UK Ransomware – Matthew Walker, HEAT Software

Ransomware: How to Avoid Extortion
Matthew Walker – VP Northern Europe
©2015 HEAT Software. All rights reserved. Proprietary & Confidential.
Examples of Ransomware
About Ransomware
84% believe their company would be seriously damaged if it were successfully infected with ransomware
31% admitted that if their corporate networks were infected they’d have no choice but to pay the ransom
How Does It Work?
The stages, in the order an infection runs through them:
• Delivery (Phishing Email, Malvertising, Botnet, Drive-By Download, Malicious App)
• Infection
• Installation
• Disable Defenses
• Phone Home
• Encrypt Data Files
• Demand Ransom
• Support Services
• Pay Ransom
• Release of Files
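Of these stages, "Encrypt Data Files" is the one an endpoint can still catch before most of the data is gone, and it has a recognisable shape: one process rewriting many user files in a short burst, with output that looks random. The following added example (not code from this presentation or from HEAT Software) runs that check over constructed file-activity events. The event layout, the process names "update.exe", "WINWORD.EXE" and "7z.exe", the thresholds and the list of natively compressed formats are all assumptions made for the example.

```python
"""Ransomware encryption-burst detector run over constructed file-activity events.

Added example, not HEAT Software code. Assumptions: each event is a tuple
(timestamp_seconds, process_name, action, path, bytes_written); the thresholds
and the list of natively compressed formats are illustrative, not tuned values.
"""
import hashlib
import math
import os
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.2       # bits per byte; plain documents sit far below this (assumed threshold)
BURST_FILES = 20         # distinct suspicious files from one process inside the window (assumed)
WINDOW_SECONDS = 60      # sliding window length (assumed)
# Formats that are high-entropy by nature; excluded so archivers and image editors do not alert.
COMPRESSED_EXTENSIONS = {".zip", ".7z", ".gz", ".rar", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`: 8.0 for uniformly random bytes, roughly 4 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_write(path: str, content: bytes) -> bool:
    """High-entropy output written to a file whose extension is not a known compressed format."""
    ext = os.path.splitext(path)[1].lower()
    return ext not in COMPRESSED_EXTENSIONS and shannon_entropy(content) >= HIGH_ENTROPY


def detect_encryption_bursts(events, window=WINDOW_SECONDS, burst=BURST_FILES):
    """Return one alert per process that produces `burst` distinct suspicious files within `window` seconds."""
    recent = defaultdict(list)   # process -> [(ts, path)] still inside the sliding window
    flagged = set()
    alerts = []
    for ts, proc, action, path, content in sorted(events, key=lambda e: e[0]):
        if action not in ("write", "rename") or not is_suspicious_write(path, content):
            continue
        # Drop entries older than the window, then add this write.
        recent[proc] = [(t, p) for t, p in recent[proc] if ts - t <= window] + [(ts, path)]
        distinct = {p for _, p in recent[proc]}
        if len(distinct) >= burst and proc not in flagged:
            flagged.add(proc)
            alerts.append({"process": proc, "window_end": ts, "files": len(distinct),
                           "sample": sorted(distinct)[:3]})
    return alerts


# --- constructed sample data (not captured from a real system) ----------------

def pseudo_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic stand-in for encrypted output: a SHA-256 chain, close to 8 bits/byte."""
    out, block = bytearray(), seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def plaintext_document(i: int) -> bytes:
    return (f"Quarterly report {i}: revenue flat, costs down.\n" * 100).encode()


def build_sample_events():
    """Constructed events: normal editing, one archive job, then a ransomware-style burst."""
    base = 1_443_612_000
    events = []
    # A user saving three documents over ten minutes: low entropy, never suspicious.
    for i in range(3):
        events.append((base + 200 * i, "WINWORD.EXE", "write",
                       f"C:\\Users\\alice\\Documents\\report{i}.docx", plaintext_document(i)))
    # An archiver writing one compressed file: high entropy, but a known compressed format.
    events.append((base + 650, "7z.exe", "write",
                   "C:\\Users\\alice\\Documents\\archive.7z", pseudo_ciphertext("archive")))
    # Hypothetical ransomware "update.exe" rewriting 25 documents to *.locked in 25 seconds.
    for i in range(25):
        events.append((base + 700 + i, "update.exe", "rename",
                       f"C:\\Users\\alice\\Documents\\file{i}.docx.locked",
                       pseudo_ciphertext(f"victim{i}")))
    return events


if __name__ == "__main__":
    for alert in detect_encryption_bursts(build_sample_events()):
        print(alert)
```

Two things worth noting. First, entropy alone is a poor signal, because archives, images and video are high-entropy by design; the extension exclusion and the per-process burst count are what keep an archiver or a backup agent from tripping the rule, and a real deployment would also exclude known backup and compression processes by path and signer. Second, in production the events come from endpoint telemetry (the EDR agent or a file-system filter driver), not from a list in memory, and the response to an alert is to suspend the offending process and isolate the host, which is where the incident response plan mentioned later in this deck takes over.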
Recommendations
Preparation
• Back-ups – follow the 3-2-1 rule (three copies, on two different media, one of them off-site); keep at least one copy offline or otherwise unreachable from the network, so that ransomware running with a user's rights cannot encrypt the backup as well
• Staff Training
• User Training
Network Defenses
• NGFW, EDR, Threat Intel
Endpoint Defense-in-Depth
• Patch and Configuration Management
• Application Whitelisting
• Data Encryption
• Device Control
• Antivirus
Post-Event
• Configuration Restoration
• Forensics
• Infrastructure Changes
Recommendations
Endpoint Defense-in-Depth
• Antivirus: Control the Bad
• Device Control: Control the Flow
• HD and Media Encryption: Control the Data
• Application Control: Control the Gray
• Patch and Configuration Management: Control the Vulnerability Landscape
Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which go beyond the traditional blacklist approach.
Recommendations
Patch and Configuration Management
• Reduces the attackable surface area that attackers can target
• Central configuration of native system security controls such as firewalls and OS protections (e.g., ASLR, DEP)
• Improves endpoint performance and stability
Recommendations
Application Whitelisting
• Effective against zero-day attacks whose payload is an executable that is not on the approved list
• Stops unknown, targeted malware payloads, regardless of delivery mechanism
• Low performance impact on endpoints
• Does not cover code that runs inside an already approved process (Office macros, script interpreters, injected code), so it complements patching and antivirus rather than replacing them
Recommendations
Data Encryption
• Protects data in cases of theft or accidental loss
• Makes lateral data acquisition more difficult for APTs
• Required or expected by most data-protection regulations
• Does not protect against ransomware itself: the malware runs on the unlocked system with the user's own access, so it reads and overwrites files exactly as the user can
Recommendations
Device / Port Control
• Can prevent unauthorized devices from delivering payloads
• Can stop specific file types from being copied to host machines
• Closes a common delivery vector (removable media) that bypasses otherwise extensive physical and network security controls
Recommendations
Antivirus
• Stops “background noise” malware
• May detect reused code and evasion techniques
• Will eventually clean payloads after signatures are developed
• Removing the payload does not recover files that were already encrypted; that is what the backups are for
Summary
• Ransomware, cyber-extortion, digital blackmail – it’s evil and it’s here
• Implement the security tech and training ahead of time to minimize the chances of your data being held for ransom and to maximize your ability to recover quickly
• Have an Incident Response Plan in place
www.heatsoftware.com
www.lumension.com