Ransomware

Introduction

This year, I had the privilege of attending the OpenText Enfuse conference in Las Vegas. While there, I had the opportunity to develop my forensic abilities and build relationships with industry professionals, co-workers, friends, and many other wonderful new people. The breakout sessions provided me with in-depth overviews of interesting topics like threat hunting, ransomware, cryptocurrency investigation, and the growth of digital forensics in the insurance industry. The last is of particular interest to me because I’ve worked in that industry for the past two summers. The lectures provided me with a contextual understanding and a wide variety of perspectives on the larger ideas that drive digital forensics and cybersecurity. James Comey’s keynote session added a legal context to the benefits and drawbacks of encryption. He presented this in a way that opened up new discussions about data privacy and digital forensic investigations.

Held Hostage: A Ransomware Primer

One session that particularly excited me prior to attending Enfuse 2018 was “Held Hostage: A Ransomware Primer”. Nick Hyatt, a Managing Consultant with Optiv Enterprise Incident Management, presented this breakout session.
 
The session defined ransomware in easy-to-understand terms. It then dug deep into how ransomware can infect systems and the impact that such an attack can have on a wide variety of operations. Hyatt traced ransomware from its beginnings in 1989, with the PC Cyborg Trojan, which would encrypt a system after 90 boots, to the current and more sophisticated ransomware attacks that have grown since 2013, such as WannaCry. Hyatt also explained the growth of ransomware as a service (RaaS), which criminal organizations can use to hire attackers to launch attacks on specified targets.
 
The most common ways ransomware infects systems are through malicious links in phishing emails and unpatched vulnerabilities in operating systems or software. Healthcare organizations are easy targets for ransomware because their medical technology is often dated, which in turn provides a larger attack surface for malicious actors. The oil industry is also a large target for ransomware attacks because workers are often remote, so malware is capable of traveling through shared networks across state and country lines.
 
Hyatt then covered several real-world examples of how ransomware affects systems. Two healthcare organizations and a gas company were the targets of these attacks. In each instance, an initial infected system spread malware to shared folders, where the damage multiplied, forcing the organizations to restore from backups. Everything regarding the defense against the attacks was reactive, meaning defense measures only began after the incident occurred.

Best practices for defending against ransomware lie in educating employees about the different ways ransomware can get into a network, patching out-of-date software, segmenting the network to limit spread, taking frequent backups, and filtering email attachments by extension to prevent the delivery of unwanted file types. When employees are aware of these attack vectors, they may begin to recognize the signs of obvious danger. Hyatt noted that the most important part of security awareness training is to explicitly explain what suspicious activity looks like. Show them! Hyatt stressed, “Security is about learning, not shaming.”
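To make the “email extension filter” practice concrete, here is an added example (my own illustration, not code from the session or from Optiv) that parses an email with Python’s standard `email` library and flags attachments whose extension chain contains a blocked type. The blocked-extension list is an assumed, illustrative policy, not a complete one; the sample message is constructed inline so the script runs offline. It goes slightly beyond the text by also catching double extensions such as `invoice.pdf.exe` and filenames that contain a right-to-left override character, two common ways a dangerous attachment is made to look harmless.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed, illustrative policy: executable and script types that should not
# arrive as email attachments, plus macro-enabled Office formats.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "com", "pif", "msi", "jar", "lnk",
    "js", "jse", "vbs", "vbe", "wsf", "hta", "bat", "cmd", "ps1",
}
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm"}

# Unicode right-to-left override; used to make "photo\u202egnp.scr"
# render as "photors.png" in some mail clients.
RLO = "\u202e"


def flagged_extensions(filename: str) -> list[str]:
    """Return the reasons an attachment filename should be blocked.

    Every extension in the chain is examined, not just the last one, so
    'invoice.pdf.exe' is flagged on 'exe' even though a user sees 'pdf'.
    This is deliberately conservative: 'setup.exe.txt' is flagged too.
    """
    reasons: list[str] = []
    if RLO in filename:
        reasons.append("bidi-override")
    parts = filename.strip().lower().split(".")
    exts = parts[1:] if len(parts) > 1 else []
    blocked = BLOCKED_EXTENSIONS | MACRO_EXTENSIONS
    reasons.extend(e for e in exts if e in blocked)
    return reasons


def scan_message(raw: bytes) -> list[tuple[str, list[str]]]:
    """Parse a raw RFC 5322 message and return (filename, reasons) for each
    attachment that violates the policy."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = flagged_extensions(name)
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample() -> bytes:
    """Constructed sample message: one benign PDF, one executable hiding
    behind a double extension, and one macro-enabled spreadsheet."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="q3.xlsm")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()):
        print(f"BLOCK {name!r}: {', '.join(reasons)}")
```

In a gateway this check would run before delivery and the blocked message would be quarantined and logged rather than silently dropped, so the user can be told why it never arrived, which is the “learning, not shaming” point from the session in practice.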

Conclusion

OpenText Enfuse 2018 allowed me to explore a wide variety of security topics in a very short amount of time, and if you ask me, too short. I could’ve spent another week attending sessions like these to get my finger on the pulse of the conversations happening now in the security and digital forensics fields. The experience was invaluable from every perspective imaginable.

To learn more about the LCDI or our projects, follow us on our Facebook and Twitter pages or send an email to lcdi@champlain.edu!