HOW TO RECOVER FROM RANSOMWARE
WITHOUT PAYING...

Paul Ducklin, Sophos

TO PAY, OR NOT TO PAY,
THAT IS THE QUESTION

Who am I?

Paul Ducklin, Senior Technologist
[email protected] @duckblog
https://nakedsecurity.sophos.com/

What do I do?

Ransomware

Malicious software that locks you out and demands money to let you back in.

1. Where we are.
2. How we got here.
3. What to do? (6 quick tips.)

History of ransomware

1989/1990 - AIDS INFORMATION TROJAN

2012 - REVETON

Lockscreen ransomware died out fairly suddenly:
  ✔ The main crooks got busted.
  ✔ You could recover without paying.
  ✘ Cryptoransomware makes more $£€.

2013 - CRYPTOLOCKER

2014 - CRYPTOWALL

2015 - TESLACRYPT

2016 - LOCKY

2016 - THE YEAR THEY ALL HAD A GO!

Ransomware today

(Dutch and German examples from http://www.fraudhelpdesk.org/)

QUICK TIP

(Aside) Do you have to pay?

YOUR FILE CONTENT IN CLEARTEXT FORM
  + AES-128 KEY (only in memory)
  = WYLX AGRH INLLQA YM 9$WWQLKA WPOS   <- your file, scrambled

AES-128 KEY
  + RSA-2048 PUBLIC KEY
  = AES-128 M@Q   <- the file key, scrambled

The AES-128 key is generated on your own computer and exists only in memory while the file is scrambled. The only copy that survives on disk is the one locked with the crooks' RSA-2048 public key.

RSA-2048 PUBLIC KEY + AES-128 M@Q -> Won't unlock. (A public key can lock, but not unlock.)

RSA-2048 PRIV KEY + AES-128 M@Q -> AES-128 KEY. Crooks have this, so they can sell you back the key.

ALAS, MY LIEGE, UNLESS THINE FOE MIS-STEP WITHAL, THOU NEED'ST PAY
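Added example, not from the slides or from Sophos: the key arrangement described above, written out in Go using only the standard library. The function names, the choice of RSA-OAEP for wrapping the file key and AES-GCM for the content are assumptions made for the illustration (real families differ in such details); the shape is the point. The per-file AES-128 key is wiped after use, the on-disk copy of it is wrapped with the crooks' public key, and decryption is attempted both with the matching private key and with an unrelated one, which is the "won't unlock" case.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// EncryptedFile is what is left on the victim's disk: the AES-encrypted
// content ("WYLX AGRH ..." in the slides) plus the RSA-wrapped copy of
// the per-file key ("AES-128 M@Q" in the slides).
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// NewCrookKey stands in for the RSA-2048 key pair the crooks hold on
// their server. Only the public half ever reaches the victim.
func NewCrookKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Scramble models the victim side. A fresh AES-128 key is generated for
// this file, used once (AES-GCM here; an illustrative choice), wrapped
// with the crooks' public key, and then wiped. Nothing on disk can
// reproduce the plaintext key.
func Scramble(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 16) // AES-128 = 16-byte key
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	defer func() { // "Only in memory": zero the key once we are done with it
		for i := range fileKey {
			fileKey[i] = 0
		}
	}()
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// The only surviving copy of the file key is RSA-OAEP wrapped; only
	// the matching private key can open it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{Nonce: nonce, Ciphertext: ciphertext, WrappedKey: wrapped}, nil
}

// Unscramble is what the crooks' decryptor does after you pay: the
// private key unwraps the file key, which then unlocks the content.
// With any other private key the OAEP unwrap fails and nothing comes back.
func Unscramble(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	crooks, err := NewCrookKey()
	if err != nil {
		log.Fatal(err)
	}
	ef, err := Scramble(&crooks.PublicKey, []byte("YOUR FILE CONTENT IN CLEARTEXT FORM"))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("on disk: %x... (%d-byte wrapped key)\n", ef.Ciphertext[:8], len(ef.WrappedKey))
	other, _ := NewCrookKey() // some other private key: a guess, or another gang's
	if _, err := Unscramble(other, ef); err != nil {
		fmt.Println("without the crooks' private key:", err)
	}
	back, err := Unscramble(crooks, ef)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("with the crooks' private key:", string(back))
}
```

The public key that can be carved out of the malware is no help: RSA has no "decrypt with public key" operation, and the 128-bit AES key is not searchable. The only ways out that do not involve the private key are the ones the deck calls a mis-step by the crooks, for example a key left in memory or on disk, which is exactly what the zeroing in Scramble is there to prevent.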

What to do?

1. Backup regularly and keep a copy off-site.
2. Don't enable macros in emailed docs.
3. Tell Windows to show file extensions.
4. Don't open script or shortcut files sent by email.
5. Limit your login power to what you need.
6. Patch early, patch often.
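Added example, not from the slides or from Sophos: tips 2, 3 and 4 turned into a small attachment check in Go. The extension lists and the function names are my own assumptions for the illustration; the behaviour modelled is Explorer's "Hide extensions for known file types" option, which drops the last extension so that "Invoice.pdf.js" is shown as "Invoice.pdf", and the fact that Windows never shows the .lnk extension of a shortcut even when extensions are switched on.

```go
package main

import (
	"fmt"
	"strings"
)

// Script and shortcut types Windows will run when double-clicked.
// Illustrative list, assumed for this example, not from the slides.
var scriptOrShortcut = map[string]string{
	".js": "JScript", ".jse": "encoded JScript",
	".vbs": "VBScript", ".vbe": "encoded VBScript",
	".wsf": "Windows Script File", ".hta": "HTML Application",
	".ps1": "PowerShell script", ".bat": "batch file", ".cmd": "batch file",
	".lnk": "Windows shortcut", ".scr": "screensaver (an .exe by another name)",
	".exe": "executable", ".com": "executable", ".pif": "executable",
}

// Office formats that can carry VBA macros (tip 2). Also assumed.
var macroCapable = map[string]bool{
	".doc": true, ".dot": true, ".docm": true, ".dotm": true,
	".xls": true, ".xlsm": true, ".xlam": true, ".ppt": true, ".pptm": true,
}

// Extensions Explorer hides even with "show extensions" on.
var neverShown = map[string]bool{".lnk": true}

func ext(name string) string {
	i := strings.LastIndex(name, ".")
	if i < 0 {
		return ""
	}
	return strings.ToLower(name[i:])
}

// DisplayedName is what Explorer shows for name. With hideExt true the
// last extension is dropped, so "Invoice.pdf.js" appears as "Invoice.pdf".
func DisplayedName(name string, hideExt bool) string {
	e := ext(name)
	if e == "" {
		return name
	}
	if hideExt || neverShown[e] {
		return name[:len(name)-len(e)]
	}
	return name
}

// Verdict is the outcome for one emailed attachment name.
type Verdict struct {
	Block  bool   // tip 4: script or shortcut, do not open
	Reason string // empty when nothing is suspicious
}

// Assess applies tips 2, 3 and 4 to an attachment name.
func Assess(name string) Verdict {
	e := ext(name)
	switch {
	case scriptOrShortcut[e] != "":
		r := fmt.Sprintf("%s (%s) sent by email", scriptOrShortcut[e], e)
		// Double-extension trick: what the user sees with extensions hidden.
		shown := DisplayedName(name, true)
		if inner := ext(shown); inner != "" && scriptOrShortcut[inner] == "" {
			r += fmt.Sprintf("; with extensions hidden it shows as %q", shown)
		}
		return Verdict{Block: true, Reason: r}
	case macroCapable[e]:
		return Verdict{Block: false, Reason: "Office file that can carry macros: do not enable macros"}
	}
	return Verdict{}
}

func main() {
	// Constructed sample attachment names.
	for _, n := range []string{"Invoice.pdf.js", "Scan_0042.lnk", "Order.docm", "Report.pdf"} {
		v := Assess(n)
		fmt.Printf("%-16s shown as %-14q block=%-5v %s\n", n, DisplayedName(n, true), v.Block, v.Reason)
	}
}
```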

ASK US HOW...