From Ransomware to rootkits, old-school security cannot always keep pace with today’s advanced attacks. In this joint Free Training Friday webinar between AbacusNext and Sophos, learn why these threats work, and how to protect against them. Watch the video or read the transcript below.


About Free Training Friday: Since the beginning of 2017, we have been holding these free, 30-minute training hosted by our industry-leading experts and innovators who will teach you about AbacusLaw, Amicus Attorney and the Abacus Private Cloud. Since then, we have expanded to also provide free Results CRM and OfficeTools Software trainings. If you would like to request a topic, please email

Video Transcription

Hello. Good morning, everyone. Good afternoon, good evening, good morning, wherever you're at. If everyone could just please confirm that you can not only hear me well but you can also see the shared screen, you can just go ahead and raise your hand or just give us a shout out on the chat pane. All right, what do we got here? We have ... All right, we got some hands raised, good. More hands raised, fantastic. Okay, you can hear us. Fantastic. All right, everyone.

Good morning, and good afternoon, wherever you're joining us from. My name is Andrew Perez and I'm an online content manager here at Abacus Next. Thanks for signing up for our webinar, Keep Ransomware Out: How You Can Stop Ransomware and Exploits Before They Strike.

Before we get started, just a couple of quick housekeeping notes. Please feel free to submit your questions through the presentation using the chat panel. We will answer your questions in the order they were received at the end of the presentation. Without further ado, I'd like to introduce our speaker today, Derek Snyder. Derek is Channel sales engineer at Sophos and has nearly 15 years of experience in the industry. I'll just go and hand it over to you, Derek.

Excellent, thank you, Andrew. Welcome, everyone, to our webinar today. I hope you guys enjoy this time. I know people are looking forward to a long weekend, some of you, or maybe you're doing some patching over the weekend. We will get through this, though, and hopefully, it's very educational for you, as well. My name is Derek Snyder. I also have Jerry Flores, one of our Channel account executives lurking around today, as well, and at the end today, if you guys do have further questions, just reach out to Abacus and let them know. We can set up further demos or answer more questions. We will have a few minutes for question and answer at the end. You can just type those into the question window or chat window and we'll try to answer a couple of those, and then any outstanding ones, we can send out answers to after we're done and post those.

I always like to just start with a couple headlines, and also it's a shameless plug for our Naked Security blog, run by Sophos. I promise it's safe to Google Naked Security. You'll come up to the Sophos blog. Of course, there's nothing going on in the news regarding ransomware lately? Wait, there is, yes. "WannaCry WannaCrypt, Wanna ..." We could probably make a whole lot of Wanna jokes, but it was very serious here in the last couple weeks, and unlike anything we had seen in the last 10 years or so.

We're going to go into a little bit about Wanna, but, really, this will be more an overview of how ransomware works, some history of ransomware, and talk about how you can better protect yourself against ransomware. Just a headline ... The Wanna variants attacked a lot of computers in a rapid amount of time across a lot of countries, utilizing a Microsoft networking protocol and a vulnerability that existed. There was a patch for that, back in around March, but, like many other exploits, there's sometimes good reason that we're not patched up.

It also took advantage of XP, as well, which, unfortunately, still people were using that, also. It spread like a worm, really, so a little more old school in how it spread. It didn't take user interaction to spread. It would look across a network for open ports and vulnerabilities and start spreading, so very interesting in how it did that.

The good news for us, at Sophos, is our CryptoGuard product, which is our last line of defense against ransomware, was able to stop the encryption. We block the encryption, restore those files back, so there's nothing for our users, that were protected by Sophos CryptoGuard, to do. Their files were protected and completely safe, and we'll talk more about how we do that.

Interesting headline, this one. This was a few months back. LA Valley College paid a huge ransomware sum, and we're starting to see higher values of ransom being requested and demanded. Typically they nickel and dime their selves to this billion dollar industry, because they want you to pay. You're more likely to pay a couple hundred dollars or a bitcoin or however much, versus something like $28,000. The point of this story that I always like to share, that stood out to me, was to remind people that if you do decide to pay the ransom, and sometimes, especially hospitals, colleges, a few other large organizations, they've made the decision to do that. If you do do that, it's not just a click of a button, "I've paid the money and now everything unlocks."

A very laborious task of sending ... A lot of man-hours involved in going to each file, one at a time, and unlocking or decrypting those files. Just keep that in mind and don't think, "You know what? I'll just throw caution into the wind and if it comes down to it I'll pay the ransom." That sounds great until you have thousands and thousands of files to unlock, one at a time. In the case of this college it was actually hundreds of thousands of files.

That's our weekly headline roundup there. If you're not familiar with Sophos, just a quick overview of Sophos and what we do and how we protect and where we play in the industry, security industry as a whole. Today we're going to be focusing on the endpoint protection, particularly ransomware and how we protect against these next generation threats, but we also play at that right-hand side in green, there. We do mobile device management and mobile protection, server protection, disk encryption and file encryption. If those files are very valuable to you, and you wouldn't want those in the wrong hands, we have a way of encrypting those transparently, so you can still work and share those files, but they're protected if they get in the wrong hands.

On the left hand, that orange side there, is more of our network protection. We have a next-generation firewall, wireless access points, email protection doing your spam and malware filtering in your email, and then also web gateway protection, so doing web filtering, web sandboxing, and some of that. We've taken all that together ... You notice it says "Synchronized security platform." We've put it all together and allow these components and features and products to share intelligence and take action on it. We'll talk more about that at the end, and a lot of flexible deployment options with the cloud being, really, the most popular way that most people are deploying these products now.

Let's talk a little bit about the evolution of threats and where we've come from and where we're at. Many of you are probably familiar with more of the viruses, worms, then we transition to spyware and Trojans. These are more the traditional malware. Interesting, as I noted, the Wanna variants really used more of a worm-like function to spread, which was pretty unique. We hadn't seen anything like that in quite a long time in the way it spread.

Then, we get into more advanced threats, remote access Trojans and exploits, and then into the advanced threats like ransomware. Locky is one of the variants you may have heard of, huge industry. You can see some of these numbers. We'll talk a little bit about the evolution of the protection for these threats, as well, as we go through this today.

What are some trends that we're seeing? We're seeing things moving from known to unknown. We used to really have a pretty good handle on known malware, and you could have a signature to protect against it, a very specific signature that would match. It was very easy to do. What we're seeing now is that 75% or more is really unique to the specific organization. Old way of doing things, signature matching alone, is not enough, and then we're seeing more targeted type attacks, again, unique to the organizations, targeted to those attacks. Not just to large organizations, too. If you're a smaller organization, don't think that you're immune. Some of the larger attacks that you've heard of, maybe, like Target, was a very well known breach.

That's because they had a third-party vendor that had access to credentials, access to systems, that they were able to get. Often they will use the small fish to get to the big fish. Really, nobody is immune, and we've seen this malware as a service really make it easier for criminals, for more criminals to get involved. You need to be as technical savvy as you used to be. Really, what they do is they exploit known vulnerabilities that they know people are not patched up against, which is what we see in this most recent attack. Again, an exploit, a vulnerability that had a known patch was exploited.

Sometimes we call it "Spray and pray." They just throw it out there, it gets known ... Again, known vulnerabilities, and they get enough back where people are not patched that it's worth it. Rather than searching for those zero-day attacks that are unknown in the industry, we actually don't see those used in the wild too much. You still want to have protection against those unknown threats, but we don't see those in the wild as much.

You see that stat, "Average time to fix vulnerabilities, 193 days." Again, patch early, patch often. We can't say that enough. No matter what protection you have, patch early, patch often. What are some of the top threats in the US? I've already referenced some of these, but regardless of the vector that they can get the threat in, or the payload, is typically ransomware today. That's the big one that we're seeing, is ransomware payloads. Whether it's through a phishing email with document malware, or whether it's through malvertising through an infected website, ultimately the payload is ransomware, and they're looking for money. Again, a very large industry, money-wise, and you see that successful attacker can earn up to $394,000 in a single month.

I'm sure some of us look at that number and think, "We might be on the wrong side of this industry." I think it's still better to be on the good side ... Quite a bit of risk in that 394,000. Just high-level anatomy of a ransomware attack ... What does it look like? What does it do? This gives you a good idea of what a ransomware attack looks like and what it does. First of all, you're infected. How do you get infected? Some of those ways that I just mentioned, through an exploit kit, through a phishing email with an infected document, it could be a known website dropping a file onto your machine, a dropper file that then delivers the payload.

Any number of ways like that for you to get infected, and then it's going to reach out to a command control server, and download the rest of the payload or, in ransomware's case, it will download a key for encryption, and then it will begin encrypting your files on your drives. It will look at the network drives, as well, that you have mapped, so if you have an E drive or F drive, whatever drive mapped to different file servers, it will look for those and start encrypting files there, as well. Then, they're going to demand their ransom, and I'll show you some screenshots of some of this.

Typically, they'll have a splash page and let you know how to pay your bitcoin to them, and then it will, basically, delete itself and you're left wondering what to do at that point. That's, kind of, high level of how ransomware attacks work.

Why does ransomware work? A few reasons why we think ransomware works. One is, not just the sophisticated techniques, and they're always innovating, like we saw in this past one, changing just enough where they can, maybe, get around some certain types of protection, but really, those exploits as a service that I mentioned, which I'll show you more of, make it very easy for people to deploy sophisticated attacks against you. Security holes at companies, which is what we discussed already, patching ... Often not patched, sometimes for good reason. Typically, every Tuesday, most of you are not running out and patching, maybe due to resources, personnel resources, or potential issues that come sometimes with patching.

Other things break, things like that, or work being impacted while you're patching. Oftentimes those holes are still there for a long period of time, and then not having real target protection, which is really what you need in the case of ransomware and advanced threats, is you really need specific, advanced protection, not just traditional antivirus, if you will, although there's a time and place for that, and it helps keep things off of your machines. You also need this advanced protection from these advanced threats, as well.

The final reason that it works, really, is because it's your data. That's precious data to your business or, even, at the home, on the home level. Those are precious photos that maybe got encrypted, or whatever that data might be, it's because it's your data that people are willing to pay. Exploits as a service, let's talk about how these are delivered, and we'll look at some different ways that these payloads get delivered in ransomware's case.

Exploits as a service is a very interesting diagram, I think. As you start at the bottom, with these orange guys down here, these are basically the criminals, could be criminal gangs and organizations, and they have an exploit kit admin. This is all just like a company. There's a hierarchy, there's positions and different places here where the money flows, which I find very interesting. It's a very sophisticated, sort of, coordinated, mature business model, is what it is, a mature economy in the case of ransomware.

They have these exploit kit admins that can distribute on the TOR network. Basically, if you think about the dark web, this is maybe what you could think of that there, and then exploit kit customers out to the left. They can purchase these exploit kits, very easy to do. You see it says, "Management panel." They get a very nice management panel, like any nice piece of software that you've ever seen. Same thing in these exploit as a service kits. You get a nice management panel, you can right click and deploy exploits just like that, like any very nice piece of software. That gets sent out, you have victims, payments come back into these distribution servers, and eventually everyone gets their piece of the pie money-wise, which is, again, very interesting and very sophisticated and coordinated, there.

What about malvertising? I don't if you guys have heard of malvertising. Malvertising's very interesting, in that it infects legitimate websites. It's not just going to, maybe, what you might consider some shady websites, or free software download websites, but rather it's going to some very big and well-known websites, and finding out later that they were infected. This is an example of how malvertising can work to infect you in milliseconds.

You go to your well-known site, whatever it might be,,, whatever it might be. There's an ad network on there. There's different spaces of ads, different sizes that you see, and based on those cookies that are saved, there's different demographics that they're looking for to fill within that ad network, and there's third parties that help aggregate all that information and then serve up specific ads to you in that little box on the pages that you see. A part of that third party, what they do is they have a real-time bidding service. It goes out for bid, "Hey, we have this little two by two square, and here's what it is." Again, this all happens in milliseconds, real-time bidding, like, milliseconds.

Guess who else gets to bid on that. That's right, this guy. This guy, sitting in whatever country or wherever he might be, he gets to bid on that space, as well, and guess what he does. He puts the ad in there. "Hey, you've won a free PayPal card, or gift card." It may be that. It might be a work from home ad, any number of different ads, and they're able to put these legitimate ads up there, but guess what. Those ads are also infected and programmed to take advantage of vulnerabilities. Often Flash, is an application that is often vulnerable on your machines and browsers. Then, you're infected, all within milliseconds. Pretty amazing how fast this happens. Again, these are the type of sites that have been infected with malvertising.

Not shady sites, some of the biggest well-known websites. How does document malware work? Document malware, really, one of the most common ways that we see ransomware coming into networks. Typically, via an email, and they have a lot of little tricks to get you to enable macros, essentially. These are real examples that our security labs have provided to us. You see a document like this, and you see that's all blurred out. What they've done is just inserted a blurry image, but they're trying to make you think that, "If I click that security warning up above, it's going to show me the image," and you can see. They'll have a message. "Document's been set to blur for security reasons. If you click the enable content above, you'll be able to view it properly." Click the content above, and guess what. Macros run, payloads get delivered, and you're going to have ransomware real quick.

This one's always a common one. We've all seen the red X's and we've right clicked and said, "Display images," things like that. Same thing. They want you to enable the macros above. They say same thing, "Enable macros above." This is one of my favorites. They just put text on there. Again, this was real from our security labs. Guess what. Just curiosity gets the best of people. If you just see that, at some point, there's enough people that are going to say, "You know what? I'm going to go ahead and click options above and enable the content."

Some specific examples of ransomware and how they've worked. Odin was a very popular variant, also a variant of Locky, which you've probably heard of. They just morph into new variants. Sometimes they're lazy, too. They'll utilize the same code. We'll see a variant like Odin that references like Locky in different points of the code. The way Odin worked, you'd get an email ... Again, a phishing email. "Your order has been processed," or, in this case, "Proceeded." You notice the bad grammar, sometimes, although that's not always the case now. They're getting very good at these emails to where they look very legitimate, often very hard to decipher.

In this case, you get an order that's been processed, and you're thinking, "I didn't order anything. Let me open this and see what it is." You open this file, and when you open that, you're going to find a couple files. The one thing that you'll find is a cancellation form, a cancellation form. If you didn't order this and you received the email, what would you do. You'd probably go ahead and click on the cancellation form. "I want to make sure whatever this is is canceled."

The other interesting thing is, when you actually look at these files that were in the zip file, Windows by default is not going to show you the extension, so you wouldn't notice that it was a .js Javascript program and not a document. They'll use different icons to make you think it's some sort of text document. In this case, you click the cancellation form, the Javascript runs, and again, payload is delivered.

They're going to give you your instructions for payment. This is an example. It'll open in Windows Explorer. It'll pop open one of these files and show you how to pay. They give you all the details. They mention some education on encryption. They let you know how that works. They'll also set your desktop background to something like this, in Odin's case. Again, very good customer service from these guys. They want to make sure you know how to pay and get your files back. The other thing, with good customer service, is if they want you to pay and they want to decrypt so that you'll tell your friends, "You know what? I paid, and yes, they gave me my files back."

This is an example of one of the Wanna variant's pages. Again, these things are always evolving. In this case, you'll notice on the left, the payment would be raised with a timer clicking down. We have files that would be lost. It'll let you know when those would be lost, and then, again, letting you know how to pay. Pretty scary stuff, if you have this in your business, and critical files.

Ransomware evolving, again, it is always evolving. They're always doing different sort of tricks. This is one of my favorite little pieces of code from Locky. A couple interesting things in here is the affiliate ID. That first one you see, affiliated ID. Affiliate ID is, basically, you think of network marketing. If you have an affiliate ID, and as that piece of code goes out, different people running or getting infected with this ransomware, they're basically in your network, in your marketing network. You get paid a piece of that because it's your affiliate ID as it goes out. The other real interesting one is the "Avoid Russian flag." When they see Russian language, don't encrypt. Apparently, when you do a crime in Russia, you don't attack people in Russia, or somebody knocks at your door pretty quickly. I always find that one interesting, as well. These things continue to evolve, different file extension that they attack.

In this case, they also started to exclude some extensions, which was interesting. Why would they exclude some extensions and not encrypt them? A few different reasons ... You see some system files were excluded because they need the system to run, but also, you see in the middle there ... You'll see iconcash.db, thumbs.db, they want you to be able to see ... What those are, those are like those preview icons that you would see next to ... Let's just, for example, say it was a photo or a document. You're able to see what was actually encrypted, that little preview. If you couldn't see it, guess what. You're not really sure what it is. When you can see that that's precious data to your company or if it's a home user, that's your precious photo of your children first steps, whatever it might be, you're able to see pieces of it, kind of, tugs at your heart strings and you know what it is that you want to save, you're much more apt to pay.

I find that kind of interesting, too, is they just continue to evolve in the different ways that they get you to pay. How do we protect against these sort of things? We've seen the evolution of security. We talked a little bit about it early on. With known malware, we were able to fairly easily match signatures. Known malware matches, block it. At Sophos, we try to cover all of these. That's really our definition of next generation end point protection, is, you, kind of, need everything, as far as exposure prevention, all the way to the advanced behavioral analytics to protect you. Exposure prevention's very easy to do, low resources, and it keeps things off your machine, bad stuff. You want to filter bad websites and malware that could be hosted on good websites. Block that stuff right away. Put some controls around USB devices that people plug in. Make sure those things are safe, and then looking at some of the pre-execution analytics and doing the file scanning.

File scanning, nowadays, has gone beyond just signature-based matching, but we're able to go deeper and look at genotypes and variants of existing threats, and determine, "Pieces of this matches enough that we're confident this is a variant of an existing threat," and run snippets of code before it runs and determine, again, "This looks like something else that we've seen, a variant of it. Go ahead and block it."

Getting into the advanced threats, you really need runtime behavior analytics and identifying techniques that are being used. In ransomware's case, what are the exploits that they're utilizing, the techniques, and how are they doing that to deliver the payload, and let's stop it. Then, we have Intercept X, which I'll talk about in a moment, which helps protect, specifically, against the ransomware. How do we intercept these next generation threats?

As I mentioned, we really look at it as a complete next generation end point protection, as comprehensive coverage, is what you need. You need the pre-execution, the post-execution. We've also recently added machine learning, is coming to our products. We acquired one of the Gartner visionaries named Invincia, so we're going to be adding machine learning, as well, to our endpoint protection, so we really have that comprehensive coverage. Keep bad things off the machine, stop the bad stuff when it runs, and then, finally, clean it up at the end.

Intercept X, what is it? Intercept X is our protection against ransomware and exploits and advanced threats. Specifically, in ransomware's case, what we do ... That last line of defense, and just like we saw with the Wanna variants, when it starts encrypting, we're able to make a just-in-time backup and then restore those files. We'll talk about here in the next couple minutes, and then I'll show you a really cool live demo in a virtual environment here, where I'll launch some variants and show you how we roll it back.

We have anti-exploit prevention in here. Some of these different memory-resident attacks ... How do you protect yourself if you're not patched up with some of these memory-resident attacks? Again, looking at the techniques that are being used without needing to know the specific signature or all the hundreds of thousands of pieces of malware, specifically, but looking at the techniques.

Finally, root-cause analysis, providing you, really, forensic-level detail of an attack after it happened, where it went, what it did, files it touched, everything like that. How does that intercept ransomware work? Intercept X ... CryptoGuard is what we call the technology. Again, we're monitoring the file access. These are files that ransomware would typically be attacking, and you would see this rapid encryption. We make a just-in-time backup copy, we investigate the process, and then once we determine that process is malicious, we go ahead and restore it or roll it back, if you will.

What we're doing is restoring the pre-encrypted file, and then we send all that information up for you, the administrative alert, so you know that it happened, and give you that visibility into the attack, but really, at that point, you're protected, just like we saw with the Wanna variants. Pretty interesting and unique, really a differentiator for us when it comes to protecting against ransomware.

These are examples of the memory-resident Intercept X exploits that we protect against. Again, completely signature-less, these are the techniques ... Heap sprays, and looking at some of the return-oriented program attacks, DOL hijacking, some of those type of attacks that you may have heard about ... Stack pivots, buffer overflows and some of those sort of things that we protect against.

The root-cause analytics, as I mentioned, showing you the forensics, and the important piece to you, without having a huge staff of people digging through logs for a long time or looking through, maybe, a sim, but being able to bring all this to the surface for you very quickly, in a way that you can understand. What happened? Where did it happen? When did it happen? How did it happen, and being able to find, quickly, the machine, the user, any files that were touched, network calls, and bringing that, again, up, very easy for you to find and see.

Sophos Clean, I mentioned, a very important piece, there, is the remediation and the cleanup. There are a number of next-generation type tools and protections that you may hear from other vendors. One thing you definitely want to ask, always, too, is what sort of remediation and cleanup do they offer? What we found is, many of those don't even do any cleanup. It's really just telling you, "Hey, we saw something over here. Now, go figure out what to do." At Sophos we have a deep cleaning product called Sophos Clean. It's a forensic cleanup, so it's not signature-based. We don't have to have known about the specific threat to go clean it up, but rather, we do a scan that happens very quickly, this deep system scan, to remove any remnants that we see.

You can schedule this. It will run automatically, when we find some advanced threats, as well. You can also take this around individually on a USB stick and run it on different machines if you wanted to trial it out or test it and clean up some machines that way.

Finally, we've taken all that that I mentioned, that next generation protection, and I talked about, we have a firewall, as well, and what we've done is this synchronized security platform, to provide even more protection for you. Allowing those to connect with a heartbeat, but not just to connect for the sake of connecting, but connecting in order to provide some automated response for you. The firewall can say, "You know what? That endpoint was not healthy. That health status ... Something's going on on that laptop, let's go ahead and prevent it from going out to the internet or the WAN, or prevent it from going to my file server zone," or, if it's encryption's case, remove those keys until we know it's clean, in case any data's exfiltrated, it's still encrypted and protected. Providing all that, again, instant insight into what's happened with an attack.

Finally, you can find a lot more information out here. As I close, it's going to be just a few minutes. I'm going to go pop over and show you a live demo of this Intercept X, but I did want you to know, if you visit, you'll find all kinds of resources. Not just the Wanna variants, but recommended resources like this and checklists on best practices on ransomware, as well. Let me jump right over here to my virtual machine.

The first thing I'm going to show you ... I'm going to show you three samples. We have a Sophos tester tool, built in-house, allows me to exploit Chrome, run some different variants of ransomware. Of course, these are our sanitized versions. They're not going to actually call out and infect. I like to use TorrentLocker, and the real reason, it renames files with a .encrypted extension which makes for a very nice visual. In this case, I'm going to show you how the tool works and what it looks like when it encrypts some files. I'm going to show you on an unprotected machine with no Sophos protection on it. You'll see these files here. We have, "Quick brown fox jumps over lazy dog," I execute the tool, and then you'll see those files encrypt.

Now, those files are encrypted. The next piece that I'll show you is I'm going to attack from this unprotected machine, something that could happen in your environment in some way. It could be a guest, it could be some rogue machine, or some unprotected machine, and attacking to a protected machine. In this case, I'll attack over to this Windows 10 machine. Again, we have some test files here, Word document, and you'll see, "Quick brown fox." What I'm going to do ... I'm going to go back to that machine, that unprotected machine, I'll launch the attack, I'll quickly flip over to this machine ... Again, doing it remote also slows it down just enough so there's something for you to see, otherwise there'd actually be nothing to see because it happens in milliseconds.

You'll see these actually go to .encrypted, we'll stop the ransomware, and you'll see those rollback. You'll see the whole process, so don't look away. I'll point that over to my Windows 10 ... We're in shared drive that's mapped. The ransomware will look for these mapped drives. I'll hit execute, I'll get back over there. I was a little slow there. It already went to .encrypted. This is the point where we investigate the process, and we try to determine, is this malicious encryption or not? Once we determine it's malicious encryption, we go ahead and restore those files. You'll see ransomware attack from 200.250 blocked, and those files just got restored to their pre-encrypted state.

That all happened automatically. Again, milliseconds, really. In this case, it's just slightly longer because it's remote attack. You can see, you can read those files, no problem. Very unique in how we do that. The last thing I'll show you here ... Again, very common document malware, as we talked about throughout the presentation. I get an email, like this. "Hey, Derek, after the webinar today, what do you say we go win the lottery?" Of course. From my friend Jerry ... I don't put anyone's last names on here. I don't want to incriminate anyone, but I open up the lotto.doc, just like any of our end users would do.

What do I find? I find in here, again, some of those tricks. "Press the enable content above to predict next week's lotto numbers." I'd love to win the lotto, and we won't be on these webinars next week, because we're all about to win. We're going to click this enable content above, print this out, and we're good to go. Your end user clicks that. "Uh oh, ransomware blocked. What happened here?" You see, "Error calculating lotto numbers. Try again next week." You'll see our Sophos Clean Scan just kicked off and is running automatically, that deep forensic cleaning. At this point, the end user does what they ... They might forward this to 10 other cubicle mates or coworkers and say, "Hey I couldn't open this. Can you open it?" They might slam their laptop shut and go to lunch and pretend like nothing happened.

Of course, the administrators would get the alerts, and that's where you might be able to use something like our root-cause analytics, something to that effect. I'll just give you a peek into what the console looks like live, just so you can see, as it logs in here to Sophos Central. You get various alerts on your dashboard. You could come into the root-cause analytics. I have that similar attack in progress here. You can bring it up, find what happened, who was logged in, what process, some incident response management. You can add comments, and then take a look at that visualization that I mentioned. Drag and drop things around ... You can click on these to get more information. You can see the files that it encrypted, sophostester.exe, all the way back to the root cause being outlook.exe. You see winword.exe, you know they opened an attachment, and of course, macro that we called, then ultimately the tester.exe, writing to those files and trying to encrypt them.

You can see some of that information as we click around in there. That's really the overview of the entire Intercept X. Hopefully you learned something about ransomware today, and how to better protect yourself. We'll take a few questions. Again, if you have any questions when we're done today, outstanding. If you'd like to get a more in-depth demonstration, go ahead and talk to Abacus, and we can set that up for you and do a whole demonstration of our console and platform.

Q & A

Can Intercept X run as standalone?

Yes.  It could run by itself against, or right next to, any sort of traditional anti-virus, endpoint protection that you might have, providing that ransomware protection for you, or it also can run as part of our entire suite. That includes our exposure prevention and all that that I talked about, as well, as one end point. It's very flexible. It can run by itself or it can run as a total package with the rest of our products.

Does CryptoGuard use volume shadow copy?

CryptoGuard does not use the Microsoft volume shadow copy. Many variants of ransomware will attack that or delete those, blow those out, so we use our own proprietary shadow copy, if you will, and our own little safe store. Good question.

Is this program compatible with Amicus?

Yes, Sophos is compatible with Amicus Attorney.

Want more Free Training Friday? Register for upcoming webinars here