Defending against ransomware: You already have the capability, why are we not using it? This method stopped our attacks cold. Now let me show you how to do it. And it’s FREE, you don’t have to purchase anything.

Presented at BSides Austin 2017, May 5, 2017, 10:30 a.m. (60 minutes)

2016 was the year of Ransomware, 2017 will be no different. I have listened in on many ransomware talks, at ISC2 Congress, SecureWorks ESS, BlackHat, RMISC, BSides and others, and they all fail at any real prescriptive help. They all miss the FREE things we CAN do to eliminate the bulk of the ransomware attacks. It is easy, free and nothing needs to be purchased, it just takes a little Active Directory and Email changes to implement, and a little bit of user education. Yeah yeah, everyone needs to be better at backups and not pay the ransom, but how can we really avoid it?

Short Abstract (500)

Ransomware is still a leading thorn in Healthcare's IT and Information Security's side. I have listened in on many ransomware talks, at ISC2 Congress, SecureWorks ESS, BlackHat, RMISC, BSides and others, and they all fail at any real prescriptive help. They all miss the one FREE thing we CAN do to eliminate the bulk of the ransomware attacks. You do not need a fancy product with blinky blue lights to reduce the risk of ransomware dramatically. This talk will walk attendees through what we did to curb the ransomware threat and how you can do it too! It is easy, free and nothing needs to be purchased, it just takes a little Active Directory and Email changes to implement, and a little bit of user education. Yeah yeah yeah, everyone needs to be better at backups and not pay the ransom, but that is still a responsive effort and takes a lot of time. Recovering takes hours of people labor, loss of productivity and the costs incurred while the issue is dealt with and data is restored. What if we can stop the way ransomware is allowed to infect our systems and drop or block it without buying any more technology? We all have what we need to stop it and it is called Microsoft Windows and it works to curb ransomware infections, just no one, until now, has told us how.

Long Abstract (2500)

Ransomware has been the scourge of Healthcare for the past several years with no end in sight.
We are seeing an increase every quarter of ransomware email campaigns hitting our email systems, trying to infect our users. We figured out how to protect our users from getting infected while receiving hundreds of emails a month, and in Q4 2016 over 1000 emails with ransomware payloads. Specialty insurer Beazley's clients were the targets of more attacks in July and August of 2016 (52) than in all of 2015 (43). Beazley projects it will respond to four times as many ransomware attacks in 2016 as it did last year. Companies need a way to prevent or reduce the threat of ransomware, and through analyzing how we receive the ransomware, how users got infected and WHY they got infected, we have been able to create a drastic reduction by implementing some very simple prevention.

This talk will cover the methods by which ransomware infects us, email being the #1 method, and the attachments within the emails. Each method of ransomware received will be discussed, along with the changes that can be made at the email layer, the changes that can be made to Group Policy or manually on each client, and the simple things to teach users to avoid to further reduce the risk if one slips in. Also covered are the ways you can detect that a ransomware event has occurred and how using cloud storage and good logging can help. Examples of our own lab testing, infections and changes will be shared. New improvements to Microsoft Office will also be discussed, including how they can help and where they will not. Also covered is what user awareness training needs to include, making it more efficient since less is taught and what is taught is focused and easy for the user to identify. The attendees will leave knowing there are some simple things that can be done to dramatically reduce the risk of ransomware infections.
• Who I am (2 mins)
• Overview of how Ransomware attacks occur - 15 mins
• How to defend and reduce the impact of ransomware attacks - 20 mins
• How to detect ransomware attacks - 10 mins
• Resources - 5 mins
• Q&A - 5 mins

Presenters:

  • Michael Gough
    Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael is co-developer of LOG-MD, a free tool that audits the settings, harvests and reports on malicious Windows log data and malicious system artifacts. Michael also ran BSides Texas for five years for the Austin, San Antonio, Dallas and Houston cons. Michael also blogs on HackerHurricane.com on various InfoSec topics.
