Ransomware today: How to protect against Locky and friends


1 Ransomware today: How to protect against Locky and friends

2 What we're going to cover
- Anatomy of a ransomware attack
- The latest ransomware to rear its ugly head: introducing Locky and its friends
- Practical steps to protect your organization from ransomware threats
- How Sophos can help, and solutions

3 Two main vectors of attack: SPAM (via social engineering) and exploit kits
SPAM (via social engineering):
- Seemingly plausible sender
- Has an attachment, e.g. invoice, parcel delivery note
- The attachment contains an embedded macro
- When the attachment is opened the macro downloads and then executes the ransomware payload
- Used by Locky, TorrentLocker, CTB-Locker

Exploit kits:
- Black market tools used to easily create attacks that exploit known or unknown (zero-day) vulnerabilities
- Client-side vulnerabilities, usually targeting the web browser
- Used by Angler, CryptoWall, TeslaCrypt, CrypVault, ThreatFinder

4 Anatomy of a ransomware attack

5 Anatomy of a ransomware attack
1. Installation via an exploit kit or spam with an infected attachment. Once installed, the ransomware modifies the registry keys.
2. Contact with the command & control server of the attacker. The ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer.
3. Encryption of assets. Certain files are then encrypted on the local computer and on all accessible network drives with this public key. Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery.
4. Ransom demand. A message appears on the user's desktop, explaining how a ransom (often in the form of bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key that only the attacker's system has access to.
5. And gone. The ransomware will then delete itself, leaving just the encrypted files and ransom notes behind.
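The encryption step is what behaviour-based ransomware detection keys on: a single process rewriting many files in quick succession with ciphertext-like (high-entropy) content, which is the "rapid encryption event" a tool in the CryptoGuard class reports. The following is an added example for this transcript, not code from the presentation or from any Sophos product. It models that check over a constructed stream of file-write events; the event format, the thresholds (8 distinct files within 10 seconds, content entropy above 7 bits per byte) and the process names are assumptions chosen for illustration.

```python
"""Rapid-encryption detector over a stream of file-write events (illustrative, constructed data)."""
import math
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class WriteEvent:
    ts: float       # seconds since monitoring started (assumed event format)
    process: str    # image name of the writing process
    path: str       # file being rewritten
    data: bytes     # bytes written; in practice the first block of the write is enough


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Plain text sits around 4-5; encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class RapidEncryptionDetector:
    """Alert when one process rewrites many distinct files with high-entropy content inside a short window."""

    def __init__(self, window_s: float = 10.0, max_files: int = 8, min_entropy: float = 7.0):
        self.window_s = window_s          # sliding window length (assumed threshold)
        self.max_files = max_files        # distinct files rewritten within the window (assumed threshold)
        self.min_entropy = min_entropy    # only count writes that look like ciphertext
        self._recent = defaultdict(deque) # process -> deque of (ts, path) high-entropy writes
        self.alerted = set()              # processes already reported, to avoid repeat alerts

    def observe(self, ev: WriteEvent) -> bool:
        """Feed one event; return True the first time ev.process crosses the threshold."""
        if shannon_entropy(ev.data) < self.min_entropy:
            return False                  # low-entropy content: a normal save, not encryption
        q = self._recent[ev.process]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > self.window_s:
            q.popleft()                   # drop writes that fell out of the window
        distinct = {p for _, p in q}
        if len(distinct) >= self.max_files and ev.process not in self.alerted:
            self.alerted.add(ev.process)
            return True
        return False


def constructed_events() -> list:
    """Constructed sample: a word processor saving text, then a dropped executable encrypting documents."""
    rng = random.Random(1)  # deterministic pseudo-random bytes stand in for ciphertext
    events = []
    for i in range(12):     # benign: many saves, but low-entropy content
        events.append(WriteEvent(i * 0.5, "WINWORD.EXE",
                                 f"C:/Users/alice/Documents/report{i}.docx",
                                 b"Quarterly report text " * 200))
    for i in range(10):     # malicious: ten files rewritten with random-looking bytes in three seconds
        events.append(WriteEvent(20 + i * 0.3, "invoice_2016.exe",
                                 f"C:/Users/alice/Documents/file{i}.docx",
                                 rng.randbytes(4096)))
    return events


def run_detector(events=None) -> list:
    """Replay events in time order; return (process, timestamp) for each alert raised."""
    det = RapidEncryptionDetector()
    alerts = []
    for ev in sorted(events or constructed_events(), key=lambda e: e.ts):
        if det.observe(ev):
            alerts.append((ev.process, ev.ts))
    return alerts


if __name__ == "__main__":
    for process, ts in run_detector():
        print(f"ALERT t={ts:.1f}s: {process} is rapidly rewriting files with ciphertext-like content")
```

The benign editor saves just as many files as the malicious process, so a rate-only rule would fire on both; combining rate with content entropy is what separates them. A production detector would also watch for renames to a common extension and keep copies of the first few rewritten files so they can be rolled back.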

6 Ransom demands

7 Common ransomware: Locky and friends

8 Chain of infection for the Angler exploit kit
1. The victim accesses a compromised web server through a vulnerable browser.
2. The compromised web server redirects the connection to an intermediary server.
3. In turn, the intermediary server redirects the connection to the attacker's server, which hosts the landing page of the exploit kit.
4. The landing page looks for vulnerable plug-ins (Java, Flash, Silverlight) and their version numbers.
5. If a vulnerable browser or plug-in is detected, the exploit kit releases its payload and infects the system.
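Seen from a web proxy, the chain above leaves a trail: the plug-in payload is fetched from a host the user never typed, reached through a Referer chain that passes through an intermediary. The following is an added example, not code from the presentation, showing how a defender can reconstruct such chains from proxy logs and flag plug-in content (Flash, Java, Silverlight) loaded at the end of a multi-host redirect chain from a host outside a known-good list. The log format, the hostnames (all under .test) and the known-good list are constructed for the example.

```python
"""Flag plug-in payloads that arrive at the end of a multi-host referer chain (constructed proxy log)."""
import re
from urllib.parse import urlparse

# MIME types served to browser plug-ins that the exploit-kit landing page probes for
PLUGIN_TYPES = {
    "application/x-shockwave-flash",   # Flash
    "application/java-archive",        # Java
    "application/x-silverlight-app",   # Silverlight
}

# Hosts this organisation expects to serve plug-in content (assumed allow-list)
KNOWN_GOOD = {"www.example-news.test", "cdn.example-news.test"}

# Assumed log layout: time client url status content-type referer ('-' when absent)
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+) (?P<referer>\S+)$")

# Constructed sample: a news article, a benign player.swf from the site's own CDN, and a
# compromised-site -> relay -> landing-page -> plugin.swf chain like the one on the slide.
SAMPLE_PROXY_LOG = """\
10:00:01 10.0.0.5 http://www.example-news.test/article.html 200 text/html -
10:00:01 10.0.0.5 http://cdn.example-news.test/style.css 200 text/css http://www.example-news.test/article.html
10:00:02 10.0.0.5 http://ads-relay.example.test/go.php?id=77 302 text/html http://www.example-news.test/article.html
10:00:02 10.0.0.5 http://qx7-landing.example.test/index.php 200 text/html http://ads-relay.example.test/go.php?id=77
10:00:03 10.0.0.5 http://qx7-landing.example.test/plugin.swf 200 application/x-shockwave-flash http://qx7-landing.example.test/index.php
10:00:05 10.0.0.5 http://cdn.example-news.test/player.swf 200 application/x-shockwave-flash http://www.example-news.test/article.html
"""


def parse_log(text: str):
    """Return (records in order, last record seen per URL) so referers can be resolved."""
    records, by_url = [], {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue              # skip lines that do not match the assumed layout
        rec = m.groupdict()
        records.append(rec)
        by_url[rec["url"]] = rec
    return records, by_url


def referer_chain(rec: dict, by_url: dict, max_hops: int = 8) -> list:
    """Walk Referer headers backwards from rec; returns URLs from payload to origin."""
    chain, seen = [rec["url"]], {rec["url"]}
    cur = rec
    while cur["referer"] != "-" and cur["referer"] in by_url and len(chain) < max_hops:
        nxt = by_url[cur["referer"]]
        if nxt["url"] in seen:
            break                 # guard against referer loops
        chain.append(nxt["url"])
        seen.add(nxt["url"])
        cur = nxt
    return chain


def find_suspicious_plugin_loads(text: str, min_hosts: int = 3) -> list:
    """Plug-in content from a non-allow-listed host reached via at least min_hosts distinct hosts."""
    records, by_url = parse_log(text)
    findings = []
    for rec in records:
        if rec["ctype"] not in PLUGIN_TYPES:
            continue
        if urlparse(rec["url"]).hostname in KNOWN_GOOD:
            continue              # the site's own player is expected
        hosts = []
        for url in referer_chain(rec, by_url):
            host = urlparse(url).hostname
            if host not in hosts:
                hosts.append(host)
        if len(hosts) >= min_hosts:
            findings.append({"client": rec["client"], "payload": rec["url"], "hosts": hosts})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_plugin_loads(SAMPLE_PROXY_LOG):
        print(f"{f['client']} loaded {f['payload']} via {' <- '.join(f['hosts'])}")
```

The benign player.swf is excluded twice over: its host is on the allow-list and its chain spans only two hosts. Real landing pages rotate hostnames constantly, which is why the rule keys on the shape of the chain rather than on a particular domain; the allow-list exists only to cut noise from first-party plug-in content.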

9 Practical steps to protect against ransomware

10 Best practices – do this NOW!
Summary:
- Backup regularly and keep a recent backup copy off-site.
- Don't enable macros in document attachments received via email.
- Be cautious about unsolicited attachments.
- Don't give yourself more login power than you need.
- Consider installing the Microsoft Office viewers.
- Patch early, patch often.
- Configure your security products correctly.

Backup regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won't have to worry about the backup device falling into the wrong hands.

Don't enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don't do it!

Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn't open a document until you are sure it's one you want, but you can't tell if it's one you want until you open it. If in doubt, leave it out.

Don't give yourself more login power than you need. Most importantly, don't stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other "regular work" activities while you have administrator rights.

Consider installing the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn't support macros at all, so you can't enable macros by mistake!

Patch early, patch often. Malware that doesn't come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.

Configure your security products correctly. To work effectively they need to be configured correctly. Sophos customers should check out the 'How to stay protected against ransomware' whitepaper, which includes, amongst other good advice, optimal configuration settings for Sophos solutions.

11 Security solution requirements
As a minimum you should:
- Deploy antivirus protection
- Block spam
- Use a sandboxing solution
- Block risky file extensions (JavaScript, VBScript, CHM etc.)
- Handle password-protected archive files
- Use URL filtering (block access to C&C servers)
- Use HTTPS filtering
- Use HIPS (host intrusion prevention system)
- Activate your client firewalls
- Use a whitelisting solution
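Two of the controls on this slide (blocking risky attachment extensions, handling password-protected archives) and the macro-laden attachment described on slide 3 can be checked by the same mail-gateway triage step. The following is an added example, not code from the presentation or from any Sophos product, that inspects an attachment by name and content: it flags blocked and double extensions, opens ZIP archives to triage their members, reports members whose ZIP encryption flag is set (the gateway cannot scan those), and detects the vbaProject.bin part that marks a macro-enabled Office Open XML document. The extension lists, the sample attachments and the zip-flag helper are constructed for the example; legacy binary .doc/.xls files are only recognised, not parsed, because that needs an OLE-aware parser.

```python
"""Mail-gateway attachment triage: extensions, archives, and Office macros (constructed samples)."""
import io
import zipfile

# Script/executable extensions to block outright (assumed policy list)
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".chm", ".hta",
                    ".exe", ".scr", ".pif", ".cmd", ".bat", ".ps1"}
# Office Open XML containers; a vbaProject.bin part inside means the file carries VBA
OOXML_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (.doc/.xls) signature


def extensions(name: str) -> list:
    """All dotted suffixes of a filename, lower-cased, so 'invoice.pdf.js' -> ['.pdf', '.js']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def ooxml_has_macros(data: bytes) -> bool:
    """True if the OOXML container holds a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return a list of reasons to hold the attachment; an empty list means nothing was found."""
    reasons = []
    exts = extensions(name)
    final = exts[-1] if exts else ""
    if final in RISKY_EXTENSIONS:
        reasons.append(("double extension " + "".join(exts)) if len(exts) > 1
                       else f"blocked extension {final}")
    if final in OOXML_EXTENSIONS and ooxml_has_macros(data):
        reasons.append("contains VBA project (macro)")
    if data[:8] == OLE_MAGIC:
        reasons.append("legacy binary Office file; macro check needs an OLE parser")
    if final == ".zip" and depth < 2:              # recurse one level into archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    if info.flag_bits & 0x1:       # bit 0 of the general-purpose flag: encrypted
                        reasons.append(f"password-protected archive member {info.filename}")
                        continue
                    for r in triage_attachment(info.filename, z.read(info), depth + 1):
                        reasons.append(f"archive member {info.filename}: {r}")
        except zipfile.BadZipFile:
            reasons.append("malformed zip")
    return reasons


def _zip_with(members: dict) -> bytes:
    """Build an in-memory ZIP (stored, not compressed) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, d in members.items():
            z.writestr(n, d)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag bit in every local (offset 6) and central (offset 8) header.
    Only for building the constructed sample; zipfile cannot write encrypted archives itself."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + off] |= 0x01
            i = buf.find(sig, i + 4)
    return bytes(buf)


def constructed_samples() -> dict:
    """Constructed attachments: clean docx, macro docm, double extension, script in zip, encrypted zip."""
    ooxml_clean = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}
    ooxml_macro = dict(ooxml_clean, **{"word/vbaProject.bin": b"\x00" * 16})
    return {
        "report.docx": _zip_with(ooxml_clean),
        "invoice.docm": _zip_with(ooxml_macro),
        "parcel_note.pdf.js": b"var x = 1;",
        "scan.zip": _zip_with({"scan.js": b"var y = 2;"}),
        "secure.zip": _mark_encrypted(_zip_with({"doc.pdf": b"%PDF-1.4"})),
        "notes.txt": b"plain text",
    }


def triage_all(samples=None) -> dict:
    """Triage every sample; returns {attachment name: [reasons]}."""
    return {n: triage_attachment(n, d) for n, d in (samples or constructed_samples()).items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(f"{name}: {'HOLD ' + '; '.join(reasons) if reasons else 'pass'}")
```

Checking every suffix rather than only the last one is what catches the "invoice.pdf.js" pattern; checking the ZIP flag bit rather than attempting extraction is what lets the gateway recognise an archive it cannot look inside and route it to a quarantine or a user-confirmation step.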

12 Turn On Base Line Security
If you manage Sophos Endpoint Security and Control via Sophos Enterprise Console, ensure that the following settings have been made in the AV policy of terminal servers (please get Sophos Enterprise Console updated to SEC5.4, and the endpoint updated as well):
- On-access scan: on
- Scan system memory: on
- Download scans: on
- Block access to malicious websites: on
- Sophos Live Protection: on
- Behavior monitoring: on
- Detect malicious behavior: on

All Sophos Endpoint customers should also use the Application Control feature to protect against outside-the-browser script malware by blocking the Windows Script Host programs WScript.exe and CScript.exe:
- Application type: Programming/Scripting tools
- Microsoft WSH CScript: block
- Microsoft WSH WScript: block

13 How Sophos can help

14 Complete protection: Enduser and Network
Network (Sophos Central):
- Secure the Perimeter (Next-Gen Firewall/UTM): ultimate enterprise firewall performance, security, and control.
- Secure the Web (Web Security): advanced protection, control, and insights that are effective, affordable, and easy.
- Secure the Email (Email Security): email threats and phishing attacks don't stand a chance.
- Secure the Wireless (Wireless Security): simple, secure Wi-Fi connection.
Enduser (Sophos Central):
- Secure the Endpoint, PC/Mac (Next-Gen Endpoint Protection): next-gen endpoint security to prevent, detect, investigate and remediate.
- Secure the Mobile Device (Mobile Control): secure smartphones and tablets just like any other endpoint.
- Protect the Data (SafeGuard Encryption): simple-to-use encryption for a highly effective last line of defense against data loss.
- Secure the Servers (Server Security): protection optimized for server environments (physical or virtual): fast, effective, controlled.

15 Security as a System: Next Gen Enduser Security and Next Gen Network Security
- Security must be comprehensive: the capabilities required to fully satisfy customer need.
- Security is more effective as a system: new possibilities through technology cooperation.
- Security can be made simple: platform, deployment, licensing, user experience.
- Synchronized Security (Security Heartbeat): integrated, context-aware security where Enduser and Network technology share meaningful information to deliver better protection.
Slide diagram: Sophos Cloud, Next Gen Enduser Security and Next Gen Network Security connected by the heartbeat, backed by SophosLabs.

16 Individual attacks vs. core techniques
- New software vulnerabilities and exploits each year: 1,000's. Exploitation techniques: maybe 1 new exploit technique each year; only ~20 techniques exist!
- New malware each year: 100,000,000+. Malware techniques: 10's of new malware sub-techniques every year.

17 Malicious Traffic Detection
Slide diagram of the Sophos System Protector. SophosLabs feeds: URL database, malware identities, data control, anonymous proxies, patches/vulnerabilities, peripheral types, whitelist, file look-up, genotypes, reputation, HIPS rules, MTD rules, apps, spam. Endpoint components: Application Tracking, Threat Engine, Application Control, Emulator, Device Control, Web Protection, IoC Collector, Live Protection, Security Heartbeat, HIPS/Runtime Protection, Reputation, Malicious Traffic Detection. Flow shown: malicious traffic detected, then the application is interrupted and the administrator alerted, with the compromise reported by user, system and file.

18 Advanced Threat Defense Made Simple
Sophos Sandstorm: Advanced Threat Defense Made Simple. How Sophos Sandstorm works:
1. If the file has known malware it's blocked immediately.
2. If it's otherwise suspicious, and hasn't been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait.
3. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour.
4. A decision to allow or block the file will be sent to the security solution once the analysis is complete.
5. A detailed report is provided for each file analyzed.
Available with: Secure Web Gateway, Secure Unified Threat Management, Next-Gen Firewall.

19 Email Sandboxing Effectiveness & Cost

20 Today: Anti-Hacking, Anti-Malware, Sophos Clean, Next-Gen Encryption
Slide diagram of the endpoint feature map across Prevent / Detect / Remediate (Traditional and Next-Gen). Labels on the slide: Crowd Sourced Download Reputation, Malicious Traffic Detection, Trusted Application Encryption Key*, Application Lockdown, Synchronized Security, Auto Encryption Key Revoke/Restore*, Encryption Delivery Whitelist, Behavior Collaborate*, Posture; stages Exposure, Emulation, Execute, Exploit, Behavior, Monitor, Remediate, Posture; Device Control, App Control, Web Protect, Web Control, On Device Emulation, File Heuristics, Signatures, HIPS, Buffer Overflow Detection, Application Behavior Monitoring, Data Loss Prevention, Malware Quarantine, Malware Removal, Security Posture Assessment (SEC), Malware Forensics, Sophos Clean.
* Requires additional Synchronized Security product SGN8.0 or XG Firewall

21 Sophos Clean: Advanced Malware Cleanup, available NOW
New product offering:
- Available as a standalone product
- Works with Sophos Endpoint Standard and Advanced
Core features:
- Advanced malware removal
- Forensic evaluation of malware
- Malicious behavior identification
- Provides a full list of indicators of compromise for detected malware
- Malicious components explained
- Allows quarantine/removal
- Works with 3rd-party AV products

22 Advanced Exploit Prevention
Slide diagram of the Next-Gen Anti-Hacking feature map (Project Spectrum). Labels on the slide: Root Cause Analysis, Threat Chain Review, At Risk Assets, Investigate, Manage, Simple Case Management, Advanced Exploit Prevention, Exploit, CryptoGuard, Recommended Actions, Malware Forensics, Crowd Sourced Download Reputation, Malicious Traffic Detection, Trusted Application Encryption Key*, Application Lockdown, Synchronized Security, Auto Encryption Key Revoke/Restore, Encryption Delivery Whitelist, Behavior Collaborate, Posture; stages Prevent, Detect, Remediate; Exposure, Emulation, Execute, Exploit, Behavior, Monitor, Remediate, Posture; Traditional: Device Control, App Control, Web Protect, Web Control, On Device Emulation, File Heuristics, Signatures, HIPS, Buffer Overflow Detection, Application Behavior Monitoring, Data Loss Prevention, Malware Quarantine, Malware Removal, Security Posture Assessment (SEC).

23 Endpoint Detection and Remediation
New product offering:
- Standalone or bundled with Sophos Endpoint Advanced
- Windows OS; Mac support under development
Core features:
- Signatureless protection: Exploit Protection, Malicious Traffic Detection, Synchronized Security
- CryptoGuard: prevent ransomware file encryption
- Incident Response: root cause attribution, at-risk asset identification, process threat chain visualization, full list of indicators of compromise, recommended remediation action
- Sophos Clean: advanced malware forensics and removal

24 ...and yes, we also create an RCA chain for review. Here you see the chain, with us recording that one of the processes in the attack chain read the contents of the My Documents folder. To learn more, go see Russ's session... it ROCKS.

25 Next Steps: Spectrum Early Access, May/June 2016
Components: Sophos Clean, Exploit Protection, CryptoGuard, Incident Response.
How do I sign up?
- First, contact your sales rep.
- Once invited, from the Sophos Central Admin Dashboard, simply subscribe to Beta/Early Access.
What do I get?
- Monthly program update calls
- Forum with Sophos Engineering
- Provide direct input for future features
- Provide user experience design feedback
CryptoGuard, simple and comprehensive:
- Universally prevents spontaneous encryption of data
- Notifies the end user on rapid encryption events
- Rollback to pre-encrypted state

26 How Sophos protects on the endpoint: beyond signature-based protection
Prevent / Detect / Remediate:
- Exposure Prevention: web protection, web and app control, download reputation, device control
- Execution Prevention: file analytics, heuristic evaluation, on-device emulation, signature checking
- Runtime Detection: runtime behavior, exploit detection, data loss prevention, Synchronized Security
- Incident Response: malware removal, malware quarantine
Malware capture rate by model area (chart): each model stand-alone is 80-95% effective; chart values shown: 80%, 15%, 5%.
Threat Intelligence (SophosLabs: big data, automation, leveraged expertise):
- Runtime lookups and automated updates
- 24/7 threat monitoring and model curation
- Champion/Challenger model testing
- Automated efficacy, efficiency and false-positive testing prior to publishing
- Driven by data science plus threat analyst expertise

27 Sophos Next-Gen Protection Applied to the Threat Lifecycle
Lifecycle stages: Exposure, Exploit, Delivery, Persistence, C&C, Actions on Objectives.
Controls mapped across the stages: Device Control, Bad USB, Reputation, Application Lockdown, Sandboxing, Emulation, Dynamic File Heuristics, Behavior Analytics, Synchronized Security, Network Lockdown, Safe Web Surfing, Patch Assessment, Static File Heuristics, Malware Removal, Encryption Key Shredding, Malicious Traffic Detection.
Summary groupings: Threat Analysis, Device Exposure Prevention, Web Exposure Prevention, Pre-execution Detection, Runtime Detection, Remediation, Encryption and Data Protection.
Speaker notes: OMG do I have to... Saving this one for last... Objective, Talking Points, Conclusion.

28 Questions?

29 Thank You

