Solution Briefs

Waste Less Time Fighting Ransomware
© 2016 Cisco and/or its affiliates. All rights reserved.

"Does Cisco Umbrella block ransomware?" This is one of the most common questions that we hear from customers. In reality, the answer for any security provider — including Cisco — is seldom an absolute "yes" or "no." It really depends on how each variant arrives onto your systems, as well as its order of operations for encrypting data for ransom. However, with Cisco you can significantly reduce the number of ransomware infections across your organization.

Prevent and contain ransomware with Cisco Umbrella and AMP for Endpoints

Phases of ransomware attacks

Attackers have many ways to initiate an attack — everything from common malvertising and phishing methods to sophisticated thumbdrive drop tactics. The infections can begin when users click on links in phishing emails or if malicious ads or compromised sites redirect users to domains hosting exploit kits (e.g. 'Angler,' 'Zeus,' 'Nuclear,' etc.). Exploit kits can also be delivered via email attachments or infected thumbdrives.

Interestingly, this initial payload is not the ransomware. Assuming the initial payload successfully exploits a system, it analyzes its environment (e.g. OS, unpatched applications) to select an effective ransomware variant. At this point, a callback is made to a ransomware drop host to retrieve the private keys needed to encrypt the endpoint. Most popular exploit kits have to resolve a domain name to an IP address to initiate the callback.

Although variants of ransomware behave differently — for example, SamSam uses a built-in encryption key that doesn't require a command & control (C2) callback and other variants use Tor-based Onion Routing or IP-only callbacks that avoid DNS — there are many ways that Cisco can help.

Waste less time fighting ransomware attacks.
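The brief's caveat that DNS-layer enforcement only helps when the callback actually resolves a domain name can be checked against an endpoint's outbound connection records. The following Python is an added example, not Cisco's code or part of the brief; the egress records, process names and destinations are constructed placeholders.

```python
"""Classify outbound callbacks by whether a DNS-layer resolver can see them.

Constructed example: given endpoint egress records, decide which callbacks a
DNS-layer control could block and which need endpoint coverage because no
DNS lookup ever happens (IP-only or Tor .onion callbacks, as the brief notes).
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample of outbound connection attempts seen on one endpoint.
# Fields: process, destination, port. All values are illustrative placeholders.
SAMPLE_EGRESS = [
    "rundll32.exe dropper-keyserver.example 443",
    "svchost.exe 203.0.113.7 8080",
    "tor.exe abcdefghijklmnop.onion 9050",
    "outlook.exe mail.example.com 443",
]


@dataclass
class Callback:
    process: str
    destination: str
    port: int
    kind: str          # "domain", "ip_literal" or "onion"
    dns_visible: bool  # True if a DNS-layer resolver sees a lookup for it


def classify_destination(dest: str) -> str:
    """Return how the destination is addressed: domain, ip_literal or onion."""
    try:
        ipaddress.ip_address(dest.strip("[]"))  # accepts bracketed IPv6 too
        return "ip_literal"
    except ValueError:
        pass
    if dest.lower().endswith(".onion"):
        return "onion"
    return "domain"


def parse_egress(lines):
    """Turn 'process destination port' records into Callback objects."""
    result = []
    for line in lines:
        proc, dest, port = line.split()
        kind = classify_destination(dest)
        # Only plain domain names produce a resolver query; IP literals need no
        # lookup, and .onion names are resolved inside the Tor network.
        result.append(Callback(proc, dest, int(port), kind, kind == "domain"))
    return result


def coverage_gaps(callbacks):
    """Destinations a DNS-layer policy cannot see; these rely on endpoint controls."""
    return [c.destination for c in callbacks if not c.dns_visible]
```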
[Figure: ransomware attack-path diagram. Entry points (phishing spam, compromised sites and malvertising, exploit or phishing domains) lead via email attachment, web link or web redirect to a file drop of the ransomware payload, which then calls back to malicious infrastructure (C2; exploit kits Nuclear, Angler, Rig) and encryption key infrastructure. Legend: Blocked by Cisco Umbrella; Blocked by Cisco AMP for Endpoints.]