Stand and deliver! Your money or your data. James Burchell Sophos - - PowerPoint PPT Presentation



SLIDE 1

Stand and deliver! Your money or your data.

James Burchell

Sophos Security Specialist

SLIDE 2

Endpoint security has reached a tipping point

SLIDE 3

“Now the cyber is so big and you look at what they’re doing with the internet.” “China know all about the cyber, all about it.” “We will never have great national security in the age of computers - Too many brilliant nerds can break codes.”

Donald Trump

Trumpings on Cyber

SLIDE 4
SLIDE 5
SLIDE 6
SLIDE 7
SLIDE 8

638 million ransomware attacks in 2016

Forbes

SLIDE 9

Ransomware payoffs soaring towards $1bn a year

FBI

SLIDE 10
SLIDE 11

“Usually using photos of hoodie-cloaked blokes poised over a keyboard with Matrix-style green lettering in the background. But such figures – seen as untouchable, unbeatable, and untraceable – are chimeras, and it’s just adequate pernicious toe-rags who are doing the hacking.”

Dr Ian Levy, Chief Technical Director, GCHQ

Medieval Witchcraft

SLIDE 12
SLIDE 13

Crimeware as a service

SLIDE 14

Ransomware as a service

SLIDE 15

Two Main Attack Vectors

Email attachments

  • Infect via spam with malicious attachments
  • When the attachment is opened the executable code downloads and then executes the ransomware payload
  • Used by Locky, Zepto and CTB-Locker

Exploit kit

  • Infect via compromised websites and malvertising
  • Black market tools used to easily create attacks that exploit known or unknown vulnerabilities (zero-day)
  • Used by Cerber, CryptoWall, CryptXXX and CrypVault

SLIDE 16

“Two things are infinite: The universe and human stupidity, and I’m not so sure about the former.”

Albert Einstein

SLIDE 17
SLIDE 18

Rig Exploit Kit

SLIDE 19

April 2017

SLIDE 20

200+ Crypto-Ransomware Families

.CryptoHasYou., 777, 7ev3n, 7h9r, 8lock8, Alfa Ransomware, Alma Ransomware, Alpha Ransomware, AMBA, Apocalypse, ApocalypseVM, AutoLocky, BadBlock, BaksoCrypt, Bandarchor, Bart, BitCryptor, BitStak, BlackShades Crypter, Blocatto, Booyah, Brazilian, BrLock, Browlock, Bucbi, BuyUnlockCode, Cerber, Chimera, CoinVault, Coverton, Cryaki, Crybola, CryFile, CryLocker, CrypMIC, Crypren, Crypt38, Cryptear, CryptFile2, CryptInfinite, CryptoBit, CryptoDefense, CryptoFinancial, CryptoFortress, CryptoGraphic Locker, CryptoHost, CryptoJoker, CryptoLocker, Cryptolocker 2.0, CryptoMix, CryptoRoger, CryptoShocker, CryptoTorLocker2015, CryptoWall 1, CryptoWall 2, CryptoWall 3, CryptoWall 4, CryptXXX, CryptXXX 2.0, CryptXXX 3.0, CryptXXX 3.1, CTB-Faker, CTB-Locker, CTB-Locker WEB, CuteRansomware, DeCrypt Protect, DEDCryptor, DetoxCrypto, DirtyDecrypt, DMALocker, DMALocker 3.0, Domino, EDA2 / HiddenTear, EduCrypt, El-Polocker, Enigma, FairWare, Fakben, Fantom, Fonco, Fsociety, Fury, GhostCrypt, Globe, GNL Locker, Gomasom, Goopic, Gopher, Harasom, Herbst, Hi Buddy!, Hitler, HolyCrypt, HydraCrypt, iLock, iLockLight, International Police Association, JagerDecryptor, Jeiphoos, Jigsaw, Job Crypter, KeRanger, KeyBTC, KEYHolder, KimcilWare, Korean, Kozy.Jozy, KratosCrypt, KryptoLocker, LeChiffre, Linux.Encoder, Locker, Locky, Lortok, LowLevel04, Mabouia, Magic, MaktubLocker, MIRCOP, MireWare, Mischa, MM Locker, Mobef, NanoLocker, Nemucod, NoobCrypt, Nullbyte, ODCODC, Offline ransomware, OMG! Ransomware, Operation Global III, PadCrypt, Pclock, Petya, PizzaCrypts, PokemonGO, PowerWare, PowerWorm, PRISM, R980, RAA encryptor, Radamant, Rakhni, Rannoh, Ransom32, RansomLock, Rector, RektLocker, RemindMe, Rokku, Samas-Samsam, Sanction, Satana, Scraper, Serpico, Shark, ShinoLocker, Shujin, Simple_Encoder, SkidLocker / Pompous, Smrss32, SNSLocker, Sport, Stampado, Strictor, Surprise, SynoLocker, SZFLocker, TeslaCrypt 0.x - 2.2.0, TeslaCrypt 3.0+, TeslaCrypt 4.1A, TeslaCrypt 4.2, Threat Finder, TorrentLocker, TowerWeb, Toxcrypt, Troldesh, TrueCrypter, Turkish Ransom, UmbreCrypt, Ungluk, Unlock92, VaultCrypt, VenusLocker, Virlock, Virus-Encoder, WildFire Locker, Xorist, XRTN, Zcrypt, Zepto, Zimbra, Zlader / Russian, Zyklon

SLIDE 21

Exploit Common Security Weaknesses

  • Inadequate backup strategy
  • Poor patching
  • Users have more rights than they need
  • Lack of user security training
  • Systems not implemented correctly
  • Lack of IT security knowledge
  • Conflicting priorities: security vs productivity concerns

SLIDE 22

Lack of Advanced Prevention Technology

  • Many organizations have some form of generic protection
  • Ransomware is constantly evolving and learning to exploit it
  • Solutions need to be designed specifically to combat the threat

SLIDE 23

9 Best Security Practices to Apply Now!

SLIDE 24

9 Best Practice Security Tips

Backup! Backup! Backup!

  • Perform regular backups and keep them offline and off-site

Enable File Extensions

  • Make it easier to spot suspicious file types

Open JavaScript in Notepad

  • Block malicious scripts
SLIDE 25

Don’t enable macros in email attachments

  • Microsoft turned it off – don’t turn it back on!

Be cautious with unsolicited attachments

  • If in doubt leave it out

Don’t have more login power than you need

  • Admin rights could mean a local infection becomes a network disaster

9 Best Practice Security Tips

SLIDE 26

Microsoft Office viewers

  • See what a document looks like without opening it

Patch early, patch often

  • Keep your defences on top form and plug holes

Stay up-to-date with new security features

  • For example Office 2016 now includes a control called “Block macros from running in Office files from the internet”

9 Best Practice Security Tips
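As an added example (not from Burchell's deck or from Sophos), three of the Windows-side tips above, "Enable File Extensions", "Open JavaScript in Notepad" and the Office 2016 "Block macros from running in Office files from the internet" control, turned into a PowerShell script that sets the per-user registry values behind them and reads them back; the Office version key (16.0) and the absence of a per-user UserChoice override for .js/.jse are assumptions.

```powershell
# Added example, not from the slides: apply three of the deck's Windows-side
# tips as per-user registry settings, then read them back for auditing.
# Assumptions: Office 2016 (policy key version 16.0), and no per-user
# "UserChoice" override already pinned to .js/.jse (that would win over
# the ProgID handler set below).
$ErrorActionPreference = 'Stop'

function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
}

# 1. "Enable File Extensions": stop Explorer hiding extensions, so a
#    double-extension attachment such as Invoice.pdf.js shows as a script.
Set-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt' 0

# 2. "Open JavaScript in Notepad": point the per-user open handler for the
#    JSFile and JSEFile ProgIDs at Notepad, so a double-clicked .js/.jse file
#    is displayed as text rather than run by Windows Script Host.
#    HKCU\Software\Classes overrides the machine-wide HKCR default.
foreach ($progId in 'JSFile', 'JSEFile') {
    Set-RegValue "HKCU:\Software\Classes\$progId\Shell\Open\Command" `
        '(Default)' '"%SystemRoot%\System32\notepad.exe" "%1"' 'ExpandString'
}

# 3. "Block macros from running in Office files from the internet": the
#    Office 2016 policy the slide names, stored as a DWORD (1 = enabled)
#    under the per-user Policies hive for each Office application.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    Set-RegValue "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" `
        'blockcontentexecutionfrominternet' 1
}

# Read the effective values back so the change can be verified or audited.
function Get-RansomwareHardeningState {
    [pscustomobject]@{
        HideFileExt    = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced').HideFileExt
        JsOpenHandler  = (Get-ItemProperty 'HKCU:\Software\Classes\JSFile\Shell\Open\Command').'(default)'
        WordMacroBlock = (Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security').blockcontentexecutionfrominternet
    }
}
Get-RansomwareHardeningState | Format-List
```

Explorer only re-reads HideFileExt after it restarts or the user signs in again, and each Office application picks up the policy value when it next starts.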

SLIDE 27

“Additional Steps”

Reducing the threat

  • Use Security Analysis Tools
  • Education
  • Enable Security Features

SLIDE 28

Useful Resources

  • Naked Security

nakedsecurity.sophos.com

  • Sophos whitepaper

news.sophos.com/en-us/How to stay protected from ransomware

  • Sophos Security Best Practices

sophos.com/en-us/security-news-trends/best-practices

  • Sophos free tools

sophos.com/en-us/products/free-tools.aspx

SLIDE 29