Sophos Ransomware - Budapest, April 2016 - TMSI
Joanna Wziątek-Ładosz, Sales Engineer, Sophos
Ransomware: is there any way you can protect yourself?
What we're going to cover
• Ransomware origins
• Anatomy of a ransomware attack
• The latest ransomware – introducing Locky and its friends
• Why these attacks are so successful
• Practical steps to protect your organization from ransomware threats
• How Sophos can help
History of Ransomware
• The first known ransomware was found in 1989.
• AIDS Trojan / PC Cyborg malware.
• An infected computer would display a message to the user that one of their programs had expired and they needed to pay $189 to have it restored.
• The creator was eventually caught and the ransomware genre went underground for several years, though it reappeared briefly in 2005 and 2006.
CryptoLocker
• With the rise of CryptoLocker in 2013, a criminal gang first demonstrated the ability to reliably combine remote encryption with remote extortion on a mass scale.
• CryptoLocker was taken down by law enforcement authorities in May 2014, and for the next several months there was a significant reduction in the prevalence of ransomware.
• It not only showed how encrypting ransomware could be made to work: it also showed just how lucrative this malware business could be.
• According to US Department of Justice filings, CryptoLocker earned $27,000,000 for its owners in just two months.
Growth
By what percentage did ransomware increase between 2014 and 2015?
Answer: about 170%. The reason for the rise is simple – ransomware works.
Data so far shows that this figure for 2016 will at least double.
Facts about encryption
• CryptoLocker normally uses AES 256-bit encryption, but in later versions this was changed to AES 128-bit encryption.
File types that usually are encrypted:
*.3fr, *.accdb, *.ai, *.arw, *.bay, *.cdr, *.cer, *.cr2, *.crt, *.crw, *.h, *.dbf, *.dcr, *.der, *.dng, *.doc, *.docm, *.docx, *.dwg, *.dxf, *.dxg, *.eps, *.erf, *.indd, *.jpe, *.jpg, *.kdc, *.mdb, *.mdf, *.mef, *.mrw, *.nef, *.nrw, *.odb, *.odm, *.odp, *.ods, *.odt, *.orf, *.p12, *.p7b, *.p7c, *.pdd, *.pef, *.pem, *.pfx, *.ppt, *.pptm, *.pptx, *.psd, *.pst, *.ptx, *.r3d, *.raf, *.raw, *.rtf, *.rw2, *.rwl, *.srf, *.srw, *.wb2, *.wpd, *.wps, *.xlk, *.xls, *.xlsb, *.xlsm, *.xlsx
2 main vectors of attack
• SPAM (via social engineering)
  ○ Seemingly plausible sender
  ○ Has attachment, e.g. invoice, parcel delivery note
  ○ The attachment contains an embedded macro
  ○ When the attachment is opened the macro downloads and then executes the ransomware payload
  ○ Used by Locky, TorrentLocker, CTB-Locker
• Exploit kits
  ○ Black market tools used to easily create attacks that exploit known or unknown vulnerabilities (zero-day)
  ○ Client-side vulnerabilities usually target the web browser
  ○ Used by Angler, CryptoWall, TeslaCrypt, CrypVault, ThreatFinder
Anatomy of a ransomware attack
Anatomy of a ransomware attack
1. Installation via an exploit kit or spam with an infected attachment. Once installed, the ransomware modifies the registry keys.
2. Contact with the command & control server of the attacker: the ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer.
3. Encryption of assets: certain files are then encrypted on the local computer and on all accessible network drives with this public key. Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery.
4. Ransom demand: a message appears on the user's desktop, explaining how a ransom (often in the form of bitcoins) can be paid within a timeframe of e.g. 72 hours to enable decryption of the data with the private key that only the attacker's system has access to.
5. And gone: the ransomware will then delete itself, leaving just the encrypted files and ransom notes behind.
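As an added example (not Sophos code or material from the talk): host-level detection of the encryption stage described above, run over constructed file-system and process events. The key=value event format, the threshold values and the function names are assumptions; real telemetry would come from an EDR agent or Sysmon.

```python
import re
from collections import defaultdict

# Extensions that the ransomware on the slides appends to encrypted files.
RANSOM_EXTENSIONS = {".locky"}
RENAME_THRESHOLD = 5     # renames to such an extension by one process ...
WINDOW_SECONDS = 10      # ... within this many seconds raise an alert

# Constructed sample telemetry (hypothetical key=value format, not real EDR output).
SAMPLE_EVENTS = r"""
ts=100 type=rename pid=4711 from=C:\Users\jo\Documents\q1.xlsx to=C:\Users\jo\Documents\A1B2C3D4.locky
ts=101 type=rename pid=4711 from=C:\Users\jo\Documents\plan.docx to=C:\Users\jo\Documents\E5F6A7B8.locky
ts=101 type=rename pid=4711 from=\\fileserver\share\report.pdf to=\\fileserver\share\C9D0E1F2.locky
ts=102 type=rename pid=4711 from=C:\Users\jo\Pictures\img1.jpg to=C:\Users\jo\Pictures\0A1B2C3D.locky
ts=103 type=rename pid=4711 from=C:\Users\jo\Pictures\img2.jpg to=C:\Users\jo\Pictures\4E5F6A7B.locky
ts=104 type=exec pid=4711 cmd="vssadmin delete shadows /all /quiet"
ts=150 type=rename pid=802 from=C:\Users\jo\draft.txt to=C:\Users\jo\draft_v2.txt
ts=400 type=exec pid=5000 cmd="notepad.exe C:\Users\jo\notes.txt"
"""

def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key] = value.strip('"')
    fields["ts"] = int(fields["ts"])
    return fields

def extension(path):
    """Lower-cased extension of a Windows or UNC path, '' if it has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""

def detect(events):
    """Return (pid, reason) alerts; the mass-rename alert is reported once per pid."""
    alerts = []
    renames = defaultdict(list)   # pid -> timestamps of renames to a ransom extension
    for ev in events:
        if ev["type"] == "rename" and extension(ev["to"]) in RANSOM_EXTENSIONS:
            window = renames[ev["pid"]]
            window.append(ev["ts"])
            # drop renames that fell out of the sliding time window
            while window and ev["ts"] - window[0] > WINDOW_SECONDS:
                window.pop(0)
            if len(window) >= RENAME_THRESHOLD:
                alert = (ev["pid"], "mass rename to ransomware extension")
                if alert not in alerts:
                    alerts.append(alert)
        elif ev["type"] == "exec":
            cmd = ev["cmd"].lower()
            # shadow-copy deletion is the anti-recovery step named on the slide
            if "vssadmin" in cmd and "delete shadows" in cmd:
                alerts.append((ev["pid"], "shadow copy deletion"))
    return alerts

def analyse(text):
    """Parse a block of event lines and run the detector over them."""
    events = [parse_event(l) for l in text.strip().splitlines() if l.strip()]
    return detect(events)

if __name__ == "__main__":
    for pid, reason in analyse(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Both alerts fire for pid 4711 in the sample; the ordinary rename by pid 802 and the notepad launch are ignored.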
Ransom demands
Paying ransoms
• Payment is made in Bitcoins
• Instructions are available via Tor
• The ransom increases the longer you take to pay
• On payment of the ransom, the decryption key is provided so you can decrypt your computer files
Common ransomware: Locky and friends
Locky: the new kid on the block
• Nickname of a new strain of ransomware, so-called because it renames all your important files so that they have the extension .locky
• Ransoms vary from BTC 0.5 to BTC 1.00 (1 BTC is worth about $400 / £280).
• Started hitting the headlines in early 2016
• Wreaking havoc with at least 400,000 machines affected worldwide
A common Locky attack
• You receive an email containing an attached document.
  ○ The document looks like gobbledegook.
  ○ The document advises you to enable macros "if the data encoding is incorrect."
  ○ The criminals want you to click on the 'Options' button at the top of the page.
• Once you click Options, Locky will start to execute on your computer.
• As soon as it is ready to ask you for the ransom, it changes your desktop wallpaper.
• The format of the demand varies, but the results are the same.
CTB-Locker
• Peculiarity: business model based on affiliations
  ○ Infections are conducted by 'partners' who receive in return a portion of the takings
  ○ Enables faster spreading of malicious code
  ○ Approach notably used in the past by Fake-AV
• The cybercrooks offer the option of a monthly payment
• Has also been widely distributed by the Rig and Nuclear exploit kits
• As with TorrentLocker, the majority of infections have started via spam campaigns
CTB-Locker variant that attacks websites
• Same name as the ransomware that attacks Windows computers
• Written in PHP
• First attack in the UK on 12th February 2016
• Already many hundreds of sites have been attacked
• Attacks websites by encrypting all files in their repositories
• A password-protected 'shell' is installed on most of the affected sites, allowing attackers to connect to the server(s) via a backdoor
Angler: an all-too-well-known exploit kit
• Grown in notoriety since mid 2014
  ○ The payload is stored in memory and the disk file is deleted
  ○ Detects security products and virtual machines
  ○ Ability to spread many infections: banking Trojans, backdoors, rootkits, ransomware
• Easy to use
  ○ Doesn't require any particular technical competence
  ○ Available for a few thousand USD on the Dark Web
Angler's evolution into the dominant exploit kit
(Chart; time axis: Sep 2014, Jan 2015, May 2015.)
Chain of infection for Angler exploit kits
1. The victim accesses a compromised web server through a vulnerable browser
2. The compromised web server redirects the connection to an intermediary server
3. In turn, the intermediary server redirects the connection to the attacker's server which hosts the destination page of the exploit kit
4. The destination page looks for vulnerable plug-ins (Java, Flash, Silverlight) and their version numbers
5. If a vulnerable browser or plugin is detected the exploit kit releases its payload and infects the system.
Why these attacks are so successful
Why are these attacks so successful? Professional attack technology
• Highly professional approach, e.g. usually provides the actual decryption key after payment of the ransom
• Skillful social engineering
• Hide malicious code in technologies that are permitted in many companies, e.g. Microsoft Office macros, JavaScript, VBScript, Flash…
Why are these attacks so successful? Security weaknesses in the affected companies
• Inadequate backup strategy
• Updates and patches are not implemented swiftly enough
• Dangerous user/rights permissions – more than they need
• Lack of user security training
• Security systems are not implemented or used correctly
• Lack of IT security knowledge
• Conflicting priorities: security vs productivity concerns
Practical steps to protect against ransomware
Best practices – do this NOW!
1. Back up regularly and keep a recent backup copy off-site.
2. Don't enable macros in document attachments received via email.
3. Be cautious about unsolicited attachments.
4. Don't give yourself more login power than you need.
5. Consider installing the Microsoft Office viewers.
6. Patch early, patch often.
7. Configure your security products correctly.
Security solution requirements
As a minimum you should:
• Deploy antivirus protection
• Block spam
• Use a sandboxing solution
• Block risky file extensions (javascript, vbscript, chm etc…)
• Password protect archive files
• Use URL filtering (block access to C&C servers)
• Use HTTPS filtering
• Use HIPS (host intrusion prevention service)
• Activate your client firewalls
• Use a whitelisting solution
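As an added example (not Sophos code or material from the talk): a mail-gateway attachment check that applies two of the minimum requirements above, blocking risky script extensions outright and diverting macro-bearing Office attachments (the Locky lure described earlier) to the sandbox instead of delivering them. The extension lists, the classify_attachment function and the in-memory sample attachments are assumptions constructed for this example.

```python
import io
import zipfile

# Script extensions blocked outright (slide: javascript, vbscript, chm etc.; extend as needed).
BLOCKED_EXTENSIONS = {".js", ".vbs", ".chm"}
# Zip-based (OOXML) Office formats; a VBA project, if present, is stored as a vbaProject.bin part.
MACRO_CAPABLE_OOXML = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
OOXML_MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Legacy binary (OLE2) Office formats can also carry macros but cannot be opened with zipfile.
LEGACY_OFFICE = {".doc", ".xls", ".ppt"}


def all_extensions(filename):
    """Every trailing extension, lower-cased: 'invoice.pdf.js' -> ['.pdf', '.js']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def has_ooxml_macro(data):
    """True if a zip-based Office file contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return bool(names & OOXML_MACRO_PARTS)


def classify_attachment(filename, data):
    """Return 'block', 'sandbox' or 'allow' for one email attachment."""
    exts = all_extensions(filename)
    last = exts[-1] if exts else ""
    # Any risky script extension anywhere in the name (double extensions included) is blocked.
    if any(ext in BLOCKED_EXTENSIONS for ext in exts):
        return "block"
    # Macro documents are not delivered directly: hand them to the sandbox (slide: sandboxing).
    if last in MACRO_CAPABLE_OOXML and has_ooxml_macro(data):
        return "sandbox"
    if last in LEGACY_OFFICE:
        return "sandbox"   # may embed macros; cannot be inspected here, so detonate it
    return "allow"


def make_ooxml(with_macro):
    """Construct a minimal docx/docm-shaped zip in memory (sample input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("invoice.docm", make_ooxml(True)), ("report.docx", make_ooxml(False)),
               ("invoice.pdf.js", b"// script"), ("old_letter.doc", b""), ("notes.txt", b"hi")]
    for name, data in samples:
        print(f"{name}: {classify_attachment(name, data)}")
```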
Additional steps
• Employee awareness & training
  ○ Sophos IT Security Dos and Don'ts
  ○ Sophos Threatsaurus
• Segment the company network
  ○ NAC solutions ensure only known computers can access the network
  ○ Separate functional areas within a firewall, e.g. client and server networks
• Encrypt company data
  ○ It doesn't stop the ransomware but prevents damage caused by sensitive documents getting into the wrong hands
• Use security analysis tools
  ○ If an infection does occur, it's vital that the source is identified and contained ASAP.
How Sophos can help
Complete protection: Enduser and Network
(Diagram: Sophos Central spanning Enduser and Network products: Next-Gen Firewall/UTM, Web Security, Email Security, Wireless Security, SafeGuard Encryption, Mobile Control, Next-Gen Endpoint Protection, Server Security.)
• Secure the Endpoint (PC/Mac): Next Gen Endpoint security to prevent, detect, investigate and remediate
• Secure the Mobile Device: secure smartphones and tablets just like any other endpoint
• Secure the Servers: protection optimized for server environment (physical or virtual): fast, effective, controlled
• Protect the Data: simple-to-use encryption for a highly effective last line of defense against data loss
• Secure the Perimeter: ultimate enterprise firewall performance, security, and control.
• Secure the Web: advanced protection, control, and insights that's effective, affordable, and easy.
• Secure the Email: email threats and phishing attacks don't stand a chance.
• Secure the Wireless: simple, secure Wi-Fi connection.
Security as a System
• Synchronized Security: integrated, context-aware security where Enduser and Network technology share meaningful information to deliver better protection
• Security must be comprehensive: the capabilities required to fully satisfy customer need
• Security can be made simple: platform, deployment, licensing, user experience
• Security is more effective as a system: new possibilities through technology cooperation
(Diagram: Next Gen Enduser Security and Next Gen Network Security linked by a heartbeat through Sophos Cloud and SophosLabs.)
Malicious Traffic Detection
(Diagram: Sophos System Protector components: Application Tracking, Threat Engine, Application Control, Emulator, Device Control, Web Protection, IoC Collector, Live Protection, Security Heartbeat, HIPS/Runtime Protection, Reputation, Malicious Traffic Detection, Data Control. SophosLabs feeds: URL database, malware identities, HIPS rules, genotypes, file look-up, reputation, apps, SPAM, peripheral types, anonymous proxies, patches/vulnerabilities, whitelist. Flow: MTD rules, malicious traffic detected, application interrupted, administrator alerted, compromise indicators for user, system and file.)
Sophos Sandstorm
How Sophos Sandstorm works
1. If the file has known malware it's blocked immediately. If it's otherwise suspicious, and hasn't been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait.
2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file will be sent to the security solution once the analysis is complete.
3. A detailed report is provided for each file analyzed.
Advanced Threat Defense Made Simple: Secure Web Gateway, Secure Email Gateway, Unified Threat Management, Next-Gen Firewall
Questions?
© Sophos Ltd. All rights reserved.