CSCD 434 Spring 2019 Lecture 10 Attacks for Profit Ransomware


Introduction
Today ...
- Ransomware definition
- Scope – How bad is it?
- Those responsible
- Infection details
- Clean-up and prevention

Introduction
Ransomware
- Is a type of malware that takes control over a computer or computer system by encrypting all the data on the drive
- Data is then held at ransom until a predetermined cost is paid
- Because cryptocurrencies (e.g., bitcoins) are used for payment, it is difficult to track those demanding the ransom, making it tough to prosecute

Ransomware Consequences
Financial
- Ransoms through ransomware continue to grow in costs as ransomware methods become more sophisticated
- Outside of the ransom, costs due to downtime, recovery, and security maintenance can be considerable
Legal
- Privacy and security negligence may carry legal ramifications based on state and federal policies and regulations (e.g. HIPAA)
- Personal lawsuits may be leveled if there is perceived harm

Ransomware Consequences
Reputation
- Ransomware events have become a hot topic and speak poorly of victims regardless of the exact circumstances
- Patients may be hesitant to initiate care, or may reconsider it, if they perceive that a provider is unsafe with their health data
- Customers of any organization, bank, store or other company likewise won’t trust that their data is safe

Who Is Targeted by Ransomware

2016 Is a Ransomware Horror Show
- Ransomware on pace to be 1 billion dollar business in 2016
- CNN Money: new estimates from FBI show that costs from so-called ransomware have reached an all-time high
- Cyber-criminals collected $209 million in first three months of 2016 by extorting businesses and institutions to unlock computer servers

2018 Ransomware Stats
- Damages from ransomware are expected to rise to $11.5 billion this year, 2018
- https://www.backblaze.com/blog/complete-guide-ransomware/

History of Ransomware

Ransomware History

A Short History & Evolution of Ransomware
- Ransomware attacks cause downtime, data loss, and possible intellectual property theft, and a ransomware attack is looked at as a possible data breach

Newest Ransomware And Groups Responsible

Groups and Exploits
- Infamous Shadow Brokers hacker group, active since 2016, has been responsible for leaking several NSA exploits, zero-days and hacking tools
- EternalBlue is an exploit developed by the U.S. National Security Agency (NSA), according to testimony by former NSA employees
- It was leaked by Shadow Brokers on April 14, 2017
- Used as part of worldwide WannaCry ransomware attack on May 12, 2017
- Exploit was also used to help carry out the 2017 NotPetya attack on June 27, 2017
- Also reported to be used as part of Retefe banking trojan since at least September 5, 2017

Eternal Blue Description
- EternalBlue exploits a vulnerability in Microsoft's Server Message Block (SMB) protocol
- Vulnerability is known as CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) database
- Can you guess what kind of vulnerability?
- Exists because the SMB Version 1 server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer

Eternal Blue Description
- On March 14, 2017, Microsoft issued security bulletin MS17-010, detailing the flaw and announcing that patches had been released for all Windows versions
- Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016
- Good analysis of the exploit: https://www.scribd.com/document/365063744/EternalBlue-RiskSense-Analysis-1-2

Scope of Damage via WannaCry
- Many Windows users had not installed patches when, on May 12, 2017, the WannaCry ransomware attack used the EternalBlue vulnerability to spread itself
- By end of 2018, millions of systems were still vulnerable to EternalBlue
- This has led to millions of dollars in damages due primarily to ransomware worms WannaCry, NotPetya and BadRabbit
- Estimated impact: WannaCry, NotPetya and BadRabbit have caused over $1 billion worth of damages in over 65 countries

Ransomware Operation

What Gets Encrypted

TOR Used to Communicate Anonymously

Ransomware Recovery

Steps to Recovery
1 — Isolate the Infection
2 — Identify the Infection
- Rate and speed of ransomware detection is critical in combating fast moving attacks before they succeed in spreading across networks and encrypting vital data
- Most often ransomware will identify itself when it asks for ransom
- There are numerous sites that help identify ransomware, such as ID Ransomware, https://id-ransomware.malwarehunterteam.com/index.php
- The No More Ransomware! Project https://www.nomoreransom.org/en/index.html provides the Crypto Sheriff https://www.nomoreransom.org/crypto-sheriff.php?lang=en to help identify ransomware

Steps to Recovery
3 — Report to the Authorities
- You’ll be doing everyone a favor by reporting all ransomware attacks to the authorities
- The FBI urges ransomware victims to report ransomware incidents regardless of the outcome

Steps to Recovery
4 — Determine Your Options
- Your options when infected with ransomware are:
  - Pay the ransom
  - Try to remove malware
  - Wipe system(s) and reinstall from scratch
- It’s generally considered a bad idea to pay the ransom. Paying the ransom encourages more ransomware, and often unlocking encrypted files is not successful
- In a recent survey, more than three-quarters of respondents said their organization is not at all likely to pay ransom in order to recover their data (77%)
- Only a small minority said they were willing to pay some ransom

Steps to Recovery
5 — Restore or Start Fresh
- You can try to remove malware from your systems, or
- Wipe your systems and reinstall from safe backups and clean OS and application sources
- Recommended: It’s Best to Wipe All Systems Completely !!!
- Surest way of being certain that malware or ransomware has been removed from a system is to do a complete wipe of all storage devices and reinstall everything from scratch
- https://www.backblaze.com/blog/complete-guide-ransomware/
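Step 2 stresses that speed of detection decides how far an attack spreads. The sketch below is an added example, not part of the lecture: it flags a process that writes several high-entropy (encrypted-looking) files in a short window. The event format, thresholds, pids and paths are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ordinary text sits near 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flag_encryption_bursts(events, min_entropy=7.5, window=10.0, limit=3):
    """Return pids that wrote `limit` or more high-entropy files within
    `window` seconds. Thresholds are illustrative assumptions, not tuned."""
    recent = {}    # pid -> timestamps of its recent high-entropy writes
    flagged = []
    for ts, pid, _path, sample in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(sample) < min_entropy:
            continue
        stamps = recent.setdefault(pid, deque())
        stamps.append(ts)
        while ts - stamps[0] > window:    # drop writes older than the window
            stamps.popleft()
        if len(stamps) >= limit and pid not in flagged:
            flagged.append(pid)
    return flagged

# Constructed sample data (not real telemetry). SHA-256 output stands in
# for ciphertext because it is deterministic and looks random.
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
PLAINTEXT = b"Quarterly report draft, internal use only. " * 50
SAMPLE_EVENTS = [  # (time in seconds, pid, path, first bytes written)
    (0.0, 100, "C:/Users/a/notes.txt", PLAINTEXT),
    (1.0, 4242, "C:/Users/a/report.docx", CIPHERTEXT_LIKE),
    # One compressed archive is also high-entropy, so a single write is not enough.
    (1.5, 200, "C:/Users/a/archive.zip", CIPHERTEXT_LIKE),
    (2.0, 4242, "C:/Users/a/budget.xlsx", CIPHERTEXT_LIKE),
    (2.4, 4242, "C:/Users/a/photo.jpg", CIPHERTEXT_LIKE),
    (30.0, 200, "C:/Users/a/archive2.zip", CIPHERTEXT_LIKE),
]

if __name__ == "__main__":
    print(flag_encryption_bursts(SAMPLE_EVENTS))
```

Compressed and media files are legitimately high-entropy, which is why the check keys on a burst from one process rather than on any single file.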

Prevention

Ransomware Prevention

Ransomware Prevention

Ransomware Prevention
3. Operating System
- Ensure security patching is turned on
- Use application whitelisting
  - Only known programs allowed to run

Ransomware Prevention 4. Hardware

Ransomware Prevention 5. User Training

Make Sure Backups Work !!!
- Actually test your backups periodically to ensure they work

Summary
Each decade there arises a new security threat
- 70’s, 80’s and into 90’s – Era of the Virus
- Late 80’s, 90’s, 2000 – Era of the Worm
- 90’s, 2000 and up – Rootkits, Trojans
- 2010 into today – Ransomware
What’s next?

The End