”?
• Potential impact on your business
• Best practices for defending your organization
Ransomware is like any other malware…
Infection via spam, phishing, drive-by download…
→ Exploit: compromises your PC
→ Dropper/Downloader: downloads malware
→ Installs malware: crimeware, worm, bot (Zeus, etc.), ransomware
→ Connects to C&C server
What are the most common infection vectors?
CRYPTOWALL 3.0 – INFECTION VECTORS
• Phishing (email): 67%
• Exploit kits (web): 31%
• Other: 2%
Source: Cyber Threat Alliance
Kill chain analysis of a malware attack
1. Reconnaissance: harvesting email addresses, conference information, etc.
2. Weaponization: coupling exploit with backdoor into deliverable payload
3. Delivery: delivering weaponized bundle to the victim via email, web, USB…
4. Exploitation: exploiting a vulnerability to execute code on victim’s system
5. Installation: installing malware on the asset
6. Command & Control (C2): command channel for remote manipulation of victim’s system
7. Action on Objectives: lateral movement, data exfiltration, disruption, etc.
Controls (as listed on the slide):
• Email security (anti-spam, anti-virus); web security (URL filtering, anti-virus, sandboxing)
• Endpoint protection; patches and updates
• Web security
• Web security
How to avoid being a ransomware victim
IMPROVE YOUR PREVENTION
• Email security gateway: 91% of attacks start in email; stop spam and viruses before they reach your users
• Web security gateway: stop malware downloads and malicious URLs; stop C&C communications and data exfiltration
• Network sandboxing: identify and stop never-before-seen malware
• Endpoint security with active monitoring: make sure it’s up to date
• Security training: social engineering, don’t click that link…
IMPROVE YOUR DETECTION/RESPONSE
• Backup and recovery: implement it, test it
• Network shares: avoid mapping network drives with large file repositories (or map them without write permissions)
What to do if you get infected with ransomware?
Once your files are encrypted, there’s not much you can do.
1. Pay up (get your data back)
• 2048-bit encryption is virtually un-crackable
• If you need to get your data back, you may need to pay
2. Re-image your computer (lose your data)
• If your data is backed up, then you may be able to simply re-image your computer and restore the backed-up files
• Check to ensure that your backup files didn’t get encrypted by the attack
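One way to put the “check that your backup files didn’t get encrypted” advice into practice, as an added example that is not part of the CYREN deck: a small Python integrity check that records SHA-256 digests of a backup set while it is known-good and later flags files that are missing, changed, or changed and now random-looking (high byte entropy, which is what in-place encryption produces). The file names, the 7.5-bit threshold and the tampering in demo() are constructed for illustration.

```python
import hashlib, math, os, shutil, tempfile
from collections import Counter

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def shannon_entropy(data):
    # Bits of entropy per byte (0.0..8.0); ciphertext sits close to 8.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):
    # Digest every file under the backup root, keyed by relative path.
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = sha256_file(path)
    return manifest

def verify_backup(root, manifest, entropy_threshold=7.5):
    # Flag manifest files that are missing, changed, or changed and now random-looking.
    report = {"missing": [], "modified": [], "high_entropy": []}
    for rel, digest in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif sha256_file(path) != digest:
            report["modified"].append(rel)
            with open(path, "rb") as f:
                if shannon_entropy(f.read(65536)) > entropy_threshold:
                    report["high_entropy"].append(rel)
    return report

def demo():
    # Constructed scenario: snapshot a clean two-file backup, then overwrite
    # one file with random bytes (stand-in for ciphertext) and delete another.
    root = tempfile.mkdtemp()
    try:
        with open(os.path.join(root, "report.docx"), "wb") as f:
            f.write(b"Q1 figures: revenue up 4%\n" * 100)
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"meeting notes\n")
        manifest = build_manifest(root)
        with open(os.path.join(root, "report.docx"), "wb") as f:
            f.write(os.urandom(4096))
        os.remove(os.path.join(root, "notes.txt"))
        return verify_backup(root, manifest)
    finally:
        shutil.rmtree(root)
```

Store the manifest somewhere the backup host cannot write to (an offline copy or a read-only share), otherwise an attacker who can encrypt the backup can also rewrite the digests.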
How can CYREN help stop ransomware?
WEB SECURITY
• Block malicious/compromised web sites
• Block phishing and botnet sites
• Block malicious file downloads
• Inline anti-virus scanning
• SSL inspection
• Sandboxing/zero-day threat protection
EMAIL SECURITY
• Anti-spam
• Anti-malware
• Anti-phishing
• Virus outbreak detection
Questions
To Learn More or Request a Demo: http://www entry-eds.s .com
or Contact Us:
Naresh Choithramani, TTAsia
hnares@ttasia.com
(852) 2526-5111