This document discusses the history and evolution of ransomware. It notes that while ransomware attacks have occurred for over a decade, they have increased significantly in recent years due to the money that can be made. It describes how CryptoLocker in 2013 collected $27 million in just 3 months. CryptoLocker was shut down by Operation Tovar in 2014, but spawned copycats like CryptoWall, one of the most successful ransomware strains. More recent variants like Locky in 2016 have also seen success. The document warns that ransomware authors are getting more sophisticated and business-savvy in their methods. It suggests ransomware is likely to continue evolving and poses an ongoing threat.

1. Ransomware – Protect or Pay?

2. Cryptolocker
was just the
beginning…

3. Three things you need to know about
CryptoLocker
•Ransomware attacks have been occurring for more than a
decade, but it’s been in the last few years that we’ve seen
large-scale attacks.
•Why? High rate of successful attacks… It’s all about the
money.
•Plus… The software for creating Ransomware is cheap and
readily available—perpetrators need only malicious intent
to carry out an attack. No coding required!
Ransomware: A brief history in Cybercrime

4. Three things you need to know about
CryptoLocker
How big of a business was CryptoLocker? According to a
report in December 2013*, the CryptoLocker malware
authors collected $27 million USD worth of bitcoins
from their victims over a period of 3 just months…
Ransomware: A brief history in Cybercrime
• http://www.zdnet.com/article/cryptolockers-crimewave-a-trail-of-millions-in-laundered-bitcoin/
• https://www.zscaler.com/blogs/research/signed-cryptowall-30-variant-delivered-mediafire

5. Three things you need to know about
CryptoLocker
•In 2014, CryptoLocker malware was largely
neutralized by Operation Tovar, an international
collaboration of security companies and law
enforcement, that successfully shut down the
command and control centers and the GameOver
Zeus (GOZ) botnets that drove the ransomware
•However, the scourge of ransomware is far from
over. CryptoLocker, as a result of its success,
spawned a slew of copycats
Ransomware: A brief history in Cybercrime
OPERATION TOVAR

6. Three things you need to know about
CryptoLocker
•CryptoLocker’s demise in 2014 gave way to a worthy
successor in CryptoWall, which has since evolved
into one of the nastiest and most successful strains of
ransomware.
•CryptoWall has been known to arrive via email
attachments, exploit kits, and drive-by downloads,
which occur when a user unintentionally downloads
a virus or malware (usually due to an outdated
browser or OS or lack of security technology to
prevent an unknown attack).
A new generation of Ransomware

7. Three things you need to know about
CryptoLocker
CryptoWall 3 (CW3) analysis by the numbers…
A new generation of Ransomware
• Source: CyberThreatAlliance - http://cyberthreatalliance.org/cryptowall-report.pdf
• 4,046 malware samples
• 839 command and control URLs
• Five second-tier IP addresses used for
command and control
• 49 campaign code identifiers
• 406,887 attempted infections of CW3
• An estimated U.S. $325 million in damages

8. Three things you need to know about
CryptoLocker
It’s sophisticated… Anatomy of a CryptoWall 3 attack*
A new generation of Ransomware
• Source: CyberThreatAlliance - http://cyberthreatalliance.org/cryptowall-report.pdf

9. Three things you need to know about
CryptoLocker
•In February 2016, a new version of ransomware
arrived on the scene. Known as Locky, it’s payload is
nearly identical to CryptoWall.
•Locky is likely to become one of the most active and
lucrative malware strains.
•Locky was responsible for the February 2016 breach
at Hollywood Presbyterian Medical Center, which
paid a ransom that amounted to about $17,000… a
small price to pay for EMR recovery.
A new generation of Ransomware

10. Three things you need to know about
CryptoLockerRansomware variants are sailing past layers of legacy security solutions
54%40%60%
of advanced threats
hide behind SSL.
ThreatLabz Research,
Zscaler
Inspecting all
traffic can require
8X more security
appliances
of Internet traffic
crosses CDNs and
goes uninspected.
Virtual Networking
Index, Cisco
of the top 100 sites
have malware

11. Three things you need to know about
CryptoLockerRansomware variants are sailing past layers of legacy security solutions
AV is completely ineffective…
100% 80% 60% 40% 20%
10%
Advanced
Persistent
Threats
0.03%
Cross-site
Scripting
0.73%
Virus
0.95%
Peer to
Peer
4.8%
Botnet
Calls
24% Cookie
Stealing
2.1% Browser
Exploits
0.8%
Phishing
0.33%
Malicious
Content
66.2%
Chart: Threats blocked for
typical Zscaler client, Q2 2015
Detail:
5 million threats blocked
65 million policy violations
Out of 1+ billion total transactions

12. Three things you need to know about
CryptoLockerRansomware variants are sailing past layers of legacy security solutions
Personalized content delivered
from multiple sources
Traffic: SSL
CDN: Akamai
Page objects loaded:
JavaScript, CSS, images
Potential threats: 167
Reputable sites are getting compromised… and their complexity adds to the risks...

13. Where is
Ransomwar
e going?

14. Continued evolution of Ransomware
Where is it going?
• Ransomware authors are getting creative…
• Recently, we started seeing a new campaign
involving multiple signed CryptoWall 3.0 samples
in our Cloud Sandboxes being downloaded from a
popular file hosting service, MediaFire…
Valid MDG Advertising
certificate used to sign
CryptoWall 3.0
• https://www.zscaler.com/blogs/research/signed-cryptowall-30-variant-delivered-mediafire

15. Continued evolution of Ransomware
Where is it going?
• Ransomware authors are becoming
even more business savvy…
• Maktub, another Ransomware
variant, will display a time-sensitive
ransom note. The ransom payment
starts at 1.4 bitcoins to get the
decryption key. But if the ransom
isn’t paid within 15 days, the ransom
goes up to 3.9 bitcoins on an
escalating scale…

16. About Zscaler

17. Introducing Zscaler
TECHNOLOGY
INNOVATION
Cloud security platform: security
stack as a service
(80 patents)
Largest security cloud:
100 DCs, 100M threats
blocked from 25B trans/day
Enabling the secure transformation to the cloud.
MARKET LEADER
Trusted by G2000,
5K customers, 15M users
across 185 countries
FINANCIAL
STRENGTH
Accelerating growth,
exceptional margins,
125% renewal rate
Billion dollar
valuation, backed by
Recognized leader
Global partners

18. More than 5,000 organizations trust Zscaler
Protecting 15 million users – 200 of the Global 2,000 – leading global brands
ZSCALER = Zenith of Scalability (4 dimensions of scale)
185 COUNTRIES1.6M USERS 30K LOCATIONS 45 GBPS

19. Leading industry analysts agree…
Zscaler is a very strong choice
for any organization interested in
a cloud gateway.
…on-premises web content security can’t
protect digital business…

20. Challenges imposed by the cloud and mobility
NEW ATTACK
VECTORS
Breaches and ransomware
attacks are on the rise.
The cloud and mobility are powerful business enablers, but they significantly impact
security, network traffic flows, applications, user experience, and cost.
APPLIANCE
SPRAWL
IT infrastructure is getting
complex and costly.
EASE OF APP
ADOPTION
Businesses are consuming
services independent of IT.
HOW CAN I SIMPLIFY IT WHILE MAINTAINING SECURITY
CONTROLS?
HOW SECURE ARE WE?
CAN I UP-LEVEL MY SECURITY?
HOW DO I MANAGE MY MPLS COSTS
AND DELIVER A BETTER USER
EXPERIENCE?

21. A typical Internet gateway
INEFFECTIVE SECURITY
•Can’t handle advanced threats
•Can’t keep up—patches, threats
•Bypassed by mobile users
Can you afford to continue investing in on-premises appliances?
COSTLY
•CAPEX intensive—not elastic
•Traffic backhaul costs
•Power and cooling costs
COMPLEX TO MANAGE
•Multiple admin consoles
•Scattered logs, no visibility
•Ongoing maintenance
POOR USER EXPERIENCE
•Each box introduces latency
•Backhaul latency
•No localized content

22. Enter Zscaler: Your security stack as a cloud
service
SINGLE POLICY CONSOLE
Define polices by user, group,
location. Policy follows the user
Zscaler built a perimeter around the Internet so you don’t need
to put a perimeter around every office.
GLOBAL, REAL-TIME
REPORTING
Gain visibility into all of the
applications, users, threats, and
botnet-infected machines
CONNECT – CONTROL – SECURE
Nothing bad comes in, nothing good leaks out
Zscaler App
INTERNET AND CLOUD APPS
Tunnel – GRE/IPsec
SIMPLY CONFIGURE THE ROUTER OR ENDPOINT DEVICE TO FORWARD TRAFFIC TO ZSCALER
MOBILE EMPLOYEE REMOTE OFFICESHQ

23. Zscaler Cloud Security Platform
Consolidate and simplify point appliances
CLOUD SECURITY PLATFORM
100+
data centers
worldwide
25B+
transactions processed
every day
105M+
threats blocked
every day
100K+
security updates
every day
ACCESS CONTROL
CLOUD FIREWALL
CLOUD APPS (CASB)
URL FILTERING
BANDWIDTH QOS
THREAT PREVENTION
ANTI-VIRUS
INTRUSION
PREVENTION
ADVANCED
PROTECTION
CLOUD SANDBOX
DATA PROTECTION
FORENSICS
DLP INTERNAL DATA
DLP CLOUD DATA

24. FULL INLINE CONTENT INSPECTION
All bytes, all ports, all protocols,
including SSL—no compromises.
REAL-TIME THREAT CORRELATION
Correlation of risk indicators—
destination to content—to predict
and block zero-day attacks.
CLOUD INTELLIGENCE
Over 105M threats blocked
every day—once a new threat is
detected, it’s immediately blocked for
all users. 100K+ security updates a day.
40+ INDUSTRY THREAT FEEDS
Threat sharing partnerships,
commercial deals, open source,
private working groups.
What sets Zscaler’s security apart?
UNIFORM
SECURITY FOR
EVERYONE
As long as everything is routed through Zscaler, from a security perspective, I’m happy.
— John Taylor, Global Head of IT Security, British American Tobacco

25. A three-step journey to future-proof your
business
for security, mobility, and cloud transformation
(BROADBAND)
SECURE
Up-level your security
NO POLICY OR INFRASTRUCTURE CHANGES
REQUIRED
(MPLS WAN)
SIMPLIFY
Remove point products
ELIMINATE GATEWAY SECURITY APPLIANCES AT
YOUR OWN PACE
(MPLS WAN)
TRANSFORM
Cloud-enable your network
ROUTE INTERNET TRAFFIC LOCALLY FOR A
BETTER USER EXPERIENCE
(MPLS WAN)

26. Begin your
journey today!
How secure are you?
Run a quick and safe
security test to find out.
www.zscaler.com/securitypreview