Ben Yarbrough Ransomware CEO - Calyptix Security...anti-virus, operating systems, applications, and...
3/16/2015
1
Ransomware: How to avoid a crypto crisis at your IT business
Jerry Koutavas, President, The ASCII Group, [email protected]
Ben Yarbrough, CEO, Calyptix Security
#webclinic#calyptix
Today’s Agenda
1. Ransomware background
2. How to avoid a crypto crisis
3. About AccessEnforcer
4. Helpful resources
Ransomware Background
What is Ransomware?
• Extortion via software
• Restricts access to an infected computer system and demands a ransom payment to return access.
• Dates back to 1989 with the AIDS trojan
• AIDS hid folders, encrypted filenames, and said a software license had expired. Fee of $189 to “renew” license and unlock the computer
What is encrypting or “crypto” ransomware?
• Today’s primary ransomware threat
• Restricts access by encrypting a victim’s files. Demands a ransom to decrypt them
• Common examples:
– Cryptolocker, Critroni, CTB-Locker
Cryptolocker
• Widely known variant of ransomware
• Rose to prominence in late 2013
• Defeated in June 2014 in a joint effort by various government agencies and security firms
• Decryption keys now freely available for victims at www.decryptcryptolocker.com
Decryption is impossible
• Decrypting files is mathematically infeasible without a key
• After infection, the only hope is to restore from backup or pay the ransom
• Paying the ransom is a bad idea – it encourages the criminals
How does ransomware spread?
• Malicious email attachments
– Appears as notice for invoice, voicemail, shipment, etc.
– Affects corporate and personal email (Gmail, Yahoo!, etc.)
• Drive-by downloads
– Malicious websites infect victims via exploits for unpatched software
How does ransomware spread?
• Malvertising
– Online advertising used to spread malware
– Recent example included pages from Yahoo, AOL, The Atlantic, Match.com
• Removable drives
– Connecting an infected USB drive can spread some variants
– Includes mobile devices
Common scenario
• A “dropper” is installed on the victim’s machine
• The dropper downloads and installs the full malware package
• Malware searches the local machine and all mapped drives for targeted files.
• Files are encrypted using a strong algorithm.
Common scenario
• Victim is notified that the files are locked.
• Ransom is demanded, often from $100 to $600, to be paid in Bitcoins
• Instructions provided on how to acquire Bitcoins and pay
Common scenario
• Deadline given for ransom payment, often from 48 to 96 hours
• If ransom is not paid by deadline, the ransom will increase or the decryption key will be destroyed.
An evolving threat
• Hundreds of thousands of ransomware variations exist
• Some allow users to decrypt up to five files to “prove” decryption is possible.
• Victims can read payment instructions in multiple languages
• Ransoms jumped from $24 to $650 in some later versions
Where is it headed?
• RansomWeb – Hackers encrypt data stored on a web server and demand a ransom payment.
“The next step might well be the modern equivalent of protection rackets – threatening companies with being either taken offline or having their databases frozen unless they pay a regular fee.”
– Professor Alan Woodward, University of Surrey Department of Computing
Thousands of victims
• Cryptolocker made $30 million in 100 days, according to some estimates
• Ransoms paid by police departments, town halls, law offices, and businesses of all sizes
Thousands of victims
• The Law Offices of Paul Goodson, based in Charlotte, NC, lost every document on its main server
• Infected by a malicious email attachment. Email disguised as a voicemail notification.
• Attempted to pay $300 ransom but did not complete the transaction by deadline
Free marketing resource
• Show law firms the dangers of ransomware
• Includes three examples of attacked law firms
• We will send it to you after today’s presentation
How to avoid a crypto crisis
Educate users: Ransomware Is Bad
• Suspicious emails
• Suspicious sites
• Software and network hygiene
• Segregate personal and business web use
• Explain the rationale of restricting business networks
Patch, patch, patch
• Maintain the latest versions of your firewall, anti-virus, operating systems, applications, and other systems.
• Automatically update as new patches become available.
Filter spam and malicious email
• The top way ransomware spreads is by email attachment
• Some infections begin with a .scr file that arrives in a .zip or .cab email attachment
• Filter emails for content and attachments before they reach end users
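As an added example (not from the slides and not Calyptix code), the Python script below shows the kind of attachment check a mail filter can run before a message reaches an end user: it parses a message, flags attachments with executable extensions such as .scr, looks inside .zip attachments for the same, and holds .cab archives it cannot open. The “voicemail notification” message is constructed inline as test data, and the extension list beyond .scr is an assumption, not a vendor rule set.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions a filter should never deliver to end users. The slides name .scr;
# the rest of this list is an assumption added for the example.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def extension_of(name: str) -> str:
    """Return the lowercase final extension of a filename ('' if none)."""
    name = name.strip().lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def blocked_members_in_zip(data: bytes) -> list:
    """List zip members whose extension is blocked; a corrupt zip counts as blocked."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [m for m in archive.namelist() if extension_of(m) in BLOCKED_EXTENSIONS]
    except zipfile.BadZipFile:
        return ["<unreadable zip archive>"]


def scan_message(raw: bytes) -> list:
    """Return reasons to quarantine the message; an empty list means deliver it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        ext = extension_of(filename)
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"attachment {filename!r}: blocked extension {ext}")
        elif ext == ".zip":
            bad = blocked_members_in_zip(payload)
            if bad:
                reasons.append(f"archive {filename!r} contains {bad}")
        elif ext == ".cab":
            # The standard library has no .cab reader; hold opaque archives for review.
            reasons.append(f"archive {filename!r}: .cab cannot be inspected, hold for review")
    return reasons


def build_message(attachment_name: str, attachment_bytes: bytes, subtype: str) -> bytes:
    """Construct a sample message with one attachment (test data, not a real email)."""
    msg = EmailMessage()
    msg["From"] = "voicemail@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "You have a new voice message"
    msg.set_content("Your voicemail is attached.")
    msg.add_attachment(attachment_bytes, maintype="application", subtype=subtype,
                       filename=attachment_name)
    return msg.as_bytes()


def sample_dropper_message() -> bytes:
    """A constructed voicemail lure: a .zip wrapping a .scr file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("VoiceMessage.wav.scr", b"placeholder bytes, not a real program")
    return build_message("VoiceMessage.zip", buf.getvalue(), "zip")


def sample_clean_message() -> bytes:
    """A constructed message whose attachment is an ordinary PDF."""
    return build_message("invoice.pdf", b"%PDF-1.4 placeholder", "pdf")


if __name__ == "__main__":
    for label, raw in (("dropper", sample_dropper_message()), ("clean", sample_clean_message())):
        verdict = scan_message(raw)
        print(label, "->", "QUARANTINE" if verdict else "deliver", verdict)
```

The check runs on the filename inside the archive, not on the archive’s own name, which is why a double extension such as VoiceMessage.wav.scr is still caught; a production filter would add content-type sniffing so a renamed executable is not waved through on extension alone.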
Filter outbound traffic
• Control the websites users can access
• Block connections to malicious hosts
• Block IP range 146.185.220.0/23
– Range is associated with CryptoWall
• Enable intrusion prevention system (IPS)
– Default deny for all outbound traffic
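The outbound policy on this slide (block the named range, allow only approved destinations, deny everything else) can be written down and checked in a few lines. The following is an added example, not Calyptix or AccessEnforcer code: it evaluates constructed connection attempts against an ordered rule list where the first match wins, and renders the same list as iptables OUTPUT rules. Only 146.185.220.0/23 comes from the slide; the allowed networks 192.0.2.0/24 and 198.51.100.10 are constructed documentation addresses standing in for a business’s approved destinations.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    network: str                # destination CIDR, e.g. "146.185.220.0/23"
    port: Optional[int] = None  # None matches every destination port
    note: str = ""

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        addr = ipaddress.ip_address(dst_ip)
        net = ipaddress.ip_network(self.network, strict=False)
        # An IPv6 address never matches an IPv4 network, so the 'in' test is safe.
        return addr in net and (self.port is None or self.port == dst_port)


# Ordered policy: first match wins, and the last rule is the default deny.
OUTBOUND_RULES = [
    Rule("deny", "146.185.220.0/23", note="range associated with CryptoWall (from the slide)"),
    Rule("allow", "192.0.2.0/24", port=443, note="constructed: approved SaaS provider"),
    Rule("allow", "198.51.100.10/32", port=25, note="constructed: hosted mail relay"),
    Rule("deny", "0.0.0.0/0", note="default deny for all outbound traffic"),
]


def evaluate(dst_ip: str, dst_port: int, rules=OUTBOUND_RULES) -> tuple:
    """Return (action, note) for the first rule matching the connection attempt."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action, rule.note
    return "deny", "no rule matched"   # only reached if the catch-all is removed


def to_iptables(rules=OUTBOUND_RULES) -> list:
    """Render the policy as iptables commands for the OUTPUT chain."""
    lines = []
    for rule in rules:
        target = "ACCEPT" if rule.action == "allow" else "DROP"
        # Port-specific rules are TCP here; rules without a port cover every protocol.
        proto = f" -p tcp --dport {rule.port}" if rule.port is not None else ""
        lines.append(f"iptables -A OUTPUT -d {rule.network}{proto} -j {target}")
    return lines


def audit(connections, rules=OUTBOUND_RULES) -> list:
    """Evaluate a batch of (ip, port) attempts and return log-style lines."""
    log = []
    for dst_ip, dst_port in connections:
        action, note = evaluate(dst_ip, dst_port, rules)
        log.append(f"{action.upper():5} {dst_ip}:{dst_port}  ({note})")
    return log


if __name__ == "__main__":
    # Constructed connection attempts, such as a filter might see from an infected host.
    sample = [("146.185.221.7", 443), ("192.0.2.50", 443),
              ("192.0.2.50", 80), ("203.0.113.9", 8080)]
    print("\n".join(audit(sample)))
    print("\n".join(to_iptables()))
```

A real default-deny policy also needs explicit allow rules for DNS, patch and anti-virus update servers, and the mail and web services the business depends on; the point of keeping the rules in one ordered list is that every exception is visible and can be reviewed.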
Group policies for Windows
• Block ransomware from installing in its favorite directories
• Free resource: Cryptolocker Prevention Kit from Third Tier (link at end of presentation)
Limit access to network shares
• Ransomware checks all mapped drives (including network drives)
• Only administrator and backup service provider should access backup drives
• When mounting a backup for restore purposes, make sure the permissions are set to “read only”
Back up all files
• The only way to fully recover from infection is with a good backup
• Many businesses operate without backups, which can make ransomware infection a worst-case scenario
• Remember to test backups. They are only good if you can restore the data.
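Testing a backup means proving the data comes back intact, not just that the job ran. The following added example (not from the slides or Calyptix) records a SHA-256 manifest when the backup is taken and checks a restored copy against it, reporting files that are missing, altered, or unexpected. It uses temporary directories with constructed sample files in place of real backup media.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's relative path (POSIX form) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: dict) -> list:
    """Compare a restored tree to the manifest; an empty list means the restore is good."""
    problems = []
    actual = build_manifest(restored)
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"changed: {rel}")
    for rel in actual:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def run_restore_test() -> tuple:
    """Simulate backup -> restore -> verify, then damage the copy and verify again.

    Returns (problems_after_clean_restore, problems_after_damage).
    """
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "clients").mkdir(parents=True)
        # Constructed sample files standing in for a small document share.
        (source / "clients" / "case-1001.docx").write_bytes(b"contract draft v3")
        (source / "ledger.xlsx").write_bytes(b"2015 billing ledger")
        manifest = build_manifest(source)   # taken at backup time, stored with the backup

        # The "restore" is a plain copy here; a real test restores from the backup media.
        restored = Path(tmp) / "restored"
        shutil.copytree(source, restored)
        clean = verify_restore(restored, manifest)

        # Simulate a damaged copy: one file overwritten, one extra file present.
        (restored / "ledger.xlsx").write_bytes(b"\x00unreadable\x00")
        (restored / "ledger.xlsx.locked").write_bytes(b"not part of the backup")
        damaged = verify_restore(restored, manifest)
    return clean, damaged


if __name__ == "__main__":
    ok, bad = run_restore_test()
    print("clean restore:", ok or "all files verified")
    print("damaged restore:", bad)
```

Keep the manifest with the backup set but not on the shares the ransomware can reach, and run the verification from a host where the backup volume is mounted read-only, as the previous slide recommends, so the check itself cannot alter the copy.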
Additional tips
• Install a reputable anti-virus solution such as Microsoft Security Essentials or Malwarebytes.
• Do not allow user accounts to modify applications or the operating system (e.g. standard user)
• Adjust web browser settings to prevent forced downloads
What if you are infected?
• Immediately power off the machine
• Unplug from the network
• Remove the hard drive and scan it with antivirus to remove infection.
• Do not power on the drive until it is cleaned
AccessEnforcer
AccessEnforcer
Simple and powerful UTM firewall for small and medium business
AccessEnforcer
• Features include:
– Intrusion detection and prevention (IDS/IPS)
– Unlimited VPN
– Web filter
– Spam filter
– Multi-WAN
– Quality of service (QoS)
– Automatic updates
– GUI-based management
– Many more in the full features list
Simplest Reseller Program in the Industry
• The Breakthrough Program
– 30-day license for monthly service
– Includes every security feature
– Includes lifetime warranty
– Includes unlimited users
– Cancel without penalty
– No monthly or annual minimum
Simplest Reseller Program in the Industry
• Gives your IT business:
– Faster profits
– Fewer limitations and headaches
– Freedom from annual renewals
AccessEnforcer
Call to learn more about Calyptix reseller partnership: 704-971-8982
Helpful Resources
Calyptix Resources
• Marketing flyer for law firms (will send via email)
• Ransomware Prevention: 5 ways to avoid a crisis
– http://www.calyptix.com/malware/ransomware-prevention-5-ways-to-protect-your-business/
• Critroni Ransomware: Decryption not an option
– http://www.calyptix.com/malware/critroni-ransomware-decryption-not-an-option/
• AccessEnforcer: Full features list
– http://www.calyptix.com/wp-content/uploads/2014/09/AE-features-list.pdf
Additional Resources
• Cryptolocker Prevention Kit – Third Tier
– http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit/
• More ransomware resources from Third Tier
– http://www.thirdtier.net/?s=crypto
Questions?
Thank you!
Call to learn more about Calyptix reseller partnership: 704-971-8982