The Day We Infected Ourselves with Ransomware
35
RANSOMWARE 5/24/2017
-
Upload
godfrey-nolan -
Category
Technology
-
view
142 -
download
0
Transcript of The Day We Infected Ourselves with Ransomware
RANSOMWARE
5/24/2017
Who We AreRIIS is a boutique IT firm focused on joining business
and technology through Custom Mobile , Software
Development and Premium IT Professional Services
Mobile Apps Web Dev Professional Services Security Audits User Experience
Our Specialties
Agenda
• Wanna Cry
• What is Ransomware?
• Different Flavors
• Test Lab Setup
• Fixes
• Preparation Plan
• Call to Action
Wanna Cry
Wanna Cry
Ransomware
News
Trust but VerifyDon’t believe the HypeHard to decipher the signal from the noise
What is Ransomware
Deployment
What is
Ransomware
• Deployment
What is Ransomware
Installation
What is
Ransomware
• Installation
What is Ransomware
Command and Control
What is Ransomware
Destruction
What is Ransomware
Extortion
What is Ransomware
Targets
• Hospitals
• Fortune 500
• Universities and Schools
• Police Stations
• Religious Organizations
What is Ransomware
Flavors
• Locky
• Cryptowall
• CryptXXX
• Jigsaw
• TeslaCrypt
• Petra
• Win32Dircrypt
What is
Ransomware
• Ransomware as a service
Test Lab
Setup
• Wipe machines
• Install fresh copy of Windows 7
• Use dedicated wifi hotspot of test phone
• Download Ransomware from the Zoo
• https://github.com/ytisf/theZoo
• Choose your flavor and install
Test Lab
Setup
Test Lab
Warning
Do not do this on a machine you ever want
to use again. Make sure it is not connected
to your company wifi.
Test Lab
Fixes
Jigsaw
Fixes
Jigsaw
Fixes
Jigsaw
Fixes
TeslaCrypt
Fixes
TeslaCrypt
Fixes
TeslaCrypt
Ransomware Prep Plan
• Backup your data and keep a copy offsite.
• Disconnect from all cloud backup services such as Dropbox.
• Use Antivirus, Firewalls and Email scanners.
• Update your OS when a new patch appears.
• Use Microsoft’s shadow drives (VSS) or Mac’s Time Machine.
• Uninstall Flash.
• Remove or restrict Admin access.
• Disconnect any shared drives.
• Train your staff, send them test phishing emails
• Use a test lab and see if you can recover from a simulated attack.
• Sign up for a Bitcoin account in case you need to pay!
Prep Plan
• Test Phishing Emails
Ransomware Potential Breakpoints
The ransomware must execute and unpack itself and then collect system information.
The ransomware has to change registry settings to maintain persistence.
More advanced ransomware disables system restore and deletes everything in the Volume Shadow Copy (VSC).
Most, but not all, ransomware has to call out to command-and-control infrastructure to get a public key that will be used to encrypt the files.
The ransomware now has to enumerate the files.
It then begins to read and encrypt the files.
If each encrypted file is written to a new file, the original files must be deleted.
Finally, the encryption key is removed from the local machine and sent back to the controller.
Bitcoin
Resources
http://riis.com/blog
https://www.knowbe4.com/phishing-security-test-offer
https://github.com/ytisf/theZoo
https://www.bleepingcomputer.com/download/jigsaw-decrypter/dl/321/
http://www.talosintelligence.com/teslacrypt_tool/
https://noransom.kaspersky.com/
https://www.ghacks.net/2016/03/30/anti-ransomware-overview/
Call(s) to Action
• Set up a Test Lab
• Run a Ransomware drill
Mobile App Partners
Contact us!
riis.com
248.351.1200
1250 Stephenson Hwy, Troy, MI 48083
