Sophos Benelux, profile picture
Uploaded bySophos Benelux
PPTX, PDF2,476 views

How to stay protected against ransomware

The document provides an overview of ransomware, specifically targeting variants like Locky, detailing their methods of attack and the factors contributing to their success. It emphasizes the importance of protecting organizations through regular backups, avoiding macro-enabled documents, and implementing various security measures. Additionally, it outlines how Sophos can assist in preventing ransomware attacks through a comprehensive security approach.

Embed presentation

Downloaded 169 times
11 Ransomware today: How to protect against Locky and friends
2 What we’re going to cover • A bit of Background • Anatomy of a ransomware attack • The latest ransomware to rear its ugly head – introducing Locky and its friends • Why these attacks are so successful • Practical steps to protect your organization from ransomware threats • How Sophos can help
3 A bit of background Ransomware is a form of malware that encrypts private information and demands payment in order to decrypt it. History • CryptoLocker first appeared in 2013 • New variants emerge all-too-regularly • Current wave has roots in the early days of FakeAV • Locky is one of the newest flavors to menace internet users • Common ransom demands for USD 200 – 500. • Technology used changes rapidly • Office documents with macros • CHM files • JavaScript • .bat files
4 2 main vectors of attack • SPAM (via social engineering) ○ Seemingly plausible sender ○ Has attachment e.g. invoice, parcel delivery note ○ The attachment contains an embedded macro ○ When the attachment is opened the macro downloads and then executes the ransomware payload ○ Used by Locky, TorrentLocker, CTB-Locker • Exploit kits ○ Black market tools used to easily create attacks that exploit known or unknown vulnerabilities (zero-day) ○ Client side vulnerabilities usually target the Web browser ○ Used by CryptoWall, TeslaCrypt, CrypVault, ThreatFinder
55 Anatomy of a ransomware attack
6 Anatomy of a ransomware attack And gone The ransomware will then delete itself leaving just the encrypted files and ransom notes behind. Ransom demand A message appears on the user’s desktop, explaining how a ransom (often in the form of bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key that only the attacker’s system has access to. Encryption of assets Certain files are then encrypted on the local computer and on all accessible network drives with this public key. Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery. Contact with the command & control server of the attacker The ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer. Installation via an exploit kit or spam with an infected attachment Once installed the ransomware modifies the registry keys
7 Ransomdemands
8 Paying ransoms • Payment is made in Bitcoins • Instructions are available via Tor • The ransom increases the longer you take to pay • On payment of the ransom, the public encryption key is provided so you can decrypt your computer files
99 Common ransomware: Locky and friends
10 Locky: the new kid on the block • Nickname of a new strain of ransomware, so-called because it renames all your important files so that they have the extension .locky • Ransoms vary from BTC 0.5 to BTC 1.00 (1 BTC is worth about €380/$425/£300). • Started hitting the headlines in early 2016 • Wreaking havoc with at least 400,000 machines affected worldwide
11 A common Locky attack • You receive an email containing an attached document. ○ The document looks like gobbledegook. ○ The document advises you to enable macros “if the data encoding is incorrect.” ○ The criminals want you to click on the 'Options' button at the top of the page. • Once you click Options, Locky will start to execute on your computer. • As soon as it is ready to ask you for the ransom, it changes your desktop wallpaper. • The format of the demand varies, but the results are the same.
12 Example: Attached Word document
13
14 TorrentLocker • Almost exclusively distributed via sophisticated spam campaigns ○ High quality emails ○ Translated into multiple languages (Dutch, Japanese, Korean, Italian, Spanish …) • Highly targeted geographically • Peculiarity: Use of the victim machine’s address book to send the ransomware to other machines • Communicates with its C&C server in HTTPS (POST requests) to make detection more difficult
15 CTB-Locker • Peculiarity: Business model based on affiliations ○ Infections are conducted by 'partners' who receive in return a portion of the takings ○ Enables faster spreading of malicious code ○ Approach notably used in the past by Fake-AV • The cyber crooks offer the option of a monthly payment to host all of the code. • Has also been widely distributed by the Rig and Nuclear exploit kits • As with TorrentLocker, the majority of infections have started via spam campaigns
16 CTB-Locker variant that attacks websites • Same name as the ransomware that attacks Windows computers • Written in PHP • First attack in the UK on 12th February 2016 • Already many hundreds of sites have been attacked • Attacks websites by encrypting all files in their repositories • A password-protected ‘shell’ is installed on most of the affected sites, allowing attackers to connect to the server(s) via a backdoor
17 Angler: an all-too-well-known exploit kit • Grown in notoriety since mid 2014 ○ The payload is stored in memory and the disk file is deleted ○ Detects security products and virtual machines ○ Ability to spread many infections: banking Trojans, backdoor, rootkits, ransomware • Easy to use ○ Doesn’t require any particular technical competence ○ Available for a few thousand USD on the Dark Web
18 Angler’s evolution into the dominant exploit kit Sep 2014 Jan 2015 May 2015
19 Chain of infection for Angler exploit kits 1. The victim accesses a compromised web server through a vulnerable browser 2. The compromised web server redirects the connection to an intermediary server 3. In turn, the intermediary server redirects the connection to the attacker’s server which hosts the destination page of the exploit kit 4. The destination page looks for vulnerable plug-ins (Java, Flash, Silverlight) and their version numbers 5. If a vulnerable browser or plug in is detected the exploit kit releases its payload and infects the system.
2020 Why these attacks are so successful
21 Whyare theseattacks sosuccessful? Professional attack technology • Highly professional approach e.g. usually provides the actual decryption key after payment of the ransom • Skillful social engineering • Hide malicious code in technologies that are permitted in many companies e.g. Microsoft Office macros, JavaScript, VBScript, Flash …
22 Whyare theseattacks sosuccessful? Security weaknesses in the affected companies • Inadequate backup strategy • Updates and patches are not implemented swiftly enough • Dangerous user/ rights permissions – more than they need • Lack of user security training • Security systems are not implemented or used correctly • Lack of IT security knowledge • Conflicting priorities: security vs productivity concerns
2323 Practical steps to protect against ransomware
24 Best practices – do this NOW! 1. Backup regularly and keep a recent backup copy off-site. 2. Don’t enable macros in document attachments received via email. 3. Be cautious about unsolicited attachments. 4. Don’t give yourself more login power than you need. 5. Consider installing the Microsoft Office viewers. 6. Patch early, patch often. 7. Configure your security products correctly.
25 Security solution requirements As a minimum you should: • Deploy anti malware protection • Block spam • Use a sandboxing solution • Block risky file extensions (javascript, vbscript, chm etc…) • Password protect archive files • Use URL filtering (block access to C&C servers) • Use HTTPS filtering • Use HIPS (host intrusion prevention service) • Activate your client firewalls • Use a whitelisting solution
26 Additional steps • Employee awareness & training ○ Sophos IT Security Dos and Don’ts ○ Sophos Threatsaurus • Segment the company network ○ NAC solutions ensure only known computers can access the network ○ Separate functional areas within a firewall e.g. client and server networks • Encrypt company data ○ It doesn’t stop the ransomware but prevents damage caused by sensitive documents getting into the wrong hands • Use security analysis tools ○ If an infection does occur, it’s vital that the source is identified and contained ASAP.
2727 How Sophos can help
28 Complete protection: Enduser and Network Sophos Central Enduser Network Next-Gen Firewall /UTM Web Security Email Security Wireless Security SafeGuard Encryption Mobile Control Next-Gen Endpoint Protection Server Security Secure the Endpoint (PC/Mac) Next Gen Endpoint security to prevent, detect, investigate and remediate Secure the Mobile Device Secure smartphones and tablets just like any other endpoint Secure the Servers Protection optimized for server environment (physical or virtual): fast, effective, controlled Protect the Data Simple-to-use encryption for a highly effective last line of defense against data loss Secure the Perimeter Ultimate enterprise firewall performance, security, and control. Secure the Web Advanced protection, control, and insights that’s effective, affordable, and easy. Secure the Email Email threats and phishing attacks don’t stand a chance. Secure the Wireless Simple, secure Wi-Fi connection.
29 Security as a System Synchronized Security Integrated, context-aware security where Enduser and Network technology share meaningful information to deliver better protection Security must be comprehensive The capabilities required to fully satisfy customer need Security can be made simple Platform, deployment, licensing, user experience Security is more effective as a system New possibilities through technology cooperation Next Gen Enduser Security Next Gen Network Security Sophos Cloud heartbeat SOPHOS LABS
30 Malicious Traffic Detection SOPHOS SYSTEM PROTECTOR Application Tracking Threat Engine Application Control Emulator Device Control Web Protection IoC Collector Live Protection Security Heartbeat HIPS/ Runtime Protection Reputation Malicious Traffic Detection SophosL abs URL database Malware Identities HIPS rulesGenotypesFile look-up Reputation Apps SPAM Data Control Peripheral Types Anon. proxies Patches/ VulnerabilitiesWhitelist Administrator alerted Application interrupted i Compromise User | System | File MTD rules Malicious traffic detected Malicious Traffic Detection
31 Sophos Sandstorm How Sophos Sandstorm works 1. If the file has known malware it’s blocked immediately. If it’s otherwise suspicious, and hasn’t been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait. 2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file will be sent to the security solution once the analysis is complete. 3. A detailed report is provided for each file analyzed. Advanced Threat Defense Made Simple Secure Web Gateway Secure Email Gateway Unified Threat Management Next-Gen Firewall
3232 CRYPTOGUARD
33 Anatomy of a Ransomware Attack Exploit Kit or Spam with Infection Command & Control Established Local Files are Encrypted Ransomware deleted, Ransom Instructions delivered
34 Ransomware Cryptowall costs users $325M in 2015 ○ 2 out of 3 infections driven by phishing attack ○ Delivered by drive by exploit kits ○ 100’s of thousands of victims world wide More variants – Locky and Samas ○ Now for MAC and Windows users Targeting bigger Phish ○ $17K payment from California hospital CryptoGuard • Simple and Comprehensive • Universally prevents spontaneous encryption of data • Simple activation in Sophos Central CRYPTOGUARD CryptoGuard – Say Goodbye to Ransomware
35 CryptoGuard • 1. monitors file system activity • 2. when file is opened-for-write, create just-in-time backup of the file • 3. when the file is closed, compare contents • 4. when file is no longer a document, mark as suspicious • 5. if this happens on many files (3 or more), rollback files from above backup, revoke write-access from process (or client IP) that did the changes • 6. all modifications are tracked per process or per client-IP; so if a remote client modifies files, they are tracked, rolled back and blocked if needed
36 CryptoGuard • Stops local ransomware from attacking local data • Stops local ransomware from attacking remote data (incl. mapped or unmapped shares) • Stops remote ransomware from attacking local data
37 More information • Sophos whitepaper on how to stay protected from ransomware https://www.sophos.com/en- us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprotectionwpna.pdf?la=en • Sophos technical whitepaper on ransomware https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-current-state-of- ransomware.pdf?la=en • Naked Security – regular stories on Locky and other ransomware attacks https://nakedsecurity.sophos.com/ • IT Security DOs and DON'Ts https://www.sophos.com/en- us/medialibrary/PDFs/employeetraining/sophosdosanddontshandbook.pdf?la=en • Threatsaurus https://www.sophos.com/en-us/medialibrary/PDFs/other/sophosthreatsaurusaz.pdf?la=en • Sophos free tools https://www.sophos.com/fr-fr/products/free-tools.aspx
3838 Questions? Benelux: salesnetherlands@sophos.com UKI: customerteam@sophos.com Americas: nasales@sophos.com
39© Sophos Ltd. All rights reserved.

More Related Content

PDF
How to Protect Your Organization from the Ransomware Epidemic
byTripwire
 
PPTX
The EU Data Protection Regulation and what it means for your organization
bySophos Benelux
 
PDF
Ransomware
bym3 Networks Limited
 
PDF
Enterprise security: ransomware in enterprise and corporate entities
byQuick Heal Technologies Ltd.
 
PDF
Ransomware- What you need to know to Safeguard your Data
byInderjeet Singh
 
PDF
Sophos Day Belgium - The IT Threat Landscape and what to look out for
bySophos Benelux
 
PDF
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
bySymantec
 
PDF
IT Security landscape and the latest threats and trends
bySophos Benelux
 
How to Protect Your Organization from the Ransomware Epidemic
byTripwire
 
The EU Data Protection Regulation and what it means for your organization
bySophos Benelux
 
Ransomware
bym3 Networks Limited
 
Enterprise security: ransomware in enterprise and corporate entities
byQuick Heal Technologies Ltd.
 
Ransomware- What you need to know to Safeguard your Data
byInderjeet Singh
 
Sophos Day Belgium - The IT Threat Landscape and what to look out for
bySophos Benelux
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
bySymantec
 
IT Security landscape and the latest threats and trends
bySophos Benelux
 

What's hot

PDF
WannaCry Ransomware Attack: What to Do Now
byIBM Security
 
PPTX
This is Next-Gen IT Security - Introducing Intercept X
bySophos Benelux
 
PDF
Cambodia CERT Seminar: Incident response for ransomeware attacks
byAPNIC
 
PPTX
WannaCry? No Thanks!
byRoberto Martelloni
 
PPTX
Ransomware: Mitigation Through Preparation
byHostway|HOSTING
 
PPTX
Ransomware
byNick Miller
 
PPT
Ransomware - The Growing Threat
byNick Miller
 
PDF
5 Ways to Protect Your Healthcare Organization from a Ransomware Attack - HIM...
byClearDATACloud
 
PDF
Why are you still getting CryptoLocker?
byAaron Lancaster
 
PPTX
Evolution of ransomware
byCharles Steve
 
PDF
Ransomware protection
byRohit Srivastwa
 
PPTX
MMW April 2016 Ransomware Resurgence
byCyphort
 
PDF
Analysing Ransomware
byNapier University
 
PDF
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
byRoger Hagedorn
 
PPTX
Ransomware: Emergence of the Cyber-Extortion Menace
byZubair Baig
 
PPTX
seminar report on What is ransomware
byJawhar Ali
 
PPTX
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
byAndrew Morris
 
PDF
Understanding CryptoLocker (Ransomware) with a Case Study
bysecurityxploded
 
PPTX
Ransomware: WanaCry, WanCrypt
byYash Diwakar
 
PPTX
Wannacry & Petya ransomware
byRaghavendra P.V
 
WannaCry Ransomware Attack: What to Do Now
byIBM Security
 
This is Next-Gen IT Security - Introducing Intercept X
bySophos Benelux
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
byAPNIC
 
WannaCry? No Thanks!
byRoberto Martelloni
 
Ransomware: Mitigation Through Preparation
byHostway|HOSTING
 
Ransomware
byNick Miller
 
Ransomware - The Growing Threat
byNick Miller
 
5 Ways to Protect Your Healthcare Organization from a Ransomware Attack - HIM...
byClearDATACloud
 
Why are you still getting CryptoLocker?
byAaron Lancaster
 
Evolution of ransomware
byCharles Steve
 
Ransomware protection
byRohit Srivastwa
 
MMW April 2016 Ransomware Resurgence
byCyphort
 
Analysing Ransomware
byNapier University
 
Your Money or Your Data: Ransomware, Cyber Security and Today’s Threat Landsc...
byRoger Hagedorn
 
Ransomware: Emergence of the Cyber-Extortion Menace
byZubair Baig
 
seminar report on What is ransomware
byJawhar Ali
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
byAndrew Morris
 
Understanding CryptoLocker (Ransomware) with a Case Study
bysecurityxploded
 
Ransomware: WanaCry, WanCrypt
byYash Diwakar
 
Wannacry & Petya ransomware
byRaghavendra P.V
 

Viewers also liked

PDF
Take the Ransom Out of Ransomware
byUnitrends
 
PDF
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
byJulia Yu-Chin Cheng
 
PPTX
Ransomware
byNortheast Kansas Library System
 
PPTX
Ransomware : A cyber crime without solution ? by Prashant Mali
byAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
PDF
ISACA April 21 - Eric Sorenson - Risk Presentation
byEric Sorenson
 
PDF
HART as an Attack Vector
byDigital Bond
 
PPTX
Malware's Most Wanted: CryptoLocker—The Ransomware Trojan
byCyphort
 
PDF
Web backdoors attacks, evasion, detection
byn|u - The Open Security Community
 
PPTX
Trojan virus & backdoors
byShrey Vyas
 
PPT
Layer 7: Getting Your SOA to Production Without Cost and Complexity
byCA API Management
 
PDF
2013 Security Threat Report
bySophos
 
PPTX
Complete Security
bySophos
 
PPTX
Get the Most From Your Firewall
bySophos
 
PPTX
Your Money or Your File! Highway Robbery with Blackhole and Ransomware
bySophos
 
PDF
Threat and Mitigation
byNoel Waterman
 
PPTX
Risk Analysis Of Banking Malware Attacks
byMarco Morana
 
PPTX
Logikcull Webinar: Preventing the Next Panama Papers
byLogikcull.com
 
PPTX
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
Take the Ransom Out of Ransomware
byUnitrends
 
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
byJulia Yu-Chin Cheng
 
Ransomware
byNortheast Kansas Library System
 
Ransomware : A cyber crime without solution ? by Prashant Mali
byAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
ISACA April 21 - Eric Sorenson - Risk Presentation
byEric Sorenson
 
HART as an Attack Vector
byDigital Bond
 
Malware's Most Wanted: CryptoLocker—The Ransomware Trojan
byCyphort
 
Web backdoors attacks, evasion, detection
byn|u - The Open Security Community
 
Trojan virus & backdoors
byShrey Vyas
 
Layer 7: Getting Your SOA to Production Without Cost and Complexity
byCA API Management
 
2013 Security Threat Report
bySophos
 
Complete Security
bySophos
 
Get the Most From Your Firewall
bySophos
 
Your Money or Your File! Highway Robbery with Blackhole and Ransomware
bySophos
 
Threat and Mitigation
byNoel Waterman
 
Risk Analysis Of Banking Malware Attacks
byMarco Morana
 
Logikcull Webinar: Preventing the Next Panama Papers
byLogikcull.com
 
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 

Similar to How to stay protected against ransomware

PDF
Step FWD IT_Ransomware-Guide
bychrismannering
 
PPTX
Ransomware the clock is ticking
byManoj Kumar Mishra
 
PDF
Webinar: A deep dive on ransomware
byCyren, Inc
 
PDF
Ransomware Trends 2017 & Mitigation Techniques
byAvinash Sinha
 
PDF
How to Help Your Customers Protect Themselves from Ransomware Attacks
bySolarwinds N-able
 
PDF
Ransomeware : A High Profile Attack
byIRJET Journal
 
PDF
Null mumbai Session on ransomware by_Aditya Jamkhande
bynullowaspmumbai
 
PDF
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
byNCCOMMS
 
PDF
Ransomware ly
byLisa Young
 
PDF
Ransomware - Rameez Shahzada
byRAMEEZ SHAHZADA
 
PDF
Combating RANSOMWare
byUmer Saeed
 
PDF
Ransomware hostage rescue manual
byRoel Palmaers
 
PPTX
Web Security.pptx
byAnnMichelleDiaz
 
PDF
Ransomware (1).pdf
byHiYeti1
 
PPTX
Ransomware
byChaitali Sharma
 
PDF
Your money or your files
byRoel Palmaers
 
PPTX
Meeting02_RoT.pptx
byothmanomar13
 
PDF
Get Smart about Ransomware: Protect Yourself and Organization
bySecurity Innovation
 
PDF
3. Ransomware (cyber awareness series)
byIsaac Feliciano
 
PPTX
3Es of Ransomware
bySunil Kumar
 
Step FWD IT_Ransomware-Guide
bychrismannering
 
Ransomware the clock is ticking
byManoj Kumar Mishra
 
Webinar: A deep dive on ransomware
byCyren, Inc
 
Ransomware Trends 2017 & Mitigation Techniques
byAvinash Sinha
 
How to Help Your Customers Protect Themselves from Ransomware Attacks
bySolarwinds N-able
 
Ransomeware : A High Profile Attack
byIRJET Journal
 
Null mumbai Session on ransomware by_Aditya Jamkhande
bynullowaspmumbai
 
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
byNCCOMMS
 
Ransomware ly
byLisa Young
 
Ransomware - Rameez Shahzada
byRAMEEZ SHAHZADA
 
Combating RANSOMWare
byUmer Saeed
 
Ransomware hostage rescue manual
byRoel Palmaers
 
Web Security.pptx
byAnnMichelleDiaz
 
Ransomware (1).pdf
byHiYeti1
 
Ransomware
byChaitali Sharma
 
Your money or your files
byRoel Palmaers
 
Meeting02_RoT.pptx
byothmanomar13
 
Get Smart about Ransomware: Protect Yourself and Organization
bySecurity Innovation
 
3. Ransomware (cyber awareness series)
byIsaac Feliciano
 
3Es of Ransomware
bySunil Kumar
 

More from Sophos Benelux

PPTX
Taking the battle to Ransomware with Sophos Intercept X
bySophos Benelux
 
PPTX
Sophos introduces the Threat Landscape
bySophos Benelux
 
PPTX
Sophos Security Day Belgium - The Hidden Gems of Sophos
bySophos Benelux
 
PPTX
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
bySophos Benelux
 
PPTX
Sophos Day Belgium - What's cooking in Sophos' Network Security Group?
bySophos Benelux
 
PPTX
Discover Synchronized Security - Sophos Day Netherlands
bySophos Benelux
 
PPTX
Hacking Mobile Apps
bySophos Benelux
 
PPTX
SDN - a new security paradigm?
bySophos Benelux
 
PPTX
Balabit - Shell Control Box
bySophos Benelux
 
PPTX
What's cooking at Sophos - an introduction to Synchronized Security
bySophos Benelux
 
PPTX
Sophos Cloud - breaking the stereotypes
bySophos Benelux
 
PPTX
Prevent million dollar fines - preparing for the EU General Data Regulation
bySophos Benelux
 
PPTX
Case Study Diagnostiek voor U
bySophos Benelux
 
PPTX
The next generation of IT security
bySophos Benelux
 
PPTX
Introduction Sophos Day Netherlands
bySophos Benelux
 
PPTX
The EU Data Protection Regulation - what you need to know
bySophos Benelux
 
PPTX
Security: more important than ever - Sophos Day Belux 2014
bySophos Benelux
 
PPTX
Securing with Sophos - Sophos Day Belux 2014
bySophos Benelux
 
PPTX
Anatomy of an Attack - Sophos Day Belux 2014
bySophos Benelux
 
Taking the battle to Ransomware with Sophos Intercept X
bySophos Benelux
 
Sophos introduces the Threat Landscape
bySophos Benelux
 
Sophos Security Day Belgium - The Hidden Gems of Sophos
bySophos Benelux
 
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
bySophos Benelux
 
Sophos Day Belgium - What's cooking in Sophos' Network Security Group?
bySophos Benelux
 
Discover Synchronized Security - Sophos Day Netherlands
bySophos Benelux
 
Hacking Mobile Apps
bySophos Benelux
 
SDN - a new security paradigm?
bySophos Benelux
 
Balabit - Shell Control Box
bySophos Benelux
 
What's cooking at Sophos - an introduction to Synchronized Security
bySophos Benelux
 
Sophos Cloud - breaking the stereotypes
bySophos Benelux
 
Prevent million dollar fines - preparing for the EU General Data Regulation
bySophos Benelux
 
Case Study Diagnostiek voor U
bySophos Benelux
 
The next generation of IT security
bySophos Benelux
 
Introduction Sophos Day Netherlands
bySophos Benelux
 
The EU Data Protection Regulation - what you need to know
bySophos Benelux
 
Security: more important than ever - Sophos Day Belux 2014
bySophos Benelux
 
Securing with Sophos - Sophos Day Belux 2014
bySophos Benelux
 
Anatomy of an Attack - Sophos Day Belux 2014
bySophos Benelux
 

Recently uploaded

PPTX
How to Manage Package Reservation in Odoo 18 Inventory
byCeline George
 
PPTX
Cost of Capital - Cost of Equity, Cost of debenture, Cost of Preference share...
bySundar B N
 
PDF
The Drift Principle: When Information Accelerates Faster Than Minds Can Compress
byReality Drift Archive
 
PPTX
Pig- piggy bank in Big Data Analytics.ppt.pptx
byVarshini M
 
PDF
Current Electricity for first year physiotherapy
byGanesh Jadhav
 
PDF
Projecte de la porta de primer B: L'antic Egipte
byeduardrubio1
 
PPTX
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
PPTX
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
PDF
FAMILY ASSESSMENT FORMAT - CHN practical
byDr. Sudhadevi Sadanandan
 
PDF
All Students Workshop 25 Yoga Wellness by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
PPTX
York "Collaboration for Research Support at U-M Library"
byNational Information Standards Organization (NISO)
 
PPTX
AI_in_Daily_Life_Presentation and more.pptx
bybantydansena
 
PDF
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
PPTX
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
PPTX
Limpitlaw "Licensing: From Mindset to Milestones"
byNational Information Standards Organization (NISO)
 
DOCX
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 
PPTX
Details of Muscular-and-Nervous-Tissues.pptx
byAshish Umale
 
PPTX
PURPOSIVE SAMPLING IN EDUCATIONAL RESEARCH RACHITHRA RK.pptx
byssuser047b711
 
PDF
Projecte de la porta d'i5B: Els animals marins
byeduardrubio1
 
PPTX
extracting significant information to formulate sound judgement
byMarichelle2
 
How to Manage Package Reservation in Odoo 18 Inventory
byCeline George
 
Cost of Capital - Cost of Equity, Cost of debenture, Cost of Preference share...
bySundar B N
 
The Drift Principle: When Information Accelerates Faster Than Minds Can Compress
byReality Drift Archive
 
Pig- piggy bank in Big Data Analytics.ppt.pptx
byVarshini M
 
Current Electricity for first year physiotherapy
byGanesh Jadhav
 
Projecte de la porta de primer B: L'antic Egipte
byeduardrubio1
 
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
FAMILY ASSESSMENT FORMAT - CHN practical
byDr. Sudhadevi Sadanandan
 
All Students Workshop 25 Yoga Wellness by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
York "Collaboration for Research Support at U-M Library"
byNational Information Standards Organization (NISO)
 
AI_in_Daily_Life_Presentation and more.pptx
bybantydansena
 
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
Limpitlaw "Licensing: From Mindset to Milestones"
byNational Information Standards Organization (NISO)
 
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 
Details of Muscular-and-Nervous-Tissues.pptx
byAshish Umale
 
PURPOSIVE SAMPLING IN EDUCATIONAL RESEARCH RACHITHRA RK.pptx
byssuser047b711
 
Projecte de la porta d'i5B: Els animals marins
byeduardrubio1
 
extracting significant information to formulate sound judgement
byMarichelle2
 

How to stay protected against ransomware

  • 1.
    11 Ransomware today: How toprotect against Locky and friends
  • 2.
    2 What we’re goingto cover • A bit of Background • Anatomy of a ransomware attack • The latest ransomware to rear its ugly head – introducing Locky and its friends • Why these attacks are so successful • Practical steps to protect your organization from ransomware threats • How Sophos can help
  • 3.
    3 A bit ofbackground Ransomware is a form of malware that encrypts private information and demands payment in order to decrypt it. History • CryptoLocker first appeared in 2013 • New variants emerge all-too-regularly • Current wave has roots in the early days of FakeAV • Locky is one of the newest flavors to menace internet users • Common ransom demands for USD 200 – 500. • Technology used changes rapidly • Office documents with macros • CHM files • JavaScript • .bat files
  • 4.
    4 2 main vectorsof attack • SPAM (via social engineering) ○ Seemingly plausible sender ○ Has attachment e.g. invoice, parcel delivery note ○ The attachment contains an embedded macro ○ When the attachment is opened the macro downloads and then executes the ransomware payload ○ Used by Locky, TorrentLocker, CTB-Locker • Exploit kits ○ Black market tools used to easily create attacks that exploit known or unknown vulnerabilities (zero-day) ○ Client side vulnerabilities usually target the Web browser ○ Used by CryptoWall, TeslaCrypt, CrypVault, ThreatFinder
  • 5.
    55 Anatomy of aransomware attack
  • 6.
    6 Anatomy of aransomware attack And gone The ransomware will then delete itself leaving just the encrypted files and ransom notes behind. Ransom demand A message appears on the user’s desktop, explaining how a ransom (often in the form of bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key that only the attacker’s system has access to. Encryption of assets Certain files are then encrypted on the local computer and on all accessible network drives with this public key. Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery. Contact with the command & control server of the attacker The ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer. Installation via an exploit kit or spam with an infected attachment Once installed the ransomware modifies the registry keys
  • 7.
  • 8.
    8 Paying ransoms • Paymentis made in Bitcoins • Instructions are available via Tor • The ransom increases the longer you take to pay • On payment of the ransom, the public encryption key is provided so you can decrypt your computer files
  • 9.
  • 10.
    10 Locky: the newkid on the block • Nickname of a new strain of ransomware, so-called because it renames all your important files so that they have the extension .locky • Ransoms vary from BTC 0.5 to BTC 1.00 (1 BTC is worth about €380/$425/£300). • Started hitting the headlines in early 2016 • Wreaking havoc with at least 400,000 machines affected worldwide
  • 11.
    11 A common Lockyattack • You receive an email containing an attached document. ○ The document looks like gobbledegook. ○ The document advises you to enable macros “if the data encoding is incorrect.” ○ The criminals want you to click on the 'Options' button at the top of the page. • Once you click Options, Locky will start to execute on your computer. • As soon as it is ready to ask you for the ransom, it changes your desktop wallpaper. • The format of the demand varies, but the results are the same.
  • 12.
  • 13.
  • 14.
    14 TorrentLocker • Almost exclusivelydistributed via sophisticated spam campaigns ○ High quality emails ○ Translated into multiple languages (Dutch, Japanese, Korean, Italian, Spanish …) • Highly targeted geographically • Peculiarity: Use of the victim machine’s address book to send the ransomware to other machines • Communicates with its C&C server in HTTPS (POST requests) to make detection more difficult
  • 15.
    15 CTB-Locker • Peculiarity: Businessmodel based on affiliations ○ Infections are conducted by 'partners' who receive in return a portion of the takings ○ Enables faster spreading of malicious code ○ Approach notably used in the past by Fake-AV • The cyber crooks offer the option of a monthly payment to host all of the code. • Has also been widely distributed by the Rig and Nuclear exploit kits • As with TorrentLocker, the majority of infections have started via spam campaigns
  • 16.
    16 CTB-Locker variant thatattacks websites • Same name as the ransomware that attacks Windows computers • Written in PHP • First attack in the UK on 12th February 2016 • Already many hundreds of sites have been attacked • Attacks websites by encrypting all files in their repositories • A password-protected ‘shell’ is installed on most of the affected sites, allowing attackers to connect to the server(s) via a backdoor
  • 17.
    17 Angler: an all-too-well-knownexploit kit • Grown in notoriety since mid 2014 ○ The payload is stored in memory and the disk file is deleted ○ Detects security products and virtual machines ○ Ability to spread many infections: banking Trojans, backdoor, rootkits, ransomware • Easy to use ○ Doesn’t require any particular technical competence ○ Available for a few thousand USD on the Dark Web
  • 18.
    18 Angler’s evolution intothe dominant exploit kit Sep 2014 Jan 2015 May 2015
  • 19.
    19 Chain of infectionfor Angler exploit kits 1. The victim accesses a compromised web server through a vulnerable browser 2. The compromised web server redirects the connection to an intermediary server 3. In turn, the intermediary server redirects the connection to the attacker’s server which hosts the destination page of the exploit kit 4. The destination page looks for vulnerable plug-ins (Java, Flash, Silverlight) and their version numbers 5. If a vulnerable browser or plug in is detected the exploit kit releases its payload and infects the system.
  • 20.
    2020 Why these attacksare so successful
  • 21.
    21 Whyare theseattacks sosuccessful? Professionalattack technology • Highly professional approach e.g. usually provides the actual decryption key after payment of the ransom • Skillful social engineering • Hide malicious code in technologies that are permitted in many companies e.g. Microsoft Office macros, JavaScript, VBScript, Flash …
  • 22.
    22 Whyare theseattacks sosuccessful? Securityweaknesses in the affected companies • Inadequate backup strategy • Updates and patches are not implemented swiftly enough • Dangerous user/ rights permissions – more than they need • Lack of user security training • Security systems are not implemented or used correctly • Lack of IT security knowledge • Conflicting priorities: security vs productivity concerns
  • 23.
    2323 Practical steps toprotect against ransomware
  • 24.
    24 Best practices –do this NOW! 1. Backup regularly and keep a recent backup copy off-site. 2. Don’t enable macros in document attachments received via email. 3. Be cautious about unsolicited attachments. 4. Don’t give yourself more login power than you need. 5. Consider installing the Microsoft Office viewers. 6. Patch early, patch often. 7. Configure your security products correctly.
  • 25.
    25 Security solution requirements Asa minimum you should: • Deploy anti malware protection • Block spam • Use a sandboxing solution • Block risky file extensions (javascript, vbscript, chm etc…) • Password protect archive files • Use URL filtering (block access to C&C servers) • Use HTTPS filtering • Use HIPS (host intrusion prevention service) • Activate your client firewalls • Use a whitelisting solution
  • 26.
    26 Additional steps • Employeeawareness & training ○ Sophos IT Security Dos and Don’ts ○ Sophos Threatsaurus • Segment the company network ○ NAC solutions ensure only known computers can access the network ○ Separate functional areas within a firewall e.g. client and server networks • Encrypt company data ○ It doesn’t stop the ransomware but prevents damage caused by sensitive documents getting into the wrong hands • Use security analysis tools ○ If an infection does occur, it’s vital that the source is identified and contained ASAP.
  • 27.
  • 28.
    28 Complete protection: Enduserand Network Sophos Central Enduser Network Next-Gen Firewall /UTM Web Security Email Security Wireless Security SafeGuard Encryption Mobile Control Next-Gen Endpoint Protection Server Security Secure the Endpoint (PC/Mac) Next Gen Endpoint security to prevent, detect, investigate and remediate Secure the Mobile Device Secure smartphones and tablets just like any other endpoint Secure the Servers Protection optimized for server environment (physical or virtual): fast, effective, controlled Protect the Data Simple-to-use encryption for a highly effective last line of defense against data loss Secure the Perimeter Ultimate enterprise firewall performance, security, and control. Secure the Web Advanced protection, control, and insights that’s effective, affordable, and easy. Secure the Email Email threats and phishing attacks don’t stand a chance. Secure the Wireless Simple, secure Wi-Fi connection.
  • 29.
    29 Security as aSystem Synchronized Security Integrated, context-aware security where Enduser and Network technology share meaningful information to deliver better protection Security must be comprehensive The capabilities required to fully satisfy customer need Security can be made simple Platform, deployment, licensing, user experience Security is more effective as a system New possibilities through technology cooperation Next Gen Enduser Security Next Gen Network Security Sophos Cloud heartbeat SOPHOS LABS
  • 30.
    30 Malicious Traffic Detection SOPHOSSYSTEM PROTECTOR Application Tracking Threat Engine Application Control Emulator Device Control Web Protection IoC Collector Live Protection Security Heartbeat HIPS/ Runtime Protection Reputation Malicious Traffic Detection SophosL abs URL database Malware Identities HIPS rulesGenotypesFile look-up Reputation Apps SPAM Data Control Peripheral Types Anon. proxies Patches/ VulnerabilitiesWhitelist Administrator alerted Application interrupted i Compromise User | System | File MTD rules Malicious traffic detected Malicious Traffic Detection
  • 31.
    31 Sophos Sandstorm How SophosSandstorm works 1. If the file has known malware it’s blocked immediately. If it’s otherwise suspicious, and hasn’t been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait. 2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file will be sent to the security solution once the analysis is complete. 3. A detailed report is provided for each file analyzed. Advanced Threat Defense Made Simple Secure Web Gateway Secure Email Gateway Unified Threat Management Next-Gen Firewall
  • 32.
  • 33.
    33 Anatomy of aRansomware Attack Exploit Kit or Spam with Infection Command & Control Established Local Files are Encrypted Ransomware deleted, Ransom Instructions delivered
  • 34.
    34 Ransomware Cryptowall costs users$325M in 2015 ○ 2 out of 3 infections driven by phishing attack ○ Delivered by drive by exploit kits ○ 100’s of thousands of victims world wide More variants – Locky and Samas ○ Now for MAC and Windows users Targeting bigger Phish ○ $17K payment from California hospital CryptoGuard • Simple and Comprehensive • Universally prevents spontaneous encryption of data • Simple activation in Sophos Central CRYPTOGUARD CryptoGuard – Say Goodbye to Ransomware
  • 35.
    35 CryptoGuard • 1. monitorsfile system activity • 2. when file is opened-for-write, create just-in-time backup of the file • 3. when the file is closed, compare contents • 4. when file is no longer a document, mark as suspicious • 5. if this happens on many files (3 or more), rollback files from above backup, revoke write-access from process (or client IP) that did the changes • 6. all modifications are tracked per process or per client-IP; so if a remote client modifies files, they are tracked, rolled back and blocked if needed
  • 36.
    36 CryptoGuard • Stops localransomware from attacking local data • Stops local ransomware from attacking remote data (incl. mapped or unmapped shares) • Stops remote ransomware from attacking local data
  • 37.
    37 More information • Sophoswhitepaper on how to stay protected from ransomware https://www.sophos.com/en- us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprotectionwpna.pdf?la=en • Sophos technical whitepaper on ransomware https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-current-state-of- ransomware.pdf?la=en • Naked Security – regular stories on Locky and other ransomware attacks https://nakedsecurity.sophos.com/ • IT Security DOs and DON'Ts https://www.sophos.com/en- us/medialibrary/PDFs/employeetraining/sophosdosanddontshandbook.pdf?la=en • Threatsaurus https://www.sophos.com/en-us/medialibrary/PDFs/other/sophosthreatsaurusaz.pdf?la=en • Sophos free tools https://www.sophos.com/fr-fr/products/free-tools.aspx
  • 38.
  • 39.
    39© Sophos Ltd.All rights reserved.

Editor's Notes

  • #2 Welcome to our Session about Ransomware. I you have questions please type in the chat windows. Then we can gather the questions an answer them at the end or come back to you with the answers.
  • #3 What are we going to cover today. a little bit of background of the Ransomware How most ransomware attacks works. Some types of ransomware Locky and friends. Why the attacks work Some things you can do to protect yourself and minimized the risk. And last but not least, How can we, Sophos can help you.
  • #4 First of all, at bit of background on the Ransomeware As all of you know Ransomware is malware that encrypts your files and hold them Ransoms until you pay money to the bad guys to get to the key to decrypt the files. It started in 2013 with CryptoLocker. A lot of new types emerges. One of the latest ones out there is Locky. The ransom the bad guys ask is around 1 bitcoin. A bitcoin is about 380 euros or 430 USD about 300 pounds. What we’’ve seen is that the technology is changing. now it comes in office docs using macros CHM files Compiled HTML files. Javascript and bacht files. The are finding new ways to infect the target PC.
  • #5 We are seeing 2 main ways of attacks. Spam and Exploit kits. Spam : Seems to be from a plausible sender The emails are getting more sophisticated. The look very real. The attachments contain embedded macro Exploit Kits: Available in the black market You can easily create an attack that uses known or unknown vulnerabilities. They usually target the Webbrowser.
  • #7 When we look at Ransom ware attacks, we see the following pattern. Step 1 the Ransomware needs to be installed on the target computer. Usualy this is done through and Expoit kit or through a Spam campain. Once installed it’s going to change some registry key on the target. Step 2 When the Ransomware is active on the target, It’s going to connect to a command and control server and sends information about the infected computer and downloads a publickey for this computer. Step 3 Now the Ransomware has the public key is going to Encrypt files on the local computer including the networks drives that are accessible from this computer. Often the shadow copies on the Windows machine are deleted to prevent you to recover the encrypted files. Step 4 When the Ransomware has finished messing with your files it will show the ransom note, with the instructions how to pay the Ransom, often this is in Bitoins. Step 5 After the Ransom note is shown the Ransomware will delete itself and leaves you with the ransom note and the encrypted files.
  • #8 Here are some examples of the Ransom notes used. 1 bitcoin 1 Bitcoin equals 376.30 Euro 1 Bitcoin equals 427.59 US Dollar Second note. It’s 500 USD but this is only valid for 167h 58m and 54s After the key will cost you twice as much.
  • #9 The payment is normally done in Bitcoins The instructions on how to pay are availabe via Tor. They even have an FAQ and support. In this case you are seeing a countdown clock. If you do not pay before the countdown end the price to decrypt your file will be twice as much. If you deside to pay, which we are not recommending you to do. You will hopefully get the key to decrypt your files.
  • #10 Now we are going to look at some of the common Ransomware that’s around.
  • #11 One of the lastest onces Locky. Named after the extension it uses for the files that are encrypted .locky Ransoms are usually around 1 bitcoin is around 380 euro of 425 dollar or 300 pounds. Locky has surfaced a couple of months ago, early 2016.
  • #12 A Common Locky The user is receiving an email with a document. When they open the document they see all lot of characters, that doesn’t make sence. The bad guys want you to enable macros. It needs the macro to be executed. When the Ransomware is finished it will change you wallpaper and replace it with the Ransom note.
  • #13 Here is an example of a document. They want you to enable macros. But don’t do it.
  • #14 Here are the different Ransomnotes and also the amount you need to pay.
  • #15 TorrentLocker TorrentLocker spread though spam campains. High quality mails and different languages. It uses the victims address book to spread the ransomware to other machines. Communicates to the Command and Control Server using HTTPS, This makes it more difficult to detect that traffic.
  • #16 The authors of CTB-Locker are using an affiliate program to drive infections by outsourcing the infection process to a network of affiliates or partners in exchange for a cut of the profits. offering a hosted option where the operator pays a monthly fee and they will host all the code. Has been spread by Rig and Nuclear Exploits kits but most of the infectecting were through spam campains. They also has Ransom notes in different laguages.
  • #17 CTB Locker Same name as the previous ones. But this ones Attacks websites by Encrypting files in their repositories. On most sites they install a password-protected shell to get to the servers via a backdoor
  • #18 One of the Well known exploit kits is Angles It is used to spead many infections. Payload is stored in memory and the local file is deleted. It is easy to use and you can buy it on the darkweb for few thousand Dollars. In the picture you see the revenue
  • #19 Angler is gained marketshare over the last few year. Is we look at 2014 it had around 23% Half a year later in januari of 2015 is was arount 39% A couple of month after that it increased to over 82 % Just last Sunday According to Fox-IT Security Operations Center, at least 288 websites were affected, and it is believed that a compromised ad network was responsible for so many sites being affected simultaneously. A lot of the popular news site in The Netherlands were hit… nu.nl marktplaats.nl sbs6.nl rtlnieuws.nl rtlz.nl startpagina.nl buienradar.nl Angler was used in this case
  • #22 They act like a normally company, have faqs, support and usully provide the decryption key after the payment. Using social engineering And hide the code in program/document that many companies uses every day Like macros, javascripts.
  • #25 Backup regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands. Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it! Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out. Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights. Consider installing the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn’t support macros at all, so you can’t enable macros by mistake! Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit. Configure your security products correctly. To enable them to work effectively they need to be configured correctly. Sophos customers should check out the ‘How to stay protected against ransomware’ whitepaper which includes, amongst other good advice, optimal configuration settings for Sophos solutions.
  • #27 Employee awareness/training In addition to the immediate measures described above , it's important that all employees receive regular IT security training. The success of these measures should also be checked regularly. Sophos provides a number of free tools to help educate employees on security threats, including IT Security DOs and DON'Ts and the Threatsaurus. Segmentation of the company network Security measures at the gateway are rendered useless if a computer that is introduced to the network without authorization (private notebook, computer belonging to the service provider, company notebook with outdated virus protection) is allowed to infiltrate these measures. Network Access Control (NAC) solutions, for example, can help against the threat of an unauthorized device in the network by only allowing known computers access to the network. Therefore, in general, the principle that each system only has access to those resources that are necessary to fulfill the relevant tasks should also apply to the network design. In the network area, this also means that you separate functional areas with a firewall, e.g. the client and server networks. The relevant target systems and services can only be accessed if this is really necessary. The backup servers can then only be accessed from the work stations, for example, via the port required by the backup solution, not via Windows file system access. As a result, you must also consider applying a client firewall to work stations or servers because there is usually no reason for work stations or servers to have communication with each other, unless it relates to known services. This method can also help to prevent waves of infection within a network. Encrypting company data Suitable encryption of company documents can help to prevent malware from obtaining unencrypted access to confidential documents. This prevents damage caused by the outflow of business-relevant documents. Use security-analysis tools Even if you implement all of the above measures, you can never guarantee with 100% certainty that security incidents/infections in company computers will be prevented in the future. However, if an incident does occur, it is vital that the source of the infection and any potential effects on other company systems are identified as quickly as possible and contained. This can help to reduce the time and effort required to identify and correct the affected systems and restore functionality to the IT infrastructure drastically. In addition, by identifying the source and the method of infection, potential vulnerabilities in the security concept can be highlighted and eliminated.
  • #29 We have a complete security porfolio protection Enduser as well as the Network.
  • #30 We offer security as a system. With our Synchronized Security We integrated our different solutions and information between our products. So that we are able act inmediately on the thing happening in the network. One of the first is the integration between our XG firewall and our Cloud EndPoint by using our Security Heartbeat. We bring the Endpoint and the Firewall together and exchange information that can be used to pro actively block threats.
  • #31 Malicious Traffic Detection. Here we have infected device that is trying to communicate to a command and control server. This is detect by the Malicious Traffic detection (MTD) on the client The Administrator is Alerted and get the info on the user system en file that is responsible for the threat. The application is automatically blocked.
  • #32 Another Feature you can use is Sophos Sandstrom. Sophos Sandstorm is cloudbased sandboxing. We can the feature with our Web and Email Appliance and with the Sophos UTM v9.4 How does it work? If we have suspicious file, we create a hash and check that hash with our sandstorm. If we have seen the file before we know if the file is good of bad. Is it a bad file it’s block immediately if it’s the, the user is receiving the file. If it’s a new file the file is send to the sandbox and is detonated. Then the behaviour is monitored. And the decision Allow or block is send back. There is also a detailed report for each file that is analyzed.
  • #33 This is part of our Project Spectrum. Spectrum will integrate the technics of Hitman Pro, that we acquired late last year.
  • #34 To recap, This is basically the way Ransomware is operating. It needs to be delivered, using an exploit kit of spam infection. Then it connects to a command an Control Server. Local Files are getting Encrypted. RansomWare is deleted and the Instructions for paying the Ransom is Shown.
  • #35 CryptoGuard is the anti-ransomware component and it works independently to provide another layer of defense against your data being held hostage by the Locky/Cryptowall type of malware. I t’s a driver in the file filter stack that monitors the behaviors of the applications and processes that access your documents. If it detects that an application is encrypting a number of files it will automatically isolate that process from the file system such that it cannot do any more damage AND it will roll-back any files that have been impacted to their prior state.
  • #36   CryptoGuard is the anti-ransomware component and it works independently to provide another layer of defense against your data being held hostage by the Locky/Cryptowall type of malware. It’s a driver in the file filter stack that monitors the behaviors of the applications and processes that access your documents. If it detects that an application is encrypting a number of files it will automatically isolate that process from the file system such that it cannot do any more damage AND it will roll-back any files that have been impacted to their prior state.   Lightweight and effective CryptoGuard provides another later of defense for your endpoints and data. It: a.       Stops local ransomware from attacking local data b.       Stops local ransomware from attacking remote data (incl. mapped or unmapped shares) c.       Stops remote ransomware from attacking local data   Since most ransomware inject/run from legitimate trusted processes, or even consist of or only use trusted binaries, CryptoGuard is not shy revoking write-access from legitimate/trusted processes (or client IP).