Ransomware: Mitigation Through Preparation

Transcript of Ransomware: Mitigation Through Preparation

Page 1: Ransomware: Mitigation Through Preparation

Presented by HOSTING and Zerto

Page 2: Ransomware: Mitigation Through Preparation

PRIVATE AND CONFIDENTIAL 2

Housekeeping

• This webinar is being recorded and an on-demand version will be available at the same URL at the conclusion of the webinar
• Please submit questions via the button on the bottom left of the viewer. If we don't get to your question during the webinar, we will follow up with you via email
• Download related resources via the "Attachments" button above the viewing panel
• On Twitter? Join the conversation: #ransomware @Zerto and @HOSTINGdotcom

Page 3: Ransomware: Mitigation Through Preparation

Our Speakers:

Ed Schaefer, Director of Cloud Services, HOSTING since [email protected], @schaeferej

Donal Farrell, Cloud Architect, Zerto

Page 4: Ransomware: Mitigation Through Preparation

Agenda

• The risk vector
• Securing & protecting best practices
• Current data protection & recovery solutions
• The Zerto revolution
• Recovering from the infection in minutes
• Hosting.com Demo

Page 5: Ransomware: Mitigation Through Preparation

DRaaS at HOSTING

Cloud Replication Services since 2012

• Consultative DR plan development
• Guided Live and Test DR exercises
• Solutions for every use case
  – Daily Backups
  – Long term Backup storage
  – Continuous Replication
• Platform Native (Active Directory, SQL Server AlwaysOn)
• Zerto Virtual Replication

Page 6: Ransomware: Mitigation Through Preparation

CRS with Site Recovery Manager

Page 7: Ransomware: Mitigation Through Preparation

Why Zerto?

Page 8: Ransomware: Mitigation Through Preparation

Ransomware Infections

Page 9: Ransomware: Mitigation Through Preparation

Big In The News

Page 10: Ransomware: Mitigation Through Preparation

A Global Problem - Worldwide infections

(World map of infection counts by region, from 1k+ up to 150k+)

Page 11: Ransomware: Mitigation Through Preparation

How Does it Work?

1. The victim is compromised by a phishing scam or exploit kit which downloads CryptoWall 4 (Nov 2015)
2. Binary is downloaded and executed
3. Injected into explorer.exe
4. Makes itself persistent: copies to %AppData% and adds a registry Run key
5. Injects into svchost.exe (main malware logic)
6. Downloads an RSA public encryption key from the C2 server
7. Each file is encrypted with a randomly generated AES key
8. The RSA public key is used to encrypt that AES key, so only the attacker's RSA private key can recover it
9. Displays the ransom note in 3 formats: PNG, text and HTML

(Diagram: the infected host sends "Get keys" to the C2 server, which returns the public key; example of a renamed encrypted file: 27p9k967z.x1nep)

Page 12: Ransomware: Mitigation Through Preparation

Can It Be Broken?

• Most ransomware uses extremely strong crypto
• CryptoWall 4 is not perfect... BUT
• If a strong firewall or IPS is able to intercept and block the CryptoWall 4 packets (the C2 exchange in step 6 above), the infection will not continue: the RSA public key cannot be downloaded, so no file is encrypted
• Once the key has been fetched and files encrypted, the per-file AES keys are recoverable only with the attacker's RSA private key
• All security companies' bottom line is "Have a good recovery strategy"

Page 13: Ransomware: Mitigation Through Preparation

• 60% of attacks demanded over $1000
• 63% of attacks took more than a day to remediate
• Email is the most popular entry point
• 40% of attacks hit multiple endpoints
• 80% of US organizations hit
• 96% of US organizations NOT CONFIDENT IN RESTORE CAPABILITY

Source: Google Search – "malwarebytes international study"

Page 14: Ransomware: Mitigation Through Preparation

Stopping Infections

Recommendations

Users, IT Dept, External:
- Train users & IT
- Anti-virus/malware
- Restrict domain admins
- Change control
- Isolated external users
- Software restriction policies

Disks, Network:
- Audit file shares
- Audit permissions
- Apply read-only
- Firewall policies
- User VLANs
- Honey trap & alerting

Web, Email, USB, BYOD:
- Secure entry points
- Filter web traffic
- Scan email attachments
- Block USB devices
- Isolated BYOD
- No web access on VMs
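"Honey trap & alerting" and "Audit file shares" above are the cheapest detections on this slide. The following is an added example, not code from HOSTING or Zerto, of canary files seeded on a share and checked on a schedule. It assumes the share is reachable as a local directory path and that the file server's audit log can be read as (user, path, operation) tuples; both are constructed here for the demo, and in production the root would be the UNC path of each mapped share.

```python
"""Honey-trap canary files on a file share, with alerting.

Added example for this transcript; it is not code from HOSTING or Zerto.
Assumptions: the share is reachable as a local directory path, and the
file server's audit log can be read as (user, path, operation) tuples.
In production the root would be the UNC path of each mapped share and
check_canaries() would run every minute from a scheduled job.
"""
import hashlib
import os
import secrets
import tempfile

# Names that sort to the top of a listing: encryptors usually walk a share
# in directory order, so the decoys are hit before most real documents.
CANARY_NAMES = ("!00-accounts.xlsx", "!00-contracts.docx", "!00-passwords.txt")
WRITE_OPS = {"WRITE", "RENAME", "DELETE"}


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def seed_canaries(share_root, names=CANARY_NAMES):
    """Write decoys with random content; return {path: (size, sha256)}."""
    baseline = {}
    for name in names:
        path = os.path.join(share_root, name)
        with open(path, "wb") as f:
            f.write(secrets.token_bytes(4096))
        baseline[path] = (os.path.getsize(path), _sha256(path))
    return baseline


def check_canaries(baseline):
    """Return [(path, reason)] for every canary that no longer matches.
    Any change is an alert: nobody has a legitimate reason to edit a decoy."""
    alerts = []
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            # CryptoWall 4 renames the files it encrypts, so a vanished
            # canary is as significant as a rewritten one.
            alerts.append((path, "missing: deleted or renamed"))
        elif os.path.getsize(path) != size:
            alerts.append((path, "size changed: overwritten"))
        elif _sha256(path) != digest:
            alerts.append((path, "content changed: encrypted in place"))
    return alerts


def suspects_from_audit(alerts, audit_events):
    """Map alerts back to accounts using file-server audit events
    (user, path, op). The returned users are the accounts to disable first
    and their PCs the ones to pull off the network."""
    touched = {path for path, _ in alerts}
    return sorted({user for user, path, op in audit_events
                   if path in touched and op in WRITE_OPS})


def demo_share():
    """Seed a temporary share, simulate an encryptor, and return the clean
    check, the alerts and the suspects. Audit events are constructed."""
    share = tempfile.mkdtemp(prefix="share-")
    baseline = seed_canaries(share)
    clean = check_canaries(baseline)          # nothing touched yet: []

    paths = list(baseline)
    with open(paths[0], "wb") as f:           # encrypted in place, same size
        f.write(secrets.token_bytes(4096))
    os.rename(paths[1], paths[1] + ".x1nep")  # renamed, as CryptoWall 4 does
    # paths[2] is left untouched

    audit = [                                 # constructed audit log
        ("bob", paths[0], "READ"),            # reading a decoy is harmless
        ("alice", paths[0], "WRITE"),
        ("alice", paths[1], "RENAME"),
        ("carol", paths[2], "READ"),
    ]
    alerts = check_canaries(baseline)
    return {"clean": clean, "alerts": alerts,
            "suspects": suspects_from_audit(alerts, audit)}


if __name__ == "__main__":
    for key, value in demo_share().items():
        print(key, value)
```

Any change to a decoy is an alert, which is what makes this tunable-free: unlike a "files modified per minute" threshold there is no legitimate baseline to learn. The suspects list is the account to disable and the PC to isolate, which is the response described in the customer story later in this deck.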

Page 15: Ransomware: Mitigation Through Preparation

Typical Data Protection Solutions

(Timeline diagram, 06:00 to 18:00: a backup at 06:00 and snapshots at 12:00 and 18:00. A power interruption or hardware failure, a Cryptolocker virus infection, or file deletion, application or human error between two recovery points = data loss & downtime: 4h+ back to the last snapshot, 24h+ back to the last backup.)
Page 16: Ransomware: Mitigation Through Preparation

Zerto Virtual Replication

Minimize impact, re-wind and recover from any point in time

(Timeline diagram, 00:00 to 18:00: a 2-week journal of checkpoints allows re-wind to any point in time for sites, apps, VMs and files; Zerto Virtual Replication 4.5)
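The two timelines above differ only in how far back the last clean point is. As an added example (not HOSTING or Zerto code, and not tied to any product API), the following models the choice of recovery point for a daily backup, 6-hourly snapshots and a journal of 5-second checkpoints; the schedules and retention periods are constructed for the demo, and the infection onset is assumed to come from the timestamp of the first encrypted file (share audit log or canary alert), not from the time the ransom note was noticed.

```python
"""Picking the last clean recovery point after an infection.

Added example for this transcript; it is not HOSTING or Zerto code and
models the timeline slides with plain datetimes rather than any product
API. Schedules and retention periods below are constructed for the demo.
Assumption: `onset` is when the first file was encrypted (from share audit
logs or a canary alert), which can be long before anyone noticed.
"""
from datetime import datetime, timedelta


def latest_point_before(onset, interval, anchor, now, retention):
    """Latest recovery point strictly before `onset` on a schedule with one
    point every `interval` from `anchor` onwards, or None if no such point
    exists or it has already aged out of `retention` (measured from `now`).
    A point taken at the onset instant itself may already contain encrypted
    writes, so it does not count as clean."""
    if onset <= anchor:
        return None
    n = (onset - anchor) // interval
    point = anchor + n * interval
    if point >= onset:
        point -= interval
    if point < anchor or point < now - retention:
        return None
    return point


SCHEDULES = {
    # (interval, time of day of the first point, retention) -- constructed
    # Daily backup at 06:00, kept 90 days (slide: 24h+ loss)
    "daily backup": (timedelta(days=1), "06:00:00", timedelta(days=90)),
    # Snapshots every 6 hours (00:00, 06:00, 12:00, 18:00), kept 2 days
    "snapshot": (timedelta(hours=6), "00:00:00", timedelta(days=2)),
    # Journal checkpoint every 5 seconds, 2-week journal (slide maximum)
    "journal": (timedelta(seconds=5), "00:00:00", timedelta(days=14)),
}


def recovery_options(onset, now, schedules=SCHEDULES):
    """For each schedule return (clean_point, data_loss) with data_loss as
    a timedelta, or (None, None) when nothing usable remains."""
    result = {}
    # Anchor every schedule a year before onset; each schedule is periodic,
    # so any earlier day with the right time of day gives the same points.
    base = (onset - timedelta(days=365)).date()
    for name, (interval, tod, retention) in schedules.items():
        anchor = datetime.combine(base, datetime.strptime(tod, "%H:%M:%S").time())
        point = latest_point_before(onset, interval, anchor, now, retention)
        result[name] = (point, (onset - point) if point else None)
    return result


def demo_incidents():
    """Two constructed incidents. Fast detection: the journal loses seconds.
    Late detection of an infection 19 days old: the journal and snapshots
    have aged out and only the daily backup remains."""
    fast_onset = datetime(2016, 3, 10, 14, 23, 17)
    fast = recovery_options(fast_onset, fast_onset + timedelta(minutes=40))
    late_onset = datetime(2016, 2, 20, 9, 15, 0)
    late = recovery_options(late_onset, datetime(2016, 3, 10, 15, 0, 0))
    return fast, late


if __name__ == "__main__":
    for label, options in zip(("fast detection", "late detection"), demo_incidents()):
        print(label)
        for name, (point, loss) in options.items():
            print(f"  {name:13s} clean point={point}  data loss={loss}")
```

The second scenario is the caveat to "recover from any point in time": the journal is bounded by its retention (1 hour to 2 weeks max, per the How Zerto Works slide), so an infection discovered later than that leaves only the backup tier, which is why daily backups stay in the design alongside continuous replication.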

Page 17: Ransomware: Mitigation Through Preparation

How Zerto Revolutionized Disaster Recovery

Zerto Hypervisor Based Replication: replication was in the wrong place – the physical layer. The first enterprise-class, software-defined replication & recovery automation solution.

(Diagram of the stack: Hypervisor, Security, Networking, Servers, Storage, with Replication moved from the physical storage layer up into the hypervisor)

Page 18: Ransomware: Mitigation Through Preparation

How Zerto Works

(Diagram: a Prod Site and a DR Site, each with its own vCenter, VMs and a VRA on every host, connected over WAN/VPN, with a ZVM at each site)

• Virtual Replication Appliance (VRA): scale-out architecture, security hardened; compression, throttling, resilience
• VM-Level Replication: VM block-level changes; always-on replication, data loss = seconds; no snapshots, scheduling, impact or extra storage
• Management & Orchestration: 1 x Zerto Virtual Manager (ZVM) per vCenter/SCVMM; a Windows VM, so restrict its ports to what Zerto needs, since a Windows management VM is exposed to the same malware as the rest of the estate
• Storage-agnostic replication: replica VM & compressed journal on vDisks; journal 1 hour to 2 weeks max, 7-10% space

Page 19: Ransomware: Mitigation Through Preparation

Enterprise Application Architectures

(Diagram: a multi-tier application stack of VMs: firewall, load balancers, web servers, file servers, index servers, database servers)

Page 20: Ransomware: Mitigation Through Preparation

Consistent Protection & Recovery

• Simple, scalable protection & recovery of VMs, not LUNs
• Recover multi-VM application stacks together
• Point in time recovery, write ordering & application consistency
• Prioritize replication, pre-seeding, reduce initial sync
• Support virtualization features: vMotion, svMotion, HA etc
• LUN Consistency Group evolved = Virtual Protection Group

(Diagram: the enterprise applications at the production site – CRM, ERP, SQL, Oracle, SharePoint, Exchange – each grouped as a VPG of several VMs and vDisks, with each VPG showing an RPO of a few seconds: 4, 6 and 9 seconds in the diagram)

Page 21: Ransomware: Mitigation Through Preparation

Recovering From Cryptolocker In Minutes

Recovery Process: Disaster Event! → Click Failover → Select Apps → Verify → Start Failover

Page 22: Ransomware: Mitigation Through Preparation

Virtual Awareness and Integration

• Hypervisor integrated, real-time dashboard
• Service level driven
• Role Based Access Control
• Single solution for BC/DR
• REST API automation
• Ensure compliance: DR test reporting, prove recovery capability

Page 23: Ransomware: Mitigation Through Preparation

Recovering Individual Files & Folders in Minutes

Restore request: select VM → select point in time → disks mounted (instant-access on ZVM, no agent or impact) → select files & folders → restore anywhere (browser download or mount network share). Data restored from seconds before the infection.

Applies to file server data, application files, SQL databases, Oracle databases and Exchange databases.

Page 24: Ransomware: Mitigation Through Preparation

Proving Compliance and Removing Risk

Testing Regulations: PCI, ISO, SOX, HIPAA, SEC


Page 27: Ransomware: Mitigation Through Preparation

DEMO

Page 28: Ransomware: Mitigation Through Preparation

Real-world Zerto Customer Story

Ransomware Infection:
• Real screenshot from end user PC
• Encrypted files on all user mapped shares with edit permissions (the blast radius was exactly the set of shares that one account could write to)

Response:
• PC was isolated from the network
• Used ZVR to recover files from minutes before the infection
• No need to re-create files or accept data loss from using backup
• No ransom paid
• Impact minimized!

Page 29: Ransomware: Mitigation Through Preparation

Zerto Feature Summary

• Install in minutes: simple, scalable software
• Click to test, failover, migrate: RTO = minutes, prove compliance
• Journal based protection: reduce impact, recover & re-wind
• No snapshots: always-on, RPO = seconds, consistency groupings
• Storage & hypervisor agnostic
• For on-premise DR & DRaaS
• Enterprise-class disaster recovery software
• Hypervisor-based, virtual aware
• Powerful data protection & recovery
• Strategic BC/DR platform