
Post on 19-Dec-2015


TRANSCRIPT

ENCRYPTING VIRUSES

THEY’RE THE MOST SIGNIFICANT THREAT TO BUSINESS THAT HAS EVER OCCURRED.

AMY BABINCHAK

• Owner, Harbor Computer Services (MSP)
• Owner, Third Tier
• Small Business MVP (former Small Business Server, Essential Business Server and Internet Security and Acceleration MVP)
• Blog: www.thirdtier.net/blog

SUSAN BRADLEY

• Enterprise Security MVP. Former Small Business Server MVP.
• IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun
• GSEC certification in security
• Prefers Heavy Duty Reynolds wrap for her tinfoil hat
• Blog: http://blogs.msmvps.com/bradley/

WHAT’S NEW WITH ENCRYPTING VIRUSES

• A BRIEF HISTORY OF THE EVOLUTION OF ENCRYPTING VIRUSES

• WHY THEY ARE HERE TO STAY

• BUSINESS IMPACT

• TAKING PROACTIVE ACTION

• GET TOOLS AND RESOURCES

A BRIEF HISTORY OF THE EVOLUTION OF ENCRYPTING VIRUSES

HOW THEY DO IT

• THE BIGGIES: CRYPTOLOCKER, CRYPTODEFENSE, TORRENTLOCKER, CRYPTOWALL 1, 2 AND 3

• A BOTNET DROPS A VIRUS ON THE COMPUTER.

• THE VIRUS CALLS HOME FOR THE ENCRYPTION KEY.

• FILES ARE ENCRYPTED – FAST!

• RANSOM NOTE IS DISPLAYED

WHY IT WORKS

• RUNS AS THE LOGGED-IN USER, SO IT CAN REACH EVERY FILE AND MAPPED DRIVE THAT USER CAN WRITE TO

• DOESN’T BEHAVE LIKE A VIRUS: IT ONLY READS AND REWRITES THE USER’S OWN FILES, WHICH LOOKS LIKE NORMAL ACTIVITY

WHY IT WORKS – PART 2

WHY ENCRYPTING INFECTIONS ARE HERE TO STAY

SHORT VERSION: $,$$$,$$$

MONEY TALKS

• CRYPTOLOCKER MADE $3 MILLION

• COPY CATS HAVE MADE AN ESTIMATED $30 MILLION

BUSINESS IMPACT

WHO GETS INFECTED?

• POLICE DEPARTMENTS IN MAINE PAID THE RANSOM

• HTTP://WWW.WCSH6.COM/STORY/NEWS/LOCAL/2015/04/10/POLICE-DEPARTMENTS-HIT-BY-RANSOMWARE-VIRUS/25593777/

“LINCOLN COUNTY SHERIFF TODD BRACKETT SAID FOUR TOWNS AND THE COUNTY HAVE A SPECIAL COMPUTER NETWORK TO SHARE FILES AND RECORDS. SOMEONE ACCIDENTALLY DOWNLOADED A VIRUS, CALLED "MEGACODE", THAT PUT AN ENCRYPTION CODE ON ALL THE COMPUTER DATA.

THE SHERIFF SAID IT BASICALLY MADE THE SYSTEM UNUSABLE, UNTIL THEY PAID A RANSOM FEE OF ABOUT $300 TO THE CREATOR OF THE VIRUS. AFTER THE FEE WAS RECEIVED, THE DEPARTMENT WAS GIVEN A SPECIAL CODE TO UNLOCK THE ENCRYPTION AND RESTORE THE FILES. THE SHERIFF AND DAMARISCOTTA POLICE CHIEF RON YOUNG SAID NO ONE LIKED HAVING TO PAY OFF THE BAD GUY, BUT IT WAS THE ONLY WAY TO GET THEIR INFORMATION BACK.”

WHO GETS INFECTED?

• LAW FIRM IN NORTH CAROLINA

• HTTP://WWW.ESECURITYPLANET.COM/MALWARE/LAW-FIRM-LOSES-ALL-FILES-TO-CRYPTOLOCKER-RANSOMWARE.HTML

“AS SOON AS THE EMAIL WAS OPENED, EVERY SINGLE DOCUMENT HERE AT GOODSON’S LAW FIRM WAS LOCKED UP. 

GOODSON TELLS CHANNEL 9 WHILE NO CONFIDENTIAL INFORMATION WAS STOLEN, HE'S LOST ACCESS TO THOUSANDS OF LEGAL DOCUMENTS.”

WHO GETS INFECTED?

• HOME USER IN MICHIGAN

• WE HELPED THEM PAY THE RANSOM

WHO GETS INFECTED?

• A BUSINESS IN MICHIGAN

• USER ERROR

• WE RESTORED FROM BACKUP

TAKING PROACTIVE ACTION

YOU CAN FIGHT THIS

THE USUAL SUSPECTS

• BACKUP

• PATCHES

• ANTI-VIRUS/ANTI-MALWARE SOFTWARE

CLEAN HOUSE

• MINIMIZE THE # OF MAPPED DRIVES

• TIGHTEN UP FILE/FOLDER PERMISSIONS

• PATCH JAVA/FLASH/SILVERLIGHT
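The "clean house" items above come down to one question: what can the logged-in user write to? Because the malware runs under that account, every share mapped for the user and every folder where a broad group holds write rights is in scope for encryption. The following audit script is an added example, not something from the presentation or from Third Tier; it walks a folder tree and reports ACEs that give wide groups the ability to overwrite or delete files. The root path, the principal patterns and the generic-rights handling are assumptions to adjust for your own environment.

```powershell
# Added example, not from the presentation: find folders where broad groups can write.
# Crypto-malware runs as the logged-in user, so every folder that "Everyone", "Users",
# "Authenticated Users" or "Domain Users" can write to is reachable for encryption.
# Assumptions: run on the file server (or against a UNC path) with rights to read ACLs;
# the principal patterns below are a starting list, extend them with your own wide groups.

$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    '*\Domain Users'          # wildcard so any NetBIOS domain prefix matches
)

# Rights that allow a file to be overwritten, replaced or deleted: WriteData (0x2), Delete (0x10000),
# plus the generic bits GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) that some ACEs carry.
$WriteMask = [int64](0x2 -bor 0x10000 -bor 0x10000000 -bor 0x40000000)

function Get-BroadWriteAccess {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$Principals = $BroadPrincipals
    )
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Enum values with generic bits set come back negative; mask to the unsigned 32-bit view.
            $raw = [int64]([int]$ace.FileSystemRights) -band 0xFFFFFFFF
            if (($raw -band $WriteMask) -eq 0) { continue }
            $id = $ace.IdentityReference.Value
            if ($Principals | Where-Object { $id -like $_ }) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage: list the broad write paths on a share, then decide which mappings can go.
# Get-BroadWriteAccess -Root 'D:\Shares' | Format-Table -AutoSize
# On a workstation, Get-SmbMapping shows which of those shares are mapped for the user.
```

Read the output with the "minimize the number of mapped drives" bullet in mind: a share that shows up here and is mapped for every user is the first thing a crypto infection will chew through, so either narrow the ACE to the group that actually edits those files or stop mapping it by default.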

BLOCK

• COMMAND AND CONTROL FOR CRYPTOWALL 2.0 ARE IN THE IP RANGE: 146.185.220.0/23

• MANY BOTNETS CALL HOME TO .RU DOMAINS

• TOR SITES ALSO USED

• ANY “ANONYMOUS SERVICE” – SEE IF YOUR FIREWALL VENDOR HAS PRESET RULES

• CONSIDER FILTERING/BLOCKING DROPBOX LINKS
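The block list above is actionable in two places: at the egress firewall, and as a review of what workstations are already talking to. The script below is an added example, not from the presentation, that puts the quoted 146.185.220.0/23 range into an outbound Windows Firewall rule as a host-level backstop and scores outbound connections against the slide's heuristics (.ru domains, Tor gateway hosts, Dropbox links). The C2 range is a point-in-time indicator from the slide and will drift; the Tor gateway patterns and the sample log lines are assumptions constructed for the example.

```powershell
# Added example, not from the presentation: make the slide's block list enforceable and check
# outbound traffic against it. The 146.185.220.0/23 range is the CryptoWall 2.0 C2 block quoted
# above; it is a point-in-time indicator, so keep it in one list and expect to refresh it.
# The .ru, Tor-gateway and Dropbox checks are coarse heuristics for a review queue, not proof of
# infection. The log lines below are constructed for the example, not real traffic.

$BlockedRanges   = @('146.185.220.0/23')
$TorGatewayGlobs = @('*.onion', '*.onion.*', '*.tor2web.*')        # assumed clearnet Tor gateway patterns
$DropboxGlobs    = @('dropbox.com', '*.dropbox.com', '*.dropboxusercontent.com')

function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { throw "IPv4 only: $Address" }
    $bytes = $ip.GetAddressBytes()
    [Array]::Reverse($bytes)                               # ToUInt32 expects little-endian
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr {
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Cidr)
    $net, $prefix = $Cidr -split '/'
    $mask = [int64](4294967296 - [math]::Pow(2, 32 - [int]$prefix))   # e.g. /23 -> 0xFFFFFE00
    return ((ConvertTo-IPv4Int $Address) -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)
}

function Get-DestinationFlags {
    param([Parameter(Mandatory)][string]$HostName, [string]$Address)
    $flags = @()
    if ($Address -and ($BlockedRanges | Where-Object { Test-IPv4InCidr $Address $_ })) { $flags += 'known-C2-range' }
    if ($HostName -like '*.ru')                                                          { $flags += 'ru-domain' }
    if ($TorGatewayGlobs | Where-Object { $HostName -like $_ })                          { $flags += 'tor-gateway' }
    if ($DropboxGlobs    | Where-Object { $HostName -like $_ })                          { $flags += 'dropbox-link' }
    return $flags
}

function Add-C2BlockRule {
    # Host-firewall backstop; put the same ranges in the perimeter firewall's egress deny list.
    param([switch]$Apply)
    foreach ($cidr in $BlockedRanges) {
        $name = "Block ransomware C2 $cidr"
        if ($Apply) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -RemoteAddress $cidr -Profile Any -Enabled True | Out-Null
            "created : $name"
        } else {
            "dry run : would create outbound block rule '$name' (use -Apply)"
        }
    }
}

# Constructed sample of outbound connections: time, client, destination host, destination IP.
$SampleLog = @'
2015-04-10T09:12:01 10.0.0.15 update.example.com            192.0.2.10
2015-04-10T09:12:07 10.0.0.15 invoice-office.ru             146.185.221.40
2015-04-10T09:12:09 10.0.0.21 dl.dropboxusercontent.com     198.51.100.7
2015-04-10T09:12:15 10.0.0.15 exampleonionhost.onion.to     203.0.113.9
'@

foreach ($line in ($SampleLog -split "`n")) {
    $time, $client, $dhost, $dip = ($line.Trim() -split '\s+')
    $flags = Get-DestinationFlags -HostName $dhost -Address $dip
    if ($flags) { "{0} {1} -> {2} [{3}]" -f $time, $client, $dhost, ($flags -join ', ') }
}

Add-C2BlockRule          # dry run; Add-C2BlockRule -Apply creates the rule (elevated)
```

Treat the .ru and Dropbox hits as a triage queue rather than an automatic block: a business with a Russian supplier or a team that shares files through Dropbox will produce legitimate matches, which is exactly why the slide says "consider" for the Dropbox link filter. The known-C2 hit is different and warrants pulling the client off the network and checking for the ransom note.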

EDUCATE

• URLS

• ATTACHMENTS

• FREE APPLICATIONS

• WEBSITES

• BANNER ADS

ZERO DAY FLASH

DON’T CLICK ON ADS

ADD POLICIES

• BLOCK LOCATIONS IN THE USER PROFILE

WHAT’S IN THE POLICIES?

SOFTWARE RESTRICTIONS

THE TELL

WMI FILTERS

DOCUMENTATION
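The policy the slides build is a Software Restriction Policy that refuses to launch executables from the places a dropper running as an ordinary user can always write: the roaming and local profile folders, the temp directories archive tools extract into, and Downloads. The script below is an added example, not the presenters' own kit, that audits the local-policy registry keys SRP reads for those rules and, with -Apply, writes them on a stand-alone machine. In a domain the same rule list belongs in a GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies), scoped with a WMI filter; the path list, the Chrome exception and the log file location are assumptions to adjust during the pilot.

```powershell
# Added example, not the presenters' own kit: Software Restriction Policy path rules that
# disallow executables launching from the user profile, the only locations a dropper running
# as an ordinary user can always write to.
# Assumptions: a stand-alone machine, written through the local-policy registry keys that SRP
# reads; in a domain the same rules belong in a GPO scoped with WMI filters. The path list and
# the Chrome exception are illustrative; per-user installers live in %LocalAppData% and need
# Unrestricted rules, which is where the testing and documentation steps come in.

$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0         # SRP security level "Disallowed"
$Unrestricted = 262144    # SRP security level "Unrestricted" (0x40000)

$DisallowedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\*.zip\*.exe',   # .exe run straight out of a ZIP opened by Explorer
    '%LocalAppData%\Temp\7z*\*.exe',     # ... or by 7-Zip
    '%LocalAppData%\Temp\Rar*\*.exe',    # ... or by WinRAR
    '%LocalAppData%\Temp\wz*\*.exe',     # ... or by WinZip
    '%UserProfile%\Downloads\*.exe'
)

# Assumed exception for a per-user browser install; add what your testing turns up.
$UnrestrictedPaths = @(
    '%LocalAppData%\Google\Chrome\Application\chrome.exe'
)

function Get-SaferPathRules {
    # Path rules currently in local policy, one object per rule with its level.
    foreach ($level in $Disallowed, $Unrestricted) {
        $key = Join-Path $SaferRoot "$level\Paths"
        if (-not (Test-Path $key)) { continue }
        foreach ($rule in Get-ChildItem $key) {
            # DoNotExpandEnvironmentNames keeps %AppData% as written, so rules compare as text.
            [pscustomobject]@{
                Level       = $level
                Path        = $rule.GetValue('ItemData', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                Description = $rule.GetValue('Description')
            }
        }
    }
}

function Set-SaferPathRule {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][int]$Level,
          [string]$Description = 'User-profile executable rule (ransomware)')
    $key = Join-Path $SaferRoot "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
}

function Install-SaferUserProfilePolicy {
    param([switch]$Apply, [string]$LogFile = 'C:\Windows\Temp\srp.log')
    if ($Apply) {
        New-Item -Path $SaferRoot -Force | Out-Null
        # Default Unrestricted; enforce for all users (PolicyScope 0) and for all program files
        # except DLLs (TransparentEnabled 1). LogFileName records every SRP decision, which is
        # the quickest way to see what the rules block during a pilot.
        New-ItemProperty -Path $SaferRoot -Name DefaultLevel       -Value $Unrestricted -PropertyType DWord  -Force | Out-Null
        New-ItemProperty -Path $SaferRoot -Name PolicyScope        -Value 0             -PropertyType DWord  -Force | Out-Null
        New-ItemProperty -Path $SaferRoot -Name TransparentEnabled -Value 1             -PropertyType DWord  -Force | Out-Null
        New-ItemProperty -Path $SaferRoot -Name LogFileName        -Value $LogFile      -PropertyType String -Force | Out-Null
    }
    $existing = @(Get-SaferPathRules)
    $desired  = @($DisallowedPaths   | ForEach-Object { @{ Path = $_; Level = $Disallowed } }) +
                @($UnrestrictedPaths | ForEach-Object { @{ Path = $_; Level = $Unrestricted } })
    foreach ($rule in $desired) {
        $present = $existing | Where-Object { $_.Level -eq $rule.Level -and $_.Path -eq $rule.Path }
        if ($present)    { "present : $($rule.Path)"; continue }
        if (-not $Apply) { "missing : $($rule.Path)   (run with -Apply to add)"; continue }
        Set-SaferPathRule -Path $rule.Path -Level $rule.Level
        "added   : $($rule.Path)"
    }
}

# Usage (elevated): audit first, then apply, then sign out and back in before testing.
Install-SaferUserProfilePolicy
# Install-SaferUserProfilePolicy -Apply
```

Run it in audit mode on a pilot machine first, apply it, and then watch the SRP log for a week: every legitimate program that appears there needs either an Unrestricted path rule or a move to Program Files, and the list you end up with is the documentation the slides ask for. A domain GPO that manages SRP will overwrite rules written locally this way, so once the rule set is settled, move it into the GPO and use the WMI filter to keep it off the machines (servers, lab boxes) where it should not apply.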


THE NEXT LEVEL UP

• BIT9

• SAVANTPROTECTION.COM

• UPGRADE TO ENTERPRISE LICENSES

• POSSIBLY WINDOWS 10 – SMARTSCREEN FILTER IN THE OS

• SECUREAPLUS FOR HOME USERS

APPLICATION WHITELISTING

TOOLS AND RESOURCES

HTTP://WWW.THIRDTIER.NET/?S=CRYPTO

HTTP://WWW.BLEEPINGCOMPUTER.COM/VIRUS-REMOVAL/CRYPTOLOCKER-RANSOMWARE-INFORMATION#DECRYPT

MORE FROM THIRD TIER

GO TO HTTP://WWW.THIRDTIER.NET/EVENTS

• AMY AND SUSAN MONTHLY WEBINARS

• FOURTH WEDNESDAY 8PM EASTERN

• PHIL: MONTHLY CHAT

• THIRD WEDNESDAY 7PM EASTERN

• SUPER SECRET NEWS

• GO TO OUR WEBSITE TO SIGN UP. PEOPLE ARE ALREADY SIGNED UP

• AMY: CALYPTIX RANSOMWARE TECHNICAL PRESENTATION

• MAY 6TH 2PM EASTERN

• MVP ONLINE CONFERENCE

• SUSAN IS PRESENTING! MAY 14TH 4-6PM EASTERN

• CONFERENCE IS 2 DAYS

• AMY: AMY @ SMBONLINECONFERENCE STRETCHING TO THRIVE

• JUNE 24TH 1PM EASTERN
