Don't 'WannaCry' No More: How to Shield Your IT Infrastructure from Ransomware. Netwrix Corporation Roy Lopez System Engineer

Transcription

1 Don't 'WannaCry' No More: How to Shield Your IT Infrastructure from Ransomware Netwrix Corporation Roy Lopez System Engineer

2 How to Ask Questions Type your question here Click Send

3 Agenda Ransomware Trends What s WannaCry How to Prepare Demonstration Prize Drawing

4 Rise in Number of Ransomware Attacks M 3.8M 638M +19% +167 times $1B in Ransom fees Paid in 2016

5 Ransomware Top-liners of Cerber adds a.cerber extension Locky delievered via spam s containing JavaScript KillDisk Windows + Linux Petya + PetrWrap targets businesses. Dropbox link with.exe file Popcorn Time either pay the ransom or infect two other users Koolova makes you read articles Spora Ransomware as a-service

6 Decryptors Available Crysis Marsjoke Polyglot Wildfire Chimera Teslacrypt Learn more: Shadecoinvault Rannoh Rakhni

7 WannaCry: What s Happened Uses ETERNALBLUE Leverages the Microsoft Windows filesharing vulnerability Targets unpatched Windows Ransom: $300+ (in bitcoins) WannaCry 2.0 comes without killswitch Is a ransomware cryptoworm

8 Mitigate the Risk of WannaCry 1. Disable SMBv1 on your Windows servers by running this powershell cmdlet: Remove-WindowsFeature FS-SMB1 Note: A restart will be required after executing this command. 2. Make sure that you have applied the MS patch ( to your infrastructure. 3. Add rules on your AV to prevent the creation of.wnry file extensions. 4. Block TCP ports 139 and 445 from allowing inbound Internet connections. 5. Whitelist these domains (as WannaCry checks them) to stop the attack: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Note: This only works for direct connections; if using a proxy (as on enterprise networks), it won t work. 6. Educate users about the WannaCry ransomware threat and explain how not to fall victim to phishing attacks. 7. Set up alerts for WannaCry threat patterns ( 8. Pray.

9 Creating Honeypot for Ransomware File Server Resource Manager create a share with a $ in front of the name Let the group Authenticated Users have full control of this share FSRM file screen notices write activity cut off user s access Get-SmbShare -Special $false ForEach-Object { Block-SmbShareAccess -Name $_.Name - AccountName '[Source Io Owner]' -Force }

10 Checklist: Prepare for the Attack Done 1. Show up hidden file extensions on all workstations 2. Blacklist everything and whitelist only needed software 3. Allow users execute only authorized extensions 4. Disable AutoPlay and Autorun on all workstations 5. Disable file execution in attachments OR quarantine all attachments 6. Disable macro scripts from office files transmitted via 7. Limit user access to shared drives

11 Checklist: Prepare for the Attack 8. Whitelist only the specific ports and hosts you need 9. Create a guest network for new or unknown equipment 10. Deploy offline backup 11. Configure access to shared folders 12. Restrict permissions to read where possible 13. Segregate your network 14. Enable ad-blockers and script-blockers 15. Block Tor addresses Done

12 Known Ransomware Extensions.ecc,.ezz,.exx,.zzz,.xyz,.aaa,.abc,.ccc,.vvv,.xxx,.ttt,.micro,.encrypted,.locked,.crypto,

13 Continuous Awareness Back up! Always install latest patches and updates Beware of pseudo-crypto-ransomware pop-ups Educate your employees and executives! Send them the guide:

14 Netwrix Auditor Demonstration

15 Netwrix Auditor Applications Active Directory Azure AD Exchange Office 365 Windows File Servers EMC NetApp SharePoint Oracle Database SQL Server Windows Server VMware

16 About Netwrix Corporation Year of foundation: 2006 Headquarters location: Irvine, California Customer support: global 24/5 support with 97% customer satisfaction Global customer base: over 8,000 Recognition: Among the fastest growing software companies in the US with 105 industry awards from Redmond Magazine, SC Magazine, WindowsIT Pro and others

17 Netwrix Customers Financial Healthcare & Pharmaceutical Federal, State, Local, Government GA Industrial/Technology/Other

18 Industry Awards and Recognition All awards:

19 Next Steps Free Trial: setup in your own test environment: On-premises: netwrix.com/freetrial Virtual: netwrix.com/go/appliance Cloud: netwrix.com/go/cloud Test Drive: run a virtual POС in a Netwrix-hosted test lab netwrix.com/testdrive Live Demo: product tour with Netwrix expert netwrix.com/livedemo Contact Sales to obtain more information netwrix.com/contactsales Webinars: join our upcoming webinars and watch the recorded sessions netwrix.com/webinars netwrix.com/webinars#featured

20 Thank You!

21 Prize Drawing Ticketmaster egift Card! Haven t won this time? Sign up for upcoming sessions: