Ransomware: Mitigation Through Preparation
Transcript of Ransomware: Mitigation Through Preparation
Presented by HOSTING and Zerto
PRIVATE AND CONFIDENTIAL 2
Housekeeping
• This webinar is being recorded and an on-demand version will be available at the same URL at the conclusion of the webinar
• Please submit questions via the button on the bottom left of the viewer. If we don’t get to your question during the webinar, we will follow up with you via email
• Download related resources via the “Attachments” button above the viewing panel
• On Twitter? Join the conversation: #ransomware @Zerto and @HOSTINGdotcom
Our Speakers:
• Ed Schaefer, Director of Cloud Services, HOSTING since [email protected], @schaeferej
• Donal Farrell, Cloud Architect, Zerto
Agenda
• The risk vector
• Securing & protecting best practices
• Current data protection & recovery solutions
• The Zerto revolution
• Recovering from the infection in minutes
• Hosting.com Demo
DRaaS at HOSTING
Cloud Replication Services since 2012
• Consultative DR plan development
• Guided Live and Test DR exercises
• Solutions for every use case
  – Daily Backups
  – Long term Backup storage
  – Continuous Replication
• Platform Native (Active Directory, SQL Server AlwaysOn)
• Zerto Virtual Replication
CRS with Site Recovery Manager
Why Zerto?
Ransomware Infections
Big In The News
A Global Problem - Worldwide infections
(World map of infection counts by region; the figures shown range from 1k+ and 5k+ through 50k+ up to 150k+.)
How Does it Work?
1. The victim is compromised by a phishing scam or exploit kit which downloads Cryptowall4 (NOV 15)
2. Binary is downloaded and executed
3. Injected into explorer.exe
4. Makes itself persistent: copies to %AppData% and a registry run key
5. Injects into svchost (main malware logic)
6. Downloads RSA public encryption key from C2 server
7. Files are encrypted with a random AES key from the C2 server
8. RSA key is used to encrypt that AES key
9. Displays the ransom note in 3 formats: png, text and HTML
(Diagram: a "Get keys" request to the C2 server answered with the "Public key"; an encrypted file is shown renamed to the random name 27p9k967z.x1nep.)
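The on-disk side effects of steps 7 to 9 are what a defender can look for on a file server: encrypted files whose bytes look uniformly random, random file names such as 27p9k967z.x1nep, and a ransom note dropped in png, text and HTML form side by side. The scanner below is an added illustration for this transcript, not CryptoWall's code and not part of the HOSTING/Zerto deck. It flags a directory only when both signals appear together, so a lone compressed archive does not trip it. The sample tree, the note base name `help_decrypt` and the entropy threshold are constructed assumptions; `os.urandom` stands in for ciphertext.

```python
"""Heuristic scan for the artifacts a CryptoWall-style infection leaves behind.

Added example (constructed for this transcript, not the deck's or CryptoWall's own code).
"""
import math
import os
import re
import tempfile
from collections import Counter

# Random-looking name: 6-12 char stem mixing letters and digits, short alphanumeric extension.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,12}\.[a-z0-9]{3,6}$")
# The slide names three note formats; the note's base name is assumed, real families vary it.
NOTE_EXTS = {".png", ".txt", ".html"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES ciphertext approaches 8.0, ordinary documents sit well below 6."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_directory(path: str, entropy_threshold: float = 7.5, min_suspect: int = 3) -> dict:
    """Return random-named high-entropy files, complete ransom-note triplets, and an alert flag."""
    suspect_files = []
    note_stems = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        stem, ext = os.path.splitext(name)
        if ext.lower() in NOTE_EXTS:
            note_stems.setdefault(stem, set()).add(ext.lower())
        if RANDOM_NAME.match(name):
            with open(full, "rb") as fh:
                head = fh.read(4096)  # the first 4 KiB is enough to judge randomness
            if shannon_entropy(head) >= entropy_threshold:
                suspect_files.append(name)
    notes = [stem for stem, exts in note_stems.items() if exts == NOTE_EXTS]
    return {
        "suspect_files": sorted(suspect_files),
        "note_sets": sorted(notes),
        "alert": len(suspect_files) >= min_suspect and bool(notes),
    }


def build_sample_tree(root: str) -> None:
    """Constructed sample: three 'encrypted' files, one clean document, one three-format note."""
    for name in ("27p9k967z.x1nep", "a8b2k41zq.q9xv", "z0p3m7rt.w2kz"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(os.urandom(4096))  # stand-in for AES ciphertext
    # Random-looking name but low entropy: must not be flagged.
    with open(os.path.join(root, "budget2016.txt"), "w") as fh:
        fh.write("Quarterly budget notes.\n" * 50)
    for ext in NOTE_EXTS:
        with open(os.path.join(root, "help_decrypt" + ext), "w") as fh:
            fh.write("Your files are encrypted.\n")


def demo() -> dict:
    """Scan a throwaway directory seeded with the constructed sample tree."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_directory(root)


if __name__ == "__main__":
    print(demo())
```

Run this from a scheduled task against the shares the "Honey trap & alerting" and "Audit file shares" recommendations later in the deck cover; a positive result is the trigger for the isolation and journal-based recovery the customer story describes, not a replacement for them.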
Can It Be Broken?
• Most ransomware uses extremely strong crypto
• Cryptowall 4 is not perfect… BUT
• If a strong firewall or IPS is able to intercept and block the CryptoWall 4 packets, the infection will not continue
• RSA key cannot be downloaded
• All security companies’ bottom line is “Have a good recovery strategy”
• 60% of attacks demanded over $1000
• 63% of attacks took more than a day to remediate
• Email is the most popular entry point
• 40% of attacks hit multiple endpoints
• 80% of US organizations hit
• 96% of US organizations NOT CONFIDENT IN RESTORE CAPABILITY
Google Search – “malwarebytes international study”
Stopping Infections
Recommendations
Users, IT Dept, External:
- Train users & IT
- Anti-virus/malware
- Restrict domain admins
- Change control
- Isolated external users
- Software restriction policies
Disks, Network:
- Audit file shares
- Audit permissions
- Apply read-only
- Firewall policies
- User VLANs
- Honey trap & alerting
Web, Email, USB, BYOD:
- Secure entry points
- Filter web traffic
- Scan email attachments
- Block USB devices
- Isolated BYOD
- No web access on VMs
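"Honey trap & alerting" on the Disks, Network list is the cheapest of these controls to put in place, and it is the one that shortens the time between infection and response: decoy files are seeded on a share where no user has a reason to touch them, a hash baseline is stored off the share, and a periodic check raises an alert the moment a decoy is modified, renamed or deleted. The monitor below is an added example written for this transcript, not code from HOSTING or Zerto. The share is a temporary directory, and the canary names, their content and the tampering routine are constructed for the demonstration.

```python
"""Honey trap & alerting for a file share: seed decoys, baseline them, check for tampering.

Added example (constructed for this transcript, not HOSTING's or Zerto's code).
"""
import hashlib
import os
import tempfile

# Constructed decoy names chosen to sort first and last in a directory listing,
# which is where an encryptor walking the share alphabetically hits them soonest.
CANARY_NAMES = ("00_canary_do_not_touch.docx", "zz_canary_archive.xlsx")


def sha256_file(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def seed_canaries(share: str) -> dict:
    """Write the decoys and return the baseline {name: sha256}; store it off the share."""
    baseline = {}
    for name in CANARY_NAMES:
        path = os.path.join(share, name)
        with open(path, "wb") as fh:
            fh.write(b"canary placeholder content: " + name.encode())
        baseline[name] = sha256_file(path)
    return baseline


def check_canaries(share: str, baseline: dict) -> list:
    """Compare the share against the baseline; return (event, name) alerts in baseline order."""
    alerts = []
    for name, digest in baseline.items():
        path = os.path.join(share, name)
        if not os.path.exists(path):
            alerts.append(("missing", name))   # deleted, or renamed as Cryptowall 4 does
        elif sha256_file(path) != digest:
            alerts.append(("modified", name))  # rewritten in place, e.g. encrypted
    return alerts


def tamper_with_canaries(share: str) -> None:
    """Constructed test tamper: overwrite one decoy with random bytes, rename the other."""
    first, second = CANARY_NAMES
    with open(os.path.join(share, first), "wb") as fh:
        fh.write(os.urandom(64))
    os.rename(os.path.join(share, second), os.path.join(share, "k3j9x2q.p7lm"))


def demo() -> tuple:
    """Return (alerts before tampering, alerts after tampering) for a throwaway share."""
    with tempfile.TemporaryDirectory() as share:
        baseline = seed_canaries(share)
        before = check_canaries(share, baseline)
        tamper_with_canaries(share)
        after = check_canaries(share, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

The canaries must stay writable by ordinary users, otherwise the "Apply read-only" recommendation would stop an infection from touching them and the trap never fires; the real data on the share is what read-only permissions protect. A hit feeds the response the customer story describes: isolate the PC, then recover from the journal.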
Typical Data Protection Solutions
(Timeline: Backup at 06:00; Snapshots at 09:00, 12:00, 15:00 and 18:00. Events landing between restore points: power interruption or hardware failure; Cryptolocker virus infection; file deletion, application or human error. Result = Data Loss & Downtime, with 24h+ and 4h+ windows shown.)
Zerto Virtual Replication
Minimize impact, re-wind and recover from any point in time
(Timeline from 00:00 to 18:00 covered by a 2 week Journal, with recovery points for Sites, Apps, Files and VMs; the figure also carries the label 4.5.)
How Zerto Revolutionized Disaster Recovery
Zerto Hypervisor Based Replication
Replication was in the wrong place – the physical layer
The first Enterprise-class, Software-Defined Replication & Recovery Automation solution
(Stack diagram with the layers Hypervisor, Security, Networking, Servers, Storage and Replication.)
How Zerto Works
• Virtual Replication Appliance (VRA): scale-out architecture, security hardened; compression, throttling, resilience
• VM-Level Replication: VM block-level changes; always-on replication, data loss = seconds; no snapshots, scheduling, impact, storage
• Management & Orchestration: 1 x Zerto Virtual Manager (ZVM) per vCenter/SCVMM; Windows VM, restrict ports
• Storage-agnostic replication: replica VM & compressed journal; journal 1 hour to 2 weeks max, 7-10% space
(Diagram: Prod Site with vCenter, VMs and a VRA per host, replicating over WAN/VPN to a DR Site with vCenter, VMs and VRAs; a ZVM at each site; replica vDisks and the Journal on the DR side.)
Enterprise Application Architectures
(Diagram: tiers of VMs behind a Firewall and Load Balancers: Web Servers, File Servers, Index Servers, Database Servers.)
Consistent Protection & Recovery
• Simple, scalable protection & recovery of VMs, not LUNs
• Recover multi-VM application stacks together
• Point in time recovery, write ordering & application consistency
• Prioritize replication, pre-seeding, reduce initial sync
• Support virtualization features: vMotion, svMotion, HA etc.
• LUN Consistency Group evolved = Virtual Protection Group
(Diagram: Production Site running Enterprise Applications (CRM, ERP, SQL, Oracle, SharePoint, Exchange), their VMs and vDisks grouped into VPGs; the CRM, SQL and ERP VPGs each report an RPO of seconds: 4, 9 and 6 seconds.)
Recovering From Cryptolocker In Minutes
Recovery Process:
1. Disaster Event!
2. Click Failover
3. Select Apps
4. Verify
5. Start Failover
Virtual Awareness and Integration
• Hypervisor integrated
• Real-time Dashboard
• Service level driven
• Role Based Access Control
• Single Solution for BC/DR
• REST API automation
• Ensure compliance
• DR Test Reporting
• Prove recovery capability
Recovering Individual Files & Folders in Minutes
Restore flow: Restore Request → Select VM → Select point in time → Select Files & Folders → Restore Anywhere
• What can be restored: file server data, application files, SQL databases, Oracle databases, Exchange databases
• Restore targets: browser download, instant-access on ZVM, mount network share
• Data restored from seconds before; disks mounted; no agent or impact
Proving Compliance and Removing Risk
Testing Regulations
• PCI
• ISO
• SOX
• HIPAA
• SEC
DEMO
Real-world Zerto Customer Story
Ransomware Infection:
• Real screenshot from end user PC
• Encrypted files on all user mapped shares with edit permissions
Response:
• PC was isolated from the network
• Used ZVR to recover files from minutes before
• No need to re-create files or accept data loss from using backup
• No ransom paid
• Impact minimized!
Zerto Feature Summary
Enterprise-Class Disaster Recovery Software
• Install in Minutes: simple, scalable software
• Click to Test, Failover, Migrate: RTO = minutes, prove compliance
• Journal Based Protection: reduce impact, recover & re-wind
• No Snapshots: always-on, RPO = seconds; consistency groupings
• Storage & Hypervisor Agnostic
• For On-Premise DR & DRaaS
• Hypervisor-based, Virtual Aware
• Powerful Data Protection & Recovery
• Strategic BC/DR Platform