What is Ransomware? How to defend against the attack - Office of Information Technology · 2017-05-02


What is Ransomware? How To defend against the Attack?

Otto Lee, CISSP, CSSLP
Membership Chair - (ISC)2 Hong Kong Chapter
Vice Chairperson - Professional Information Security Association (PISA)

Agenda

» Ransomware
» 5 phases of attack
» 6 steps of defense
» Future trend

What’s Ransomware?

“A type of malicious software designed to block access to a computer system until a sum of money is paid”

“A type of malicious software designed to block access to a device until a sum of money is paid”

Latest news (image from BBC)

Timeline (2010 – 2017) (image from F-Secure)

Common types

» Crypto Ransomware
• Locky: 2016, infecting users via malicious Microsoft Office attachments to emails
• Bitcryptor and CoinVault: 2015
• TeslaCrypt: 2015
• CryptoWall: 2014
• CTB-Locker: 2014
• TorrentLocker: 2014
• CryptoLocker: 2013

» Locker Ransomware
• Reveton: 2012, locking users' computers by preventing them from logging in

» Mac Ransomware
• KeRanger: 2016, the first piece of ransomware to successfully infect Mac computers running OS X

5 Phases of attack

1) Exploitation and infection
2) Delivery and execution
3) Backup removal
4) File encryption
5) User notification and clean-up

1) Exploitation and infection

» E-mails / Social Media
• Links
• Attachments

» Websites
• File downloads
• Vulnerable browser/plugins
• Malvertising

Malvertising (image from Malwarebytes)

2) Delivery and execution

» The ransomware executable is delivered to the victim’s system
» Sometimes there is no file
» Takes only a few seconds
» Delivered via an encrypted channel

3) Backup removal

» Targets the backup files and folders on the system and removes them to prevent restoring from backup
» Deletes all of the volume shadow copies from the system
» Looks for folders containing backups and then forcefully removes those files, even if a program is holding a lock on them

4) File encryption

» Performs a secure key exchange with the command and control (C2) server
» Uses strong encryption such as AES-256
» Some variants encrypt locally without connecting to the internet
» Variants handle file naming and encryption differently
» Takes from a few minutes to a couple of hours

5) User notification and clean-up

» Presents the ransom demand instructions
» Gives the victim a few days to pay, after which the ransom increases
» Cleans itself off the victimised system so as to leave nothing behind

6 steps of defense

i. Preparation
ii. Detection
iii. Containment
iv. Decryption
v. Eradication
vi. Recovery

i. Preparation

» Patch aggressively
» Create and protect your backups
» Prepare a response plan
» Assign least privileges
» Connect with threat intelligence sources
» Protect your endpoints
» Educate users
» Buy insurance

ii. Detection

» Set up your defence devices
» Screen email for malicious links and payloads
» Use rule blocks for executables
» Look for signs of encryption and notification
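The last bullet, looking for signs of encryption and notification, worked through as an added example (my code, not from the slides): each host's file writes are scored by byte entropy, and the host is flagged on a burst of high-entropy writes within a short window, or on a ransom-note style file name appearing next to such writes, while a single compressed archive stays below the bar. Host names, paths, thresholds and the event list are constructed assumptions.

```python
import math
from collections import defaultdict

ENTROPY_THRESHOLD = 7.5  # bits/byte; office documents and source text sit far below this
WINDOW_SECONDS = 60      # burst window per host
BURST_THRESHOLD = 5      # high-entropy writes within the window needed to alert
NOTE_MARKERS = ("decrypt", "recover", "how_to")  # ransom-note style file names

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: ciphertext approaches 8.0, ordinary text stays around 4 to 5.
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_suspect_hosts(events, window=WINDOW_SECONDS, burst=BURST_THRESHOLD):
    """events: (seconds, host, path, written_bytes) tuples. Returns {host: reason}."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_host[ev[1]].append(ev)
    flagged = {}
    for host, evs in by_host.items():
        recent, notes = [], []  # timestamps of recent high-entropy writes; note paths
        for ts, _, path, data in evs:
            name = path.rsplit("/", 1)[-1].lower()
            if any(marker in name for marker in NOTE_MARKERS):
                notes.append(path)
            elif shannon_entropy(data) >= ENTROPY_THRESHOLD:
                recent = [t for t in recent if ts - t <= window] + [ts]
                if len(recent) >= burst and host not in flagged:
                    flagged[host] = f"{len(recent)} high-entropy writes within {window}s"
        if host not in flagged and notes and recent:  # a note plus any encrypted writes
            flagged[host] = f"ransom note {notes[0]} alongside high-entropy writes"
    return flagged

# Constructed sample (not real telemetry): CIPHERLIKE holds every byte value once, so its
# entropy is exactly 8 bits/byte like encrypted output; PLAIN is ordinary document text.
CIPHERLIKE = bytes(range(256))
PLAIN = b"Quarterly revenue summary, draft for review. Figures to be confirmed by finance."
EVENTS = [
    (0, "ws-101", "/home/alice/docs/q1.xlsx.locked", CIPHERLIKE),
    (4, "ws-101", "/home/alice/docs/q2.xlsx.locked", CIPHERLIKE),
    (9, "ws-101", "/home/alice/docs/plan.docx.locked", CIPHERLIKE),
    (13, "ws-101", "/home/alice/docs/notes.txt.locked", CIPHERLIKE),
    (18, "ws-101", "/home/alice/docs/budget.pdf.locked", CIPHERLIKE),
    (20, "ws-101", "/home/alice/docs/HOW_TO_DECRYPT.txt", PLAIN),
    (2, "ws-202", "/home/bob/docs/q1.xlsx", PLAIN),
    (5, "ws-303", "/home/carol/backup.zip", CIPHERLIKE),  # one archive: below burst
]
```

Running `find_suspect_hosts(EVENTS)` flags only ws-101; legitimate archives and encrypted containers will look like ciphertext too, which is why the rule needs a burst or a note before it fires.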

iii. Containment

» Kill the running processes
» Isolate the infected endpoint

iv. Decryption

» https://noransom.kaspersky.com/
» https://www.avast.com/ransomware-decryption-tools
» http://www.avg.com/ww-en/ransomware-decryption-tools
» https://success.trendmicro.com/solution/1114221-downloading-and-using-the-trend-micro-ransomware-file-decryptor

v. Eradication

» Replace
» Rebuild
» Clean

vi. Recovery

» Restore from a clean backup
» Look for the infection vector
» Notify law enforcement if appropriate

Future trend

1) Ransomware will become just another tool in the hacker utility belt, e.g., Ransomware as a Service (RaaS)
2) More attacks are designed to publicly shame the victims
3) More examples using no executable as a means of evading detection
4) Ransomware spam campaigns will target the security of webmail providers
5) If there is a decline in ransomware, it will be because of law enforcement action

Takeaways (For end-user)

1) Backups, backups, backups — and test those backups regularly
2) Keep web browsers and plug-ins such as Adobe Flash and Microsoft Silverlight updated, and prioritize patching new releases
3) Uninstall any browser plug-ins that are not required
4) Disable Microsoft Office macros by default
5) Maintain copies of your files, particularly sensitive or proprietary data, in a separate secure location. Backup copies of sensitive data should not be readily accessible from local networks, i.e. store the backup offline.
6) Never open attachments included in unsolicited emails. Be very vigilant about links contained in emails, even if the link appears to be from someone you know
7) Keep your anti-virus software up to date
8) Enable automated patches for your operating system and web browser
9) Only download software, especially free software, from sites you know and trust
10) Don’t pay the ransom

Takeaways (For organization)

1) Backups, backups, backups — and test those backups regularly
2) Keep web browsers and plug-ins such as Adobe Flash and Microsoft Silverlight updated, and prioritize patching new releases
3) Uninstall any browser plug-ins that are not required for business purposes, and prevent users from re-installing them
4) Disable Microsoft Office macros by default, and selectively enable them for those who need macros
5) Scan incoming emails for suspicious attachments, including examining all compressed attachments
6) Automatically quarantine any email that has an attachment containing a script or a .scr file
7) Disable or remove the PowerShell, wscript, and cscript executables on all non-administrative workstations
8) Do not give all users in the organization local administrative access to their workstations
9) Use threat intelligence to gain visibility into your organization’s external threat environment and monitor for any emerging ransomware threats to your organization
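Items 5 and 6 of the organization list as an added example (my code, not from the slides): a quarantine check that walks a message's attachments, opens compressed (zip) attachments with a size and nesting bound, and holds the message if any part, including an archive member, carries a script or .scr extension. The sample message, the file names and the extension list are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".scr"}
MAX_MEMBER_BYTES = 5_000_000  # do not expand archive members beyond this (decompression bombs)

def risky_names(name: str, payload: bytes, depth: int = 0) -> list[str]:
    """Return attachment names (archive members expanded) that carry a script or .scr extension."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in SCRIPT_EXTS:
        return [name]
    if ext != ".zip" or depth >= 3:  # only zip is handled here; the depth bound stops nested archives
        return []
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_BYTES:
                    found.append(f"{name}/{info.filename} (too large to inspect)")
                    continue
                found += [f"{name}/{n}" for n in risky_names(info.filename, zf.read(info), depth + 1)]
    except zipfile.BadZipFile:
        found.append(f"{name} (unreadable archive)")  # treat as suspicious, not as clean
    return found

def quarantine_decision(raw: bytes) -> tuple[bool, list[str]]:
    """Parse a raw RFC 5322 message; True means hold it in quarantine, with the reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and part.get_content_disposition() == "attachment":
            hits += risky_names(fname, part.get_payload(decode=True) or b"")
    return bool(hits), hits

def build_sample() -> bytes:
    """Constructed test message: invoice.zip wrapping invoice.pdf.js, plus a harmless report.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.js", "// constructed placeholder content, not a real script")
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.com", "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    m.add_attachment("Quarterly notes, nothing to see.", filename="report.txt")
    return m.as_bytes()
```

An archive that cannot be opened is reported rather than passed, since a gateway that silently drops unreadable attachments on the floor is the gap item 5 warns about.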

(ISC)2 Hong Kong Chapter / PISA

» Professional Information Security Association (PISA)
» A not-for-profit organization for local information security professionals
» Focus on developing the local information security market with a global presence in the industry
» Missions
• To facilitate knowledge and information sharing among the PISA members
• To promote the highest quality of technical and ethical standards to the information security profession
• To promote best practices in information security control
• To promote security awareness to the IT industry and general public in Hong Kong

Security Congress APAC 2017

This year’s tracks include:
• Cloud Security
• Critical National Information Infrastructure (CNII)
• Emerging Technologies and Security
• Governance, Risk and Compliance
• Professional Development
• Security Operations

Security Congress APAC 2017 - Registration is Now Open
Engage with over 350 information security professionals in this 2-day multi-stream conference as cybersecurity experts and industry thought leaders from around the world share their knowledge and international best practices through presentations, case studies, hands-on workshops and interactive discussions.

Enjoy a 25% Student Discount

http://apaccongress.isc2.org/events/-isc-security-congress-apac-2017/custom-21-7f805a6862a3494891be229fb5ef7af2.aspx

For inquiries: [email protected]

Contact of (ISC)2 HK Chapter / PISA

Web Site:
» http://www.pisa.org.hk

Membership Information:
» http://www.pisa.org.hk/membership
» Free for Student Members