Don't Wake Up To A Ransomware Attack: CISA - Cybersecurity and Infrastructure Security Agency
Enabling Objectives
• Define ransomware
• Be able to identify signs of a ransomware attack
• Learn mitigation steps of ransomware attacks
• Understand how to recover from a ransomware attack
• Understand impacts of ransomware attacks through case studies
Agenda
1 Introduction and Overview
• Course Description
• Learning Objectives
• Overview
2 IMR
• Identification
• Mitigation
• Response/Recovery
3 Case Studies
• Global Logistics Company
• Local Government
• Major US Newspaper
4 Knowledge Check
$1B: Estimated annual ransomware payments
$84K: Typical cost of recovery from a ransomware attack
$7.5B: Cost of ransomware to U.S. in 2019
56%: Growth of ransomware attacks for 2018-2019
$6T: Global costs of cybercrime by 2021 (*Ransomware makes up a large share)
42%: Percentage of public sector organizations suffering ransomware attacks in last 12 months
May 11, 2020
What is ransomware?
Threat Overview
• Lack of reporting and ransom payments worsen the cycle
• Consider attacks physically destructive
• Significant risk to Nation’s networks
Brief History
• Adam L. Young and Moti Yung introduce a proof of concept for data kidnapping attacks using public key cryptography.
• A non-encrypting ransomware variant, WinLock, required victims to send a premium rate SMS (around $10) to receive an unlock code. The scam spread through Russia and neighboring countries and allegedly earned over $16 million.
• A variant is discovered that spreads through a specific line of network-attached storage devices.
How it works
Infects
• Phishing emails
• Malicious attachments
• Drive-by downloading
Encrypts
• Locks computer
• Blocks network access
• Files are inaccessible
Extorts
• Attackers request payment (ransom) to decrypt the system
• Threaten to destroy decryption key or release data
Who is susceptible?
Well… basically…
EVERYONE!
Who is susceptible?
• Home-users
• Businesses
• Individuals
• Organizations
Most commonly targeted sectors:
• Education
• Government Agencies
• Healthcare
• Energy & Utilities
• Retail
• Finance
Anyone with important data stored on their computer or network is at risk.
Identify the Signs of Ransomware
What are the indicators of a ransomware attack?
• You are locked out!
• Odd file extensions appended to filenames
• Intimidating messages
• “Your computer has been infected with a virus. Click here to resolve the issue.”
• “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
• “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
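As an added example (not part of the CISA deck), the following Python script checks a file share for two of the indicators listed above: clusters of files whose normal extension has an unknown suffix appended, and small text files that read like a ransom note. The extension list, the note phrases and the sample directory tree are assumptions constructed for the demo.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: extensions normally found on this share (tune per environment).
KNOWN_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".csv"}
# Phrases typical of the intimidating messages quoted on the slide.
NOTE_WORDS = re.compile(r"encrypted|ransom|bitcoin|decrypt|unlock|pay", re.IGNORECASE)


def scan_for_indicators(root, min_cluster=3):
    """Walk `root` and return (renamed_files, suffix_clusters, ransom_notes).

    renamed_files:   files like report.docx.locked (known ext + unknown suffix)
    suffix_clusters: appended suffixes seen on at least `min_cluster` files
    ransom_notes:    small .txt files containing several ransom-note phrases
    """
    renamed, notes, suffix_counts = [], [], Counter()
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        sfx = [s.lower() for s in path.suffixes]
        if len(sfx) >= 2 and sfx[-2] in KNOWN_EXTS and sfx[-1] not in KNOWN_EXTS:
            renamed.append(path.relative_to(root).as_posix())
            suffix_counts[sfx[-1]] += 1
        elif sfx and sfx[-1] == ".txt" and path.stat().st_size < 4096:
            if len(NOTE_WORDS.findall(path.read_text(errors="ignore"))) >= 3:
                notes.append(path.relative_to(root).as_posix())
    # One odd file is noise; many files sharing one new suffix is the signal.
    clusters = {ext: n for ext, n in suffix_counts.items() if n >= min_cluster}
    return sorted(renamed), clusters, sorted(notes)


def build_sample_tree():
    """Constructed demo share (not real data): five files renamed with one
    appended suffix, one ransom note, and a few untouched files."""
    root = Path(tempfile.mkdtemp(prefix="ransom_demo_"))
    (root / "finance").mkdir()
    for name in ["report.docx.locked", "budget.xlsx.locked", "photo.jpg.locked",
                 "finance/q1.pdf.locked", "finance/q2.pdf.locked"]:
        (root / name).write_bytes(b"\x00" * 64)
    for name in ["readme.txt", "finance/plan.docx", "archive.tar.gz"]:
        (root / name).write_text("ordinary content, nothing to see")
    (root / "HOW_TO_RECOVER.txt").write_text(
        "All files on your computer have been encrypted. You must pay this ransom "
        "in Bitcoin within 72 hours to receive the decrypt key and unlock your data.")
    return root
```

Run `scan_for_indicators(build_sample_tree())` to see the five renamed files, the `.locked` cluster and the note reported; a single renamed file on its own is not reported as a cluster.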
Ransomware Prevention and Mitigation
Ransomware Response Checklist
Ransomware Recovery
Ransomware Case Studies
Global Logistics Company (GLC)
Scenario Overview
• June 2017
• Global shipping corporation
• 10 day response
• “Collateral damage”
Attack Vector
• NotPetya
• Gained entry via accounting software
• Hackers hijacked software update servers
Global Logistics Company (GLC)
Exploits
• EternalBlue and Mimikatz
• EternalBlue takes advantage of a vulnerability in a particular Windows protocol
• Mimikatz could pull passwords out of RAM and use them to hack into other machines with the same credentials
• Microsoft’s patch for the EternalBlue vulnerability did not protect against the Mimikatz credential-theft path
Global Logistics Company (GLC)
Impacts
• Purely destructive goal: irreversible encryption
• Paralyzed shipping operations
• Tens of thousands of affected endpoints throughout GLC’s global corporate enterprise
• Over $300M in corporate losses
• Over $10 billion in losses across all victims
Major US Newspaper
Scenario Overview
• December 2018
• Major newspaper distributor
Attack Vector
• Ryuk malware
• Enters through other malware or remote desktop vulnerability
• Infects network and automatically spreads
Major US Newspaper
Exploits
• Weak privilege management
• Security patches failed to hold when servers were brought back online, causing re-infection
Impact
• News production and manufacturing process servers were infected
• Delayed production of multiple national newspapers, by a full day in some cases
• Attack was meant to disable infrastructure
Large US City
Scenario Overview
• A U.S. city was the target of a large ransomware attack in March 2018
• Hackers demanded over $50K in bitcoin
• Many city offices were closed for over 5 days due to the attack
Attack Vector
• SamSam
• Targeted U.S. government and infrastructure in 2018 causing $30M in losses
Large US City
Exploits
• Brute force attack guessed weak passwords
• Exploited an unknown JBoss application and Microsoft Remote Desktop Protocol vulnerability
• Attackers escalated privileges, making the attack even more damaging
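The brute-force entry described on this slide leaves a trail of failed remote-desktop logons before the successful one. As an added example (not part of the CISA deck), the following Python function detects that pattern in Windows Security log events: it flags any source address with a burst of failed RDP logons (event 4625, logon type 10) inside a short window and records whether an RDP logon (event 4624) from the same source followed. The event records, addresses, accounts and thresholds are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events (not real logs). Each tuple is
# (timestamp, event_id, logon_type, account, source_ip): 4625 = failed logon,
# 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP.
_BASE = datetime(2018, 3, 22, 2, 0)

def _at(minutes):
    return _BASE + timedelta(minutes=minutes)

SAMPLE_EVENTS = (
    # one source guessing several accounts, then logging in as one of them
    [(_at(m), 4625, 10, acct, "203.0.113.7")
     for m, acct in enumerate(["administrator", "admin", "administrator", "admin",
                               "jdoe", "administrator", "jdoe", "admin"])]
    + [(_at(8), 4624, 10, "jdoe", "203.0.113.7")]
    # a user who mistyped twice and then got in: not a brute-force pattern
    + [(_at(30), 4625, 10, "jsmith", "192.0.2.10"), (_at(31), 4625, 10, "jsmith", "192.0.2.10"),
       (_at(32), 4624, 10, "jsmith", "192.0.2.10")]
    # failures spread 30 minutes apart: never enough inside one window
    + [(_at(60 + 30 * i), 4625, 10, "svc_backup", "198.51.100.5") for i in range(5)]
    # a non-RDP (network, logon type 3) failure that the RDP rule should ignore
    + [(_at(5), 4625, 3, "svc_backup", "203.0.113.7")]
)

def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag any source IP with >= threshold failed RDP logons inside `window`.
    Returns {source_ip: {"failures": n, "accounts": [...], "succeeded_as": acct|None}};
    succeeded_as is an RDP logon from that source at or after the burst."""
    by_src = defaultdict(list)
    for ts, event_id, logon_type, account, src in sorted(events):
        if logon_type == 10:
            by_src[src].append((ts, event_id, account))
    findings = {}
    for src, rows in by_src.items():
        fails = [(ts, acct) for ts, eid, acct in rows if eid == 4625]
        start = 0
        for end in range(len(fails)):  # sliding window over the failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end][0]
                success = next((a for ts, eid, a in rows if eid == 4624 and ts >= burst_end), None)
                findings[src] = {"failures": len(fails), "succeeded_as": success,
                                 "accounts": sorted({a for _, a in fails})}
                break
    return findings
```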
Large US City
Impacts
• 5 of 13 local government departments
• Police had to write incident reports by hand
• Forced manual processing of cases at Municipal Court
• Stopped online or in person municipal payments
• Years’ worth of data lost
• Cost over $2.6M in emergency efforts
• One third of software and applications remained affected 6 months post-attack
Large US City
From an IMR standpoint…
• How was this attack identified?
  • Outages on numerous applications and services
• How mitigated?
  • Immediate shutdown of most of the city’s network
• How recovered?
  • City officials quickly reached out for help
  • Worked with their information management team to identify the threat and its magnitude, and to protect the perimeter of the technology footprint
Knowledge Check
Knowledge Check
❍Floppy disks
❍Sharing passwords
❍Phishing emails
❍Using a VPN
Knowledge Check
❍Floppy disks
❍Sharing passwords
Phishing emails
❍Using a VPN
Knowledge Check
❍True
❍False
Knowledge Check
❍True
False
Knowledge Check
❍Your desktop is locked, with a message displayed about how to unlock it.
❍Your files have new file extensions appended to filenames.
❍Your network is running extremely slow.
❍You are prompted with a notification claiming your computer has been infected with a virus,
and you must click a link to resolve the issue.
Knowledge Check
❍Your desktop is locked, with a message displayed about how to unlock it.
❍Your files have new file extensions appended to filenames.
Your network is running extremely slow.
❍You are prompted with a notification claiming your computer has been infected with a virus,
and you must click a link to resolve the issue.
Knowledge Check
What measures can you take to help prevent becoming a casualty of ransomware?
Knowledge Check
❍True
❍False
Knowledge Check
❍True
False
Knowledge Check
❍True
❍False
Knowledge Check
❍True
False
Knowledge Check
❍Credit card
❍Wire transfer
❍Ethereum
❍Bitcoin
Knowledge Check
❍Credit card
❍Wire transfer
❍Ethereum
Bitcoin
Knowledge Check
❍True
❍False
Knowledge Check
❍True
False
Key Takeaways
• Back up data
• Update security solutions
• Practice good cyber hygiene
• Whitelist applications
• Limit privileges
• Employ multifactor authentication
• Browse safely
• Secure email handling
• Pay attention to global ransomware events and apply lessons learned
Additional Ransomware Resources