Stop Ransomware In Its Tracks. Chris Chaves Channel Sales Engineer

Transcription

1 Stop Ransomware In Its Tracks Chris Chaves Channel Sales Engineer

2 Agenda Ransomware A Brief Introduction Why Are Ransomware Attacks so Successful? How Does a Ransomware Attack Happen? How to Stop Ransomware 9 Best Security Practices to Apply Now! Summary 2

3 Ransomware A Brief Introduction

4 Ransomware Is Hitting the Headlines 4

5 And Keeps Growing Estimated to be a $1 Billion a year industry by the end of 2016 (FBI) Criminals are dedicated and professional even setting up customer care teams to secure payment 5

6 And Keeps Evolving Shortcut files (.lnk) becoming more popular Ransomware deleting itself so quickly it can t be analyzed Sleep timer to evade sandboxing technologies? 6

7 Ouch! The Hollywood Presbyterian Medical Center was hit by ransomware and reportedly paid 40 Bitcoins ($17,000) to restore their lost files. The impact of ransomware: Ambulances were diverted Electronic medical records disappeared was unavailable No access to X-ray or CT scan information 7

8 What Is Ransomware? #1 malware threat A form of malware that restricts access to a system or its data, then demands payment in order to restore access Ransom demands are often in region of BTC 0.5 to BTC 1.00 (1 BTC = ~ 540/ $600/ 455) Variants Locky hit the headlines in early 2016 Many other variants are created on a DAILY basis 8

9 2 Main Attack Vectors attachments Infect via spam with malicious attachments When the attachment is opened the executable code downloads and then executes the ransomware payload Used by Locky, Zepto and CTB-Locker Exploit kit Infect via compromised websites and malvertising Black market tools used to easily create attacks that exploit known or unknown vulnerabilities (zero-day) Used by Cerber, CryptoWall, CryptXXX and CrypVault 9

10 Why Are Ransomware Attacks So Successful?

11 Why Are Ransomware Attacks so Successful? 1. Sophisticated attack techniques and continuous innovation 11

12 Sophisticated Attack Techniques Highly professional malware Skilful social engineering Hide malicious code in permitted technologies e.g. Microsoft Office macros, JavaScript, VBScript, Flash, shortcut files 12

13 Malware as a Service Includes network and endpoint techniques from infecting a website, all the way to delivering an endpoint payload and selling the results Zero day exploits automatically included Cross platform & Agile developed 13

14 Why Are Ransomware Attacks so Successful? 2. Exploit common security weaknesses 14

15 Exploit Common Security Weaknesses Inadequate backup strategy Poor patching Users have more rights than they need Systems not implemented correctly Lack of IT security knowledge Conflicting priorities: security vs productivity concerns Lack of user security training 15

16 Why Are Ransomware Attacks so Successful? 3. Lack of advanced prevention technology 16

17 Lack of Advanced Prevention Technology Many organizations have some form of generic protection Ransomware is constantly evolving and learning to exploit it Solutions need to be designed specifically to combat the threat 17

18 How Does a Ransomware Attack Happen?

19 Web Gateway Gateway Firewall/UTM Endpoint Devices Mail Server Servers 19

20 Web Gateway Gateway Firewall/UTM Endpoint Devices Mail Server Servers 20

21 Command & Control Web Gateway Gateway Firewall/UTM Endpoint Devices Mail Server Servers 21

22 Command & Control Web Gateway Gateway Firewall/UTM Endpoint Devices Mail Server Servers 22

23 23

24 How to Stop Ransomware

25 Web Gateway Gateway Firewall/UTM Endpoint Devices Mail Server Servers 25

26 Endpoints and Servers Malicious Traffic Detection identifies traffic to ransomware C&C centers Anti-malware and HIPS behavior analysis includes rules that block ransomware Application Control can block Wscript which is often used by ransomware Application Whitelisting can establish a default deny policy on servers so only trusted applications can execute and stopping ransomware infecting servers Web Security scans web content for ransomware code Exploit Prevention in Sophos Intercept X stops ransomware taking advantage of weaknesses in software products 26

27 Gateway Anti-Spam, Anti-Virus Block s with ransomware macro attachments Delay queue for untrusted senders Web Gateway URL filtering to block websites hosting ransomware and their command and control servers Enforce strict controls on ransomware-related file types 27

28 9 Best Security Practices to Apply Now!

29 9 Best Practice Security Tips Backup! Backup! Backup! Perform regular backups and keep them offline and off-site Enable File Extensions Make it easier to spot suspicious file types Open JavaScript in Notepad Block malicious scripts 29

30 9 Best Practice Security Tips Don t enable macros in attachments Microsoft turned it off don t turn it back on! Be cautious with unsolicited attachments If in doubt leave it out Don t have more login power than you need Admin rights could mean a local infection becomes a network disaster 30

31 9 Best Practice Security Tips Microsoft Office viewers See what a document looks like without opening it Patch early, patch often Keep your defences on top form and plug holes Stay up-to-date with new security features For example Office 2016 now includes a control called Block macros from running in Office files from the internet 31

32 Summary

33 Summary Have the right protection in place at each stage of an attack: o Firewall o Endpoints and Server o o Web Apply IT security best practices 33

34 Useful Resources Sophos whitepaper How to stay protected from ransomware Regular security stories on Naked Security Sophos Support Ransomware: Information and prevention Contact us or Find a Partner 34

35