Ransomware - Prepare: Have a Plan

Transcript
Page 1: Ransomware - Prepare: Have a Plan

Ransomware – Prepare: Have a Plan

Jim Olmstead

Incident Response Consultant

Page 2: Ransomware - Prepare: Have a Plan

Ransomware

• It is Prevalent

• It is Profitable

• If you Pay the ransom, you provide incentive for the Bad Actors to continue

• Let’s break the cycle

• Prepare now


Page 3: Ransomware - Prepare: Have a Plan

Threat Vectors

• Delivery methods of ransomware

  • Email (mass spam and possible targeted spam)

    • Locky, TeslaCrypt, …

    • Exploits weaknesses in your security

    • Launched by employees eager to “click” on email

  • Hack and Attack

    • Samsa, Samas (aka samsam.exe and other variant names)

    • Secure:

      » Computers on your network and under your control (Password & Kerberos Reset)

      » 3rd-party vendor or unmanaged systems on your network

      » Review computers placed in your DMZ and their connectivity back to your network


Page 4: Ransomware - Prepare: Have a Plan

Response: Initial

• If infected, immediately detach the system from your network

  • Physically disconnect the system, or use a Host Intrusion Protection System (HIPS) to

    • Automate the response if a detection occurs, or

    • Manually isolate

• Ensure your Anti-Virus is up-to-date with signatures

  • Schedule FULL (daily) scans of workstations and servers

  • Any excluded systems or portions of systems MUST be scanned

  • Schedule additional (daily) targeted scans

• Remediate the system or wipe it clean?

• Have you done enough to prepare?


Page 5: Ransomware - Prepare: Have a Plan

Response: Be Proactive - Prepare

• BACKUP your data to an offsite location or detach your backup storage

• Block or reduce access to Open and Mapped Shares

• Update, Upgrade, and patch your Operating System (OS)

• Use Whitelisting / Application Control

• Block and Filter email & attachments

• Remove or reduce Remote Desktop (RDP) use

• Educate your end-users (to be suspicious of email and attachments)

• Run up-to-date Anti-virus protection & signatures (use extra.dat files)
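A local preparedness check for the items above that can be verified on a single Windows host (an added example, not code from the deck or from Intel Security; it assumes the SmbShare module, an elevated PowerShell session, and a 30-day patch-age threshold that is my assumption rather than a figure from the slides):

```powershell
# Added example (not from the deck): audits a Windows host against the
# "Be Proactive - Prepare" items that can be checked locally. Assumes the
# SmbShare module (Windows 8 / Server 2012 or later) and an elevated prompt.
# The MaxPatchAgeDays threshold is an assumption, not a value from the slides.
param([int]$MaxPatchAgeDays = 30)

$findings = @()

# Open shares: non-administrative shares that grant Everyone or
# Authenticated Users write access are the ones ransomware encrypts across.
$wideGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users')
foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    $acl = Get-SmbShareAccess -Name $share.Name
    $writeable = $acl | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -in @('Full', 'Change') -and
        $_.AccountName -in $wideGroups
    }
    if ($writeable) {
        $findings += "Share '$($share.Name)' ($($share.Path)) is writeable by: " +
                     (($writeable.AccountName | Sort-Object -Unique) -join ', ')
    }
}

# Mapped shares: every persistent mapping is a path an infected user can encrypt.
foreach ($map in Get-SmbMapping) {
    $findings += "Mapped drive $($map.LocalPath) -> $($map.RemotePath)"
}

# RDP: fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                        -Name fDenyTSConnections
if ($rdp.fDenyTSConnections -eq 0) {
    $findings += 'Remote Desktop is enabled; remove or restrict it if not required'
}

# Patch level: report when the newest installed update is older than the threshold.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings += "No OS update installed in the last $MaxPatchAgeDays days" +
                 $(if ($latest) { " (latest: $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString()))" })
}

if ($findings.Count -eq 0) { 'No findings for the checked items.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Backups, email filtering and application control are not checked here because they live on other systems; the script only reports, it changes nothing.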


Page 6: Ransomware - Prepare: Have a Plan

Be Ready - Prepare Now

• Incidents are going to happen

• Incidents are part of doing business

• Need for an endpoint solution & other security products

• Have a Plan before you have the Need to Respond


Page 7: Ransomware - Prepare: Have a Plan

The RansomWare Landscape

@ChristiaanBeek

Page 8: Ransomware - Prepare: Have a Plan

[Chart: share of ransomware families; families shown: TeslaCrypt, CryptoWall, Crysis, Locky, Reveton, CryptoFortress, Criakl, Tobfy, CTB-Locker, LockScreen, CrypTear, Samas, Other]

RansomWare Statistics Q1 - 2016

[Chart: monthly counts for Jan, Feb, Mar; bar labels as extracted: 272,712; 240,767; 674,778]

Page 9: Ransomware - Prepare: Have a Plan


“In Q1 2016, TeslaCrypt hit many European countries, where Turkey was hit the most according to our statistics.”

Page 10: Ransomware - Prepare: Have a Plan

Countries hit by RansomWare


Page 11: Ransomware - Prepare: Have a Plan


“Where we started with around 10 families in Jan 2016, currently we are tracking 57+ different ransomware families.”

Page 12: Ransomware - Prepare: Have a Plan

Observations Q1

- Ransomware as a Service increased massively

- Source-code for ransomware publicly available

- Targeted ransomware campaign on mostly Healthcare industry

- Ransomware encrypting Master-Boot-Record

- Apple users hit with Ransomware

- Ransomware going after web-content management systems


Page 13: Ransomware - Prepare: Have a Plan

#who's behind ransomware?

Wannabee | Affiliate | Organized Crime

Page 14: Ransomware - Prepare: Have a Plan

Wannabee

Page 15: Ransomware - Prepare: Have a Plan

Wannabee

Page 16: Ransomware - Prepare: Have a Plan

Affiliate

Page 17: Ransomware - Prepare: Have a Plan

Ransomware as a Service

[Diagram: RaaS roles: Botnet Affiliate/Service Provider, RaaS Operator, Cash Management]

Page 18: Ransomware - Prepare: Have a Plan

Organized Crime

Experienced group

Involved in multiple (ransomware) campaigns

Fast response times

Server image for fast deployment

Cautious in affiliate program

Track news and forums around their ‘product’ and adjust

Page 19: Ransomware - Prepare: Have a Plan

Profitable business?

Page 20: Ransomware - Prepare: Have a Plan

SamSa example

• 45.00 BTC

• 40.00 BTC

• 21.94 BTC

• 22.00 BTC

• 22.00 BTC

• 40.00 BTC

$100,000.00 so far…

Page 21: Ransomware - Prepare: Have a Plan

What is Intel Security doing about it?

Page 22: Ransomware - Prepare: Have a Plan

Ransomware Kill-chain

[Diagram: four stages, left to right]

• Delivery Infrastructure: Phishing (URL, Attachment), Exploit Kits (URLs)

• Infection: Victim infected; Proxy servers (Proxy URL 1, Proxy URL 2, … Proxy URL X) in front of Distribution servers

• Back end Infrastructure

• Payment Infra: Btc wallet1, Btc wallet2, Btc wallet3, many transactions, Final Wallets

Page 23: Ransomware - Prepare: Have a Plan

What is Intel Security doing about it?

Ransomware

• Focused group on ransomware

• Participate in investigations and operations with Law Enforcement and other Vendors

• Innovating new technology


Page 24: Ransomware - Prepare: Have a Plan

What can we expect next?

Compared to 2015, we have already seen a few new directions, such as targeted ransomware and encryption of full systems.

We expect that embedded devices, more targeted attacks on certain industries, and attacks on related business applications will increase in 2016 and beyond.


Page 25: Ransomware - Prepare: Have a Plan

There is Hope!!

- Petya (boot-disk encryption)

- Teslacrypt (older versions)

- TorrentLocker

- Jigsaw ransomware

- Linux.Encoder

- Double-DMA


Page 26: Ransomware - Prepare: Have a Plan

Ransomware Recommendations

Josh Thurston

Security Strategist – Office of the CTO

Page 27: Ransomware - Prepare: Have a Plan

Threat Defense Lifecycle

• Avoid Risk: Filter run-rate threats and protect data to reduce exploitable surface area and operational burden

• Mitigate Risk: Optimize decision making, compress mean time to resolution, minimize impact

• Reduce Risk: Isolate signal from noise for rapid, hi-fidelity risk comprehension and response prioritization

Applied integration, automation, and orchestration driving a defense lifecycle:

• Disrupt in-bound attacks

• Control data access

• Automate defensive workflow

• Illuminate low-threshold breaches

• Discover unmanaged systems

• Monitor data access

• Contain and repair compromised systems

• Programmatically share intelligence

• Adjust and extend policies

• Optimize Resources

Page 28: Ransomware - Prepare: Have a Plan

Protect Recommendations

• Patch management and hygiene

• Tune VirusScan and Endpoint Security Access Protection Rules

  • KB81095 and KB54812

• Use GTI and leverage +4 million unique ransomware signatures

• Use HIPS signatures to limit unknown processes

  • 3894: Prevent SVCHOST.exe executing non-Windows .exe‘s

  • 6010 and 6011: block the injection immediately

• Use Whitelisting / Application Control

• Fortify critical systems

  • Legacy operating systems & applications


Page 29: Ransomware - Prepare: Have a Plan

Protect Recommendations

• Use Web Security to stop threats before they get to the endpoint

[Diagram: McAfee Web Protection inspection pipeline, plotted as Input Quantity against Depth of Inspection: AV (Filter Known Bad); Gateway Anti-Malware (Real-time Behavioral Emulation, zero-day); McAfee ATD (Sandbox / Reverse-engineering, Dynamic and Static Analysis, zero-day)]

Page 30: Ransomware - Prepare: Have a Plan

Detect Recommendations


• Limit software installs with VSE access protection rules

• Use HIPS & Change Control to block changes from unapproved processes

• Use TIE to detect new PE’s

• Use Sandboxing / ATD to inspect “grey” files upon execution

• Use IPS to block the TOR traffic ransomware uses to obfuscate its communications

• Integrate Endpoint with Network to reveal malicious process communications

Page 31: Ransomware - Prepare: Have a Plan

Correct Recommendations


• Use ATD to educate the TIE reputation DB

• Use AR to hunt for latent malicious code and eradicate it

• Use SIEM and IPS to discover and blacklist malicious IP’s

• Use frequent backups to restore systems (last resort)

Page 32: Ransomware - Prepare: Have a Plan

Intel Security: Capability Offerings

Themes: Neutralize Emerging Threats, Safeguard Vital Data, Optimize Security Operations, Fortify Critical Environments

• Endpoint Protection

• Network Security

• Data Security

• Web Security

• Security Management

• Endpoint Detection & Response

• Server Security

• Threat Sandboxing

• Security Services

• Threat Intelligence

Page 33: Ransomware - Prepare: Have a Plan
