Ransomware – Defense in Depth

Ransomware is not new; Bitcoin now lets the attackers get paid directly.
It’s a ‘virus’ that spreads.
Many in the room have been hit: 1 paid, 2 restored from backups (of those willing to comment). A 4 TB Windows file share was taken down.
You have to protect yourself in layers (the onion model).
Start at the outside and work your way in. Wireless is the favourite access method, followed by USB.
Secure passwords are a joke: a dictionary word with 01 and the year on the end.
Running current versions is critical; PHP version 3 is the 2nd favourite access method.
Printer firmware: if the printer is joined to the domain, it holds a list of user names and passwords…
VMDK files can now be encrypted via poor password policies on ESXi servers.
Exchange servers and database servers are priority targets because the attackers can ask for more money.
Backup is the last line of defence. If the site goes down, you can restore the VMs to the cloud.
Once hit, the attacker will try to escalate privileges and go to the top of the stack. Monitor privileged account usage AND alert on it. When systems are restored, the security breach is still in place: close the ‘hole’ and replace passwords first!
One person in the room had their VSS backups removed before the ransomware kicked in.
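A small detection routine, added here as an example (it is not from the talk or the slides), covering the two monitoring points above: privileged account usage and shadow copy removal ahead of encryption. It runs over constructed process-creation records and flags shadow copy deletion outside the backup host, an Office application spawning a shell, and a privileged account used away from an admin workstation. The host names, user names and allowlists are assumptions.

```python
import re

# Constructed sample process-creation records, loosely modelled on the fields of
# Windows Security event 4688 / Sysmon event 1. All values are made up.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmd": "winword.exe C:\\Users\\jdoe\\invoice.docx"},
    {"host": "FS01", "user": "CORP\\jdoe", "parent": "winword.exe",
     "cmd": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "BKP01", "user": "CORP\\svc_backup", "parent": "backupagent.exe",
     "cmd": "vssadmin delete shadows /for=D: /oldest"},
    {"host": "WS07", "user": "CORP\\Administrator", "parent": "services.exe",
     "cmd": "wmic shadowcopy delete"},
]

# Command lines that remove local recovery points (VSS shadow copies, backup catalog).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
SHELL_PATTERN = re.compile(r"^(cmd|powershell|pwsh|wscript|cscript)(\.exe)?\b", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Assumed environment knowledge: the host where backup tooling legitimately prunes
# shadow copies, and the admin workstations privileged accounts should log on from.
BACKUP_HOSTS = {"BKP01"}
ADMIN_HOSTS = {"PAW01"}
PRIVILEGED_USERS = {"CORP\\Administrator"}


def classify(event):
    """Return the list of alert names raised by one process-creation event."""
    alerts = []
    cmd, parent = event["cmd"], event["parent"].lower()
    if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS) and event["host"] not in BACKUP_HOSTS:
        alerts.append("shadow-copy-deletion")        # recovery points being destroyed
    if parent in OFFICE_PARENTS and SHELL_PATTERN.match(cmd):
        alerts.append("office-spawned-shell")        # typical macro-to-payload chain
    if event["user"] in PRIVILEGED_USERS and event["host"] not in ADMIN_HOSTS:
        alerts.append("privileged-account-off-admin-host")
    return alerts


def scan(events):
    """Flatten alerts over a stream of events as (host, user, alert) tuples."""
    return [(e["host"], e["user"], a) for e in events for a in classify(e)]
```

The backup-host allowlist is what keeps a legitimate pruning job from paging anyone; tune it to the hosts that actually run backup agents.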
