
CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

DON’T WAKE UP TO A RANSOMWARE ATTACK


Learning Objectives
Terminal Objective
Understand the fundamentals of ransomware and the impact it can have on your organization

Enabling Objectives
• Define ransomware
• Be able to identify signs of a ransomware attack
• Learn mitigation steps of ransomware attacks
• Understand how to recover from a ransomware attack
• Understand impacts of ransomware attacks through case studies

Agenda

1. Introduction and Overview
• Course Description
• Learning Objectives
• Overview
2. IMR
• Identification
• Mitigation
• Response/Recovery
3. Case Studies
• Global Logistics Company
• Local Government
• Major US Newspaper
4. Knowledge Check

Ransomware by the Numbers

$1B: Estimated annual ransomware payments
$84K: Typical cost of recovery from a ransomware attack
$7.5B: Cost of ransomware to U.S. in 2019
56%: Growth of ransomware attacks for 2018-2019
$6T: Global costs of cybercrime by 2021 (*Ransomware makes up a large share)
42%: Percentage of public sector organizations suffering ransomware attacks in last 12 months

May 11, 2020
What is ransomware?

Ransomware is a type of malicious software, or “malware”, that locks access to a computer system or files by encrypting its data, until a ransom is paid.

Threat Overview

• Lack of reporting and ransom payments worsen the cycle
• Consider attacks physically destructive
• Significant risk to Nation’s networks

Brief History

1989: The first known malware extortion attack. Joseph Popp creates the AIDS Trojan, or "PC Cyborg."
1996: Adam L. Young and Moti Yung introduce a proof of concept for data kidnapping attacks using public key cryptography.
2008: Gpcode.AK is the first variant detected using a 1024-bit RSA key, making decryption infeasible without a concerted distributed computing effort.
2010: A non-encrypting ransomware variant, WinLock, required victims to send a premium rate SMS (around $10) to receive an unlock code. The scam spread through Russia and neighboring countries and allegedly earned over $16 million.
2013: The propagation of CryptoLocker introduces the use of Bitcoin to pay ransom demands, and procures an estimated $27 million in ransom payments over two months. Ransomware variants explode.
2014: A variant is discovered that spreads through a specific line of network-attached storage devices.
2017: WannaCry uses the exploit vector EternalBlue to infect over 230,000 computers in over 150 countries, including government agencies, national healthcare systems, and Fortune 50 companies in an unprecedented scale of attack.

How it works

Infects
• Phishing emails
• Malicious attachments
• Drive-by downloading

Encrypts
• Locks computer
• Blocks network access
• Files are inaccessible

Extorts
• Attackers request payment (ransom) to decrypt the system
• Threaten to destroy decryption key or release data

Who is susceptible?

Well… basically…

EVERYONE!

Who is susceptible?

• Home-users
• Businesses
• Individuals
• Organizations

Anyone with important data stored on their computer or network is at risk.

Most commonly targeted sectors:
• Education
• Government Agencies
• Healthcare
• Energy & Utilities
• Retail
• Finance

Identify the Signs of Ransomware
What are the indicators of a ransomware attack?
• You are locked out!
• Odd file extensions appended to filenames
• Intimidating messages
  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

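Two of the indicators above, appended file extensions and ransom-note messages, can be checked for mechanically. The following Python script is an added example and not part of the CISA deck: it scans a constructed file-share listing for a new extension tacked onto many files of different types and for small text files that read like the quoted ransom messages. The extension baseline, thresholds and phrase patterns are assumptions to tune per environment.

```python
import os
import re
from collections import defaultdict

# Assumed baseline of extensions that are normal on this (constructed) file share.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".csv"}

# Phrases typical of the intimidating messages quoted on the slide.
NOTE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bencrypted\b", r"\bpay\b.*\b(ransom|fine|bitcoin)\b",
    r"\bwithin \d+ hours\b", r"\binfected with a virus\b", r"\bunlock\b")]

def appended_suffix(path):
    # 'report.docx.locked' -> '.locked'; 'report.docx' or 'notes.txt' -> None
    stem, last = os.path.splitext(path)
    prev = os.path.splitext(stem)[1].lower()
    if prev in KNOWN_EXTENSIONS and last.lower() not in KNOWN_EXTENSIONS:
        return last.lower()
    return None

def looks_like_ransom_note(text):
    # Require two distinct phrases so one word like "unlock" alone does not trigger.
    return sum(1 for p in NOTE_PATTERNS if p.search(text)) >= 2

def scan_listing(listing, min_files=3):
    """listing: iterable of (path, text-or-None). Flags an appended extension when it
    appears on >= min_files files of >= 2 original types, and files that read like notes."""
    count, origins, notes = defaultdict(int), defaultdict(set), []
    for path, text in listing:
        suffix = appended_suffix(path)
        if suffix:
            count[suffix] += 1
            origins[suffix].add(os.path.splitext(os.path.splitext(path)[0])[1].lower())
        if text and looks_like_ransom_note(text):
            notes.append(path)
    flagged = {s: n for s, n in count.items() if n >= min_files and len(origins[s]) >= 2}
    return {"appended_extensions": flagged, "ransom_notes": sorted(notes)}

# Constructed listing of a file share after an imagined incident (not real data).
SAMPLE_LISTING = [
    ("finance/q1.xlsx.locked", None), ("finance/q2.xlsx.locked", None),
    ("hr/handbook.docx.locked", None), ("hr/photo.jpg.locked", None),
    ("hr/notes.txt", "Meeting moved to 3pm."), ("ops/plan.pdf", None),
    ("ops/backup.csv.bak", None),  # a single odd suffix: below threshold, not flagged
    ("README_TO_DECRYPT.txt", "All files on your computer have been encrypted. "
     "You must pay this ransom within 72 hours to regain access to your data."),
]
```

Running `scan_listing(SAMPLE_LISTING)` reports `.locked` on four files of three original types and the single note file; a lone `.bak` stays below the threshold.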
Ransomware Prevention and Mitigation

Actions for Today – Make Sure You’re Not Tomorrow’s Headline:

1. Backup your data offline
2. Manage patches
3. Update security solutions
4. Prepare your incident response plan
5. Maintain global situational awareness

Ransomware Prevention and Mitigation

Actions to Recover If Impacted – Don’t Let a Bad Day Get Worse:

1. Ask for help!
2. Work with experts
3. Isolate infection
4. Review the connections
5. Prioritize recovery

Ransomware Prevention and Mitigation

Actions to Secure Your Environment Going Forward – Don’t Let Yourself be an Easy Mark:

1. Practice good cyber hygiene
2. Segment networks
3. Develop containment strategies
4. Know your system’s baseline
5. Review recovery procedures

Ransomware Response Checklist

• Isolate the infected computer immediately
• Isolate or power-off affected devices
• Immediately secure backup data or systems
• Contact law enforcement
• Secure partial portions of the ransomed data that might exist
• Change all online account passwords and network passwords
• Delete Registry values and files

Ransomware Recovery

• It’s difficult; get help!
• Ransom payment is risky and incentivizes attacks
• Planning and preparation are key

Ransomware Case Studies

• Global Logistics Company
• Local Government
• Major US Newspaper

Global Logistics Company (GLC)

Scenario Overview
• June 2017
• Global shipping corporation
• 10 day response
• “Collateral damage”

Attack Vector
• NotPetya
• Gained entry via accounting software
• Hackers hijacked software update servers

Global Logistics Company (GLC)

Exploits
• EternalBlue and Mimikatz
• EternalBlue takes advantage of a vulnerability in a particular Windows protocol
• Mimikatz could pull passwords out of RAM and use them to hack into other machines with the same credentials
• Applying Microsoft’s EternalBlue patch alone did not stop the attack, because Mimikatz still spread it using stolen credentials

Global Logistics Company (GLC)

Impacts
• Purely destructive goal: irreversible encryption
• Paralyzed shipping operations
• Tens of thousands of affected endpoints
throughout GLC’s global corporate enterprise
• Over $300M in corporate losses
• Over $10 billion in losses across all victims

Global Logistics Company (GLC)

How was the attack Identified?

• Messages on user screens
• Ransom demand for $300 (Bitcoin)
• Some computers spontaneously restarted
• 7 minutes to infect global network

Global Logistics Company (GLC)

How did GLC Mitigate?

• Computers turned off
• Machines manually unplugged from the network
• Entire global network was disconnected within 2 hours of initial indications

Global Logistics Company (GLC)

How did the GLC Recover?

• Human resilience, openness, and transparency
• Impromptu Emergency Operations Center (EOC)
• Augmented staff with outside expertise
• Purchased new equipment
• Effort hinged on a single surviving domain controller
• 10 days to rebuild entire network
• Reissued personal computers to most staff after 2 weeks
• 2 months until full system recovery
• In the wake of NotPetya, approvals for security measures were immediate

Major US Newspaper

Scenario Overview
• December 2018
• Major newspaper distributor

Attack Vector
• Ryuk malware
• Enters through other malware or remote desktop vulnerability
• Infects network and automatically spreads

Major US Newspaper

Exploits
• Weak privilege management
• Security patches failed to hold when servers were brought back online, causing re-infection

Impact
• News production and manufacturing process servers were infected
• Delayed production of multiple national newspapers, by a full day in some cases
• Attack was meant to disable infrastructure

Major US Newspaper

From an IMR standpoint…

• How was this attack Identified?
  • Server outage led to disabled printing transmission
  • Ransom note was discovered
• How was the attack Mitigated?
  • Isolated malicious code and infected servers
• How did the organization Recover?
  • Operational within 24 hours
  • Identified need to improve privilege management

Large US City

Scenario Overview
• A U.S. city was the target of a large ransomware attack in March 2018
• Hackers demanded over $50K in bitcoin
• Many city offices were closed for over 5 days due to the attack

Attack Vector
• SamSam
• Targeted U.S. government and infrastructure in 2018 causing $30M in losses

Large US City
Exploits
• Brute force attack guessed weak passwords
• Exploited an unknown JBoss application and
Microsoft Remote Desktop Protocol vulnerability
• Attackers escalated privileges, making the attack
even more damaging

Large US City
Impacts
• 5 of 13 local government departments
• Police had to write incident reports by hand
• Forced manual processing of cases at Municipal
Court
• Stopped online or in person municipal payments
• Years’ worth of data lost
• Cost over $2.6M in emergency efforts
• One third of software and applications remained
affected 6 months post-attack

Large US City
From an IMR standpoint…

• How was this attack Identified?
  • Outages on numerous applications and services
• How mitigated?
  • Immediate shutdown of most of city’s network
• How recovered?
  • City officials quickly reached out for help
  • Worked with their information management team to identify the threat and its magnitude, and to protect the perimeter of the technology footprint

Knowledge Check

Which describes the typical way ransomware is spread today?

❍ Floppy disks
❍ Sharing passwords
❍ Phishing emails
❍ Using a VPN

Answer: Phishing emails

Knowledge Check

Ransomware only impacts businesses.

❍ True
❍ False

Answer: False

Knowledge Check

Common indicators of a ransomware attack include all the following except:

❍ Your desktop is locked, with a message displayed about how to unlock it.
❍ Your files have new file extensions appended to filenames.
❍ Your network is running extremely slow.
❍ You are prompted with a notification claiming your computer has been infected with a virus, and you must click a link to resolve the issue.

Answer: Your network is running extremely slow.

Knowledge Check

What measures can you take to help prevent becoming a casualty of ransomware?

❍ Backup your data
❍ Update and patch your systems
❍ Ensure your security solutions are up to date
❍ All of the above

Answer: All of the above

Knowledge Check

Cost of ransomware to the U.S. in 2019 was $1 Trillion.

❍ True
❍ False

Answer: False

Knowledge Check

Ransomware can do the following:

❍ Make computer files inaccessible
❍ Block network access
❍ Destroy data
❍ All of the above

Answer: All of the above

Knowledge Check

Which of the following is NOT a priority during immediate ransomware response:

❍ Isolate infected computers
❍ Create a ransomware incident response plan
❍ Secure backup data or systems
❍ Contact law enforcement

Answer: Create a ransomware incident response plan

Knowledge Check

Paying ransom will ensure that your systems/devices/data are decrypted.

❍ True
❍ False

Answer: False

Knowledge Check

What is the most requested form of ransom payment?

❍ Credit card
❍ Wire transfer
❍ Ethereum
❍ Bitcoin

Answer: Bitcoin

Knowledge Check

Reports of ransomware attacks go back to the early 1970s.

❍ True
❍ False

Answer: False

Key Takeaways

• Review and exercise your incident response plan
• Practice good cyber hygiene:
  • Back up data
  • Update security solutions
  • Whitelist applications
  • Limit privileges
  • Employ multifactor authentication
  • Browse safely
  • Secure email handling
• Pay attention to global ransomware events and apply lessons learned

Additional Ransomware Resources

• US CERT Website: Ransomware
• Ransomware: What It Is and What To Do About It
• CISA Insights: Ransomware Outbreak
• Center for Internet Security: Ransomware