www.SCStateHouse.gov Michael Lauth, Security Analyst

Post on 15-Jul-2020


Page 1

Page 2

Ransomware

What is Ransomware?

• Is computer malware which loads a cryptovirology attack
• It then demands a ransom payment of some sort to restore your files

How does it work?

1. [attacker→victim] The attacker generates a key pair and places the corresponding public key in the malware. The malware is released.

2. [victim→attacker] When the malware decides to attack, it generates a random symmetric key and encrypts the victim's data with it. It uses the public key in the malware to encrypt the symmetric key. This is known as hybrid encryption and it results in a small asymmetric ciphertext as well as the symmetric ciphertext of the victim's data. It zeroizes the symmetric key and the original plaintext data to prevent recovery. It puts up a message to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.

3. [attacker→victim] The attacker receives the payment, deciphers the asymmetric ciphertext with his private key, and sends the symmetric key to the victim. The victim deciphers the encrypted data with the needed symmetric key.
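The three steps above are textbook hybrid (envelope) encryption, and the reason they matter to a defender is the zeroize step: once the random symmetric key is wiped, the only copy that still exists is sealed under a public key whose private half never touched the host, so nothing left on the machine can open the data. The following Go program is an added illustration, not code from the slide deck or from any malware family; it runs the exchange on an in-memory byte string (a constructed sample, no files are touched) using RSA-OAEP to seal a random AES-256-GCM key, shows that decryption with the wiped key fails, and only succeeds once the key is unsealed with the private key. Function names, the 2048-bit key size and the sample text are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample standing in for "the victim's data"; not a real capture.
const samplePlaintext = "constructed sample record: account ledger 2020-07"

// HybridCiphertext is everything left on the host after step 2: the sealed
// symmetric key (the "small asymmetric ciphertext") and the symmetric
// ciphertext of the data. The symmetric key itself is gone.
type HybridCiphertext struct {
	SealedKey []byte // RSA-OAEP encryption of the AES key under the embedded public key
	Nonce     []byte // AES-GCM nonce
	Data      []byte // AES-GCM ciphertext, authentication tag included
}

// GenerateKeyPair is step 1: only PublicKey would be embedded; the private
// half stays with the attacker and is never present on the host.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// HybridEncrypt is step 2: a fresh random AES-256 key encrypts the data, the
// embedded RSA public key seals that AES key, and the AES key is zeroized.
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*HybridCiphertext, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	data := gcm.Seal(nil, nonce, plaintext, nil)
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // zeroize our copy; the only remaining copy is inside SealedKey
		key[i] = 0
	}
	return &HybridCiphertext{SealedKey: sealed, Nonce: nonce, Data: data}, nil
}

// UnsealKey is the attacker's half of step 3: recover the AES key with the private key.
func UnsealKey(priv *rsa.PrivateKey, sealedKey []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealedKey, nil)
}

// SymmetricDecrypt is the victim's half of step 3. With a wrong or zeroized
// key the GCM tag check fails and an error comes back instead of plaintext.
func SymmetricDecrypt(key []byte, ct *HybridCiphertext) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ct.Nonce, ct.Data, nil)
}

func main() {
	priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	ct, err := HybridEncrypt(&priv.PublicKey, []byte(samplePlaintext))
	if err != nil {
		panic(err)
	}
	// The host holds ct and a zeroized key: local recovery fails.
	if _, err := SymmetricDecrypt(make([]byte, 32), ct); err != nil {
		fmt.Println("recovery without the private key fails:", err)
	}
	key, err := UnsealKey(priv, ct.SealedKey)
	if err != nil {
		panic(err)
	}
	pt, _ := SymmetricDecrypt(key, ct)
	fmt.Println("recovered with unsealed key:", string(pt))
}
```

The failed `SymmetricDecrypt` call is the practical takeaway: there is no key material to carve out of the host after step 2, which is why offline, versioned backups are the recovery plan rather than decryption.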

Page 3

How Ransomware Spreads

• Email

• Web ‘drive by’ downloaders

• USB sticks and devices

Spear Phishing is the #1 Way Ransomware is Delivered

94% of people could not tell the difference between a real email and a spear phishing email

Source: intermedia.net/report/ransomware

Page 4

Risks and Impact of Ransomware

• Inadequate protection of email can easily lead to a ransomware attack

• ‘An ounce of prevention is worth a pound of cure’ is particularly true

• Ransomware encryption is so advanced that even law enforcement agencies like the FBI are unable to decrypt it

• The impact of ransomware is immediate

• Ransom payments
• Remediation time and costs
• Business disruption
• Brand damage

Page 5

Page 6

THE IMPACT OF THE CURRENT MODEL

• $3.5M: average cost of a breach
• 205 days: median number of days before detection
• 32 days: to respond to a breach
• 69% of companies learned they were breached from an external entity
• 97% of organizations were breached
• 3/4 had active command and control communications

SOURCE: MANDIANT M-TRENDS REPORT / PONEMON COST OF DATA BREACH STUDY

CYBER SECURITY’S MAGINOT LINE: A REAL-WORLD ASSESSMENT OF THE DEFENSE-IN-DEPTH MODEL

Page 7

THINK LIKE YOUR ATTACKER

WHO ARE THEY?

‣ Teams of humans targeting you
‣ Highly tailored and customized attacks
‣ Need insight on which adversaries may be targeting your industry

HAVE THEY GAINED ACCESS?

‣ Removing malware doesn’t eliminate the attacker
‣ Need threat intel that detects malware linked to known adversary groups

HOW DO YOU STOP THEM?

‣ Attackers evade detection by using existing tools and protocols
‣ However they use them in identifiable ways
‣ Need attacker profiles that detail tools, techniques and procedures employed by adversaries

Page 8

What SC does

South Carolina uses a layered approach

Network Traffic
1. Active layer of ACLs on our edge router & internal connections
2. Application-based firewall (NGFW)
3. IPS/IDS
4. Advanced anti-malware product
5. Endpoint protection

Our email security is also layered
1. Standard anti-spam firewall
2. Advanced anti-malware product
3. Exchange rules

We have had great success with products from FireEye for Advanced Malware protection and detection.
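Slide 3 puts spear phishing first among delivery routes and notes that most people cannot tell a spear phishing email from a real one; the email layers on this slide (anti-spam, anti-malware, Exchange rules) exist to take that decision away from the user. The Go program below is an added example, not the state's configuration or any vendor's rule set, of the kind of header and attachment checks a transport rule or gateway applies before a message reaches a mailbox: a display name that embeds an internal address while the real sender domain differs, a sender domain that merely resembles the internal one, a Reply-To pointing elsewhere, and attachments with macro-enabled or script extensions. Both messages are constructed samples (`example.gov` stands in for the internal domain); the function and variable names and the extension list are this example's own choices.

```go
package main

import (
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"path/filepath"
	"strings"
)

// Constructed messages, not real captures. The first carries every signal the
// checks look for; the second is an ordinary internal message with none.
const suspiciousMessage = "From: \"Help Desk <helpdesk@example.gov>\" <helpdesk@example-gov.com>\r\n" +
	"Reply-To: billing@example.net\r\n" +
	"To: user@example.gov\r\n" +
	"Subject: Invoice attached\r\n" +
	"MIME-Version: 1.0\r\n" +
	"Content-Type: multipart/mixed; boundary=\"b1\"\r\n" +
	"\r\n" +
	"--b1\r\nContent-Type: text/plain\r\n\r\nPlease open the attached invoice.\r\n" +
	"--b1\r\nContent-Type: application/octet-stream\r\n" +
	"Content-Disposition: attachment; filename=\"invoice.docm\"\r\n\r\nnot-a-real-document\r\n" +
	"--b1--\r\n"

const cleanMessage = "From: \"Help Desk\" <helpdesk@example.gov>\r\n" +
	"To: user@example.gov\r\nSubject: Password policy reminder\r\n" +
	"Content-Type: text/plain\r\n\r\nPlease review the policy on the intranet.\r\n"

// Extensions a mail rule would quarantine (example list, not a vendor's).
var quarantinedExtensions = map[string]bool{
	".docm": true, ".xlsm": true, ".exe": true, ".js": true, ".vbs": true, ".scr": true, ".hta": true,
}

// domainOf returns the part of an address after the last "@".
func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return addr[i+1:]
	}
	return ""
}

// AssessMessage parses a raw RFC 5322 message and returns one finding per
// suspicious trait; an empty slice means none of the checks fired.
func AssessMessage(raw, internalDomain string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	fromDomain := domainOf(from.Address)
	var findings []string

	// 1. Display name embeds an address whose domain is not the real sender domain.
	if at := strings.LastIndex(from.Name, "@"); at >= 0 {
		shown := strings.Trim(from.Name[at+1:], "<> ")
		if !strings.EqualFold(shown, fromDomain) {
			findings = append(findings, "display name shows "+shown+" but sender domain is "+fromDomain)
		}
	}
	// 2. Sender domain contains the internal label but is not the internal domain.
	label := strings.ToLower(strings.Split(internalDomain, ".")[0])
	if !strings.EqualFold(fromDomain, internalDomain) && strings.Contains(strings.ToLower(fromDomain), label) {
		findings = append(findings, "sender domain "+fromDomain+" resembles "+internalDomain)
	}
	// 3. Replies would go to a different domain than the one that sent the message.
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		if addr, err := mail.ParseAddress(rt); err == nil && !strings.EqualFold(domainOf(addr.Address), fromDomain) {
			findings = append(findings, "Reply-To domain "+domainOf(addr.Address)+" differs from sender domain "+fromDomain)
		}
	}
	// 4. Attachment extensions on the quarantine list.
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err == nil && strings.HasPrefix(mediaType, "multipart/") {
		mr := multipart.NewReader(msg.Body, params["boundary"])
		for {
			part, err := mr.NextPart()
			if err == io.EOF {
				break
			}
			if err != nil {
				return findings, err
			}
			if name := part.FileName(); name != "" && quarantinedExtensions[strings.ToLower(filepath.Ext(name))] {
				findings = append(findings, "attachment "+name+" has a quarantined extension")
			}
		}
	}
	return findings, nil
}

func main() {
	for _, raw := range []string{suspiciousMessage, cleanMessage} {
		findings, err := AssessMessage(raw, "example.gov")
		fmt.Println(len(findings), "finding(s):", findings, err)
	}
}
```

None of these checks is conclusive on its own, which is why the slide stacks them behind an anti-malware layer: the point of the rule layer is to quarantine or tag the message so that the "94% could not tell" figure never has to come into play.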

Page 9

Malware Detection

Here are some reports on malware detection.

These are malware-ridden packages which made it past our standard anti-spam product, Cisco IronPort. The IronPort has an AV engine in use from Sophos.

Page 10

Malware Detection

Example of a document which made it past our first layer of protection but was picked up by FireEye.

Page 11

Questions

Contact

Michael Lauth

[email protected]