Ransomware

Automatic TRANSCRIPT

The next-generation IT infrastructure industry moves fast. Never miss a beat by subscribing to SDxCentral's daily newsletter at sdx.io/newsletter.

Hello and welcome to 7 Layers, where every episode we look at a technology that connects our world, from literal wires in the ground to switches and routers, all the way up to the exploding amount of smart devices around us. Subscribe to 7 Layers so you never miss an episode, and tune into our next episode, where we will hear from a leading expert in ransomware. And as always, you can learn more about the current state of technology over on sdxcentral.com. I'm your host, Connor Craven, an associate studios editor at SDxCentral.

Before we jump into this episode, I'd like to take a moment to make a correction to our episode on election security. In that episode, Tyler Technologies was referred to as an elections technology company. Please note that Tyler Technologies is a company that makes software for the public sector, but it does not make products that directly support voting or election systems or store individual voting records.

Now onto this week's topic, where we'll be shifting our focus to ransomware. Ransomware isn't new. Anyone who has used computers is probably familiar with the idea of ransomware and uses common sense when they encounter an off email or a sketchy-looking website. But what many people don't realize is that as technology evolves, so does ransomware. It becomes more difficult to decrypt, has more sinister behaviors, and is more and more prevalent. Ransomware has been on the rise: attacks were up by 119% in 2019, and in April 2020 there was a 148% increase in attacks compared to the previous month. Since then, state agencies, healthcare organizations, school districts, insurance companies, and tech companies have experienced large-scale ransomware attacks with unprecedented outcomes.
This episode will prepare you for future ransomware attacks and educate you on what ransomware is and how it continues to evolve. In this episode, we'll cover what ransomware is and how it works, the storied history of ransomware, how to protect against ransomware, the importance of security protocols, the impact of ransomware attacks, the rise of attacks and the social or political reasoning that may be behind them, and the future of ransomware. Special thanks to SDxCentral studios editor Ashley Wiesner for writing the script this week.

Part one: Ransomware basics.

Let's start out at a high level. What exactly is ransomware? Simply put, ransomware is a type of malware that encrypts its victim's files. The attacker will then demand a ransom to be paid; once the ransom is paid, the files will be decrypted. Except it's not that simple. More often than not, attackers will not decrypt the files once the ransom is paid, leaving the victims without their files and out the cost of the ransom. You might be thinking, "Yikes, what does the large-scale impact of this look like?" And, well, we'll get there, I promise. But first we're going to review how ransomware works and how it's evolved, which is loaded, because ransomware can work in a few different ways.

Ransomware can work by exploiting vulnerabilities in a system's security protections. The malware often comes from unsafe websites; in these cases it can also spread through infected hardware like USB drives. The most common approach for attackers is to trick users into downloading the ransomware themselves, often done through phishing attacks: victims open an email or download a file containing ransomware. This type of attack is often the result of a trojan horse. Once it has access to a device, the malware encrypts the files and demands a ransom. Though it sounds simple enough, as technology has evolved, so has ransomware.

Let's take a look at the first ransomware attack, which was the AIDS trojan ransomware in December 1989. It was delivered through an infected floppy disk labeled "AIDS Information Introductory Diskette," which was sent to over 20,000 individuals and health institutions. The AIDS trojan used symmetric encryption and encrypted file names on the C drive. This encryption didn't affect the files in any way; it just made them unusable. Due to the nature of the encryption technique, it was easy to remove the ransomware through decryption. However, many victims wiped their hard drives and lost years of work in the process. This ransomware attack was not particularly successful at collecting ransom; after all, victims were expected to mail a check to a PO box. However, it did set the stage for future ransomware attacks.

Ransomware attacks like the AIDS trojan at this time relied on symmetric encryption, which was often weak enough that it could be decrypted through trial and error. This was good news for the victims but bad news for the attackers, so attacks evolved. Attackers began generating a public key and embedding it into the ransomware. Once the ransomware was on a device, it would encrypt files with a randomly generated key. The catch is that the randomly generated key was itself encrypted. The attacker would then use the public key to decrypt the randomly generated key and in turn decrypt the files. This technique ensures that the same key can't be used on subsequent attacks. These keys often use the Advanced Encryption Standard, referred to as AES, making it more difficult to decrypt. To learn more about AES and other methods of encryption, go to sdxcentral.com and search for it in the security section.

Another approach attackers took was to use RSA keys for encryption. RSA keys are difficult to crack because RSA generates both keys. The algorithm uses two randomly generated prime numbers, and without those numbers it is impossible to decrypt the key. The first to use RSA was the Archiveus ransomware attack, which began in 2006. Archiveus was distributed through malicious links. Once on the device, the malware would copy files, delete the originals, lock the copies in an encrypted folder, and then leave behind a file named "How to get your files back.txt". This file would inform victims that their files were locked and could only be accessed through a 30-character password. Victims were then told to email restoring@safe-mail.net or restoringfiles@yahoo.com. The attackers would then direct victims to purchase items from several online stores. The exact reason for this approach is still unknown, but once the purchases were made, the password would be sent. The ultimate demise of Archiveus was poor password hygiene on the attackers' end: as it turned out, the password was the same for every attack. Once the password was distributed, the malware became irrelevant. Though unsuccessful long-term, Archiveus made it clear that reverse engineering encrypted files to find the key was a thing of the past.

In May 2017, the WannaCry ransomware attack occurred over a span of four days. The attack became one of the most widespread ransomware attacks, infecting nearly 350,000 devices and resulting in about a billion dollars in damages, despite only $100,000 of ransom ever being paid. WannaCry utilized both AES and RSA, and it was a worm, meaning it could spread exponentially and infect the entire network of an infected device. The ransomware was launched through a vulnerable Server Message Block, or SMB, port on a computer in Asia. From there, the ransomware spread throughout the network by exploiting a vulnerability in Windows SMB. The malware would send an initial packet, known as a dropper, that would be executed by the SMB. From there, the dropper would attempt to connect to an unregistered and seemingly random domain. If a connection was made, the attack would halt.
But if no connection was made, the malware would send two more packets: the encryptor and the decryptor. The dropper would then execute the encryptor. From here, files would be encrypted, ransom notes would appear, and a set of timers would pop up. The timers dictated the amount of ransom and the fate of the files: pay within three days and you had to pay $300 in bitcoin; after that it doubled; and if you didn't pay within seven days, the files would be erased. Windows released a patch to secure against the vulnerability, and a French researcher found a way to retrieve the RSA keys. These responses ultimately killed WannaCry within days of it being launched. Despite being short-lived, WannaCry created large financial damages and also set the precedent of using cryptocurrency for ransom payments. The use of bitcoin or other cryptocurrency makes tracing the origin of ransomware even more difficult, which protects the attackers.

It's become clear that ransomware is always evolving, but that doesn't mean there aren't ways to protect against it. Security best practices can prevent attackers and allow for a less costly recovery if an attack occurs. Security best practices include maintaining industry standards for security, having knowledge of your organization's IT environment, having a ransomware attack response plan, backing up files, and educating employees on password hygiene, how to spot suspicious emails or links, and how to report suspicious activity. The 3-2-1 rule is a common strategy for file backups. The strategy is as follows. Three: have three copies of data available. Two: have two copies on a device separate from the original copy; think flash drives or an external hard drive. One: have one copy off site; the cloud would work for this. By following the strategy, in the event of an attack you can wipe the infected device and restore the backup. The FBI recommends organizations keep all software up to date as another prevention technique.
And of course, they recommend having a solid antivirus system. I'm sure some of you are thinking, "Yeah, I know all this. What do I do if me or my organization has a ransomware attack?" And unfortunately, there isn't a lot you can do. Infected devices have to be wiped more often than not to remove the ransomware. As far as paying the ransom, the FBI recommends you don't, but it's ultimately a cost-benefit analysis: losing the files or having them leaked may cost more than the ransom itself. Paying also doesn't guarantee you get the files. Of course, you should also report the ransomware attack. Ransomware is considered a crime in the US, and attacks should be reported to the FBI.

And now a word from our sponsor. After the break, we'll discuss the impact of ransomware attacks, the recent rise of ransomware, and why exactly these attacks are occurring.

IT infrastructure is under more demand and more scrutiny than ever. The way we build networks has fundamentally changed, with new technologies constantly evolving to solve new challenges. At the same time, the role of IT departments, and of individuals within the department, is changing. While vendors and executives strategize around new technologies, those in the trenches scramble to keep up. SDxCentral's definitional guides cover topics from SDN 101 to the Internet of Things to carefully curated guides for major industry events. They are 100% independent content designed to share knowledge and help technology professionals stay ahead of the curve. Download the latest guide today at sdx.io/guides. Again, that's sdx.io/guides.

Part two: Ransomware on the rise and in the news.

Now that we have a deeper understanding of what ransomware is and how to prevent an attack, we're going to look at the impact of ransomware. As I mentioned before, the WannaCry attack resulted in nearly a billion dollars in damages in the span of only four days, putting a large financial burden on its victims.
This financial impact on victims can be devastating. Trend Micro reports the average cost of a ransomware attack on a business is $133,000. The same report estimated that ransomware attacks resulted in billions of dollars in revenue for attackers in 2018. Ransomware is big money for attackers, and the industry continues to grow. Trend Micro also reported over 40 million attacks on businesses between January 2019 and April 2019. This growth trend has continued into 2020: we saw a 148% increase in attacks from March 2020 to April 2020.

This increase in attacks doesn't just mean financial losses. Recent ransomware attacks have resulted in time lost to attack response and data recovery, data leaks, interference with healthcare, education, and election systems, and, unfortunately, death. A September 2020 ransomware attack on a hospital in Germany resulted in the death of a patient. Though there was no explicit ransom, there was an extortion note left. The attack disrupted hospital systems for nearly a week. The systems ultimately crashed, making patient data inaccessible. Due to this, the hospital transported emergency patients to a different hospital. The woman's death was a result of this transfer. Though this death is the first reported death related to ransomware, ransomware attacks on healthcare institutions aren't new. Emsisoft reported 764 ransomware attacks against healthcare organizations in 2019. The weekend of September 25th, 2020, sources say the potentially largest medical ransomware attack occurred in the US. The computer systems for Universal Health Services, a healthcare organization with 400 locations across the US, UK, and Puerto Rico, were attacked. 250 US locations were affected by this attack, resulting in cancelled surgeries, rerouted ambulances, and hand-labeling of medications.
UHS's statement confirmed that no patient or employee data has been leaked. Clark County School District in Las Vegas wasn't so lucky. They experienced a data leak early in September after refusing to pay a ransom. The school district first reported the attack on August 27th, 2020, and come September 14th, the attacker posted a warning alongside stolen data. The data included employee Social Security numbers, student home addresses, grades, and more.

With healthcare and educational institutions at risk, you may be wondering to yourself, "What's next, politics?" And to that I'll say, actually, yeah. Tyler Technologies, a company that provides the US public sector with software, was hit with a ransomware attack the week of September 21st, 2020. Though Tyler Technologies hasn't gone into the details of the attack, it did specify that at first it appeared to be a typical cyberattack: files were inaccessible and there was a ransom message. Then, come Friday evening, it appeared outside actors were trying to gain access to their systems. This raised fears that the hackers may be out for more than just a payday.

As mentioned before, ransomware and cyberattacks are on the rise, and large-scale attacks like those on UHS and Tyler Technologies are becoming more and more prevalent. You may be wondering why. One piece of it is that people pay ransoms and attackers make money. This is why the FBI recommends not paying ransoms. But it's bigger than that. The recent influx of attacks appears to be strategic, meaning attackers are taking advantage of the current social and political landscape related to COVID-19, remote working, and the recent election. COVID-19 was unexpected by many, and while most of us were stocking up on toilet paper or canned goods, attackers were strategizing ransomware attacks. Attackers were using COVID-19 to launch ransomware, phishing attacks, trojans, fake apps, backdoors, and cryptominers. Patrick Upatham and John Brennan, both researchers at VMware Carbon Black, wrote in a blog, quote, "Notable spikes in attacks can also be correlated to key days in the COVID-19 news cycle, suggesting attackers are being seriously opportunistic and leveraging breaking news to take advantage of vulnerable populations," end quote. These spikes particularly relate to major milestones in COVID-19. The day the US announced the first case of COVID-19, there was a 48% spike in attacks compared to January 30th baseline levels. On February 29th, multiple states announced public health emergencies, and we saw a 66% increase in attacks. Following this trend, on March 1st the US announced the first COVID-19 death, and VMware Carbon Black reported another 66% spike. These attacks weren't just coordinated with the news cycle; they explicitly used COVID-19 as a ploy. 19% of the ransomware attacks used COVID-19 or stay-at-home orders to lure victims, said SonicWall CEO Bill Conner.

As mentioned by Bill Conner, attackers are also capitalizing on stay-at-home orders. More specifically, they are making the most out of the increase in remote work. According to data collected by VMware Carbon Black, there was an estimated 70% increase in remote work between February 4th and April 7th, creating the perfect environment for spear phishing tactics. Attackers can now gain access to an organization's network through employees' home devices. Attackers can then move laterally through the network to access corporate systems. This occurs because most organizations don't have the same layered security and segmentation outside of the office.
In fact, a survey of 800 security professionals across the United Kingdom, Germany, and France revealed that 55% of organizations say remote working is making them more vulnerable to attacks; 70% of organizations with 5,000 or more employees expressed this sentiment as well.

COVID-19 isn't the only topic in the news these days. The election continues to dominate headlines, and in turn, ransomware attacks have increased in the American public sector. According to the security firm Emsisoft, 966 ransomware attacks hit the public sector last year, with two-thirds of those attacks targeting local or state governments. The trend has continued into 2020: in the first two weeks of September, seven US government entities were hit with ransomware and subsequently had data stolen. This trend in ransomware attacks and the recent attack on Tyler Technologies solidified election security concerns among government officials and US intelligence agencies. Again, like I opened the show with, Tyler Technologies only makes software for the public sector; it does not make products that directly support voting or election systems or store individual voting records. Officials are specifically concerned that foreign attackers will target databases, election technology, or public sector software to manipulate, disrupt, or destroy data and to build mistrust around election systems. Vermont Secretary of State Jim Condos said, quote, "We have to remember that this threat to our democracy will not go away, and concern about ransomware attacks on voter registration databases is one clear example." He continued to say, "We're sure the threat is far from over."

And so what does this tell me? I hate to admit it, but it's pretty uncertain. We should expect the following: a continued increase in ransomware attacks, more attacks resulting in stolen data, and attacks piggybacking off the social and political landscape.

And now a word from our sponsor. The IT department is changing. Automation has caused a shift in job descriptions and priorities, as once-manual tasks such as network monitoring are being taken over by AI. At the same time, new technologies such as cloud, 5G, machine learning, and big data are creating demand for new jobs and career paths, and subsequently a massive skills gap that organizations are desperately trying to bridge. The path toward that next promotion, next job, and next goal is increasingly murky. SDxCentral is here to help. Visit sdx.io/career to download our latest career guide. These guides include detailed information about top skills needed for the fastest-growing IT jobs, interviews with industry experts, and guidelines for nailing your next interview. Use them as a roadmap for navigating your dream tech career path. Download the latest guide today at sdx.io/career.

Thank you for joining us on this week's episode of 7 Layers. Reach out to podcasts@sdxcentral.com with any questions, concerns, corrections, or, honestly, pronunciations. But before you go, let's do a brief overview of what we discussed today. One: ransomware is malware that prevents victims from accessing files and then demands payment. Two: ransomware gains access through infected emails, devices, or attachments, and through malicious websites. Three: attackers often use asymmetric encryption and cryptocurrency, so the ransomware is difficult to decrypt and hard to trace. Four: ransomware attacks have a large financial impact on organizations, can result in data leaks, and can interfere with various infrastructures. And finally, attacks are on the rise. Although ransomware is becoming more prevalent, that doesn't mean people are helpless. Remember, best security practices can prevent ransomware attacks and reduce the negative impact if they do happen.

I've been your host, Connor Craven, associate studios editor at SDxCentral. I'm really looking forward to the next episode, and I hope you are too.
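The hybrid scheme the episode describes in part one (a random per-file key, itself encrypted to a key embedded in the ransomware, so no key is reused across victims and the trial-and-error recovery of the symmetric-only era stops working) is worth seeing concretely. The Go program below is an added example written for this page; it is not code from the episode, from SDxCentral, or from any ransomware family. It uses only the Go standard library and assumes the usual split in which the public key ships in the sample and the private key stays with the attacker. The container layout, the function names, and the sample file contents are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// EncryptedFile is the constructed container used by this example (it follows no
// real family's on-disk format): the wrapped per-file key, the nonce, and the ciphertext.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(fileKey): only the matching private key unwraps it
	Nonce      []byte // AES-GCM nonce, fresh per file
	Ciphertext []byte // AES-256-GCM(fileKey, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt draws a fresh random 256-bit key for this one file, seals the plaintext
// with it, then wraps that key to pub. The wrapped copy is the only one that survives.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt is the step only the private-key holder can perform: unwrap the file key,
// then open the ciphertext. A wrong private key or a tampered container errors out.
func Decrypt(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// Demo runs the scheme on constructed data and reports three facts a defender should
// expect: the matching private key recovers the file, two encryptions of the same file
// share no key material, and an unrelated RSA key (a fresh one stands in for it) fails.
func Demo() (recovered, keysDiffer, wrongKeyFails bool) {
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	sample := []byte("constructed sample: contents of quarterly-report.xlsx") // not a real file
	ef1, err := Encrypt(&attackerKey.PublicKey, sample)
	must(err)
	ef2, err := Encrypt(&attackerKey.PublicKey, sample)
	must(err)
	plain, err := Decrypt(attackerKey, ef1)
	must(err)
	recovered = bytes.Equal(plain, sample)
	keysDiffer = !bytes.Equal(ef1.WrappedKey, ef2.WrappedKey) && !bytes.Equal(ef1.Ciphertext, ef2.Ciphertext)
	_, wrongErr := Decrypt(otherKey, ef1)
	wrongKeyFails = wrongErr != nil
	return
}

func main() {
	r, k, w := Demo()
	fmt.Println("recovered with matching private key:", r)
	fmt.Println("per-file keys differ:", k)
	fmt.Println("unrelated private key fails:", w)
}
```

The practical point for defenders follows from Decrypt: with this construction there is nothing to brute-force on the victim's side, so recovery means either obtaining the private key (which is what the episode's French researcher managed against WannaCry by retrieving the RSA keys) or restoring from a backup that the malware never reached, which is why the 3-2-1 rule sits alongside patching in the episode's list of protections.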