NCSC Speaker

Transcript of NCSC Speaker

Page 1: NCSC Speaker

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to [email protected]

Ransomware: Past, Present, and Future

By A Cyber Security Advisor

NCSC

Page 2: NCSC Speaker

What is the NCSC?

The new National Cyber Security Centre is the UK’s authority on cyber security and part of GCHQ.

The NCSC brings together cyber security into a single, expert organisation building on the best of what we already have and combining the functions of:

• CESG
• CERT-UK
• Cyber related aspects of Centre for the Protection of National Infrastructure
• Centre for Cyber Assessment

Page 3: NCSC Speaker

Where we are based

• Cheltenham
• London Victoria

Page 4: NCSC Speaker

Our Organisation

Page 5: NCSC Speaker

What we do:

We understand cyber security: Sharing our knowledge, we identify and address systemic vulnerabilities

We respond to cyber security incidents: Managing serious security breaches, we reduce the harm they cause to the UK

We nurture our national cyber security capability: Providing leadership on critical issues, harnessing talent and technology

We reduce risks to the UK: We help public and private sector organisations secure their networks

Page 6: NCSC Speaker

About Me: The Details

Over 40 years in the IT Industry:
• Career divided between private and public sectors
• Involved in IT / Cyber security since 2004
• Joined NCSC in 2016
• Work with companies in the Communications, IT Services and Space sectors of the CNI
• Government Chair of the Space Information Exchange since 2016

Page 7: NCSC Speaker

Ransomware: Past, Present and Future

• The Basics
• How It All Began
• Current Edition
• Back to the Future
• How to Prepare: Now, and in the Future

Page 8: NCSC Speaker

Ransomware: The Basics

Wikipedia’s definition of ransomware:

“Ransomware is computer malware that installs covertly on a victim's device (e.g., computer, smartphone, wearable device) and that either mounts the cryptoviral extortion attack from cryptovirology that holds the victim's data hostage, or mounts a cryptovirology leakware attack that threatens to publish the victim's data, until a ransom is paid.” [1]

In short: an entity renders data or a device inaccessible, then demands payment for its ‘release’

[1] Wikipedia https://en.wikipedia.org/wiki/Ransomware

Page 9: NCSC Speaker

Ransomware: The Basics

Purpose: Money!!!!

and relatively lower risk than traditional kidnap, ransom, and extortion methods.

• Direct Revenue Generation: $1 Billion in 2016 [2]

• Top Impacted Countries: United States, Japan, United Kingdom, Italy, Germany, and Russia [3]

• Most Prevalent attack vectors: misleading apps, fake antivirus scams [4]

• Average Ransom Demand: Range between $500-$2000 [5]

• Business Costs: $75 Billion per year [6]

[2], [5], [6]: Rock, Tracy. “Ransomware Statistics 2016-2017: A Scary Trend in Cyberattacks” February 27, 2017. Invenio IT. http://invenioit.com/security/ransomware-statistics-2016/

[3] and [4]: Savage, Kevin. Coogan, Peter. Lau, Hon. “The Evolution of Ransomware” August 6, 2015. Symantec. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf

Page 10: NCSC Speaker

Ransomware: How it all began

The original “kidnap, ransom, and extortion” (KRE) technique
• Used in ancient times for payment, bargaining, warfare
• Still used in parts of the world today

Well-known Cases:
• Richard the Lionheart (1192)
• Charles Lindbergh Jr (1932) – “The Lindbergh Baby”
• Peter Weinberger (1956) – Changed kidnapping laws in US
• Patty Hearst (1974)

Page 11: NCSC Speaker

Ransomware: How it all began

Enter Technology: First known ransomware attack using encryption

• AIDS Trojan (1989) written by Joseph Popp
• Software Expiration Pop-Up Notice
• $189 US Ransom
• Poorly written
• Symmetric Cryptography

Page 12: NCSC Speaker

Ransomware: How it all began

Learn and Improve from the mistakes of others
• Adam Young and Moti Yung experiment (1996)
• Encrypt with public key and ransom the private key
• Introduced concept of ‘electronic money’ extortion

Page 13: NCSC Speaker

Ransomware: Where it all began

Examples of extortion through ransomware:
• Gpcode, Gpcode.AG, Gpcode.AK (variants)
• TROJ.RANSOM.A
• Archiveus
• Krotten
• Cryzip
• MayArchive

As advancing technologies grew, so did the size of encryption keys:

Page 14: NCSC Speaker

Ransomware: Current Edition

Four Flavours:

• Crypto ransomware
• Locker ransomware
• Mobile ransomware
• Leakware (aka Doxware)

Page 15: NCSC Speaker

Ransomware: Current Edition

Crypto Ransomware:

An infection encrypting data within a computer or system, withholding the decryption keys until a ransom is paid.

Page 16: NCSC Speaker

Ransomware: Current Edition

Locker Ransomware *:

An infection locking a computer or device, denying access until a ransom is paid.

* different to preventing access to files or data, which is crypto ransomware

Page 17: NCSC Speaker

Ransomware: Current Edition

Mobile Ransomware:

Blockers: the payload is commonly an APK file installed on the user’s mobile to lock access to the device, or to mobile application(s). Online synchronisation negates the incentive to encrypt data, so attacks are limited to denying use of the device.

* Instances vary based on type of mobile device – i.e., Android vs iOS

Page 18: NCSC Speaker

Ransomware: Current Edition

Leakware:

Also known as Doxware: this form of malicious activity combines ‘doxing’ and ransomware. It combines both encryption of data and the collection/theft of personal information for the use of future extortion activities.

“…instead of locking up your sensitive data and making them inaccessible to you, it makes them accessible to everybody – unless you pay up.” [7]

Example: Ashley Madison

[7] Littlejohn Shinder, Debra. The Evolution of Extortionware. February 7, 2017. GFI Tech Talk. https://techtalk.gfi.com/the-evolution-of-extortionware/

Page 19: NCSC Speaker

Ransomware: Back to the future

Technology advances much faster than implementation of security measures.

WannaCry (aka: WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor)
• Date: 12 May 2017 – Present
• Location(s): Everywhere!
• Ransom Demand: $300-$600
• Cause: EternalBlue exploit / Failure to patch
• Damage Thus Far: Over 200K victims and more than 230K computers infected [8]

[8] https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

Page 20: NCSC Speaker

Ransomware: Back to the future

Technology advances much faster than implementation of security measures.

Petya (AKA NotPetya. Variants included Petna, Pneytna, Goldeneye)
• Date: 27 June 2017 onwards
• Location(s): Ukraine, spreading westward
• Ransom Demand: $300 in bitcoins – but were they after money?
• Cause: EternalBlue exploit / Failure to patch
• Damage thus far: Epicentre was Ukraine, but included UK and US

Page 21: NCSC Speaker

Ransomware: Back to the future

Technology advances much faster than implementation of security measures.

“Mr Smith Group”

The US TV network has refused to pay a multimillion dollar ransom demand to the hackers, who compromised the network’s systems in July and have since leaked a series of embarrassing documents, emails and unaired shows, including Game of Thrones and Curb Your Enthusiasm.

Page 22: NCSC Speaker

Ransomware: Back to the future

Evolution and Innovation:

Stealthier: searching for a bigger ‘pay-load’
• Long-term game
• Less about data than entire business
  • Infrastructure
  • Operations
• E.g. Hospitals, Power Grids

Page 23: NCSC Speaker

Ransomware: Back to the future

Evolution and Innovation:

Stealthier: searching for a bigger ‘pay-load’
• Long-term game
• Less about data than entire business
  • Infrastructure
  • Manufacture
  • Operations

E.g. UK Space Industry

Page 24: NCSC Speaker

Ransomware: Back to the future

What does the “entire business” mean?

Not limited to data sets or system access, but also:
• Incident Response
• Backups
• Restoration/Recovery Operations

Leading to:

Total Organisational Paralysis

Page 25: NCSC Speaker

Ransomware: How to prepare – now

What you are (hopefully?) doing now:

• Business Risk Assessment
• Data Recovery (backups)
• Detection
• Disaster Recovery Plan
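The "Detection" item above is the one a practitioner has to turn into something concrete. The following is an added example, not material from the NCSC talk: a small heuristic in Python that reads file-activity audit lines and flags any process that renames many distinct files to a new extension within a short window, which is the behavioural signature crypto ransomware leaves regardless of which family it is. The log format, the process names, the paths and the ".locked" extension are all constructed for the example; an actual deployment would feed it records from whatever file-auditing or EDR telemetry the organisation already collects.

```python
"""Burst-rename heuristic over constructed file-activity audit lines.

Added example (not NCSC code). Input format is an assumption:
  <ISO timestamp> pid=<n> proc=<name> op=<rename|write> src=<path> dst=<path|->
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os
import re

# Constructed sample telemetry: one ordinary write, one process that renames
# six different files to ".locked" in four seconds (plus one unrelated rename
# two hours earlier), a benign backup job that renames two files, and a
# malformed line the parser must skip.
SAMPLE_LOG = """\
2017-05-12T10:00:01 pid=4120 proc=winword.exe op=write src=C:/Users/alice/report.docx dst=-
2017-05-12T08:00:00 pid=7788 proc=unknown.exe op=rename src=C:/Users/alice/old.txt dst=C:/Users/alice/old.txt.locked
2017-05-12T10:00:03 pid=7788 proc=unknown.exe op=rename src=C:/Users/alice/report.docx dst=C:/Users/alice/report.docx.locked
2017-05-12T10:00:03 pid=7788 proc=unknown.exe op=rename src=C:/Users/alice/budget.xlsx dst=C:/Users/alice/budget.xlsx.locked
2017-05-12T10:00:04 pid=7788 proc=unknown.exe op=rename src=C:/Users/alice/photo.jpg dst=C:/Users/alice/photo.jpg.locked
2017-05-12T10:00:05 pid=7788 proc=unknown.exe op=rename src=C:/Shares/finance/q1.pdf dst=C:/Shares/finance/q1.pdf.locked
2017-05-12T10:00:06 pid=7788 proc=unknown.exe op=rename src=C:/Shares/finance/q2.pdf dst=C:/Shares/finance/q2.pdf.locked
2017-05-12T10:00:07 pid=7788 proc=unknown.exe op=rename src=C:/Shares/hr/payroll.csv dst=C:/Shares/hr/payroll.csv.locked
2017-05-12T10:00:09 pid=2200 proc=backup.exe op=rename src=D:/backup/db.tmp dst=D:/backup/db.bak
2017-05-12T10:00:10 pid=2200 proc=backup.exe op=rename src=D:/backup/files.tmp dst=D:/backup/files.bak
this line is not in the expected format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev


def extension_changed(src, dst):
    """True when the rename gives the file a different extension."""
    return os.path.splitext(src)[1].lower() != os.path.splitext(dst)[1].lower()


def detect_rename_bursts(lines, window_seconds=60, threshold=5):
    """Return {(pid, proc): max_distinct_files} for every process that renamed
    at least `threshold` distinct files to a new extension inside any sliding
    window of `window_seconds`. Benign jobs renaming a handful of files stay
    below the threshold; a mass-encryption run does not."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["op"] == "rename" and extension_changed(ev["src"], ev["dst"]):
            events[(ev["pid"], ev["proc"])].append((ev["ts"], ev["src"]))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start, best = 0, 0
        for end in range(len(evs)):
            # Advance the window start until it is within window_seconds of `end`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({src for _, src in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (pid, proc), count in detect_rename_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT pid={pid} proc={proc}: {count} files renamed to a new extension within 60s")
```

The threshold and window are the tuning knobs: too low and archive tools or backup jobs will trip it, too high and a fast encryptor finishes a share before the alert fires. Counting distinct source paths rather than raw events, and requiring the extension to change, is what keeps ordinary save-and-overwrite behaviour from an office application out of the alert.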

Page 26: NCSC Speaker

Ransomware: How to prepare – in the future

What to Do in the Future:

• Dependable Data Recovery Solutions
• Updated Backup Systems
• Cyber Insurance?
• Exercise, Exercise, Exercise!!!!!
• Crypto Currency
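"Dependable Data Recovery Solutions" and "Exercise, Exercise, Exercise" belong together: a backup is only dependable once you have rehearsed restoring from it and checked that what came back is what went in. The following is an added example, not NCSC material, showing in Python how a backup manifest of SHA-256 digests lets you (a) tell which live files have been altered or removed, as an encryption run would do, and (b) run a restore drill from the backup copy into scratch space and verify it end to end. The directory layout, file contents and the simulated tampering are all constructed inside the example; a real drill would point `build_manifest` at the backup media and `verify_tree` at the restored system.

```python
"""Backup manifest and restore drill (added example, not NCSC code).

Assumes a backup that is a plain directory tree; the manifest is an
in-memory dict here, but in practice it would be stored with the backup
and kept offline alongside it.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=65536):
    """Streamed SHA-256 of a file, so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_tree(root, manifest):
    """Compare a tree against a manifest; return (missing, modified) path lists."""
    missing, modified = [], []
    for rel, digest in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            missing.append(rel)
        elif sha256_file(full) != digest:
            modified.append(rel)
    return sorted(missing), sorted(modified)


def restore_drill(backup_dir, manifest):
    """Rehearse recovery: copy the backup into scratch space and verify it.
    Returns True only if every manifest entry restores byte-for-byte."""
    scratch = tempfile.mkdtemp(prefix="restore-drill-")
    try:
        for rel in manifest:
            src = os.path.join(backup_dir, *rel.split("/"))
            dst = os.path.join(scratch, *rel.split("/"))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
        missing, modified = verify_tree(scratch, manifest)
        return not missing and not modified
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def run_demo():
    """Constructed end-to-end run: build a live tree, back it up, tamper with
    the live copy (one file overwritten with random bytes, one deleted),
    verify the live tree, then rehearse a restore from the untouched backup."""
    work = tempfile.mkdtemp(prefix="recovery-demo-")
    try:
        live = os.path.join(work, "live")
        backup = os.path.join(work, "backup")
        os.makedirs(os.path.join(live, "finance"))
        with open(os.path.join(live, "finance", "q1.csv"), "w") as f:
            f.write("revenue,100\n")
        with open(os.path.join(live, "notes.txt"), "w") as f:
            f.write("keep a copy offline\n")
        shutil.copytree(live, backup)
        manifest = build_manifest(backup)

        # Simulated hostile activity on the live system.
        with open(os.path.join(live, "finance", "q1.csv"), "wb") as f:
            f.write(os.urandom(32))
        os.remove(os.path.join(live, "notes.txt"))

        missing, modified = verify_tree(live, manifest)
        return {
            "files": len(manifest),
            "missing": missing,
            "modified": modified,
            "restore_ok": restore_drill(backup, manifest),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

The manifest has to live somewhere the same intruder cannot reach, or a manifest rebuilt over encrypted files would happily report everything as "verified"; that is the practical reason to keep at least one backup copy and its manifest offline. Scheduling `restore_drill` as a routine job, rather than running it once, is what turns "Exercise, Exercise, Exercise" into evidence that the recovery plan still works after the next system change.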

Page 27: NCSC Speaker

Ransomware:

How have you been Impacted? What lessons have you learned?

If not …………….?

For further information see: https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware

Page 28: NCSC Speaker

For further information see: https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware