The recent ransomware attacks on hospitals are just the beginning. In those attacks, the criminals apparently used traditional, consumer-oriented ransomware including “Locky”. These were opportunistic attacks, meaning that a widely cast spam campaign netted a system at random. Attempts were then made to infect more systems, with some success.
As you know, one hospital declared an internal state of emergency and another one paid the ransom in order to get its network back. If attackers can create that much havoc at random, what can we expect when they really try?
Brian Krebs is right on the money when he suggests that “these schemes will slowly become more targeted. I also worry that these more deliberate attackers will take a bit more time to discern how much the data they've encrypted is really worth.”
More deliberate and more targeted attackers are already getting started. In my upcoming webinar I’ll discuss the difference between consumer-targeted ransomware like Locky and Cryptolocker and enterprise-targeted ransomware like SamSam, which targets JBoss servers.
I have folks from the Threat Research Team at Carbon Black who will show you the internals of common ransomware. We’ll briefly cover some forensics of how the ransomware is dropped, how it starts and where it goes. But what we’ll really focus on is how to prevent it. And that starts with getting rid of some important misconceptions that I constantly hear and read.
Then we’ll look at how ransomware is in some ways just another kind of malware, and how advanced malware strategies address ransomware risks:
- It's not just hospitals
- It's not really about encryption or ransomware
- It's not about backups
- (In this case) it's not about data breaches
- It's not just about a few key servers
- It's not just about outdated or unpatched software
- It’s not about confidentiality – or is it?
But then we’ll focus on the differences. One of the biggest differences is time. A ransomware attack can reach critical mass and detonate very quickly compared to the time it takes for APT-type data breach attacks to come to fruition. This has a big impact on how you defend yourself.
Also, while ransomware is malware, it’s about denial of service, not confidential information. At least for now. This is a big issue that no one is talking about. Please join me for the discussion.
The interesting thing is that ransomware is not that advanced. And even as that changes, it IS possible to prevent most infections and to detect and quickly mitigate the rest. But it takes advanced, active technology deployed to every endpoint in addition to the other layers of a comprehensive defense. The key is to prevent your endpoints (all of them) from running unauthorized instructions, whether in the form of actual executables, advanced memory injection or “living off the land” techniques such as the entirely PowerShell-based ransomware discovered recently.
We will look at how you can implement the right level of protection and monitoring for different classes of systems:
- Fixed-function systems
- Defined-role systems
- Knowledge workers and executives
- Critical servers
While there’s a lot you can do through configuration management, patching and network-based controls, you have to engage the enemy on the front line – on the endpoint. I’ll show you why and how to:
- Allow applications like Microsoft Word and Outlook to run as normal but prevent them from creating EXEs or DLLs
- Watch the memory usage behavior of applications and intervene when things like reflective memory attacks are detected
- Automatically begin watching for new indicators of compromise as soon as they are discovered
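The first of those controls, “let Word and Outlook run but stop them writing EXEs or DLLs”, as detection logic over a few constructed Sysmon-style FileCreate (Event ID 11) records. This is an added example, not code from the webinar or from Carbon Black; the `Key: value | Key: value` line format and the `Magic` field (first two bytes of the new file, which Sysmon itself does not log but a content-inspecting endpoint agent could supply) are assumptions.

```python
# Office processes that have no legitimate reason to write PE images.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PE_EXTENSIONS = {".exe", ".dll"}

# Constructed Sysmon-style FileCreate records, one per line (not real telemetry).
# 'Magic' is an assumed field: the first two bytes of the newly written file.
SAMPLE_EVENTS = """\
Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE | TargetFilename: C:\\Users\\alice\\Documents\\invoice.docx | Magic: PK
Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE | TargetFilename: C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll | Magic: MZ
Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE | TargetFilename: C:\\Users\\alice\\AppData\\Local\\Temp\\report.tmp | Magic: MZ
Image: C:\\Windows\\explorer.exe | TargetFilename: C:\\Users\\alice\\Downloads\\setup.exe | Magic: MZ
"""


def parse_event(line):
    """Turn one 'Key: value | Key: value' record into a dict."""
    fields = {}
    for part in line.strip().split(" | "):
        key, _, value = part.partition(": ")
        fields[key] = value
    return fields


def is_pe_drop(ev):
    """True when an Office process writes a file that is, or claims to be, a PE image.

    The extension alone is not enough: a payload dropped as report.tmp and
    renamed later still starts with the 'MZ' header, so both checks apply.
    """
    process = ev["Image"].rsplit("\\", 1)[-1].lower()
    if process not in OFFICE_IMAGES:
        return False
    filename = ev["TargetFilename"].rsplit("\\", 1)[-1].lower()
    ext = filename[filename.rfind("."):] if "." in filename else ""
    return ext in PE_EXTENSIONS or ev.get("Magic") == "MZ"


def scan(text):
    """Return the target path of every record that an Office-drops-PE rule would block."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_pe_drop(ev):
            flagged.append(ev["TargetFilename"])
    return flagged


if __name__ == "__main__":
    for path in scan(SAMPLE_EVENTS):
        print("BLOCK/ALERT: Office process wrote a PE image:", path)
```

Note that explorer.exe writing setup.exe is deliberately not flagged: the rule is scoped to processes that should never produce executables, which is what lets Word and Outlook keep working normally.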
This is real training for free ™ that you won’t find anywhere else. Don’t miss it.
Please register now.