Nick Bilogorskiy

o Facebook, Cyphorto Борьба с Вирусами и Киберпреступностью.o Нова Юкрейн и диаспора в Сан-Франциско.

Who am I?

Nick Bilogorskiynick@novaukraine.orgTel USA: +1-408-203-4323Tel Ukraine: +38-063-315-7774 www.novaukraine.org

San Francisco

SILICON VALLEY

facebook.com/OpenUkraineOfficeNow

FoundedIn 2011 by a team of

security experts.

Launched our Advanced Threat Defense Platform

product in Q3 2013

HQLocated in the heart

of Silicon ValleySanta Clara, CA

80+ people

Funding Winning!

Network-Based Next Generation APT Defense

Correlated VisibilityNext-Gen Perimeter Defense

with Lateral Movement

Virtualized DeploymentFlexible Software-based

Security Solution

Dynamic Detection Machine Learning plusBehavioral Inspection

CYPHORT THREAT DEFENSE PLATFORM

Headquarters

Branch

Branch

Branch

Collector

Cyphort Core InspectionAnalytics

CorrelationCollection

Collector

Collector

Cyphort Architecture Advantage

Collector:HeadquartersWeb Traffic

Collector:Branch Office Web Traffic

Collector:Data Center

Collector:Email

Collect

InfectionVerification (Native, Carbon-Black, Tanium, Confer)

Mitigation & Enforcement

Publish Blocking DataTo Existing: FW, IPS and SWG

API based or manual

{ Verify infection on suspect endpoints before cleaning }

Act

API

API

Cyphort Global Security Services

Cyphort Core Multi-method Inspection

Machine Learning AnalyticsCorrelation

User &Asset Data

Inspection

Analytics

Correlation

Inspect

Cyphort Golden Image

ЦелиГражданское обществоБорьба с коррупциейГуманитарная помощьПомощь перемещённым лицамОбразовательные программыПопуляризация Украины в США

Помощь семьям

100 коробок с одеждой

ДеньгамиPayPal donate@novaukraine.org

ВременемEmail volunteer@novaukraine.org

Рассказать о нас LIKE facebook.com/novaukraine.org

novaukraine.org

Как помочь

What is Ransomware

Ransomware is any malware that demands the user pay a ransom.

There are two types of ransomware: lockers and crypters.

Kovter Lockers

o More IOT (Internet Of Things) security incidents

Prediction #4 Crypters

TOR Primer

• easy to use, • fast, • publicly available, • decentralized, and • Provides anonymity, which

serves to encourage extortion.

Bitcoin Primer

How often do you backup?

Computer Backup Frequency 2008-2015 (BackBlaze data)

Frequency 2008 2009 2010 2011 2012 2013 2014 2015Daily 6% 6% 8% 6% 10% 10% 9% 8%Other 56% 57% 58% 60% 10% 59% 63% 67%Never 38% 37% 34% 34% 31% 29% 28% 25%

The Ransomware Business Model

o 90% of people do not backup dailyo Data Theft in placeo Anonymity (TOR, Bitcoin)o Operating with impunity in Eastern Europeo Extortiono Focus on ease of use to drive conversion

o Currently 50% pay the ransom, it was 41% 2 years ago

z

Bitcoin Ransom Sent C&C

Server

Private Key Sent

Locked Files

Unlocked Files

The Ransomware Business Model

HOSPITALSHollywood Presbyterian Medical Center , Kentucky Methodist Hospital, Alvarado Hospital Medical Center and King's Daughters' Health, Kentucky Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital, Baltimore’s Union Memorial Hospital, and many others

POLICETewksbury Police Department Swansea Police DepartmentChicago suburb of Midlothian Dickson County, TennesseeDurham, N.H Plainfield, N.JCollinsville, Alabama,hackers in Detroit demanded $800,000 in bitcoin after they had encrypted the city's database.

Known Victims… So far

SCHOOLS GOVERNMENT321 incident reports of "ransomware-related activity" affecting 29 different federal networks since June 2015, according to the Department of Homeland Security.

South Carolina school district paid $10,000 . A New Jersey school district was hit, holding up the computerized PARCC exams.Follett Learning's Destiny library management software, which is used in US schools is vulnerable to SamSam ransomware.

Apr 30, 2016: In the past 48 hours, the House Information Security Office has seen an increase of attacks on the House Network […] focused on putting “ransomware” on users’ computers.[…] .As part of that effort, we will be blocking access to YahooMail on the House Network until further notice.

Recorded Future

Stats

500% growth last year

Ransomware: The Price You Pay

2014 - $24 M. | 2015 - $24 M. | 2016 - $209 M in Q1

o network mitigationo network countermeasureso loss of productivityo legal feeso IT serviceso purchase of credit monitoring

services for employees or customerso Potential harm to an organization’s

reputation.

Ransomware: Additional Costs

2016 Ransomware tricks

1. Targeting businesses (e.g. hospitals) rather than individuals.

2. Deleting files at regular intervals to increase the urgency to pay ransom faster – Jigsaw

3. Encrypting entire drives - Petya4. Encrypting web servers data -

RansomWeb, Kimcilware

2016 Ransomware tricks

5. Encrypting data on unmapped network drives DMA Locker, CryptoFortress

6. Deleting or overwriting cloud backups.

7. Encrypting each file with its own unique key - Rokku

2016 Ransomware tricks

8. Targeting non-Windows platforms – SimpleLocker, KeRanger

9. Using the computer speaker to speak to the victim - Cerber

10. Ransomware as a service – Tox11. Using counter-detection malware

armoring, anti-VM and anti-analysis functions - CryptXXX

Cerber Bitcoin Mixing service

o Cerber distributes ransomware through affiliates

o At least 150,000 victims a month

o tens of thousands of Bitcoin wallets in the mixing service

o 20% cut

Checkpoint

IOT - Smart TV Ransomware

o Flocker Ransomwareinfects Smart TVs

o aka Frantic Locker

o locks screen and demands $200 in iTunes gift cards

IOT Thermostat Ransomware

o proof-of-concept ransomware for smart thermostats at DEFCON

o Locks temperature at 99 degrees until the owner pays a ransom to obtain a PIN which would unlock it.

HiddenTear – PokemonGo ransomware

o Hidden-Tear, is masquerading as a Pokémon GO application for Windows.

o targeting Arabic userso This one spreads by copying

the executable to all drives with autorun

CuteRansomware uses Google Docs

How do Users get Ransomware?

Osterman research

Tips to Avoid Ransomware Infection

o Install the latest patches for your software, especially Adobe, Microsoft and Oracle apps

o Use network protectiono Use a comprehensive endpoint security

solution with behavioral detectiono Turn Windows User Access Control ono Block Macros

Tips to Avoid Ransomware Infection

o Be skeptical: Don’t click on anything suspicious

o Block popups and use an ad-blockero Override your browser’s user-agent*o Consider Microsoft Office viewerso Disable Windows Script Host

Tips to Avoid Losing Data to Ransomware

o Identify Ransomware and look for a decryptor:

o Shadow Copieso Turn off computer at first signs of infection

o Remember: the only effective ransomware defense is backup

https://id-ransomware.malwarehunterteam.com/

Tips to Avoid Losing Data to Ransomware

o List of free decryptors: http://bit.ly/decryptors

Malvertising

Malvertising is the use of online advertising to spread malware.

Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages.

Anti-Malvertising.com

What is Malvertising

How Malvertising works

df

UserVisits a popular

website, gets infected via exploit kit

WebsiteServes a banner ad,

sometimes malicious

AttackerCreates and injects malware ads into advertising network

Advertising NetworkSelects an ad based on auction, sends to the website

Rise of Malvertising

2014 2015 20160

500

1000

1500

2000

2500

Malvertising domains

Techniques to avoid detection

o Enable malicious payload after a delay

o Only serve exploits to every 10th user

o Verifying user agents and IP addresses

o HTTPS redirectors