6. Copyright 2016, Symantec Corporation
The common infection vector
• Email
– Link to malicious file on Dropbox & Co.
– Office document with malicious macro
– Script file (JavaScript, VBS, PowerShell, …)
• Sometimes in a container (Zip, RAR, HTA, WSF, LNK, …) with password
• Infected websites
– Web exploit toolkits (1.4 million attacks blocked per day)
• Rig, Magnitude etc.
– Malvertisement
• With any coding language out there
– Incl. Python, PowerShell, JS, Google's Go language, …
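As an added illustration (not from the Symantec deck), a small attachment-triage routine in Python that flags the lure types listed above: plain script files, double extensions such as Rechnung.pdf.js, and ZIP containers that hold scripts. It relies on the fact that ZIP stores entry names in clear even when the content is password-protected; the sample archive, the file names and the flag-patching helper are constructed for this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Lure types named in the deck; only ZIP containers are parsed here (RAR would need extra libs).
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".ps1", ".wsf", ".hta", ".lnk", ".cmd", ".bat"}
CONTAINER_EXT = {".zip"}

def _suffixes(name):
    # all suffixes, so "Rechnung.pdf.js" yields [".pdf", ".js"] and the decoy stays visible
    return [s.lower() for s in PurePosixPath(name).suffixes]

def triage_attachment(name, data):
    """Findings for one attachment: script file, double extension, or a ZIP holding scripts.
    ZIP entry names are stored in clear even when the content is password-protected."""
    findings, sfx = [], _suffixes(name)
    if sfx and sfx[-1] in SCRIPT_EXT:
        findings.append(f"script attachment: {name}")
        if len(sfx) > 1:
            findings.append(f"double extension: {name}")
    if sfx and sfx[-1] in CONTAINER_EXT:
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return findings + [f"unparseable zip: {name}"]
        for info in zf.infolist():
            inner = _suffixes(info.filename)
            if inner and inner[-1] in SCRIPT_EXT:
                pw = "password-protected " if info.flag_bits & 0x1 else ""
                findings.append(f"{pw}script inside {name}: {info.filename}")
    return findings

def _mark_encrypted(zip_bytes):
    # Constructed-sample helper: zipfile cannot write encrypted archives, so set the
    # "encrypted" flag bit by hand in the local header (offset 6) and the central
    # directory entry (offset 8) of this single-entry archive.
    buf = bytearray(zip_bytes)
    buf[6] |= 1
    buf[buf.find(b"PK\x01\x02") + 8] |= 1
    return bytes(buf)

def build_sample_zip():
    """Constructed lure: a 'password-protected' ZIP holding a double-extension script."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("Rechnung.pdf.js", "WScript.Echo('placeholder, not a payload');")
    return _mark_encrypted(out.getvalue())

if __name__ == "__main__":
    for n, d in [("invoice.zip", build_sample_zip()), ("scan.pdf.vbs", b""), ("report.pdf", b"")]:
        print(n, triage_attachment(n, d))
```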
Hard work never killed anyone, but why take the chance?
13. Show me the money
[Chart: average ransom demand per year. 2014: $372.53, 2015: $294.14, 2016: $679.65]
• Ransom is usually requested in Bitcoins
• The average ransom has more than doubled in the last year
Artificial intelligence is no match for natural stupidity.
14. How to make even more money?
• Payment features
– Tesla chat support and free sample decryption
– CryptXXX steals Bitcoin wallet data
– Cerber adds machines to a botnet to carry out DDoS attacks
– Use of Amazon/iTunes/phone gift cards instead of Bitcoins
• New threats added to the ransom note
– Chimera threatens to post personal data online
– Jigsaw deletes random files over time
– Stampado re-encrypts files already encrypted by other cryptolockers
– Virlock spreads to shares and cloud storage as a file infector
I didn't say it was your fault, I said I was blaming you.
15. Where are the victims?
[Map: victims by country. United States 31%, Japan 8%, Germany 4%, Australia 4%, Canada 3%, India 3%, Italy 3%; the United Kingdom, Belgium and the Netherlands are also marked, with 8%, 5% and 2% shown near them, but the extracted labels cannot be matched to a country reliably.]
Is “NO” the correct answer to this question?
Currently a big wave in Brazil
16. Businesses as a target
43% of ransomware infections occur inside organizations
Employees like to open private emails at work
Smith & Wesson: The original point and click interface.
17. Advanced attack techniques
Recent ransomware attacks use tactics and techniques typically seen in “APT”-style attacks:
• Infiltration: exploit server-side vulnerabilities to gain access to the network.
• Reconnaissance: attackers gather information that may help in later stages of the attack, such as the back-up policy. Information gathered may also be used in the ransom note.
• Lateral movement: attackers use publicly available tools to plot out and traverse the network and gain access to strategic locations like ICS or DB systems.
• Stealth: once the attack has been successfully carried out, the attackers attempt to hide their tracks by removing any tools used.
What happens if you get scared half to death, twice?
18. Example: SamSam case
• Entry point was an unpatched web server; exploited a JBoss vulnerability with JexBoss
• Used PsExec and retrieved passwords to traverse the network
• Deleted backups to make recovery difficult
• Deployed the SamSam strain of ransomware
• Removed copies of the malware and associated tools to hide tracks
• Ransom was 1.5 Bitcoin (~US$989) for each computer
Everyone is entitled to his own opinion, but not to his own facts.
19. Further TTPs seen
• Attack remote access tools
– Brute-forcing passwords for RDP, TeamViewer, VNC, FTP, …
• Exploit a web server and jump further from there
– SQL injection to modify DB content
• Spear phishing
• Some groups try POS or BEC scams first, and then move to ransomware
• Some “APT” groups use ransomware instead of a wiper to hide their intention
I can explain it to you, but I cannot understand it for you.
Not very sophisticated, but often successful
20. What are they after?
• Documents
• Databases (encrypt data or change the password)
• File shares/cloud (even if not mapped: passwords from mimikatz or enumeration tools)
• Websites
– E.g. added «mcrypt_encrypt()» to DB calls
• The backups (to delete them, infect them or encrypt them)
• In some rare cases industrial controllers; more likely classical blackmailing
If I agreed with you we’d both be wrong
21. Victim organization profile
Victim organizations by sector:
• Services: 37.8%
• Manufacturing: 17.2%
• Public Administration: 10.2%
• Finance, Insurance, & Real Estate: 9.8%
• Wholesale: 8.9%
• Transportation, Comms, & Utilities: 6.6%
• Retail: 4.3%
• Construction: 3.9%
• Mining: 1.0%
• Agri, Forestry, & Fishing: 0.5%
What about Healthcare? Healthcare is seeing more targeted attacks and is therefore not reflected in the numbers.
All generalizations are false.
23. Protection strategies
• Backup your data (out of reach!)
• Keep your system and software up to date
• Double-check shared folders
– Does it auto-sync to the cloud?
– How is your file server protected?
• Follow best practices (2FA, security software, …)
– Disable scripts, PowerShell etc. if you don't use them
• Be prepared: play the exercise drill
• Some have experimented with «honeyfiles» and «folder-sinkholes»
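As an added example (not part of the deck and not a Symantec tool), a minimal honeyfile check in Python: it plants a canary document in each watched folder, records its SHA-256, and on each run reports canaries that are missing (deleted or renamed) or rewritten, which is what a cryptolocker working through a share looks like from the file system. The canary name, the folder and the demo scenario are constructed for this example.

```python
import hashlib
import os
import secrets
import tempfile

# Name chosen to sort early in a directory listing, so mass encryption tends to hit it first.
CANARY_NAME = "00_honey_invoice.docx"

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def plant_honeyfiles(dirs):
    """Drop one canary into every directory; return the baseline {path: sha256}."""
    baseline = {}
    for d in dirs:
        path = os.path.join(d, CANARY_NAME)
        with open(path, "wb") as f:
            f.write(b"HONEYFILE " + secrets.token_hex(16).encode())  # random, so no two are alike
        baseline[path] = sha256_file(path)
    return baseline

def check_honeyfiles(baseline):
    """Return alerts; an empty list means every canary is untouched."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append(f"MISSING {path} (deleted or renamed, e.g. to .locked)")
        elif sha256_file(path) != digest:
            alerts.append(f"MODIFIED {path} (content rewritten, possible encryption)")
    return alerts

def demo():
    """Constructed scenario in a temp dir: clean check, then overwrite, then rename."""
    with tempfile.TemporaryDirectory() as share:
        base = plant_honeyfiles([share])
        clean = check_honeyfiles(base)
        canary = next(iter(base))
        with open(canary, "wb") as f:
            f.write(os.urandom(64))            # simulate in-place encryption
        rewritten = check_honeyfiles(base)
        os.rename(canary, canary + ".locked")  # simulate rename after encryption
        renamed = check_honeyfiles(base)
    return tuple([a.split()[0] for a in r] for r in (clean, rewritten, renamed))

if __name__ == "__main__":
    print(demo())  # ([], ['MODIFIED'], ['MISSING'])
```

In practice the check would run on a schedule against the real shares, and any alert is a trigger to isolate the share and start the exercise drill mentioned above.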
Always remember you're unique, just like everyone else.
25. Summary – keep your data safe!
• 100 new families identified in 2015, most not sophisticated
• Scripts are popular to evade first-step detection
• Employees in organizations represent 43% of infections
• There are ransomware groups going after organizations
• Most attacks are not targeted, but still devastating
• It is profitable for the attackers, so it won’t go away overnight
Better to understand a little than to misunderstand a lot.