Stand and deliver! Your money or your data. James Burchell Sophos - PowerPoint PPT Presentation

Stand and deliver! Your money or your data. James Burchell Sophos Security Specialist

Endpo Endpoin int sec secur urit ity has r has reac eached a hed a ti tipping po poin int

Trumpings on Cyber “Now the cyber is so big and you look at what they’re doing with the internet.” “China know all about the cyber , all about it.” “We will never have great national security in the age of computers - Too many brilliant nerds can break codes.” Donald Trump

638 millio 638 million n ra ransomware attacks in 2016 2016 Fo Forbes

Ra Ransomware pa payoffs so s soar aring ing t towar ards ds $1bn $1bn a y a year ear FBI FBI

Medieval Witchcraft “Usually using photos of hoodie-cloaked blokes poised over a keyboard with Matrix -style green lettering in the background. But such figures – seen as untouchable, unbeatable, and untraceable – are chimeras, and it’s just adequate pernicious toe-rags who are doing the hacking.” Dr Ian Levy, Chief Technical Director, GCHQ

Crimeware as a service

Ransomware as a service

Two Main Attack Vectors Exploit kit Email attachments • Infect via compromised websites and • Infect via spam with malicious attachments malvertising • When the attachment is opened the • Black market tools used to easily create executable code downloads and then attacks that exploit known or unknown executes the ransomware payload vulnerabilities (zero-day) • Used by Locky, Zepto and CTB-Locker • Used by Cerber, CryptoWall, CryptXXX and CrypVault 15

“Two things are infinite: The universe and human stupidity, and I’m not so sure about the former.” - Albert Einstein

Rig Exploit Kit

April 2017

200+ Crypto-Ransomware Families .CryptoHasYou., 777, 7ev3n, 7h9r, 8lock8, Al Ransomware , Al Ransomware , Alpha Ransomware, AMBA, Apocalypse, ApocalypseVM, Alfa Ra Alma Ra AutoLocky, BadBlock, BaksoCrypt, Bandarchor, Bart, BitCryptor, BitStak, BlackShades Crypter, Blocatto, Booyah, Brazilian, BrLock, Browlock, Bucbi, BuyUnlockCode, Cerber, Chimera, CoinVault, Coverton, Cryaki, Crybola, CryFile, CryLocker, Cr CrypMIC , Crypren, Crypt38, Cryptear, Cr CryptFile2 , CryptInfinite, CryptoBit, CryptoDefense, CryptoFinancial, CryptoFortress, CryptoGraphic Locker, CryptoHost, CryptoJoker, Cr CryptoLocker , Cryptolocker 2.0, CryptoMix, CryptoRoger, CryptoShocker, CryptoTorLocker2015, CryptoWall 1, CryptoWall 2, CryptoWall 3, CryptoWall 4, CryptXXX, CryptXXX 2.0, CryptXXX 3.0, Cr CryptXXX 3.1 , CTB-Faker, CT Locker , CTB-Locker WEB, CTB-Lo CuteRansomware, DeCrypt Protect, DEDCryptor, DetoxCrypto, DirtyDecrypt, DMALocker, DMALocker 3.0, Domino, EDA2 / HiddenTear, EduCrypt, El-Polocker, Enigma, FairWare, Fakben, Fantom, Fonco, Fsociety, Fury, GhostCrypt, Globe, GNL Locker, Gomasom, Goopic, Gopher, Harasom, Herbst, Hi Buddy!, Hitler, HolyCrypt, HydraCrypt, iLock, iLockLight, International Police Association, JagerDecryptor, Jeiphoos, Jigsaw, Job Crypter, Ke KeRanger , KeyBTC, KEYHolder, KimcilWare, Korean, Kozy.Jozy, KratosCrypt, KryptoLocker, LeChiffre, Linux.Encoder, Locker, Lo Locky , Lortok, LowLevel04, Mabouia, Magic, MaktubLocker, MIRCOP, MireWare, Mischa, MM Locker, Mobef, NanoLocker, Nemucod, NoobCrypt, Nullbyte, ODCODC, Offline ransomware, OMG! Ransomware, Operation Global III, PadCrypt, Pclock, Pe Petya , PizzaCrypts, PokemonGO, PowerWare, PowerWorm, PRISM, R980, RAA encryptor, Radamant, Rakhni,, Rannoh, Ransom32, RansomLock, Rector, RektLocker, RemindMe, Rokku, Samas-Samsam, Sanction, Satana, Scraper, Serpico, Shark, ShinoLocker, Shujin, Simple_Encoder, SkidLocker / Pompous, Smrss32, SNSLocker, Sport, Stampado, Strictor, Surprise, SynoLocker, SZFLocker, TeslaCrypt 0.x - 2.2.0, TeslaCrypt 3.0+, TeslaCrypt 4.1A, TeslaCrypt 4.2, Threat Finder, To TorrentLocker , TowerWeb, Toxcrypt, Troldesh, TrueCrypter, Turkish Ransom, UmbreCrypt, Ungluk, Unlock92, VaultCrypt, VenusLocker, Virlock, Virus-Encoder, WildFire Locker, Xorist, XRTN, Zcrypt, Ze Zepto , Zimbra, Zlader / Russian, Zyklon

Exploit Common Security Weaknesses Inadequate backup strategy Systems not implemented correctly Poor patching Lack of IT security knowledge Conflicting priorities: security vs Users have more rights productivity concerns than they need Lack of user security training 21

Lack of Advanced Prevention Technology • Many organizations have some form of generic protection • Ransomware is constantly evolving and learning to exploit it • Solutions need to be designed specifically to combat the threat 22

9 Best Security Practices to Apply Now!

9 Best Practice Security Tips Backup! Backup! Backup! • Perform regular backups and keep them offline and off-site Enable File Extensions • Make it easier to spot suspicious file types Open JavaScript in Notepad • Block malicious scripts 24 24

9 Best Practice Security Tips Don’t enable macros in email attachments • Microsoft turned it off – don’t turn it back on! Be cautious with unsolicited attachments • If in doubt leave it out Don’t have more login power than you need • Admin rights could mean a local infection becomes a network disaster 25

9 Best Practice Security Tips Microsoft Office viewers • See what a document looks like without opening it Patch early, patch often • Keep your defences on top form and plug holes Stay up-to-date with new security features • For example Office 2016 now includes a control called “Block macros from running in Office files from the internet” 26

Reducing the threat ”Additional Steps” Education Enable Security Features Use Security Analysis Tools

Useful Resources • Naked Security nakedsecurity.sophos.com • Sophos whitepaper news.sophos.com/en-us/How to stay protected from ransomware • Sophos Security Best Practices sophos.com/en-us/security-news-trends/best-practices • Sophos free tools sophos.com/en-us/products/free-tools.aspx 28