How to Help Your Customers Protect Themselves from Ransomware Attacks

© 2016 N-able Technologies, ULC. All rights reserved.
RANSOMWARE
5 STEPS TO PROTECTING YOUR CUSTOMERS’ DATA

WHAT IS RANSOMWARE?
A software based attack on your
network with the goal of
extortion.

HOW DOES RANSOMWARE SPREAD?
Ransomware is typically
delivered through an exploit kit
or phishing attack.

WHAT IS AN EXPLOIT KIT?
Code created to take advantage of
an unpatched or unknown system
vulnerability.
Example: Windows® OS, JavaScript® or
Adobe Reader®

WHAT IS PHISHING?
Masquerading as a trustworthy entity
in an electronic communication with
malicious intent.
Example: Attachments to email.
Embedded links.

“HOSTAGE” (NEW)
“COP” OR “LOCKER”
CRYPTOGRAPHIC
THREE RANSOMWARE VARIENTS
• Generally acquired from browsing something “naughty”; infects through JavaScript or Adobe Flash®
vulnerabilities. Prevents access to your underlying system without encryption.
• Appears to be from a federal agency and requests you pay a “fine” to compensate for your “illegal activity”.
• Generally acquired from phishing attacks. Encrypts data on your system and shares preventing access.
Demands a “fee” to unlock.
• Locked out of your data until you pay the ransom.
• E.g. “Cryptolocker” & “Locky”
• Generally acquired from phishing attacks, same underlying concept as cryptographic.
• Steals browser, chat history and contact lists, records video & audio. May threaten to send this info to your
contacts if a “fee” is not paid.
• E.g. “Crysis” & “Jigsaw”.
1
2
3

THE PROGRESSION OF RANSOMWARE
1989
“Aids” Trojan on
floppy disk asks for
$189 to unlock a
file
2006
Gpcode, Archiveus,
Krotten, Cryzip,
TROJ.RNSOM.A,
and MayArchive
lock systems with
RSA encryption
algorithms
2012
“Reveton” informs
users they have
downloaded illegal
material and must
pay a “fine”
1
2013
“Cryptolocker”
appears using
nearly unbreakable
encryption, hard to
detect trojans and
ultimately includes
use of TOR network
for anonymity.
2014
“CryptoWall”
infects through
website
advertisements
2016
“Locky”, encrypts
all files with a .locky
extension and
demands fee to
unlock
2015
“Chimera” encrypts
files and threatens
to publish them
online if ransom is
not paid
2015
“CryptoWall” 3.0
and 4.0 add new
layers to their
encryption and
come packaged in
exploit kits
2016
RaaS (Ransomware
as a Service)
becomes possible
paving the way for
prolific growth.

WHEN IS RANSOMWARE SUCCESSFUL?
To be considered successful, an attack
must:
1. Take control of a system or device.
2. Prevent access to the device and its data to some
degree.
3. Inform the user that the device is being held for
ransom along with a price and a method of payment.
4. Accept payment from the user.
5. Return full access to the device once payment is
received.*
*This does not always happen unfortunately.

WHAT A COMPROMISED DEVICE LOOKS LIKE
All shapes and sizes:
1. Desktop background
2. Popup window
Demands:
1. Pay a small “fine” to regain access.
2. Pay a “fee” or lose your data.
3. Pay an increasing “fee” as time elapses.
4. Pay a “fee” or increments of your data
are destroyed over time.
5. Pay a “fee” or your personal
information is released to the public or
contact list.

PROGRESSION OF A RANSOMWARE ATTACK
1. The ransomware trojan package is executed.
• Few operating systems are safe. Many current ransomware variants will work on
Windows, OS X and Linux® systems.
2. The trojan reaches out to one of many cloud servers to download its main
payload (commonly on the .TOR network, aka the “Dark web”).
3. Using the logged in user account, the trojan deletes itself, and the payload
begins to install and encrypt your files using military grade encoding.
Locations and files that are often targeted include:
• Locally stored office documents, image files, video files etc.
• Network shares the user has access to.
• Connected external drives such as USB thumb drives.
• Cloud storage that the user has write access to such as Dropbox®.
4. Volume Snapshot Services (VSS) or “Shadow Copies” are commonly deleted.
5. Wallpaper or screen overlay appears that alerts the user to the encryption
and instructs them to pay a “fine” or “fee”, often via BitCoin® - a virtually
untraceable online currency. Fees vary considerably.
6. Once paid, a public decryption key is returned and often data is restored.

5 STEPS TO PROTECTING YOUR
CUSTOMERS’ DATA

5 STEPS TO PROTECTING DATA
Access
Restrictions
Firewall &
Network
User
Education
Antimalware
Patch
Management
& Third Party
Vulnerability
Auditing
Backup &
Recovery
USERS PREVENTION RECOVERY OPTIONAL

STEP 1: USER EDUCATION
QUICK TIPS
Arm users with
the knowledge
they need to
recognize
threats and
avoid dangerous
behavior.
MINIMIZE IMPACT
PREVENTION
MINIMIZE IMPACT
• Majority of ransomware attacks rely on
social engineering (convincing the user
to initiate the interaction).
• Educate users to recognize and avoid
these attempts.
Common exploits:
• Macro’s in Microsoft® Office documents.
• JavaScript attachments in the form of fake documents.
• Embedded JavaScript in malicious websites.

QUICK TIPS
Don’t enable
macros unless
you were
expecting them!
Block macros in
files from the
internet by
default in Active
Directory.
Use MS Office
viewers.
MINIMIZE IMPACT
PREVENTION
Macro’s in Microsoft Office® documents*:
1. An attachment arrives; when opened it appears encrypted.
2. Directions are put in the document to use the “Options” button and re-enable
macros.
3. Once the button is pressed, the ransomware infection begins.
*Allows for attack on Office 365® users as well!
PREVENTION

QUICK TIPS
Unhide “known
extensions”.
Giving your users
visibility is key.
Antimalware's
Application
Control features
block Microsoft
WSH Cscript
and Microsoft
WSH WScript
MINIMIZE IMPACT
PREVENTION
MINIMIZE IMPACT
Javascript attachments in the form of fake documents:
1. An attachment arrives with what appears to be a Microsoft Office document or
compressed file attached (Windows hides known extensions).
2. The user clicks to open the document. The 834425.zip.JS file executes.
3. Once the file is executed, the ransomware infection begins.
PREVENTION

QUICK TIPS
Block malicious
sites through
your Antivirus or
Firewall.
Sandbox web
access.
Configure
Windows to
open JavaScript
with Notepad.
MINIMIZE IMPACT
PREVENTION
Embedded JavaScript in malicious websites:
1. A user visits an infected page. It may be made to look like a legitimate organization.
2. Users typically click on a link, “play button” or other clickable object and
unknowingly execute the JavaScript.
3. Once the JavaScript is executed, the ransomware infection begins.
PREVENTION

STEP 2: ACCESS RESTRICTIONS
QUICK TIPS
Keep data stores
and shares
protected by
limiting the
number of users
who have
access.
MINIMIZE IMPACT
PREVENTION
MINIMIZE IMPACT
Ransomware typically executes under the
logged in account.
• Restrict users from backup shares and network
locations they do not need access to.
• Do not use Administrator accounts.. even for
administrators. Run As.. instead.
• Restrict Administrative accounts from using email.

STEP 3: ANTIMALWARE
QUICK TIPS
Advanced
Endpoint
protection is
required.
Intrusion
Detection
System.
Active Virus
Control aka a
Behavioral scan.
MINIMIZE IMPACT
PREVENTIONPREVENTION
Traditional signature based Antivirus is not
effective.
• AV must be capable of stopping processes that exhibit
malicious techniques (Heuristics/Behavioral & IDS)
• Implement inbound mail scanning and blocking.
• AV must be ON and up to date at all times. You will
need a way to monitor this.

STEP 4: PATCH MANAGEMENT
QUICK TIPS
Control patch
deployment
through a
centralized
system.
Enforce patch
installation and
reboots.
Discuss patching
policy with your
Customer!
MINIMIZE IMPACT
Unpatched systems are an open door for
ransomware delivery.
• Ensure your devices are patched and up to date.
• Apply patches no more than 30 days after they are
released from the vendor.
• Review your patching process to remove any
roadblocks such as reboot windows, and device
availability.

STEP 4: PATCH MANAGEMENT
QUICK TIPS
User’s often
ignore update
prompts for
these tools.
Take control of
the updates with
a Remote
Monitoring and
Management
solution such as
N-central®.
MINIMIZE IMPACT
PREVENTION
Third party applications must be patched.
• Don’t let applications such as Java® and Adobe Reader
get left out of your patch routine.
• These applications are some of the most common
entry points for exploit kits.
• Think carefully before deciding to leave older versions
of third party applications active.
PREVENTION

STEP 5: BACKUP & RECOVERY
QUICK TIPS
Encrypt your
backup location.
Ransomware will
attempt to
access with the
user’s
permissions
Windows
shadow copies
are typically
deleted by
ransomware.
MINIMIZE IMPACT
PREVENTION
MINIMIZE IMPACT
Backup is the only hope for data recovery
beyond paying the ransom.
• Review your backup configuration, is it adequate?
• One of your backup locations must be offsite/cloud.
• Restrict access to your network backup stores.
• Validate that backups are happening and can be
restored.

FIREWALL & NETWORK
QUICK TIPS
Advanced
technology can
help combat this
modern threat.
Keeping
workstations and
servers
segregated is
good practice.
MINIMIZE IMPACT
A strong firewall can be a significant
preventative measure.
Deploy a next generation firewall that:
• Will block threats based on a “threat feed”.
• Offers sandboxing.
• Can police user interactions with websites that are
not whitelisted (i.e. a “proceed?” query).

VULNERABILITY ASSESSMENT
QUICK TIPS
Understanding
where you are
vulnerable is key
to impact
mitigation.
Restrict user
access to critical
data
MINIMIZE IMPACT
PREVENTION
MINIMIZE IMPACT
Know where your weak points are.
• Use a tool to frequently review your end-user access
rights and open exploits.
• Identify recurring problem areas and address them.
• Consider assessing your customers organization and
exploring data insurance with them.

Ransomware is not just one of many
CYBERTHREATS
It’s a
GROWINGbusiness.

Ransomware is an opportunity to
EDUCATE & INFORMyour users and supply the necessary
SERVICESfor business continuity.

HELP USERS HELP THEMSELVES
QUICK TIPS
Remind and
inform your
users frequently.
Consider running
“red team”
attacks; spoofing
a ransomware
attempt as a
teaching tool.
MINIMIZE IMPACT
PREVENTION
MINIMIZE IMPACT
Ransomware Rescue infographic
variants available for download from
SolarWinds N-able:
http://offers.n-able.com/ransomware/
• Created to educate your users.
• English and Custom versions available.
• Links to blogs and this webinar.

THANK YOU
The N-ABLE TECHNOLOGIES and N-CENTRAL marks are the exclusive property of N-able Technologies, ULC. and its affiliates, are registered with the U.S. Patent and Trademark Office and
the Canadian Intellectual Property Office, and may be registered or pending registration in other countries. All other N-able trademarks, service marks, and logos may be common law marks,
registered or pending registration in the United States, Canada, or in other countries. All other trademarks mentioned herein are used for identification purposes only and may be or are
trademarks or registered trademarks of their respective companies.

How to Help Your Customers Protect Themselves from Ransomware Attacks

More Related Content

What's hot (20)

Viewers also liked (14)

Similar to How to Help Your Customers Protect Themselves from Ransomware Attacks (20)

More from Solarwinds N-able (20)

Recently uploaded (20)

How to Help Your Customers Protect Themselves from Ransomware Attacks