Ransomware: How to avoid a crypto crisis at your IT business

Upload: calyptix-security

Post on 15-Jul-2015

TRANSCRIPT

Page 1: Ransomware: How to avoid a crypto crisis at your IT business

Ransomware: How to avoid a crypto crisis at your IT business

Page 2

Ransomware: How to avoid a crypto crisis at your IT business

Jerry Koutavas

President

The ASCII Group, Inc.

[email protected]

Ben Yarbrough

CEO

Calyptix Security

Page 3

#webclinic#calyptix

Today’s Agenda

1. Ransomware background

2. How to avoid a crypto crisis

3. About AccessEnforcer

4. Helpful resources

Page 4

Ransomware Background

Page 5

What is Ransomware?

• Extortion via software

• Restricts access to an infected computer system and demands a ransom payment to return access.

• Dates back to 1989 with the AIDS trojan

• AIDS hid folders, encrypted file names, and said a software license had expired. Fee of $189 to “renew” license and unlock the computer

Page 6

What is encrypting or “crypto” ransomware?

• Today’s primary ransomware threat

• Restricts access by encrypting a victim’s files. Demands a ransom to decrypt them

• Common examples: Cryptolocker, Critroni, CTB-Locker

Page 7

Cryptolocker

• Widely known variant of ransomware

• Rose to prominence in late 2013

• Defeated in June 2014 in a joint effort by various government agencies and security firms

• Decryption keys now freely available for victims at www.decryptcryptolocker.com

Page 8

Decryption is impossible

• Decrypting files is mathematically infeasible without a key

• After infection, the only hope is to restore from backup or pay the ransom

• Paying the ransom is a bad idea – it encourages the criminals

Page 9

How does ransomware spread?

• Malicious email attachments

– Appears as notice for invoice, voicemail, shipment, etc.

– Affects corporate and personal email (Gmail, Yahoo!, etc.)

• Drive-by downloads – Malicious websites infect victims via exploits for unpatched software

Page 10

How does ransomware spread?

• Malvertising – Online advertising used to spread malware

– Recent example included pages from Yahoo, AOL, The Atlantic, Match.com

• Removable drives – Connecting an infected USB drive can spread some variants

– Includes mobile devices

Page 11

Common scenario

• A “dropper” is installed on the victim’s machine

• The dropper downloads and installs the full malware package

• Malware searches the local machine and all mapped drives for targeted files.

• Files are encrypted using a strong algorithm.

Page 12

Common scenario

• Victim is notified that the files are locked.

• Ransom is demanded, often from $100 to $600, to be paid in Bitcoins

• Instructions provided on how to acquire Bitcoins and pay

Page 13

Common scenario

• Deadline given for ransom payment, often from 48 to 96 hours

• If ransom is not paid by deadline, the ransom will increase or the decryption key will be destroyed.

Page 14

An evolving threat

• Hundreds of thousands of ransomware variations exist

• Some allow users to decrypt up to five files to “prove” decryption is possible.

• Victims can read payment instructions in multiple languages

• Ransoms jumped from $24 to $650 in some later versions

Page 15

Where is it headed?

• RansomWeb – Hackers encrypt data stored on a web server and demand a ransom payment.

“The next step might well be the modern equivalent of protection rackets – threatening companies with being either taken offline or having their databases frozen unless they pay a regular fee.”

- Professor Alan Woodward, University of Surrey Department of Computing

Page 16

Thousands of victims

• Cryptolocker made $30 million in 100 days, according to some estimates

• Ransoms paid by police departments, town halls, law offices, and businesses of all sizes

Page 17

Thousands of victims

• The Law Offices of Paul Goodson, based in Charlotte, NC, lost every document on its main server

• Infected by a malicious email attachment. Email disguised as a voicemail notification.

• Attempted to pay $300 ransom but did not complete the transaction by deadline

Page 18

Free marketing resource

• Show law firms the dangers of ransomware

• Includes three examples of attacked law firms

• We will send it to you after today’s presentation

Page 19

How to avoid a crypto crisis

Page 20

Educate users

• Suspicious emails

• Suspicious sites

• Software and network hygiene

• Segregate personal and business web use

• Explain the rationale of restricting business networks

Ransomware Is Bad

Page 21

Patch, patch, patch

• Maintain the latest versions of your firewall, anti-virus, operating systems, applications, and other systems.

• Automatically update as new patches become available.

Page 22

Filter spam and malicious email

• The top way ransomware spreads is by email attachment

• Some infections begin with a .scr file that arrives in a .zip or .cab email attachment

• Filter emails for content and attachments before they reach end users
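A gateway-side check for the pattern this slide describes (an executable such as a .scr hidden inside a .zip or .cab attachment), written as an added example that is not code from the Calyptix deck or its products. It assumes a raw RFC 822 message as input; the sample message, sender address and archive contents are constructed for the demonstration.

```python
# Added example (not from the Calyptix deck): a mail-gateway check for an
# executable such as a .scr hidden inside a .zip or .cab attachment.
# Findings are meant to drive a quarantine decision before delivery.
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly; .scr (screensaver) is the one the deck calls out.
EXEC_EXT = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def is_executable_name(name: str) -> bool:
    """True for 'invoice.pdf.scr': only the last suffix matters to Windows."""
    return "." in name and "." + name.rsplit(".", 1)[1].lower() in EXEC_EXT

def inspect_attachments(raw: bytes) -> list:
    """Return (attachment filename, verdict) pairs; an empty list means no finding."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    names = zf.namelist()
            except zipfile.BadZipFile:
                findings.append((fname, "corrupt zip"))  # unreadable archives are flagged, not passed
                continue
            findings += [(fname, f"executable in archive: {n}") for n in names if is_executable_name(n)]
        elif fname.lower().endswith(".cab"):
            # The stdlib has no .cab reader: report it so the gateway does not silently pass it.
            findings.append((fname, "unscanned archive (.cab)"))
        elif is_executable_name(fname):
            findings.append((fname, "bare executable attachment"))
    return findings

def build_sample() -> bytes:
    """Constructed test message (not a real phish): an 'invoice' zip holding invoice.pdf.scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.scr", b"MZ placeholder, not a real binary")
    m = EmailMessage()
    m["From"] = "billing@example.test"
    m["Subject"] = "Your invoice is attached"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return bytes(m)

if __name__ == "__main__":
    print(inspect_attachments(build_sample()))
```

The check inspects only the outer archive; nested archives and password-protected zips still reach the user unless the gateway also quarantines anything it cannot open.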

Page 23

Filter outbound traffic

• Control sites users can access

• Block malicious hosts

• Block IP range 146.185.220.0/23 – Range is associated with CryptoWall

• Enable intrusion prevention system (IPS)

• Default deny all outbound traffic

Page 24

Group policies for Windows

• Block ransomware from installing in its favorite directories

• Free resource: Cryptolocker Prevention Kit from Third Tier (link at end of presentation)

Page 25

Limit access to network shares

• Ransomware checks all mapped drives (including network drives)

• Only the administrator and the backup service provider should access backup drives

• When mounting a backup for restore purposes, make sure the permissions are set to “read only”

Page 26

Back up all files

• The only way to fully recover from infection is with a good backup

• Many businesses operate without backups, which can make ransomware infection a worst-case scenario

• Remember to test backups. They are only good if you can restore the data.

Page 27

Additional tips

• Install a reputable anti-virus solution such as Microsoft Security Essentials or Malwarebytes.

• Do not allow user accounts to modify applications or the operating system (e.g. standard user)

• Adjust web browser settings to prevent forced downloads

Page 28

What if you are infected?

• Immediately power off the machine

• Unplug from the network

• Remove the hard drive and scan it with antivirus to remove infection.

• Do not power on the drive until it is cleaned

Page 29

AccessEnforcer

Page 30

AccessEnforcer

Simple and powerful UTM firewall for small and medium business

Page 31

AccessEnforcer

• Features include:

– Intrusion detection and prevention (IDS/IPS)

– Unlimited VPN

– Web filter

– Spam filter

– Multi-WAN

– Quality of service (QoS)

– Automatic updates

– GUI-based management

– Many more in the full features list

Page 32

Simplest Reseller Program in the Industry

• The Breakthrough Program: 30-day license for monthly service

– Includes every security feature

– Includes lifetime warranty

– Includes unlimited users

– Cancel without penalty

– No monthly or annual minimum

Page 33

Simplest Reseller Program in the Industry

• Gives your IT business:

– Faster profits

– Fewer limitations and headaches

– Freedom from annual renewals

Page 34

AccessEnforcer

[email protected]

www.calyptix.com

Call to learn more about Calyptix reseller partnership: 704-971-8982

Page 35

Helpful Resources

Page 36

Calyptix Resources

• Marketing flyer for law firms (will send via email)

• Ransomware Prevention: 5 ways to avoid a crisis

– http://www.calyptix.com/malware/ransomware-prevention-5-ways-to-protect-your-business/

• Critroni Ransomware: Decryption not an option

– http://www.calyptix.com/malware/critroni-ransomware-decryption-not-an-option/

• AccessEnforcer: Full features list

– http://www.calyptix.com/wp-content/uploads/2014/09/AE-features-list.pdf

Page 37

Additional Resources

• Cryptolocker Prevention Kit – Third Tier

– http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit/

• More ransomware resources from Third Tier

– http://www.thirdtier.net/?s=crypto

Page 38

Questions

Page 39

Thank you!

[email protected]

www.calyptix.com

Call to learn more about Calyptix reseller partnership: 704-971-8982