Ransomware: What is your data worth?
Charlie Eriksen
2014 2015 2016 2017
A trend?
"Oh shit"-moments
Thoughts
Then / Now
“Oh shit, this is annoying”
“This is taking a lot of time”
“We don’t have a backup”
“We’re losing money every second”
“How much would we be willing to pay?”
Ransomware
Source: http://www.pcworld.com/article/3157417/security/after-mongodb-ransomware-groups-hit-exposed-elasticsearch-clusters.html
Ransomware
Source: https://www.theregister.co.uk/2016/11/04/papworth_ransomware_dodge/
Ransomware
Source: http://www.computerworld.com/article/3163046/security/police-lost-8-years-of-evidence-in-ransomware-attack.html
Ransomware
Source: http://www.computerworld.com/article/3105001/security/hackers-demonstrated-first-ransomware-for-iot-thermostats-at-def-con.html
Worst case
Source: https://cdn2.vox-cdn.com/uploads/chorus_asset/file/2547914/sony-pictures-hack-6.0.jpg
What is your data worth?
How does it happen?
Source: http://i.imgur.com/YUwqfUb.gif
Infection methods
Out of date software
Unsafe browsing habits
Lack of security awareness
Infection methods
User running malicious executable/open malicious file
Spam filter not effective
Antivirus not effective
Out of date software
Lack of security awareness
Source: http://www.secpod.com/blog/defeat-cryptolocker-ransomware-make-sure-your-data-is-not-taken-hostage/
Infection methods
Source: https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/
Infection methods
Out of date/insecure software
Default credentials
Lack of security awareness by sysadmins
What happens next?
Source: https://dev-connecteddata.host4kb.com/admin/media_store/2/AA-01924/Win2.png
What happens next?
Source: http://www.acronis.com/en-us/blog/sites/default/files/acronis_backup_service_simplified_ui.png
Example
Infected, what now?
Source: https://m.popkey.co/76b7ee/LmY5p.gif
Process
Source: https://media.giphy.com/media/A34x7CEKUkCyc/giphy.gif
Step 1 – Contain
Source: http://i.imgur.com/cpXMY96.gif
Step 1 – Contain
• Some ransomware will overwrite backups
  • Either directly
  • Or by changing the timestamp on files, thus invalidating differential backups
• Thus, don’t rely on backups. Do both differential and full backups
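The timestamp point above can be checked with a content-hash baseline taken at full-backup time. The following is an added example, not part of the original slides; it assumes a differential job that selects files by modification time, and the function names and temp-dir scenario are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Record (mtime_ns, sha256) per file, as taken at full-backup time."""
    result = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            result[str(p.relative_to(root))] = (p.stat().st_mtime_ns, digest)
    return result


def compare(root, baseline):
    """Split changed files into those an mtime-based differential sees and those it misses."""
    current = snapshot(root)
    seen, missed = [], []
    for name, (mtime, digest) in current.items():
        old = baseline.get(name)
        if old is None or old[1] != digest:  # content is new or different
            (seen if old is None or mtime > old[0] else missed).append(name)
    ratio = (len(seen) + len(missed)) / max(len(current), 1)
    return {"seen_by_mtime": seen, "missed_by_mtime": missed, "changed_ratio": ratio}


def demo():
    """Constructed scenario: one normal edit, one content change with its old mtime restored."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.txt", "b.txt", "c.txt", "d.txt"):
            Path(root, name).write_text("original " + name)
        baseline = snapshot(root)
        Path(root, "a.txt").write_text("edited normally")
        os.utime(Path(root, "a.txt"), ns=(baseline["a.txt"][0] + 10**9,) * 2)
        Path(root, "b.txt").write_text("content replaced")
        os.utime(Path(root, "b.txt"), ns=(baseline["b.txt"][0],) * 2)  # mtime put back
        return compare(root, baseline)


if __name__ == "__main__":
    print(demo())
```

A non-empty `missed_by_mtime` list or a sudden jump in `changed_ratio` is a reason to stop the backup rotation before a good copy is overwritten.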
Step 2 – Determine scope
• This often takes a while, and gets expensive with downtime
• Requires good logs
  • Netflow/network data
  • Event logs/AD logs/Sysmon
  • DNS Logs
• Ransomware will sometimes not change file ownership
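One way to use file-creation logs for scoping, as an added example that is not part of the original slides: group events by host, user and file extension, and flag any group that created many files in a short window. The four-column event layout, host and user names, and the `.locked` extension are constructed assumptions, not a real Sysmon export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample events: time, host, user, path of a created file.
SAMPLE_EVENTS = r"""
2017-02-01T08:12:40,WS-014,alice,\\fs01\finance\2017\budget.xlsx
2017-02-01T09:30:02,WS-022,bob,\\fs01\hr\notes.docx
2017-02-01T09:41:00,WS-022,bob,\\fs01\hr\2016\contracts.pdf.locked
2017-02-01T09:41:03,WS-022,bob,\\fs01\hr\2016\payroll.xlsx.locked
2017-02-01T09:41:05,WS-022,bob,\\fs01\hr\2017\reviews.docx.locked
2017-02-01T09:41:09,WS-022,bob,\\fs01\finance\2017\budget.xlsx.locked
2017-02-01T09:41:12,WS-022,bob,\\fs01\finance\2017\invoices.pdf.locked
2017-02-01T11:05:00,WS-014,alice,\\fs01\finance\2017\forecast.xlsx
""".strip()


def find_bursts(events_csv, window=timedelta(seconds=60), threshold=5):
    """Flag (host, user, extension) groups that created >= threshold files within window."""
    groups = defaultdict(list)
    for ts, host, user, path in csv.reader(io.StringIO(events_csv)):
        p = PureWindowsPath(path)
        groups[(host, user, p.suffix.lower())].append((datetime.fromisoformat(ts), p))
    findings = []
    for (host, user, ext), events in groups.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({
                    "host": host, "user": user, "extension": ext,
                    "first_seen": events[0][0].isoformat(),
                    "files": len(events),
                    "shares": sorted({p.drive for _, p in events}),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_bursts(SAMPLE_EVENTS):
        print(finding)
```

The `first_seen` time and the list of shares give a starting point for what to restore and from which backup generation.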
Step 2 – Determine scope
Source: https://www.elastic.co/guide/en/beats/metricbeat/current/images/metricbeat_system_dashboard.png
Step 3 - Recover
Source: http://33.media.tumblr.com/0b316f1e5a59cd5847e1ae1fdf09edc0/tumblr_mvnwki0c3d1qajc4eo1_r1_500.gif
Step 3 - Recover
• Don’t attempt if you haven’t fully determined scope
• If your backups are intact, great. Restore!
• Sometimes paying is the only option
What to do?
Source: https://i.makeagif.com/media/4-23-2015/A1V4ZR.gif
Tips & tricks
• Ensure your software is up to date and configured securely
• Ensure you have at least a basic spam filter and antivirus
• Ensure there is security awareness among both employees and system admins
• Do both full and differential backups
• Limit network share access where possible
Logging saves lives
Source: https://fsmedia.imgix.net/a5/15/8c/cc/11f3/4897/9d4d/e05daefe62d6/ride-logs-13gif.gif?w=700&auto=format&gifq=35
So what is your data worth?
Q&A (if time allows)