
Ben Yarbrough Ransomware CEO - Calyptix Security

3/16/2015

Ransomware: How to avoid a crypto crisis at your IT business

Jerry Koutavas, President, The ASCII Group, Inc., [email protected]

Ben Yarbrough, CEO, Calyptix Security

#webclinic #calyptix

Today’s Agenda

1. Ransomware background
2. How to avoid a crypto crisis
3. About AccessEnforcer
4. Helpful resources

Ransomware Background

What is Ransomware?

• Extortion via software
• Restricts access to an infected computer system and demands a ransom payment to return access.
• Dates back to 1989 with the AIDS trojan
• AIDS hid folders, encrypted file names, and said a software license had expired. Fee of $189 to “renew” the license and unlock the computer

What is encrypting or “crypto” ransomware?

• Today’s primary ransomware threat
• Restricts access by encrypting a victim’s files. Demands a ransom to decrypt them
• Common examples:
– Cryptolocker, Critroni, CTB-locker


Cryptolocker

• Widely known variant of ransomware
• Rose to prominence in late 2013
• Defeated in June, 2014, in a joint effort by various government agencies and security firms
• Decryption keys now freely available for victims at www.decryptcryptolocker.com

Decryption is impossible

• Decrypting files is mathematically infeasible without a key
• After infection, the only hope is to restore from backup or pay the ransom
• Paying the ransom is a bad idea – it encourages the criminals

How does ransomware spread?

• Malicious email attachments
– Appears as notice for invoice, voicemail, shipment, etc.
– Affects corporate and personal email (Gmail, Yahoo!, etc.)
• Drive-by downloads
– Malicious websites infect victims via exploits for unpatched software

How does ransomware spread?

• Malvertising
– Online advertising used to spread malware
– Recent example included pages from Yahoo, AOL, The Atlantic, Match.com
• Removable drives
– Connecting an infected USB drive can spread some variants
– Includes mobile devices

Common scenario

• A “dropper” is installed on the victim’s machine
• The dropper downloads and installs the full malware package
• Malware searches the local machine and all mapped drives for targeted files.
• Files are encrypted using a strong algorithm.

Common scenario

• Victim is notified that the files are locked.
• Ransom is demanded, often from $100 to $600, to be paid in Bitcoins
• Instructions provided on how to acquire Bitcoins and pay


Common scenario

• Deadline given for ransom payment, often from 48 to 96 hours
• If ransom is not paid by deadline, the ransom will increase or the decryption key will be destroyed.

An evolving threat

• Hundreds of thousands of ransomware variations exist
• Some allow users to decrypt up to five files to “prove” decryption is possible.
• Victims can read payment instructions in multiple languages
• Ransoms jumped from $24 to $650 in some later versions

Where is it headed?

• RansomWeb – Hackers encrypt data stored on a web server and demand a ransom payment.

“The next step might well be the modern equivalent of protection rackets – threatening companies with being either taken offline or having their databases frozen unless they pay a regular fee.”
- Professor Alan Woodward, University of Surrey Department of Computing

Thousands of victims

• Cryptolocker made $30 million in 100 days, according to some estimates
• Ransoms paid by police departments, town halls, law offices, and businesses of all sizes

Thousands of victims

• The Law Offices of Paul Goodson, based in Charlotte, NC, lost every document on its main server
• Infected by a malicious email attachment. Email disguised as a voicemail notification.
• Attempted to pay $300 ransom but did not complete the transaction by deadline

Free marketing resource

• Show law firms the dangers of ransomware
• Includes three examples of attacked law firms
• We will send it to you after today’s presentation


How to avoid a crypto crisis

Educate users

• Suspicious emails
• Suspicious sites
• Software and network hygiene
• Segregate personal and business web use
• Explain the rationale of restricting business networks

Ransomware Is Bad

Patch, patch, patch

• Maintain the latest versions of your firewall, anti-virus, operating systems, applications, and other systems.
• Automatically update as new patches become available.

Filter spam and malicious email

• The top way ransomware spreads is by email attachment
• Some infections begin with a .scr file that arrives in a .zip or .cab email attachment
• Filter emails for content and attachments before they reach end users
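An added example, not part of the presentation, of the attachment check this slide calls for: it opens a .zip attachment in memory and refuses executables such as .scr inside it, and quarantines .cab archives it cannot inspect. The sample message and its file names are constructed for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Windows executable extensions that should never arrive inside a mail archive (slide names .scr).
BLOCKED_EXT = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def suffix(name: str) -> str:
    """Last extension of a file name, lower-cased ('report.pdf.scr' -> '.scr')."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def inspect_attachment(filename: str, payload: bytes) -> list:
    """Return the reasons to block one attachment; an empty list means allowed."""
    reasons, ext = [], suffix(filename)
    if ext in BLOCKED_EXT:
        reasons.append(f"executable attachment {filename}")
    elif ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():  # list members only, never extract
                    if suffix(member) in BLOCKED_EXT:
                        reasons.append(f"executable {member} inside {filename}")
        except zipfile.BadZipFile:
            reasons.append(f"unreadable zip {filename}")
    elif ext == ".cab":
        # stdlib cannot open .cab: quarantine instead of passing an uninspected archive through
        reasons.append(f"uninspectable archive {filename}")
    return reasons


def filter_message(raw: bytes) -> list:
    """Apply inspect_attachment to every attachment of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        reasons += inspect_attachment(part.get_filename() or "", part.get_payload(decode=True) or b"")
    return reasons


def build_sample() -> bytes:
    """Constructed lure like the slide describes: a voicemail notice with a .zip holding a .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("voicemail_0316.wav.scr", b"MZ placeholder bytes")  # harmless stub, not malware
    msg = EmailMessage()
    msg.set_content("You have a new voicemail. See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="voicemail.zip")
    return bytes(msg)
```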

Filter outbound traffic

• Control the websites users can access
• Block connections to malicious hosts
• Block IP range 146.185.220.0/23
– Range is associated with CryptoWall
• Enable intrusion prevention system (IPS)
– Default deny for all outbound traffic
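An added example, not from the presentation, of the two outbound rules on this slide applied to firewall log lines: connections into the 146.185.220.0/23 range are blocked outright, anything else is blocked unless its destination port is explicitly allowed (default deny), and the internal hosts that reached for the blocked range are reported so they can be isolated. The log format and the host and address values are constructed.

```python
import ipaddress
import re

# Range the slide associates with CryptoWall; kept as a list so more networks can be added.
BLOCKED_NETS = [ipaddress.ip_network("146.185.220.0/23")]
# Default deny for outbound traffic: a destination port must be listed here to be allowed.
ALLOWED_PORTS = {53, 80, 443}

# Constructed firewall log lines (not from any real device).
SAMPLE_LOG = [
    "Mar 16 09:12:01 fw outbound src=ws-12 dst=146.185.221.50 dport=80",
    "Mar 16 09:12:03 fw outbound src=ws-07 dst=203.0.113.10 dport=443",
    "Mar 16 09:12:05 fw outbound src=ws-12 dst=203.0.113.25 dport=6667",
    "Mar 16 09:12:06 fw noise line without the expected fields",
]
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def verdict(dst: str, dport: int) -> str:
    """Policy decision for one outbound connection attempt."""
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in BLOCKED_NETS):
        return "BLOCK:blocked-range"   # known-bad range, blocked regardless of port
    if dport not in ALLOWED_PORTS:
        return "BLOCK:default-deny"    # not explicitly permitted
    return "ALLOW"


def review_log(lines):
    """Return (per-line verdicts, sorted internal hosts that tried the blocked range).

    A host reaching for the CryptoWall range is a candidate for the
    'power off and unplug' response given later in the deck."""
    verdicts, suspects = [], set()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines without connection fields
        v = verdict(m["dst"], int(m["dport"]))
        verdicts.append((m["src"], m["dst"], v))
        if v == "BLOCK:blocked-range":
            suspects.add(m["src"])
    return verdicts, sorted(suspects)


if __name__ == "__main__":
    for src, dst, v in review_log(SAMPLE_LOG)[0]:
        print(f"{src} -> {dst}: {v}")
```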

Group policies for Windows

• Block ransomware from installing in its favorite directories
• Free resource: Cryptolocker Prevention Kit from Third Tier (link at end of presentation)


Limit access to network shares

• Ransomware checks all mapped drives (including network drives)
• Only the administrator and the backup service provider should access backup drives
• When mounting a backup for restore purposes, make sure the permissions are set to “read only”

Back up all files

• The only way to fully recover from infection is with a good backup
• Many businesses operate without backups, which can make ransomware infection a worst-case scenario
• Remember to test backups. They are only good if you can restore the data.

Additional tips

Install a reputable anti-virus solution such as Microsoft Security Essentials or Malwarebytes.

Do not allow user accounts to modify applications or the operating system (e.g. standard user)

Adjust web browser settings to prevent forced downloads

What if you are infected?

• Immediately power off the machine
• Unplug from the network
• Remove the hard drive and scan it with antivirus to remove infection.
• Do not power on the drive until it is cleaned

AccessEnforcer

Simple and powerful UTM firewall for small and medium business


AccessEnforcer

• Features include:
– Intrusion detection and prevention (IDS/IPS)
– Unlimited VPN
– Web filter
– Spam filter
– Multi-WAN
– Quality of service (QoS)
– Automatic updates
– GUI-based management
– Many more in the full features list

Simplest Reseller Program in the Industry

• The Breakthrough Program
– 30-day license for monthly service
– Includes every security feature
– Includes lifetime warranty
– Includes unlimited users
– Cancel without penalty
– No monthly or annual minimum

Simplest Reseller Program in the Industry

• Gives your IT business:
– Faster profits
– Fewer limitations and headaches
– Freedom from annual renewals

AccessEnforcer

[email protected]

Call to learn more about Calyptix reseller partnership: 704-971-8982

Helpful Resources

Calyptix Resources

• Marketing flyer for law firms (will send via email)
• Ransomware Prevention: 5 ways to avoid a crisis
– http://www.calyptix.com/malware/ransomware-prevention-5-ways-to-protect-your-business/
• Critroni Ransomware: Decryption not an option
– http://www.calyptix.com/malware/critroni-ransomware-decryption-not-an-option/
• AccessEnforcer: Full features list
– http://www.calyptix.com/wp-content/uploads/2014/09/AE-features-list.pdf


Additional Resources

• Cryptolocker Prevention Kit – Third Tier
– http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit/
• More ransomware resources from Third Tier
– http://www.thirdtier.net/?s=crypto

Questions?

Thank you!

[email protected]

Call to learn more about Calyptix reseller partnership: 704-971-8982