
Ransomware: The Not So Good, Really Bad and Truly Ugly!

Erich Kron
Security Awareness Advocate
KnowBe4

24 April 2018
WELCOME

To receive your CPE credit:
1. Complete 3 checkpoints, or
2. Watch the recorded version from the beginning to the very end.
3. Don’t forget to take the survey!

Audio is streamed over your computer.
Dial-in numbers and codes are on the left.
Have a question for the speaker? Access the Q&A tab.
Technical issues? Access the Help tab.
Questions or suggestions? Visit https://support.isaca.org

Use the Papers tab to find the following:
1. PDF copy of today’s presentation.
2. CPE job aid.
TODAY’S SPEAKER

Erich Kron
Security Awareness Advocate
KnowBe4
AGENDA

• Current phishing trends

• Ransomware and how it is infecting networks

• Recovering from an attack

• Effective mitigation strategies


Phishing: By The Numbers
Employees Are the Last Line of Defense

• A staggering 91% of successful data breaches started with a spear phishing attack
• CEO fraud (aka Business Email Compromise) is estimated to exceed $9 billion in 2018
• W-2 scams social engineer Accounting/HR into sending tax forms to the bad guys
The Costs of Breaches and Ransomware Attacks

• In 2017 ransomware grew 300% over 2016
• Ransomware damages are predicted to exceed $11.5 billion by 2019, and continue to grow
• Over 153,000 users were hit by mobile ransomware in 2016
Why Do People Click On Phishing Links So Quickly?

Recent studies show that over 54.9% of users click on a phishing link in under 60 minutes.
Ransomware: Know The Enemy
The Anatomy of a Ransomware Attack

-- sort of --

[Diagram: Internet]
Recent Attacks

City of Atlanta

• SamSam variant
• Ransom demand is $6,800 per machine or $51,000 for all
• Outages include customer-facing applications, online bill payment and court-related information access
• “We don't know the extent so we just ask that you be vigilant, all of us are subject to this attack, if you will. Many of us pay our bills online, we have direct deposit, so go online and check your bank statements.” - Mayor Keisha Lance Bottoms
Recent Attacks

Hancock Health, Greenfield, Indiana

• Variant of SamSam
• Ransom paid was roughly $55,000
• They paid the ransom even though they had good backups, because it was easier than having to restore all of the damage
• The hacker gained access to the system through the hospital’s remote-access portal using an outside vendor’s credentials
Recent Attacks

Allscripts.com

• Variant of SamSam (not the same one as Hancock)
• Impacted business for 8 days, potentially affecting 45,000 physician practices, 180,000 physicians and countless patients
• They brought in incident response teams from Microsoft and Cisco, and got Mandiant involved as well
• Now there is a class-action suit filed on behalf of the practices and physicians impacted
Recent Attacks

Mecklenburg County, North Carolina

• An employee opened a malicious email attachment
• Ransomware subsequently encrypted the County’s files and also loaded a crypto-mining program
• LockCrypt strain with a $23,000 ransom demand hit 48 servers
• “I don’t think we were targeted, I don’t think we were at fault. There have been many, many institutions that have been breached. I think we do everything we can to keep our firewall secure.” - County manager Dena Diorio
Recent Attacks

Cockrell Hill Police Department, Texas

• “OSIRIS” variant of Locky ransomware infection causes the loss of 8 years of police department evidence
• The Chief said, “Our automatic backup started after the infection, so it just backed up infected files”
• The press release states that this is the result of a phishing email
Recent Attacks

Licking County, OH

• Ransomware took down online access, and landline phones were out.
• More than 1,000 government computer systems were shut down.
• 911 center computers were down and staff had to log contacts manually.
• County auditor Mike Smith found a bright side and said, “Apparently, our clock still works.”
Infected Apps: LeakerLocker distributed via Google Play Store

• This is Android doxware
• Does not root; relies on permissions granted during install, and locks the screen
• Found in the "Wallpapers Blur HD" and "Booster & Cleaner Pro" apps
• Both were part of a rewards program that paid users to install an app

Image Source: bleepingcomputer.com/

Ransomware as a Service (RaaS)

• This is designed to let people who are not technical set up attacks
• There are different ways of doing this; for example, Philadelphia is $400, Dot is free with a 50/50 split of profits, and the Saturn and Cerber RaaS models are free with a 70/30 affiliate/malware developer split

Image Credit: bleepingcomputer.com
The Future of Ransomware
Protecting Your Organization

• Train Your Users – This is our number one suggestion because it works. An untrained staff is an incident waiting to happen. Most technical solutions are reactive and respond after an attack. It is important to have them to minimize the damage, but we prefer to prevent the attack
• Have Weapons-Grade Backups – Backups do no good if they are encrypted by the ransomware, so they have to be isolated from the network
• Segment the Network – Marketing computers rarely need to have network access to the SQL servers or accounting systems
• Principle of Least Privilege – Not everyone should be an administrator. The less access users have, the less malware can spread
• Remove Internet-Facing RDP – If you need remote access, VPN first
• Keep Up With Patches – OS and applications need to be kept patched
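The Cockrell Hill case earlier in the deck (the automatic backup ran after the infection and overwrote good copies with encrypted ones) is exactly the failure the "weapons-grade backups" point guards against. As an added example that is not part of the presentation, the following Python sketch shows a backup-job guard that refuses to replace the last good snapshot when a run suddenly swaps plaintext files for high-entropy, encrypted-looking content; the sample files, the entropy threshold and the 20% suspect ratio are constructed assumptions, not figures from the deck.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    # Tiny files give noisy entropy, so only judge files of a reasonable size.
    return len(data) >= 512 and shannon_entropy(data) >= threshold

def backup_guard(last_good: dict, candidate: dict, max_suspect_ratio: float = 0.2):
    """Decide whether a backup run may replace the last good snapshot.

    Both arguments map path -> file contents. A file is suspect when it changed,
    the old version was not high-entropy and the new one is (the signature of a
    plaintext file replaced by its encrypted copy). If suspect files make up too
    large a share of the changes, the run is refused and the snapshot is kept.
    Returns (allowed, suspect_paths).
    """
    changed = [p for p, d in candidate.items() if last_good.get(p) != d]
    suspect = [p for p in changed
               if p in last_good
               and looks_encrypted(candidate[p]) and not looks_encrypted(last_good[p])]
    ratio = len(suspect) / len(changed) if changed else 0.0
    return ratio < max_suspect_ratio, suspect

# Constructed sample data (assumption, not from the deck): three plaintext
# "evidence" files, and the same paths after ransomware rewrote them. Seeded
# pseudo-random bytes stand in for ciphertext so the example is deterministic.
_rng = random.Random(1234)
SAMPLE_FILES = {
    f"case_{i:04d}.txt": (f"Case 2017-{i:04d}: evidence log entry, officer on scene\n" * 40).encode()
    for i in (412, 587, 903)
}
ENCRYPTED_FILES = {p: bytes(_rng.getrandbits(8) for _ in range(2048)) for p in SAMPLE_FILES}
# A legitimate change: one file gained a line, the others are untouched.
LEGIT_EDIT = dict(SAMPLE_FILES)
LEGIT_EDIT["case_0412.txt"] += b"Addendum: item bagged and tagged.\n"

if __name__ == "__main__":
    for label, run in (("ransomware run", ENCRYPTED_FILES), ("normal run", LEGIT_EDIT)):
        allowed, suspect = backup_guard(SAMPLE_FILES, run)
        print(f"{label}: allowed={allowed}, suspect={suspect}")
```

A brand-new file with no prior version (a photo, an archive) is never flagged, so the check targets the replace-in-place pattern rather than every high-entropy file.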
How can we protect our current businesses?

• Give the users a way to provide the suspect email to someone who can review it
• “Train your employees with regard to phishing, and provide them with a quick and easy way to report suspicious emails.” - 2017 Verizon DBIR
Other Threat Vectors

• Don’t plug random stuff into your devices
• USB thumb drives are fast and can hold a lot of data.
• A recent study carried out by a team led by Elie Bursztein, the Google anti-fraud and abuse research team lead, dropped almost 300 thumb drives on the University of Illinois Urbana-Champaign campus. 98% of the drives were picked up and in 45% of those, people picked up the drives AND clicked on the files.
• These were regular low-tech USB sticks, not HID devices like the Rubber Ducky.
Other Threat Vectors

• Don’t plug your devices into random stuff
• Juice-jacking is using a USB charging kiosk or other device to pull data from a cell phone or other device.
• Don’t plug into unsecured or public charging kiosks.
• Don’t ever use a stranger’s laptop to charge your device, no matter how badly you need to check the football scores.
• Use a “USB condom” in questionable scenarios.

[Image: Pwn-o-Matic]
Users: Arm Them For Battle
Comprehensive Programs Work

• Most security awareness programs are still too superficial and done for compliance reasons
• What is missing is the correct estimation of the adversary being faced and the degree of commitment an organization has to have to stave off attacks
• Training on its own, typically once a year, isn’t enough
• Simulated phishing of groups of employees on its own doesn’t work
• But together, they can be combined to greatly increase effectiveness
Training: How To Do It Right
Build A Security Awareness Program That WORKS!

Baseline Testing
We provide baseline testing to assess the Phish-prone™ percentage of your users through a free simulated phishing attack.

Train Your Users
The world's largest library of security awareness training content, including interactive modules, videos, games, posters and newsletters. Automated training campaigns with scheduled reminder emails.

Phish Your Users
Best-in-class, fully automated simulated phishing attacks, hundreds of templates with unlimited usage, and community phishing templates.

See the Results
Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!
Security Awareness Training Program That Works

• Drawn from a data set of over six million users
• Across nearly 11K organizations
• Segmented by industry type and organization size
• 241,762 Phishing Security Tests (PSTs)
About Us

Over 17,000 customers

• The world’s most popular integrated Security Awareness Training and Simulated Phishing platform
• Based in Tampa Bay, Florida, founded in 2010
• CEO & employees are ex-antivirus, IT Security pros
• Former Gartner Research Analyst Perry Carpenter is our Chief Evangelist and Strategy Officer
• 200% growth year over year
• We help thousands of organizations manage the problem of social engineering
QUESTIONS?

This training content (“content”) is provided to you without warranty, “as is” and “with all
faults”. ISACA makes no representations or warranties express or implied, including
those of merchantability, fitness for a particular purpose or performance, and non-
infringement, all of which are hereby expressly disclaimed.

You assume the entire risk for the use of the content and acknowledge that: ISACA has designed the content primarily as an educational resource for IT professionals and therefore the content should not be deemed either to set forth all appropriate procedures, tests, or controls or to suggest that other procedures, tests, or controls that are not included may not be appropriate; ISACA does not claim that use of the content will assure a successful outcome and you are responsible for applying professional judgement to the specific circumstances presented to determine the appropriate procedures, tests, or controls.

Copyright © 2018 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR ATTENDING THIS WEBINAR