Ransomware makers have progressed from infecting individual users on a one-off basis to targeting whole organizations. Using advanced attack techniques like reconnaissance and credential abuse, they can infect many machines at once, bringing business operations to a screeching halt.
To stop individual and network-wide attacks, organizations need a multi-layered defense that includes both detection and eradication. Join security experts from LightCyber and Ayehu as they discuss how to defeat ransomware. They will present a live demo of a ransomware attack and show how to quickly contain it with LightCyber + Ayehu.
Attendees will learn:
- Why targeted ransomware is more devastating and difficult to stop than traditional ransomware.
- Methods to disrupt ransomware attacks and ward off extortionists.
- How LightCyber + Ayehu work together to detect and mitigate ransomware threats.
Presenters:
- Kasey Cross, Sr. Product Manager, LightCyber
- Guy Nadivi, Director, Business Development – North America, Ayehu
- Peter Lee, Director, Professional Services, Ayehu
5. State of Ransomware
• Ransomware is getting more advanced, using targeted attack techniques to maximize damage
• $209M paid out by US victims in Q1/2016*
• 38% of companies hit by ransomware in 2016*
• 38% and 17% of ransomware attacks target the service and manufacturing industries, despite many high-profile healthcare attacks
* FBI, KnowBe4 Survey of 1,138 companies, Symantec
6. Opportunistic Ransomware Attacks
[Diagram: laptop, file servers, malicious website, infected email, command & control server, Internet]
1) User downloads ransomware from a website or opens a malicious email attachment
2) Infected client contacts command and control server and receives a unique cryptographic key
3) Ransomware encrypts data on the local client
4) Ransomware encrypts data on network drives
7. Targeted Ransomware Attack
[Diagram: attack timeline]
Outside the network: Intrusion (Seconds – Minutes)
Inside the network: Active Breach (Hours – Weeks): Establish Backdoor, Recon & Lateral Movement, Ransomware Installation
1) Attacker compromises a client or server in the network
2) Attacker moves laterally to infect as many machines as possible with ransomware
8. Steps to Defeat Ransomware: Prevention
• Educate employees
• Patch vulnerable client and server software
• Inspect network traffic for malware
• Install endpoint protection (anti-virus software)
• Back up files regularly
9. Challenges with Preventing Ransomware
• Polymorphic malware, with new strains generated every day, bypasses AV signatures
• Many delivery methods: email, malvertising, compromised sites, targeted attacks
• May use default processes like Explorer to encrypt files, making it difficult to terminate
10. How LightCyber Detects Targeted Ransomware
[Diagram: Internet, DMZ, SPAN feed into LightCyber Magna, security ecosystem, servers (DHCP, DNS, AD, file servers), Ayehu remediation]
How Ransomware Spreads
• Attackers gain persistent access
• System tools and scripts are used
• Ransomware is installed on other machines
• File servers are encrypted
Detection by LightCyber Magna
• Lateral movement of ransomware
• Pathfinder identifies anomalous tools and processes
• Encryption of file servers and shares
14. Speed of Response is Critical to Defeat Ransomware
Cyber Security Incident Response Automation
15. Automating Cyber Security Incident Response
Ransomware Quarantine Automatic Playbook
POSSIBLE QUESTIONS
• Do we really have a ransomware infection?
• Is only one computer infected? Multiple computers?
• Did the ransomware infect any shared folders?
• Have the latest security updates (Antivirus/Patches) been applied to infected computer(s)?
POSSIBLE ACTIONS
• Send the host to a different VLAN using NAC/IPS.
• Inform the user via SMS or email.
• Report every step in the ITSM system.
• Update watch list for communication with the C&C Server.
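A toy triage-and-response step for the quarantine playbook above, as an added example that is not LightCyber's or Ayehu's code: it answers the playbook's questions from constructed file-server rename and DNS events and derives the listed actions. Host names, share names, domains, file suffixes and the rename threshold are assumptions.

```python
# Added example, not LightCyber's or Ayehu's code: hosts, shares, domains,
# file suffixes and the threshold are assumptions constructed for illustration.
from collections import defaultdict

RANSOM_EXTS = (".locked", ".crypt")  # assumed suffixes written by the ransomware
RENAME_THRESHOLD = 3                 # renames per host before it counts as infected

EVENTS = [  # constructed file-server audit and DNS events: (host, kind, target)
    ("WS-101", "rename", r"C:\Users\a\report.docx.locked"),
    ("WS-101", "rename", r"C:\Users\a\budget.xlsx.locked"),
    ("WS-101", "dns", "pay-key.example"),
    ("WS-101", "rename", r"\\FS01\Finance\q1.xlsx.locked"),
    ("WS-101", "rename", r"\\FS01\Finance\q2.xlsx.locked"),
    ("WS-202", "rename", r"\\FS01\HR\list.csv.crypt"),
    ("WS-202", "rename", r"\\FS01\HR\policy.pdf.crypt"),
    ("WS-202", "rename", r"\\FS01\HR\roster.xlsx.crypt"),
    ("WS-303", "rename", r"C:\Temp\old.bak.crypt"),  # one rename: below threshold
]

def triage(events):
    """Answer the playbook's questions: which hosts, which shares, which C&C domains."""
    renames, shares, dns = defaultdict(int), defaultdict(set), defaultdict(set)
    for host, kind, target in events:
        if kind == "rename" and target.lower().endswith(RANSOM_EXTS):
            renames[host] += 1
            if target.startswith("\\\\"):                # UNC path means a shared folder
                shares[host].add(target.split("\\")[3])  # \\FS01\Finance\... -> Finance
        elif kind == "dns":
            dns[host].add(target)
    infected = sorted(h for h, n in renames.items() if n >= RENAME_THRESHOLD)
    return {
        "infected_hosts": infected,
        "multiple_hosts": len(infected) > 1,
        "affected_shares": sorted({s for h in infected for s in shares[h]}),
        "c2_candidates": sorted({d for h in infected for d in dns[h]}),
    }

def build_actions(findings):
    """Map findings to the response actions the slide lists."""
    actions = []
    for host in findings["infected_hosts"]:
        actions.append(f"NAC: move {host} to quarantine VLAN")
        actions.append(f"notify user of {host} via SMS/email")
    for share in findings["affected_shares"]:
        actions.append(f"ITSM: open ticket for affected share {share}")
    for dom in findings["c2_candidates"]:
        actions.append(f"watchlist: alert on traffic to {dom}")
    actions.append("ITSM: record every playbook step")
    return actions
```

With the constructed events, WS-303's single rename stays below the threshold, so the playbook isolates only WS-101 and WS-202.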
16. Building an Automated Security Playbook
No Programming Required!
• Over 500 pre-built activities
• Over 150 pre-built workflows / playbooks
• Easy-to-use drag-and-drop interface