How to Help Your Customers Protect Themselves from Ransomware Attacks

© 2016 N-able Technologies, ULC. All rights reserved. RANSOMWARE 5 STEPS TO PROTECTING YOUR CUSTOMERS’ DATA

Upload: solarwinds-n-able

Post on 15-Apr-2017


Page 1: How to Help Your Customers Protect Themselves from Ransomware Attacks


RANSOMWARE

5 STEPS TO PROTECTING YOUR CUSTOMERS’ DATA

Page 2: How to Help Your Customers Protect Themselves from Ransomware Attacks

WHAT IS RANSOMWARE?

A software-based attack on your network with the goal of extortion.

Page 3: How to Help Your Customers Protect Themselves from Ransomware Attacks

HOW DOES RANSOMWARE SPREAD?

Ransomware is typically delivered through an exploit kit or phishing attack.

Page 4: How to Help Your Customers Protect Themselves from Ransomware Attacks

WHAT IS AN EXPLOIT KIT?

Code created to take advantage of an unpatched or unknown system vulnerability.

Example: Windows® OS, JavaScript® or Adobe Reader®

Page 5: How to Help Your Customers Protect Themselves from Ransomware Attacks

WHAT IS PHISHING?

Masquerading as a trustworthy entity in an electronic communication with malicious intent.

Example: Attachments to email. Embedded links.

Page 6: How to Help Your Customers Protect Themselves from Ransomware Attacks

THREE RANSOMWARE VARIANTS

“COP” OR “LOCKER”

• Generally acquired from browsing something “naughty”; infects through JavaScript or Adobe Flash® vulnerabilities. Prevents access to your underlying system without encryption.
• Appears to be from a federal agency and requests you pay a “fine” to compensate for your “illegal activity”.

CRYPTOGRAPHIC

• Generally acquired from phishing attacks. Encrypts data on your system and shares, preventing access. Demands a “fee” to unlock.
• Locked out of your data until you pay the ransom.
• E.g. “Cryptolocker” & “Locky”

“HOSTAGE” (NEW)

• Generally acquired from phishing attacks, same underlying concept as cryptographic.
• Steals browser, chat history and contact lists, records video & audio. May threaten to send this info to your contacts if a “fee” is not paid.
• E.g. “Crysis” & “Jigsaw”.

Page 7: How to Help Your Customers Protect Themselves from Ransomware Attacks

THE PROGRESSION OF RANSOMWARE

1989: “Aids” Trojan on floppy disk asks for $189 to unlock a file

2006: Gpcode, Archiveus, Krotten, Cryzip, TROJ.RNSOM.A, and MayArchive lock systems with RSA encryption algorithms

2012: “Reveton” informs users they have downloaded illegal material and must pay a “fine”

2013: “Cryptolocker” appears using nearly unbreakable encryption, hard to detect trojans and ultimately includes use of TOR network for anonymity.

2014: “CryptoWall” infects through website advertisements

2015: “Chimera” encrypts files and threatens to publish them online if ransom is not paid

2015: “CryptoWall” 3.0 and 4.0 add new layers to their encryption and come packaged in exploit kits

2016: “Locky” encrypts all files with a .locky extension and demands fee to unlock

2016: RaaS (Ransomware as a Service) becomes possible, paving the way for prolific growth.

Page 8: How to Help Your Customers Protect Themselves from Ransomware Attacks

WHEN IS RANSOMWARE SUCCESSFUL?

To be considered successful, an attack must:

1. Take control of a system or device.
2. Prevent access to the device and its data to some degree.
3. Inform the user that the device is being held for ransom along with a price and a method of payment.
4. Accept payment from the user.
5. Return full access to the device once payment is received.*

*This does not always happen unfortunately.

Page 9: How to Help Your Customers Protect Themselves from Ransomware Attacks

WHAT A COMPROMISED DEVICE LOOKS LIKE

All shapes and sizes:

1. Desktop background
2. Popup window

Demands:

1. Pay a small “fine” to regain access.
2. Pay a “fee” or lose your data.
3. Pay an increasing “fee” as time elapses.
4. Pay a “fee” or increments of your data are destroyed over time.
5. Pay a “fee” or your personal information is released to the public or contact list.

Page 10: How to Help Your Customers Protect Themselves from Ransomware Attacks

PROGRESSION OF A RANSOMWARE ATTACK

1. The ransomware trojan package is executed.
   • Few operating systems are safe. Many current ransomware variants will work on Windows, OS X and Linux® systems.

2. The trojan reaches out to one of many cloud servers to download its main payload (commonly on the .TOR network, aka the “Dark web”).

3. Using the logged in user account, the trojan deletes itself, and the payload begins to install and encrypt your files using military grade encoding. Locations and files that are often targeted include:
   • Locally stored office documents, image files, video files etc.
   • Network shares the user has access to.
   • Connected external drives such as USB thumb drives.
   • Cloud storage that the user has write access to such as Dropbox®.

4. Volume Snapshot Services (VSS) or “Shadow Copies” are commonly deleted.

5. Wallpaper or screen overlay appears that alerts the user to the encryption and instructs them to pay a “fine” or “fee”, often via BitCoin® - a virtually untraceable online currency. Fees vary considerably.

6. Once paid, a public decryption key is returned and often data is restored.

Page 11: How to Help Your Customers Protect Themselves from Ransomware Attacks

5 STEPS TO PROTECTING YOUR CUSTOMERS’ DATA

Page 12: How to Help Your Customers Protect Themselves from Ransomware Attacks


5 STEPS TO PROTECTING DATA

Access Restrictions

Firewall & Network

User Education

Antimalware

Patch Management & Third Party

Vulnerability Auditing

Backup & Recovery

USERS PREVENTION RECOVERY OPTIONAL

Page 13: How to Help Your Customers Protect Themselves from Ransomware Attacks

STEP 1: USER EDUCATION

QUICK TIPS

Arm users with the knowledge they need to recognize threats and avoid dangerous behavior.

MINIMIZE IMPACT
PREVENTION

• Majority of ransomware attacks rely on social engineering (convincing the user to initiate the interaction).
• Educate users to recognize and avoid these attempts.

Common exploits:

• Macros in Microsoft® Office documents.
• JavaScript attachments in the form of fake documents.
• Embedded JavaScript in malicious websites.

Page 14: How to Help Your Customers Protect Themselves from Ransomware Attacks

STEP 1: USER EDUCATION

QUICK TIPS

Don’t enable macros unless you were expecting them!

Block macros in files from the internet by default in Active Directory.

Use MS Office viewers.

MINIMIZE IMPACT
PREVENTION

Macros in Microsoft Office® documents*:

1. An attachment arrives; when opened it appears encrypted.
2. Directions are put in the document to use the “Options” button and re-enable macros.
3. Once the button is pressed, the ransomware infection begins.

*Allows for attack on Office 365® users as well!

Page 15: How to Help Your Customers Protect Themselves from Ransomware Attacks

STEP 1: USER EDUCATION

QUICK TIPS

Unhide “known extensions”. Giving your users visibility is key.

Antimalware's Application Control features block Microsoft WSH CScript and Microsoft WSH WScript.

MINIMIZE IMPACT
PREVENTION

JavaScript attachments in the form of fake documents:

1. An attachment arrives with what appears to be a Microsoft Office document or compressed file attached (Windows hides known extensions).
2. The user clicks to open the document. The 834425.zip.JS file executes.
3. Once the file is executed, the ransomware infection begins.
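The fake-document pattern above (a script extension hidden behind a document or archive name, as in 834425.zip.JS) can be screened for on inbound mail. The following Python code is an added example, not part of the original slides or any N-able product; the extension lists, verdict names and the sample message are assumptions constructed for illustration.

```python
from email.message import EmailMessage

# Assumed extension lists for illustration; tune them to your own mail policy.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "scr", "exe"}
DECOY_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "zip", "txt", "jpg"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm"}


def screen_name(filename):
    """Return (verdict, reason) for one attachment file name."""
    # Windows ignores trailing dots and spaces, so drop them before
    # reading the extension; compare case-insensitively.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2:
        return ("allow", "no extension")
    ext = parts[-1]
    if ext in SCRIPT_EXTS:
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            # With known extensions hidden, Explorer shows only this part.
            shown = ".".join(parts[:-1])
            return ("block", "script displayed as '%s'" % shown)
        return ("block", "script or executable type .%s" % ext)
    if ext in MACRO_EXTS:
        return ("quarantine", "macro-enabled Office document")
    return ("allow", "no rule matched")


def screen_message(msg):
    """Map each attachment name in an EmailMessage to its verdict."""
    return {part.get_filename(): screen_name(part.get_filename() or "")
            for part in msg.iter_attachments()}


def sample_message():
    """Constructed message; only 834425.zip.JS comes from the slide."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached document.")
    for name in ("834425.zip.JS", "minutes.docx", "Invoice.docm"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for name, (verdict, reason) in screen_message(sample_message()).items():
        print("%-16s %-10s %s" % (name, verdict, reason))
```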

Page 16: How to Help Your Customers Protect Themselves from Ransomware Attacks

STEP 1: USER EDUCATION

QUICK TIPS

Block malicious sites through your Antivirus or Firewall.

Sandbox web access.

Configure Windows to open JavaScript with Notepad.

MINIMIZE IMPACT
PREVENTION

Embedded JavaScript in malicious websites:

1. A user visits an infected page. It may be made to look like a legitimate organization.
2. Users typically click on a link, “play button” or other clickable object and unknowingly execute the JavaScript.
3. Once the JavaScript is executed, the ransomware infection begins.

Page 17: How to Help Your Customers Protect Themselves from Ransomware Attacks

STEP 2: ACCESS RESTRICTIONS

QUICK TIPS

Keep data stores and shares protected by limiting the number of users who have access.

MINIMIZE IMPACT
PREVENTION

Ransomware typically executes under the logged in account.

• Restrict users from backup shares and network locations they do not need access to.
• Do not use Administrator accounts, even for administrators. Use “Run As” instead.
• Restrict Administrative accounts from using email.

Page 18: How to Help Your Customers Protect Themselves from Ransomware Attacks

STEP 3: ANTIMALWARE

QUICK TIPS

Advanced Endpoint protection is required.

Intrusion Detection System.

Active Virus Control, aka a behavioral scan.

MINIMIZE IMPACT
PREVENTION

Traditional signature based Antivirus is not effective.

• AV must be capable of stopping processes that exhibit malicious techniques (Heuristics/Behavioral & IDS)
• Implement inbound mail scanning and blocking.
• AV must be ON and up to date at all times. You will need a way to monitor this.
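One behavioural signal of the kind described above, matching the attack progression earlier in the deck (one process encrypting documents, images and video and, for Locky, giving them a .locky extension): a burst of renames from mixed file types to a single new extension. This Python code is an added example, not part of the original slides or any N-able product; the event fields, thresholds and sample telemetry are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta


def rename_bursts(events, threshold=20, min_types=3, window=timedelta(seconds=60)):
    """Alert when one process gives many files of mixed types one new extension."""
    recent = defaultdict(deque)  # (host, pid, new_ext) -> (time, old_ext) in window
    alerts, seen = [], set()
    for ev in sorted(events, key=lambda e: e["time"]):
        old_ext = ntpath.splitext(ev["old"])[1].lower()
        new_ext = ntpath.splitext(ev["new"])[1].lower()
        if not new_ext or new_ext == old_ext:
            continue  # extension unchanged: ordinary rename
        key = (ev["host"], ev["pid"], new_ext)
        q = recent[key]
        q.append((ev["time"], old_ext))
        while ev["time"] - q[0][0] > window:
            q.popleft()  # forget renames older than the window
        types = {ext for _, ext in q}
        if len(q) >= threshold and len(types) >= min_types and key not in seen:
            seen.add(key)
            alerts.append({"host": key[0], "pid": key[1], "ext": new_ext,
                           "count": len(q), "time": ev["time"]})
    return alerts


def sample_events():
    """Constructed rename telemetry; hosts, pids and paths are made up."""
    t0 = datetime(2016, 5, 2, 9, 0, 0)
    src = [".docx", ".xlsx", ".jpg", ".mp4", ".pdf"]
    out = []
    for i in range(25):  # mixed file types all become .locky within 25 seconds
        out.append({"time": t0 + timedelta(seconds=i), "host": "WS-014", "pid": 4120,
                    "old": r"C:\Users\j.smith\Documents\file%d%s" % (i, src[i % 5]),
                    "new": r"C:\Users\j.smith\Documents\file%d.locky" % i})
    for i in range(30):  # photo tool: fast, but only one source type
        out.append({"time": t0 + timedelta(seconds=i), "host": "WS-022", "pid": 880,
                    "old": r"D:\Photos\img%d.jpeg" % i, "new": r"D:\Photos\img%d.jpg" % i})
    for i in range(25):  # archive job: mixed types, but five minutes apart
        out.append({"time": t0 + timedelta(minutes=5 * i), "host": "SRV-01", "pid": 312,
                    "old": r"E:\Data\item%d%s" % (i, src[i % 5]),
                    "new": r"E:\Data\item%d.bak" % i})
    return out


if __name__ == "__main__":
    for alert in rename_bursts(sample_events()):
        print(alert)
```

The rule keys on the rename pattern rather than on any particular extension, so it does not depend on a known family name.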

Page 19: How to Help Your Customers Protect Themselves from Ransomware Attacks

STEP 4: PATCH MANAGEMENT

QUICK TIPS

Control patch deployment through a centralized system.

Enforce patch installation and reboots.

Discuss patching policy with your Customer!

MINIMIZE IMPACT
PREVENTION

Unpatched systems are an open door for ransomware delivery.

• Ensure your devices are patched and up to date.
• Apply patches no more than 30 days after they are released from the vendor.
• Review your patching process to remove any roadblocks such as reboot windows, and device availability.

Page 20: How to Help Your Customers Protect Themselves from Ransomware Attacks

STEP 4: PATCH MANAGEMENT

QUICK TIPS

Users often ignore update prompts for these tools.

Take control of the updates with a Remote Monitoring and Management solution such as N-central®.

MINIMIZE IMPACT
PREVENTION

Third party applications must be patched.

• Don’t let applications such as Java® and Adobe Reader get left out of your patch routine.
• These applications are some of the most common entry points for exploit kits.
• Think carefully before deciding to leave older versions of third party applications active.

Page 21: How to Help Your Customers Protect Themselves from Ransomware Attacks

STEP 5: BACKUP & RECOVERY

QUICK TIPS

Encrypt your backup location. Ransomware will attempt to access with the user’s permissions.

Windows shadow copies are typically deleted by ransomware.

MINIMIZE IMPACT
PREVENTION

Backup is the only hope for data recovery beyond paying the ransom.

• Review your backup configuration, is it adequate?
• One of your backup locations must be offsite/cloud.
• Restrict access to your network backup stores.
• Validate that backups are happening and can be restored.

Page 22: How to Help Your Customers Protect Themselves from Ransomware Attacks

FIREWALL & NETWORK

QUICK TIPS

Advanced technology can help combat this modern threat.

Keeping workstations and servers segregated is good practice.

MINIMIZE IMPACT
PREVENTION

A strong firewall can be a significant preventative measure.

Deploy a next generation firewall that:

• Will block threats based on a “threat feed”.
• Offers sandboxing.
• Can police user interactions with websites that are not whitelisted (i.e. a “proceed?” query).

Page 23: How to Help Your Customers Protect Themselves from Ransomware Attacks

VULNERABILITY ASSESSMENT

QUICK TIPS

Understanding where you are vulnerable is key to impact mitigation.

Restrict user access to critical data.

MINIMIZE IMPACT
PREVENTION

Know where your weak points are.

• Use a tool to frequently review your end-user access rights and open exploits.
• Identify recurring problem areas and address them.
• Consider assessing your customer’s organization and exploring data insurance with them.

Page 24: How to Help Your Customers Protect Themselves from Ransomware Attacks

Ransomware is not just one of many CYBERTHREATS. It’s a GROWING business.

Page 25: How to Help Your Customers Protect Themselves from Ransomware Attacks

Ransomware is an opportunity to EDUCATE & INFORM your users and supply the necessary SERVICES for business continuity.

Page 26: How to Help Your Customers Protect Themselves from Ransomware Attacks

HELP USERS HELP THEMSELVES

QUICK TIPS

Remind and inform your users frequently.

Consider running “red team” attacks; spoofing a ransomware attempt as a teaching tool.

MINIMIZE IMPACT
PREVENTION

Ransomware Rescue infographic variants available for download from SolarWinds N-able:

http://offers.n-able.com/ransomware/

• Created to educate your users.
• English and Custom versions available.
• Links to blogs and this webinar.

Page 27: How to Help Your Customers Protect Themselves from Ransomware Attacks

THANK YOU

The N-ABLE TECHNOLOGIES and N-CENTRAL marks are the exclusive property of N-able Technologies, ULC. and its affiliates, are registered with the U.S. Patent and Trademark Office and the Canadian Intellectual Property Office, and may be registered or pending registration in other countries. All other N-able trademarks, service marks, and logos may be common law marks, registered or pending registration in the United States, Canada, or in other countries. All other trademarks mentioned herein are used for identification purposes only and may be or are trademarks or registered trademarks of their respective companies.