Ransomware: Hard to Stop for Enterprises, Highly Profitable for Criminals
TRANSCRIPT
Raja Mukerji, Co-Founder and President, ExtraHop Networks
Ransomware: Easy Money for Criminals
[Diagram: attacker, mail server, file share, and several clients]
1. A user’s machine gets infected with malware
2. The malware downloads an encryption program
3. Begins encrypting files on the client
4. Spreads to network shares that the client is connected to
5. Spreads infected document(s) to other users/systems
6. Ransom is paid using Bitcoin, which is extremely difficult to track
Ransomware: Fast and Easy for Criminals
Ransomware Facts
Ransomware now makes up about 60 percent of malware infections encountered by Malwarebytes anti-virus software.
The CryptoLocker strain of ransomware is responsible for $325 million in damages so far.
Hollywood Presbyterian Medical Center paid a $17,000 ransom after shifting to paper processes for one week.
The FBI has offered a $3 million reward for the arrest of Evgeniy Bogachev, believed to be linked to ransomware viruses.
[Chart: Number of users attacked by Trojan-Ransom malware tracked by Kaspersky Lab, Q4 2014 through Q3 2015; y-axis 0 to 350,000 users]
The Problem: An M&M Security Model
[Diagram: rogue devices with credentials]
Ideal Solution Is Zero Trust
[Diagram: Traditional Firewall (clients, firewall, servers, SDN routing) compared with Agent-Based Firewall (clients and servers each behind an agent-based firewall)]
Detect Ransomware Behavior on the Network
[Diagram: attacker, mail server, file share, and clients, with protocol labels SMTP, HTTP, and CIFS]
1. Detect ransomware activity on the network by analysing all CIFS WRITE operations in real time
2. Trace the infection to identify all infected clients and systems
3. Investigate the incident to identify “patient zero,” the source of the malware, and the attack vector
Analyze Data in Flight to Understand Risk
I know which clients I need to take offline.
I understand the extent of the impact down to the exact files that were overwritten.
I know which IP addresses to block.
I can easily investigate the incident to find “patient zero” and the attack vector.
I have alerts set up to immediately let me know when ransomware behavior is observed.
Most importantly … catch ransomware attacks live, in real time.
East-West Traffic Growth
Traffic within the datacenter (East-West): 3.34 ZB in 2014, growing to 9.8 ZB in 2019 at a 24% compound annual growth rate
Source: Cisco Global Cloud Index
[Chart: zettabytes per year, y-axis 0 to 9]
Wire Data Analytics at Scale
1 Gbps/day = 11 TB
5 Gbps/day = 54 TB
20 Gbps/day = 216 TB
40 Gbps/day = 432 TB
(One cylinder in the diagram represents approximately 10 TB of data.)
Wire Data = Risk Visibility
CVE Detection
Shellshock
HTTP.sys
Turla malware
Heartbleed
FREAK SSL/TLS
POODLE
Logjam
Compliance
SSH tunneling
Non-standard ICMP
Non-standard DNS
Non-standard HTTP
Disallowed file types
Invalid file extension writes
Blacklisted traffic
Encryption Profile
Certificate expiration
Key length
Outdated SSL sessions
MD5/SHA-1 cert signing
SSL traffic by port
Email encryption
Wildcard certificates
Protocol Activity
Unencrypted FTP
Telnet
Gopher
TACACS
SNMP v1, v2, v2c
Finger
IRC
Application & User Behavior
Privileged user logins
Unauthorized connections
Lateral network traversal
Brute force attacks
Storage/DB access
Fraudulent transactions
Large data transfers
[Diagram: Unstructured Packets -> Structured Wire Data]
Architecture Matters

                      Continuous Packet Capture                    Stream Processing
How it works          Write to disk first, then analyze            Analyze first, then write to disk
Performance limits    Disk speed                                   Bus throughput and RAM
Lookback              Data typically stored for days               Data typically stored for months
Packet capture        Capture packets for all flows                Capture packets for the flows you want
Cost                  More, bigger appliances with more storage    Fewer, smaller appliances with less storage
                      (up to 200+ TB on 3U appliance)              (2.4 TB on 2U appliance)
[Diagram: wire, disk and CPU data path for each architecture]
Ransomware Detection Types
• Type 1: Checks for known file extensions that are commonly associated with ransomware attacks
• Type 2: Compares all file extensions against a “whitelist” to uncover potential attacks
• Type 3: Looks for WRITE activity that exceeds a configurable threshold
• Type 4: Advanced detection of instructional files typically associated with ransomware variants that are left behind during an attack
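As an added example, not ExtraHop's own code, the toy analyzer below applies the four detection types above to CIFS WRITE events, the same data source the "Detect Ransomware Behavior on the Network" slide names. The extension lists, ransom-note name hints, write threshold, window and sample events are constructed assumptions that a real deployment would tune.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed tuning values (assumptions, not ExtraHop's own rules).
KNOWN_RANSOM_EXTS = {".locked", ".encrypted", ".crypt"}   # Type 1
ALLOWED_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}  # Type 2 whitelist
RANSOM_NOTE_HINTS = ("decrypt", "restore_files", "readme")  # Type 4
WRITE_THRESHOLD = 50  # Type 3: writes per client inside one window

@dataclass(frozen=True)
class CifsWrite:
    client: str   # client IP address
    path: str     # file path written on the share
    ts: float     # epoch seconds

def ext_of(path):
    """Lower-cased last extension of the file name, or '' if none."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""

def analyze(writes, window=60.0, threshold=WRITE_THRESHOLD):
    """Return {client: set of alert labels} for the given CIFS WRITE events."""
    alerts, stamps = defaultdict(set), defaultdict(list)
    for w in writes:
        ext = ext_of(w.path)
        if ext in KNOWN_RANSOM_EXTS:
            alerts[w.client].add("type1_known_extension")
        elif ext not in ALLOWED_EXTS:
            alerts[w.client].add("type2_not_whitelisted")
        if any(h in w.path.lower() for h in RANSOM_NOTE_HINTS):
            alerts[w.client].add("type4_ransom_note")
        stamps[w.client].append(w.ts)
    for client, ts in stamps.items():   # Type 3: sliding-window burst check
        ts.sort()
        lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                alerts[client].add("type3_write_burst")
                break
    return dict(alerts)

def sample_writes():
    """Constructed sample: one healthy client and one encrypting a share."""
    healthy = [CifsWrite("10.0.0.7", f"/docs/report{i}.docx", 100.0 + i) for i in range(3)]
    infected = [CifsWrite("10.0.0.5", f"/finance/q{i}.xlsx.locked", 200.0 + i / 2)
                for i in range(60)]
    infected.append(CifsWrite("10.0.0.5", "/finance/HOW_TO_DECRYPT.txt", 231.0))
    return healthy + infected
```

Type 3 fires only from write rate, so it catches a variant that keeps original extensions; Types 1, 2 and 4 need no rate and fire on the first matching write.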
Rewind and Analyze (i.e. Forensics)
Observed CIFS WRITE activity on the network
Simple visual queries to target ransomware activity
Questions?
See an ExtraHop demo at booth #XXX