▪ DOS Ransomware
[Data is encrypted, as with CryptoLocker, on devices such as phones, servers and laptops]
Variations of Ransomware
▪ Mobile Devices
▪ Smart Appliances
▪ Pyramid Scheme Incentive [Popcorn Time ransomware: infect
two others and get your data back]
Components of Ransomware
▪ Deployment
– Drive-by download
▪ Occurs when a system automatically downloads a piece of malware or spyware
without the end user’s knowledge.
– Strategic web compromise
▪ A subset of drive-by download, used most often when a particular target or target
demographic has been chosen. Strategic web compromises are also called watering-hole
attacks: the attacker compromises a site the intended victims are known to visit. They rely
on reconnaissance of the end users and are usually reserved for targeted attacks.
– Phishing emails
▪ May be widespread, untargeted spam or specially crafted to your organization or industry.
These emails may include attachments or provide links to malicious websites.
– Exploiting vulnerabilities in Internet-accessible systems
▪ Here the attacker scans networks, or openly trawls the whole Internet, for exploitable
vulnerabilities; unlike the preceding methods, no user action is required.
Anatomy of Ransomware Attack (continued)
▪ Installation
(Like a theft planned by our in-house MASSI, the malware first checks whether it has
landed on the intended system or in an analysis sandbox before it proceeds.)
– Reconstruction
– Process evasion
– Memory Access
▪ Command-and-Control
– HTTP
– Twitter
– Tor
– HTTPS
– Email
Anatomy of Ransomware Attack (continued)
▪ Destruction
– Encryption
– Locking
▪ Extortion
– Bitcoin
– Prepaid Vouchers
We have a solution (HR)?
▪ New hiring,
but no real spending on technology
KeRanger Mac Ransomware
We don't have:
▪ Backups (only 37% of people back up their data; what about the other 63%?)
▪ A DR site (a DR site may not be feasible for a small business, but for web servers
we must have one)
▪ A quick restore procedure (software such as Veeam can bring a VM back with an
instant restore in about 15 minutes)
▪ Affordable restoration: the cost is high, as the backup is sometimes only in the cloud
Ransomware Operators & Targets
▪ Ransomware accounted for only 0.0016% of attacks
▪ Just imagine how much larger the overall volume of malware attacks is.
▪ Norse Corp Live Map
▪ Check Point ThreatCloud
Market of Ransomware?
▪ US$ 25,253,505
as of July 2017
Family of Ransomware (revenue Wise)
▪ Attackers send malware in the shape of DOC, XLS, PPT, JS, VBE and WS files
through:
– Embedded Hyperlinks
▪ Normal Documents
▪ Innocent looking hyperlink
▪ Resume (LinkedIn), PO, Invoice
– Websites/Downloads
▪ Common Exploit Kits
– Angler (Locky)
– Neutrino (Cerber)
– Magnitude (Cerber, Locky, Milicry, CryptoWall)
– Rig (growing, and used by many)
– Drive-by infections (no user action required, just browsing)
▪ Malvertising
How Ransomware spreads [Continued]
▪ Kill-switch check against
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
(the WannaCry kill-switch domain: the worm downloads nothing from it, it only tries to
connect and exits if the domain answers, which is why registering the domain as a sinkhole
stopped the May 2017 outbreak)
▪ Ports used: 22 (SSH), 135 (RPC), 139 (NetBIOS/SMB), 443 (HTTPS), 9001 (Tor), 9004
Who are Victims of Ransomware?
▪ Police
– Destruction of criminal records
– Avoiding e-challans (electronic traffic fines) (happened in the USA)
▪ Corporate Sector
– Business Plans
– Business emails
– Account Details
– Account PIN Codes
▪ Hospitals
▪ Financial Institutions
Who writes the Ransomware?
Defending a Ransomware Attack
▪ Form an Incident Response Team (select capable, quick-responding team
members)
▪ Back up regularly & test the backups
– Only a local or cloud-based backup with version history will do (a plain
mirror is overwritten along with the live files)
– Designate an off-site and off-network location for backup media and recovery
materials
– Place backups in a fireproof safe on site
– Send backups to a locker at the bank
▪ Disable Office macros by default
▪ Use firewalls to block C&C call-backs
▪ Scan all emails for malicious content (use Endian UTM, Barracuda Spam
Firewall or a cloud-based anti-spam service)
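The "back up with version history and test the backups" point above, as an added example that is not part of the original slides: a small content-addressed backup store where objects are write-once, so a nightly snapshot taken after the encryptor has run cannot overwrite the clean copy, followed by a restore of the last good version that is verified file by file. The sample files, the store layout and the ransomware stand-in (it just overwrites files with random bytes and appends ".locked") are constructed assumptions for the demo and live in a temporary directory.

```python
"""Versioned, content-addressed backup plus a restore test.

Added example (not from the original slides): backs up a small directory,
simulates a ransomware run that overwrites and renames the live files,
takes a second snapshot (as a blind nightly job would), then restores the
last good version and verifies every file by hash. Sample files and the
ransomware stand-in are constructed for the demo; store and live paths are
assumptions living in a temporary directory.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src, store):
    """Copy each file under src to store/objects/<sha256> and write a manifest
    {relative path: sha256} as a new version. Objects are write-once, so a
    later snapshot of encrypted files can never overwrite a clean one."""
    objects = store / "objects"
    versions = store / "versions"
    objects.mkdir(parents=True, exist_ok=True)
    versions.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        digest = sha256_file(path)
        target = objects / digest
        if not target.exists():          # never overwrite an existing object
            shutil.copy2(path, target)
        manifest[path.relative_to(src).as_posix()] = digest
    version = len(list(versions.glob("*.json")))
    (versions / f"{version:04d}.json").write_text(json.dumps(manifest, indent=1))
    return version, manifest


def restore(store, version, dest):
    """Rebuild a version into dest and verify each file against its hash."""
    manifest = json.loads((store / "versions" / f"{version:04d}.json").read_text())
    for rel, digest in manifest.items():
        out = dest / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(store / "objects" / digest, out)
        if sha256_file(out) != digest:
            raise RuntimeError(f"integrity check failed for {rel}")
    return sorted(manifest)


def simulate_ransomware(root, ext=".locked"):
    """Stand-in for an encryptor (constructed for the demo, NOT real ransomware):
    overwrite each file with random bytes and append an extension."""
    hit = 0
    for path in [p for p in root.rglob("*") if p.is_file()]:
        path.write_bytes(os.urandom(max(len(path.read_bytes()), 16)))
        path.rename(path.with_suffix(path.suffix + ext))
        hit += 1
    return hit


def run_demo():
    work = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    live, store, out = work / "live", work / "store", work / "restored"
    (live / "finance").mkdir(parents=True)
    (live / "finance" / "q1.xlsx").write_bytes(b"constructed spreadsheet content")
    (live / "plan.docx").write_bytes(b"constructed business plan")

    good_version, good = snapshot(live, store)      # clean snapshot
    files_hit = simulate_ransomware(live)           # the attack
    bad_version, bad = snapshot(live, store)        # nightly job backs up junk
    restored = restore(store, good_version, out)    # roll back to clean
    restore_ok = all(sha256_file(out / rel) == digest for rel, digest in good.items())
    shutil.rmtree(work)
    return {
        "good_version": good_version, "bad_version": bad_version,
        "files_hit": files_hit, "restored": restored, "restore_ok": restore_ok,
        "good_files": sorted(good), "bad_files": sorted(bad),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

Run it and the second manifest contains only `.locked` junk while version 0 still restores cleanly; a mirror-style backup without versions would have lost the clean copy at the second run. The restore step is the part that is usually skipped in practice and is the reason the slide says "test backups".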
Defending a Ransomware Attack [Continued]
▪ Demo
Parenting nowadays
Ransomware Response Checklist
1. Disconnect
a. Unplug Computer from Network
b. Turn off wireless functionality: Wi-Fi, Bluetooth, etc…..
2. Confirm it is not a hoax (hoaxes are most common on iPhone and Mac)
3. Determine Scope of Infection
a. Mapped or shared drives of the infected computer
b. Mapped or shared folders from other computers
c. Network storage devices of any kind
d. External hard drives
e. USB storage devices of any kind
f. Cloud-based storage: Dropbox, Google Drive, OneDrive etc.
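Step 3 of the checklist (determine scope) as an added example, not part of the original slides: a scanner that walks each candidate location (mapped drive, share, NAS, USB stick, cloud-sync folder) and reports three indicators per location, ransom-note filenames, appended ransomware extensions, and plain-text files whose bytes are near-random (encrypted in place with the name untouched), then orders the locations worst-first. The indicator lists, the entropy threshold and the sample tree are constructed assumptions for the demo; tune them to the family once ID Ransomware has named it.

```python
"""Scope-of-infection scanner for step 3 of the response checklist.

Added example, not from the original slides. Walks every candidate
location and reports ransom-note filenames, appended ransomware
extensions, and plain-text files whose bytes are near-random (encrypted in
place, name untouched). Indicator lists and the sample tree are constructed
assumptions for the demo; tune them to the family once it is identified.
"""
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

NOTE_NAMES = {"readme_decrypt.txt", "how_to_decrypt.html", "_recover_files.txt"}  # assumed
RANSOM_EXTS = {".locked", ".crypt", ".encrypted"}                                    # assumed
TEXT_EXTS = {".txt", ".csv", ".log", ".ini", ".xml", ".json"}   # should never look random
ENTROPY_THRESHOLD = 7.0   # bits/byte; English text ~4.5, ciphertext ~7.9


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_location(root, sample_bytes=4096):
    """Return the indicators found under one location."""
    hits = {"notes": [], "renamed": [], "encrypted_in_place": []}
    newest = 0.0
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if path.name.lower() in NOTE_NAMES:
            hits["notes"].append(rel)
        elif suffix in RANSOM_EXTS:
            hits["renamed"].append(rel)
            newest = max(newest, path.stat().st_mtime)
        elif suffix in TEXT_EXTS:
            with open(path, "rb") as f:
                if shannon_entropy(f.read(sample_bytes)) > ENTROPY_THRESHOLD:
                    hits["encrypted_in_place"].append(rel)
                    newest = max(newest, path.stat().st_mtime)
    return {"location": root.name, "hits": hits,
            "hit_count": sum(len(v) for v in hits.values()),
            "newest_change": newest}


def triage(roots):
    """Scan every location and order them worst-first so the responder knows
    which shares to disconnect and which backups to distrust."""
    results = [scan_location(r) for r in roots]
    results.sort(key=lambda r: (-r["hit_count"], r["location"]))
    return results


def build_sample_tree(base):
    """Constructed sample: one clean share, one hit share, one clean USB stick."""
    text = b"Quarterly report: revenue up 4% on stable costs.\n" * 40
    clean = base / "share_a"
    clean.mkdir()
    (clean / "report.txt").write_bytes(text)
    hit = base / "share_b"
    hit.mkdir()
    (hit / "README_DECRYPT.txt").write_bytes(b"Your files are encrypted...")
    (hit / "invoice.xlsx.locked").write_bytes(os.urandom(2048))
    (hit / "notes.txt").write_bytes(os.urandom(2048))   # encrypted in place
    usb = base / "usb"
    usb.mkdir()
    (usb / "photo.jpg").write_bytes(os.urandom(512))    # binary, not text: ignored
    return [clean, hit, usb]


def run_demo():
    base = Path(tempfile.mkdtemp(prefix="scope-"))
    try:
        return triage(build_sample_tree(base))
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for r in run_demo():
        print(r["location"], r["hit_count"], r["hits"])
```

The entropy check is what catches encryptors that keep the original filename; the `newest_change` timestamp per location is what you compare against backup times to decide which snapshot is the last trustworthy one.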
Ransomware Response Checklist [continued]
▪ Michael Gillespie is a ransomware researcher who analyzes ransomware so that he can create
free decryptors for ransomware victims. He is also the creator of the ID Ransomware service,
which can be used to identify which ransomware a victim is infected with.
Check BleepingComputer on Twitter/web
▪ Send file-less malware
▪ Use PowerShell along with an SSL certificate to send data back (the TLS session hides the
traffic from content inspection)
▪ Use netstat -b -f 1 (refresh every second, show the owning executable and resolve
foreign addresses; -b needs an elevated prompt)
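The netstat check above and the "ports used" list from the spreading slide, as one added example that is not part of the original slides: a parser for the Windows `netstat -b -f` output format (a connection line followed by the owning process in brackets) that flags the slides' indicators, Tor relay ports 9001/9004, ports 22/135/139 leaving the local network, and a scripting host such as PowerShell talking TLS on 443, and tallies which processes to isolate. The capture is constructed sample data; the scripting-host list and the "internal" address ranges are assumptions to adjust per site.

```python
"""Triage a 'netstat -b -f' capture for ransomware call-backs.

Added example, not from the original slides. Parses the Windows
'netstat -b -f' output (connection line, then the owning process in
brackets) and flags Tor ports 9001/9004, ports 22/135/139 leaving the
local network, and a scripting host talking TLS on 443. SAMPLE is
constructed data; SCRIPT_HOSTS and INTERNAL_NETS are assumptions.
"""
import ipaddress
import re
from collections import Counter

TOR_PORTS = {9001, 9004}
LATERAL_PORTS = {22, 135, 139}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe"}          # assumed LOLBin list
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "::1/128")]          # assumed site ranges

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def is_internal(host):
    """True for RFC 1918/loopback IPs; hostnames (-f output) count as external."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_netstat(text):
    """One dict per connection, with the process name netstat prints on the
    following bracketed line (None when it says it cannot obtain it)."""
    conns, current = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            host, _, port = foreign.rpartition(":")
            current = {"proto": proto, "local": local, "host": host,
                       "port": int(port) if port.isdigit() else None,
                       "state": state, "process": None}
            conns.append(current)
            continue
        p = PROC_RE.match(line)
        if p and current is not None:
            current["process"] = p.group(1).lower()
    return conns


def reasons(conn):
    port, proc, host = conn["port"], conn["process"] or "", conn["host"]
    out = []
    if port is None:
        return out
    if port in TOR_PORTS and not is_internal(host):
        out.append(f"Tor relay port {port}")
    if port in LATERAL_PORTS and not is_internal(host):
        out.append(f"port {port} to external host {host}")
    if port == 443 and proc in SCRIPT_HOSTS:
        out.append(f"{proc} using TLS on 443 (possible script-based exfil/C2)")
    return out


def find_suspicious(text):
    return [(c, reasons(c)) for c in parse_netstat(text) if reasons(c)]


def offenders(text):
    """Processes to kill or isolate, by number of flagged connections."""
    return Counter(c["process"] for c, _ in find_suspicious(text))


# Constructed capture in the 'netstat -b -f' layout (not a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:49733     outlook.office365.com:443  ESTABLISHED
 [OUTLOOK.EXE]
  TCP    192.168.1.20:49801     203.0.113.77:9001      ESTABLISHED
 [powershell.exe]
  TCP    192.168.1.20:49802     198.51.100.9:443       ESTABLISHED
 [powershell.exe]
  TCP    192.168.1.20:49810     192.168.1.5:139        ESTABLISHED
  Can not obtain ownership information
  TCP    192.168.1.20:49811     203.0.113.77:22        SYN_SENT
 [wscript.exe]
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
"""

if __name__ == "__main__":
    for conn, why in find_suspicious(SAMPLE):
        print(conn["process"], conn["host"], conn["port"], "->", "; ".join(why))
```

Outlook on 443 and the System SMB session to an internal host pass; the PowerShell Tor and TLS sessions and the wscript SSH attempt are the ones to act on, which is the point of pairing `-b` (process) with the port list rather than alerting on 443 alone.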
New wave of ATM attack
Ask questions
and clear your
ambiguity.
Your Comments
Come up and
share your
comments.
The more stupid you are, the more you learn. (Okay)
▪ Keep Your Mouth SHUT
"Stay Hungry. Stay Foolish." Steve Jobs