Webinar: A deep dive on ransomware

Posted on 15-Feb-2017


Transcript of Webinar: A deep dive on ransomware

©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.

A DEEP DIVE ON RANSOMWARE
An Update from the May 2016 Cyberthreat Report

Avi Turiel


Agenda

• Ransomware 101
• Notable Q1 ransomware (and decryption success)
• Locky in detail
• Q1 Cyberthreat data


Ransomware in Q1


Ransomware in Q1

• Petya: Overwrites the master boot record
• Samsam: Compromises servers, uses the servers to compromise other networked machines, and then holds them ransom
• TeslaCrypt: Originally targeted game files, now targets all file types
• GhostCrypt: Masquerades as CryptoLocker
• CryptoWall: Provides a free single-use decryption
• Jigsaw: Deletes increasing numbers of files until the ransom is paid (and 1,000 files after reboot)
• Locky

Search: Bleeping Computer, Jigsaw


Some ransomware decryption success!

• Don’t count on these though…
• Ransomware gets patched
  • E.g.: TeslaCrypt V3


Poll: First-hand experience

• Do you know anyone who has been infected with ransomware?
  • Yes
  • No


Understanding Locky


Locky highlights

• First extensive use of JavaScript as an email delivery method
• Most variants in a single day
• Highest number of email malware attachments in a single day
• Vast numbers of compromised websites
  • Over 1 million tracked by CYREN
• Encrypts all files on shared network drives


Brief history

• First detected in February
• Initial distribution by MS-Word macro malware (email attachments)
• Initially from the same botnet as used for Dridex (banking malware)

Infection chain: Email with JS attachment → Redirect to compromised site hosting ransomware → Download and run → Encrypt files → Demand ransom


Locky delivery emails


Vast distribution

• Emails with malware attachments surged 412% in March due to Locky outbreaks
• Primarily during weekdays and between working hours
• Also spread via Web exploit kits


Locky uses JavaScript

• Ubiquitous in email - most systems view it as benign
• Easy to reprogram (less skill needed), automated creation of variants
• Many obfuscation tools
• Small size
• Locky is the first malware to use JavaScript (JS) in such massive quantities
  • Over 1.5 million variants in one day (30 March)
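The slide's point is that mail systems treat JavaScript attachments as benign. As an added example (not CYREN's code or product logic), here is the kind of attachment policy an email gateway can apply: block script-type attachments, including scripts hidden behind a double extension or inside a ZIP, while refusing to inflate oversized or password-protected archives it cannot inspect. The extension list, size cap and nesting limit are assumptions.

```python
"""Gateway attachment check: flag script attachments (the JavaScript delivery
method Locky relied on), including scripts behind a double extension or
inside a ZIP container. Hypothetical example policy, not a CYREN rule."""
import io
import zipfile
from typing import List

# Script types Windows runs on double-click via wscript/cscript/mshta.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # refuse to inflate oversized members
MAX_DEPTH = 3                          # refuse deeply nested archives


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Return the reasons to block this attachment; an empty list means allow."""
    reasons: List[str] = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script attachment {name!r}")
        if len(parts) > 2:  # e.g. invoice.pdf.js hides the real type
            reasons.append(f"double extension {name!r}")
    elif ext == ".zip":
        if depth >= MAX_DEPTH:
            return [f"archive nested too deeply at {name!r}"]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        reasons.append(f"oversized member {info.filename!r}")
                        continue
                    inner = f"{name}/{info.filename}"
                    reasons += inspect_attachment(inner, zf.read(info), depth + 1)
        except RuntimeError:  # zipfile raises this for password-protected members
            reasons.append(f"encrypted archive {name!r} cannot be inspected")
        except zipfile.BadZipFile:
            reasons.append(f"{name!r} is not a valid ZIP")
    return reasons


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP carrying a double-extension JS stub (not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016-03.pdf.js", "// constructed sample file\n")
        zf.writestr("readme.txt", "constructed benign member\n")
    return buf.getvalue()
```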


Post-infection

• Malware deletes itself if Russian language is detected
• Encrypts:
  • Videos, images, documents, and source code
  • Files located in connected networks, servers, or drives (including removable)
• Renames to .locky
• Deletes any local back-up files
• If a bitcoin wallet is found it is emptied, then scrambled

Ransomware does not have to hide


Paying the ransom

• 0.5 to 1 bitcoin for individual computers
  • ~$200 - $400
• 50 or more bitcoins for business
  • ~$20,000
• Multiple onion links, multiple bitcoin addresses


Poll: Dealing with ransomware

• Do you know the outcome of the ransomware experience(s) you have dealt with or are familiar with? (choose multiple answers):
  • Paid and got files back
  • Paid but files were not decrypted
  • Didn’t pay but managed to recover data (e.g.: backup)
  • Didn’t pay and lost data
  • Unsure of outcome/No experience with ransomware


How to avoid being a ransomware victim

IMPROVE YOUR PREVENTION
• Email security gateway
  • 91% of attacks start in email
  • Stop spam, viruses before they reach your users
• Web security gateway
  • Stop malware downloads, malicious URLs
  • Stop C&C communications, data exfiltration
• Network sandboxing
  • Identify and stop never-before-seen malware
• Endpoint security with active monitoring
  • Make sure it’s up to date
• Security training
  • Social engineering, don’t click that link…

IMPROVE YOUR DETECTION/RESPONSE
• Backup and recovery
  • Implement it
  • Test it
  • Know the difference between backup and sync
• Network shares
  • Avoid mapping network drives with large file repositories (or map them with no write permissions)
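The detection/response slide points at network shares, and the post-infection slide notes that Locky renames files to .locky. As an added example (not CYREN's code or product logic), here is detection logic run over constructed file-server audit events: a host and user that rename many files on a share to the ransom extension inside a short sliding window raise one alert, while ordinary renames pass. The event format, threshold and window are assumptions.

```python
"""Detection over constructed file-server audit events: a Locky-style run
renames many files on a share to .locky in a short burst. Hypothetical
example logic, not a CYREN product rule; thresholds are assumptions."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, NamedTuple, Tuple

RANSOM_EXTENSIONS = (".locky",)  # extension Locky appends (from the talk)
THRESHOLD = 10                   # renames per window before alerting (assumed)
WINDOW_SECONDS = 60              # burst window (assumed)


class RenameEvent(NamedTuple):
    ts: int          # epoch seconds, as recorded by the file server
    host: str        # workstation that issued the SMB request
    user: str
    old_path: str
    new_path: str


def detect_mass_rename(events: Iterable[RenameEvent]) -> List[str]:
    """Return one alert per (host, user) whose renames to a ransom extension
    reach THRESHOLD inside a sliding WINDOW_SECONDS. Events must be time-ordered."""
    recent: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
    alerted = set()
    alerts: List[str] = []
    for ev in events:
        if not ev.new_path.lower().endswith(RANSOM_EXTENSIONS):
            continue  # ordinary renames (e.g. .tmp -> .docx) are ignored
        key = (ev.host, ev.user)
        q = recent[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > WINDOW_SECONDS:  # drop events outside the window
            q.popleft()
        if len(q) >= THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append(f"{ev.host}/{ev.user}: {len(q)} renames to a ransom "
                          f"extension within {WINDOW_SECONDS}s on {ev.new_path}")
    return alerts


def sample_events() -> List[RenameEvent]:
    """Constructed audit trail: one user working normally, one host encrypting a share."""
    evs = [RenameEvent(1000 + i * 300, "WS-ACCT-07", "jsmith",
                       f"\\\\fs01\\finance\\draft{i}.tmp",
                       f"\\\\fs01\\finance\\report{i}.docx") for i in range(3)]
    evs += [RenameEvent(2000 + i * 2, "WS-ACCT-12", "bjones",
                        f"\\\\fs01\\finance\\q1\\file{i}.xlsx",
                        f"\\\\fs01\\finance\\q1\\{i:032X}.locky") for i in range(25)]
    return sorted(evs, key=lambda e: e.ts)
```

The alert identifies the originating workstation and account, which is what a responder needs to isolate the host and revoke its write access to the share.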


CYREN Powers the World’s Security

500K+ Threat collection points
600M+ Users protected
17B+ Daily transactions
130M+ Threats blocked


CYREN’s 100% cloud security services

Enterprise
SaaS Secure Web Gateway protects users from cyber-threats, monitors and controls web usage, and protects users both on and off the network.
SaaS Secure Email Gateway protects users from spam, phishing attacks, viruses and zero-hour malware with a seamless end-user experience.

OEM
Cloud-powered threat intelligence and SDKs allow technology vendors and service providers to detect a broad set of cyber-threats, including malicious websites, phishing attacks, malware, botnets, and spam.


You can also find us here:

www.CYREN.com

twitter.com/cyreninc

linkedin.com/company/cyren


Thank You. Any Questions or Thoughts?