Ransomware, the scourge of 2016
Rik Ferguson, Vice President Security Research, Trend Micro

(Not so) Humble Beginnings

Ransomware Evolution

Ransomware Evolution (image credit: www.botnets.fr)

Ransomware Evolution - CryptoLocker

Ransomware in 2016
• 2016 losses: $1B
• 246 new families in 2016 alone, compared to 29 for 2015: a 748% increase.
• PhishMe report: as of the end of Q3 2016, 97% of all phishing emails contained crypto-ransomware
• InfoBlox report: ransomware domains up 35-fold in Q1 2016

Ransomware Targeting Businesses

Ransomware Infection Vectors

UK Ransomware Survey
• Just over two thirds (69%) of UK ITDMs have heard about ransomware and know how it works.
• Four fifths (82%) consider ransomware to be a threat to their organization, while 18% do not.
• The average ransom request received was £540, although for 20% of those infected the request was more than £1,000.
• Nine in ten (89%) reported a time limit on paying the ransom, with the time limit being 19 hours on average.
• Organizations affected by ransomware estimate they spent 33 man hours on average fixing the issues caused by the ransomware infection.

UK Ransomware Survey
• Two thirds (65%) ended up paying the ransom. However, only 45% of those infected got their data back this way, while 20% paid a ransom and did not get their data back.
• The three most common reasons for paying the ransom:
  – They were worried about being fined if the data was lost – 37%
  – The data was highly confidential – 32%
  – The ransom amount was low enough to count as a cost of doing business – 29%
• Seven in ten (69%) think their organization will be targeted by ransomware in the next 12 months.
• 77% have an incident response plan in case of infection with ransomware.
  – Only 44% have tested their incident response plan, while a third (33%) have a plan in place without testing it.
Notable Ransomware Families 2016 – A ROGUES GALLERY

Locky – Malicious Macros
Ransom_LOCKY is requesting a 0.5 Bitcoin ransom ($209.27)

Crysis – A Hands-On Threat Actor
A sample infection flow of Crysis via an RDP brute force attack

Cerber – A Ransomware Factory
It replaces the system's current wallpaper with this image:

Stampado – Ransomware as a Service

Exploits and Exploit Kits in 2016 – A DECLINING INDUSTRY?

The demise of the Exploit Kit?

Neutrino Price Increase
(Chart: Neutrino price per month, $3,500 before Angler disappeared vs. $7,000 after Angler disappeared)

Rate of Vulnerability Additions to Exploit Kits
(Chart)

Exploit Kit / Ransomware Relationship

Exploit Kit   Delivered Ransomware (2015)               Delivered Ransomware (2016)
Angler        CRYPWALL, CRYPTESLA, CRILOCK              CRYPWALL, CRYPTESLA, CRILOCK, WALTRIX, CRYPMIC
Neutrino      CRYPWALL, CRYPTESLA                       CRYPWALL, CRYPTESLA, CERBER, WALTRIX, LOCKY, CRYPMIC
Magnitude     CRYPWALL                                  CRYPWALL, CERBER, LOCKY, MILICRY
Rig           CRYPWALL, CRYPTESLA                       GOOPIC, CERBER, CRYPMIC, LOCKY, CRYPHYDRA, CRYPTOLUCK, MILICRY
Nuclear       CRYPWALL, CRYPTESLA, CRYPCTB, CRYPSHED    CRYPTESLA, LOCKY
Sundown       (none listed)                             CRYPTOSHOCKER, LOCKY, PETYA, MILICRY

Top Vulnerabilities Within Exploit Kits

CVE-2013-2551
Affected software: Microsoft Internet Explorer® 6–10
Description: A use-after-free vulnerability that lets attackers remotely execute arbitrary code via a specially crafted site that triggers access to a deleted object

CVE-2015-0311
Affected software: Adobe Flash Player 13.0.0.262, 14.x, 15.x, and 16.x–16.0.0.287 on Microsoft Windows® and 11.2.202.438 on Linux
Description: An Adobe Flash Player buffer overflow vulnerability that allows attackers to remotely execute arbitrary code via unknown vectors

CVE-2015-0359
Affected software: Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux
Description: An Adobe Flash Player memory corruption vulnerability that allows attackers to execute arbitrary code when the application is used; failed exploitation attempts likely result in denial of service (DoS)

CVE-2014-0515
Affected software: Adobe Flash Player before 11.7.700.279 and 11.8.x–13.0.x before 13.0.0.206 on Microsoft Windows and Mac® OS X® and before 11.2.202.356 on Linux
Description: An Adobe Flash Player buffer overflow vulnerability that occurs when parsing a compiled shader in a Flash object, which allows attackers to run some processes and run arbitrary shellcode

CVE-2014-0569
Affected software: Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and before 11.2.202.411 on Linux
Description: An Adobe Flash Player remote integer overflow vulnerability that lets attackers execute arbitrary code via unspecified vectors

Ransomware Blocks in 2016
2016 total: ~1B

Fundamental Best Practices
• Back-up and Restore – Automated: 3 copies, 2 formats, 1 air-gapped from the network
• Access Control – Limit access to business-critical data
• Keep Current with Patching – Minimize exploits of vulnerabilities
• Employee Education – Awareness, best practices, simulation testing

Smart Protection Network in 2016
• … received 2.8T reputation queries from customers
• … blocked 1B ransomware threats
• … identified 130M new unique threats
• … blocked 81B total threats

Thank You
Rik Ferguson, Trend Micro, @rik_ferguson
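The Crysis slide above shows infection starting from an RDP brute force attack, and the best-practices slide asks for access control on critical systems; the detector below is an added example, not part of Rik Ferguson's deck or any Trend Micro tool. It walks constructed, simplified Windows Security logon records (event 4625 failed logon, 4624 successful logon, logon type 10 for RDP) and flags any source address that crosses a failure threshold inside a sliding time window, noting whether an RDP logon from that address later succeeded. The record layout, the threshold and the window are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs), one simplified Windows Security event
# per line: 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP session.
SAMPLE_EVENTS = """\
2016-05-02T01:10:03 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2016-05-02T01:10:05 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2016-05-02T01:10:06 EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.7
2016-05-02T01:10:08 EventID=4625 LogonType=10 Account=backup SourceIP=203.0.113.7
2016-05-02T01:10:09 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2016-05-02T01:10:15 EventID=4624 LogonType=10 Account=administrator SourceIP=203.0.113.7
2016-05-02T01:11:00 EventID=4625 LogonType=2 Account=jsmith SourceIP=-
2016-05-02T01:12:00 EventID=4625 LogonType=10 Account=jsmith SourceIP=192.0.2.44
2016-05-02T02:30:00 EventID=4625 LogonType=10 Account=jsmith SourceIP=192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$")

def parse_events(text):
    """Return (timestamp, event_id, logon_type, account, ip) tuples sorted by time."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        events.append((datetime.fromisoformat(m["ts"]), int(m["eid"]),
                       int(m["lt"]), m["acct"], m["ip"]))
    return sorted(events)

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag IPs with >= threshold failed RDP logons in a sliding window; note later success."""
    recent = defaultdict(deque)   # ip -> timestamps of RDP failures still inside the window
    accounts = defaultdict(set)   # ip -> account names it tried
    hits = {}
    for ts, eid, lt, acct, ip in events:
        if lt != 10:              # console and network logons are out of scope here
            continue
        if eid == 4625:
            q = recent[ip]
            q.append(ts)
            accounts[ip].add(acct)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in hits:
                hits[ip] = {"failures": len(q), "accounts": sorted(accounts[ip]),
                            "flagged_at": ts, "success_after": False}
        elif eid == 4624 and ip in hits and ts > hits[ip]["flagged_at"]:
            hits[ip]["success_after"] = True   # the guessing paid off: treat as a compromise
    return hits
```

On the sample data only 203.0.113.7 is flagged; the two jsmith failures from 192.0.2.44 are more than five minutes apart and never reach the threshold.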