NCSC Speaker
1. This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk
Ransomware: Past, Present, and Future
By A Cyber Security Advisor
NCSC
What is the NCSC?
The new National Cyber Security Centre is the UK’s authority on cyber security and
part of GCHQ.
The NCSC brings together cyber security into a single, expert organisation building
on the best of what we already have and combining the functions of:
• CESG
• CERT-UK
• Cyber related aspects of Centre for the Protection of National Infrastructure
• Centre for Cyber Assessment
Where we are based
Cheltenham
London Victoria
Our Organisation
What we do:
We understand cyber security:
Sharing our knowledge, we identify and address systemic vulnerabilities
We respond to cyber security incidents:
Managing serious security breaches, we reduce the harm they cause to the UK
We nurture our national cyber security capability:
Providing leadership on critical issues, harnessing talent and technology
We reduce risks to the UK:
We help public and private sector organisations secure their networks
About Me: The Details
Over 40 years in the IT Industry:
• Career divided between private and public sectors
• Involved in IT / Cyber security since 2004
• Joined NCSC in 2016
• Work with companies in the Communications, IT Services and Space
sectors of the CNI
• Government Chair of the Space Information Exchange since 2016
• The Basics
• How It All Began
• Current Edition
• Back to the Future
• How to Prepare: Now, and in the Future
Ransomware:
Past, Present and Future
Wikipedia’s definition of ransomware:
“Ransomware is computer malware that installs covertly on a victim's
device (e.g., computer, smartphone, wearable device) and that either
mounts the cryptoviral extortion attack from cryptovirology that holds the
victim's data hostage, or mounts a cryptovirology leakware attack that
threatens to publish the victim's data, until a ransom is paid.” [1]
In short: an entity renders data or a device inaccessible, then demands
payment for its ‘release’
[1] Wikipedia https://en.wikipedia.org/wiki/Ransomware
Ransomware: The Basics
Purpose: Money!!!!
and relatively lower risk than traditional kidnap, ransom, and
extortion methods.
• Direct Revenue Generation: $1 Billion in 2016 [2]
• Top Impacted Countries: United States, Japan, United Kingdom, Italy,
Germany, and Russia [3]
• Most Prevalent attack vectors: misleading apps, fake antivirus scams [4]
• Average Ransom Demand: Range between $500-$2000 [5]
• Business Costs: $75 Billion per year [6]
[2], [5], [6]: Rock, Tracy. “Ransomware Statistics 2016-2017: A Scary Trend in Cyberattacks” February 27, 2017. Invenio IT. http://invenioit.com/security/ransomware-statistics-2016/
[3], [4]: Savage, Kevin. Coogan, Peter. Lau, Hon. “The Evolution of Ransomware” August 6, 2015. Symantec. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf
Ransomware: The Basics
The original “kidnap, ransom, and extortion” (KRE) technique
• Used in ancient times for payment, bargaining, warfare
• Still used in parts of the world today
Well-known Cases:
• Richard the Lionheart (1192)
• Charles Lindbergh Jr (1932) – “The Lindbergh Baby”
• Peter Weinberger (1956) – Changed kidnapping laws in US
• Patty Hearst (1974)
Ransomware: How it all began
Enter Technology:
First known ransomware attack using encryption
• AIDS Trojan (1989) written by Joseph Popp
• Software Expiration Pop-Up Notice
• $189 US Ransom
• Poorly written
• Symmetric Cryptography
Ransomware: How it all began
Learn and Improve from the mistakes of others
• Adam Young and Moti Yung experiment (1996)
• Encrypt with public key and ransom the private key
• Introduced concept of ‘electronic money’ extortion
Ransomware: How it all began
Examples of extortion through ransomware:
• Gpcode, Gpcode.AG, Gpcode.AK (variants)
• TROJ.RANSOM.A
• Archiveus
• Krotten
• Cryzip
• MayArchive
As advancing technologies grew, so did the size of encryption keys:
Ransomware: Where it all began
Four Flavours:
• Crypto ransomware
• Locker ransomware
• Mobile ransomware
• Leakware (aka Doxware)
Ransomware: Current Edition
Crypto Ransomware:
An infection encrypting data within a computer or system, denying crypto keys
until a ransom is paid.
Ransomware: Current Edition
Ransomware: Current Edition
Locker Ransomware*:
An infection locking a computer or device, denying access until a ransom is
paid.
*Different from preventing access to files or data, which is crypto ransomware
Ransomware: Current Edition
Mobile Ransomware:
Blockers: the payload is commonly an APK file installed on the user’s mobile to
lock access to the device or to mobile application(s). Online
synchronization negates the incentive to encrypt data, so these attacks are
limited to denying use of the mobile device.
*Instances vary based on type of mobile device – i.e., Android vs iOS
Example: Ashley Madison
Ransomware: Current Edition
Leakware:
Also known as Doxware: this form of malicious activity combines ‘doxing’ and
ransomware. It combines both encryption of data and the collection/theft of
personal information for the use of future extortion activities.
“…instead of locking up your sensitive data and making them inaccessible to
you, it makes them accessible to everybody – unless you pay up.” [7]
[7] Littlejohn Shinder, Debra. The Evolution of Extortionware. February 7, 2017. GFI Tech Talk. https://techtalk.gfi.com/the-evolution-of-extortionware/
Technology advances much faster than implementation of security measures.
WannaCry (aka: WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor)
• Date: 12 May 2017 – Present
• Location(s): Everywhere!
• Ransom Demand: $300-$600
• Cause: EternalBlue exploit / Failure to patch
• Damage Thus Far: Over 200K victims and more than 230K
computers infected [8]
[8] https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
Ransomware: Back to the future
Technology advances much faster than implementation of security measures.
Petya (aka NotPetya; variants included Petna, Pneytna, Goldeneye)
• Date: 27 June 2017 onwards
• Location(s): Ukraine, spreading westward
• Ransom Demand: $300 in bitcoins – but were they after money?
• Cause: EternalBlue exploit / Failure to patch
• Damage thus far: Epicentre was Ukraine, but included UK and US
Ransomware: Back to the future
Technology advances much faster than implementation of security measures.
“Mr Smith Group”
The US TV network has refused to pay a multimillion dollar ransom
demand to the hackers, who compromised the network’s systems in
July and have since leaked a series of embarrassing documents, emails
and unaired shows, including Game of Thrones and Curb Your
Enthusiasm.
Ransomware: Back to the future
Evolution and Innovation:
Stealthier: searching for a bigger ‘pay-load’
• Long-term game
• Less about data than entire business
• Infrastructure
• Operations
• E.g. Hospitals, Power Grids
Ransomware: Back to the future
Evolution and Innovation:
Stealthier: searching for a bigger ‘pay-load’
• Long-term game
• Less about data than entire business
• Infrastructure
• Manufacture
• Operations
E.g. UK Space Industry
Ransomware: Back to the future
What does the “entire business” mean?
Not limited to data sets or system access, but also:
• Incident Response
• Backups
• Restoration/Recovery Operations
Ransomware: Back to the future
Leading to:
Total Organisational Paralysis
What you are (hopefully?) doing now:
• Business Risk Assessment
• Data Recovery (backups)
• Detection
• Disaster Recovery Plan
Ransomware: How to prepare – now
What to Do in the Future:
• Dependable Data Recovery Solutions
• Updated Backup Systems
• Cyber Insurance?
• Exercise, Exercise, Exercise!!!!!
• Crypto Currency
Ransomware: How to prepare – in the future
How have you been Impacted? What lessons have you learned?
If not …………….?
Ransomware:
For further information see: https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware