Cryptolocker and other ransomware brought crisis to thousands of businesses last year. The malware made millions by encrypting victims’ files and demanding ransoms to unlock them. Some companies lost everything. Others, including local police departments, had to pay a hefty ransom to recover their data.
Today, Cryptolocker is gone, but ransomware is growing stronger. New variants such as CryptoWall and Critroni are infecting users, locking their files, and demanding higher ransoms. How can you protect your IT business and clients from this growing threat?
Join Calyptix Security for a conversation on crypto-ransomware, where it’s headed, and how to avoid a ‘crypto crisis’ at your office. You’ll get straightforward advice on how to stop this threat from affecting your business network security and your clients.
This webinar was recorded on March 12, 2015.
2. Ransomware: How to avoid a crypto crisis at your IT business
Jerry Koutavas, President, The ASCII Group, Inc., jk@ascii.com
Ben Yarbrough, CEO, Calyptix Security
5. #webclinic#calyptix
What is Ransomware?
• Extortion via software
• Restricts access to an infected computer system and demands a ransom payment to return access.
• Dates back to 1989 with the AIDS trojan
• AIDS hid folders, encrypted file names, and said a software license had expired. It demanded a fee of $189 to “renew” the license and unlock the computer.
6. What is encrypting or “crypto” ransomware?
• Today’s primary ransomware threat
• Restricts access by encrypting a victim’s files. Demands a ransom to decrypt them
• Common examples:
– Cryptolocker, Critroni, CTB-Locker
7. Cryptolocker
• Widely known variant of ransomware
• Rose to prominence in late 2013
• Defeated in June 2014 in a joint effort by various government agencies and security firms
• Decryption keys now freely available for victims at www.decryptcryptolocker.com
8. Decryption is impossible
• Decrypting files is mathematically infeasible without the key
• After infection, the only hope is to restore from backup or pay the ransom
• Paying the ransom is a bad idea – it encourages the criminals
9. How does ransomware spread?
• Malicious email attachments
– Appears as a notice for an invoice, voicemail, shipment, etc.
– Affects corporate and personal email (Gmail, Yahoo!, etc.)
• Drive-by downloads
– Malicious websites infect victims via exploits for unpatched software
10. How does ransomware spread?
• Malvertising
– Online advertising used to spread malware
– A recent example included pages from Yahoo, AOL, The Atlantic, and Match.com
• Removable drives
– Connecting an infected USB drive can spread some variants
– Includes mobile devices
11. Common scenario
• A “dropper” is installed on the victim’s machine
• The dropper downloads and installs the full malware package
• The malware searches the local machine and all mapped drives for targeted files
• Files are encrypted using a strong algorithm
12. Common scenario
• The victim is notified that the files are locked
• A ransom is demanded, often from $100 to $600, to be paid in Bitcoins
• Instructions are provided on how to acquire Bitcoins and pay
13. Common scenario
• A deadline is given for ransom payment, often from 48 to 96 hours
• If the ransom is not paid by the deadline, the ransom will increase or the decryption key will be destroyed
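The scenario on the last three slides ends with documents on the local machine and every mapped drive replaced by ciphertext. A defender can catch that state early by comparing files against a known-good baseline: documents and spreadsheets have low byte entropy, ciphertext looks like random bytes. The script below is an added example written for this page, not code from the webinar or from Calyptix. The threshold of 7.5 bits per byte, the 256-byte minimum and the 4096-byte sample size are assumptions chosen for the example, and the fixture files it scans are constructed in a temporary directory.

```python
import math
import os
import tempfile
from collections import Counter
from typing import Dict, List, Optional

# Assumptions for this example: uniformly random bytes (what ciphertext looks like)
# score close to 8.0 bits/byte and plain text about 4 to 5, so 7.5 separates them;
# files shorter than 256 bytes give no usable estimate and are skipped.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 256
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sample_entropy(path: str) -> Optional[float]:
    """Entropy of the first SAMPLE_BYTES of a file, or None if the file is too small."""
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    return None if len(head) < MIN_SIZE else shannon_entropy(head)


def build_entropy_baseline(root: str) -> Dict[str, float]:
    """Relative path -> entropy for every file under root, taken while things are known good."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            e = sample_entropy(full)
            if e is not None:
                baseline[os.path.relpath(full, root).replace(os.sep, "/")] = e
    return baseline


def find_suspect_files(root: str, baseline: Dict[str, float]) -> List[str]:
    """Files that were low-entropy at baseline (documents, text, spreadsheets) and now
    read as near-random bytes. Files already high-entropy at baseline (zip, jpg, pdf,
    docx) are skipped, which removes the main false-positive source of a one-shot scan."""
    suspects = []
    for rel, before in baseline.items():
        if before >= ENTROPY_THRESHOLD:
            continue
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            continue
        now = sample_entropy(full)
        if now is not None and now >= ENTROPY_THRESHOLD:
            suspects.append(rel)
    return sorted(suspects)


def run_demo() -> List[str]:
    """Constructed fixture: two text files and one already-random 'photo'. After the
    baseline, notes.txt gets a normal edit and invoice.txt is overwritten with random
    bytes, standing in for the post-encryption state. Only invoice.txt should be flagged."""
    with tempfile.TemporaryDirectory() as root:
        text = ("Quarterly invoice for client services rendered. " * 40).encode()
        for name in ("invoice.txt", "notes.txt"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(text)
        with open(os.path.join(root, "photo.jpg"), "wb") as f:
            f.write(os.urandom(SAMPLE_BYTES))  # compressed formats look random already
        baseline = build_entropy_baseline(root)
        with open(os.path.join(root, "notes.txt"), "ab") as f:
            f.write(b"Added a line after the baseline was taken.\n")
        with open(os.path.join(root, "invoice.txt"), "wb") as f:
            f.write(os.urandom(SAMPLE_BYTES))  # constructed stand-in for ciphertext
        return find_suspect_files(root, baseline)


if __name__ == "__main__":
    print(run_demo())  # ['invoice.txt']
```

Pointing `build_entropy_baseline` and `find_suspect_files` at a mapped share and running the comparison on a schedule gives an early signal that the share is being encrypted, which is the moment to pull the affected machine off the network. Variants that rename files as they encrypt them will show up as missing baseline entries rather than entropy jumps, so a production version should report those too.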
14. An evolving threat
• Hundreds of thousands of ransomware variations exist
• Some allow users to decrypt up to five files to “prove” decryption is possible
• Victims can read payment instructions in multiple languages
• Ransoms jumped from $24 to $650 in some later versions
15. Where is it headed?
• RansomWeb – Hackers encrypt data stored on a web server and demand a ransom payment.
“The next step might well be the modern equivalent of protection rackets – threatening companies with being either taken offline or having their databases frozen unless they pay a regular fee.”
- Professor Alan Woodward, University of Surrey Department of Computing
16. Thousands of victims
• Cryptolocker made $30 million in 100 days, according to some estimates
• Ransoms paid by police departments, town halls, law offices, and businesses of all sizes
17. Thousands of victims
• The Law Offices of Paul Goodson, based in Charlotte, NC, lost every document on its main server
• Infected by a malicious email attachment. The email was disguised as a voicemail notification.
• Attempted to pay the $300 ransom but did not complete the transaction by the deadline
18. Free marketing resource
• Shows law firms the dangers of ransomware
• Includes three examples of attacked law firms
• We will send it to you after today’s presentation
20. Educate users
• Suspicious emails
• Suspicious sites
• Software and network hygiene
• Segregate personal and business web use
• Explain the rationale for restricting business networks
[Slide graphic: “Ransomware Is Bad”]
21. Patch, patch, patch
• Maintain the latest versions of your firewall, anti-virus, operating systems, applications, and other systems.
• Automatically update as new patches become available.
22. Filter spam and malicious email
• The top way ransomware spreads is by email attachment
• Some infections begin with a .scr file that arrives in a .zip or .cab email attachment
• Filter emails for content and attachments before they reach end users
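The slide’s point is that the dangerous part of the attachment is often hidden one layer down: a `.scr` screen-saver executable inside a `.zip`, frequently with a decoy name such as `Voicemail.wav.scr`. The filter below is an added example written for this page, not the deck’s or Calyptix’s code; it opens zip attachments in memory, walks nested archives to a fixed depth, quarantines anything carrying an executable extension, and holds archive types it cannot open (`.cab` is the slide’s example; the Python standard library has no CAB reader) for manual review. The extension lists and the sample archives are constructed for the example.

```python
import io
import zipfile

# Windows file types that run as programs when opened; .scr (screen saver) is the one
# the slide calls out. Illustrative list for the example, not exhaustive.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Archive types this example can open versus ones it must hold for review.
SCANNABLE_ARCHIVES = {".zip"}
UNSCANNABLE_ARCHIVES = {".cab", ".7z", ".rar"}
MAX_NESTING = 3  # guards against archives nested to absurd depth


def extensions(name: str) -> list:
    """Every extension of a file name, lowercased: 'Voicemail.wav.scr' -> ['.wav', '.scr']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def last_extension(name: str) -> str:
    exts = extensions(name)
    return exts[-1] if exts else ""


def executables_in_zip(data: bytes, depth: int = 0) -> list:
    """Member names that are executables, descending into nested zips up to MAX_NESTING.
    Raises zipfile.BadZipFile if the bytes are not a valid archive."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = last_extension(info.filename)
            if ext in EXECUTABLE_EXTENSIONS:
                found.append(info.filename)
            elif ext in SCANNABLE_ARCHIVES and depth < MAX_NESTING:
                inner = executables_in_zip(zf.read(info.filename), depth + 1)
                found.extend(f"{info.filename}/{name}" for name in inner)
    return found


def verdict(attachment_name: str, data: bytes) -> tuple:
    """('quarantine', reasons) or ('deliver', []) for one attachment."""
    reasons = []
    ext = last_extension(attachment_name)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable attachment: {attachment_name}")
    elif ext in UNSCANNABLE_ARCHIVES:
        reasons.append(f"archive type {ext} cannot be inspected; hold for review")
    elif ext in SCANNABLE_ARCHIVES:
        try:
            reasons.extend(f"executable inside archive: {m}" for m in executables_in_zip(data))
        except zipfile.BadZipFile:
            reasons.append("archive could not be parsed; hold for review")
    return ("quarantine" if reasons else "deliver"), reasons


def build_zip(members: dict) -> bytes:
    """Constructed test fixture: an in-memory zip built from name -> content members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # The slide's pattern: a "voicemail" zip whose only member is a .scr executable.
    print(verdict("Voicemail.zip", build_zip({"Voicemail_message.wav.scr": b"MZ"})))
    print(verdict("report.zip", build_zip({"report.pdf": b"%PDF-1.4"})))
```

The decision is made on the full chain of extensions, so `Invoice.pdf.scr` is treated as the `.scr` it really is. A mail gateway would also cap the total decompressed size before calling `executables_in_zip`, since a crafted archive can expand far beyond its wire size.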
23. Filter outbound traffic
• Control the sites users can access
• Block malicious hosts
• Block the IP range 146.185.220.0/23
– The range is associated with CryptoWall
• Enable an intrusion prevention system (IPS)
• Deny all outbound traffic by default
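The two rules on this slide interact: a blocklist for the CryptoWall range and a default-deny stance for everything else, with only the destinations the business needs allowed through. The order matters, because a generic “allow HTTPS anywhere” rule would otherwise let a connection to the blocklisted range through on port 443. The policy simulator below is an added example written for this page, not the deck’s or Calyptix’s code. The 146.185.220.0/23 range comes from the slide; the allowlist, the record format and the sample connection records are constructed for the example (203.0.113.0/24 and 198.51.100.0/24 are documentation address space).

```python
import ipaddress
import re

# Range the slide associates with CryptoWall (as of the March 2015 webinar).
BLOCKED_NETWORKS = [ipaddress.ip_network("146.185.220.0/23")]

# Default-deny outbound: only these destination network / port pairs may leave.
# Constructed allowlist for the example; a real one is derived from what the
# business actually needs.
ALLOWED_OUTBOUND = [
    (ipaddress.ip_network("0.0.0.0/0"), 443),      # HTTPS to anywhere not blocklisted
    (ipaddress.ip_network("0.0.0.0/0"), 80),       # HTTP likewise
    (ipaddress.ip_network("203.0.113.0/24"), 25),  # SMTP only to the mail relay
]

# Matches the constructed connection-record format used below (not a real firewall format).
RECORD_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def decide(dst: str, dport: int) -> tuple:
    """Apply the policy to one destination: blocklist first, then the allowlist,
    then the implicit default deny. Returns (action, reason)."""
    addr = ipaddress.ip_address(dst)
    for net in BLOCKED_NETWORKS:
        if addr in net:
            return "deny", f"blocklisted range {net}"
    for net, port in ALLOWED_OUTBOUND:
        if addr in net and dport == port:
            return "allow", f"allowlisted {net} port {port}"
    return "deny", "default deny"


def evaluate_records(lines) -> list:
    """Run every parsable record through decide(); returns (dst, dport, action, reason)."""
    results = []
    for line in lines:
        m = RECORD_RE.search(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        dst, dport = m.group("dst"), int(m.group("dport"))
        action, reason = decide(dst, dport)
        results.append((dst, dport, action, reason))
    return results


# Constructed sample records: a workstation browsing normally, then reaching for the
# blocklisted range on 443 (the allowlist alone would have let that through), then an
# unusual high port, then mail to the relay, then a malformed line.
SAMPLE_RECORDS = [
    "2015-03-12T09:14:02 src=10.1.1.25 dst=93.184.216.34 dport=443 proto=tcp",
    "2015-03-12T09:14:05 src=10.1.1.25 dst=146.185.221.17 dport=443 proto=tcp",
    "2015-03-12T09:14:09 src=10.1.1.25 dst=198.51.100.77 dport=4444 proto=tcp",
    "2015-03-12T09:15:00 src=10.1.1.25 dst=203.0.113.10 dport=25 proto=tcp",
    "malformed line with no fields",
]


def denied_destinations() -> list:
    """Destinations the policy would block in the sample, with the reason."""
    return [(dst, reason) for dst, _, action, reason in evaluate_records(SAMPLE_RECORDS)
            if action == "deny"]


if __name__ == "__main__":
    for row in evaluate_records(SAMPLE_RECORDS):
        print(row)
```

Running the firewall’s actual connection log through `evaluate_records` before the default-deny rule is switched on shows which existing flows the allowlist is about to break, so the cut-over can be planned rather than discovered through support calls.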
24. Group policies for Windows
• Block ransomware from installing in its favorite directories
• Free resource: Cryptolocker Prevention Kit from Third Tier (link at end of presentation)
25. Limit access to network shares
• Ransomware checks all mapped drives (including network drives)
• Only the administrator and the backup service provider should have access to backup drives
• When mounting a backup for restore purposes, make sure the permissions are set to “read only”
26. Back up all files
• The only way to fully recover from infection is with a good backup
• Many businesses operate without backups, which can make a ransomware infection a worst-case scenario
• Remember to test backups. They are only good if you can restore the data.
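“Test backups” means more than checking that the backup job reported success: restore to a scratch location and prove that every file came back byte-for-byte. The script below is an added example written for this page, not the deck’s or Calyptix’s code. It records a SHA-256 manifest of the source tree at backup time, then compares a test restore against that manifest and reports files that are missing, corrupt, or unexpected. The directory layout, file contents and the two injected failures (a truncated ledger and a missing client file) are constructed in a temporary directory for the example.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    # Files in the demo are small; a production version streams in chunks.
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Relative path -> SHA-256 of every file under root, recorded when the backup is taken.
    Store the manifest with the backup but somewhere the backup job cannot overwrite it."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return manifest


def verify_restore(restored_root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored tree to the manifest. Empty lists everywhere means the restore
    is proven good; anything else means the backup is not usable as-is."""
    report = {"missing": [], "corrupt": [], "unexpected": []}
    seen = set()
    for dirpath, _, names in os.walk(restored_root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, restored_root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                report["unexpected"].append(rel)
            elif sha256_of(full) != manifest[rel]:
                report["corrupt"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    report["corrupt"].sort()
    report["unexpected"].sort()
    return report


def restore_is_good(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


def run_demo() -> Dict[str, List[str]]:
    """Constructed fixture: a small 'server' tree, a manifest, a backup copy with two
    silent failures, and a test restore from that backup."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "server")
        os.makedirs(os.path.join(source, "clients"))
        files = {
            "clients/smith.txt": b"Smith matter notes\n",
            "clients/jones.txt": b"Jones contract draft\n",
            "ledger.txt": b"2015-03 ledger\n",
        }
        for rel, content in files.items():
            with open(os.path.join(source, rel), "wb") as f:
                f.write(content)
        manifest = build_manifest(source)  # taken at backup time
        backup = shutil.copytree(source, os.path.join(work, "backup"))
        # Injected failures: one file truncated in the backup, one never copied.
        with open(os.path.join(backup, "ledger.txt"), "wb") as f:
            f.write(b"2015-03")
        os.remove(os.path.join(backup, "clients", "jones.txt"))
        restored = shutil.copytree(backup, os.path.join(work, "restore-test"))
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    report = run_demo()
    print(report)                       # {'missing': ['clients/jones.txt'], 'corrupt': ['ledger.txt'], 'unexpected': []}
    print(restore_is_good(report))      # False
```

Keeping the manifest out of the backup job’s write path is the detail that makes the check meaningful: if the same account that runs the backup can rewrite the manifest, an encrypted or half-written backup can still “verify”.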
27. Additional tips
• Install a reputable anti-virus solution such as Microsoft Security Essentials or Malwarebytes.
• Do not allow user accounts to modify applications or the operating system (i.e., use standard user accounts).
• Adjust web browser settings to prevent forced downloads.
28. What if you are infected?
• Immediately power off the machine
• Unplug it from the network
• Remove the hard drive and scan it with antivirus to remove the infection.
• Do not power on the drive until it is cleaned
31. AccessEnforcer
• Features include:
– Intrusion detection and prevention (IDS/IPS)
– Unlimited VPN
– Web filter
– Spam filter
– Multi-WAN
– Quality of service (QoS)
– Automatic updates
– GUI-based management
– Many more in the full features list
32. Simplest Reseller Program in the Industry
• The Breakthrough Program
– 30-day license for monthly service
– Includes every security feature
– Includes lifetime warranty
– Includes unlimited users
– Cancel without penalty
– No monthly or annual minimum
36. Calyptix Resources
• Marketing flyer for law firms (will send via email)
• Ransomware Prevention: 5 ways to avoid a crisis
– http://www.calyptix.com/malware/ransomware-prevention-5-ways-to-protect-your-business/
• Critroni Ransomware: Decryption not an option
– http://www.calyptix.com/malware/critroni-ransomware-decryption-not-an-option/
• AccessEnforcer: Full features list
– http://www.calyptix.com/wp-content/uploads/2014/09/AE-features-list.pdf
37. Additional Resources
• Cryptolocker Prevention Kit – Third Tier
– http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit/
• More ransomware resources from Third Tier
– http://www.thirdtier.net/?s=crypto