SLAIT Consulting
Maryland Education Enterprise Consortium - 2017
Source: meec-edu.org/files/2016/07/SLAIT-Overview-Ransomware-MEEC-2017.pdf
SLAITCONSULTING.com
About SLAIT

SLAIT is an Information Technology Consulting Services Company specializing in delivering customized IT Services and Solutions to clients in the Commercial, State/Local Government and Education sectors.

• Serving clients for over 26 years
• $100M revenue
• 350+ Resources
• Headquartered in Virginia Beach, VA with regional offices in:
  • Richmond, VA
  • Greenbelt, MD
  • Charlotte, NC
  • Raleigh, NC

INNOVATIVE SOLUTIONS FOR FORWARD THINKING COMPANIES
Some of SLAIT’s Technology Partners
Ransomware – Your Data Held Hostage
SLAIT Consulting
Ransomware by the numbers

§ Prior to attack, 4 out of 5 organizations are confident backup can provide them complete recovery
  • Less than half of victims fully recover their data
§ Email is the #1 delivery vehicle for ransomware
§ Nearly two-thirds of exploit kits have ransomware payloads
  • Ransomware is the most popular payload
§ 600% growth in new ransomware families in 2016
§ 4x jump in Android ransomware
§ 230% jump in JavaScript ransomware payloads
Big Business

Business Model
§ Very skilled groups maintain and sell exploit kits
  • Maintain list of exploits including zero-day exploits
  • Package the ability to automatically identify vulnerabilities and deliver payload of your choice
§ Ransomware groups use EK to deploy their variant
§ Ransomware as a service – Some ransomware groups even subcontract their combined package for a share of the profits

Profits
§ 209 million paid to cybercriminals in Q1 2016
§ Angler Exploit Kit
  • $60 million per year
§ Cryptowall 3 – $321 million per year
§ Locky – 90,000 victims per day
  • Research indicates around 2.9% of victims pay the ransom of between .5 and 1 bitcoin ($450). This works out to between $200-$400 million a year
Evolutionary Capitalism

§ Every ransom paid is an investment in the R&D process of the ransomware economy
§ Threat groups track what methods are successful and what methods are not
§ Threat groups also track the success of competitors, copying and avoiding as appropriate
§ Continual process whereby unsuccessful methods die off and successful methods proliferate
§ Expect future ransomware to
  • Be more automated with a greater prevalence of self-propagation
  • Have an increased focus on lateral movement and reducing C2 dependency
  • Encrypt what C2 is necessary
  • Include time delay features to inhibit data restore options
Ransom Family Commonalities (AKA Kill Chain)
SLAIT Consulting

Typical Process (stages): Bait the end-user → Exploit → C2 (sometimes before, sometimes after encryption) → Localized infection → Network infection

Typical Vectors (per stage):
• Bait the end-user: Email; Compromised websites/ads
• Exploit: Angler EK; Nuclear EK; Office macros; Flash
• C2: Web request; Bittorrent; Tor
• Localized infection: Self protection (delete backups, set autorun)
• Network infection: Network scans; Network share access
Evolution of Ransomware

Previous
• Cryptolocker
• Cryptolocker 2.0
• Cryptobit

2014
• Cryptodefense
• Cryptowall 1.0
• CBT Locker
• Cryptblocker
• Synlocker
• Torrentlocker
• Cryptowall 2.0

2015
• Cryptowall 3.0
• Teslacrypt 1.0
• Vaultcrypt
• Teslacrypt 2.0
• Cryptowall 4.0
• Chimera

2016
• Cryptojoker
• Droidlocker
• Nanolocker
• Locky
• CTB-Locker web
• Jigsaw
• Teslacrypt 3.0
• Teslacrypt 4.0
• Teslacrypt 4.1
• Samas
• CryptXXX
• Petya
• Maktub
• Cerber
• KeRanger
Trending

§ Increase in targeted attacks against
  • Healthcare organizations
  • Law firms
  • Payment processing firms
§ Attackers seeking soft targets with high impact
§ Critical systems/data → expectation of higher payout
§ Payment per infected system
§ Ransomware seeking local backups
§ Exploit expanded attack surface
§ Encryption of MBR
§ Change in delivery methodology: attacking previously compromised systems
§ Drops bootloader then crashes system to force reboot – encrypts upon reboot
What the future holds - Predictions
SLAIT Consulting

§ More platforms targeted
  • All flavors of Windows and Android exist
  • Targeted OSX attacks - 2016
§ Higher ransoms – success begets success
§ MORE targeted attacks – Seeking critical networks
§ Internet of Things = Significant expansion of attack surface

Cycle: Prevention → Detection → Response → Test → Prevention
What to do
Email Gateway Filtering
§ .exe, .bat, .ps1, .js, .jse, .scr, .com, .osx, .jar, .vb, .vbs, .bas, .ws, .wsf, .shs, .pif, .hta, .lnk
  • .doc, .xls, .rtf

Domain group policies
§ Block macros
  • Open downloaded documents in “protected view”
  • Open downloaded documents and block all macros
§ Restrict program execution
  • Disable execution from temporary and/or user data folders
§ Disable Windows Script Host
§ Show file extensions
  • (****.PDF.EXE)

Restrict access to network shares
Maintain excellent backup practices
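As an added illustration of the gateway filtering list and the "****.PDF.EXE" double-extension point above (example code written for this page, not a SLAIT tool), the Python below applies the slide's extension list to attachment file names and inspects every dotted suffix, so a risky type hidden behind a second extension is still seen; the three-way block/review/allow outcome and the sample names are assumptions of the example.

```python
import os
from typing import List

# Extensions the slide lists for email gateway filtering (".lnk" is
# written without its dot in the deck; normalised here).
BLOCKED_EXTENSIONS = {
    ".exe", ".bat", ".ps1", ".js", ".jse", ".scr", ".com", ".osx", ".jar",
    ".vb", ".vbs", ".bas", ".ws", ".wsf", ".shs", ".pif", ".hta", ".lnk",
}
# Office types the slide lists separately: not blocked outright, but
# subject to the "protected view / block all macros" policy.
MACRO_CAPABLE = {".doc", ".xls", ".rtf"}


def extensions_of(filename: str) -> List[str]:
    """Return every dotted suffix of the base name, lower-cased.

    "Invoice.PDF.EXE" -> [".pdf", ".exe"], which makes the double
    extension the slide warns about visible to the caller.
    """
    base = os.path.basename(filename.replace("\\", "/")).strip()
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename: str) -> str:
    """Classify an attachment name as 'block', 'review' or 'allow'.

    block  : final extension is on the slide's executable/script list
    review : an Office type from the slide, or a listed risky extension
             that appears before the final one (e.g. "notes.exe.txt")
    allow  : anything else (constructed policy for this example)
    """
    exts = extensions_of(filename)
    if not exts:
        return "allow"
    if exts[-1] in BLOCKED_EXTENSIONS:
        return "block"
    if any(e in BLOCKED_EXTENSIONS for e in exts[:-1]):
        return "review"
    if exts[-1] in MACRO_CAPABLE:
        return "review"
    return "allow"


def filter_attachments(names: List[str]) -> dict:
    """Map each attachment name in a message to its classification."""
    return {name: classify_attachment(name) for name in names}


if __name__ == "__main__":
    # Constructed sample attachment names, not from any real message.
    for name, verdict in filter_attachments(
        ["Invoice.PDF.EXE", "report.doc", "photo.jpg", "notes.exe.txt"]
    ).items():
        print(f"{verdict:6} {name}")
```

Note that ".docm" and other newer macro-enabled formats are not on the slide's list, so the example allows them; a real gateway policy should be broader than this 2017 list.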
What to do
Maximize visibility
§ Effective security at the perimeter
§ Effective security at the endpoint

Increased user awareness

Resources
§ ID Ransomware: Ransomware identification:
  • https://id-ransomware.malwarehunterteam.com/
§ Anti-Petya LiveCD
  • https://hshrzd.wordpress.com/2016/20/anti-peyta-live-cd-the-fastest-stage1-key-decoder/
§ NoRansom: Decryptors for CoinVault, CryptXXX, etc.
  • https://noransom.kaspersky.com
§ Ransomware overview: Ransomware IOCs
  • https://goo.gl/SfU0hv
  • https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/htmlview?pli=1
SLAIT ThreatManage USM
Six Security Pillars in the SLAIT ThreatManage USM Platform

SLAIT 24x7 Security Operations Center

SIEM & LOG MANAGEMENT
• Log Collection & Correlation
• OTX Threat Data
• SIEM Event Correlation
• Incident Response

BEHAVIORAL MONITORING
• Network IDS
• Netflow Analysis
• Full Packet Capture
• ThreatCloud Integration

ADVANCED THREAT DETECTION
• Adaptive Threat Fabric
• Behavioral Analysis
• Dynamic Sandbox Analysis

VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated & Unauthenticated Active Scanning

ASSET DISCOVERY & INVENTORY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Software Inventory

ENDPOINT RESPONSE
• “Flight Data Recorder”
• Live Response
• Threat Actor Detection/Remediation
SLAIT ThreatManage USM
Unified Security Management Framework

SLAIT Security Operations Center: Analysts, Hunters, Responders
ThreatManage USM Sensors
ThreatManage USM Servers / ThreatManage USM Loggers
SECURITY DATA: Events, Alerts, and Logs (Firewall, IDS, AD, Endpoint)
ThreatManage Customer: Analysts, Responders, Engineers
Customer assets to include licenses, hardware, etc.
SLAIT ThreatManage Services
Center for Internet Security (CIS)
• SANS – CIS top 20 Critical Security Controls (CSC)

1) Inventory of authorized and unauthorized devices
2) Inventory of authorized and unauthorized software
3) Secure configurations for hardware and software on mobile devices, laptops, workstations and servers
4) Continuous vulnerability monitoring
5) Controlled use of administrative privileges
6) Maintenance, monitoring and analysis of audit logs
7) Email and Web Browser protection
8) Malware defense
9) Limitation and control of network ports, protocols, and services
10) Data recovery capability
11) Secure configurations for network devices such as firewalls, routers and switches
12) Boundary devices
13) Data protection
14) Controlled access based on need to know
15) Wireless access control
16) Account monitoring and control
17) Security skills and assessment and appropriate training to fill gaps
18) Application software security
19) Incident response and management
20) Penetration tests and Red team exercises
And when all else fails… Restore

§ Implement frequent backups – Limit data lost by ensuring a recent restore point
§ Limit access to these backups – A sufficiently advanced attacker could seek to eliminate the backups themselves
SLAIT Consulting

Arnold E. Bell - [email protected], Greenbelt MD
T: (301) 987-1293 | (800) 761-6898
slaitconsulting.com
Follow Us On Our Social Sites
LinkedIn: slait.it/linkedinslait
Twitter: @slaitconsulting
Facebook: SLAITConsulting