Ransomware attacks are a growing threat. Zerto provides a virtual replication solution that allows recovery of encrypted files and applications within minutes through continuous replication of changes at the block level. The presentation demonstrated how Zerto can minimize the impact of a ransomware infection by recovering files from seconds before encryption occurred. It also discussed how Zerto helps users prove compliance with regulations by enabling testing and reporting of disaster recovery capabilities.
2. Housekeeping (PRIVATE AND CONFIDENTIAL)
• This webinar is being recorded and an on-demand version will be available at the same URL at the conclusion of the webinar
• Please submit questions via the button on the bottom left of the viewer
– If we don't get to your question during the webinar, we will follow up with you via email
• Download related resources via the "Attachments" button above the viewing panel
• On Twitter? Join the conversation: #ransomware @Zerto and @HOSTINGdotcom
3. Our Speakers
Ed Schaefer, Director of Cloud Services, HOSTING since 2007, eschaefer@hosting.com, @schaeferej
Donal Farrell, Cloud Architect, Zerto
4. Agenda
• The risk vector
• Securing & protecting best practices
• Current data protection & recovery solutions
• The Zerto revolution
• Recovering from the infection in minutes
• Hosting.com Demo
5. DRaaS at HOSTING
Cloud Replication Services since 2012
• Consultative DR plan development
• Guided Live and Test DR exercises
• Solutions for every use case
– Daily Backups
– Long term Backup storage
– Continuous Replication
• Platform Native (Active Directory, SQL Server AlwaysOn)
• Zerto Virtual Replication
10. A Global Problem - Worldwide infections
World map with infection counts per region, ranging from 1k+ through 5k+ and 50k+ up to 150k+ (region labels are not recoverable from the slide text)
11. How Does it Work?
1. The victim is compromised by a phishing scam or exploit kit which downloads CryptoWall 4 (Nov 2015)
2. Binary is downloaded and executed
3. Injected into explorer.exe
4. Makes itself persistent: copies to %AppData% and adds a registry Run key
5. Injected into svchost (main malware logic)
6. Downloads the RSA public encryption key from the C2 server
7. Files are encrypted with a randomly generated AES key
8. The RSA public key is used to encrypt that AES key
9. Displays the ransom note in 3 formats: PNG, text and HTML
Diagram labels: "Get keys" / "Public key" (exchange with the C2 server); example encrypted file name: 27p9k967z.x1nep
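Steps 4 and 5 of this chain (a Run key pointing into %AppData%, shadow-copy deletion and bcdedit tampering from the speaker notes) are the parts a defender can actually observe on the endpoint. The Python below is an added example, not code from the deck, from Zerto or from HOSTING: it runs a few detection rules over constructed JSON-lines telemetry. The field names, the sample paths and file names, and the exact command lines matched (vssadmin, wmic, bcdedit) are assumptions of this example rather than details taken from the slide.

```python
import json
import re

# Constructed JSON-lines telemetry (field names are an assumption, not a real
# EDR schema). The lines mirror the behaviours on the slide: a Run key that
# points into %AppData%, shadow-copy deletion, and bcdedit disabling Startup
# Repair. Benign lines and one malformed line are mixed in on purpose.
SAMPLE_EVENTS = [
    r'{"type":"process","image":"C:\\Windows\\explorer.exe","cmdline":"explorer.exe","parent":"userinit.exe","user":"alice"}',
    r'{"type":"registry","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","value":"Updater","data":"C:\\Users\\alice\\AppData\\Roaming\\random-name.exe","user":"alice"}',
    r'{"type":"registry","key":"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","value":"Agent","data":"C:\\Program Files\\Vendor\\agent.exe","user":"SYSTEM"}',
    r'{"type":"process","image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin.exe delete shadows /all /quiet","parent":"svchost.exe","user":"alice"}',
    r'{"type":"process","image":"C:\\Windows\\System32\\bcdedit.exe","cmdline":"bcdedit /set {default} recoveryenabled no","parent":"svchost.exe","user":"alice"}',
    r'{"type":"process","image":"C:\\Windows\\System32\\bcdedit.exe","cmdline":"bcdedit /enum","parent":"cmd.exe","user":"admin"}',
    'not json at all',
]

# Persistence: a Run/RunOnce key whose command lives under %AppData% (Roaming).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
APPDATA_ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
# Recovery sabotage: shadow-copy deletion and Startup Repair being switched off.
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE)
BCDEDIT_TAMPER = re.compile(
    r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
    re.IGNORECASE)


def classify(event):
    """Return the names of the rules a single parsed event triggers."""
    hits = []
    if event.get("type") == "process":
        cmd = event.get("cmdline", "")
        if SHADOW_DELETE.search(cmd):
            hits.append("shadow_copy_deletion")
        if BCDEDIT_TAMPER.search(cmd):
            hits.append("startup_repair_disabled")
    elif event.get("type") == "registry":
        if RUN_KEY.search(event.get("key", "")) and APPDATA_ROAMING.search(event.get("data", "")):
            hits.append("run_key_persistence_from_appdata")
    return hits


def analyze(lines):
    """Parse each line, skip malformed ones, and collect one finding per rule hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in classify(event):
            findings.append({"line": n, "rule": rule, "user": event.get("user"),
                             "detail": event.get("cmdline") or event.get("data")})
    return findings


def triage(findings):
    """Users who trip two or more distinct rules are candidates for network isolation."""
    per_user = {}
    for f in findings:
        per_user.setdefault(f["user"], set()).add(f["rule"])
    return {u: sorted(r) for u, r in per_user.items() if len(r) >= 2}


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("isolate:", triage(found))
```

The point of `triage` is the response the customer story later describes: the first action is to isolate the PC, and a single Run-key write is noisy on its own, while a Run key plus shadow-copy deletion from the same user within one log window is worth an automatic quarantine.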
12. Can It Be Broken?
• Most ransomware uses extremely strong crypto
• CryptoWall 4 is not perfect… BUT
• If a strong firewall or IPS is able to intercept and block the CryptoWall 4 packets, the infection will not continue: the RSA key cannot be downloaded
• Every security company's bottom line is "Have a good recovery strategy"
13. Survey findings (source: Malwarebytes international study)
• 60% of attacks demanded over $1000
• 63% of attacks took more than a day to remediate
• Email is the most popular entry point
• 40% of attacks hit multiple endpoints
• 80% of US organizations hit
• 96% of US organizations NOT CONFIDENT IN RESTORE CAPABILITY
Google Search – "malwarebytes international study"
14. Stopping Infections – Recommendations
Users, IT Dept, External:
- Train users & IT
- Anti-virus/malware
- Restrict domain admins
- Change control
- Isolated external users
- Software restriction policies
Disks, Network:
- Audit file shares
- Audit permissions
- Apply read-only
- Firewall policies
- User VLANs
- Honey trap & alerting
Web, Email, USB, BYOD:
- Secure entry points
- Filter web traffic
- Scan email attachments
- Block USB devices
- Isolated BYOD
- No web access on VMs
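"Honey trap & alerting" is the one item in this list that catches the encryption itself rather than the delivery. The Python below is an added example, not Zerto's or HOSTING's code: it plants decoy files in a share directory, records their hashes, and reports any file that goes missing, is overwritten in place, or appears unexpectedly (a renamed ciphertext). The decoy names, the manifest format and the simulated encryption routine are all constructed for the demonstration; it runs against a temporary directory so it can be tried offline.

```python
import hashlib
import os
import secrets
import tempfile

# Decoy names chosen to sort first and last in a directory listing, on the
# assumption that ransomware walks a share in listing order. Names are made up.
CANARY_NAMES = ["!!_do_not_open_invoices.xlsx", "0000_payroll_2015.docx", "zzz_archive.pdf"]


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(share_dir, names=CANARY_NAMES):
    """Write decoy files into share_dir and return a manifest of their expected hashes."""
    manifest = {}
    for name in names:
        path = os.path.join(share_dir, name)
        with open(path, "wb") as f:
            f.write(b"CANARY " + secrets.token_bytes(2048))  # random filler, no real data
        manifest[name] = _sha256(path)
    return manifest


def check_canaries(share_dir, manifest):
    """Compare the share against the manifest; every difference is an alert."""
    alerts = []
    present = set(os.listdir(share_dir))
    for name, expected in manifest.items():
        if name not in present:
            alerts.append({"file": name, "kind": "missing"})      # deleted or renamed
        elif _sha256(os.path.join(share_dir, name)) != expected:
            alerts.append({"file": name, "kind": "modified"})     # overwritten in place
    for name in sorted(present - set(manifest)):
        alerts.append({"file": name, "kind": "unexpected"})       # new file, e.g. renamed ciphertext
    return alerts


def simulate_encryption(share_dir, victims):
    """Constructed stand-in for ransomware: overwrite with random bytes, rename the first victim."""
    for i, name in enumerate(victims):
        path = os.path.join(share_dir, name)
        with open(path, "wb") as f:
            f.write(secrets.token_bytes(2048))
        if i == 0:
            os.replace(path, path + ".encrypted")


def demo():
    """Plant, verify clean, run the constructed attack, verify again."""
    with tempfile.TemporaryDirectory() as share:
        manifest = plant_canaries(share)
        before = check_canaries(share, manifest)
        simulate_encryption(share, CANARY_NAMES[:2])
        after = check_canaries(share, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

Two deployment notes: the canary directory must be dedicated, otherwise "unexpected" fires on every legitimate save; and the alert should feed whatever disconnects the writer (disable the user's share access, or the endpoint's switch port), since by the time a canary changes the encryption is already under way and the value lies in limiting how many mapped shares it reaches.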
15. Typical Data Protection Solutions
Timeline diagram (06:00 to 18:00): a daily backup plus periodic snapshots. An event that lands between them (power interruption or hardware failure, a Cryptolocker virus infection, file deletion, application or human error) = data loss & downtime: 24h+ back to the last backup, 4h+ back to the last snapshot.
16. Zerto Virtual Replication
Minimize impact, re-wind and recover from any point in time
Timeline diagram (00:00 to 18:00) showing a 2 week journal of recovery points covering sites, apps, VMs and files
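The difference between the two timelines is easier to see in a model than on a slide. The Python below is an added example and not Zerto's implementation: it keeps a base image plus a journal of timestamped block writes, marks a checkpoint every 5 seconds (an assumed interval), and rewinds to the newest checkpoint before a constructed encryption burst, comparing the data lost against restoring from a 12:00 snapshot. Block contents, times and the snapshot schedule are all made up for the scenario.

```python
import datetime as dt
from dataclasses import dataclass


@dataclass(frozen=True)
class Write:
    t: dt.datetime   # when the block was written
    block: int       # block index
    data: bytes      # new contents


class JournaledVolume:
    """Base image plus an ordered journal of block writes and checkpoint timestamps."""

    def __init__(self, base):
        self.base = dict(base)
        self.journal = []
        self.checkpoints = []

    def write(self, t, block, data):
        self.journal.append(Write(t, block, data))

    def checkpoint(self, t):
        self.checkpoints.append(t)

    def image_at(self, t):
        """Replay every journaled write up to and including time t onto the base image."""
        img = dict(self.base)
        for w in sorted(self.journal, key=lambda w: w.t):
            if w.t <= t:
                img[w.block] = w.data
        return img

    def latest_checkpoint_before(self, t):
        earlier = [c for c in self.checkpoints if c < t]
        return max(earlier) if earlier else None

    def rewind(self, t):
        """Newest checkpoint strictly before t, and the image at that checkpoint."""
        cp = self.latest_checkpoint_before(t)
        return cp, (self.image_at(cp) if cp is not None else dict(self.base))


def demo_scenario():
    """One working day: two user writes, a constructed encryption burst, two recovery choices."""
    day = dt.datetime(2016, 3, 1)

    def at(h, m, s=0):
        return day.replace(hour=h, minute=m, second=s)

    vol = JournaledVolume({0: b"boot", 1: b"report v1", 2: b""})
    t = at(6, 0)                                   # assumed: a checkpoint every 5 seconds, 06:00-18:00
    while t <= at(18, 0):
        vol.checkpoint(t)
        t += dt.timedelta(seconds=5)
    vol.write(at(9, 15), 1, b"report v2")
    vol.write(at(13, 40), 2, b"invoice 1042")
    infection = at(14, 37, 12)                     # constructed ransomware overwrites every block
    for blk in (0, 1, 2):
        vol.write(infection, blk, b"\xff\xee" * 4)

    cp, rewound = vol.rewind(infection)            # journal: step back to just before the burst
    snapshots = [at(6, 0), at(12, 0)]              # the slide's alternative: periodic snapshots
    snap = max(s for s in snapshots if s < infection)
    return {
        "rewind_checkpoint": cp,
        "rewind_image": rewound,
        "rewind_loss_seconds": (infection - cp).total_seconds(),
        "snapshot_time": snap,
        "snapshot_image": vol.image_at(snap),
        "snapshot_loss_seconds": (infection - snap).total_seconds(),
    }


if __name__ == "__main__":
    r = demo_scenario()
    print("rewind to", r["rewind_checkpoint"].time(), "loses", r["rewind_loss_seconds"], "s:", r["rewind_image"])
    print("snapshot", r["snapshot_time"].time(), "loses", r["snapshot_loss_seconds"], "s:", r["snapshot_image"])
```

Note what the journal does not do for you: it holds the encrypted writes too, so the recovery is only as good as the point in time you pick. Choosing a checkpoint after the burst restores ciphertext just as faithfully, which is why the recovery workflow later in the deck has a "Verify" step before the failover is committed.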
17. How Zerto Revolutionized Disaster Recovery
Replication was in the wrong place – the physical layer
Zerto hypervisor-based replication: the first enterprise-class, software-defined replication & recovery automation solution
Diagram: the hypervisor stack, with security, networking, servers, storage and replication
18. How Zerto Works
Virtual Replication Appliance (VRA): scale-out architecture, security hardened; compression, throttling, resilience
VM-level replication: VM block-level changes; always-on replication, data loss = seconds; no snapshots, scheduling, impact or extra storage
Management & orchestration: 1 x Zerto Virtual Manager (ZVM) per vCenter/SCVMM; a Windows VM, so restrict its ports
Storage-agnostic replication: replica VM & compressed journal vDisks; journal from 1 hour to 2 weeks max, 7-10% space
Diagram: Prod Site and DR Site, each with a vCenter, a ZVM, and a VRA alongside the VMs on each host, linked over WAN/VPN
19. Enterprise Application Architectures
Diagram: a firewall in front of load balancers, web servers, file servers, index servers and database servers, each tier made up of several VMs
20. Consistent Protection & Recovery
• Simple, scalable protection & recovery of VMs, not LUNs
• Recover multi-VM application stacks together
• Point in time recovery, write ordering & application consistency
• Prioritize replication, pre-seeding, reduce initial sync
• Support virtualization features vMotion, svMotion, HA etc
• LUN Consistency Group evolved = Virtual Protection Group (VPG)
Diagram: Production Site running enterprise applications (CRM, ERP, SQL, Oracle, SharePoint, Exchange); each application's VMs and vDisks are grouped into a VPG (CRM VPG, SQL VPG, ERP VPG) with its own RPO, shown as 4, 9 and 6 seconds
21. Recovering From Cryptolocker In Minutes
Recovery process: Disaster Event! → Click Failover → Select Apps → Verify → Start Failover
22. Virtual Awareness and Integration
• Hypervisor integrated
• Real-time dashboard
• Service level driven
• Role Based Access Control
• Single solution for BC/DR
• REST API automation
• Ensure compliance: DR test reporting, prove recovery capability
23. Recovering Individual Files & Folders in Minutes
Restore request: file server data, application files, SQL databases, Oracle databases, Exchange databases
1. Select VM
2. Select point in time
3. Select files & folders (disks mounted; no agent or impact)
4. Restore anywhere: browser download, instant-access on ZVM, or mount a network share
Data restored from seconds before
28. Real-world Zerto Customer Story
Ransomware infection:
• Real screenshot from end user PC
• Encrypted files on all user mapped shares with edit permissions
Response:
• PC was isolated from the network
• Used ZVR to recover files from minutes before
• No need to re-create files or accept data loss from using backup
• No ransom paid
• Impact minimized!
29. Zerto Feature Summary
Enterprise-Class Disaster Recovery Software: hypervisor-based, virtual aware
• Install in minutes; simple, scalable software
• Click to test, failover, migrate; RTO = minutes, prove compliance
• Journal based protection: reduce impact, recover & re-wind
• No snapshots: always-on, RPO = seconds
• Consistency groupings
• Storage & hypervisor agnostic, for on-premise DR & DRaaS
• Powerful data protection & recovery
• Strategic BC/DR platform
Editor's Notes
1) The victim is compromised by a phishing scam or exploit kit which downloads CryptoWall.
**One of the first things Lastline's research duo noticed about CryptoWall 4.0's unpacked malware payload is a list of hashes it uses to resolve the addresses of all the APIs it needs to call. (One hash corresponds to exactly one API.) This choice of design, as opposed to storing the API names as strings or referring to an import table, enhances the ransomware's ability to conceal itself from antivirus software.**
2) Binary is downloaded and executed – it could be hiding in a ZIP file with a script that is then executed, or in an attachment such as a document with macros, etc.
3) Injected into explorer.exe – the ransomware's activities in explorer.exe are meant to achieve persistence and hide its tracks.
4) Makes itself persistent (registry Run key) – any infected user should remember that if persistence is successful the encryption function will run again on the next reboot to encrypt any files the user created after the initial infection. CryptoWall 4.0 achieves this by copying itself to the %AppData% directory, creating a registry entry that starts it at each boot, terminating the primary malware process, and deleting the original file.
5) Injecting into svchost (main malware logic) – the CryptoWall 4 code is injected into the svchost host process. Injection into this process increases the privilege level of access to the compromised machine; this allows the deletion of all available shadow copies without the end user being prompted with the UAC (User Account Control) dialog to 'Approve' the deletion when the user has administrator-level access rights. It also uses bcdedit to turn off Windows Startup Repair.
6) Downloads the RSA public encryption key from the C2 (command and control) server.
7) Files are encrypted with a randomly generated, temporary AES key, and the RSA public key is then used to encrypt that AES key. CryptoWall 4 now encrypts a file's name along with its data. The Win32 API is used to encrypt.
8) All files are encrypted with a temporary AES key, which is later encrypted with the downloaded RSA public key and embedded in the encrypted files.
9) Displays the ransom note in 3 formats (PNG, text and HTML) to ensure the user knows.
10) The only way to recover is to have access to the private key that matches the downloaded RSA public key; that private key can decrypt the AES key, which in turn decrypts the files.
CryptoWall 4 actually excludes certain file extensions and directories to ensure the OS still works and, obviously, so the user can use that machine to pay the ransom (the end goal).
The bad news is that the CryptoLocker family shows no signs of becoming weak.
BUT it is, if anything, becoming more intelligent. That being said, the program is not perfect and of course has flaws which can be exploited.
Many security companies are publishing excellent white papers on the details of such attacks, walking you through exactly how they work and giving some suggestions on how to fix them.
One such example: one company identified that CryptoWall exchanges encrypted packets with the C&C server to get its encryption keys, and that if those packets are isolated it never gets the keys (the software essentially goes into a loop). BUT the list of servers is in the CryptoWall code itself, is encrypted, and changes. Just an example of how difficult it is to stop this.
If you were fast enough to remove a PC from the network during the install phase, you could save your data.
If you can block the code from downloading its RSA key then, at the very least, it will just go into a continuous loop.
RSA public key packet ID is set to 7.
A 2 week journal covers the typically reported 90%+ of data requests that fall within a 2 week window.
Back in 2011 replication in enterprise virtual environments was done at the storage layer, and at Zerto we saw this was in the wrong place, as you were locked into replicating between 2 matching storage arrays.
This meant that, first of all, you were unable to mix and match your storage between your sites; you had the complexity of replicating per LUN; it was so complicated it even required separate management software for VM integration; and you couldn't fully realize all the benefits of virtualization because you were tied into the physical layer.
We revolutionized BC/DR by moving the replication into the hypervisor to make it software-defined, and included all of the recovery automation, removing the need for a separate solution and enabling the simplicity of protecting on a per-VM basis.
And Zerto isn't alone in this trend: everything from your security, networking and storage is now moving into the hypervisor to realize the benefits of being software defined.
Sales Notes:
No overhead in production, no TBs of space like a backup product
No agent required in protected VMs for this functionality
Supports crash-consistent and application-consistent PITs (points in time)
Data is compressed in the target site (on the fly by the ZVM backup service) before being sent over the wire to minimize bandwidth utilization
Instant-access means the data is immediately mounted to the ZVM in the recovery site, meaning you don't have to wait to restore the data from backup to start using it
Zerto doesn't give the workflows in the GUI for restoring app objects (like mailboxes); this can be done by mounting the data and pulling the objects out using the app tools, but Zerto has the one thing no other solution has: the actual data from the point in time required rather than the last backup
Exchange mailboxes can be mounted, with no need to download, from the ZVM with the database in recovery mode to pull mailboxes and mailbox items with no disruption to production
SQL and Oracle databases can instantly be mounted from the ZVM data, again with no need to download first, to pull individual table data
The power and possibilities of this feature are endless and it enables IT to revolutionize their approach to data protection and recovery utilizing their existing DR solution. It's literally 2 solutions in 1.
SE Notes:
The disk should not be left mounted for longer than the journal history configured, just like a failover test (FOT).
If the disk mount is kept for longer than the journal history, then the journal will expand, just like a FOT.
Performing a failover will automatically unmount any open mounts.
Multiple disks can be mounted from the same checkpoint if a log and a DB both need to be downloaded or restored.