hackit-ukraine
Nick Bilogorskiy
o Facebook, Cyphort
o Fighting viruses and cybercrime.
o Nova Ukraine and the diaspora in San Francisco.
Who am I?
Nick, [email protected] | USA: +1-408-203-4323 | Tel Ukraine: +38-063-315-7774 | www.novaukraine.org
San Francisco
SILICON VALLEY
facebook.com/OpenUkraineOfficeNow
Founded in 2011 by a team of security experts.
Launched our Advanced Threat Defense Platform product in Q3 2013
HQ located in the heart of Silicon Valley: Santa Clara, CA
80+ people
Funding Winning!
Network-Based Next Generation APT Defense
Correlated Visibility: Next-Gen Perimeter Defense with Lateral Movement
Virtualized Deployment: Flexible Software-based Security Solution
Dynamic Detection: Machine Learning plus Behavioral Inspection
CYPHORT THREAT DEFENSE PLATFORM (diagram)
Collectors at Headquarters and at each Branch feed the Cyphort Core, which performs Collection, Inspection, Analytics and Correlation.
Cyphort Architecture Advantage (diagram)
Collect: collectors for Headquarters web traffic, Branch Office web traffic, the Data Center and Email.
Inspect: Cyphort Core multi-method inspection, machine learning analytics and correlation, enriched with user & asset data and the Cyphort Golden Image, backed by Cyphort Global Security Services.
Act: infection verification on suspect endpoints before cleaning (native, Carbon Black, Tanium, Confer); mitigation & enforcement by publishing blocking data to existing FW, IPS and SWG, API-based or manual.
Goals: civil society, fighting corruption, humanitarian aid, help for displaced persons, educational programs, promoting Ukraine in the USA
Helping families
100 boxes of clothing
How to help
With money: PayPal [email protected]
With your time: Email [email protected]
Tell others about us: LIKE facebook.com/novaukraine.org
novaukraine.org
What is Ransomware
Ransomware is any malware that demands the user pay a ransom.
There are two types of ransomware: lockers and crypters.
Lockers (example: Kovter)
Crypters
Prediction #4: More IoT (Internet of Things) security incidents
TOR Primer
• easy to use,
• fast,
• publicly available,
• decentralized, and
• provides anonymity, which serves to encourage extortion.
Bitcoin Primer
How often do you backup?
Computer Backup Frequency 2008-2015 (BackBlaze data)
Frequency | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015
Daily     | 6%   | 6%   | 8%   | 6%   | 10%  | 10%  | 9%   | 8%
Other     | 56%  | 57%  | 58%  | 60%  | 10%  | 59%  | 63%  | 67%
Never     | 38%  | 37%  | 34%  | 34%  | 31%  | 29%  | 28%  | 25%
The Ransomware Business Model
o 90% of people do not backup daily
o Data theft in place
o Anonymity (TOR, Bitcoin)
o Operating with impunity in Eastern Europe
o Extortion
o Focus on ease of use to drive conversion
o Currently 50% pay the ransom; it was 41% 2 years ago
(diagram) Locked files -> Bitcoin ransom sent to the C&C server -> private key sent back -> unlocked files
The Ransomware Business Model
HOSPITALS: Hollywood Presbyterian Medical Center, Kentucky Methodist Hospital, Alvarado Hospital Medical Center and King's Daughters' Health, Chino Valley Medical Center and Desert Valley Hospital, Baltimore's Union Memorial Hospital, and many others
POLICE: Tewksbury Police Department, Swansea Police Department, the Chicago suburb of Midlothian, Dickson County, Tennessee, Durham, N.H., Plainfield, N.J., Collinsville, Alabama; hackers in Detroit demanded $800,000 in bitcoin after they had encrypted the city's database.
Known Victims… So far
GOVERNMENT: 321 incident reports of "ransomware-related activity" affecting 29 different federal networks since June 2015, according to the Department of Homeland Security.
SCHOOLS: A South Carolina school district paid $10,000. A New Jersey school district was hit, holding up the computerized PARCC exams. Follett Learning's Destiny library management software, which is used in US schools, is vulnerable to SamSam ransomware.
Apr 30, 2016: "In the past 48 hours, the House Information Security Office has seen an increase of attacks on the House Network […] focused on putting "ransomware" on users' computers. […] As part of that effort, we will be blocking access to YahooMail on the House Network until further notice."
Stats (Recorded Future): 500% growth last year
Ransomware: The Price You Pay
2014 - $24 M. | 2015 - $24 M. | 2016 - $209 M in Q1
Ransomware: Additional Costs
o network mitigation
o network countermeasures
o loss of productivity
o legal fees
o IT services
o purchase of credit monitoring services for employees or customers
o potential harm to an organization's reputation
2016 Ransomware tricks
1. Targeting businesses (e.g. hospitals) rather than individuals.
2. Deleting files at regular intervals to increase the urgency to pay the ransom faster – Jigsaw
3. Encrypting entire drives – Petya
4. Encrypting web servers' data – RansomWeb, Kimcilware
5. Encrypting data on unmapped network drives – DMA Locker, CryptoFortress
6. Deleting or overwriting cloud backups.
7. Encrypting each file with its own unique key – Rokku
8. Targeting non-Windows platforms – SimpleLocker, KeRanger
9. Using the computer speaker to speak to the victim – Cerber
10. Ransomware as a service – Tox
11. Using counter-detection: malware armoring, anti-VM and anti-analysis functions – CryptXXX
Cerber Bitcoin Mixing service
o Cerber distributes ransomware through affiliates
o At least 150,000 victims a month
o Tens of thousands of Bitcoin wallets in the mixing service
o 20% cut
Source: Checkpoint
IOT - Smart TV Ransomware
o Flocker Ransomware infects Smart TVs
o aka Frantic Locker
o Locks the screen and demands $200 in iTunes gift cards
IOT Thermostat Ransomware
o Proof-of-concept ransomware for smart thermostats at DEFCON
o Locks the temperature at 99 degrees until the owner pays a ransom to obtain a PIN which would unlock it.
HiddenTear – PokemonGo ransomware
o Hidden-Tear is masquerading as a Pokémon GO application for Windows.
o Targeting Arabic users
o This one spreads by copying the executable to all drives with autorun
CuteRansomware uses Google Docs
How do Users get Ransomware?
Osterman research
Tips to Avoid Ransomware Infection
o Install the latest patches for your software, especially Adobe, Microsoft and Oracle apps
o Use network protection
o Use a comprehensive endpoint security solution with behavioral detection
o Turn Windows User Account Control on
o Block Macros
o Be skeptical: Don't click on anything suspicious
o Block popups and use an ad-blocker
o Override your browser's user-agent*
o Consider Microsoft Office viewers
o Disable Windows Script Host
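As an added example (not code from the deck or from Cyphort), the following PowerShell script audits four of the controls above on a Windows host: User Account Control on, Windows Script Host disabled, Office macros blocked, and patches installed recently. It assumes Office 2016 or later (the "16.0" registry branch) and an elevated prompt so the HKLM keys can be read; the registry locations are the standard Group Policy and Trust Center ones.

```powershell
# Added example, not from the deck: audit the Windows controls recommended above.
# Assumes Office 2016 or later ("16.0" registry branch) and an elevated prompt for HKLM reads.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
$checks = @(
    @{ Control = 'User Account Control enabled'; Name = 'EnableLUA'; Expected = 1
       Paths = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System') },
    # WSH runs when the value is absent, so "not set" counts as a failure here.
    @{ Control = 'Windows Script Host disabled'; Name = 'Enabled'; Expected = 0
       Paths = @('HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
                 'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings') }
)
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    # Group Policy path first; the Trust Center writes the same value names under Software\Microsoft.
    $paths = @("HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security",
               "HKCU:\Software\Microsoft\Office\16.0\$app\Security")
    $checks += @{ Control = "$app - all macros disabled without notification"
                  Name = 'VBAWarnings'; Expected = 4; Paths = $paths }
    $checks += @{ Control = "$app - macros blocked in files from the Internet"
                  Name = 'BlockContentExecutionFromInternet'; Expected = 1; Paths = $paths }
}
$results = foreach ($c in $checks) {
    $actual = $null
    foreach ($p in $c.Paths) {               # first path that defines the value wins
        $actual = Get-RegValueOrNull $p $c.Name
        if ($null -ne $actual) { break }
    }
    $shown = if ($null -eq $actual) { 'not set' } else { $actual }
    [PSCustomObject]@{ Control = $c.Control; Expected = $c.Expected; Actual = $shown
                       Pass = ($actual -eq $c.Expected) }
}
# Patch hygiene: the newest installed hotfix should be no older than 30 days.
$cutoff = (Get-Date).AddDays(-30)
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$latestShown = if ($latest) { $latest.InstalledOn.ToString('yyyy-MM-dd') } else { 'none' }
$results += [PSCustomObject]@{
    Control  = 'Windows hotfix installed in the last 30 days'
    Expected = 'after ' + $cutoff.ToString('yyyy-MM-dd')
    Actual   = $latestShown
    Pass     = [bool]($latest -and $latest.InstalledOn -gt $cutoff)
}
$results | Format-Table Control, Expected, Actual, Pass -AutoSize
# Non-zero exit code when any control fails, so the script can feed a compliance job.
exit [int](@($results | Where-Object { -not $_.Pass }).Count -gt 0)
```

The script only reads; remediation is left to Group Policy so that the values are enforced rather than set once on a single host.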
Tips to Avoid Losing Data to Ransomware
o Identify the ransomware and look for a decryptor: https://id-ransomware.malwarehunterteam.com/
o Shadow Copies
o Turn off the computer at the first signs of infection
o Remember: the only effective ransomware defense is backup
o List of free decryptors: http://bit.ly/decryptors
Malvertising
What is Malvertising
Malvertising is the use of online advertising to spread malware.
Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages.
Source: Anti-Malvertising.com
How Malvertising works
Attacker: creates and injects malware ads into the advertising network
Advertising Network: selects an ad based on auction, sends it to the website
Website: serves a banner ad, sometimes malicious
User: visits a popular website, gets infected via exploit kit
Rise of Malvertising
(chart: malvertising domains per year, 2014 to 2016; y-axis 0 to 2500)
Techniques to avoid detection
o Enable the malicious payload only after a delay
o Only serve exploits to every 10th user
o Verify user agents and IP addresses before serving
o HTTPS redirectors