Embed Size (px)
Citation preview
Ransomware vs. SysAdminERIK LOEF
B
Erik Loef@erikloef
CTO
2day• Ransomware general• DEMO
• Application Whitelisting• DEMO
• Fileserver Protection• DEMO
• Windows 10 Fall Creators Update• DEMO
• Recap
general
variants• Lockers• CryptersKnown variants• Aids virus (1989)• Police | Fake Anitvirus• Cryptolocker/TelsaCrypt/Wildfirelocker
DEMORansomware end user experience
the other side
Pay
Application Whitelisting
let‘s take a look at SRP
Application Whitelisting
Microsoft Options
• AppLocker/Device Guard
• Good – Old – SRP
Third Party solutions
• RES
• Lumension
• Symantec
• and many many others
SRP
Advantages
• Working since Windows XP / Server 2003
• You can put it in ‘monitoring mode’ as a start
• Easy, everybody can do this
• Free
• Many examples and tools, I advise take a look at CryptoPrevent
DEMORansomware & SRP
File Server Resource Manager
• Quota Management
• File Screening Management
• Storage Reports Management
• Classification Management
File Screening Management
• unauthenticated API
• active vs. passive
• command execution
SEE https://fsrm.experiant.ca/
DEMORansomware & FSRM
DEMOControlled Folder AccessAttack Surface Reduction Rules
RECAP
• Ransomware still has the attention!
• You can fix this! (without high investments)
• Windows 10 Fall Creators Update first OS with specific built-in anti- Ransomwaremechanismes
LINKS• https://technet.microsoft.com/en-us/library/cc732431(v=ws.11).aspx
• https://fsrm.experiant.ca/
• http://windowsitpro.com/systems-management/q-how-can-we-verify-software-restriction-policy-srp-rule-we-defined-one-our-appli
• https://technet.microsoft.com/en-us/library/bb457006.aspx
• https://www.foolishit.com/cryptoprevent-malware-prevention/
• https://technet.microsoft.com/en-us/library/3f1faff2-cf65-42ce-9df8-a22bac671047
• https://www.nomoreransom.org/
• https://www.fraudehelpdesk.nl/
• www.twitter.com/erikloef
• https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce
• http://blog.netwrix.com/2016/04/11/ransomware-protection-using-fsrm-and-powershell/
Thanks to our event sponsors
Silver
Gold
