EverSec + Cyphort: Big Trends in Cybersecurity

Ransomware, RATs & other Big Trends in Cybersecurity. Nick Bilogorskiy (@belogor) and Stephen Harrison (EverSec Group)

Upload: cyphort

Post on 11-Apr-2017


TRANSCRIPT

Page 1: EverSec + Cyphort: Big Trends in Cybersecurity

Ransomware, RATs & other Big Trends in Cybersecurity

Nick Bilogorskiy (@belogor)

Stephen Harrison, EverSec Group

Page 2: Agenda

o EverSec intro
o How ransomware works
o Malvertising
o RATs: Remote Access Trojans
o Wrap-up and Q&A

Page 3: Customers look to EverSec for…

o Security Design, Analysis, & Implementation Assistance
o Security Assessments
o Cyber Penetration Testing
o Remediation Services
o Integration Skills
o Managed Services
o Dark Net Recon
o Customized Hacking/Incident Response Training

Page 4: What's Changed?

Cybercrime is now a $1+ trillion industry.

Cyber warfare: 100+ nations.

✚ Over 95% of breaches occur behind perimeter firewalls.
✚ 71% of security breaches involve user devices.
✚ 51% of breaches involve corporate servers.

Page 5: EverSec's Charter: 100% Network, Data, & Endpoint Security…

o Advanced Breach Detection {ABD}
o Endpoint Detection & Response {EDR}
o Advanced Data Loss Prevention {ADLP}
o Mobile & BYOD Security
o Threat Intelligence Operationalization
o Incident Response Orchestration
o Cloud Infrastructure Security

Page 6: Vetting The Security Landscape, so our Clients Don't Have To…

"EverSec Group has pulled away from the pack of me-too security solution providers … willing to wager on security startups that are turning network security and endpoint security into outdated concepts." - CRN.com, February 26, 2015

Page 7: Trusted Security Advisor

Page 8: Gartner Group Has Found That…

40% of enterprises will have formal plans to address cyber security business disruption by 2018.

60% of enterprise information security budgets will be allocated to rapid detection and response approaches by 2020 (up from less than 10% in 2014).

Page 10: What is Ransomware?

Ransomware is any malware that demands the user pay a ransom.

There are two types of ransomware: lockers, which block access to the screen or device, and crypters, which encrypt the victim's files.

Page 11: Lockers (example: Kovter)

Page 12: Crypters

Page 13: Tor Primer

Page 14: Bitcoin Primer

Bitcoin is:
• easy to use,
• fast,
• publicly available,
• decentralized, and
• provides anonymity (strictly, pseudonymity: every transaction is public, but addresses are not tied to a name), which serves to encourage extortion.

Page 15: How often do you back up?

Computer Backup Frequency 2008-2015 (Backblaze data)

Frequency   2008   2009   2010   2011   2012   2013   2014   2015
Daily         6%     6%     8%     6%    10%    10%     9%     8%
Other        56%    57%    58%    60%    59%*   59%    63%    67%
Never        38%    37%    34%    34%    31%    29%    28%    25%

* The transcript shows 10% for "Other" in 2012; with Daily at 10% and Never at 31% the column only sums to 100% at 59%.

Page 16: The Ransomware Business Model

o 90% of people do not back up daily
o Data "theft" in place: the data never leaves the machine, it is simply made inaccessible
o Anonymity (Tor, Bitcoin)
o Operating with impunity in Eastern Europe
o Extortion
o Focus on ease of use to drive conversion
o Currently 50% pay the ransom; it was 41% two years ago

Page 17: The Ransomware Business Model

(diagram) Locked files on the victim's machine -> Bitcoin ransom sent to the C&C server -> private key sent back from the C&C server -> files unlocked. The private key stays on the attacker's server until the ransom is paid.

Page 18: Known Victims… So far

HOSPITALS: Hollywood Presbyterian Medical Center, Kentucky Methodist Hospital, Alvarado Hospital Medical Center and King's Daughters' Health, Chino Valley Medical Center and Desert Valley Hospital, Baltimore's Union Memorial Hospital, and many others.

POLICE: Tewksbury Police Department, Swansea Police Department, the Chicago suburb of Midlothian, Dickson County (Tennessee), Durham (N.H.), Plainfield (N.J.), Collinsville (Alabama); hackers in Detroit demanded $800,000 in bitcoin after they had encrypted the city's database.

GOVERNMENT: 321 incident reports of "ransomware-related activity" affecting 29 different federal networks since June 2015, according to the Department of Homeland Security.

SCHOOLS: A South Carolina school district paid $10,000. A New Jersey school district was hit, holding up the computerized PARCC exams. Follett Learning's Destiny library management software, which is used in US schools, is vulnerable to SamSam ransomware.

Page 19: House Information Security Office, Apr 30, 2016

"In the past 48 hours, the House Information Security Office has seen an increase of attacks on the House Network […] focused on putting “ransomware” on users’ computers. […] As part of that effort, we will be blocking access to YahooMail on the House Network until further notice."

Page 20: Ransomware Stats

(chart, Recorded Future) 500% growth last year

Page 21: Ransomware: The Price You Pay

2014: $24 M | 2015: $24 M | 2016: $209 M in Q1 alone

Page 22: Ransomware: Additional Costs

o network mitigation
o network countermeasures
o loss of productivity
o legal fees
o IT services
o purchase of credit monitoring services for employees or customers
o potential harm to an organization's reputation

Page 23: 2016 Ransomware Tricks

1. Targeting businesses (e.g. hospitals) rather than individuals.
2. Deleting files at regular intervals to increase the urgency to pay the ransom faster (Jigsaw).
3. Encrypting entire drives rather than individual files (Petya overwrites the MBR and encrypts the master file table, which makes the whole drive unusable).
4. Encrypting web server data (RansomWeb, Kimcilware).

Page 24: 2016 Ransomware Tricks (continued)

5. Encrypting data on network drives, even those that are not mapped (DMA Locker, Locky, Cerber and CryptoFortress).
6. Deleting or overwriting cloud backups.
7. Encrypting each file with its own unique key (Rokku).

Page 25: 2016 Ransomware Tricks (continued)

8. Targeting non-Windows platforms (SimpleLocker and DogSpectus on Android, KeRanger on macOS).
9. Using the computer speaker to speak audio messages to the victim (Cerber).
10. Ransomware as a service (Tox).
11. Using counter-detection malware armoring, anti-VM and anti-analysis functions (CryptXXX).
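The key handling behind the Page 17 diagram, combined with the one-key-per-file trick credited to Rokku above, in working code. This is an added example, not code from the presenters or from any ransomware family: the hybrid scheme (a fresh AES-256-GCM key per file, wrapped with the operator's RSA-OAEP public key and only unwrapped by the C&C after payment), the function names and the two in-memory sample "files" are this example's own assumptions. It works on byte strings only and never touches the file system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LockedFile is what remains on the victim's disk: ciphertext plus the
// per-file key wrapped to the operator's public key. Nothing in it lets the
// victim, or an analyst with a disk image, recover the plaintext.
type LockedFile struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lockFile encrypts one file under a fresh random AES-256-GCM key (the
// "unique key per file" trick) and wraps that key with RSA-OAEP.
func lockFile(name string, plaintext []byte, operatorPub *rsa.PublicKey) (LockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return LockedFile{}, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return LockedFile{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return LockedFile{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name)) // file name bound as associated data
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, operatorPub, fileKey, nil)
	if err != nil {
		return LockedFile{}, err
	}
	// The plaintext key is not stored anywhere; only the wrapped copy survives.
	return LockedFile{Name: name, Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// ccUnwrap is the C&C side of the diagram: the private key exists only here,
// and a per-file key is released only once a payment has been recorded.
func ccUnwrap(priv *rsa.PrivateKey, paid bool, wrapped []byte) ([]byte, error) {
	if !paid {
		return nil, errors.New("no payment recorded, key withheld")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// unlockFile is the decryptor the victim receives together with a released key.
func unlockFile(lf LockedFile, fileKey []byte) ([]byte, error) {
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, []byte(lf.Name))
}

// runScenario walks the flow on two constructed sample files and reports which
// could be recovered: none before payment, and after paying for one file only
// that file, because its key fits no other file.
func runScenario() (map[string]bool, error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048) // generated and kept at the C&C
	if err != nil {
		return nil, err
	}
	samples := map[string][]byte{ // constructed sample "files"
		"budget.xlsx": []byte("Q1 forecast: do not share"),
		"notes.docx":  []byte("meeting notes"),
	}
	locked := map[string]LockedFile{}
	recovered := map[string]bool{}
	for name, data := range samples {
		if locked[name], err = lockFile(name, data, &operator.PublicKey); err != nil {
			return nil, err
		}
		_, werr := ccUnwrap(operator, false, locked[name].WrappedKey) // unpaid: key withheld
		recovered[name] = werr == nil
	}
	key, err := ccUnwrap(operator, true, locked["notes.docx"].WrappedKey) // pay for one file
	if err != nil {
		return nil, err
	}
	if pt, err := unlockFile(locked["notes.docx"], key); err == nil && string(pt) == "meeting notes" {
		recovered["notes.docx"] = true
	}
	if _, err := unlockFile(locked["budget.xlsx"], key); err == nil {
		recovered["budget.xlsx"] = true // never happens: GCM rejects the wrong key
	}
	return recovered, nil
}

func main() {
	res, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println(res) // map[budget.xlsx:false notes.docx:true]
}
```

The point for defenders is in runScenario: everything left on the machine is the wrapped key, which is useless without the RSA private key that never leaves the C&C, and a key bought (or recovered from memory) for one file does not open any other. That is why the deck's "the only effective defense is backup" holds even when a sample is fully reverse engineered.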

Page 26: How do Users get Ransomware?

(chart: infection vectors, Osterman Research)

Page 27: Tips to Avoid Ransomware Infection

o Install the latest patches for your software, especially Adobe, Microsoft and Oracle apps
o Use network protection
o Use a comprehensive endpoint security solution with behavioral detection
o Turn Windows User Account Control (UAC) on
o Block macros

Page 28: Tips to Avoid Ransomware Infection (continued)

o Be skeptical: don't click on anything suspicious
o Block popups and use an ad-blocker
o Override your browser's user-agent (exploit kits and malvertising chains select victims by user-agent)
o Consider Microsoft Office viewers
o Disable Windows Script Host

Page 29: Tips to Avoid Losing Data to Ransomware

o Identify the ransomware and look for a decryptor: https://id-ransomware.malwarehunterteam.com/
o Check Volume Shadow Copies (many families delete them before encrypting, so this is not guaranteed)
o Turn off the computer at the first signs of infection
o Remember: the only effective ransomware defense is backup
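Two of the tips above can be turned into detection logic: shadow copies only help if the malware has not already destroyed them, and "the first signs of infection" can be spotted by a sensor rather than a user. The following is an added example, not code from the presenters or from any product: it runs two checks over a constructed, Sysmon-style event timeline, one for the command lines ransomware uses to destroy local recovery points, one for a burst of renames to a single new extension by one process. The event fields, the command-line patterns, the 20-renames-in-10-seconds threshold and the paths are this example's assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Event is a constructed, Sysmon-like record: a process launch (Detail is the
// command line) or a file rename (Detail is the new path).
type Event struct {
	Time    time.Time
	Kind    string // "process" or "rename"
	Process string // image that performed the action
	Detail  string
}

// shadowKillers matches the command lines ransomware uses to destroy local
// recovery points: shadow copies, the backup catalog and Windows recovery.
var shadowKillers = []*regexp.Regexp{
	regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows`),
	regexp.MustCompile(`(?i)wmic(\.exe)?\s+shadowcopy\s+delete`),
	regexp.MustCompile(`(?i)bcdedit(\.exe)?.*recoveryenabled\s+no`),
	regexp.MustCompile(`(?i)wbadmin(\.exe)?\s+delete\s+catalog`),
}

// Thresholds are this example's assumptions; tune them to the environment.
const (
	renameWindow    = 10 * time.Second
	renameThreshold = 20 // renames to one new extension by one process inside the window
)

// extOf returns the lower-cased extension of a Windows or POSIX path.
func extOf(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		p = p[i+1:]
	}
	if j := strings.LastIndex(p, "."); j > 0 {
		return strings.ToLower(p[j:])
	}
	return ""
}

// Detect returns one alert per finding. Events must be in time order.
func Detect(events []Event) []string {
	var alerts []string
	bursts := map[string][]time.Time{} // process|ext -> rename times in the sliding window
	fired := map[string]bool{}
	for _, ev := range events {
		switch ev.Kind {
		case "process":
			for _, re := range shadowKillers {
				if re.MatchString(ev.Detail) {
					alerts = append(alerts, fmt.Sprintf("recovery-point destruction by %s: %s", ev.Process, ev.Detail))
					break
				}
			}
		case "rename":
			ext := extOf(ev.Detail)
			if ext == "" {
				continue
			}
			key := ev.Process + "|" + ext
			ts := append(bursts[key], ev.Time)
			for len(ts) > 0 && ev.Time.Sub(ts[0]) > renameWindow { // expire old entries
				ts = ts[1:]
			}
			bursts[key] = ts
			if len(ts) >= renameThreshold && !fired[key] {
				fired[key] = true
				alerts = append(alerts, fmt.Sprintf("mass rename to %s by %s: %d files within %s", ext, ev.Process, len(ts), renameWindow))
			}
		}
	}
	return alerts
}

// sampleEvents is a constructed timeline: a shadow listing and a small backup
// job (both benign), then a dropper that deletes shadows and renames 25
// documents to .locked within five seconds.
func sampleEvents() []Event {
	t0 := time.Date(2016, 5, 2, 9, 0, 0, 0, time.UTC)
	dropper := `C:\Users\u\AppData\Local\Temp\inv.exe`
	evs := []Event{{t0, "process", `C:\Windows\System32\cmd.exe`, `cmd.exe /c vssadmin list shadows`}}
	for i := 0; i < 5; i++ {
		evs = append(evs, Event{t0.Add(time.Duration(i) * time.Second), "rename", `C:\Tools\backup.exe`, fmt.Sprintf(`D:\bak\file%d.bak`, i)})
	}
	t1 := t0.Add(time.Minute)
	evs = append(evs, Event{t1, "process", dropper, `vssadmin.exe Delete Shadows /All /Quiet`})
	for i := 0; i < 25; i++ {
		evs = append(evs, Event{t1.Add(time.Duration(i) * 200 * time.Millisecond), "rename", dropper, fmt.Sprintf(`C:\Users\u\Documents\doc%d.docx.locked`, i)})
	}
	return evs
}

func main() {
	for _, a := range Detect(sampleEvents()) {
		fmt.Println(a)
	}
}
```

Listing shadows and a backup tool renaming a handful of files produce nothing; the dropper fires both alerts, and the shadow-deletion one arrives before the rename burst completes, which is the moment to isolate or power off the host.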

Page 30: Tips to Avoid Losing Data to Ransomware (continued)

o List of free decryptors: http://bit.ly/decryptors

Page 31: Malvertising

Page 32: What is Malvertising?

Malvertising is the use of online advertising to spread malware.

Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages.

Source: Anti-Malvertising.com

Page 33: How Malvertising Works

1. Attacker: creates and injects malware ads into an advertising network.
2. Advertising network: selects an ad based on auction and sends it to the website.
3. Website: serves a banner ad, sometimes a malicious one.
4. User: visits a popular website and gets infected via an exploit kit.

Page 34: Rise of Malvertising

(chart) Malvertising domains per year, 2014 to 2016; y-axis 0 to 2500.

Page 35: Techniques to Avoid Detection

o Enable the malicious payload only after a delay
o Only serve exploits to every 10th user
o Verify user agents and IP addresses before serving, so scanners and analysts get a clean ad
o HTTPS redirectors

Page 36: Who is to blame for Malvertising?

Popular websites, ad exchanges, ad networks, users, browsers

Page 37: Malvertising

o Advertising networks get millions of submissions, and it is difficult to filter out every single malicious one.
o Attackers use a variety of techniques to hide from detection by analysts and scanners.
o Advertising networks should use continuous monitoring: automated systems that repeatedly check for malware ads. Scan early and scan often, picking up changes in the advertising chains.
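Why a single review of a creative misses a malicious one, and what "scan early and scan often" buys, shown as an added example that is not code from the presenters or from any ad network. One side is a simulated redirector that implements the evasion tricks from Page 35 (dormant until a start time, exploit served only to every 10th eligible impression, and never to a client whose user-agent or IP looks like a scanner); the other is a monitor that probes the same creative repeatedly with a realistic browser profile and reports every redirect chain that differs from the baseline it recorded first. The hostnames, the scanner IP range (a documentation range) and the two client profiles are constructed sample data.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// AdRequest is what the redirector learns about one impression.
type AdRequest struct {
	UserAgent string
	ClientIP  net.IP
	Now       time.Time
}

// gatedAdServer models the attacker side: payload dormant until activateAt,
// exploit hop only on every Nth eligible impression, never to scanners.
type gatedAdServer struct {
	activateAt  time.Time
	everyNth    int
	scannerNets []*net.IPNet
	eligible    int
}

func (s *gatedAdServer) looksLikeScanner(r AdRequest) bool {
	ua := strings.ToLower(r.UserAgent)
	for _, tool := range []string{"headlesschrome", "phantomjs", "curl", "python-requests", "wget"} {
		if strings.Contains(ua, tool) {
			return true
		}
	}
	for _, n := range s.scannerNets {
		if n.Contains(r.ClientIP) {
			return true
		}
	}
	return false
}

// Serve returns the redirect chain a client would follow for the creative.
func (s *gatedAdServer) Serve(r AdRequest) []string {
	chain := []string{"https://ads.example/creative.js", "https://cdn.example/banner.html"}
	if r.Now.Before(s.activateAt) || s.looksLikeScanner(r) {
		return append(chain, "https://advertiser.example/landing")
	}
	s.eligible++
	if s.eligible%s.everyNth != 0 {
		return append(chain, "https://advertiser.example/landing")
	}
	return append(chain, "https://redirector.example/go", "https://ek.example/gate.php")
}

// Monitor is the ad network's continuous scanner: the chain seen on the first
// probe becomes the baseline, and every later chain that differs is reported.
type Monitor struct {
	baseline map[string]string // creative id -> chain fingerprint
}

func (m *Monitor) Scan(creative string, serve func(AdRequest) []string, probes int, profile AdRequest) []string {
	if m.baseline == nil {
		m.baseline = map[string]string{}
	}
	var changes []string
	seen := map[string]bool{}
	for i := 0; i < probes; i++ {
		fp := strings.Join(serve(profile), " -> ")
		if base, ok := m.baseline[creative]; !ok {
			m.baseline[creative] = fp
		} else if fp != base && !seen[fp] {
			seen[fp] = true
			changes = append(changes, fp)
		}
	}
	return changes
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Demo runs four probes against gated servers and returns the chain changes
// each reported. Addresses are documentation ranges used as sample data.
func Demo() (single, scanner, dormant, continuous []string) {
	now := time.Date(2016, 5, 2, 12, 0, 0, 0, time.UTC)
	live := &gatedAdServer{activateAt: now.Add(-time.Hour), everyNth: 10, scannerNets: []*net.IPNet{mustCIDR("198.51.100.0/24")}}
	asleep := &gatedAdServer{activateAt: now.Add(48 * time.Hour), everyNth: 10}
	browser := AdRequest{UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0 Safari/537.36", ClientIP: net.ParseIP("203.0.113.7"), Now: now}
	crawler := AdRequest{UserAgent: "curl/7.47.0", ClientIP: net.ParseIP("198.51.100.9"), Now: now}
	single = (&Monitor{}).Scan("creative-42", live.Serve, 1, browser)      // one look: only a baseline
	scanner = (&Monitor{}).Scan("creative-42", live.Serve, 50, crawler)    // fingerprinted: never sees the gate
	dormant = (&Monitor{}).Scan("creative-42", asleep.Serve, 50, browser)  // delay trick: nothing to see yet
	continuous = (&Monitor{}).Scan("creative-42", live.Serve, 50, browser) // repeated: the 10th impression flips
	return
}

func main() {
	_, _, _, cont := Demo()
	fmt.Println(cont) // [https://ads.example/creative.js -> https://cdn.example/banner.html -> https://redirector.example/go -> https://ek.example/gate.php]
}
```

Only the repeated scan with a believable profile ever records the exploit-kit hop; the one-off review, the obviously automated client and the scan of a still-dormant campaign all see the clean chain. A real monitor would also rotate exit addresses and revisit the creative over days, since the dormant case only resolves with time.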

Page 38: RATs: Remote Access Trojans

Page 39: Dridex Malware

o First seen: Nov 2014, with new versions throughout 2015
o Target: North American and European banks
o Distribution: spam emails with Word documents (malicious macros)
o Some versions use P2P over HTTP for botnet communication
o Uses web injects to carry out man-in-the-browser attacks
o Uses VNC
o It is both a RAT and a banking Trojan

Page 40: Need Complete & Correlated Visibility

(diagram) Endpoints, web, email, network behavior, deception

Page 41: Summary

1. Ransomware has evolved into a major threat, allowing criminals to easily monetize malware infections via Bitcoin.
2. Every platform is vulnerable to ransomware.
3. Back up your files! Since decrypting encrypted files is not always possible, frequent backups become even more critical. And keep your backup offline.
4. Malvertising is on pace to have a record year.
5. Defense-in-depth techniques powered by machine learning are needed to defeat malware at every stage of the kill chain.

Page 42: Thank You!