to defend against encryption ransomware
play

to Defend Against Encryption Ransomware Jian Huang Jun Xu - PowerPoint PPT Presentation

Jan 10, 2024 •22 likes •772 views

FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi Encryption Ransomware Is Becoming More Aggressive May 12,

  1. FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware Jian Huang † ‡ Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi † † ‡

  2. Encryption Ransomware Is Becoming More Aggressive May 12, 2017 2

  3. Encryption Ransomware Is Becoming More Aggressive May 12, 2017 230,000+ computers 150+ countries $300-$600 per ransom 2

  4. What Is Encryption Ransomware ? Destroy Ask for payments Encrypt files original files to decrypt files 3

  5. What Is Encryption Ransomware ? 3

  6. What Is Encryption Ransomware ? A ransom notification: users files have been encrypted 3

  7. What Is Encryption Ransomware ? A ransom notification: users files have been encrypted Pay ransom to recover user files 3

  8. What Is Encryption Ransomware ? A ransom notification: users files have been encrypted Pay ransom to recover user files 3

  9. What Is Encryption Ransomware ? A ransom notification: users files have been encrypted Pay ransom to recover More ransom user files required if the payment is delayed 3

  10. Characteristics of Encryption Ransomware Family #Samples Attack Time (minutes) Backup Spoliation Petya 14 2 CTB-Locker 119 14 Jigsaw 5 16 Mobef 7 16 Maktub 10 22 Stampado 42 27 Cerber 29 37 Locky 344 43 7ev3n 16 44 TeslaCrypt 75 44 HydraCrypt 13 70 CryptoFortree 4 75 CrytoWall 799 75 4 Total 1477

  11. Characteristics of Encryption Ransomware Family #Samples Attack Time (minutes) Backup Spoliation Petya 14 2 CTB-Locker 119 14 Jigsaw 5 16 How long does it take for Mobef 7 16 Maktub 10 22 ransomware to finish the attack ? Stampado 42 27 Cerber 29 37 Locky 344 43 7ev3n 16 44 TeslaCrypt 75 44 HydraCrypt 13 70 CryptoFortree 4 75 CrytoWall 799 75 4 Total 1477

  12. Characteristics of Encryption Ransomware Family #Samples Attack Time (minutes) Backup Spoliation Petya 14 2 CTB-Locker 119 14 Jigsaw 5 16 Mobef 7 16 Maktub 10 22 Stampado 42 27 Ask for ransom quickly Cerber 29 37 Locky 344 43 7ev3n 16 44 TeslaCrypt 75 44 HydraCrypt 13 70 CryptoFortree 4 75 CrytoWall 799 75 4 Total 1477

  13. Characteristics of Encryption Ransomware Family #Samples Attack Time (minutes) Backup Spoliation Petya 14 2 CTB-Locker 119 14 Jigsaw 5 16 Mobef 7 16 Maktub 10 22 Stampado 42 27 Cerber 29 37 Locky 344 43 7ev3n 16 44 TeslaCrypt 75 44 HydraCrypt 13 70 CryptoFortree 4 75 CrytoWall 799 75 4 Total 1477

  14. Characteristics of Encryption Ransomware Family #Samples Attack Time (minutes) Backup Spoliation Petya 14 2 CTB-Locker 119 14 Jigsaw 5 16 Mobef 7 16 Many ransomware attempt Maktub 10 22 to delete backup files Stampado 42 27 Cerber ( and bypass User Access Control ) 29 37 Locky 344 43 7ev3n 16 44 TeslaCrypt 75 44 HydraCrypt 13 70 CryptoFortree 4 75 CrytoWall 799 75 4 Total 1477

  15. Why Existing Solutions Are Not Good Enough ? Malware detection 5

  16. Why Existing Solutions Are Not Good Enough ? Malware detection Damage has already happened when ransomware is detected 5

  17. Why Existing Solutions Are Not Good Enough ? Journaling & Malware detection log-structured FS 5

  18. Why Existing Solutions Are Not Good Enough ? Journaling & Malware detection log-structured FS Ransomware with kernel privilege can destroy data backups 5

  19. Why Existing Solutions Are Not Good Enough ? Journaling & Networked & Malware detection log-structured FS Cloud Storage 5

  20. Why Existing Solutions Are Not Good Enough ? Journaling & Networked & Malware detection log-structured FS Cloud Storage Increased storage cost & can be stopped by ransomware 5

  21. Threat Model of Encryption Ransomware Application userspace kernel Block Driver read/write Block I/O Interface Disk Flash Translation Layer NAND Flash 6

  22. Threat Model of Encryption Ransomware Application userspace kernel Block Driver read/write Block I/O Interface Disk Flash Translation Layer NAND Flash 6

  23. Threat Model of Encryption Ransomware Application userspace kernel Block Driver read/write Block I/O Interface Our Goal: defend against encryption ransomware without relying on software-based solutions & Disk Flash Translation Layer without explicit data backups NAND Flash 6

  24. Threat Model of Encryption Ransomware Application userspace kernel Block Driver read/write Block I/O Interface Disk Flash Translation Layer NAND Flash Hard Disk Drive Flash-based SSD 6

  25. Flash Performs Better Than Hard Disk Drive No Seek Latency 40 x lower latency 7

  26. Flash Performs Better Than Hard Disk Drive No Seek Increased Latency Parallelism Dozens of 40 x lower latency parallel chips 7

  27. Flash Performs Better Than Hard Disk Drive No Seek Increased Became Latency Parallelism Commodity Dozens of 40 x lower latency Less than $ 0.2 /GB parallel chips 7

  28. Flash Performs Better Than Hard Disk Drive No Seek Increased Became Latency Parallelism Commodity Dozens of 40 x lower latency Less than $ 0.2 /GB parallel chips Significant improvements on Flash 7

  29. How Flash Is Used Today ? Application File System Flash-based Disk 8

  30. How Flash Is Used Today ? Application File System Flash Translation Layer Flash 8

  31. How Flash Is Used Today ? Application File System Flash Translation Layer Flash Out-of-Place Update A 8

  32. How Flash Is Used Today ? Application File System Flash Translation Layer Flash Out-of-Place Update Write A 8

  33. How Flash Is Used Today ? Application File System Flash Translation Layer Flash Out-of-Place Update Write A A B 8

  34. How Flash Is Used Today ? Application File System Flash Translation Layer Flash Out-of-Place Update Write Garbage Collection A A B 8

  35. FlashGuard: Leveraging Intrinsic Flash Properties Application userspace kernel Block Driver read/write Block I/O Interface Flash-based SSD Flash Translation Layer Flash 9

  36. FlashGuard: Leveraging Intrinsic Flash Properties Application userspace kernel Block Driver read/write Block I/O Interface Flash Translation Layer Flash 9

  37. Retaining Data in SSDs without Hardware Modification Overwrite a block Overwrite A Overwrite on SSD 10

  38. Retaining Data in SSDs without Hardware Modification Overwrite a block Overwrite A A B Overwrite on SSD 10

  39. Retaining Data in SSDs without Hardware Modification Overwrite a block Overwrite A A A B Overwrite on SSD Overwrite on HDD 10

  40. Retaining Data in SSDs without Hardware Modification Overwrite a block Overwrite Overwrite A A B A B Overwrite on SSD Overwrite on HDD 10

  41. Retaining Data in SSDs without Hardware Modification Retaining all the invalid pages Overwrite a block (stale data) is expensive Overwrite Overwrite A A B A B Overwrite on SSD Overwrite on HDD 10

  42. Retaining Data in SSDs without Hardware Modification Retaining all the invalid pages Overwrite a block (stale data) is expensive Overwrite Overwrite A A B A B Overwrite on SSD Overwrite on HDD Only retain the invalid pages caused by encryption ransomware 10

  43. FlashGuard: A Ransomware-Aware SSD File Read Encrypt Overwrite File Read Encrypt Write new files Delete/Overwrite 11

  44. FlashGuard: A Ransomware-Aware SSD Read Overwrite File Read Encrypt Overwrite Read File Overwrite Read Encrypt Write new files Delete/Overwrite 11

  45. FlashGuard: A Ransomware-Aware SSD Read Overwrite File Read Encrypt Overwrite Read File Overwrite Read Encrypt Write new files Delete/Overwrite FlashGuard only retains invalid pages that have been read for a certain period of time 11

  46. FlashGuard: A Ransomware-Aware SSD Read Write Read-Overwrite 100% Ratio of different IO operations 80% 60% 40% 20% 0% University computers ( 20 days) Enterprise servers ( 6-10 days) 11

  47. FlashGuard: A Ransomware-Aware SSD Read Write Read-Overwrite 100% Ratio of different IO operations 80% 60% 40% 20% 0% University computers ( 20 days) Enterprise servers ( 6-10 days) 11

  48. FlashGuard: A Ransomware-Aware SSD Read Write Read-Overwrite 100% Ratio of different IO operations 80% The data size is 60% relatively small (a few GBs) 40% 20% 0% University computers ( 20 days) Enterprise servers ( 6-10 days) 11

  49. Tracking Invalid Data with Out-of-Band Metadata Data OOB Metadata Flash Page LPA P-PPA Timestamp RIP Flash Block 4 Bytes 4 Bytes 4 Bytes 1 bit The logical page address mapped to the physical page 12

  50. Tracking Invalid Data with Out-of-Band Metadata Data OOB Metadata Flash Page LPA P-PPA Timestamp RIP Flash Block 4 Bytes 4 Bytes 4 Bytes 1 bit Previous physical page address for tracking all invalid pages 12

  51. Tracking Invalid Data with Out-of-Band Metadata Data OOB Metadata Flash Page LPA P-PPA Timestamp RIP Flash Block 4 Bytes 4 Bytes 4 Bytes 1 bit Check how long the page has been retained 12

  52. Tracking Invalid Data with Out-of-Band Metadata Data OOB Metadata Flash Page LPA P-PPA Timestamp RIP Flash Block 4 Bytes 4 Bytes 4 Bytes 1 bit Identify whether this page is a retained invalid page 12

Recommend

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new attacker entrants, lower cost through kit automation, etc.) Take consumer and enterprise digital assets hostage using high- strength encryption

365 views • 18 slides
1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

Geoff Hale 1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad actors, both criminal enterprises and nation-states have made use of ransomware. What: Ransomware is a type of malware that encrypts

358 views • 6 slides
Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

X by Invincea Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more sophisticated, and shifting to an enterprise threat Ransomware Nightmares X by Invincea To Pay Or Not To Pay? X by Invincea Your money or

780 views • 23 slides
On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele Lenzini, and Daniele Sgandurra June 20, 2019 Ransomware Threat 1 Ransomware Threat 1 Deception-Based Anti-Ransomware In the context of ransomware,

507 views • 22 slides
Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN KHARRAZ NICHOLAS BURTON ENGIN KIRDA What is Ransomware? What is Ransomware? u Ransomware is malicious software that encrypts user data, and

718 views • 33 slides
Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of Ransomware Technology Perspective and Attacked Devices Ransomware Economy Security Conditions Biomorphic Perimeterisation How to generate a

860 views • 61 slides
How to defend your proposal like professional Dr Dr. Reyas What is proposal presentation

How to defend your proposal like professional Dr Dr. Reyas What is proposal presentation

RD FYP 1 WORKSHOP 3 RD Proposal Presentation How to defend your proposal like professional Dr Dr. Reyas What is proposal presentation or proposal defend To defend your final year project work a) Comply with Bachelor or Diploma

436 views • 33 slides
Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users files unless a ransom is paid.

517 views • 30 slides
Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy Bennett 2019 Cybersecurity Awareness Month Event October 22, 2019 2019 Texas Headlines Ransomware Ransomware Cyber criminals holding your data and

450 views • 23 slides
Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Locky Strike: Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts, FortiGuard Lion Team September 1, 2017 1 Cryptowall 2 This one? 3 Prevalence: Global ransomware Global Ransomware IPS Hits - February

647 views • 49 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How Healthcare IT Differs From General IT Agenda The Growing Threat of Ransomware What You Can Do Today To Protect Your Business How Healthcare IT

440 views • 32 slides
.NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend

.NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend

1 .NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend PowerShell 2 MALWARE UNICORN Senior or Malware Researcher @ Endgame, Inc. Wo Works s as s a a Mal alware are Re Researc archer r at at

1.04k views • 47 slides
Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin Kirill Levchenko, Alex C. Snoeren, Damon McCoy Ransomware causes financial damages

798 views • 54 slides
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko https://arstechnica.com/information-technology/2012/11/mushrooming-growth-of-ransomware- extorts-5-million-a-year/

298 views • 13 slides
DUTY TO DEFEND BY JOHN R. CRAWFORD NO DUTY TO DEFEND WHEN INSURED FAILS TO GIVE TIMELY NOTICE

DUTY TO DEFEND BY JOHN R. CRAWFORD NO DUTY TO DEFEND WHEN INSURED FAILS TO GIVE TIMELY NOTICE

DUTY TO DEFEND BY JOHN R. CRAWFORD NO DUTY TO DEFEND WHEN INSURED FAILS TO GIVE TIMELY NOTICE Food Market Merchandising vs. Scottsdale Indemnity , 857 F.3d 783 (8 th Cir. 2017) Facts of Food Market January 13, 2014: former employer Robert

908 views • 19 slides
What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary

What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary

What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary 1 Confidential & Proprietary Ransomware Overview Malware that blocks access to a system, device, or file until a ransom is paid

248 views • 11 slides
Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware Encryption S Web Encryption S Email Encryption OpenPGP S S/MIME S S Online Social Network Public Key Encryption S Encryption/Decryption

842 views • 26 slides
Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top

Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top

Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top Leaders-2019 www.vembu.com How to protect your business from a Ransomware attack? What is Ransomware? Types of Ransomware How it attacks? Stats for year

454 views • 16 slides
Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi

Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi

Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi with the help of many people from UCSD, NYU, and Chainalysis Only 37% of users backup their data g.co/research/protect Since 2016 ransomware

746 views • 62 slides
RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of encryption Wednesday, but none of these is good enough to be used in actual situations. Today well talk about one method, RSA Encryption, which is

1.01k views • 59 slides
Ransomware-as-a-Service: An Evolving Business Model Wednesday, April 29 at 11 AM Eastern

Ransomware-as-a-Service: An Evolving Business Model Wednesday, April 29 at 11 AM Eastern

Ransomware-as-a-Service: An Evolving Business Model Wednesday, April 29 at 11 AM Eastern Ransomware-as-a-Service: An Evolving Business Model Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides Recording

999 views • 23 slides
Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a way that only authorized parties can read the content of the original message History of encryption dates back to 1900 BC Two types of

533 views • 38 slides
I insurer agrees to defend its In pleading a negligence claim, seeking the same damages, the

I insurer agrees to defend its In pleading a negligence claim, seeking the same damages, the

C L A I M D E N I E D January 2005 A publication of the Lowenstein Sandler Insurance Law Practice Group NEW DECISION CLARIFIES NEW JERSEY LAW ON INSURERS DUTY TO DEFEND By Robert D. Chesler, Esq. n 1992, the New Jersey Supreme Most

723 views • 8 slides

More recommend