Hi, I'm Kate Taylor, and today we're going to talk about ransomware. Ransomware has been really popular lately, you've probably heard of the most infamous brands, Cryptowall or Cryptolocker. I'm going to walk you through how it works, and I'm going to highlight some steps that you can take with Palo Alto Networks to help prevent this kind of threat from entering your network. The way ransomware works is, you have an infected computer or any infected machine, could be a mobile device, it could be your laptop, doesn't matter. What happens is that that malware ransomware will send out a beacon to the attacker's server. This is the command and control channel, and what it does is it takes information from the victim's machine and sends it to the attack server, so that a public key can be created based on the victim's machine specifically. That public key is then sent back to the user's machine where it looks for a bunch of files, anything that you have access to, anything that's on your machine, anything that your machine has access to, like shared network files that you work on with your colleagues, anything like that, and it locks them up, it encrypts them using that public key. One thing to know is that most ransomware uses a two-key encryption, so there's a public key and a private key. The public key can encrypt anything, but you can only decrypt with the private key. This is how ransomware works. Going back to the scenario here where your files are now locked up, what that does is after the files have been encrypted, give us a little warning message to the user and says, "Hey, your files are locked, you should send us money and then we'll send you the private keys so that you can decrypt them." The user then will send the specified amount to the attacker. This is usually done, there's prepaid methods. Bitcoin is really popular. It's usually around a couple hundred dollars. Once the victim sends the money to the attacker, the attacker then sends the private key to the victims so they can decrypt their files. The attacker will usually impose a time limit on the victim. If the victim doesn't pay within that time limit, the attacker will destroy the private key, which means that the victims files are encrypted forever. They're gone at that point. Even after the victim has paid the attacker, the attacker still has this command and control channel set up, so they can still extract data from the victim's machine and use it for profit later. Palo Alto Networks has a few tools to help prevent ransomware from infecting your network and extorting your employees. We have antivirus, which scans files for known samples of ransomware and blocks them from entering the network. We also have wildfire, which scans files for new samples of ransomware out there and then creates protections for those, delivers them back to the antivirus library so that you're always protected against the latest ransomware samples. We also have anti command and control signatures which shutdown this command and control channel. The device information that the attacker needs to generate the public and private key, it doesn't have a chance to get to the attack server because that command and control channel is shutdown by our anti command and control signatures. We also have Traps, our advanced endpoint protection. This is important because it prevents code execution on endpoint, so ransomware never even has a chance to get on your machine in the first place. Traps, along with these other prevention tools, help stop ransomware from gaining a foothold in your network and extorting your employees. For more prevention tips like this, visit our website at www.paloaltonetworks.com.
