Sangfor's Answer to Ransomware - issummit.org › pdf › Day 1 - Track 1.4 - Mr Jason Yuan.pdf

Page 1

www.sangfor.com Sangfor Technologies Inc.

Sangfor's Answer to Ransomware

When Ransomware Calls - Sangfor Answers

Jason Yuan

VP for Product & Marketing

Sangfor Technologies

[email protected]

Page 2

Sangfor Technologies Page 1

PART 1 The Threat

Page 3

The Threat

1. 91%: cyber attacks that begin with phishing (TrendMicro)

2. 363%: annual increase in ransomware attacks (Malwarebytes)

3. 350K: new malware samples seen every day (AV Test)

4. $2.4M: average cost of a malware attack to a company; the longer discovery of a breach takes, the more it costs (Accenture)

Page 4

What is Ransomware?

Ransomware is a form of malware that hijacks a victim’s system and encrypts its data files. The attacker then demands a ransom from the victim, promising to restore access to the data upon payment.

Users are shown instructions on how to pay the ransom fee in exchange for the decryption key. Ransoms range from a few hundred dollars to thousands, usually payable to cybercriminals in Bitcoin.

Page 5

Attacks Bypass Traditional & Next Generation Antivirus

In a recent Barkly survey of companies that suffered ransomware attacks in the past 12 months:

• 100% of customers were running anti-virus

• 95% of attacks bypassed a traditional firewall

• 77% of attacks bypassed email security

WannaCry ransomware infected 200,000 machines in four days across 150 countries.

Page 6

Ransomware Transmission Methods

Ransomware typically uses one of four primary methods for transmission and implantation:

Phishing

• Malicious code inside email attachments which victims open, thereby infecting the PC

• Malicious scripts or code downloaded via an embedded web link

Cases: Locky, Petya variant

Target: Windows

Worm

Malware which “worms” its way through a network, taking advantage of vulnerabilities and weak passwords and replicating itself as it travels.

Cases: WannaCry, Petya variant

Target: Windows

Exploit Kit

A “hacker package” designed to seek out vulnerabilities in software installed on a device, exploit those vulnerabilities to gain access to the system, and drop a malware payload into the system.

Case: Cerber

Target: Servers with vulnerabilities

System Vulnerability

Designed to crack RDP ports, SSH ports, database ports, SMB ports, etc.

Case: GlobeImposter variant

Target: Servers with vulnerabilities

Page 7

Ransomware Intranet Attack Process

• Data Encryption: ransomware encrypts target file types

• Ransom Demand: a dialogue box pops up to demand a ransom for the encrypted files

• Network Scan: vulnerability scanning of internal network hosts

• Intranet Communication: uses intranet hosts with vulnerabilities to spread the ransomware

Page 8

TSMC Exposed to Ransomware

Event Profile:

• The largest semiconductor company in Taiwan

• Company statement shows the ransomware came from a newly connected computer

• TSMC's stock dropped 15.2% in 3 days

• TSMC announced that luckily, their core codes weren’t lost

• Considered the most serious WannaCry attack globally, as of 2018

Date: August 3rd - 6th, 2018

Loss: 370M USD

Industry: Manufacturing

Page 9

PART 2 Ideal Protection Against Ransomware

Page 10

Adaptive Security Model

Four continuous stages around a core of Continuous Monitoring and Analytics:

Predict: Proactive Exposure Analysis; Predict Attacks; Baseline Systems

Prevent: Harden and Isolate Systems; Divert Attackers; Prevent Incidents

Detect: Detect Incidents; Confirm and Prioritize Risk; Contain Incidents

Respond: Remediate/Make Change; Design/Model Change; Investigate/Forensics

Page 11

PART 3 How to Defend Against Ransomware

Page 12

A Different Approach for Defending Endpoints

Revolutionary AI Detection

Continuous Monitoring/Learning

Self-Evolution

Unknown Threat Detection

No-Feature Technology

Threat Attack Protection

Advanced Intelligence Detection

Comprehensive Protection

Integrated Control

Effective Adaptation

Comprehensive Protection

Flexible Response

Fast Closed-Loop Security

Collaborative Intelligence

Threat Situational Awareness

World-class Malware Analysis and Detection

Emphasis on Response

Emphasis on Containment and Mitigation

Page 13

Risk Protection for Ransomware

• Risk Driven • Full Protection • Active Defense

Attack stages: Infected? → C&C Communication → Encryption → Lateral Propagation

Endpoint Secure IAM

• Email

• Ransomware Detection

• Malicious Domain

• C&C Servers

Ransomware/APT

• Detection

• Blocking

• Disinfection

• Connection Analysis

• Malware Containment

Ransomware

Platform-X MSS

Cloud

NGAF

Incident Response

Services

• Integrated Management

• Situational Threat Awareness

• Global/Local

• Threat Intelligence

• AI Engine

• Automated Sandbox Cluster

Neural-X

Page 14

Adaptive Malware Response

Value Proposition: asset-centric, targeted defense, continuous detection, and collaborative response to respond to breaches quickly.

Endpoint Assets: Lightweight, Intelligent, Responsive

Baseline, Verification, Visualization

Continuous Realtime Assessment

Closed-Loop Collaboration

Stages: Prevention, Prediction, Detection, Response

Capabilities: Vulnerability Scanning; Ransomware Detection; Intrusion Detection; Compliance Review; One-click Kill; One-click Isolation; Attack Trace; Linked Response

Page 15

Predictive Attack Capability with Engine Zero

• Comprehensive, High-Quality Malware Database

• Malware Family DNA Fingerprint Identification

• Multiple Expert Algorithms Refine Ideal Identification

• AI Models Continuous Self-Study in Cloud Engine

• Fast Iterative Self-Updating Learning Mechanisms

• AI + Rules Identify Optimal Response to Known Threats

High Detection, Low False-Positive Rate

Detection engines: File Reputation Detection Engine; Gene Characteristics Detection Engine; Behaviour Analysis Detection Engine; AI Detection Engine; Neural-X Detection Engine

Predict

Page 16

Identify Unknown Malware Powered by AI

[Chart: detection rate (values shown: 61.4%, 99.65%, 32%) and false positive rate (values shown: 0.1%, 0.04%, 0.09%) compared across Sangfor Engine Zero, Open Source AV and Market Benchmark]

Sangfor Engine Zero AI Malware Detection Engine

Innovative Unique AI Technology

High Detection Accuracy

Low False Positive Rate

GlobeImposter Ransomware Zero-Day Detection

99.65% Accuracy with Unknown Malware Detection

>99.9% Accuracy with Known Malware Detection

Predict

Page 17

Ransomware Verification

Detect


Page 19

Neural-X Forensic Capabilities

Detect

Page 20

Detection

NGAF Network View

Risks to both PCs and servers are visible

Endpoint Secure Client View

Detect

Page 21

Identify Communications Between Endpoints

Tracking Abnormal Network Behavior

NGAF discovers malicious network behavior and traces the origin using Endpoint Secure to locate abnormal files, backdoors, toolkits, etc.

Detect

Page 22

Prevention

Prevent

Page 23

Ransomware Honeypot

1. Bait files are placed in system-critical, high-target and random directories

2. Encryption of bait files highlights the running encryption process

3. Endpoint Secure kills the encryption process to block encryption

4. The malware controlling the encryption is identified and mitigated

[Diagram: the Protect Agent watches user files marked “Encrypted” and “Encrypting...” alongside bait files marked “Cannot be encrypted”]

After analysis of the encryption order of tens of thousands of ransomware samples, key directories with a high probability of being targeted for encryption are identified.

Prevent
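As an added illustration of the bait-file mechanism in steps 1 to 4 (example code written for this page, not Sangfor's Endpoint Secure or Protect Agent code), the Python below plants canary files with random content in chosen directories, records their size and SHA-256 in a manifest, and reports every bait file that is later rewritten, resized or removed. A helper looks up, on Linux only and via /proc, which processes hold a tampered file open, which is the information step 3 needs before anything can be killed. The directory names, bait file names and the simulated encryptor in run_self_check are constructed assumptions.

```python
"""Bait-file (canary) monitor illustrating the ransomware honeypot idea.

Added example, not Sangfor's code. Assumptions: this script itself plants the
bait files, the manifest lives in memory, and process lookup uses Linux /proc.
"""
import hashlib
import os
import secrets
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed bait names: chosen so an encryptor walking a directory hits one
# early (sorts first) and one late (sorts last), covering both ends of the walk.
BAIT_NAMES = ("~$invoice_2018.docx", "000_budget.xlsx", "zzz_notes_backup.txt")


@dataclass(frozen=True)
class BaitRecord:
    path: Path
    sha256: str
    size: int


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plant_bait_files(directories, names=BAIT_NAMES) -> list:
    """Write one bait file per name into each directory and return the manifest.
    Content is random, so the files carry no fixed marker that could be
    recognised, and the recorded hash defines what 'unchanged' looks like."""
    manifest = []
    for directory in directories:
        directory = Path(directory)
        directory.mkdir(parents=True, exist_ok=True)
        for name in names:
            data = secrets.token_bytes(4096)
            path = directory / name
            path.write_bytes(data)
            manifest.append(BaitRecord(path, _sha256(data), len(data)))
    return manifest


def check_bait_files(manifest) -> list:
    """Compare every bait file with its manifest entry.
    Returns (path, reason) for each file that is missing (deleted or renamed,
    e.g. given a .locked suffix), resized, or rewritten in place. Legitimate
    software has no reason to touch these files, so any finding is a signal."""
    findings = []
    for rec in manifest:
        if not rec.path.exists():
            findings.append((rec.path, "missing"))
            continue
        data = rec.path.read_bytes()
        if len(data) != rec.size:
            findings.append((rec.path, "size changed"))
        elif _sha256(data) != rec.sha256:
            findings.append((rec.path, "content rewritten"))
    return findings


def processes_holding(path) -> set:
    """Linux-only: PIDs whose open descriptors (/proc/<pid>/fd) point at path.
    Returns an empty set elsewhere or when /proc is unreadable; a real agent
    would use a kernel driver or minifilter to catch the writer synchronously."""
    target = os.path.realpath(path)
    pids = set()
    proc = Path("/proc")
    if not proc.is_dir():
        return pids
    for entry in proc.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            for fd in (entry / "fd").iterdir():
                if os.path.realpath(fd) == target:
                    pids.add(int(entry.name))
                    break
        except OSError:  # process exited, or not ours to inspect
            continue
    return pids


def run_self_check() -> dict:
    """Plant bait in a temporary tree, simulate an encryptor overwriting one
    bait file and deleting another (constructed scenario), and return the
    findings before and after so the detection logic can be verified."""
    base = Path(tempfile.mkdtemp(prefix="bait_demo_"))
    manifest = plant_bait_files([base / "Documents", base / "Desktop"])
    result = {"clean": check_bait_files(manifest)}
    victim, deleted = manifest[0], manifest[-1]
    victim.path.write_bytes(secrets.token_bytes(victim.size))  # in-place "ciphertext"
    deleted.path.unlink()                                      # file removed
    result["after_attack"] = check_bait_files(manifest)
    result["victim"], result["deleted"] = victim.path, deleted.path
    return result


if __name__ == "__main__":
    for path, reason in run_self_check()["after_attack"]:
        print(f"ALERT {reason}: {path} held by PIDs {processes_holding(path)}")
```

The check is deliberately hash-based rather than timestamp-based: an encryptor that writes ciphertext of the same length and restores the modification time still fails the hash comparison, and a rename to a ransom-note extension shows up as "missing". In a deployment the manifest would be held where the monitored process cannot rewrite it, and the poll loop would be replaced by a file-system change notification.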

Page 24

Response

Respond

Page 25

Security Butler

Providing Security Expertise for Organizations that Need It

• Full visibility of security events

• Customized Security Policy

• Expert Security Level

• 24/7 Monitoring

• Real-time active response

Professional Security

• Experts Online

• Unified Security Management

Respond

Page 26

One-Click Kill

Respond

Endpoint Secure Manager

One click mitigation for the entire network

Find one infection, quickly scan the network for more

Page 27

Micro-isolation Reduces Threat Propagation

Access control for different roles

Business A, Business B; Department A, Department B

Security isolation and access control for different business systems

Security isolation at different terminals

Security isolation and access control in concert with IAM

Zones: Data Center; Business Area; Intranet office area

Respond

Page 28

Simpler Smarter Monitoring

Multi-Dimensional Response

Malware Sandbox

Ransomware Honeypot

Network-Wide Threat Disposal

NGAF/IAM Integration

One-Click/Automatic Host Micro-Isolation

One-Click/Automatic File Disposal/Restore

Threat Intelligence

Global Whitelists/Blacklists

Compliance

Asset Tracking

Vulnerability Scanning

Patch Management

Respond

Page 29

Simplified Security Operation

One Click Mitigation; Vulnerability Scan with Remediation; Informative Visual Dashboard & TI

Respond

Page 30

PART 4 Sangfor Ransomware Offerings

Page 31

Sangfor SIP

External Threat Intelligence

Data Center

Branch office / WAN

Behavior Analysis, ML, UEBA, Specialists

NTA Sensor

NGAF

EDR (Server)

NTA Sensor

NGAF

Visibility for Operation

Visibility for Management

Am I safe now?

Where am I at risk?

What’s the impact?

How do I fix it?

Threat Intelligence

Security Operations for the Enterprise

Page 32

Standard Ransomware Solution

Cloud (Neural-X & Security Butler)

• Cloud Monitoring Service: detecting existing exploits or vulnerabilities such as RDP port exposure, deserialization vulnerabilities and EternalBlue vulnerabilities.

• Cloud Threat Intelligence: pushing the latest ransomware intelligence.

• Deploy Security Butler: a security operation center controlling policy optimization and customization, advanced threat analysis and guidance, and security expert services.

Network

• Deploy Border Security Devices: block web exploits and RDP brute force attacks.

• Configure Protection Device to Associate with the Cloud Reputation: directly block outbound C&C host behavior and malicious file downloads based on IP/file reputation.

Endpoint

• Endpoint Secure: early detection of vulnerable hosts that are easily exploited by ransomware.

• Scan endpoints regularly for ransomware.

• Real-time, AI-powered analysis of ransomware behavior.

• Immediate isolation of infected hosts to avoid widespread infection.

[Diagram: Enterprise Ransomware Detection Framework. Cloud: Neural-X & Security Butler. Network: Internet links pass through NGAF and IAM at the Perimeter/Domain to the Core switch. Endpoint: Office and Data center hosts running the Endpoint Secure Protect Agent. Security management zone: security software and the security operation visible screen.]
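The Network item "block RDP brute force attacks" on this slide (and its repeat on the Enterprise Ransomware Solution slide) rests on first recognising the pattern in logon telemetry. As an added example written for this page, not Sangfor's NGAF logic, the Python below runs a sliding-window threshold over Windows failed-logon events (Event ID 4625 with LogonType 10, the RemoteInteractive type used by RDP) and raises one alert per source IP that fails five logons inside sixty seconds, listing the accounts tried so that a spray across many accounts is visible. The pipe-delimited log format, the IP addresses, account names and timestamps are constructed sample data, not telemetry from any product.

```python
"""Sliding-window detector for RDP password guessing over Windows logon events.

Added example, not Sangfor's code. Assumes a log forwarder delivers Security
log events as pipe-delimited key=value lines (constructed format below).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625        # Windows Security event: an account failed to log on
REMOTE_INTERACTIVE = 10    # LogonType 10 = RemoteInteractive (RDP / Terminal Services)

# Constructed sample log: 203.0.113.7 (TEST-NET-3) fails against several accounts
# in quick succession; 192.0.2.10 is a user who mistypes twice and then succeeds.
SAMPLE_LOG = """\
time=2018-08-03T10:00:00|event_id=4625|logon_type=10|account=administrator|source_ip=203.0.113.7
time=2018-08-03T10:00:02|event_id=4625|logon_type=10|account=jdoe|source_ip=192.0.2.10
time=2018-08-03T10:00:05|event_id=4625|logon_type=10|account=admin|source_ip=203.0.113.7
time=2018-08-03T10:00:10|event_id=4625|logon_type=10|account=root|source_ip=203.0.113.7
time=2018-08-03T10:00:12|event_id=4625|logon_type=2|account=administrator|source_ip=203.0.113.7
time=2018-08-03T10:00:15|event_id=4625|logon_type=10|account=administrator|source_ip=203.0.113.7
time=2018-08-03T10:00:20|event_id=4625|logon_type=10|account=backup|source_ip=203.0.113.7
time=2018-08-03T10:00:25|event_id=4625|logon_type=10|account=sqladmin|source_ip=203.0.113.7
time=2018-08-03T10:00:40|event_id=4625|logon_type=10|account=jdoe|source_ip=192.0.2.10
time=2018-08-03T10:00:45|event_id=4624|logon_type=10|account=jdoe|source_ip=192.0.2.10
"""


def parse_event(line: str) -> dict:
    """Turn one key=value|key=value line into a typed event dict."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return {
        "time": datetime.fromisoformat(fields["time"]),
        "event_id": int(fields["event_id"]),
        "logon_type": int(fields["logon_type"]),
        "account": fields["account"],
        "source_ip": fields["source_ip"],
    }


def load_sample_events() -> list:
    return [parse_event(line) for line in SAMPLE_LOG.splitlines() if line.strip()]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)) -> list:
    """Return one alert per source IP whose RDP logon failures reach `threshold`
    within any span of length `window`. Events must be in time order. Console
    failures (other logon types) and successes are ignored, so a user who
    mistypes a password at the keyboard never trips the rule."""
    recent = defaultdict(deque)   # source_ip -> deque of (time, account) inside the window
    alerts, alerted = [], set()
    for ev in events:
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] != REMOTE_INTERACTIVE:
            continue
        q = recent[ev["source_ip"]]
        q.append((ev["time"], ev["account"]))
        while q and ev["time"] - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["source_ip"] not in alerted:
            alerted.add(ev["source_ip"])
            alerts.append({
                "source_ip": ev["source_ip"],
                "failures": len(q),
                "accounts": sorted({acct for _, acct in q}),  # many accounts = spraying
                "first_seen": q[0][0],
                "last_seen": ev["time"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(load_sample_events()):
        print(f"RDP brute force from {alert['source_ip']}: {alert['failures']} failures "
              f"against {alert['accounts']} between {alert['first_seen']} and {alert['last_seen']}")
```

The alert carries the first and last timestamps and the account list, which is what a border device needs to apply a temporary block and what an analyst needs to judge whether the source is an attacker or a misconfigured jump host. Raising the threshold or widening the window trades missed slow-and-low guessing against false positives from legitimate users; on the sample data a threshold of 7 produces no alert at all.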

Page 33

Enterprise Ransomware Solution

Cloud (Neural-X)

• Cloud Monitoring Service: detecting existing exploits or vulnerabilities such as RDP port exposure, deserialization vulnerabilities and EternalBlue vulnerabilities.

• Cloud Threat Intelligence: pushing the latest ransomware intelligence.

Network

• Deploy Border Security Devices: block web exploits and RDP brute force attacks.

• Configure Protection Device to Associate with the Cloud Reputation: directly block outbound C&C host behavior and malicious file downloads, based on IP/file reputation.

• Deploy SIP: link network data and terminal data to jointly analyze suspicious behavior, monitor in real time and provide early warning of any threats.

Endpoint

• Endpoint Secure: early detection of vulnerable hosts that are easily exploited by ransomware.

• Scan endpoints regularly for ransomware.

• Real-time, AI-powered analysis of ransomware behavior.

• Immediate isolation of infected hosts to avoid widespread infection.

[Diagram: Standard Ransomware Detection Framework. Cloud: Neural-X. Network: Internet links pass through NGAF and IAM at the Perimeter/Domain to the Core switch. Terminal: Office and Data center hosts running the Endpoint Secure Protect Agent. Security management zone: security software, SIP and the security operation visible screen.]

Page 34

Ransomware Incident Response Services

Business Recovery

• Locating infection and stopping spread

• Remediation planning

Assessment & Forensics

• Identify root cause

• Security Gap Analysis

• Response planning

Customized Solutions

• Vertical based

• Compliance based

• Tailored to unique needs

Highly Trained Incident Response Team

Page 35

Case Studies

Customer A: Government

Country: China

Ransomware: WannaCry

Response Timeline: recover backups (1 hour); confirm ransomware strain and infected files (30 mins); install Endpoint Secure to remediate ransomware (2 hours)

Customer B: Education

Country: Malaysia

Ransomware: GandCrab V2.1

Response Timeline: recover backups (5 mins with Sangfor HCI); confirm ransomware strain and infected files (30 mins); install Endpoint Secure to mitigate ransomware (2 hours)

Customer C: Enterprise

Country: UAE

Ransomware: Phobos

Response Timeline: confirm ransomware strain and infected files (30 mins); install Endpoint Secure to remediate ransomware (2 hours); vulnerability scanning (2 hours)

Page 36

THANK YOU

www.sangfor.com Sangfor Technologies Inc.

Jason Yuan

VP for Product & Marketing

Sangfor Technologies

[email protected]