Presentation from SoftServe's Security Hole #18 about cryptolocker ransomware: how it works, distribution methods, and possible remediation scenarios. A short story about one of our clients, who got infected with a cryptolocker on a 1C database server, our incident forensics, and recommendations on how to stay secure.
7. Crypto Lockers
• Searches for files with certain extensions: doc, docx, wps, xls, xlsx, ppt, pptx, pdf, jpg, dng, psd, raw, cer, crt, pfx, wallet …
• Doesn’t touch system directories
• Encrypts files with a 2048-bit RSA key pair
• Paying the ransom results in decryption of the files
• No way to decrypt the files without the private key
• Ransomware done right!
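The behaviour on this slide (many user documents of a few extension types rewritten in a short time, system directories untouched) is also what a defender can watch for. The following detector is an added example, not code from the deck or from SoftServe: it replays constructed file-server events (the log format, user names and the `.locked` suffix are assumptions) and raises an alert for any account that rewrites or renames more than a threshold of targeted documents inside a sliding window, while ignoring churn under system directories and on non-document files.

```python
"""Heuristic detector for CryptoLocker-style mass document encryption.

Added example (not from the SoftServe deck). Replays constructed file-system
events and flags a burst of writes/renames on the document types the malware
targets, ignoring the system directories it leaves alone.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions listed on the slide as CryptoLocker targets.
TARGET_EXTENSIONS = {
    "doc", "docx", "wps", "xls", "xlsx", "ppt", "pptx", "pdf",
    "jpg", "dng", "psd", "raw", "cer", "crt", "pfx", "wallet",
}
# The malware skips system directories, so activity there is not a signal either.
SYSTEM_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def targets_documents(path):
    """True when the path names a targeted document type outside system directories."""
    p = PureWindowsPath(path)
    if str(p).lower().startswith(SYSTEM_DIR_PREFIXES):
        return False
    # Check every suffix so "report.docx.locked" still counts as a hit on a .docx.
    return any(s.lower().lstrip(".") in TARGET_EXTENSIONS for s in p.suffixes)


def parse_event(line):
    """Constructed record format (assumed): <iso timestamp> <action> <user> <path>."""
    ts, action, user, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), action, user, path


def detect_mass_encryption(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {user: iso time of first alert} for users whose document
    write/rename count reaches `threshold` inside a sliding `window`."""
    recent = defaultdict(list)   # user -> timestamps of qualifying events
    alerts = {}
    for line in lines:
        ts, action, user, path = parse_event(line)
        if action not in ("WRITE", "RENAME") or not targets_documents(path):
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.pop(0)
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ts.isoformat()
    return alerts


def sample_events():
    """Constructed events (not a real capture): normal users, noisy services,
    and one session behaving like an infected workstation."""
    base = datetime(2016, 2, 17, 10, 0, 0)
    lines = []
    # bob edits three spreadsheets over ten minutes: normal behaviour
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=3 * i)).isoformat()} WRITE bob C:\\Users\\bob\\Documents\\plan{i}.xlsx")
    # a service writing many .log files: high volume, but not document types
    for i in range(40):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} WRITE svc C:\\ProgramData\\app\\trace{i}.log")
    # updater touching many .doc files under C:\Windows: skipped, like the malware does
    for i in range(40):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} WRITE SYSTEM C:\\Windows\\Temp\\f{i}.doc")
    # alice's session renaming every document to <name>.<ext>.locked, one per second
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} RENAME alice C:\\Users\\alice\\Documents\\q{i}.docx.locked")
    return sorted(lines)


if __name__ == "__main__":
    print(detect_mass_encryption(sample_events()))   # only alice trips the detector
```

The threshold and window are tuning knobs: on a 1C file share a legitimate bulk export can also touch many documents, so in practice the alert would be paired with a canary file or with the ratio of renames to distinct extensions, and the response on a hit is to isolate the account and host, not just to log it.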
15. “Traffic today has varied between 1 new endpoint each second, to up to 5 per second. I estimate by the end of the day well over 100,000 new endpoints will be infected with Locky, making this a genuine major cybersecurity incident — 3 days in, approximately a quarter of a million PCs will be infected”.
February 17, 2016
16. Pay or not to pay?
“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. “To be honest, we often advise people just to pay the ransom.”
28. How to stay secure?
• Software updates and patches
• Security awareness
• Low privilege access
• Backups
• Antivirus/Antispam
29. How to secure your 1C with RDP?
• Regular backups.
• Regular EXTERNAL backups.
• Access control: allow RDP only from your own IP addresses/networks.
• VPN/IPSec
• Password policy
• Anti-brute-force policy
• Don’t use the usual logins (admin/alex/manager).
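Two of the items above (access control for your own IP ranges, and an anti-brute-force policy) can be verified against the server's logon records. The script below is an added example, not part of the deck or of SoftServe's tooling: it runs over constructed logon records in an assumed one-line-per-event format carrying the Windows logon event IDs 4624 (success) and 4625 (failure), reports source addresses outside the allowed networks, reports source/account pairs whose failure count reaches the lockout threshold inside the lockout window, and lists accounts that logged on successfully after such a burst. The allowed networks, threshold and window are assumptions chosen for the example.

```python
"""Audit RDP logon records for two controls from the "secure your 1C with RDP" slide:
source-address restriction and anti-brute-force (account lockout).

Added example, not from the deck. Input is constructed, not a real event export.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Networks RDP to the 1C host is allowed from (assumed; documentation ranges).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
# Assumed lockout policy: 5 failures within 10 minutes lock the account.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=10)

LOGON_SUCCESS = 4624   # Windows Security log: an account was successfully logged on
LOGON_FAILURE = 4625   # Windows Security log: an account failed to log on


def parse_record(line):
    """Constructed format (assumed): <iso timestamp> <event id> <account> <source ip>."""
    ts, event_id, account, src = line.split()
    return datetime.fromisoformat(ts), int(event_id), account, ipaddress.ip_address(src)


def is_allowed_source(ip):
    """True when the address falls inside one of the permitted networks."""
    return any(ip in net for net in ALLOWED_NETWORKS)


def analyse(lines):
    """Return (untrusted_sources, brute_force, compromised):
    untrusted_sources: sorted source IPs seen from outside ALLOWED_NETWORKS
    brute_force: {(src, account): iso time the failure count first hit the threshold}
    compromised: [(src, account)] that later logged on successfully after a burst."""
    untrusted = set()
    failures = defaultdict(list)   # (src, account) -> failure timestamps in window
    brute = {}
    compromised = []
    for line in lines:
        ts, eid, account, src = parse_record(line)
        if not is_allowed_source(src):
            untrusted.add(str(src))
        key = (str(src), account)
        if eid == LOGON_SUCCESS:
            if key in brute and key not in compromised:
                compromised.append(key)
            continue
        if eid != LOGON_FAILURE:
            continue
        q = failures[key]
        q.append(ts)
        while q and ts - q[0] > LOCKOUT_WINDOW:   # expire failures outside the window
            q.pop(0)
        if len(q) >= LOCKOUT_THRESHOLD and key not in brute:
            brute[key] = ts.isoformat()
    return sorted(untrusted), brute, compromised


def sample_records():
    """Constructed records: one guessing session from outside, one legitimate
    user from an allowed network who mistypes a password a few times."""
    base = datetime(2016, 2, 17, 2, 0, 0)
    lines = []
    # eight failures against 'admin' from an outside address, one every 30 seconds
    for i in range(8):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} 4625 admin 203.0.113.45")
    # ... followed by a success: the password was guessed
    lines.append(f"{(base + timedelta(minutes=4)).isoformat()} 4624 admin 203.0.113.45")
    # alex, from an allowed network, fails three times and then succeeds
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=10 + i)).isoformat()} 4625 alex 192.0.2.10")
    lines.append(f"{(base + timedelta(minutes=13)).isoformat()} 4624 alex 192.0.2.10")
    return lines


if __name__ == "__main__":
    print(analyse(sample_records()))
```

An address in the untrusted list means the firewall or VPN restriction is not in place; a brute-force entry without a matching lockout means the account lockout policy is not enforced; and a compromised pair is the case the slide's password policy and "don't use the usual logins" advice are meant to prevent.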