TRANSCRIPT
10/4/2017
New York, New York, October 12, 2017
An Introduction to the “Business of Ransomware” & the WannaCry Attack
Reinsurance Association of America Re Claims Seminar
Carl H. Poedtke, III, Of Counsel
DLA Piper LLP (US)
What this Introduction Will Touch On Today
Introduction to Ransomware
WannaCry – May 2017
The Epidemic
Security Steps
1 Introduction to Ransomware
What is Ransomware?
Ransomware:
Malicious software that, when run, prevents access to computer files via encryption or a locking mechanism (the majority of families use encryption)
What is Ransomware? (Cont.)
Ransomware searches for and makes files inaccessible
It is malware that trawls through local and network files, locating and encrypting what is important to the user (e.g., .jpg, .docx, .pptx, .pdf)
The result is the loss of use of the computer / device and the inability to access data
Ransomware Strategy: Hijacking Information & Extortion
Block user access to data via encryption
Make retrieval impossible or very difficult without the decryption key
Communication of these facts to the user on the disabled computer’s screen
Leverage the circumstances for ransom
How Does Ransomware Usually Reach Your Computer / Network?
Decades ago Ransomware was delivered the old fashioned way, via mail and floppy disk
Today malicious software generally accesses computer networks via:
Compromised Websites (Drive-By Downloads/Malvertising)
Email (email attachments/phishing)
Without Warning, or After Reboot, a Message Can Appear (e.g., CryptoLocker)
Ransomware Attackers Want Ransom Payment
Encryption process will appear difficult or impossible to overcome
User is in fear of losing critical commercial and/or personal data
Payment process is easy
Bitcoin is the preferred method of payment
What is Bitcoin?
Bitcoin is an electronic currency invented in 2009
The first decentralized digital currency
Key aspects:
Transaction fees are optional (and small relative to a ransom)
No central bank or middle man, and no assets backing Bitcoin
Pseudonymous rather than anonymous: the public ledger records every transfer, but the system does not tie an address to a real-world identity, which is the "privacy" an extortionist relies on
Not tied to any country
Transactions are similar to sending cash digitally and cannot be reversed
Funds are controlled from a "digital wallet", essentially a virtual money account; the only identifier that appears in a transaction is the receiving address (often loosely called the wallet ID)
Luring the Payment
Attackers use time pressure to extract payment
“Early bird” specials
As time passes, ransom increases & files may be deleted
Urgency builds as time runs short
Another Sample (ZeroLocker)
Luring the Payment (Cont.)
The process can look very normal / corporate
The amount is generally set to draw the user into a cost-benefit analysis that favors paying (e.g. $300, $600), but can be greater (often around $2,500 according to recent surveys)
The process becomes individualized to the user, with an identification number and language of the user’s location
Attackers localize content via “geo-locating” IP addresses that identify the computer’s location
Luring the Payment (Cont.)
When you pay, what do you get?
Criminals promise the “decryption key” to unlock data
No guarantee it will work, and not immune from further attack
Who is a Ransomware Target?
Ransomware is an equal opportunity hazard
Distribution is often indiscriminate, resulting in infections of a broad array of systems globally
Hospitals
Schools
Police Departments
Corporations
Churches
Private Citizens
Governments, Etc.
Primary Targets?
Industry monitors and experts find that:
Public administration,
Healthcare, and
Financial Services
are targeted substantially more in attacks than other industries
Victims Have Paid to Avoid Risk of Loss and Minimize Interruption to Services or Business
One Example: Hollywood Presbyterian Medical Center, L.A. Cal. Feb. 2016
Network infiltration left employees unable to access hospital network and e-medical records system
Operations fell back to paper and fax machines
Hospital concluded “quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.”
Appx. $17,000 paid in Bitcoin
Victims Have Paid (cont.)
Another Example: Nayana, a South Korean Web hosting company with thousands of customers
Attacked with Erebus Ransomware on June 10, 2017
153 servers infected
Attackers demanded $4 million in Bitcoin, negotiations settled on $1 million (397.6 Bitcoin)
Largest known ransom payment to date
Recent Estimates / Observations
Est. 4,000 Ransomware attacks daily; 250% increase over 2016
Unknown percentage of victims pay ransoms (some est. are as high as 48%)
Single attacks can generate highly lucrative returns
Tens of millions in extortion payments
Est. $1 billion+ in losses in 2016
Recent Estimates / Observations (cont.)
Average ransom demand increasing (the greater the leverage, the higher the ransom)
Potential number of future infections are enormous, and organizations can expect to be repeatedly attacked
Impact to business can be severe (financial and reputational) and potentially catastrophic
Est. 2017 damage costs will exceed $5 billion, factoring in ransoms, recovery, loss of data, downtime and loss of productivity
Global Policy Discouraging Payment
Cyber monitors, commentators and law enforcement globally urge victims not to pay
No guarantee of decryption
Paying ransom incentivizes criminals and funds the development of further schemes
2 WannaCry
May 12-15, 2017 – WannaCry
WannaCry Ransom Demand
$300 ransom demand
3 days to pay
Doubles to $600
If no payment within a week, threat of loss of information
Simple payment and decryption opportunity offered
WannaCry Background
Ransomware whose worm component was built from exploit tools purportedly developed by, and stolen from, the National Security Agency
The key pieces were the "EternalBlue" SMB exploit and the "DoublePulsar" kernel-mode backdoor
Published in April 2017 by a group calling itself "The Shadow Brokers"
How Did It Spread?
EternalBlue exploited a vulnerability in version 1 of the Server Message Block (SMB) protocol, the Windows file- and printer-sharing protocol, reachable over TCP port 445
Microsoft had already fixed the vulnerability in its March 14, 2017 security update (MS17-010) for all Windows versions still in support (e.g. Windows 7, 8.1 and 10; Windows Server 2008, 2012 and 2016)
Any unpatched system was at risk: out-of-support versions such as Windows XP and Windows Server 2003 (for which Microsoft issued an emergency patch only after the outbreak began), and organizations that simply had not installed the March patch
EternalBlue gave the attacker code execution on the vulnerable system and implanted the DoublePulsar backdoor, which in turn loaded the ransomware; no user action was required at any step
How Did It Spread? (cont.)
Once running, WannaCry enumerated every drive letter it could reach ("C:\", "D:\", "P:\" and so on), including mapped network shares and removable storage
It looked for files with the common extensions listed on the next slide (.pdf, .doc, .xls, etc.) and encrypted them, leaving each as original-name.ext.WNCRY
It then deleted the Volume Shadow Copies and other recovery data that Windows could have used to restore files, and displayed the ransom note on the user's screen
File Extensions Encrypted (note that the list covers not only office documents and media but also private keys and certificates, databases, source code, virtual machine disks and backup archives)
.der, .pfx, .key, .crt, .csr, .pem, .odt, .ott, .sxw, .stw, .uot, .max,
.ods, .ots, .sxc, .stc, .dif, .slk, .odp, .otp, .sxd, .std, .uop, .odg,
.otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb,
.mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp,
.pas, .asm, .cmd, .bat, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp,
.java, .jar, .class, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf,
.avi, .mov, .mkv, .flv, .wma, .mid, .djvu, .svg, .psd, .nef, .tiff, .tif,
.cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip,
.rar, .tgz, .tar, .bak, .tbk, .paq, .arc, .aes, .gpg, .vmx, .vmdk, .vdi,
.sldm, .sldx, .sti, .sxi, .hwp, .snt, .onetoc2, .dwg, .pdf, .wks, .rtf,
.csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx,
.ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx,
.xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot,
.docm, .docb, .docx, .doc.
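As an added illustration (not part of the presentation), the following Python detector turns the two behaviours just described into alerts a security operations team could run over endpoint telemetry: the chained vssadmin / wmic / bcdedit / wbadmin command WannaCry used to destroy shadow copies and recovery settings, and a burst of files being written as <user file>.<new extension> (the report.docx.WNCRY pattern). The event shape (type, host, ts, cmdline, process, path), the sample events and the host and process names are constructed for the example; real Sysmon or EDR output would need to be mapped onto those fields.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subset of the extension list on the slide: the user data a crypto-locker goes after.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".jpg",
               ".png", ".pst", ".sql", ".mdf", ".bak", ".vmdk", ".key", ".pfx"}

# Recovery-destroying commands as WannaCry chained them (vssadmin / wmic /
# bcdedit / wbadmin); a match from any process is worth an alert on its own.
SHADOW_KILL_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def detect_shadow_copy_deletion(events):
    """Return (host, cmdline) for each process-creation event that removes
    shadow copies or disables Windows recovery."""
    return [(ev["host"], ev["cmdline"])
            for ev in events
            if ev["type"] == "process_create"
            and any(p.search(ev["cmdline"]) for p in SHADOW_KILL_PATTERNS)]


def split_double_extension(path):
    """'C:\\Users\\a\\report.docx.WNCRY' -> ('.docx', '.wncry'); None if the
    file name does not carry an extra extension on top of its own."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.split(".")
    if len(parts) < 3:
        return None
    return "." + parts[-2].lower(), "." + parts[-1].lower()


def detect_mass_encryption(events, window=timedelta(seconds=60), threshold=20):
    """Return [(host, process, added_ext, count)] for every process that, within
    `window`, wrote at least `threshold` files named <user file>.<new ext> where
    <user file> has a targeted extension. Encrypting malware that renames its
    output (report.docx -> report.docx.WNCRY) looks exactly like this; a word
    processor saving one document does not."""
    recent = defaultdict(deque)          # (host, process, added_ext) -> timestamps in window
    peak = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "file_create":
            continue
        split = split_double_extension(ev["path"])
        if split is None or split[0] not in TARGET_EXTS:
            continue
        key = (ev["host"], ev["process"], split[1])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[key] = max(peak.get(key, 0), len(q))
    return [(h, p, e, n) for (h, p, e), n in peak.items()]


def sample_events():
    """Constructed sample telemetry (not real data): one infected workstation
    (ws-017) and one clean one (ws-042). Host, user and process names are examples."""
    t0 = datetime(2017, 5, 12, 10, 0, 0)
    events = [
        {"type": "process_create", "host": "ws-017", "ts": t0,
         "cmdline": ("cmd.exe /c vssadmin delete shadows /all /quiet & "
                     "wmic shadowcopy delete & "
                     "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
                     "bcdedit /set {default} recoveryenabled no & "
                     "wbadmin delete catalog -quiet")},
        {"type": "process_create", "host": "ws-042", "ts": t0,
         "cmdline": "vssadmin list shadows"},            # benign admin query
    ]
    for i in range(30):                                   # 30 encrypted files in 30 seconds
        events.append({"type": "file_create", "host": "ws-017", "process": "tasksche.exe",
                       "ts": t0 + timedelta(seconds=i),
                       "path": f"C:\\Users\\jdoe\\Documents\\report{i}.docx.WNCRY"})
    for i in range(5):                                    # normal saves: no double extension
        events.append({"type": "file_create", "host": "ws-042", "process": "WINWORD.EXE",
                       "ts": t0 + timedelta(seconds=i),
                       "path": f"C:\\Users\\asmith\\Documents\\draft{i}.docx"})
    return events


if __name__ == "__main__":
    evs = sample_events()
    print("shadow-copy deletion:", detect_shadow_copy_deletion(evs))
    print("mass encryption:", detect_mass_encryption(evs))
```

The threshold and window are the tuning knobs: a backup agent or a bulk conversion job can legitimately write many files, but it will not also be the process that deleted the shadow copies a minute earlier, so correlating the two signals on the same host is what makes the alert high-confidence.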
How Did It Spread? (cont.)
The infection spread rapidly from machine to machine across any network on which hosts still had the SMB vulnerability
Unusual in that, after encrypting one machine, it scanned for and infected other vulnerable machines on the same network without any further user involvement, i.e. a self-propagating worm carrying a ransomware payload (a "cryptoworm")
It also scanned random internet addresses for exposed, vulnerable hosts, so a single infected machine could seed new networks anywhere in the world ("weaponized")
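The worm behaviour above has a simple network signature: one host opening TCP/445 connections to many distinct hosts in a short time, plus attempts to reach port 445 on the internet, which a workstation never needs. The Python example below (added here, not from the presentation) runs that detection over a handful of constructed firewall log lines; the log field layout, the internal address range and the sample addresses are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed field layout of the firewall/flow log: "<ISO ts>Z src= dst= dport= action="
LINE_RE = re.compile(r"^(\S+)\s+src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+action=(\w+)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    ts, src, dst, dport, action = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport), "action": action}


def detect_smb_fanout(lines, window=timedelta(seconds=30), threshold=10,
                      internal=ipaddress.ip_network("10.0.0.0/8")):
    """Return {src: {"distinct_targets": n, "external_targets": [...]}} for every
    source that contacted at least `threshold` distinct hosts on TCP/445 within
    `window` (a worm-style sweep of the local network), or attempted TCP/445 to
    any address outside `internal` at all. Denied attempts count: the firewall
    stopping the connection does not make the scanning host clean."""
    recent = defaultdict(deque)          # src -> deque of (ts, dst) inside the window
    alerts = {}
    for rec in sorted((parse_line(ln) for ln in lines), key=lambda r: r["ts"]):
        if rec["dport"] != 445:
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["dst"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        external = {d for d in distinct if ipaddress.ip_address(d) not in internal}
        if len(distinct) >= threshold or external:
            a = alerts.setdefault(rec["src"], {"distinct_targets": 0, "external_targets": set()})
            a["distinct_targets"] = max(a["distinct_targets"], len(distinct))
            a["external_targets"] |= external
    for a in alerts.values():
        a["external_targets"] = sorted(a["external_targets"])
    return alerts


def sample_log():
    """Constructed firewall log (not real traffic). 203.0.113.0/24 is the
    documentation range, used here as a stand-in for a random internet address."""
    t0 = datetime(2017, 5, 12, 10, 0, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # Six clients each open one share on the file server: one destination apiece.
    for i in range(6):
        lines.append(f"{stamp(i)} src=10.0.2.{30 + i} dst=10.0.1.2 dport=445 action=allow")
    # A backup server talks to three hosts on 445: legitimate, below threshold.
    for i in range(3):
        lines.append(f"{stamp(5 + i)} src=10.0.5.9 dst=10.0.3.{10 + i} dport=445 action=allow")
    # One workstation sweeps its /24 in 15 seconds, then tries an internet address.
    for i in range(15):
        lines.append(f"{stamp(10 + i)} src=10.0.1.5 dst=10.0.1.{20 + i} dport=445 action=allow")
    lines.append(f"{stamp(25)} src=10.0.1.5 dst=203.0.113.7 dport=445 action=deny")
    return lines


if __name__ == "__main__":
    for src, info in detect_smb_fanout(sample_log()).items():
        print(src, info)
```

Running the sample flags only 10.0.1.5, with 16 distinct targets and one external attempt. In production the internal range, the threshold and the list of hosts allowed to fan out on 445 (vulnerability scanners, backup and patch servers) are the things to tune; everything else on a workstation VLAN should trip this within seconds of a worm starting.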
How Widespread Was the Impact?
The attack spread quickly around the globe, hitting, among other notables, the UK National Health Service, Spain's Telefónica, and FedEx
Tens of thousands of organizations impacted
[World map of infected hosts shown on the slide; source: MalwareTech]
A Global Attack: Hundreds of Thousands of Computers in Over 150 Countries
AS BAD AS IT WAS, IT COULD HAVE BEEN WORSE
Early in the attack a researcher (MalwareTech) noticed that, before doing anything else, the malware tried to connect to a long, unregistered domain name hard-coded in its body and exited if the connection succeeded; he registered the domain, and every new infection that could reach it then stopped
This simple discovery was effectively a "kill switch" for the attack and prevented a further major spread of the malware (although new variants with different or no kill-switch domains were soon detected). It helped only hosts that could reach the domain directly; machines on networks that force all web traffic through a proxy still ran the payload
Additionally, public awareness resulted in quick patching of systems around the world during the following days, blunting the attack
Before the attack ended, it is believed over $130K had been paid to the Bitcoin addresses hard-coded in the ransom note
3 The Epidemic
The Epidemic of Ransomware
Monetary incentive creates sophisticated criminals
Business model and simple process entices payment
Criminals will continue to prey upon vulnerable victims
Revenue sharing among cyber criminals ("affiliates") is growing, with authors supplying the malware and distributors spreading it in exchange for an agreed percentage of the ransoms (Ransomware as a Service, or RaaS)
Devices and Internet of Things at risk
Slightest amount of success can generate large returns
Recipe for a Dangerous Outbreak
Incentives to seek lucrative returns
Teamwork: "affiliations" of distributors and authors
Creative Research and Development of new sophisticated methods
Vulnerable targets
Involvement of Hostile Nations?
On June 14, 2017, the Washington Post reported that the “NSA has linked the Wannacry Computer worm to North Korea”, based on leaked NSA assessment information
(https://www.washingtonpost.com/world/national-security/the-nsa-has-linked-the-wannacry-computer-worm-to-north-korea/2017/06/14/101395a2-508e-11e7-be25-3a519335381c_story.html?hpid=hp_hp-more-top-stories_northkoreacyber744pm%3Ahomepage%2Fstory&utm_term=.12c543b61454)
On September 12, 2017, CNN reported on North Korea’s strategy to steal and amass Bitcoin
(http://money.cnn.com/2017/09/12/technology/north-korea-hackers-bitcoin/index.html?iid=ob_homepage_tech_pool)
Many Variations of Ransomware To Date May Only Be the Tip of the Iceberg
NotPetya – JUNE 27, 2017
Attack similar to WannaCry (it reused EternalBlue and, for lateral movement, also harvested administrative credentials from memory and ran itself on other machines with legitimate Windows remote-execution tools) that originated in Ukraine through a poisoned update of the M.E.Doc tax preparation software
The malware built lists of targets and administrative credentials and spread inside infected networks, interrupting businesses as it went, with the majority of infections in Ukraine (including banks, the Kiev metro, and the Chernobyl radiation monitoring system) and in Germany
Major entities around the world were also severely impacted
Looked like ransomware, but besides encrypting user files it overwrote the Master Boot Record and encrypted the Master File Table, leaving the machine unable to boot, and the "installation key" shown to the victim was random data from which no decryption key could be derived, so payment could not restore anything
The attack was intended to wipe devices and destroy data, not to collect ransom
4 SECURITY
Protecting Your Networks: Key Industry Recommendations
Active O/S: Use only actively supported operating systems that still receive security updates
Apply Patches: Install security patches across the infrastructure as soon as they are released (MS17-010 had been available for two months when WannaCry hit)
Anti-Malware: Run anti-malware software with regular signature updates (including anti-ransomware tools)
Backup Plan: Maintain an emergency recovery plan with a "backup and restore" strategy whose backup copies are kept offline, so that an infection on the network cannot reach and encrypt them. Test restores regularly!
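A way to verify the first two recommendations against the EternalBlue vector discussed earlier is to ask each host whether it still negotiates SMBv1 at all: MS17-010 fixes the bug, but turning SMBv1 off removes the whole attack surface, and a host that still accepts the "NT LM 0.12" dialect has not done that. The Python probe below is an added example, not from the presentation or from Microsoft; it builds a minimal SMB_COM_NEGOTIATE per [MS-CIFS], parses the server's DialectIndex, and includes a constructed server reply for offline testing. The flag and process-ID constants are ordinary client values chosen for the example.

```python
import socket
import struct

SMB1_DIALECT = b"NT LM 0.12"        # the SMBv1 dialect Windows speaks and EternalBlue needs
SMB_COM_NEGOTIATE = 0x72


def build_negotiate_request(dialects=(SMB1_DIALECT,), pid=0xFEFF, mid=1):
    """SMB_COM_NEGOTIATE offering only the SMBv1 dialect, wrapped in a NetBIOS
    session header. 32-byte SMB header layout per [MS-CIFS] 2.2.3.1."""
    header = (b"\xffSMB"                                # SMBv1 protocol id
              + struct.pack("<B", SMB_COM_NEGOTIATE)
              + struct.pack("<I", 0)                    # NT status
              + struct.pack("<B", 0x18)                 # Flags: canonical paths, case-insensitive
              + struct.pack("<H", 0xC001)               # Flags2: Unicode, NT status codes, long names
              + struct.pack("<H", 0)                    # PIDHigh
              + b"\x00" * 8                             # SecurityFeatures (no signing)
              + struct.pack("<H", 0)                    # Reserved
              + struct.pack("<HHHH", 0, pid, 0, mid))   # TID, PIDLow, UID, MID
    dialect_bytes = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<B", 0) + struct.pack("<H", len(dialect_bytes)) + dialect_bytes
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NetBIOS: type 0, 24-bit length


def parse_negotiate_response(data, offered=(SMB1_DIALECT,)):
    """Return the dialect name the server selected, or None if it accepted none
    (DialectIndex 0xFFFF). Raises ValueError for anything that is not an SMBv1
    negotiate reply, including the 0xFE 'SMB' header an SMB2-only server sends."""
    if len(data) < 4 + 32 + 3 or data[0] != 0:
        raise ValueError("not a complete NetBIOS session message")
    smb = data[4:]
    if smb[:4] != b"\xffSMB":
        raise ValueError("not an SMBv1 message")
    command, status, flags = smb[4], struct.unpack_from("<I", smb, 5)[0], smb[9]
    if command != SMB_COM_NEGOTIATE or not flags & 0x80:   # 0x80 = SMB_FLAGS_REPLY
        raise ValueError("not a negotiate reply")
    if status != 0 or smb[32] == 0:                        # error, or empty parameter block
        return None
    dialect_index = struct.unpack_from("<H", smb, 33)[0]   # first parameter word
    if dialect_index >= len(offered):                      # 0xFFFF: nothing accepted
        return None
    return offered[dialect_index].decode()


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed before a full reply arrived")
        buf += chunk
    return buf


def probe_smb1(host, port=445, timeout=3.0):
    """Live check: True if `host` negotiates SMBv1; False if it refuses, closes the
    connection (what a server with SMBv1 disabled does) or is unreachable.
    Only run against systems you are authorised to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            nb = _recv_exact(s, 4)
            reply = nb + _recv_exact(s, int.from_bytes(nb[1:], "big"))
        return parse_negotiate_response(reply) is not None
    except (OSError, ValueError):
        return False


def make_negotiate_response(dialect_index, word_count=17):
    """Constructed server reply for offline testing (not captured traffic);
    17 parameter words is what an NT LM 0.12 server returns."""
    header = (b"\xffSMB" + struct.pack("<B", SMB_COM_NEGOTIATE) + struct.pack("<I", 0)
              + struct.pack("<B", 0x98) + struct.pack("<H", 0xC001) + struct.pack("<H", 0)
              + b"\x00" * 8 + struct.pack("<H", 0) + struct.pack("<HHHH", 0, 0xFEFF, 0, 1))
    params = struct.pack("<H", dialect_index) + b"\x00" * (word_count * 2 - 2)
    smb = header + struct.pack("<B", word_count) + params + struct.pack("<H", 0)
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, "SMBv1 enabled" if probe_smb1(target) else "no SMBv1")
```

A "no SMBv1" answer only tells you the host will not talk the protocol EternalBlue needs; it says nothing about whether the host is patched or whether SMB is reachable from the internet, so the probe belongs alongside patch inventory and an external port-445 scan, not in place of them.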
Protecting Your Networks: Key Industry Recommendations (cont.)
Application Whitelisting: To prevent malicious software and non-approved programs from running
Spam Filters: Engage spam filters to prevent “phishing” emails from directly reaching end users and use technology to authenticate inbound emails
Email Scanning: Scan all email to detect threats and prevent from reaching end user
Automated Scanning: Run automated anti-virus and anti-malware scans on a regular schedule and scan all downloaded software before it runs
Protecting Your Networks: Key Industry Recommendations (cont.)
Limit Privileges: Limit privileges and access to that which is necessary for users, and configure network access (write access to files, directories, shares) in conformance with limitations
Network Segmentation: Segment internal networks (and the file shares and hosts on them) so that an infection on one segment cannot spread freely to the others
Education: Educate everyone in organization, top to bottom, in identifying cyber scams and malicious emails and links. There is always human error, but this is a critical and simple form of defense
Resource Commitment: Educate organization on the need for vigilance and resource commitment necessary to protect against ever increasing threats
NYDFS Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) – Effective March 1, 2017
Requires Covered Entities to, among other things:
Conduct periodic risk assessments
Maintain a cybersecurity program based on assessments designed to:
Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information
Use defensive infrastructure and implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts
Detect, respond to and recover from Cybersecurity Events to mitigate any negative effects and restore normal operations and services
Fulfill applicable regulatory reporting obligations
See also NAIC Insurance Data Security Model Law (8/17)
Various Resources & Reading
Microsoft, Customer Guidance for WannaCrypt Attacks (May 12, 2017)
Ransomware Attacks Rise 250 Percent in 2017, Hitting U.S. Hardest (http://newsweek.com/ransomware-attacks-rise-250-2017-us-wannacry-614034)
Druva Annual Ransomware Report, Executive Brief (2017 Survey) (https://go.druva.com/2017-Survey-Ransomware-Report.html)
Ransomware Roadmap: Where Cybercriminals Will Attack Next (Code42 White Paper)
U.S. Department of Justice, How to Protect Your Networks from Ransomware (https://www.justice.gov/criminal-ccips/ccips-documents-and-reports, https://www.justice.gov/criminal-ccips/file/872771/download)
How to Protect Yourself from the Global Ransomware Attack (Washington Post, May 15, 2017)
Talos, WANNACRY, Executive Summary (May 12, 2017)
Talos, New Ransomware Variant “Nyetya” Compromises Systems Worldwide (June 27, 2017)
Talos, The MeDoc Connection (July 5, 2017)
McAfee Labs, Understanding Ransomware and Strategies to Defeat It (White Paper)
Ransomware: A Growing Menace, Symantec Security Response
Various Resources & Reading (cont.)
Everything You Need to Know About the Wannacry / Wcry / WannaCrypt Ransomware (https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/)
How to Accidentally Stop a Global Cyber Attack (MalwareTech, May 13, 2017)
CERT.be, Wannacry (May 16, 2017 White Paper)
CERT-MU, The Wannacry Ransomware (May 2017 White Paper)
CERT-MU, The Petya Cyber Attack, (June 2017 White Paper)
Despite Wannacry, Open SMB Ports Persist (June 21, 2017) (https://www.windowsitpro.com/security/despite-wannacry-open-smb-ports-persist)
A History of Ransomware: The Biggest and Worst Ransomware Attacks of All Time (July 27, 2017) (https://digitalguardian.com/author/nate-lord)
Ransomware and Recent Variants (Alert TA16-091A), (https://www.us-cert.gov/ncas/alerts/TA16-091A)
Ransomware and Encryption Attacks- How Recent Attacks Can Inform Effective Prevention and Response Efforts, (Advisen Front Page News, Sep. 19. 2017)
New York State Department of Financial Services 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies
Thank You!
Carl H Poedtke, III Of Counsel DLA Piper LLP (US) Chicago, Illinois T: (312) 368-7294 E: [email protected]
The information, perspectives and impressions contained in these slides and communicated during their presentation are those of the speaker alone. They are offered strictly for educational/informational purposes.