CISO Summit No 20: Ransomware: Prevention, Early Detection and Response
After a longer period of e-banking fraud, the increasingly well-protected e-banking systems resisted the hackers' penetration attempts so strongly that the business model no longer worked for the hackers. They needed to find a new source of income.
The new source is primarily ransomware: the hackers develop trojan horses, install them on the victim's systems and encrypt the data there. The victim can no longer work and no longer sees its data. At this point the hackers start negotiating how much money they want for releasing the crypto keys so that the victim can use its data again.
Customers with a real offline backup simply restore their data and carry on working. But quite a few corporations rely on mirrored server systems, which protect very well against hard drive failure but not at all against crypto-locker software.
Crypto-locker ransomware, like other forms of ransomware (e.g. payment for not publishing embarrassing or confidential data), needs time to be placed in an evaluated system. The hackers select this system very carefully, and several steps are needed before the final key is pressed and all data is encrypted. During this period, Computer Emergency Response Teams (CERT) and Security Operations Centers (SOC) may find indicators of compromise and can potentially mitigate the upcoming catastrophe.
Our debate will examine strategies that succeeded in specific cases and share strategies that failed before the system came under the hackers' control. We will look at these strategies both before the incident and during the response: How do you negotiate with the hackers? How do you start fighting back, what does fighting mean for the victim, and how likely is success? How does the requested amount change when the fight continues for a longer time? What kind of support do we need in such a situation, and how do we get it? And is it wise to look for partners before the incident?
The first presentation, from Frank Herberg (Switch), prepares the ground for a broad discussion of how the detection of indicators of compromise works and how to respond to them; in addition, some response options are debated. The second presentation, from Johannes Dohren (PwC), presents a true war story and demonstrates vividly what "fighting against hackers" really means.
With this setup we expect to serve the community with an inspiring exchange, leaving everyone better prepared and with more options to react to hackers' attempts to harm us.
All Day (Wednesday)
Hotel Ador Sorell