Webinar: Nightmare On Ransomware Street - Lock Your Digital Doors

Halloween has been and gone: the time where we share scary stories knowing they’re confined to story books and movie screens, but unfortunately, there are some IT horror stories that are all too real: the scariest being ransomware.

Unlike your typical Halloween monsters, these digital monsters, or hackers, are real and use fear to get users to hand over cash or assets in exchange for decrypting essential and valuable files.

Under no circumstance should you give in to fear and pay the ransom demanded by a hacker. Instead, learn from our assembled team of experts what you can do right now to remove the main risks of infection and sleep better at night.


Listen to NNT CTO and CEO as they discuss:

  • The Anatomy of a Ransomware Attack
  • Proven Steps to Prevent a Ransomware Attack
  • Access to Ransomware Mitigation Kits
  • Tools to help handle Ransomware fears throughout the organization

Video Transcript

A Very Scary Webinar


Welcome to NNT on Halloween – thought I should explain that in case you were wondering what all the dripping blood and creepy images are – but yes, we have a very scary webinar for you today so please - ask any children or the infirm to leave the room – I CANNOT be held responsible for ANY sleepless nights that may ensue from what… you are about…to see…

Scary Horrible Frightening Sights



The Most TERRIFYING Sight By Far – A Ransomware Demand


I did warn you – that there would be Scary, Horrible, Frightening sights that once seen, cannot be unseen …but the most TERRIFYING sight by far – a Ransomware demand.

Certainly A Pretty Horrible Thing To Have To Deal With


The scariest thing? Certainly a pretty horrible thing to have to deal with

What is shown on the right is from Petya / NotPetya: WPP Group crippled, an organization with significant resources. If it can happen to them… Petya/NotPetya is so called because it appeared to share a significant amount of code with an older piece of ransomware that really was called Petya; we now know it only carries a superficial resemblance, but the Petya tag stuck.

The malicious software has spread through large firms including the advertiser WPP, food company Mondelez, legal firm DLA Piper and Danish transport firm Maersk, leading to PCs and data being locked up and held for ransom. Heritage Valley Health Systems, which runs hospitals and care facilities in Pittsburgh, also said their systems had been hit by the malware.

Talking of healthcare organizations, the UK NHS was very badly hit by another headline-grabbing Ransomware variant, WannaCrypt (or WannaCry). Again, the NHS is the 5th largest employer in the world, behind McDonald's, Walmart, The Chinese Army and the US DoD – so it isn’t a question of manpower, and in fact with Ransomware, because it is generally spread via Phishing, the larger the organisation, the more chance there is to be hit.

The message of the webinar is that, even though there may be plenty of Zombies around today, we need to make sure we snap back into life and take action.

Just To Show How Indiscriminate Ransomware Is


Just to show how indiscriminate Ransomware is, you can see where it is hitting hardest – there is a rough correlation between where infections are reported and the level of industrialisation – China is very insular in terms of internet usage/access but still reports being hit. With Petya, there was a suggestion that it was perhaps more targeted than most and more designed to cause disruption than necessarily coerce ransom payments.

But again, the overwhelming message you should be taking on board and hopefully using to educate your colleagues and company management is that Ransomware gets the great and the good, the big and the small, the healthcare providers and the most commercially savvy, and it is most definitely trying to get your company’s data too.

This Is A Webinar, So We Needed Some Graphs!


This is a webinar, so we needed some graphs!

The most interesting takeaway is that there is no real trend in the top graph – my interpretation is that on a month by month basis, the battlefront changes and sometimes they win, sometimes we defend better, but there is always a fresh attack coming – and only one of them needs to succeed. This is borne out by the lower graph which shows that some work better than others – but as I said earlier, you only need one to succeed and it’s going to be a Nightmare on Your Street.

A few years ago it was reported that AV is dead – well, not quite, it's more the Living Dead in that it is still alive – just – but is increasingly ineffective as obfuscated zero-day malware is used more and more. Zero Day means unknown to the AV, which renders the malware invisible, untracked by the AV. We need to organise and arm ourselves far more effectively.

How Does It Happen?


How does it happen? Email – phishing, be it the mass, spear or now whale variety for corporate targets – is still the most common means of invoking a Ransomware attack. The home-user ‘market’ for the extortionists lends itself to mass-emailing, but this means that the malware can just as easily end up on Corporate Workstations. Significantly, now that there has been a very public precedent of a hospital paying a ransom, expect to see greater targeting of corporate targets.

The first thing we need to establish is the fact that Ransomware is no different than any other form of malware in terms of its delivery means – usually, but not exclusively, via email with either malware attachments or links to infected websites. The difference - and the scary part - is how it is used to extort money from victims.

Once the malware has been invited onto a user’s computer it can then get to work, encrypting files before announcing its presence and declaring its ransom demand. The nature of its immediate demands and very tangible threat is precisely what makes it more feared than other malware. However, your line of defence and your approach to preventing Ransomware should be the same as it would be for any other Malware.

What Can We Do?


What can we do? Prevention is better than any cure, so start with minimizing the opportunity for Ransomware to infect your endpoints. Malware works because it is able to exploit vulnerabilities at a platform level, like Windows or RedHat, but also at an application level. This is especially pertinent to Ransomware because the main distribution method used is phishing -

Of course, still use AV software: it will protect against older, already known ransomware variants, but the same blind spots apply. The widely-held view that ‘AV is Dead’ stems from its inability to identify Zero Day ransomware, which, like any other Zero Day malware, will not be identified. That doesn’t mean it’s pointless, but it won’t be enough to stop all ransomware infections.

Unfortunately, phishing is, by design, notoriously tough to prevent, due to its cunning and devious methods. The malware is invited in by the recipient, typically either by opening an attachment or by activating/downloading a link, thereby largely subverting Corporate IT Security.

The best approach is to, therefore, harden the user workstation environment, to prevent malware activity where possible and to at least place more obstacles in the way when not. As with any hardening program, a balance must be found between strong security and operational ease of use.

The majority of exploitable vulnerabilities can be mitigated within the Workstation Operating System, and further protection can be provided using manufacturer extensions such as Microsoft’s EMET (Enhanced Mitigation Experience Toolkit) and Windows Defender or 3rd Party AV.

Sounds Complicated?


Sounds complicated? Fortunately, NNT works with the Center for Internet Security and they have done all the hard work for you! They pull together all known vulnerabilities and provide detailed secure configuration guidance for your desktops, servers and applications, including email client and browser software.

Best of all we will be giving any attendee a free Change Tracker system including the sample reports and remediation kits to not just identify vulnerabilities, but to then automatically apply a secure configuration policy.

The NNT approach


Determining a finite definition of the applications and processes for a device has always been a deceptively tricky exercise, so monitoring is generally considered the best compromise: it improves security without inadvertently disrupting user and application operation, which is often the unfortunate consequence of rigidly blocking non-whitelisted processes.

However, for completeness, you may consider leveraging Microsoft AppLocker – it’s free and is effective if you have a reasonably controlled, static platform.

As an advance on this, and it is early days right now, Microsoft will soon be shipping Windows Defender Device Guard for Windows 10 Enterprise and Server 2016. Similar to the current AppLocker, this strengthens security by only allowing signed and/or whitelisted drivers and applications to run, controlled by a User-Defined Code Integrity policy. However, Device Guard significantly advances the concept in that the Code Integrity policy is enforced by an isolated, virtualized secure kernel, rendering it always protected from malware. Device Guard also leverages enhanced BIOS protection provided by the latest UEFI chipsets.

The NNT approach is to whitelist the ‘known safe’ posture of the workstation or server in terms of processes and services, as well as all other configuration attributes – software, security policy, open ports – so that any unexpected activity will be highlighted too. Again, this is a fundamentally sound security best practice, not just for ransomware defence but against any malware. We can show this later.

You Can Alleviate The Zero Day Blind Spot


The widely-held view that ‘AV is Dead’ stems from its inability to identify Zero Day ransomware, which like any other Zero Day malware will not be identified.

You can alleviate the Zero Day blind spot using good File Integrity Monitoring software to report any unusual file system activity. Not only will this highlight the ransomware malware files when first introduced to the system, but at least it will also show when newly encrypted files have been created. Don’t be put off by any previous experience of legacy FIM solutions like Tripwire, which have always been dogged by FIM change noise: false positives alerted for any file change.

Contemporary intelligent FIM solutions work in conjunction with Threat Intelligence to eliminate the false positives of change noise and make the operation of FIM a viable, practical option.

Instead of simply reporting every file change as it is detected, each change is first automatically analysed to verify if the file identity is already known as a legitimate system file. This is where the file whitelist and threat intelligence is leveraged. The result is that only the genuinely suspicious file changes involving ‘not already verified as safe’ files are highlighted.

By augmenting the FIM technology with automated access to a comprehensive file whitelist repository, Zero Day malware missed by the AV will still be detected and flagged as suspiciously ‘not whitelisted’.
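The whitelist-aware change analysis described above, as an added illustration (this is constructed example code, not NNT’s or Change Tracker’s own): two snapshots of file hashes are diffed, each change is checked against a whitelist of known-good hashes, and only changes whose content is not already verified as safe are reported. The paths, hashes and whitelist are all constructed so the script runs offline.

```python
# Whitelist-aware file integrity check. Constructed illustration, not NNT's code:
# two snapshots (path -> SHA-256) are diffed, then each change is checked against
# a whitelist of known-good hashes so only content not already verified as safe
# is reported. Sample hashes come from constructed bytes so this runs offline.
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed whitelist standing in for a vendor file repository / threat feed.
WHITELIST = {sha256(b"calc.exe v2 vendor build")}
BASELINE = {
    "C:/Windows/System32/calc.exe": sha256(b"calc.exe v1 vendor build"),
    "C:/Users/alice/Documents/report.docx": sha256(b"quarterly report"),
    "C:/Users/alice/Documents/budget.xlsx": sha256(b"budget numbers"),
}
CURRENT = {
    "C:/Windows/System32/calc.exe": sha256(b"calc.exe v2 vendor build"),  # patched
    "C:/Users/alice/Documents/report.docx.locked": sha256(b"ciphertext 1"),
    "C:/Users/alice/Documents/budget.xlsx.locked": sha256(b"ciphertext 2"),
    "C:/Users/alice/AppData/Local/Temp/svc.exe": sha256(b"unknown binary"),
}

def diff_snapshots(baseline, current):
    """All added/modified/removed paths as (path, kind, new_hash_or_None): the raw change noise."""
    changes = []
    for path, h in current.items():
        if path not in baseline:
            changes.append((path, "added", h))
        elif baseline[path] != h:
            changes.append((path, "modified", h))
    changes += [(p, "removed", None) for p in baseline if p not in current]
    return changes

def suspicious_changes(baseline, current, whitelist=WHITELIST):
    """Keep only changes whose new content is not a known-good hash (removals are always kept)."""
    return [c for c in diff_snapshots(baseline, current) if c[2] not in whitelist]

def newly_encrypted_candidates(changes):
    """One common pattern only: an original vanishes and '<original>.<ext>' appears in its place."""
    removed = [p for p, kind, _ in changes if kind == "removed"]
    return sorted(p for p, kind, _ in changes
                  if kind == "added" and any(p.startswith(r + ".") for r in removed))

if __name__ == "__main__":
    flagged = suspicious_changes(BASELINE, CURRENT)
    for path, kind, _ in flagged:
        print(f"{kind:8s} {path}")
    print("possible encrypted copies:", newly_encrypted_candidates(flagged))
```

The patched calc.exe is dropped because its new hash is whitelisted, while the unknown binary, the vanished documents and their renamed copies are reported; the rename heuristic covers only families that keep the original name, so treat it as one signal among several.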

In The Meantime


In the meantime, the simplest and maybe the most effective countermeasure is to be prepared to start again via regular backups, but make sure this is an isolated

We have talked about the concept of Zero Day Ransomware but inevitably these do become known and so an AV update may help in case superior capabilities to detect and remove have been provided.

Taking this further, take a look at nomoreransom.org, a site backed by security firms and cybersecurity organizations in 22 countries. Since its launch on July 25, 2016, nomoreransom.org estimates that it has been able to save 6,000 victims of ransomware more than $2 million USD to date. Last week the group announced the site is now available in Dutch, French, Italian, Portuguese and Russian.

Visit the Crypto Sheriff page at nomoreransom.org, upload one of the files encrypted by the ransomware, and the site will let you know if there is a solution available to unlock all of your files for free.

Copyright 2018, New Net Technologies LLC. All rights reserved. 