Ransomware is malware that prevents users from accessing their systems or files unless a ransom is paid. Crypto-ransomware encrypts the infected system's data, forcing users to pay the ransom to obtain the decryption key. Trend Micro provides four layers of optimized protection against ransomware through email, endpoint, network and server security solutions that use techniques like behavioral analysis, vulnerability shielding, application control, and custom sandbox analysis. Users can also reduce risk by following security best practices like keeping systems patched, backups, access control, and education against phishing.
Copyright 2017 Trend Micro Inc.
Ransomware:
"Ransomware ("ransom" + "ware") is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking access to the user's personal files, unless a ransom is paid. The most recent ransomware families, collectively known as crypto-ransomware, encrypt the data on the infected system, forcing the user to pay the ransom through online payment methods in order to obtain the decryption key."
Worldwide Outbreak
• 192 countries
• 300K Windows machines
Timeline
• March 14, 2017: Microsoft releases the MS17-010 patch
• April 14, 2017: Shadow Brokers leak the tools; the vulnerability they exploit is named EternalBlue
• April 14, 2017: WannaCry/WCRY 1.0
• May 12, 2017: WannaCry/WCRY 2.0
The patch for the SMB flaw that EternalBlue exploits was therefore available a month before the leak and two months before the worldwide outbreak; the worm spread only through hosts that had not applied MS17-010.
27-Jun-2017
• ~07:00 EST: social media reports of a cyber attack
• ~07:04 EST: the attack spreads quickly in Ukraine. Reported victims include Kyivenergo (power company), Ukrtelecom (telco), Oschadbank (bank), Farmak (healthcare), NBU (national bank) and Nova Posta (shipping)
• ~10:07 EST: multinational organizations get hit. Reported victims include Rosneft (oil producer), Maersk (shipping) and Cadbury (food manufacturing)
• ~10:14 EST: samples isolated; analysis continues
• ~10:34 EST: ETERNALBLUE usage confirmed
• ~12:44 EST: PSEXEC/WMIC usage confirmed
PsExec and WMIC are legitimate administration tools, so this second propagation path also reaches hosts that are fully patched against MS17-010; detecting it means looking at how those tools are being used rather than waiting for a malware signature.
Infection flow (Erebus)
Execution via PSEXESVC.exe OR exploitation of a vulnerability → process httpdStart → "Erebus.exe" → ransom note _DECRYPT_FILE.txt
Infection flow (HDDCryptor)
Execution via PSEXESVC.exe OR exploitation of a vulnerability → dcrypt.exe → HDDCryptor ransom note
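Both infection flows above start with PSEXESVC.exe, and the 27-Jun-2017 timeline confirms PSEXEC/WMIC usage. The following added example (my own code, not Trend Micro's or the presentation's) shows the detection logic a SOC would run over Windows event logs to catch that step: a PSEXESVC service installation (System log event 7045), PSEXESVC/PsExec process creation (Security log event 4688), and WMIC launched with /node: and "process call create" against a remote host. The pipe-delimited line format, the hostnames, the account name and the payload path are constructed for illustration; real EVTX records carry the same fields but must first be exported.

```python
"""Detect PsExec / WMIC lateral movement in a constructed Windows event stream.

Added example, not Trend Micro or the original presentation's code. The
pipe-delimited format is an assumption; event IDs 7045 (service installed)
and 4688 (process creation) are the real Windows IDs for these records.
"""
import ntpath
from collections import defaultdict

# Constructed sample, not a real capture. Hostnames, the CORP\svc_admin
# account and C:\Windows\payload.dll are hypothetical.
SAMPLE_LOG = r"""
2017-06-27T14:44:01Z|host=FS01|EventID=7045|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\PSEXESVC.exe|Account=CORP\svc_admin
2017-06-27T14:44:03Z|host=FS01|EventID=4688|NewProcessName=C:\Windows\PSEXESVC.exe|ParentProcessName=C:\Windows\System32\services.exe|Account=CORP\svc_admin
2017-06-27T14:44:09Z|host=FS01|EventID=4688|NewProcessName=C:\Windows\System32\notepad.exe|ParentProcessName=C:\Windows\explorer.exe|Account=CORP\alice
2017-06-27T14:45:10Z|host=WS07|EventID=4688|NewProcessName=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic /node:FS02 /user:CORP\svc_admin process call create "rundll32.exe C:\Windows\payload.dll,#1"|Account=CORP\svc_admin
2017-06-27T14:45:12Z|host=WS07|EventID=4688|NewProcessName=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic os get caption|Account=CORP\bob
2017-06-27T14:46:00Z|host=DC01|EventID=7045|ServiceName=Dnscache|ImagePath=%SystemRoot%\System32\svchost.exe -k NetworkService|Account=NT AUTHORITY\SYSTEM
"""

PSEXEC_IMAGES = {"psexesvc.exe", "psexec.exe", "psexec64.exe"}


def parse_line(line: str) -> dict:
    """Split 'timestamp|key=value|key=value...' into a dict (constructed format)."""
    ts, *fields = line.split("|")
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def classify(rec: dict):
    """Return the name of the lateral-movement rule a record matches, or None."""
    event_id = rec.get("EventID")
    if event_id == "7045":
        service = rec.get("ServiceName", "").lower()
        # first token of ImagePath is the binary; arguments such as '-k' follow
        image = ntpath.basename(rec.get("ImagePath", "").split(" ")[0]).lower()
        if service == "psexesvc" or image == "psexesvc.exe":
            return "psexec_service_install"
    elif event_id == "4688":
        image = ntpath.basename(rec.get("NewProcessName", "")).lower()
        cmdline = rec.get("CommandLine", "").lower()
        if image in PSEXEC_IMAGES:
            return "psexec_execution"
        # local 'wmic os get caption' is noise; a remote process creation is not
        if image == "wmic.exe" and "/node:" in cmdline and "process call create" in cmdline:
            return "wmic_remote_process_create"
    return None


def detect(log_text: str) -> list:
    """Run every rule over every line and collect the hits in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        rule = classify(rec)
        if rule:
            findings.append({"ts": rec["ts"], "host": rec.get("host"),
                             "account": rec.get("Account"), "rule": rule})
    return findings


def hosts_by_account(findings: list) -> dict:
    """Map each account to the set of hosts where its tooling was flagged."""
    out = defaultdict(set)
    for f in findings:
        out[f["account"]].add(f["host"])
    return dict(out)


def spreading_accounts(findings: list, min_hosts: int = 2) -> list:
    """Accounts seen driving PsExec/WMIC on at least min_hosts machines: one
    credential hopping across the estate is the worm pattern worth paging on."""
    return sorted(acct for acct, hosts in hosts_by_account(findings).items()
                  if len(hosts) >= min_hosts)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['host']:<5} {h['rule']:<28} {h['account']}")
    print("spreading:", spreading_accounts(hits))
```

The single-host hits are worth a ticket on their own, but the `spreading_accounts` roll-up is what separates an administrator pushing software with PsExec from one set of credentials touching machine after machine within minutes.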
Is there protection for this?
Each step of the attack path maps to a security layer:
• Email security: an attachment (document, JavaScript, ransomware executable) or a URL that downloads the ransomware
• Web security: a compromised website serving an exploit kit
• Endpoint security: the ransomware on the system, then execution: file encryption and the ransom demand
Email Protection
• Spear Phishing Protection: identify and block emails that spur users to actions that will deliver ransomware.
• Malware Scanning: scan for ransomware in emails, attachments and downloads.
• Web Reputation: block access to known malicious URLs, with real-time analysis at time of click.
• Sandbox Attachments and URLs: detect and stop malicious URLs, document exploits, macros and scripts.
Endpoint Protection
• Ransomware Behavioral Analysis: detect and stop unauthorized encryption of files, and restore the files that were lost.
• Vulnerability Shielding: virtually patch endpoint software until it can be patched, shielding endpoints against vulnerabilities.
• Application Control: allow only known-good applications to run.
• High Fidelity Machine Learning: examine the unknown both prior to execution and at runtime, with noise cancelling.
Network Protection
• Custom Sandbox Analysis: detect mass file modifications, encryption behavior and other modifications that are consistent with ransomware.
• Network Monitoring: monitor all network ports and protocols:
  • pattern and reputation analysis and script emulation
  • zero-day exploits and command-and-control traffic
Server Protection
• Lateral Movement and C&C Traffic Detection: detect and alert on ransomware-specific traffic.
• Vulnerability Shielding: virtually patch server software until it can be patched, shielding servers against vulnerability exploits.
• Behavioral Analysis: detect suspicious activity on file servers related to ransomware and stop it.
• Application Control: lock down the host to prevent any unknown process or script from running.
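The endpoint, network-sandbox and server layers above all rely on the same behavioral signal: one process rewriting many files with content that looks encrypted. The following added example (my own code, not Trend Micro's product logic) implements that heuristic over a constructed stream of file-write events. It computes the Shannon entropy of each write and keeps a per-process sliding window of distinct high-entropy rewrites, alerting when a burst threshold is crossed. The event format, the process names (including the hypothetical encryptor.exe) and the thresholds (7.0 bits per byte, 20 files in 10 seconds) are assumptions chosen for illustration; a product would tune them and would suspend the process at the alert rather than just record it.

```python
"""Heuristic for ransomware-style mass encryption over constructed file-write events.

Added example, not Trend Micro's detection logic. A backup job writing plain
text and an archiver writing a handful of compressed files must not trip it;
a process rewriting many documents with ciphertext in seconds must.
"""
import hashlib
import math
from collections import defaultdict, deque
from dataclasses import dataclass

ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext and compressed data sit near 8.0
BURST_FILES = 20          # distinct high-entropy rewrites by one process within WINDOW_SECONDS
WINDOW_SECONDS = 10.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass
class WriteEvent:
    ts: float     # seconds
    pid: int
    image: str    # process image name
    path: str     # file being written
    data: bytes   # bytes written


class EncryptionBurstDetector:
    """Sliding-window count of distinct high-entropy file rewrites per process."""

    def __init__(self, window=WINDOW_SECONDS, burst=BURST_FILES, entropy=ENTROPY_THRESHOLD):
        self.window = window
        self.burst = burst
        self.entropy = entropy
        self._recent = defaultdict(deque)   # pid -> deque of (ts, path)
        self._flagged = set()
        self.alerts = []

    def observe(self, ev: WriteEvent) -> bool:
        """Return True if this write puts (or keeps) its process over the burst threshold."""
        if shannon_entropy(ev.data) < self.entropy:
            return False                    # plain text, office documents, logs: not ciphertext
        q = self._recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > self.window:
            q.popleft()                     # drop writes that fell out of the window
        distinct = {path for _, path in q}
        if len(distinct) < self.burst:
            return False
        if ev.pid not in self._flagged:     # one alert per process
            self._flagged.add(ev.pid)
            self.alerts.append({"pid": ev.pid, "image": ev.image, "ts": ev.ts,
                                "distinct_files": len(distinct)})
        return True


def pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


PLAINTEXT = b"Quarterly report, Q2 2017: revenue up 3 percent over the prior quarter.\n" * 60


def constructed_events() -> list:
    """Three processes (all hypothetical): a backup job, an archiver and an encryptor."""
    events = []
    for i in range(30):   # backup.exe rewrites 30 documents as plain text: many files, low entropy
        events.append(WriteEvent(10.0 + i * 0.1, 1001, "backup.exe",
                                 rf"D:\backup\doc{i}.txt", PLAINTEXT))
    for i in range(5):    # 7z.exe writes five archives: high entropy, far below the burst
        events.append(WriteEvent(50.0 + i * 0.5, 2002, "7z.exe",
                                 rf"D:\archives\set{i}.7z", pseudo_ciphertext(i)))
    for i in range(25):   # encryptor.exe rewrites 25 documents with ciphertext in 2.5 s
        events.append(WriteEvent(100.0 + i * 0.1, 4242, "encryptor.exe",
                                 rf"C:\Users\alice\Documents\file{i}.docx.locked",
                                 pseudo_ciphertext(1000 + i)))
    return events


def run_demo() -> list:
    """Feed the constructed events through the detector and return its alerts."""
    det = EncryptionBurstDetector()
    for ev in constructed_events():
        det.observe(ev)
    return det.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"ALERT pid={a['pid']} image={a['image']} files={a['distinct_files']} t={a['ts']:.1f}")
```

Entropy alone is not enough (the archiver legitimately writes ciphertext-like data) and file counts alone are not enough (the backup job touches more files than the encryptor); the combination within a short window is what singles out the encryptor, which is why the alert fires on its 20th distinct file and on nothing else.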
Four Layers of Optimized Protection
1. Email  2. Endpoint  3. Network  4. Server
Best practices
• User education against phishing: train users in good practices for email use and web browsing.
• Raise the security posture: follow security best practices for your current and future technologies.
• "Don't pay": paying the ransom encourages these attacks to continue and does not guarantee recovery of the data.
• Keep patches up to date: minimize the chance of vulnerability exploitation.
• Access control: limit access to critical data and network shares to the users who actually need it; a share the infected user can write to is a share the ransomware can encrypt.
• Backup: in a location isolated from the network, so that the backup itself is not reachable from an infected host, and verified by test restores.