Because it is profitable!
$209 million in damage (according to the FBI)
The common infection vectors
• Email (parent bullet assumed from the items below)
  – Link to a malicious file on Dropbox & Co.
  – Office document with a malicious macro
    • Sometimes delivered as a script or shortcut file (HTA, WSF, LNK,…) or inside a password-protected archive (Zip, RAR)
• Infected websites
  – Web exploit kits (1.4 million attacks blocked per day)
    • Rig, Magnitude, etc.
• Droppers written in any coding language out there
  – incl. Python, PowerShell, JavaScript/JScript, Google's Go language,…
Enabling Macros with Social Engineering
Infection dropper trends
• Use of scripting languages to evade detection/sandboxes
  – JScript conditional-compilation trick: code inside /*@cc_on @*/ runs under Windows Script Host and Internet Explorer but is a plain comment to every other JavaScript engine, so generic analysers never see it
  – Macro checks for a VM/sandbox (environment checks)
    • "InkPicture_Painted" event as the trigger instead of Document_Open() or AutoOpen()
    • Application.RecentFiles.Count < 3 (a freshly built analysis VM has hardly any recently used files)
  – Script checks the victim's IP before downloading the payload (e.g. via the MaxMind GeoIP service)
• Payload execution
  – Execute a DLL with rundll32.exe and the name of an exported function
  – Seed parameter passed from the JS (to decrypt the payload)
  – Encrypted archive or installer package
  – Launcher one-liners seen in droppers:
    powershell.exe -ExecutionPolicy Bypass -WindowStyle
    (New-Object -com WScript.Shell).Exec($f)
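Added example, not from the deck: a small static triage script that looks for the evasion and execution indicators listed above in dropper source text. The VBA and JScript snippets are constructed for this example, and the regular expressions are my own assumptions about how those tricks appear in source, not vendor signatures.

```python
# Added example (not from the deck): static triage of dropper source text
# for the evasion and execution indicators listed on the slide. The VBA and
# JScript samples are constructed; the patterns are assumptions, not
# vendor signatures.
import re

# indicator -> (regex, category, why it matters); matched case-insensitively
INDICATORS = {
    "vba_alt_trigger": (
        r"\bInkPicture\w*_Painted\b", "evasion",
        "auto-execution via the InkPicture Painted event instead of AutoOpen/Document_Open"),
    "vba_recentfiles_check": (
        r"Application\.RecentFiles\.Count\s*<\s*\d+", "evasion",
        "sandbox check: a freshly built analysis VM has few recently used files"),
    "js_conditional_compilation": (
        r"/\*@cc_on\b", "evasion",
        "JScript conditional compilation: a comment to non-Microsoft JS engines"),
    "geoip_lookup": (
        r"\b(?:maxmind|geoip)\b", "evasion",
        "IP/geolocation check before the payload is fetched"),
    "rundll32_export": (
        r"\brundll32(?:\.exe)?\s+\S+\.dll\s*,\s*\w+", "execution",
        "DLL payload started through rundll32 with an export name"),
    "powershell_bypass": (
        r"\bpowershell(?:\.exe)?\b[^\n]*-ExecutionPolicy\s+Bypass", "execution",
        "PowerShell launcher that bypasses the execution policy"),
}

def scan_source(text):
    """Return {indicator: explanation} for every indicator found in text."""
    hits = {}
    for name, (pattern, _cat, why) in INDICATORS.items():
        if re.search(pattern, text, re.IGNORECASE):
            hits[name] = why
    return hits

def verdict(hits):
    """'likely dropper' when both an evasion and an execution indicator are
    present, 'suspicious' for either alone, otherwise 'clean'."""
    cats = {INDICATORS[name][1] for name in hits}
    if {"evasion", "execution"} <= cats:
        return "likely dropper"
    return "suspicious" if cats else "clean"

# Constructed VBA sample: event-based trigger, RecentFiles check, rundll32 launch.
# The Painted event signature is abbreviated for the example.
SAMPLE_VBA = r'''
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As Variant)
    If Application.RecentFiles.Count < 3 Then Exit Sub
    Dim cmd As String
    cmd = "rundll32.exe C:\Users\Public\stage.dll,Start"
    ' launcher call omitted
End Sub
'''

# Constructed JScript sample: everything inside /*@cc_on ... @*/ is invisible
# to a generic JavaScript engine but runs under Windows Script Host.
SAMPLE_JS = r'''
/*@cc_on
var sh = new ActiveXObject("WScript.Shell");
sh.Run("powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File stage.ps1", 0);
@*/
'''

# Constructed benign macro: a classic trigger alone is not an indicator here.
SAMPLE_BENIGN = 'Sub AutoOpen()\n    MsgBox "Hello"\nEnd Sub\n'

if __name__ == "__main__":
    for label, src in (("vba", SAMPLE_VBA), ("js", SAMPLE_JS), ("benign", SAMPLE_BENIGN)):
        hits = scan_source(src)
        print(label, verdict(hits), sorted(hits))
```

The point of the two categories is that a single trick (say, a RecentFiles check) shows up in clumsy but legitimate automation, while an evasion check sitting next to a launcher is the combination the slide describes.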
Ransomware (cryptolocker) expansion
New families identified per year: 77 in 2014, 100 in 2015, 88 in 2016*
Top 10 infections on 29.10.2016 (chart)
Show me the money
(chart: ransom amounts in 2014, 2015 and 2016)
• Ransom is usually demanded in Bitcoin
• The average ransom has more than doubled in the last year
How to make even more money?
• Payment features
  – TeslaCrypt: chat support and free sample decryption
  – CryptXXX steals Bitcoin wallet data
  – Cerber adds infected machines to a botnet that carries out DDoS attacks
  – Use of Amazon/iTunes/phone gift cards instead of Bitcoin
• New threats added to the ransom note
  – Chimera threatens to post personal data online
  – Jigsaw deletes random files over time
  – Stampado re-encrypts files already encrypted by other cryptolockers
  – Virlock spreads to shares and cloud storage as a file infector
Where are the victims?
Currently a big wave in Brazil
Businesses as a target
• 43% of ransomware infections occur inside organizations
• Employees like to open private email at work
Advanced attack techniques
Recent ransomware attacks use tactics and techniques typically seen in "APT"-style attacks:
• Infiltration: exploit server-side vulnerabilities to gain access to the network.
• Reconnaissance: attackers gather information that may help in later stages of the attack, such as the backup policy. Information gathered may also be used in the
• Lateral movement: attackers use publicly available tools to map and traverse the network and gain access to strategic locations like ICS or DB systems.
• Covering tracks: once the attack has been carried out, the attackers attempt to hide their tracks by removing any tools used.
Example: the SamSam case
• Entry point was an unpatched web server; a JBoss vulnerability was exploited with JexBoss
• Used PsExec and harvested passwords to traverse the network
• Deleted backups to make recovery difficult
• Deployed the SamSam strain of ransomware
• Removed copies of the malware and associated tools to hide tracks
• Ransom was 1.5 Bitcoin (~US$989) per computer
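Added example, not from the deck or any vendor: correlating the SamSam chain above over process-creation events. The events are constructed. Assumptions: the JBoss instance runs under java.exe, so a command shell spawned by it marks the web-server exploit (as JexBoss produces); PSEXESVC.exe is the service PsExec installs on each target; "vssadmin delete shadows" is used here as a stand-in for the backup deletion, which the slide mentions without naming a command.

```python
# Added example (not from the deck): stage correlation over process-creation
# events for the SamSam-style chain. Events are constructed. Assumptions:
# JBoss runs under java.exe; PSEXESVC.exe is PsExec's target-side service;
# "vssadmin delete shadows" stands in for the slide's "deleted backups".
from datetime import datetime, timedelta

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def stage_of(ev):
    """Map one process-creation event to a chain stage, or None."""
    image, parent = _basename(ev["image"]), _basename(ev["parent"])
    cmd = ev["cmdline"].lower()
    if parent == "java.exe" and image in ("cmd.exe", "powershell.exe"):
        return "infiltration"        # shell spawned from the JBoss process
    if image == "psexesvc.exe":
        return "lateral_movement"    # PsExec service started on a target
    if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
        return "backup_deletion"     # assumed stand-in for backup deletion
    return None

def campaign_timeline(events):
    """Chronological (time, host, stage) list of the events that map to a stage."""
    out = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            out.append((datetime.fromisoformat(ev["ts"]), ev["host"], stage))
    return out

def is_samsam_like(events, window=timedelta(hours=24)):
    """True when infiltration, lateral movement and backup deletion occur in
    that order, on any hosts, within `window` of the infiltration."""
    wanted = ["infiltration", "lateral_movement", "backup_deletion"]
    timeline = campaign_timeline(events)
    for i, (t0, _, stage) in enumerate(timeline):
        if stage != "infiltration":
            continue
        seen = ["infiltration"]
        for t, _, s in timeline[i + 1:]:
            if t - t0 > window:
                break
            if len(seen) < len(wanted) and s == wanted[len(seen)]:
                seen.append(s)
        if seen == wanted:
            return True
    return False

# Constructed events (Sysmon-style fields, simplified): the web server is
# exploited, then PsExec lands on the file server, then shadow copies go.
EVENTS = [
    {"ts": "2016-03-01T02:10:05", "host": "web01", "parent": r"C:\jboss\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2016-03-01T02:12:30", "host": "web01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"ts": "2016-03-01T03:02:40", "host": "fs01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2016-03-01T03:05:10", "host": "fs01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
]

if __name__ == "__main__":
    for t, host, stage in campaign_timeline(EVENTS):
        print(t.isoformat(), host, stage)
    print("SamSam-like chain:", is_samsam_like(EVENTS))
```

Each stage on its own is noisy (admins use PsExec, shadow copies get cleaned up); the value is in requiring the order the slide describes, across hosts, inside one time window.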
Further TTPs seen
• Attacks on remote access tools
  – Brute-forcing passwords for RDP, TeamViewer, VNC, FTP, …
• Exploit a web server and pivot further from there
  – SQL injection to modify DB content
• Spear phishing
• Some groups try POS or BEC scams first and then move to ransomware
• Some "APT" groups use ransomware instead of a wiper to hide their intention
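Added example, not from the deck: threshold detection of RDP password brute-forcing, the first TTP above, over Windows logon events. The log lines are constructed in a simplified one-line layout; the event IDs are the real ones (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP). The threshold and window are assumptions to tune per environment.

```python
# Added example (not from the deck): sliding-window detection of RDP
# brute-forcing plus "success after a burst of failures". Log lines are
# constructed in a simplified format; event IDs and logon type are the
# real Windows values. Threshold and window are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) "
    r"LogonType=(?P<lt>\d+) Src=(?P<src>\S+) User=(?P<user>\S+)$")

def parse_line(line):
    """Parse one constructed log line; None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "eid": int(d["eid"]), "lt": int(d["lt"]),
            "src": d["src"], "user": d["user"]}

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Per source IP: number of RDP failures inside the sliding window once
    `threshold` is reached, and the account if a success followed the burst."""
    recent = defaultdict(deque)   # src -> timestamps of recent RDP failures
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["lt"] != 10:      # only RemoteInteractive (RDP)
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ev["eid"] == 4625:
            q.append(ev["ts"])
            if len(q) >= threshold:
                rec = alerts.setdefault(ev["src"], {"failures": 0, "success_after_burst": None})
                rec["failures"] = max(rec["failures"], len(q))
        elif ev["eid"] == 4624 and len(q) >= threshold:
            rec = alerts.setdefault(ev["src"], {"failures": len(q), "success_after_burst": None})
            rec["success_after_burst"] = ev["user"]   # burst then success: likely compromise
    return alerts

# Constructed log: one external source hammers the administrator account and
# gets in; a user mistypes once; a non-RDP failure is ignored.
LOG = """
2016-10-29 03:00:01 EventID=4625 LogonType=10 Src=203.0.113.5 User=administrator
2016-10-29 03:00:07 EventID=4625 LogonType=10 Src=203.0.113.5 User=administrator
2016-10-29 03:00:13 EventID=4625 LogonType=10 Src=203.0.113.5 User=admin
2016-10-29 03:00:19 EventID=4625 LogonType=10 Src=203.0.113.5 User=administrator
2016-10-29 03:00:25 EventID=4625 LogonType=10 Src=203.0.113.5 User=administrator
2016-10-29 03:00:31 EventID=4625 LogonType=10 Src=203.0.113.5 User=administrator
2016-10-29 03:00:45 EventID=4624 LogonType=10 Src=203.0.113.5 User=administrator
2016-10-29 08:15:02 EventID=4625 LogonType=10 Src=10.0.0.7 User=jdoe
2016-10-29 08:15:20 EventID=4624 LogonType=10 Src=10.0.0.7 User=jdoe
2016-10-29 08:16:00 EventID=4625 LogonType=3 Src=10.0.0.9 User=svc-backup
""".strip().splitlines()

if __name__ == "__main__":
    for src, rec in detect_rdp_bruteforce(LOG).items():
        print(src, rec)
```

The "success after burst" field is the one to page on: a burst alone is the internet's background noise against an exposed RDP port, a success right after it is the start of the intrusion.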
Not very sophisticated, but often successful
What are they after?
• Databases (encrypt the data or change the password)
  – e.g. mcrypt_encrypt() added to the application's DB calls
• File shares/cloud storage (even if not mapped: passwords from mimikatz or enumeration tools)
• The backups (to delete them, infect them or encrypt them)
• In some rare cases industrial controllers; more likely classical blackmailing
Victim organization profile (chart; sector categories include Finance, Insurance, & …; Comms & Utilities; Agri, Forestry, & Fishing)
Note on the slide: healthcare is seeing more targeted attacks and is therefore not reflected in the chart
Crypto is difficult (for most people)
• Back up your data (and keep the backups out of reach!)
• Keep your system and software up to date
• Double-check shared folders
  – Do they auto-sync to the cloud?
  – How is your file server protected?
• Follow best practices (2FA, security software, …)
  – Disable scripting hosts, PowerShell, etc. if you don't use them
• Be prepared: run the incident-response drill
• Some have experimented with "honeyfiles" and "folder sinkholes"
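Added example, not from the deck: a minimal honeyfile check of the kind the last bullet refers to. Decoy files are planted, their SHA-256 digests recorded, and a later pass reports decoys that were modified, removed or renamed. The decoy names and contents are constructed; simulate_attack() emulates an encryptor in a temporary directory so the example runs offline.

```python
# Added example (not from the deck): honeyfile planting and checking.
# Decoy names/contents are constructed; simulate_attack() emulates an
# encryptor in a temporary directory (overwrite one decoy, rename another).
import hashlib
import os
import tempfile

# Decoys named to sort first and last: many encryptors walk a folder in
# directory order, so a decoy at either end is touched before much real data.
HONEYFILES = {
    "!budget_2016.xlsx": b"constructed decoy spreadsheet\n",
    "passwords_backup.txt": b"constructed decoy credentials file\n",
    "zz_last.docx": b"constructed decoy document\n",
}

def _digest(data):
    return hashlib.sha256(data).hexdigest()

def plant(directory):
    """Write the decoys and return {name: sha256} as the baseline."""
    baseline = {}
    for name, content in HONEYFILES.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
        baseline[name] = _digest(content)
    return baseline

def check(directory, baseline):
    """Compare the folder with the baseline. A modified or missing decoy
    raises the alert flag; new files are listed as a hint at a rename."""
    present = set(os.listdir(directory))
    findings = {"modified": [], "missing": [], "unexpected": []}
    for name, digest in baseline.items():
        if name not in present:
            findings["missing"].append(name)
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            if _digest(fh.read()) != digest:
                findings["modified"].append(name)
    findings["unexpected"] = sorted(present - set(baseline))
    findings["alert"] = bool(findings["modified"] or findings["missing"])
    return findings

def simulate_attack():
    """Plant decoys, record the clean result, then emulate a cryptolocker
    that overwrites one decoy in place and renames another with a new
    extension. Returns (clean_findings, attacked_findings)."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant(d)
        clean = check(d, baseline)
        with open(os.path.join(d, "passwords_backup.txt"), "wb") as fh:
            fh.write(b"\x00\x11\x22 pretend ciphertext")
        os.rename(os.path.join(d, "zz_last.docx"),
                  os.path.join(d, "zz_last.docx.locked"))
        return clean, check(d, baseline)

if __name__ == "__main__":
    before, after = simulate_attack()
    print("before:", before)
    print("after :", after)
```

In production the check would run from a scheduled task or a file-system watcher and its alert would trigger the prepared response (isolate the host, cut the share), which is what makes the drill in the previous bullet worth rehearsing.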
Don't forget your phones
• Android ransomware is out there
• IoT device ransomware has not been seen at large in the wild, but it is possible
Summary – keep your data safe!
• 100 new families identified in 2015, most not sophisticated
• Scripts are popular to evade first-step detection
• Employees in organizations account for 43% of infections
• There are ransomware groups going after organizations
• Most attacks are not targeted, but still devastating
• It is profitable for the attackers, so it won't go away overnight