DeepSec2020 talk: Ransomware: Trends, Analysis and Solutions – Josh Pyorre
My talk on ransomware will be technical, but also tells the story of how it’s evolved, highlighting specific and interesting infections. I’ll walk through the history of ransomware, its relationship to cryptojacking, and the supporting software made up of malspam and exploit kits. We’ll also address the recent phase of ransomware data extortion. There will be demonstrations of current malware infections as well as unique methods and ideas for detection and hunting. We’ll end with multiple methods of prevention and mitigation, some using paid products, but with the focus primarily on open-source options. Since I work with approximately 15% of the internet’s DNS traffic in my job, I will be using some of that data to show statistics. Despite that, I’ve done my best to make sure this is not a talk about products from my company, and aim to provide solutions that can be implemented by any organization.
This presentation started from personal notes on connections between ransomware samples that I keep in order to improve my ability to hunt for new variants. I realized the combination of threat hunting techniques, mitigation and history may be of use to others. I believe ransomware and malspam are important topics because they are the easiest way for threat actors to make money – and they’re using them widely across all industries. Companies are going out of business, individuals are losing important data and having personal information exposed, and lives have been lost when medical systems were compromised. Additionally, threat actors use ransomware to exploit every kind of tragedy, including the pandemic we’re currently experiencing.
Looking at how ransomware has changed with time and technology, and analyzing how it faded into the background for a while when cryptomining and cryptojacking were more prevalent, we can make educated guesses about its future direction. Most often, malware authors are going to take the easiest path to make money, and they will want to do less work. In the future, if the cost of cryptocurrency doesn’t rise to the levels it was at 2 years ago, we might be seeing more ransomware as a service and other as yet unknown methods to make infections easier to implement and more difficult to trace. My talk will present my thoughts on all of this. I hope you can attend and find value in what I’ve learned while dealing with ransomware.
Josh Pyorre is a senior security research analyst with Cisco Umbrella. Previously, he was a threat analyst at NASA, working as part of the team that built and ran the NASA Security Operations Center at Ames Research Center. He has worked with Mandiant, helping to build their SOC while conducting incident response for multiple clients. Before working in security, Josh was the technical director for a non-profit providing assistance to the homeless in San Francisco. His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible.