2. About me
A seasoned Information Security professional, speaker and blogger with 13+ years of rich and insightful work experience in the areas of Information Security Assurance, Governance, Risk Management, BCM, Supplier Management, Awareness, IT Security and operational excellence, as well as in influencing team members and management.
CISM, ISO 27001 and Cisco certified Information Security and IT Security professional.
Srinivas Thimmaiah | Ransomware | 14 Feb 2017 Page 2
4. What is Ransomware?
Ransomware is computer malware that installs covertly on a victim's device (computer, smartphone, etc.), executes a cryptovirology attack that adversely affects it, and demands a ransom payment to decrypt the data or to not publish it.
Source: https://en.wikipedia.org/wiki/Ransomware
6. Types of Ransomware
• Encrypts files/folders
• Lock screen ransomware: locks the screen and demands payment
• Interrupts the normal boot process
7. Who are my targets?
Whoever can pay a ransom is my "target".
Business users
• Technology dependent
• Data (customer)
• Stakeholder management
Public/Government agencies
• Data (confidential/secret)
• Technical support
• Reputation
Home users
• Personal data
• Data backup
• Technical support
File extensions targeted for encryption: *.wb2 *.mdf *.dbf *.psd *.pdd *.eps *.ai *.indd *.cdr *.dng *.3fr *.arw *.srf *.sr2 *.bay *.crw
Source: Symantec
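The extension list on this slide is exactly what a file-level detection can key on: a single process rewriting many of these file types within seconds is the signature of an encryptor at work. The following is an added example, not code from the presentation. It replays constructed file-write events (the process names, paths, the 60-second window and the threshold of five files are all assumptions) and raises one alert per process that rewrites several targeted files in a short burst, while a slow backup job touching the same file types is left alone.

```python
"""Detect a burst of writes to ransomware-targeted file types.

Added example: the event lines, process names, window and threshold are all
constructed assumptions, not data or code from the presentation.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath

# Extensions from the slide's target list (Symantec-sourced).
TARGETED_EXTS = {
    ".wb2", ".mdf", ".dbf", ".psd", ".pdd", ".eps", ".ai", ".indd",
    ".cdr", ".dng", ".3fr", ".arw", ".srf", ".sr2", ".bay", ".crw",
}
WINDOW = timedelta(seconds=60)  # assumption: burst window
THRESHOLD = 5                   # assumption: distinct targeted files per window

# Constructed sample events, one per file write: "<ISO time> <pid> <process> <path>".
# backup.exe touches targeted files slowly; update.exe (hypothetical name)
# rewrites six of them within three seconds.
SAMPLE_EVENTS = r"""
2017-02-14T09:00:01 4120 winword.exe C:\Users\alice\Documents\invoice.docx
2017-02-14T09:00:05 2210 photoshop.exe C:\Users\alice\Pictures\cover.psd
2017-02-14T09:03:40 2210 photoshop.exe C:\Users\alice\Pictures\cover.psd
2017-02-14T09:10:00 3030 backup.exe C:\Users\alice\Pictures\IMG_001.arw
2017-02-14T09:12:00 3030 backup.exe C:\Users\alice\Pictures\IMG_002.arw
2017-02-14T09:14:00 3030 backup.exe C:\Users\alice\Pictures\IMG_003.arw
2017-02-14T09:16:00 3030 backup.exe C:\Users\alice\Pictures\IMG_004.arw
2017-02-14T09:18:00 3030 backup.exe C:\Users\alice\Pictures\IMG_005.arw
2017-02-14T09:20:00 7712 update.exe C:\Users\alice\Pictures\IMG_001.arw
2017-02-14T09:20:00 7712 update.exe C:\Users\alice\Pictures\IMG_002.arw
2017-02-14T09:20:01 7712 update.exe C:\Users\alice\Pictures\cover.psd
2017-02-14T09:20:01 7712 update.exe C:\Users\alice\Work\clients.dbf
2017-02-14T09:20:02 7712 update.exe C:\Users\alice\Work\logo.cdr
2017-02-14T09:20:02 7712 update.exe C:\Users\alice\Pictures\raw.dng
"""


def parse_event(line):
    """Split one event line; the path may contain spaces, so split at most 3 times."""
    ts, pid, proc, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), int(pid), proc, path


def is_targeted(path):
    # ntpath handles Windows paths correctly even when this runs on Linux/macOS.
    return ntpath.splitext(path)[1].lower() in TARGETED_EXTS


def detect_bulk_rewrites(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per process that rewrites >= threshold distinct
    targeted files within `window`. Events must arrive in time order."""
    recent = defaultdict(deque)  # pid -> deque of (timestamp, path)
    alerts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, pid, proc, path = parse_event(line)
        if not is_targeted(path):
            continue
        q = recent[pid]
        q.append((ts, path))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and pid not in alerts:
            alerts[pid] = {"pid": pid, "process": proc,
                           "files": len(distinct), "at": ts.isoformat()}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bulk_rewrites(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Counting distinct paths rather than raw events keeps a program that repeatedly saves one file (the photoshop.exe lines) below the threshold, and the sliding window is what separates the backup job from the encryptor: both touch the same extensions, only one does it in seconds.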
8. Top 3 Ransomware Strains of 2016
1. Locky
Locky is ransomware malware released in 2016. It is delivered by email (allegedly an invoice requiring payment) with an attached Microsoft Word document that contains malicious macros.
Researchers detected the first sample of Locky in February 2016. Shortly thereafter, it made a name for itself when it infected the computer systems at Hollywood Presbyterian Medical Center in southern California. Officials chose to temporarily shut down the hospital's IT system while they worked to remove the ransomware, a decision which caused several departments to close and patients to be diverted elsewhere. But without working data backups, the executives at Hollywood Presbyterian ultimately decided to pay the ransom.
2. TeslaCrypt
TeslaCrypt is a malicious program that encrypts users' files using AES encryption.
After months of tracking TeslaCrypt across spam campaigns and exploit kit attacks, security researchers at the Slovakian IT security firm ESET learned its developers intended to abandon the ransomware. The researchers contacted the developers and requested the master decryption key. In response, TeslaCrypt's authors published the key, which ESET used to build a free decryption utility. Victims of the ransomware can now use this tool to regain access to their files.
3. HDDCryptor
HDDCryptor is a nasty family of ransomware. It is capable of enumerating existing mounted drives and encrypting all files, as well as finding and accessing previously connected drives and disconnected network paths.
Researchers first detected HDDCryptor in September 2016. Two months later, the ransomware made headlines when it infected 2,000 systems at the San Francisco Municipal Transportation Agency (SFMTA), or "Muni," and demanded a ransom. Fortunately, the attack did not affect SFMTA's rail and bus service, and the public agency said it would use its working backups to restore access to its systems.
Source: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/top-10-ransomware-strains-2016/
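Locky's delivery vector, a Word attachment carrying macros, can be checked at the mail gateway before the "invoice" ever reaches a user. The following is an added example, not code from the presentation or from any of the strains above. Modern Office files (.docx, .docm, .xlsm) are zip containers, and a VBA project is stored as a `vbaProject.bin` part inside them, so the presence of that part is a reliable indicator that the document carries macros. The sample documents are built in memory as minimal stand-ins (an assumption: they are not real Word files), and the quarantine policy is a hypothetical one.

```python
"""Triage an Office attachment for embedded VBA macros before delivery.

Added example, not code from the presentation. The sample documents are
constructed in memory as minimal stand-ins for real Word files.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
VBA_PART = "vbaproject.bin"  # where OOXML stores the macro project (any folder)


def build_sample_document(with_macros):
    """Constructed minimal OOXML zip (assumption: not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00placeholder-vba-project")
    return buf.getvalue()


def inspect_attachment(data):
    """Classify the container and list any VBA parts it carries.

    has_vba is None when the zip layout alone cannot answer the question:
    legacy OLE2 binary formats, or something that is not an Office container.
    """
    if data.startswith(OLE2_MAGIC):
        return {"format": "ole2", "has_vba": None, "macro_parts": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            # The extension on the filename is not trusted; only the contents are.
            parts = [n for n in z.namelist() if n.lower().endswith(VBA_PART)]
    except zipfile.BadZipFile:
        return {"format": "unknown", "has_vba": None, "macro_parts": []}
    return {"format": "ooxml", "has_vba": bool(parts), "macro_parts": parts}


def should_quarantine(data):
    """Hypothetical policy: hold macro-bearing OOXML files and every legacy
    OLE2 document (which this check cannot inspect); other files pass."""
    result = inspect_attachment(data)
    if result["format"] == "ole2":
        return True
    return bool(result["has_vba"])


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_document(False)),
                       ("macro", build_sample_document(True))):
        print(label, inspect_attachment(doc), "quarantine:", should_quarantine(doc))
```

The check deliberately ignores the attachment's file name: a macro-enabled document renamed to `.docx` still contains its `vbaProject.bin`, and that is what the code looks for. Legacy binary `.doc` files keep their VBA inside an OLE2 compound file rather than a zip, which is why they are held rather than passed; in production that branch would hand the file to an OLE-aware parser such as olevba from the oletools project.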
9. Trends of 2016 & '17
Source: proofpoint.com
Growth in distribution: total ransomware has grown 80% in 2016.
(Figure: Ransomware 2016 and Ransomware 2017 projection; chart not reproduced.)
13. Conclusion
Reasons why we should pay…
• The data is worth more than the ransom
• Business priorities
• To avoid reputation loss
• The demand rises over time (interest)
Reasons why we should NOT pay…
• It may happen again
• The next ransom will be higher
• Criminals can't be trusted
• It encourages the criminals
Maybe yes, maybe no… maybe yes and no.