AntiRansomware Tools Thoroughly Tested Part 1

14
Information Security Inc. AntiRansomware Tools Thoroughly Tested Part 1

Transcript of AntiRansomware Tools Thoroughly Tested Part 1

Page 1: AntiRansomware Tools Thoroughly Tested Part 1

Information Security Inc.

AntiRansomware Tools

Thoroughly Tested Part 1

Page 2: AntiRansomware Tools Thoroughly Tested Part 1

Information Security Confidential - Partner Use Only

Contents

2

• What is Ransomware?

• Rise of Ransomware

• Ransomware Testing Environment

• Cybereason RansomFree

• References

Page 3: AntiRansomware Tools Thoroughly Tested Part 1

Information Security Confidential - Partner Use Only

What is Ransomware?

3

• Ransomware is a type of malicious software from cryptovirology

that threatens to publish the victim's data or perpetually block

access to it unless a ransom is paid

• Ransomware is malicious code that is used by cybercriminals to

launch data kidnapping and lockscreen attacks

• The motive for ransomware attacks is monetary

Page 4: AntiRansomware Tools Thoroughly Tested Part 1

Information Security Confidential - Partner Use Only

Rise of Ransomware

4

Page 5: AntiRansomware Tools Thoroughly Tested Part 1

Information Security Confidential - Partner Use Only

Ransomware Testing Envinronment

5

• Victim machine: Windows 7 Ultimate SP1 x64

• Ransomware: Zepto ransomware (https://www.tripwire.com/state-

of-security/latest-security-news/the-newest-online-threat-zepto-

ransomware/)

https://www.tripwire.com/state-of-security/latest-security-news/the-newest-online-threat-zepto-ransomware/
Page 6: AntiRansomware Tools Thoroughly Tested Part 1

Information Security Confidential - Partner Use Only

Cybereason RansomFree

6

• Download link: https://ransomfree.cybereason.com/download/

• How does RansomFree work?

https://ransomfree.cybereason.com/download/
Page 7: AntiRansomware Tools Thoroughly Tested Part 1

Information Security Confidential - Partner Use Only

Cybereason RansomFree

7

• How does RansomFree work?

◎ CybereasonRans uses !NtCreateFile function (https://goo.gl/dNd3Hx) to create bait

folders and files in mutiple locations◎ Creating bait folders

https://goo.gl/dNd3Hx
Page 8: AntiRansomware Tools Thoroughly Tested Part 1

Information Security Confidential - Partner Use Only

Cybereason RansomFree

8

• How does RansomFree work?

◎ CybereasonRans uses !NtCreateFile function (https://goo.gl/dNd3Hx) to create bait

folders and files in multiple locations◎ Creating bait files inside the folders

https://goo.gl/dNd3Hx
Page 9: AntiRansomware Tools Thoroughly Tested Part 1

Information Security Confidential - Partner Use Only

Cybereason RansomFree

9

• How does RansomFree work? When detecting suspecting behavior kill the process

Page 10: AntiRansomware Tools Thoroughly Tested Part 1

Information Security Confidential - Partner Use Only

Cybereason RansomFree

10

• How does RansomFree work?

◎ Ransomware is adding .zepto extension to bait files using NtSetInformationFile function

(https://goo.gl/3V1UMv)

Page 11: AntiRansomware Tools Thoroughly Tested Part 1

Information Security Confidential - Partner Use Only

Cybereason RansomFree

11

• How does RansomFree work?

◎ RansomFree kills ransomware’s threads and the parent process and loads a new

image of itself starting a new process with ID 244

Page 12: AntiRansomware Tools Thoroughly Tested Part 1

Information Security Confidential - Partner Use Only

Cybereason RansomFree

12

• How does RansomFree work?

◎ Thread stack before exiting

◎ BaseThreadInitThunk function (https://goo.gl/rm79Bd) calls the thread start address. If

the thread returns it will terminate the thread and delete it’s stack

Page 13: AntiRansomware Tools Thoroughly Tested Part 1

Information Security Confidential - Partner Use Only

Cybereason RansomFree

13

• How does RansomFree work?

◎ RansomFree deletes files generated by ransomware

Page 14: AntiRansomware Tools Thoroughly Tested Part 1

Information Security Confidential - Partner Use Only

References

14

• Wikipedia

https://en.wikipedia.org/wiki/Ransomware

• Knowbe

https://www.knowbe4.com/ransomware

• Heimdal security

https://heimdalsecurity.com/blog/what-is-ransomware-protection


60 HZ MODEL PR-5400...Apr 24, 2019  · PR-5400 All generator sets are USA prototype built and thoroughly tested. Production models are USA factory built and 100% load tested. UL1446,

60 HZ MODEL PR-5400...Apr 24, 2019  · PR-5400 All generator sets are USA prototype built and thoroughly tested. Production models are USA factory built and 100% load tested. UL1446,

A Choice Collection Tested Rece Pts - Forgotten Books R E F A C E. In publishing this book the compiler has endeav ‘ored to give only a few choice, thoroughly tested receipts in

A Choice Collection Tested Rece Pts - Forgotten Books R E F A C E. In publishing this book the compiler has endeav ‘ored to give only a few choice, thoroughly tested receipts in

Proposal & Business Plan - brighousebid.co.uk · This proposal and business plan has been thoroughly researched and tested in recent months with an extensive programme of surveys,

Proposal & Business Plan - brighousebid.co.uk · This proposal and business plan has been thoroughly researched and tested in recent months with an extensive programme of surveys,

INSTRUCTION MANUAL - Hobbicomanuals.hobbico.com/flz/flza4010-manual.pdf3 We, as the kit manufacturer, provide you with a top quality, thoroughly tested kit and instructions, but ultimately

INSTRUCTION MANUAL - Hobbicomanuals.hobbico.com/flz/flza4010-manual.pdf3 We, as the kit manufacturer, provide you with a top quality, thoroughly tested kit and instructions, but ultimately

The Grange School - Tried and Tested Internet Tools for Teachers

The Grange School - Tried and Tested Internet Tools for Teachers

Getting Started with EasyBuildkehoste/EasyBuild_HPCAC_start...2016/03/23  · requires a limited amount of knowledge of Git/GitHub contributions are reviewed & thoroughly tested prior

Getting Started with EasyBuildkehoste/EasyBuild_HPCAC_start...2016/03/23  · requires a limited amount of knowledge of Git/GitHub contributions are reviewed & thoroughly tested prior

SKELETON AND CAULKING GUNS Resin Gun · All concept applicator guns are thoroughly mechanically tested and CE rated. Thrust ratios are market leading and the tools are manufactured

SKELETON AND CAULKING GUNS Resin Gun · All concept applicator guns are thoroughly mechanically tested and CE rated. Thrust ratios are market leading and the tools are manufactured

SpO2 Functional Tester - Flukeassets.fluke.com/manuals/spotlighumeng0000.pdf · Certification This instrument was thoroughly tested and inspected. It was found to meet Fluke Biomedical’s

SpO2 Functional Tester - Flukeassets.fluke.com/manuals/spotlighumeng0000.pdf · Certification This instrument was thoroughly tested and inspected. It was found to meet Fluke Biomedical’s

VT8000 Room Controllers - Viconics · • Each implementation of equipment utilizing communication links must be individually and thoroughly tested for proper operation ... period

VT8000 Room Controllers - Viconics · • Each implementation of equipment utilizing communication links must be individually and thoroughly tested for proper operation ... period

InstallatIon • operatIon • MaIntenance · This Alto-Shaam appliance has been thoroughly tested and inspected to ensure only the highest quality unit is provided. Upon receipt,

InstallatIon • operatIon • MaIntenance · This Alto-Shaam appliance has been thoroughly tested and inspected to ensure only the highest quality unit is provided. Upon receipt,

Aeroquip Bleed Air Ducting Componentspub/@eaton/...Mock-ups are provided to ensure proper installation, and prototype components are thoroughly tested and evaluated to substantiate

Aeroquip Bleed Air Ducting Componentspub/@eaton/...Mock-ups are provided to ensure proper installation, and prototype components are thoroughly tested and evaluated to substantiate

Gerhardt Extraction - gsi-lab.comgsi-lab.com/wp-content/uploads/2016/10/Gerhardt-Extraction-System.pdf · tested thoroughly in the Gerhardt application lab. The glass extraction beakers

Gerhardt Extraction - gsi-lab.comgsi-lab.com/wp-content/uploads/2016/10/Gerhardt-Extraction-System.pdf · tested thoroughly in the Gerhardt application lab. The glass extraction beakers

EMPLOYEE ACCIDENT INVESTIGATION FOR SUPERVISORS. TRAINING OBJECTIVE To provide supervisors information and tools to investigate employee accidents thoroughly.

EMPLOYEE ACCIDENT INVESTIGATION FOR SUPERVISORS. TRAINING OBJECTIVE To provide supervisors information and tools to investigate employee accidents thoroughly.

BZ Series - Germfree · Your BZ Series Hood has been thoroughly tested. The HEPA filter was integrity tested by the filter manufacturer and again at our factory before it was shipped

BZ Series - Germfree · Your BZ Series Hood has been thoroughly tested. The HEPA filter was integrity tested by the filter manufacturer and again at our factory before it was shipped

N28 N48 UM V2.8 EN 20120301v2 2.01.05static.highspeedbackbone.net/pdf/Thecus N2800_N4800 SMB...are thoroughly tested before they leave the factory and should function normally under

N28 N48 UM V2.8 EN 20120301v2 2.01.05static.highspeedbackbone.net/pdf/Thecus N2800_N4800 SMB...are thoroughly tested before they leave the factory and should function normally under

MODEL PAD128 USER MANUAL - accesio.comaccesio.com/MANUALS/PAD128.pdf · Page iv Warranty Prior to shipment, ACCES equipment is thoroughly inspected and tested to applicable specifications.

MODEL PAD128 USER MANUAL - accesio.comaccesio.com/MANUALS/PAD128.pdf · Page iv Warranty Prior to shipment, ACCES equipment is thoroughly inspected and tested to applicable specifications.

Appendix A List of Commercial or Field tested Tools and ...978-1-4613-1065-5/1.pdf · Appendix A List of Commercial or Field tested Tools and Systems This appendix lists commercial

Appendix A List of Commercial or Field tested Tools and ...978-1-4613-1065-5/1.pdf · Appendix A List of Commercial or Field tested Tools and Systems This appendix lists commercial

Incubators - SRICO · Incubators DAIHAN Scientific ... All the units supplied by DAIHAN Scientific are thoroughly tested, using 12 temperature sensors and the latest instruments to

Incubators - SRICO · Incubators DAIHAN Scientific ... All the units supplied by DAIHAN Scientific are thoroughly tested, using 12 temperature sensors and the latest instruments to

21st Century Knowledge · protecting inventions that are expensive to develop (such as thoroughly tested pharmaceuticals) 3. Intellectual property can provide resources for activities

21st Century Knowledge · protecting inventions that are expensive to develop (such as thoroughly tested pharmaceuticals) 3. Intellectual property can provide resources for activities

Instruction Manual for Plan for a Gradual Return to NormalcyUse single-use tools as much as possible, such as nail care tools and others. Thoroughly disinfect tools after each person.

Instruction Manual for Plan for a Gradual Return to NormalcyUse single-use tools as much as possible, such as nail care tools and others. Thoroughly disinfect tools after each person.