Ransomware Threat Landscape

Adam Meyers
SVP, Intelligence at CrowdStrike
RSAC 2021
May 20, 2021, Online, USA

About speaker

Adam Meyers
SVP, Intelligence at CrowdStrike

As CrowdStrike’s Senior Vice President of Intelligence, Adam Meyers leads the Threat Intelligence line of business for the company. Meyers directs a geographically dispersed team of cyberthreat experts tracking criminal, state-sponsored, and nationalist cyber adversary groups across the globe and producing actionable intelligence to protect customers. He oversees the development and deployment of AI, machine learning, reverse engineering, natural language processing, and other technologies to detect suspicious and malicious cyber behavior and stop increasingly sophisticated adversaries. Meyers’ work in combining human intelligence and intelligence derived from technology continues to transform cybersecurity.


About the talk

Adam Meyers, SVP Intelligence, CrowdStrike

Ransomware remained a dominant threat to enterprises in many different geographic regions and business verticals during 2020. Undeterred by the global pandemic, these actors inflicted a cruel toll on many organizations by extorting, leaking, and selling stolen data from their intrusions. This session will explore the ransomware threat landscape of 2020 and assess what is in store in the coming year.


Hi, I'm Adam Meyers and I'll be talking about the ransomware threat landscape today. I've been at CrowdStrike for almost 10 years now. I helped launch the company way back when, and prior to that I spent about ten years working in the defense industrial base with a variety of civilian intelligence community and military customers across the US federal government. I spent a number of years supporting the US Department of State and got to really focus on tracking threat actors in that capacity. And I run a team of about a hundred and fifty intel professionals here, across the globe, who focus on tracking various threat actors across the world.

In this presentation we're going to be talking a lot about threat actors and how the ransomware threat landscape has changed over the last year. We first started CrowdStrike back in 2011. For a lot of the companies that were out there at the time, the predominant thinking was that you need to focus on malware; you need to focus on those threats that existed all over the world and that were most prevalent in the various environments being monitored. As we were launching the company, we had this realization that it's not really about the malware, it's about the threat actor, because they're trying to accomplish some goal. Back in 2010 the name of the game in security was really a focus on the most prevalent threats; you'd really go after the things that could be found in the most environments, using signature-based detection. We realized that those smaller incidents, the ones that weren't very prevalent, the unique aspects of these attacks, were the things that really made them interesting, and were the most expensive for potential customers, most expensive for organizations that are trying to conduct business and to operate. By focusing on those events and those types of threat actors, we could better protect businesses and enterprises. When we launched we had this saying that you don't have a malware problem, you have an adversary problem. Today we track over a hundred and fifty-four adversaries across the world who are engaged in a variety of different activities, and our belief is that by understanding who these threat actors are, how they operate, and what they're after, you're going to be in a better position to defend your enterprise, defend your environment from them.

So we use attacker motivation as a way to characterize or categorize the various threats. Ultimately we would love to be able to get to the point where we understand exactly who's behind this activity: what military unit, what physical location in the world they're in, what their name is. But that's not always possible, and so for us we begin all analysis and investigation by looking at the motive. What is the threat actor after? What is their objective? By categorizing them using that model we gain a better understanding of what we're dealing with.

The first categorization that we look at is nation-states. This is associated with government offensive cyber operations for one reason or another; generally this would involve espionage. It could be sabotage, a disruptive or destructive attack, and in some cases we're increasingly seeing them engage in even eCrime, financially motivated attacks. North Korea, and others that have been dealing with increasing sanctions and financial difficulties as a result of what's going on, have turned to authorized, in the case of North Korea, or unauthorized, in the case of other countries, financially motivated activity. The second category that we track is eCrime. This is financially motivated activity. Years ago this was almost entirely tracked under things like banking Trojans that were trying to steal credentials, get access to information and monetize that in some way. Increasingly, over the last two or three years, it's almost exclusively been driven by ransomware activity, and we're seeing even some of the traditional threat actors who were engaged in bank fraud and account takeover actually moving there. Over the last 18 months or so we've seen that more of these threat actors are engaging in further extortion by stealing information and threatening to disclose it if their demands are not met or they're not paid, and so they're looking to increase the cost to the victim. The final category that we look at is something that we call hacktivism. Hacktivism is generally related to things that are politically motivated; it could be anything ranging from anti-capitalism to, here in the US for example, animal rights and animal testing. Tactics that have been used by hacktivists include conducting distributed denial of service or acts like website defacement in order to bring attention to a particular political issue.

Once we are looking at something and we put it in one of these buckets or categories, then we have the ability to start talking a little bit more about who this threat actor is and what they're interested in. As an example, we track actors using a cryptonym model. We have two names that will typically be assigned to a threat actor. In the case of all criminal actors it's something Spider, so if you're dealing with TrickBot that would be Wizard Spider, or Dridex and BitPaymer are all tracked under Indrik Spider. As a result of the US Department of Justice indictment we have a lot of visibility into the actual individuals behind that; he has been famously photographed driving fancy cars around Moscow, and he's associated with this group, which is Evil Corp. So all of these different criminal actors are engaged in some form of financially motivated activity. China we track as Panda; this is associated with a military organization or ministry working on behalf of the country. Iran we track as Kitten, North Korea we track as Chollima, Russia attacking is Bear, India and Pakistan are Tiger and Leopard respectively, and hacktivists are Jackal. And there have been some newer entrants: Vietnam, which for some time now has been engaged in increasing activity that is of interest to organizations in automotive and healthcare, and South Korea has also been observed as well. All of these are ones that we actively track; there's a hundred and fifty-four, and then we also have what we call activity clusters, where we don't necessarily know who is behind them or which nation it is.

Now, a hundred and fifty-four threat actors might seem like a pretty insurmountable thing to track, to be worried about to protect your enterprise. But the good news is that not all of these threat actors are necessarily coming after your organization or enterprise. If you understand what geographical locations you're concerned about, what business verticals you're concerned about, then you can look at the activity that's tracked by this and understand what they can do and their intentions, what they want to do. And so as we populate this chart looking at general threat actor activity against the West, particularly the United States, you can see a pretty good sampling of different capabilities and intentions, and these things move depending on what business you're in. In general, from the Western perspective, the three most prevalent threats that we see are North Korea, China and Russia. Iran is a separate example, which is much more volatile in terms of intentions. Their capabilities haven't changed, but because of the joint deal they were targeting things like Saudi Arabia, and then we have the breakup of the Joint Comprehensive Plan of Action, we have the tanker wars in the summer of 2019 in the Strait of Hormuz, and we have this increased attention as intentions to target the West go up, and it really culminates in January 2020 with the killing of General Qassem Soleimani. We see Iran moving up and up and up. And so you always have to be re-evaluating these threats and understanding how they're changing, and how you're thinking about what they will do.

Now, it's interesting to note that almost all of these threat actors in the course of 2020 used COVID-19 as a lure in their attacks. They used it for themes, they used it for file names, and they even targeted organizations that are related to COVID-19. As we are coming out of the grips of this global pandemic, you can see that this has really created a lot of activity and a lot of opportunity to increase the success of their targeting, which is something we're going to look at here.

So in 2020, ransomware operations for most organizations became the most disruptive threat that we were tracking. And it's important to understand that ransomware is part of a broader ecosystem. There's a global ecosystem, an underground economy if you will, that is kind of feeding off of each other, with different pieces of this underground economy that focus on different areas and specialize in different things, all meant to generate revenue for the operator. So if you look at the breakdown, you have service-oriented aspects of this underground economy. You have access brokers; access brokers are a utility for ransomware actors. You want to find an interesting target and start off with access, so an access broker will use whatever they've got to get in, and then sell that access to the highest bidder, and the ransomware actors use this to identify organizations that they're most interested in and then buy access and start to operate. We also have lots of different elements of the underground economy. There are tools that are sold, ransomware as a service where you can actually buy the malware, and malware packing services that help actors continue their operations. And how do you get your ransomware, how do you get your malware out there? There's a whole set of distribution services: social network spam, they do email spam, they're building exploit kits and operating them, they're selling installs to the highest bidder. And then finally there's the monetization side. So you have money mules that are helping to move money around for the threat actors, you have ransom payment and extortion services, you've got money laundering. There are lots of ways that threat actors get paid.

So as we think about what ransomware actors were using for initial access today, what's prevalent are the well-known banking Trojans that were engaged in a lot of account takeover in the browser, stealing credentials for banking and credit cards. They realized there was a lot more money to be made on the ransomware side several years ago, and so they pivoted and they use their banking Trojans, which are widely distributed in many environments today, as the initial foothold. Once they have that initial foothold, they can move laterally, deploy ransomware, steal files and conduct an intrusion where they can get paid tens of millions of dollars just for one intrusion. The other thing that we have is distribution actors, so we have Mallard Spider and Mummy Spider. Mummy Spider is famously tied to Emotet, which is used for spam. And so what they actually do is they distribute their malware, and once they have their malware planted in a system through spam, then they'll sell access to these other eCrime actors. If you want to conduct ransomware attacks, you go buy it from Mummy Spider, and then you can deploy your tools and carry out your operation. Access brokers I mentioned earlier; Mummy Spider is one, but there are a lot of info stealers that are used to steal information that could be used by these actors and also to sell access. So if they find a remotely exploitable service and they break in, or they've gotten in through some other campaign, they'll actually sell that access on a forum, and when the threat actor is browsing the forum they find the target of interest and buy that access. The last piece here is the services that have been in the news this year: the VPN appliances and software. We've seen a lot of misuse of RDP, which essentially was deployed as a result of organizations trying to rapidly adopt a digital strategy in the wake of COVID. And recently we've seen the Microsoft Exchange vulnerabilities, which have been used for a lot of these remote attacks.

So once these threat actors get in, whether it's through an access broker, a banking Trojan or some other service, they're typically living off the land. By living off the land, they're using things like RDP and PsExec. They're using Cobalt Strike or Windows utilities that are present on the system, or Sysinternals tools that might be present, or at least look like legitimate administrator tools, and then they'll do exfiltration using things like Mega and Rclone in order to steal files that they'll then further leak on a dedicated leak site in order to monetize as well. And so a lot of the tools that they're using aren't necessarily going to trigger a lot of alerts in your environment, or things that people might look too closely at.

If you take a look at how COVID-19 affected the eCrime ecosystem, you can see here that there's been a pretty massive spike. In January of this novel coronavirus there's not too much activity, though it starts to go up in February. But by March we see a hundredfold increase in the number of files that had COVID-19 or coronavirus in them, or emails or links that we were tracking. So threat actors really, in the course of the last year, have utilized COVID-19 and coronavirus to supercharge their attacks, to get victims to click on files and click on links in order to enable their activity.

So the most active data leak sites that we're tracking are used by criminal actors: they are creating these dedicated leak sites and they'll put little pieces, around 15 percent of the stolen information, on this website to demonstrate, almost like proof, that we have this data and we're going to leak more of it if we don't get paid. We see this time and time again, and the most prevalent actors that are engaged in this are Twisted Spider, which is known for their Maze or Egregor ransomware, and Wizard Spider, which has been using Conti. So they have different tools that they use in different scenarios for ransomware attacks, but we have never seen Ryuk used for a data leak attack; we've only seen it for pure ransomware attacks. When there's a data leak attack, typically they're using something like Conti. And then Pinchy Spider with REvil, which was previously associated with the GandCrab ransomware as a service. And so Twisted Spider and Pinchy Spider use more of a ransomware-as-a-service model. With ransomware as a service, they're effectively building the ransomware and building a platform, so you take the ransomware, you put it into the victim environment, and when they pay, the victim pays through the platform. The operator of that service takes some percentage; it's a revenue-sharing model, and they take a percentage of that as payment for what they're providing as a service. The second model is that they're running the operation entirely themselves, so they'll buy access, they'll deploy their tools, they'll conduct the ransom negotiations, and then they take 100 percent.

The most targeted sectors over the last year that we've observed are really industrial engineering, manufacturing and technology, and probably state and local government and healthcare would come on the heels of that. This is an interesting set of targets. One of the reasons that we believe this is occurring is that ransomware actors look for organizations that have to be up, what I would call an operational imperative. If they need to be up and running, at some point there's going to be a discussion about whether it is cheaper or more beneficial to just pay the ransom amount than to try to restore from backup or to try to figure out some way around paying. In organizations like industrial engineering, manufacturing and technology companies, there's downtime associated with that, and for every unit of that time there's an associated loss, and with a ransomware actor, the sweet spot the threat actor is looking for is where there's more money being lost than they're asking for, and so organizations are going to pay them.

As we look at the threat actors that were able to really use COVID-19 as a driver for what they're doing, there are three that come to mind. Traveling Spider, which is known for their email lures; they were using email subjects to get organizations to open up attachments, such as a general meeting for coronavirus, or impersonating healthcare organizations when they're targeting different organizations in order to get their tools deployed so they can conduct targeted attacks. They've targeted government and healthcare sectors over the last year. Circus Spider is the second one, and they've compromised at least one US local public health district site. They also reportedly compromised a number of hospitals in Europe with COVID-19 emails, and they're known for their NetWalker malware, which goes by many different names. And then thirdly is Graceful Spider, and they're best known for their Get2 loader, which is a macro document. They were using COVID-19 lures on organizations so that they'd open the attachment, enable the macro and let things go, and they hit the healthcare sector over the last year. They're one of the ones that were most prevalent in the leak space, where they're using their Cl0p leak site in order to generate urgency and get these organizations to pay, and they claimed that they were not targeting healthcare, but they continued to target healthcare.

So why was ransomware such a problem? It kind of begs the question of how we got here. And so, as a brief history of ransomware, I think we can roll back a bit. Ransomware has been around for a lot longer than this. In fact, I think the first piece of ransomware that I can find goes back to the late 80s. But if we want to talk about the modern era of ransomware, it really goes back to CryptoWall and CryptoLocker in the 2014 timeframe. You can see here one of the earlier ransom demands that we looked at, and in this case they're looking for $500, and they would double the amount of money if you waited. This targeted individuals, so this would get onto your computer, mom and dad's computer, whoever's computer, and it would lock the system up; it would encrypt files in order to lock you out of the system. And I think that they realized pretty quickly that this was very expensive for them to operate, dealing with individuals, getting them cryptocurrency, how to use the payment portal, with absolutely no sense of proposition, and they had to do it in multiple languages.

By 2016 we were kind of calling it the year of ransomware in terms of individuals, and I was even asked to testify before the Senate Judiciary Committee as it pertains to ransomware: why we were seeing ransomware, and what can be done about it. And there was something in the testimony that I want to call out, which was that we said the actors had likely taken in tens of thousands of dollars from victims looking to recover their data, prompting them to look for victims who provide critical services to target. As I said before, they're looking for critical services, they're looking for things that have an operating imperative. And at least one actor at that time, we noted, had begun conducting targeted ransomware attacks, which is what we today call big game hunting, or enterprise ransomware. After this testimony, about a year later, the NHS in the UK gets hit by ransomware and this is massively disruptive. And this was something that hit lots of their systems, with a huge National Health Service that was hit by this ransomware activity, and this brought a lot of attention to ransomware as a threat. Then, just two months later, they're hit a second time. So the initial ransomware attack that hit them was the WannaCry attack, which is associated with North Korea. Two months later the same victim is attacked by Indrik Spider using Dridex and BitPaymer. BitPaymer is a custom locker used by the Indrik Spider actor which has been used for many years now. 2017 was one of the first instances of that being used, and it really brought attention to the fact that ransomware had gone from targeting individuals to targeting enterprises.

As we look at ransomware payments in 2019, you can see that it started off going from tens of thousands to hundreds of thousands of dollars, and by 2019 we start to see millions and millions of dollars in ransom demands: 2.34 million, DoppelPaymer asking for 12.5 million, and now we actually see tens of millions of dollars in ransom demands; 30, 40, 50, 60 million dollars is not uncommon in ransom demands anymore. And organizations are paying, and as a result these threat actors are further emboldened and they're conducting more and more intrusions in order to generate more revenue. In fact, in September of 2020 we observed one ransom demand for 1.4 billion dollars, which was certainly the highest we've ever seen, and since then we haven't seen higher. But it gives you a sense of the fact that these threat actors really think that they can get away with charging millions of dollars day in and day out in order to generate revenue.

So where is it going? What do we think is next on the agenda with these ransomware actors? Well, one of the things that we've observed, and we talked a little bit about it, is that we've seen these threat actors diversifying what they're targeting. It's not just workstations or servers any more; they're aware of the fact that a lot of organizations are using encrypted disks or using ESXi or virtual machines in order to optimize their data centers. And so these actors have begun looking at the virtual machine environments that they encounter and figuring out ways to shut down those virtual machines and then encrypt the virtual disk so that you need to decrypt it in order to recover even your infrastructure. There is one actor that has been most associated with this so far, but this is something that's going to continue to evolve: understanding environments, understanding how to target workloads beyond just the actual computer they're looking at, what is the computer running and how can they disrupt the most, maximize the pain they're causing in order to generate a higher ransom.

Today there are five things that we tell customers to do in order to mitigate ransomware attacks. The first one is easier said than done, and we've been talking about this for the last 20 years in security, which is secure the enterprise. By this I mean using things like the principle of least privilege, making sure that you have vulnerability management in place, that you're patching in predictable and informed ways, that you have all of these security layers and defense in depth inside of your enterprise that will make it a harder target. And for this, again, many organizations are still struggling to get there. So this is probably the number one thing that organizations can do, and it's not really something that's going to cost a lot of money, just a lot of time and effort to get there.

The second thing that we tell organizations is be prepared to prevent and respond. At CrowdStrike we talk about something that we call 1-10-60: a minute to identify a threat or an activity in your enterprise, about 10 minutes to investigate it, and about an hour to remediate it. And if you can get into that cadence and meet that goal, then you're going to be in a better position to stop these threat actors from moving across the enterprise and escalating privilege and deploying ransomware against the environment. And while those sound like some pretty crazy numbers, with things like EDR and threat hunting this is something that organizations can strive for. Threat hunters can get to a cadence so that when they see something come up, they're able to investigate it and remediate very quickly. And for organizations that don't have the budget or the staffing for hunters, because threat hunters are hard to find and they're expensive to keep on board and trained and engaged: there are lots of threat management services out there that do this all day every day and are really on top of these types of threats. Then you can even have something like our Falcon Complete service, where the hunters are authorized to remediate the activity as well, and they do this all through one platform. You can hit that 1-10-60 number.

The third thing is next-gen antivirus. Legacy antivirus solutions are not cutting it anymore. Signature-based detection is something that is extremely fragile: you have to understand the threat in order to have a signature for it, and then you can prevent it. With next-gen antivirus technology, what we're talking about is using machine learning, where the machine is classifying threats or files before it's ever encountered them. So they're looking at various features within that file and using that to classify it as good or bad, and that allows you to do prevention and detection without ever having seen the threat before, and that next-generation technology is absolutely table stakes at this point in order to successfully protect the environment from these types of ransomware intrusions. The actors use unique builds; a build can be identified, but it is a unique build, and they are purposefully creating their intrusions and tools to get around detection.

The next thing that we tell customers is to go through tabletop exercises in order to understand, if something happens, who are we going to call, who's got the responsibility. If you've got the best backup solution in the world but you've never tested it, then you're going to have a hard time when you need to put it under fire. And so running these drills quarterly, in virtual rooms or eventually, as we get back into offices, doing it inside of a boardroom, is a really good way to get everybody to understand what they need to do, what their position is, and to build up muscle memory for what to do in a specific incident or when something happens.

Fifth: know your adversary. There are twenty-five different ransomware actors that we're tracking today, and if you understand their tactics, their techniques and their procedures, what tools they're using and how they operate, then you're going to be in a much better position to defend your environment from these threat actors by understanding what business verticals they're targeting, the reasons they're targeting them, and what you need to look for in order to stop them before they're able to steal data and encrypt your environment. Thank you for your time today.
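The 1-10-60 cadence from the talk (one minute to identify, ten to investigate, sixty to remediate) is easiest to reason about as a metric computed over real incident timelines. The script below is an added illustration, not CrowdStrike's code; the incident records, the stage names and the `Incident` fields are constructed for the example, and each stage is measured from the end of the previous one, with an incident that is still open counted as breaching the remediate target once it has already run past sixty minutes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Targets from the talk's 1-10-60 cadence. Each stage is measured from the end
# of the previous one, so the three together bound the adversary's time on target
# before lateral movement and ransomware deployment can be cut off.
TARGETS: Dict[str, timedelta] = {
    "identify": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "remediate": timedelta(minutes=60),
}


@dataclass
class Incident:
    incident_id: str
    first_activity: datetime        # first adversary action seen on the host
    alerted: datetime               # sensor or hunter raised the detection
    investigated: datetime          # triage done: confirmed, scoped, decision made
    remediated: Optional[datetime]  # None while containment is still open


def stage_durations(inc: Incident, now: datetime) -> Dict[str, timedelta]:
    """Elapsed time per stage. An open incident's remediate stage keeps running
    until `now`, so it can already count as breached before anyone closes it."""
    end_remediate = inc.remediated if inc.remediated is not None else now
    return {
        "identify": inc.alerted - inc.first_activity,
        "investigate": inc.investigated - inc.alerted,
        "remediate": end_remediate - inc.investigated,
    }


def breached_stages(inc: Incident, now: datetime) -> List[str]:
    """Names of the stages whose elapsed time exceeds the 1-10-60 target."""
    durations = stage_durations(inc, now)
    return [stage for stage, target in TARGETS.items() if durations[stage] > target]


def summarize(incidents: List[Incident], now: datetime) -> Dict[str, object]:
    """Roll up a set of incidents: how many met the full cadence, how many are
    still open, and which stage breaches most often (where to invest first)."""
    breach_counts = {stage: 0 for stage in TARGETS}
    met_all = 0
    still_open = 0
    for inc in incidents:
        breached = breached_stages(inc, now)
        for stage in breached:
            breach_counts[stage] += 1
        if not breached:
            met_all += 1
        if inc.remediated is None:
            still_open += 1
    worst = max(breach_counts, key=breach_counts.get) if any(breach_counts.values()) else None
    return {"total": len(incidents), "met_all": met_all, "still_open": still_open,
            "breaches": breach_counts, "worst_stage": worst}


# Constructed sample timelines (not real data); all times are on one UTC day.
def _t(hhmm: str) -> datetime:
    return datetime(2021, 5, 20, int(hhmm[:2]), int(hhmm[2:]))


NOW = _t("1600")  # the moment the report is generated
SAMPLE_INCIDENTS = [
    # Met every target: 45 s to alert, about 6 min to triage, 30 min to contain.
    Incident("INC-1", _t("0900"), _t("0900") + timedelta(seconds=45), _t("0907"), _t("0937")),
    # Fast alert, but triage took 25 min and containment 70 min: two breaches.
    Incident("INC-2", _t("1000"), _t("1000") + timedelta(seconds=30), _t("1026"), _t("1136")),
    # Detected only after 3 hours of activity and still open 112 min after triage.
    Incident("INC-3", _t("1100"), _t("1400"), _t("1408"), None),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.incident_id, "breached:", breached_stages(inc, NOW) or "none")
    print(summarize(SAMPLE_INCIDENTS, NOW))
```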
