How to Help Your Customers Protect Themselves from Ransomware Attacks
Transcript of How to Help Your Customers Protect Themselves from Ransomware Attacks
© 2016 N-able Technologies, ULC. All rights reserved.
RANSOMWARE
5 STEPS TO PROTECTING YOUR CUSTOMERS’ DATA
WHAT IS RANSOMWARE?
A software-based attack on your network with the goal of extortion.
HOW DOES RANSOMWARE SPREAD?
Ransomware is typically delivered through an exploit kit or phishing attack.
WHAT IS AN EXPLOIT KIT?
Code created to take advantage of an unpatched or unknown system vulnerability.
Example: Windows® OS, JavaScript® or Adobe Reader®
WHAT IS PHISHING?
Masquerading as a trustworthy entity in an electronic communication with malicious intent.
Example: Attachments to email. Embedded links.
THREE RANSOMWARE VARIANTS
1. “COP” OR “LOCKER”
• Generally acquired from browsing something “naughty”; infects through JavaScript or Adobe Flash® vulnerabilities. Prevents access to your underlying system without encryption.
• Appears to be from a federal agency and requests you pay a “fine” to compensate for your “illegal activity”.
2. CRYPTOGRAPHIC
• Generally acquired from phishing attacks. Encrypts data on your system and shares, preventing access. Demands a “fee” to unlock.
• Locked out of your data until you pay the ransom.
• E.g. “Cryptolocker” & “Locky”
3. “HOSTAGE” (NEW)
• Generally acquired from phishing attacks; same underlying concept as cryptographic.
• Steals browser, chat history and contact lists, records video & audio. May threaten to send this info to your contacts if a “fee” is not paid.
• E.g. “Crysis” & “Jigsaw”.
THE PROGRESSION OF RANSOMWARE
1989: “AIDS” Trojan on floppy disk asks for $189 to unlock a file
2006: Gpcode, Archiveus, Krotten, Cryzip, TROJ.RNSOM.A, and MayArchive lock systems with RSA encryption algorithms
2012: “Reveton” informs users they have downloaded illegal material and must pay a “fine”
2013: “Cryptolocker” appears, using nearly unbreakable encryption and hard-to-detect trojans, and ultimately includes use of the TOR network for anonymity.
2014: “CryptoWall” infects through website advertisements
2015: “Chimera” encrypts files and threatens to publish them online if ransom is not paid
2015: “CryptoWall” 3.0 and 4.0 add new layers to their encryption and come packaged in exploit kits
2016: “Locky” encrypts all files with a .locky extension and demands a fee to unlock
2016: RaaS (Ransomware as a Service) becomes possible, paving the way for prolific growth.
WHEN IS RANSOMWARE SUCCESSFUL?
To be considered successful, an attack must:
1. Take control of a system or device.
2. Prevent access to the device and its data to some degree.
3. Inform the user that the device is being held for ransom, along with a price and a method of payment.
4. Accept payment from the user.
5. Return full access to the device once payment is received.*
*This does not always happen, unfortunately.
WHAT A COMPROMISED DEVICE LOOKS LIKE
All shapes and sizes:
1. Desktop background
2. Popup window
Demands:
1. Pay a small “fine” to regain access.
2. Pay a “fee” or lose your data.
3. Pay an increasing “fee” as time elapses.
4. Pay a “fee” or increments of your data are destroyed over time.
5. Pay a “fee” or your personal information is released to the public or contact list.
PROGRESSION OF A RANSOMWARE ATTACK
1. The ransomware trojan package is executed.
• Few operating systems are safe. Many current ransomware variants will work on Windows, OS X and Linux® systems.
2. The trojan reaches out to one of many cloud servers to download its main payload (commonly on the Tor network, aka the “Dark web”).
3. Using the logged-in user account, the trojan deletes itself, and the payload begins to install and encrypt your files using strong encryption. Locations and files that are often targeted include:
• Locally stored office documents, image files, video files etc.
• Network shares the user has access to.
• Connected external drives such as USB thumb drives.
• Cloud storage that the user has write access to, such as Dropbox®.
4. Volume Snapshot Services (VSS) or “Shadow Copies” are commonly deleted.
5. Wallpaper or screen overlay appears that alerts the user to the encryption and instructs them to pay a “fine” or “fee”, often via Bitcoin®, a virtually untraceable online currency. Fees vary considerably.
6. Once paid, a decryption key is returned and often data is restored.
5 STEPS TO PROTECTING YOUR CUSTOMERS’ DATA
5 STEPS TO PROTECTING DATA
USERS: Step 1, User Education
PREVENTION: Step 2, Access Restrictions; Step 3, Antimalware; Step 4, Patch Management & Third Party
RECOVERY: Step 5, Backup & Recovery
OPTIONAL: Firewall & Network; Vulnerability Auditing
STEP 1: USER EDUCATION
QUICK TIPS
• Arm users with the knowledge they need to recognize threats and avoid dangerous behavior.
• Majority of ransomware attacks rely on social engineering (convincing the user to initiate the interaction).
• Educate users to recognize and avoid these attempts.
Common exploits:
• Macros in Microsoft® Office documents.
• JavaScript attachments in the form of fake documents.
• Embedded JavaScript in malicious websites.
STEP 1: USER EDUCATION
QUICK TIPS
• Don’t enable macros unless you were expecting them!
• Block macros in files from the internet by default in Active Directory.
• Use MS Office viewers.
Macros in Microsoft Office® documents*:
1. An attachment arrives; when opened it appears encrypted.
2. Directions are put in the document to use the “Options” button and re-enable macros.
3. Once the button is pressed, the ransomware infection begins.
*Allows for attack on Office 365® users as well!
STEP 1: USER EDUCATION
QUICK TIPS
• Unhide “known extensions”. Giving your users visibility is key.
• Antimalware’s Application Control features block Microsoft WSH Cscript and Microsoft WSH WScript.
JavaScript attachments in the form of fake documents:
1. An attachment arrives with what appears to be a Microsoft Office document or compressed file attached (Windows hides known extensions).
2. The user clicks to open the document. The 834425.zip.JS file executes.
3. Once the file is executed, the ransomware infection begins.
STEP 1: USER EDUCATION
QUICK TIPS
• Block malicious sites through your Antivirus or Firewall.
• Sandbox web access.
• Configure Windows to open JavaScript with Notepad.
Embedded JavaScript in malicious websites:
1. A user visits an infected page. It may be made to look like a legitimate organization.
2. Users typically click on a link, “play button” or other clickable object and unknowingly execute the JavaScript.
3. Once the JavaScript is executed, the ransomware infection begins.
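The three Step 1 quick tips that are Windows settings (show known extensions, open script attachments in Notepad instead of the Windows Script Host, block macros in Office files from the internet) as an added PowerShell example; this is not code from the N-able deck. It writes the per-user registry values that a domain GPO would normally push, which is handy for checking the effect on one workstation before the policy is rolled out. It assumes Office 2016 (policy hive version 16.0) and the default ProgIds for script file types.

```powershell
# Added example (not from the N-able deck): apply the Step 1 quick tips for the current user.
# Assumptions: Office 2016 (policy hive version 16.0) and the default ProgIds for Windows
# Script Host file types. A domain GPO is the production route; HKCU is the single-PC equivalent.
$ErrorActionPreference = 'Stop'

function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
}

# 1. Unhide "known extensions" so 834425.zip.JS no longer displays as 834425.zip.
Set-RegValue -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
             -Name 'HideFileExt' -Value 0

# 2. Open script attachments in Notepad instead of running them with wscript/cscript.
#    HKCU\Software\Classes takes precedence over HKLM\Software\Classes for this user.
$notepad = "`"$env:SystemRoot\System32\notepad.exe`" `"%1`""
foreach ($progId in 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile') {
    Set-RegValue -Path "HKCU:\Software\Classes\$progId\shell\open\command" `
                 -Name '(default)' -Value $notepad -Type 'String'
}

# 3. Block macros in Office files that came from the internet (email attachments, downloads):
#    the Office 2016 policy "Block macros from running in Office files from the Internet".
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    Set-RegValue -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" `
                 -Name 'BlockContentExecutionFromInternet' -Value 1
}

# Report the resulting state so an RMM check can confirm the settings stuck.
[pscustomobject]@{
    HideFileExt     = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced').HideFileExt
    JSFileOpensWith = (Get-ItemProperty 'HKCU:\Software\Classes\JSFile\shell\open\command').'(default)'
    WordMacroBlock  = (Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security').BlockContentExecutionFromInternet
}
```

Sign out and back in (or restart Explorer) before the extension change is visible; Office reads the policy value at its next start.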
STEP 2: ACCESS RESTRICTIONS
QUICK TIPS
• Keep data stores and shares protected by limiting the number of users who have access.
Ransomware typically executes under the logged-in account.
• Restrict users from backup shares and network locations they do not need access to.
• Do not use Administrator accounts, even for administrators. Use “Run as…” instead.
• Restrict administrative accounts from using email.
STEP 3: ANTIMALWARE
QUICK TIPS
• Advanced endpoint protection is required.
• Intrusion Detection System.
• Active Virus Control, aka a behavioral scan.
Traditional signature-based antivirus is not effective.
• AV must be capable of stopping processes that exhibit malicious techniques (heuristics/behavioral & IDS).
• Implement inbound mail scanning and blocking.
• AV must be ON and up to date at all times. You will need a way to monitor this.
STEP 4: PATCH MANAGEMENT
QUICK TIPS
• Control patch deployment through a centralized system.
• Enforce patch installation and reboots.
• Discuss patching policy with your customer!
Unpatched systems are an open door for ransomware delivery.
• Ensure your devices are patched and up to date.
• Apply patches no more than 30 days after they are released by the vendor.
• Review your patching process to remove any roadblocks such as reboot windows and device availability.
STEP 4: PATCH MANAGEMENT
QUICK TIPS
• Users often ignore update prompts for these tools.
• Take control of the updates with a Remote Monitoring and Management solution such as N-central®.
Third-party applications must be patched.
• Don’t let applications such as Java® and Adobe Reader® get left out of your patch routine.
• These applications are some of the most common entry points for exploit kits.
• Think carefully before deciding to leave older versions of third-party applications active.
STEP 5: BACKUP & RECOVERY
QUICK TIPS
• Encrypt your backup location. Ransomware will attempt to access it with the user’s permissions.
• Windows shadow copies are typically deleted by ransomware.
Backup is the only hope for data recovery beyond paying the ransom.
• Review your backup configuration: is it adequate?
• One of your backup locations must be offsite/cloud.
• Restrict access to your network backup stores.
• Validate that backups are happening and can be restored.
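The last three bullets as an added PowerShell check (not code from the N-able deck): it confirms a fresh backup exists, that the account running it cannot write to the backup store (the deck's point that ransomware runs with the user's permissions), and that a random sample of backed-up files restores with matching SHA-256 hashes. It assumes a plain file-copy backup (for example a robocopy mirror) on a UNC share; the paths, age threshold and sample size are placeholders.

```powershell
# Added example (not from the N-able deck). Assumes a plain file-copy backup (e.g. a robocopy
# mirror) on a UNC share; the paths and thresholds below are placeholders to adapt.
param(
    [string]$BackupRoot = '\\backup-server\nightly\finance',   # placeholder
    [string]$SourceRoot = 'D:\Shares\finance',                 # placeholder
    [int]$MaxAgeHours   = 26,                                  # nightly job plus slack
    [int]$SampleSize    = 5
)
$result = [ordered]@{}

# 1. Is the backup happening? The newest file in the backup tree must be recent.
$newest = Get-ChildItem -LiteralPath $BackupRoot -Recurse -File |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
$ageHours = if ($newest) { ((Get-Date) - $newest.LastWriteTime).TotalHours } else { [double]::PositiveInfinity }
$result.NewestFileAgeHours = [math]::Round($ageHours, 1)
$result.BackupFresh        = $ageHours -le $MaxAgeHours

# 2. Can the account running this script write to the backup store? For an ordinary user the
#    answer must be "no": ransomware running as that user would encrypt the backups too.
$probe = Join-Path $BackupRoot ('write-probe-{0}.tmp' -f [guid]::NewGuid())
try {
    New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -LiteralPath $probe -Force
    $result.UserCanWriteBackup = $true     # finding: tighten share and NTFS permissions
} catch {
    $result.UserCanWriteBackup = $false
}

# 3. Can it be restored? Copy a random sample into a temp folder and compare SHA-256 hashes
#    with the live source. A mismatch is expected only if the source changed after the backup.
$tempDir = Join-Path $env:TEMP ('restore-test-' + [guid]::NewGuid())
New-Item -Path $tempDir -ItemType Directory | Out-Null
$mismatches = @()
foreach ($file in (Get-ChildItem -LiteralPath $BackupRoot -Recurse -File | Get-Random -Count $SampleSize)) {
    $relative = $file.FullName.Substring($BackupRoot.TrimEnd('\').Length).TrimStart('\')
    $restored = Join-Path $tempDir $relative
    New-Item -Path (Split-Path $restored) -ItemType Directory -Force | Out-Null
    Copy-Item -LiteralPath $file.FullName -Destination $restored
    $source = Join-Path $SourceRoot $relative
    if (-not (Test-Path -LiteralPath $source) -or
        (Get-FileHash -LiteralPath $restored).Hash -ne (Get-FileHash -LiteralPath $source).Hash) {
        $mismatches += $relative
    }
}
Remove-Item -LiteralPath $tempDir -Recurse -Force
$result.RestoreMismatches = $mismatches
$result.RestoreSampleOk   = ($mismatches.Count -eq 0)
[pscustomobject]$result
```

Run it as a standard user account, not as the backup service account, so the write probe tests the permissions ransomware would actually have.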
FIREWALL & NETWORK
QUICK TIPS
• Advanced technology can help combat this modern threat.
• Keeping workstations and servers segregated is good practice.
A strong firewall can be a significant preventative measure.
Deploy a next-generation firewall that:
• Will block threats based on a “threat feed”.
• Offers sandboxing.
• Can police user interactions with websites that are not whitelisted (i.e. a “proceed?” query).
VULNERABILITY ASSESSMENT
QUICK TIPS
• Understanding where you are vulnerable is key to impact mitigation.
• Restrict user access to critical data.
Know where your weak points are.
• Use a tool to frequently review your end-user access rights and open exploits.
• Identify recurring problem areas and address them.
• Consider assessing your customer’s organization and exploring data insurance with them.
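An added PowerShell example (not from the N-able deck) for the access-rights review above and for Step 2's point about restricting users from shares they do not need: it lists the non-administrative SMB shares on a file server that broad groups can modify, at both the share layer and the NTFS layer, since effective access is the intersection of the two. It assumes the SmbShare module (Windows 8 / Server 2012 and later) and the listed principal patterns; adjust those for your domain.

```powershell
# Added example (not from the N-able deck): report shares that broad groups can modify.
# Run on the file server. The principal patterns are assumptions; add your own broad groups.
param(
    [string[]]$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                                   'BUILTIN\Users', '*\Domain Users')
)

function Test-BroadPrincipal {
    param([string]$Account)
    foreach ($pattern in $BroadPrincipals) { if ($Account -like $pattern) { return $true } }
    return $false
}

$findings = foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {   # skip C$, ADMIN$, IPC$
    # Share-level permissions: Full or Change lets a user's process overwrite files.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and ($ace.AccessRight -in 'Full', 'Change') -and
            (Test-BroadPrincipal $ace.AccountName)) {
            [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'Share'
                               Principal = $ace.AccountName; Right = $ace.AccessRight }
        }
    }
    # NTFS permissions on the shared folder: a broad Modify/Write/FullControl here still
    # matters when the share itself is limited to Change, because many shares grant Change.
    foreach ($rule in (Get-Acl -LiteralPath $share.Path).Access) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.FileSystemRights.ToString() -match 'FullControl|Modify|Write' -and
            (Test-BroadPrincipal $rule.IdentityReference.Value)) {
            [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                               Principal = $rule.IdentityReference.Value; Right = $rule.FileSystemRights }
        }
    }
}

# Backup stores come first in the report: Step 2 and Step 5 both call for restricting them.
$findings |
    Sort-Object @{ Expression = { $_.Share -match 'backup|archive' }; Descending = $true }, Share |
    Format-Table -AutoSize
```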
Ransomware is not just one of many CYBERTHREATS. It’s a GROWING business.
Ransomware is an opportunity to EDUCATE & INFORM your users and supply the necessary SERVICES for business continuity.
HELP USERS HELP THEMSELVES
QUICK TIPS
• Remind and inform your users frequently.
• Consider running “red team” attacks; spoofing a ransomware attempt as a teaching tool.
Ransomware Rescue infographic variants available for download from SolarWinds N-able:
http://offers.n-able.com/ransomware/
• Created to educate your users.
• English and Custom versions available.
• Links to blogs and this webinar.
THANK YOU
The N-ABLE TECHNOLOGIES and N-CENTRAL marks are the exclusive property of N-able Technologies, ULC. and its affiliates, are registered with the U.S. Patent and Trademark Office andthe Canadian Intellectual Property Office, and may be registered or pending registration in other countries. All other N-able trademarks, service marks, and logos may be common law marks,registered or pending registration in the United States, Canada, or in other countries. All other trademarks mentioned herein are used for identification purposes only and may be or aretrademarks or registered trademarks of their respective companies.