Understanding ransomware
Prathan Phongthiproek
Understanding ransomware and Key lessons from WannaCry
Technology
1.
Understanding Ransomware: Key Lessons from WannaCry
Prathan Phongthiproek, Manager, Information Protection and Business Resilience (IPBR), KPMG in Thailand
2.
© 2017 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Thailand. Document Classification: KPMG Confidential
Agenda
• Understanding Ransomware
• Key Lessons from WannaCry
• Proactive Prevention
3.
Understanding Ransomware
4.
What is Ransomware?
Ransomware is a form of computer malware (virus) that blocks user access to files or systems, holding files or entire devices hostage using encryption until the victim pays a ransom in exchange for a decryption key, which allows the user to access the files or systems encrypted by the program.
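The definition above names the behaviour that host-based detection keys on: one process rewriting many user files with ciphertext. As an added example that is not part of the KPMG deck, the Python below scores constructed file-write events by byte entropy and by whether the file extension changed, and alerts on a process that does this in a burst. The event format, thresholds, process names and sample file contents are assumptions made for the illustration.

```python
"""Behavioural ransomware detection over file-write events.

Added example, not from the KPMG deck: the event format, thresholds,
process names and sample file contents below are constructed assumptions.
"""
import math
import ntpath
import random
from collections import defaultdict

ENTROPY_THRESHOLD = 7.0   # bits/byte; ciphertext and random data sit close to 8
BURST_THRESHOLD = 5       # suspicious rewrites by one process before alerting


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-value input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_suspicious_write(path: str, new_path: str, content: bytes) -> bool:
    """Signature used here: near-random content AND a changed extension
    (e.g. .docx -> .docx.WNCRY). Either signal alone is noisy: archives and
    legitimate encryption are high-entropy, and plain renames are normal."""
    high_entropy = shannon_entropy(content) >= ENTROPY_THRESHOLD
    ext_changed = ntpath.splitext(path)[1].lower() != ntpath.splitext(new_path)[1].lower()
    return high_entropy and ext_changed


def ransomware_alerts(events, burst: int = BURST_THRESHOLD) -> dict:
    """events: iterable of (process, original_path, path_after_write, content).
    Returns {process: suspicious_write_count} for processes at or above `burst`."""
    counts = defaultdict(int)
    for proc, path, new_path, content in events:
        if is_suspicious_write(path, new_path, content):
            counts[proc] += 1
    return {p: c for p, c in counts.items() if c >= burst}


def build_sample_events():
    """Constructed telemetry: one encrypting process and two benign writers."""
    rng = random.Random(1)          # deterministic stand-in for ciphertext

    def noise(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    docs = r"C:\Users\alice\Documents"
    events = []
    for i in range(8):              # hypothetical malware rewriting 8 documents
        src = ntpath.join(docs, f"report{i}.docx")
        events.append(("evil.exe", src, src + ".WNCRY", noise(2048)))
    notes = ntpath.join(docs, "notes.txt")   # editor saving compressible text
    events.append(("winword.exe", notes, notes, b"Quarterly notes for the board meeting.\n" * 50))
    archive = ntpath.join(docs, "photos.zip")  # high entropy but no rename, one file
    events.append(("7z.exe", archive, archive, noise(2048)))
    return events


if __name__ == "__main__":
    print(ransomware_alerts(build_sample_events()))   # {'evil.exe': 8}
```

Real endpoint products add signals this sketch leaves out (canary files, write rate per directory, known-extension lists), but the combination shown here is why a single archive being compressed does not trip the rule while a burst of high-entropy renames does.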
5.
The Ransomware Tube Map
Ref: https://www.f-secure.com/documents/996508/1030743/cyber-security-report-2017
6.
Ransomware Attack: Ransomware on the headlines
Name: PC Cyborg/AIDS Trojan | Target: Healthcare Industry | Attack: December 1989
The first known attack was initiated in 1989 by Joseph Popp, who handed out 20,000 infected disks to attendees of the World Health Organization's AIDS conference. The malware displayed a message demanding a payment of $189 and $378 for a software lease.
Name: CryptoLocker | Target: Worldwide | Attack: September 2013
CryptoLocker was a prominent ransomware variant around 2013, and quite a profitable one at that. CryptoLocker infected more than 250,000 systems and earned more than $3 million for its creators.
Name: WannaCry | Target: Worldwide | Attack: May 2017
The WannaCry ransomware attack was a worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
7.
Open-Source Ransomware
https://github.com/goliate/hidden-tear
8.
Karmen Ransomware (Ransomware-as-a-Service)
Karmen is being sold on Dark Web forums by the Russian-speaking cybercriminal DevBitox for $175. It automatically deletes the decryptor if a sandbox environment or analysis software is detected on the victim's computer, a tactic designed to make life harder for security researchers tasked with investigating it.
9.
How is Ransomware spread?
Ref: https://www.csa.gov.sg/singcert/news/advisories-alerts/ransomware
10.
How is Ransomware spread?
Screenshot: Identifying email + Fake mailer
11.
How is Ransomware spread?
Screenshots: Successfully sent fake email; Malicious executable file embedded in Excel macro
12.
Demonstration
13.
No More Ransom!!
The "No More Ransom" website helps victims of ransomware retrieve their encrypted data without having to pay the criminals.
14.
What to do if infected with Ransomware?
• Disconnect your machine from any others, and from any external drives: infected systems should be removed from the network as soon as possible to prevent the ransomware from attacking network or shared drives.
• Use a smartphone or a camera to take a photograph of the ransom note presented on your screen.
• Check if you can recover deleted files (Shadow Copy): many forms of encrypting ransomware copy your files, encrypt the copies and then delete the originals.
• Check if there are decryption tools available (No More Ransom).
• Use antivirus or anti-malware software to clean the ransomware from the machine.
• Restore your files from a backup: if you regularly back up the affected machine, you should be able to restore the files from the backup.
• Immediately secure backup data or systems by taking them offline: ensure backups are free of malware.
15.
Key Lessons from WannaCry
16.
New Era of Ransomware: WannaCry
WannaCry, Wcry, WannaCrypt and Wana Decrypt0r
• WannaCry began on 12 May 2017 using known exploits (EternalBlue, from the leaked NSA exploits) through SMBv1 (TCP 445)
• Infiltrates endpoints and encrypts all the files using strong asymmetric encryption (RSA 2048-bit cipher), demanding a ransom payment of $300 USD
• Crippled at least 200K+ systems across 150 countries
• WannaCry – Wannabe Worms
Ref: http://b0n1.blogspot.com/2017/05/wannacry-ransomware-picture-collection_17.html
17.
Impact/Summary
Confidentiality: The malware does install a backdoor that could be used to leak data from affected machines, but the malware itself does not exfiltrate data.
Integrity: Aside from encrypting the data, the malware does not alter data. But the backdoor could be used by others to cause additional damage.
Availability: Affected organizations will lose access to the files encrypted by the malware. Recovery is uncertain even after paying the ransom.
18.
Timeline of the WannaCry and related attack
Episode I: The Phantom Menace (2013 to March 2017)
• 2013-2016: The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools from the National Security Agency (NSA), including several zero-day exploits. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, anti-virus products, and Microsoft products.
• January 16, 2017: US-CERT advisory on the SMBv1 vulnerability
• March 14, 2017: Microsoft releases patch for CVE-2017-0144 (MS17-010)
Episode II: Attack of the Clones (April to May 2017)
• April 14, 2017: Shadow Brokers releases NSA hacking tools including zero-day exploits (the Eternal set: EternalBlue, EternalChampion, EternalRomance, EternalSynergy). EternalBlue can exploit Windows XP, Vista, 7, 2000, 2003 and 2008
• May 12, 2017: WannaCry attacks begin, using EternalBlue to exploit Windows OS through SMB (445)
• May 13, 2017: Microsoft releases patch for unsupported OS (Windows XP, 8 and 2003)
• May 13, 2017: WannaCry's "Kill Switch" domain was found; MalwareTech registered the domain in question and created a sinkhole
Episode III: Revenge of the Sith (May 2017)
• May 13, 2017: WannaCry 2.0 with no kill switch is on the hunt
• May 14, 2017: New WannaCry variants appeared. The new variant is equipped with the SMB exploit, which helps it spread rapidly without disruption. The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning of Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host.
• May 16, 2017: Shadow Brokers published a fresh statement, promising to release more zero-day bugs and exploits for various desktop and mobile platforms starting from June 2017.
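The scanning behaviour described for the May 14 variant (one infected host opening SMB connections to many LAN and Internet addresses in a short time) is what a network-side detection looks for. As an added example that is not part of the KPMG deck, the Python below reads constructed flow records and alerts on any source that reaches a threshold of distinct TCP/445 destinations inside a sliding window, noting whether any of those destinations were outside the RFC 1918 ranges. The record format, threshold, window length and every address are assumptions made for the illustration.

```python
"""Detect worm-like SMB fan-out from flow records.

Added example, not from the KPMG deck: the flow-record format, the
threshold/window and every address below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

FANOUT_THRESHOLD = 20            # distinct TCP/445 destinations from one source
WINDOW = timedelta(seconds=60)   # sliding window over which they are counted
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip: str) -> bool:
    """RFC 1918 check; anything else is treated as an Internet destination."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_flows(text: str):
    """Records are 'ISO-timestamp src dst dport proto', one per line (assumed format)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()))
    return flows


def smb_fanout_alerts(flows, threshold=FANOUT_THRESHOLD, window=WINDOW) -> dict:
    """Return {src: {"distinct_targets": n, "internet_targets": bool}} for every
    source that contacts >= threshold distinct hosts on TCP/445 within `window`.
    Repeated connections to a single file server never trip this, however many."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == 445:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        in_window = defaultdict(int)     # dst -> connections currently inside the window
        start = 0
        for ts, dst in conns:
            in_window[dst] += 1
            while ts - conns[start][0] > window:   # slide the window forward
                old = conns[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                prev = alerts.get(src, {"distinct_targets": 0, "internet_targets": False})
                alerts[src] = {
                    "distinct_targets": max(prev["distinct_targets"], len(in_window)),
                    "internet_targets": prev["internet_targets"] or any(not is_lan(d) for d in in_window),
                }
    return alerts


def build_sample_flows() -> str:
    """Constructed flow log: one worm-like host, two benign hosts, one unrelated flow."""
    base = datetime(2017, 5, 12, 10, 0, 0)

    def at(**kw):
        return (base + timedelta(**kw)).isoformat()

    lines = []
    for i in range(40):   # 10.0.0.5 sweeps 40 LAN hosts in 40 seconds ...
        lines.append(f"{at(seconds=i)} 10.0.0.5 10.0.0.{100 + i} 445 tcp")
    for i in range(10):   # ... then 10 Internet addresses
        lines.append(f"{at(seconds=40 + i)} 10.0.0.5 203.0.113.{10 + i} 445 tcp")
    for i in range(50):   # 10.0.0.9 talks to one file server 50 times
        lines.append(f"{at(seconds=i)} 10.0.0.9 10.0.0.200 445 tcp")
    for i in range(40):   # 10.0.0.11 reaches the same 40 hosts, one per minute
        lines.append(f"{at(minutes=i)} 10.0.0.11 10.0.0.{100 + i} 445 tcp")
    lines.append(f"{at(seconds=0)} 10.0.0.5 203.0.113.7 443 tcp")   # HTTPS, ignored
    return "\n".join(lines)


if __name__ == "__main__":
    for src, info in smb_fanout_alerts(parse_flows(build_sample_flows())).items():
        print(src, info)   # 10.0.0.5 {'distinct_targets': 50, 'internet_targets': True}
```

Counting distinct destinations rather than raw connection volume is the point: a busy workstation hitting one file server produces far more 445 traffic than the slow host 10.0.0.11, yet neither looks like a worm, while the 50-target sweep from 10.0.0.5 does. The `internet_targets` flag separates an internal scan (where blocking TCP/445 at the host firewall contains it) from outbound Internet scanning, which an egress rule for port 445 should already be dropping.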
19.
Timeline of the WannaCry and related attack
Episode IV: A New Hope (May 2017)
• May 18, 2017: WannaCry ransomware decryption tools (WannaKey, WannaKiwi) have been released. These can be used to unlock files without paying the ransom. The tools work on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008. Although the tool won't work for every user due to its dependencies, it still gives WannaCry's victims some hope of getting their locked files back for free, even on Windows XP, the aging, largely unsupported version of Microsoft's operating system.
Episode V: The Empire Strikes Back (May 2017)
• May 18, 2017: The EternalRocks worm was discovered after it infected an SMB honeypot. EternalRocks disguises itself as WannaCry, but instead of delivering ransomware, it takes over the affected computer to power other attacks. EternalRocks uses seven exploits leaked by Shadow Brokers and was developed to avoid detection and remain undetectable on the target system.
Episode VI: Return of the Jedi (June 2017)
Ransomware Advisory Services: Our unique Ransomware Advisory Services are specifically designed to review your ability to prevent, detect and react to a ransomware incident. The KPMG Ransomware Advisory service provides a proactive assessment of your capabilities:
• Process review
• Technical review
• People assessment
20.
Shodan: Hacker Search Engine
Identifying open port 445 over the Internet (Global)
port:445 "SMB Status Authentication: enabled SMB Version: 1"
21.
Shodan: Hacker Search Engine
Identifying open port 445 over the Internet (Thailand)
port:445 "SMB Status Authentication: enabled SMB Version: 1" country:TH
22.
Don't Cry over WannaCry
How to protect the organization?
• Ensure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied. Please note that Microsoft has released security updates for all affected operating systems, including Windows XP and Windows 2003 Server.
• In accordance with known best practices, any organization which has SMB publicly accessible via the Internet (TCP ports 139, 445) should immediately block all inbound traffic.
• Employ network and host-based firewalls to block TCP/445 traffic from untrusted systems.
• Organizations should consider blocking email attachments for the immediate future, if this is viable, until reliable anti-malware definitions have been made available.
• All cybersecurity systems such as anti-malware, anti-virus, Security Information and Event Management, Intrusion Detection and Prevention etc. should be updated with the latest Indicators of Compromise (IOC).
• All end-of-life machines should be upgraded as a matter of priority, as more exploits / malware are expected to be launched for other vulnerabilities.
• Ensure critical systems and files have up-to-date backups. Backups are the only full mitigation against data loss due to ransomware.
23.
NSA Tools Leaked (diagram: leaked tools, infrastructure vulnerabilities, malware). Ref: https://www.facebook.com/thehackernews/photos/a.197666140247267.65555.172819872731894/1834023599944838/?type=3&theater
24.
NSA Tools Leaked: ESTEEMAUDIT exploits RDP (TCP 3389) on Windows XP and Windows Server 2003 (a 0-day at the time). Treat exposed RDP the same way as exposed SMB: block TCP/3389 from untrusted networks and retire these end-of-life systems. Ref: https://twitter.com/homelabit/status/869229229635928064/photo/1
25.
Proactive Prevention
26.
Security Paradox (image). Ref: http://gifgifmagazine.com/wp-content/uploads/2017/04/pretres.gif
27.
Proactive Prevention
Prevention and continuity measures
• Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it works.
• Secure backups, and ensure backups are not connected to the computers and networks they are backing up.
• Enable strong spam filters to prevent phishing e-mails from reaching end users, and authenticate inbound e-mail using Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
• Scan all incoming and outgoing e-mails to detect threats, and filter executable files from reaching end users.
• Disable macro scripts in files transmitted via e-mail, and consider using Office viewer software to open Microsoft Office files received by e-mail instead of the full Office suite applications.
• Ensure patches for the operating system, applications, and firmware are up to date, including Adobe Flash, Java, web browsers, etc.
• Configure firewalls to block access to known malicious IP addresses, and allow only the necessary ports at endpoints.
• Ensure anti-virus and anti-malware solutions are set to update automatically and that regular scans are conducted.
• Manage the use of privileged accounts by implementing the principle of least privilege.
• Configure access controls with least privilege, including file, directory, and network share permissions.
• Implement application whitelisting: only allow systems to execute programs known and permitted by security policy.
• Focus on awareness and training. Because end users are often targeted, employees should be made aware of the threat of ransomware and how it is delivered, and be trained on information security principles and techniques.
Ref: https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf
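Two of the measures above, filtering executable files from e-mail and disabling macros in mailed documents, fail when the gateway trusts the file name alone: a dropper renamed to invoice.pdf or a macro project inside a .docx sails through. The following Python check is an added example, not part of the FBI guidance or the KPMG deck; it decides by content first (PE magic bytes, a vbaProject.bin inside the OOXML zip, the OLE header of legacy Office files) and by name second. The block-list of extensions, the verdict labels and the constructed sample attachments are this example's own assumptions, not a policy from the slides.

```python
"""Mail-gateway attachment check: block executables by content, quarantine macro documents."""
import io
import zipfile

# Illustrative block-list for this example (an assumed policy, not taken from the slides).
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".jar", ".lnk",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
}
MACRO_ENABLED_OOXML = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
PE_MAGIC = b"MZ"                                  # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML documents and archives are zip files
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt (compound file)


def extensions(name):
    """All extensions of a file name, lowercased: 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def zip_members(data):
    """Member names of a zip payload, or None if it is not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return archive.namelist()
    except zipfile.BadZipFile:
        return None


def classify_attachment(name, data):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'.

    Content is checked before the file name, so a renamed executable
    ('invoice.pdf' whose bytes start with 'MZ') is still blocked.
    """
    exts = extensions(name)
    if data[:2] == PE_MAGIC:
        return "block", "PE executable by magic bytes, named %s" % name
    blocked = [e for e in exts if e in BLOCKED_EXTENSIONS]
    if blocked:
        return "block", "extension %s is on the block-list" % blocked[-1]
    if data[:4] == ZIP_MAGIC:
        members = zip_members(data) or []
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            return "quarantine", "Office document carries a VBA project (macros)"
        if exts and exts[-1] in MACRO_ENABLED_OOXML:
            return "quarantine", "macro-enabled Office format %s" % exts[-1]
        nested = [m for m in members if any(e in BLOCKED_EXTENSIONS for e in extensions(m))]
        if nested:
            return "block", "archive contains blocked file %s" % nested[0]
    if data[:8] == OLE_MAGIC:
        return "quarantine", "legacy OLE Office file; macros cannot be ruled out without a VBA scan"
    return "allow", "no executable content detected"


def build_sample_zip(members):
    """Constructed in-memory zip (not a real document) for offline demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for member_name, content in members.items():
            archive.writestr(member_name, content)
    return buf.getvalue()


def build_sample_docx(with_macro):
    """Constructed minimal OOXML-style zip, optionally carrying a fake VBA project."""
    members = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}
    if with_macro:
        members["word/vbaProject.bin"] = OLE_MAGIC + b" constructed vba project"
    return build_sample_zip(members)


if __name__ == "__main__":
    # Constructed attachments for demonstration; none is a real malware sample.
    samples = [
        ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),   # executable renamed to .pdf
        ("invoice.pdf", b"%PDF-1.4\n%constructed pdf body"),
        ("photo.jpg.js", b"WScript.Echo(1)"),
        ("report.docx", build_sample_docx(with_macro=True)),
        ("report.docx", build_sample_docx(with_macro=False)),
        ("quarter.xls", OLE_MAGIC + b"\x00" * 40),
        ("files.zip", build_sample_zip({"readme.txt": b"hi", "setup.exe": b"MZ"})),
    ]
    for filename, payload in samples:
        verdict, reason = classify_attachment(filename, payload)
        print("%-14s %-10s %s" % (filename, verdict, reason))
```

The "quarantine" verdict for legacy OLE files is deliberate: without parsing the compound-file streams the gateway cannot tell a clean .xls from one with a VBA project, so those go to a sandbox or a macro scanner rather than straight to the user, which matches the "open in a viewer, not the full Office suite" advice above.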
28.
Document Classification: KPMG Confidential
“This document is made by KPMG Phoomchai Business Advisory Ltd., (KPMG), a Thai limited liability company and member firm of the KPMG network of independent firms affiliated with KPMG International, a Swiss cooperative, and is in all respects subject to the negotiation, agreement, and signing of a specific engagement letter or contract. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.”
© 2017 KPMG Phoomchai Business Advisory Ltd., a Thai limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.
kpmg.com/socialmedia kpmg.com/app
Contact: Prathan Phongthiproek, Manager, Information Protection and Business Resilience, KPMG in Thailand