Massive Attack WannaCry Update and Prevention Eric Kwok KL.CSE
WannaCry Q: After patching MS17-010, your computer won't be infected by WannaCry ransomware. A: YES / NO
WannaCry Q: In order to defend against a WannaCry attack, just put all files into the Recycle Bin. A: YES / NO
Ransomware: Ransomware targets any PC user, whether it's a home computer, endpoints in an enterprise network, or servers used by a government agency or healthcare provider
Kaspersky Security Awareness Training People are not motivated to learn (only 22% believe they can be targeted by criminals); Employees do not see IT Security as partners and always try to bypass them; There is a lack of measurements on awareness, besides how many people got trained.
Kaspersky Security Awareness Training: Online training modules; Simulated phishing attacks; Knowledge assessments; Education automation; Progress reports
What is WannaCry Ransomware: Why this is so massive and different from before: It is a worm; Kill switch; Uses NSA backdoor vulnerability to spread; Initiated through an SMBv1 remote code; Does NOT require user's interaction; Automatically discovers & infects Windows OS without the MS17-010 patch
Worms + Ransomware: Infects other unpatched Windows machines automatically; Basically it scans LAN IPs for open SMB port 445; Does NOT require user's interaction; (But WannaCry is not the only one) Spora Ransomware (Download or install automatically)
Endpoint Firewall + Network Attack Blocker: IDS / IPS function; Blocking C&C server; Isolate infected machine
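The LAN scan for open SMB/445 described above shows up to a defender as one source contacting many distinct internal addresses on TCP/445 within a short time. The following is an added example, not part of the original slides, that flags such hosts so they can be isolated; the log format, threshold and window are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (hypothetical) firewall log format:
#   <ISO time> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port>
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)$")

def find_smb_scanners(lines, threshold=5, window_seconds=60):
    """Return {src: peak distinct LAN peers} for every source that contacted
    at least `threshold` distinct private addresses on TCP/445 within any
    `window_seconds` span. Lines are assumed to be in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs inside the window
    peak = defaultdict(int)       # src -> largest distinct-peer count seen
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # ignore lines that do not parse
        ts, src, dst, port = m.groups()
        try:
            lan_target = ipaddress.ip_address(dst).is_private
            now = datetime.fromisoformat(ts)
        except ValueError:
            continue              # bad address or timestamp
        if port != "445" or not lan_target:
            continue
        q = recent[src]
        q.append((now, dst))
        while now - q[0][0] > window:
            q.popleft()           # drop connections older than the window
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= threshold}

# Constructed sample: 10.0.0.5 sweeps eight LAN hosts in eight seconds,
# 10.0.0.9 reconnects to one file server, 10.0.0.7 reaches five hosts
# over 40 minutes, plus an HTTPS connection and an unparseable line.
SAMPLE_LOG = (
    [f"2017-05-12T10:00:{i:02d} SRC=10.0.0.5 DST=10.0.0.{10 + i} PROTO=TCP DPT=445" for i in range(8)]
    + [f"2017-05-12T10:00:{i:02d} SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP DPT=445" for i in range(6)]
    + [f"2017-05-12T10:{10 * i:02d}:00 SRC=10.0.0.7 DST=10.0.0.{30 + i} PROTO=TCP DPT=445" for i in range(5)]
    + ["2017-05-12T10:00:05 SRC=10.0.0.5 DST=10.0.0.2 PROTO=TCP DPT=443", "garbage line"]
)

if __name__ == "__main__":
    for src, peers in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src} contacted {peers} distinct LAN hosts on TCP/445 within 60s")
```

A short window catches worm-speed sweeps; widening `window_seconds` also surfaces slower fan-out at the cost of more benign matches such as backup or management servers.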
Vulnerability: MS17-010: Patched by Microsoft on 14-Mar; Vulnerability everywhere
Kaspersky Vulnerability and Patch Management: Vulnerability Scan & Patch Management; Automated distribution of patches and updates for 150+ applications
Automatic Exploit Prevention: Control of potentially vulnerable applications; Monitor pre-launch activities; Tracking the origin of code
Ransomware is difficult to detect
Signature-Based Detection: The first layer of protection; Not only for detection
[Diagram: The Kaspersky Lab approach. Threat categories: Known, Unknown, Advanced; figures shown: 70%, 29%, 1%. Stages: File Download, File Start, File Execution. Groupings: Reactive Technologies, Proactive Technologies. Components: HIPS & Firewall (network traffic); URL Filtering (web traffic); Anti-Spam (email traffic); Anti-Phishing (email traffic); Blacklisting; Heuristics; Whitelisting; App Control; BSS; AEP; System Watcher; Vulnerability Assessment & Patch Management; Kaspersky Security Network.]
The Kaspersky Lab approach: Kaspersky Security Network; Over 2.1 billion whitelisted objects; 1 billion blacklisted objects; An Urgent Detection System
[Diagram: The Kaspersky Lab approach. Labels: Known; Virus Signature; Log Application Activity; Unknown; Heuristics; Terminate Malicious Program; Roll Back Malware Action; System Watcher; Urgent Detection System; KSN; Kaspersky Unique Feature: System Watcher.]
The Kaspersky Lab approach: File Server Protection - Anti-Cryptor; Protecting shared folders from crypto-malware; Blocking access from hosts with suspicious activity; Application Startup Control
WannaCry Live Demo: The performer has received professional training; audience members should not imitate.
Questions? Useful link: www.securelist.com; Local support: corp.support@lapcom.com.hk, Tel: 36934668; New virus analysis: newvirus@kaspersky.com; Ransomware: noransom.kaspersky.com. Thank you!