ENCRYPTING VIRUSES: THEY’RE THE MOST SIGNIFICANT THREAT TO BUSINESS THAT HAS EVER OCCURRED.
AMY BABINCHAK
• Owner Harbor Computer Services, MSP
• Owner Third Tier
• Small Business MVP (former Small Business Server, Essential Business Server and Internet Security and Acceleration)
• Blog: www.thirdtier.net/blog
SUSAN BRADLEY
• Enterprise Security MVP. Former Small Business Server MVP.
• IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun
• GSEC certification in security
• Prefers Heavy Duty Reynolds wrap for her tinfoil hat
• Blog: http://blogs.msmvps.com/bradley/
WHAT’S NEW WITH ENCRYPTING VIRUSES
• A BRIEF HISTORY OF THE EVOLUTION OF ENCRYPTING VIRUSES
• WHY THEY ARE HERE TO STAY
• BUSINESS IMPACT
• TAKING PROACTIVE ACTION
• GET TOOLS AND RESOURCES
A BRIEF HISTORY OF THE EVOLUTION OF ENCRYPTING VIRUSES
HOW THEY DO IT
• THE BIGGIES: CRYPTOLOCKER, CRYPTO DEFENSE, TORRENT LOCKER, CRYPTOWALL 1, 2 AND 3
• A BOTNET DROPS A VIRUS ON THE COMPUTER.
• THE VIRUS CALLS HOME FOR THE ENCRYPTION KEY.
• FILES ARE ENCRYPTED – FAST!
• RANSOM NOTE IS DISPLAYED
WHY IT WORKS
• RUNS AS THE LOGGED IN USER
• DOESN’T BEHAVE LIKE A VIRUS
WHY IT WORKS – PART 2
WHY ENCRYPTING INFECTIONS ARE HERE TO STAY
SHORT VERSION: $,$$$,$$$
MONEY TALKS
• CRYPTOLOCKER MADE $3 MILLION
• COPY CATS HAVE MADE AN ESTIMATED $30 MILLION
BUSINESS IMPACT
WHO GETS INFECTED?
• POLICE DEPARTMENTS IN MAINE PAID THE RANSOM
• http://www.wcsh6.com/story/news/local/2015/04/10/police-departments-hit-by-ransomware-virus/25593777/
“LINCOLN COUNTY SHERIFF TODD BRACKETT SAID FOUR TOWNS AND THE COUNTY HAVE A SPECIAL COMPUTER NETWORK TO SHARE FILES AND RECORDS. SOMEONE ACCIDENTALLY DOWNLOADED A VIRUS, CALLED "MEGACODE", THAT PUT AN ENCRYPTION CODE ON ALL THE COMPUTER DATA.
THE SHERIFF SAID IT BASICALLY MADE THE SYSTEM UNUSABLE, UNTIL THEY PAID A RANSOM FEE OF ABOUT $300 TO THE CREATOR OF THE VIRUS. AFTER THE FEE WAS RECEIVED, THE DEPARTMENT WAS GIVEN A SPECIAL CODE TO UNLOCK THE ENCRYPTION AND RESTORE THE FILES. THE SHERIFF AND DAMARISCOTTA POLICE CHIEF RON YOUNG SAID NO ONE LIKED HAVING TO PAY OFF THE BAD GUY, BUT IT WAS THE ONLY WAY TO GET THEIR INFORMATION BACK.”
WHO GETS INFECTED?
• LAW FIRM IN NORTH CAROLINA
• http://www.esecurityplanet.com/malware/law-firm-loses-all-files-to-cryptolocker-ransomware.html
“AS SOON AS THE EMAIL WAS OPENED, EVERY SINGLE DOCUMENT HERE AT GOODSON’S LAW FIRM WAS LOCKED UP.
GOODSON TELLS CHANNEL 9 WHILE NO CONFIDENTIAL INFORMATION WAS STOLEN, HE'S LOST ACCESS TO THOUSANDS OF LEGAL DOCUMENTS.”
WHO GETS INFECTED?
• HOME USER IN MICHIGAN
• WE HELPED THEM PAY THE RANSOM
WHO GETS INFECTED?
• A BUSINESS IN MICHIGAN
• USER ERROR
• WE RESTORED FROM BACKUP
TAKING PROACTIVE ACTION
YOU CAN FIGHT THIS
THE USUAL SUSPECTS
• BACKUP
• PATCHES
• ANTI-VIRUS/ANTI-MALWARE SOFTWARE
CLEAN HOUSE
• MINIMIZE THE NUMBER OF MAPPED DRIVES
• TIGHTEN UP FILE/FOLDER PERMISSIONS
• PATCH JAVA/FLASH/SILVERLIGHT
BLOCK
• COMMAND AND CONTROL SERVERS FOR CRYPTOWALL 2.0 ARE IN THE IP RANGE: 146.185.220.0/23
• MANY BOTNETS CALL HOME TO .RU DOMAINS
• TOR SITES ALSO USED
• ANY “ANONYMOUS SERVICE” – SEE IF YOUR FIREWALL VENDOR HAS PRESET RULES
• CONSIDER FILTERING/BLOCKING DROPBOX LINKS
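One way to put the BLOCK slide into practice on a Windows host, as an added example that is not from the presenters: an outbound Windows Firewall rule for the CryptoWall 2.0 range the slide lists, with logging of dropped packets turned on so a hit is visible. Only the 146.185.220.0/23 range comes from the slide; the rule and group names are constructed for this example. A 2015-era range is a historical indicator, so the point is the mechanism (blocked and logged outbound connections from the workstation that is calling home), not the specific address.

```powershell
# Added example (not from the slides): block outbound traffic to a known
# ransomware command-and-control range with the Windows Firewall cmdlets.
# Requires an elevated PowerShell on Windows 8 / Server 2012 or later.
# Only the 146.185.220.0/23 range is from the slide deck; names are constructed.

$RuleGroup = 'Ransomware C2 blocks'   # constructed group name, used to list/remove the rules later

# One entry per known C2 range. Add further ranges here as your threat intel provides them.
$BlockList = @(
    @{ Name = 'Block CryptoWall 2.0 C2 (146.185.220.0/23)'; Cidr = '146.185.220.0/23' }
)

foreach ($Entry in $BlockList) {
    # Idempotent: skip ranges that already have a rule so re-running the script is safe.
    $Existing = Get-NetFirewallRule -DisplayName $Entry.Name -ErrorAction SilentlyContinue
    if ($Existing) {
        Write-Output "Rule '$($Entry.Name)' already exists, leaving it in place."
        continue
    }
    # Outbound block on every profile: the infected workstation is the side that calls home,
    # so blocking its outbound connections is what denies the malware its key exchange.
    New-NetFirewallRule -DisplayName $Entry.Name `
        -Group $RuleGroup `
        -Direction Outbound `
        -Action Block `
        -RemoteAddress $Entry.Cidr `
        -Profile Any `
        -Enabled True | Out-Null
}

# Log dropped packets on all profiles so a hit on one of these rules lands in
# %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log, where it can be collected and alerted on.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True

# Documentation step: show what is now in force, one line per rule.
foreach ($Rule in Get-NetFirewallRule -Group $RuleGroup) {
    $Addr = $Rule | Get-NetFirewallAddressFilter
    '{0}: {1} outbound to {2}' -f $Rule.DisplayName, $Rule.Action, ($Addr.RemoteAddress -join ', ')
}
```

A host-level rule is the last line of defence; the slide's advice to check whether the perimeter firewall vendor ships preset rules for Tor and other anonymising services still applies, since those lists change far faster than a hand-maintained block list.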
EDUCATE
• URLS
• ATTACHMENTS
• FREE APPLICATIONS
• WEBSITES
• BANNER ADS
ZERO DAY FLASH
DON’T CLICK ON ADS
ADD POLICIES
• BLOCK LOCATIONS IN THE USER PROFILE
WHAT’S IN THE POLICIES?
SOFTWARE RESTRICTIONS
THE TELL
WMI FILTERS
DOCUMENTATION
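The ADD POLICIES and SOFTWARE RESTRICTIONS slides describe blocking execution from locations in the user profile. As an added example that is not the presenters' code, the following writes Software Restriction Policy path rules to the local Safer policy keys (the same keys the Local Security Policy editor writes), lists them for documentation, and reads back the Application log events that SRP raises when it blocks a launch, which is the signal a support tech sees first. The set of blocked paths and the rule description are constructed for this example; in a domain the same rules belong in a GPO under Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies.

```powershell
# Added example (not from the slides): Software Restriction Policy path rules that
# disallow executables launched from inside the user profile, the locations droppers
# write to before running their payload. Requires an elevated PowerShell.
# Blocked path list and description text are constructed for this example.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Unrestricted = 0x40000   # SRP level value for Unrestricted
$Disallowed   = 0x00000   # SRP level value for Disallowed

# Base policy: default level stays Unrestricted so only the explicit path rules block.
# PolicyScope 0 applies the rules to all users, administrators included, because the
# malware runs as whoever is logged in. TransparentEnabled 1 enforces for all executable types.
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel        -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1             -Type DWord
Set-ItemProperty -Path $Safer -Name PolicyScope         -Value 0             -Type DWord
Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0             -Type DWord

# Profile locations a logged-in user can write to without elevation. Each becomes a
# Disallowed path rule; environment variables are expanded when the rule is evaluated.
$BlockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\*.exe',
    '%UserProfile%\Downloads\*.exe'
)

# Rules live under <level>\Paths\<GUID>, where <level> is the level the rule assigns.
$RuleRoot = Join-Path $Safer ('{0}\Paths' -f $Disallowed)
New-Item -Path $RuleRoot -Force | Out-Null

foreach ($Path in $BlockedPaths) {
    # Idempotent: skip paths that already have a rule.
    $AlreadyThere = Get-ChildItem -Path $RuleRoot | Where-Object {
        (Get-ItemProperty -Path $_.PSPath).ItemData -eq $Path
    }
    if ($AlreadyThere) { continue }

    $RuleKey = Join-Path $RuleRoot ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $RuleKey | Out-Null
    Set-ItemProperty -Path $RuleKey -Name ItemData    -Value $Path -Type ExpandString
    Set-ItemProperty -Path $RuleKey -Name SaferFlags  -Value 0     -Type DWord
    Set-ItemProperty -Path $RuleKey -Name Description -Value 'Block execution from user profile (ransomware droppers)' -Type String
}

# Documentation: the path rules now in force.
Write-Output 'Disallowed path rules:'
Get-ChildItem -Path $RuleRoot | ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }

# Detection: SRP writes every block to the Application log under the
# SoftwareRestrictionPolicies source (865 = blocked by default level, 866 = blocked by a
# path rule). A hit here means something tried to run from the profile and was stopped.
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'SoftwareRestrictionPolicies'
        Id           = 865, 866
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

To verify the policy, copy a harmless binary such as notepad.exe into %Temp% and try to start it: the launch should fail with the "restricted by your Administrator" message and an event 866 should appear in the Application log. When the rules are delivered by GPO, a WMI filter such as `SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"` limits the policy to workstations so servers, whose service accounts may legitimately run from profile paths, are left alone.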
THE NEXT LEVEL UP
• BIT9
• SAVANTPROTECTION.COM
• UPGRADE TO ENTERPRISE LICENSES
• POSSIBLY WINDOWS 10 – SMARTSCREEN FILTER IN THE OS
• SECUREAPLUS FOR HOME USERS
APPLICATION WHITELISTING
TOOLS AND RESOURCES
http://www.thirdtier.net/?s=crypto
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#decrypt
MORE FROM THIRD TIER
GO TO http://www.thirdtier.net/events
• AMY AND SUSAN MONTHLY WEBINARS
• FOURTH WEDNESDAY 8PM EASTERN
• PHIL: MONTHLY CHAT
• THIRD WEDNESDAY 7PM EASTERN
• SUPER SECRET NEWS
• GO TO OUR WEBSITE TO SIGN UP. PEOPLE ARE ALREADY SIGNED UP
• AMY: CALYPTIX RANSOMWARE TECHNICAL PRESENTATION
• MAY 6TH 2PM EASTERN
• MVP ONLINE CONFERENCE
• SUSAN IS PRESENTING! MAY 14TH 4-6PM EASTERN
• CONFERENCE IS 2 DAYS
• AMY: AMY @ SMBONLINECONFERENCE STRETCHING TO THRIVE
• JUNE 24TH 1PM EASTERN