Don't 'WannaCry' No More: How to Shield Your IT Infrastructure from Ransomware. Netwrix Corporation Roy Lopez System Engineer

Don't 'WannaCry' No More: How to Shield Your IT Infrastructure from Ransomware Netwrix Corporation Roy Lopez System Engineer

How to Ask Questions Type your question here Click Send

Agenda Ransomware Trends What s WannaCry How to Prepare Demonstration Prize Drawing

Rise in Number of Ransomware Attacks 2014 2015 2016 3.2M 3.8M 638M +19% +167 times $1B in Ransom fees Paid in 2016

Ransomware Top-liners of 2016-2017 Cerber adds a.cerber extension Locky delievered via spam emails containing JavaScript KillDisk Windows + Linux Petya + PetrWrap targets businesses. Dropbox link with.exe file Popcorn Time either pay the ransom or infect two other users Koolova makes you read articles Spora Ransomware as a-service

Decryptors Available Crysis Marsjoke Polyglot Wildfire Chimera Teslacrypt Learn more: http://nomoreransom.org Shadecoinvault Rannoh Rakhni

WannaCry: What s Happened Uses ETERNALBLUE Leverages the Microsoft Windows filesharing vulnerability Targets unpatched Windows Ransom: $300+ (in bitcoins) WannaCry 2.0 comes without killswitch Is a ransomware cryptoworm

Mitigate the Risk of WannaCry 1. Disable SMBv1 on your Windows servers by running this powershell cmdlet: Remove-WindowsFeature FS-SMB1 Note: A restart will be required after executing this command. 2. Make sure that you have applied the MS patch (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) to your infrastructure. 3. Add rules on your AV to prevent the creation of.wnry file extensions. 4. Block TCP ports 139 and 445 from allowing inbound Internet connections. 5. Whitelist these domains (as WannaCry checks them) to stop the attack: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com Note: This only works for direct connections; if using a proxy (as on enterprise networks), it won t work. 6. Educate users about the WannaCry ransomware threat and explain how not to fall victim to phishing attacks. 7. Set up alerts for WannaCry threat patterns (http://get.netwrix.com/get_alerts_on_wannacry_attacks_lf/). 8. Pray.

Creating Honeypot for Ransomware File Server Resource Manager create a share with a $ in front of the name Let the group Authenticated Users have full control of this share FSRM file screen notices write activity cut off user s access Get-SmbShare -Special $false ForEach-Object { Block-SmbShareAccess -Name $_.Name - AccountName '[Source Io Owner]' -Force }

Checklist: Prepare for the Attack Done 1. Show up hidden file extensions on all workstations 2. Blacklist everything and whitelist only needed software 3. Allow users execute only authorized extensions 4. Disable AutoPlay and Autorun on all workstations 5. Disable file execution in e-mail attachments OR quarantine all email attachments 6. Disable macro scripts from office files transmitted via e-mail 7. Limit user access to shared drives

Checklist: Prepare for the Attack 8. Whitelist only the specific ports and hosts you need 9. Create a guest network for new or unknown equipment 10. Deploy offline backup 11. Configure access to shared folders 12. Restrict permissions to read where possible 13. Segregate your network 14. Enable ad-blockers and script-blockers 15. Block Tor addresses Done

Known Ransomware Extensions.ecc,.ezz,.exx,.zzz,.xyz,.aaa,.abc,.ccc,.vvv,.xxx,.ttt,.micro,.encrypted,.locked,.crypto, _crypt,.crinf,.r5a,.xrnt,.xtbl,.crypt,.r16m01d05,.pzdc,.good,.lol!,.omg!,.rdm,.rrk,.encryptedrsa,.crjoker,.enciphered,.lechiffre,.keybtc@inbox_com,.0x0,.bleep,.1999,.vault,.ha3,.toxcrypt,.magic,.supercrypt,.ctbl,.ctb2,.locky,.wnry

Continuous Awareness Back up! Always install latest patches and updates Beware of pseudo-crypto-ransomware pop-ups Educate your employees and executives! Send them the guide: https://www.netwrix.com/download/documents/ransomware_survival_guide.pdf

Netwrix Auditor Demonstration

Netwrix Auditor Applications Active Directory Azure AD Exchange Office 365 Windows File Servers EMC NetApp SharePoint Oracle Database SQL Server Windows Server VMware

About Netwrix Corporation Year of foundation: 2006 Headquarters location: Irvine, California Customer support: global 24/5 support with 97% customer satisfaction Global customer base: over 8,000 Recognition: Among the fastest growing software companies in the US with 105 industry awards from Redmond Magazine, SC Magazine, WindowsIT Pro and others

Netwrix Customers Financial Healthcare & Pharmaceutical Federal, State, Local, Government GA Industrial/Technology/Other

Industry Awards and Recognition All awards: www.netwrix.com/awards

Next Steps Free Trial: setup in your own test environment: On-premises: netwrix.com/freetrial Virtual: netwrix.com/go/appliance Cloud: netwrix.com/go/cloud Test Drive: run a virtual POС in a Netwrix-hosted test lab netwrix.com/testdrive Live Demo: product tour with Netwrix expert netwrix.com/livedemo Contact Sales to obtain more information netwrix.com/contactsales Webinars: join our upcoming webinars and watch the recorded sessions netwrix.com/webinars netwrix.com/webinars#featured

Thank You!

Prize Drawing Ticketmaster egift Card! Haven t won this time? Sign up for upcoming sessions: https://www.netwrix.com/webinars.html