Whoami and Ransomware Prevention Tips
WHOAMI
I’m NOT a CEH
Creator of the Zombie Browser Toolkit
https://github.com/Z6543/ZombieBrowserPack
Creator of the HWFW Bypass tool
• Idea later(?) implemented by nation state attackers in Duqu 2.0
https://github.com/MRGEffitas/hwfwbypass
Creator of the Malware Analysis Sandbox Tester tool
https://github.com/MRGEffitas/Sandbox_tester
Invented the idea of encrypted exploit delivery via Diffie-Hellman key exchange, to bypass exploit detection appliances
• Implemented by Angler and Nuclear exploit kit developers
https://www.mrg-effitas.com/generic-bypass-of-next-gen-intrusion-threat-breach-detection-systems/
WHAT IS RANSOMWARE?
Malware executes on your computer
Blocks access to files or the computer
Pay in Bitcoin or a similar pseudo-anonymous means
There is a deadline to pay; after that the ransom is higher or the keys are deleted forever
http://malware.dontneedcoffee.com/2013/10/kovter-even-more-abominable-also-add.html
IOS "SCREENLOCKER"
CRYPTO RANSOMWARE
https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe
C:\Users\Dani\Desktop\nocrime\nocrime\obj\x86\Debug\turul.pdb
C:\Users\user\Desktop\kalosiptitkoss\obj\x86\Debug\mgtow.pdb
LINUX WEBSERVER RANSOMWARE
Encrypt the database, but the key is available for weeks/months
When the latest working backup is too old, keys are deleted
https://www.theguardian.com/technology/2015/feb/03/hackers-websites-ransom-switching-encryption-keys
LEAKWARE/DOXWARE
Pay, or I will publish your …
• E-mails
• Browser history
• The contents of your hidden, private folder
• Things you did in front of your webcam
Not very popular (yet) …, but if too many people have good backups, this might be the solution for ransomware developers
• Hard to scale on the attacker side, hard to automate
• Better to attack huge corporations
Everyone has secrets they want to keep private
Black Mirror S03E03
WHAT HAPPENED IN 2013? WHAT WAS DIFFERENT 10 YEARS AGO?
More careless users
Java/Flash exploits
Hidden services
WHAT IS ENCRYPTED VIA RANSOMWARE?
ods crp arj tar raw xlsm prproj der 7zip bpw dxf ppj tib nbf dot
pps dbf qif nsf ifx cdr pdb kdbx tbl docx qbw accdb eml pptx
kdb p12 tax xls pgp rar xml sql 4dd iso max ofx sdf dwg idx rtf
dotx saj gdb wdb pfx docm dwk qba mpp 4db myo doc xlsx ppt
gpg gho sdc odp psw psd cer mpd qbb dwfx dbx mdb crt sko
nba jpg nv2 mdf ksd qbo key pdf aes 3ds qfx ppsx sxc gxk aep
odt odb dotm accdt fdb csv txt zip
Documents, Images, CAD files, Source code, Gameplay save,
Cryptocurrency wallet, Password safe database, Certificates,
Compressed files, Encrypted files, Backup files
WHAT ELSE IS DONE BY RANSOMWARE?
Not just local files, but files on network shares
Delete volume shadow copies
• Against Windows System Restore
Stealing Bitcoin
• If the wallet is not protected with a strong password
Stealing passwords stored in the browser or FTP client
NOTORIOUS CRYPTO-RANSOMWARE
Cryptolocker
Alphalocker
Teslacrypt
Cryptowall
Locky
Petya - MFT
PETYA
PROBLEMS REGARDING CURRENT RANSOMWARE PROTECTION
Every reactive technology is doomed to fail
• AV signature protection
• IDS/IPS
• Spam filter (signature)
Previously, reactive malware detection was good enough
• It was OK to have malware running on the computer for days
In the case of ransomware, 15 minutes late is too late
Reputation-based protection is much better than signature-based, because it is proactive
PREVENTION - HOME
(ALMOST) FREE TIPS – EXPLOIT PROTECTION
Use Chrome to browse the Internet
Use EMET (as long as you need it)
• Only protects IE, not Edge, Chrome or Firefox
Instead of EMET, pay for Sophos Intercept X (HitmanPro Alert) or MBAE
• Paid versions protect all browsers
Enable Flash click-to-play
uBlock Origin adblocker against malvertising
index.hu
Use the latest Windows/Office
(ALMOST) FREE TIPS – EXPLOIT PROTECTION
Use a VPN from a poor or post-Soviet country
https://www.trustwave.com/Resources/SpiderLabs-Blog/Magnitude-Exploit-Kit-Backend-Infrastructure-Insight---Part-II/
MACRO RANSOMWARE
(ALMOST) FREE TIPS – MACRO PROTECTION
Macro malware
There is a 1% chance you need macros in your home environment. Just disable them.
Don't enable macros, and teach your grandma/grandpa the same
(ALMOST) FREE TIPS – SCRIPT PROTECTION
Use Notepad as the default app for the following file extensions: JS/JSE/WSH/HTA/VBS/WS/BAT/VBE
Don’t hide file extensions from users
Use generic ransomware protection
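The two registry changes behind this slide, as an added example rather than the author's own script: every listed extension is re-pointed at Notepad through its ProgID's open verb, and Explorer is told to show extensions. It assumes an elevated Windows PowerShell session; because a stock Windows has no `.ws` type, `.wsf` is added on the assumption that this is what the slide meant. It only changes what a double-click (ShellExecute) does, so a script started explicitly through wscript.exe or cscript.exe still runs, and a per-user UserChoice entry, if one exists, overrides this machine-wide default.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the slides. Extensions listed on the slide plus '.wsf' (assumption:
# the slide's "WS" means Windows Script Files; '.ws' itself is not registered on stock Windows).
$extensions = '.js', '.jse', '.wsh', '.hta', '.vbs', '.ws', '.wsf', '.bat', '.vbe'
$notepadCmd = '"' + "$env:SystemRoot\System32\notepad.exe" + '" "%1"'

function Set-NotepadAsHandler {
    param([string] $Extension)
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (-not (Test-Path $extKey)) { Write-Warning "$Extension is not registered, skipping"; return }

    # The extension key's default value is the ProgID (e.g. .js -> JSFile); the ProgID owns the verbs
    $progId = (Get-ItemProperty -Path $extKey).'(default)'
    if ([string]::IsNullOrEmpty($progId)) { Write-Warning "$Extension has no ProgID, skipping"; return }

    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
    $before = (Get-ItemProperty -Path $cmdKey).'(default)'
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepadCmd
    # Print the previous command so the change can be reverted later
    '{0,-5} {1,-9} {2}' -f $Extension, $progId, $before
}

foreach ($ext in $extensions) { Set-NotepadAsHandler -Extension $ext }

# "Don't hide file extensions from users": HideFileExt = 0 makes Explorer show them
# (takes effect after Explorer restarts or the user logs on again)
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -Name HideFileExt -Value 0 -Type DWord
```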
(ALMOST) FREE TIPS – CAMOUFLAGE
Make your computer look like a malware analyst's computer
• Wireshark, Fiddler, Process Explorer …
• VirtualBox Guest Additions and VMware Tools files
• HitmanPro Alert vaccination
https://theevilbit.blogspot.hu/2015/10/make-your-desktop-fake-virtual-machine.html
PREVENTION - ENTERPRISE
Everything used at home, and …
Instead of blinking boxes: small tips and tricks
TIPS – EXPLOIT PROTECTION
Force Chrome (or Edge) for Internet browsing at the web proxy
• Filter on User-Agent at the proxy
• Use IE6 for the intranet only
• Chrome can be managed via GPO
Web proxy filtering
• Users have to click through to visit uncategorized sites
E-mail filter
• Put suspicious files into quarantine
• An admin should approve if the user wants the email
(ALMOST) FREE TIPS – MACRO PROTECTION
Macro malware
• Only allow digitally signed macros to run
OR
• Office 2016/2013 Group Policy
• Prevent macros in Office documents downloaded from the Internet
(ALMOST) FREE TIPS
Application whitelisting: block executables under C:\Users
• Windows AppLocker
• http://www.mcbsys.com/blog/2013/10/block-user-folder-executables/
• .exe, .scr, .com, .js, .jse, .wsh, .vbs, .cs, .cab, …
• A lot of work, and a lot of stuff will break, but over time it will be worth it
A reputation database is also a kind of whitelist
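An AppLocker policy for this slide, written here as an added example rather than the deck's or the linked blog's own: path rules allow Program Files and Windows, and deny anything started from under the Users folder, for both the Exe and Script rule collections. It assumes an elevated Windows PowerShell session on a Windows edition that ships AppLocker, starts in AuditOnly (so the "lot of stuff will break" phase is visible in the AppLocker event log before enforcement), and the file name under %TEMP% is a placeholder. AppLocker's Script collection covers .ps1/.bat/.cmd/.vbs/.js; it does not cover .jse/.wsh/.vbe/.hta, which is why the script-protection tip still matters alongside it.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the slides. Run with -Mode Enabled once the audit log is quiet.
param([ValidateSet('AuditOnly', 'Enabled')] [string] $Mode = 'AuditOnly')

# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators
function New-PathRule {
    param([string] $Name, [string] $Path, [string] $Action, [string] $Sid = 'S-1-1-0')
    $id = [guid]::NewGuid()
    @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Exe covers .exe/.com, Script covers .ps1/.bat/.cmd/.vbs/.js. Deny beats Allow in AppLocker,
# so the Users deny also hits administrators; AuditOnly shows what that breaks before it bites.
function New-Collection {
    param([string] $Type)
    $rules = @(
        New-PathRule -Name "Allow $Type in Program Files"   -Path '%PROGRAMFILES%\*'  -Action Allow
        New-PathRule -Name "Allow $Type in Windows"         -Path '%WINDIR%\*'        -Action Allow
        New-PathRule -Name "Allow $Type for Administrators" -Path '*'                 -Action Allow -Sid 'S-1-5-32-544'
        New-PathRule -Name "Deny $Type under Users"         -Path '%OSDRIVE%\Users\*' -Action Deny
    ) -join "`n"
    "  <RuleCollection Type=`"$Type`" EnforcementMode=`"$Mode`">`n$rules`n  </RuleCollection>"
}

$policy = @"
<AppLockerPolicy Version="1">
$(New-Collection -Type 'Exe')
$(New-Collection -Type 'Script')
</AppLockerPolicy>
"@

# Parse the generated XML back before touching the machine
$xml = [xml] $policy
Write-Host ('{0} rules in {1} collections, mode {2}' -f $xml.SelectNodes('//FilePathRule').Count,
    $xml.SelectNodes('//RuleCollection').Count, $Mode)

$xmlPath = Join-Path $env:TEMP 'deny-users-folder-applocker.xml'   # placeholder location
Set-Content -Path $xmlPath -Value $policy -Encoding UTF8

# Dry run: what would the policy decide for the executables currently in Downloads?
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -ErrorAction SilentlyContinue |
    Convert-Path | Test-AppLockerPolicy -XmlPolicy $xmlPath -User Everyone

# AppLocker only evaluates rules while the Application Identity service is running
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge   # -Merge keeps rules already on the box
```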
PREPARATION
BACKUP
Ransomware actively searches for and encrypts backup files.
Offline backup is more important than ever
My home NAS solution
• The SMB share is only writable during the backup timeframe
• Otherwise, it is read-only
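The "writable only during the backup window" share, as an added example that is not the author's NAS setup: the slide does not say what the NAS runs, so this assumes the share is hosted on a Windows machine with the SmbShare module, and the share and account names are placeholders. Two SYSTEM scheduled tasks re-run the script with -Phase open and -Phase close, switching the backup account between Change and Read on the share; outside the window a ransomware process on any client, even one running as the backup user, only has read access to existing backups. A process on the client during the window still has write access, so keep the window as short as the job needs.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the slides. Assumes a Windows-hosted SMB share; names are placeholders.
param([ValidateSet('install', 'open', 'close')] [string] $Phase = 'install')

$ShareName     = 'Backup'              # placeholder: an existing SMB share on this host
$BackupAccount = 'HOMEPC\backupuser'   # placeholder: the only account that writes backups
$WindowStart   = [datetime] '02:00'    # the backup job itself is scheduled to start at this time
$WindowMinutes = 120                   # keep it as short as the backup actually needs

function Set-BackupShareAccess {
    param([ValidateSet('Read', 'Change')] [string] $Right)
    # Replace whatever share ACE the account has with the requested one. Change = read/write/delete;
    # the NTFS ACL on the folder still applies underneath and is not touched here.
    Revoke-SmbShareAccess -Name $ShareName -AccountName $BackupAccount -Force -ErrorAction SilentlyContinue
    Grant-SmbShareAccess  -Name $ShareName -AccountName $BackupAccount -AccessRight $Right -Force
    # Return the resulting ACE so a caller (or the task history) can confirm the state
    Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -eq $BackupAccount
}

function Register-BackupWindowTasks {
    # Two SYSTEM tasks call this same script again with -Phase open / -Phase close
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    $steps = @(
        @{ Name = 'Backup window - open';  At = $WindowStart;                            Arg = 'open'  },
        @{ Name = 'Backup window - close'; At = $WindowStart.AddMinutes($WindowMinutes); Arg = 'close' }
    )
    foreach ($step in $steps) {
        $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -ExecutionPolicy RemoteSigned -File `"$PSCommandPath`" -Phase $($step.Arg)"
        $trigger = New-ScheduledTaskTrigger -Daily -At $step.At
        Register-ScheduledTask -TaskName $step.Name -Action $action -Trigger $trigger `
            -Principal $principal -Force | Out-Null
    }
    Set-BackupShareAccess -Right Read   # start in the safe, read-only state
}

switch ($Phase) {
    'open'    { Set-BackupShareAccess -Right Change }
    'close'   { Set-BackupShareAccess -Right Read }
    'install' { Register-BackupWindowTasks }
}
```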
BACKUP
Everybody talks about this, but no one does it
• Test your backup restore procedure frequently
How long does it take to restore?
• Is the Cloud backup fast enough?
HAVE ENOUGH BITCOIN AT HOME / AT YOUR FINANCIAL MANAGER
The Bitcoin wallet should be offline!!!
WHEN SH*T HITS THE FAN
Don’t panic
• It never helps
If the ransomware is still running:
• Try to hibernate/sleep the machine
• If this does not work, shut it down immediately
There are ransomware samples that can be decrypted if you have the memory dump
Ask for professional help
• How much does the professional cost? How much is my data worth?
• Don't ask for my help, I can't help.
SHOULD I PAY? OR NOT?
If prevention or preparation was not enough
If you don't pay, back up the drive; the data might be recoverable in the future
• Lame crypto gets reversed
• Ransomware servers hacked, keys leaked
• Ransomware developer gives out keys for free
IF YOU PAY
~90% chance you get your data back
You can bargain in online chats
Doesn't it feel good that you don't have to find out what it's like to get a lot of Bitcoin within 24 hours?
If you don't have enough Bitcoin:
• Search for a Bitcoin ATM - Budapest (next to Deák square)
• Before going there, read the instructions (mobile app)
• https://localbitcoins.com/
POST MORTEM
What happened?
What can I do to prevent this from happening again?
MY UNPOPULAR OPINION
Ransomware is the tax on the Internet
• Paid by those who did not spend enough money/time on security before
• Those who are frivolous on the Internet
• Those who think it can't happen to them
Obviously, I don't blame the users and companies only.
It is time to take ITSEC seriously …
HACK THE PLANET!
zoltan.balazs@mrg-effitas.com
https://hu.linkedin.com/in/zbalazs
Twitter – @zh4ck
www.slideshare.net/bz98
Greetz to @CrySySLab, @SpamAndHex
JumpESPJump.blogspot.com

More Related Content

What's hot

Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Duo Security
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseAndrew Morris
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopDefcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopPriyanka Aash
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListSecurity Weekly
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityPriyanka Aash
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012Andrew Morris
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented DefenceSensePost
 
Password Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPassword Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPrasad Pawar
 
Attacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selectionamiable_indian
 
Defcon 22-metacortex-grifter-darkside-of-the-internet
Defcon 22-metacortex-grifter-darkside-of-the-internetDefcon 22-metacortex-grifter-darkside-of-the-internet
Defcon 22-metacortex-grifter-darkside-of-the-internetPriyanka Aash
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsAPNIC
 
Firewalls (Distributed computing)
Firewalls (Distributed computing)Firewalls (Distributed computing)
Firewalls (Distributed computing)Sri Prasanna
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasyGive Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasySecurity Weekly
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzDeepanshu Gajbhiye
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Security Weekly
 
Android Hacking
Android HackingAndroid Hacking
Android Hackingantitree
 

What's hot (20)

Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To Noise
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopDefcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted List
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-security
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented Defence
 
Password Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPassword Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass Protocol
 
Hacker bootcamp
Hacker bootcampHacker bootcamp
Hacker bootcamp
 
Attacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selection
 
Defcon 22-metacortex-grifter-darkside-of-the-internet
Defcon 22-metacortex-grifter-darkside-of-the-internetDefcon 22-metacortex-grifter-darkside-of-the-internet
Defcon 22-metacortex-grifter-darkside-of-the-internet
 
Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my Honeypots
 
Firewalls (Distributed computing)
Firewalls (Distributed computing)Firewalls (Distributed computing)
Firewalls (Distributed computing)
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasyGive Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made Easy
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritz
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
 
Android Hacking
Android HackingAndroid Hacking
Android Hacking
 

Similar to Whoami and Ransomware Prevention Tips

[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensionsZoltan Balazs
 
Personal Internet Security System
Personal Internet Security SystemPersonal Internet Security System
Personal Internet Security SystemMatthew Bricker
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By NirmalNIRMAL RAJ
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Juniper Networks
 
Rob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost StoriesRob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost StoriesArea41
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCyber Security Alliance
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012Zoltan Balazs
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key loggerPatel Mit
 
DEF CON 23 - Weston Hecker - goodbye memory scraping malware
DEF CON 23 - Weston Hecker - goodbye memory scraping malwareDEF CON 23 - Weston Hecker - goodbye memory scraping malware
DEF CON 23 - Weston Hecker - goodbye memory scraping malwareFelipe Prado
 
Honeypots for Active Defense
Honeypots for Active DefenseHoneypots for Active Defense
Honeypots for Active DefenseGreg Foss
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 

Similar to Whoami and Ransomware Prevention Tips (20)

[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
 
Internet security
Internet securityInternet security
Internet security
 
Thou shalt not
Thou shalt notThou shalt not
Thou shalt not
 
Personal Internet Security System
Personal Internet Security SystemPersonal Internet Security System
Personal Internet Security System
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By Nirmal
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]
 
Rob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost StoriesRob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost Stories
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
 
Corporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomwareCorporations - the new victims of targeted ransomware
Corporations - the new victims of targeted ransomware
 
Hacktivityonly 121013141039-phpapp02
Hacktivityonly 121013141039-phpapp02Hacktivityonly 121013141039-phpapp02
Hacktivityonly 121013141039-phpapp02
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key logger
 
DEF CON 23 - Weston Hecker - goodbye memory scraping malware
DEF CON 23 - Weston Hecker - goodbye memory scraping malwareDEF CON 23 - Weston Hecker - goodbye memory scraping malware
DEF CON 23 - Weston Hecker - goodbye memory scraping malware
 
Honeypots for Active Defense
Honeypots for Active DefenseHoneypots for Active Defense
Honeypots for Active Defense
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
 

More from Zoltan Balazs

[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchainZoltan Balazs
 
Web3 + scams = It's a match
Web3 + scams = It's a matchWeb3 + scams = It's a match
Web3 + scams = It's a matchZoltan Balazs
 
Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveZoltan Balazs
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitlandZoltan Balazs
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking Zoltan Balazs
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitőZoltan Balazs
 
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’sZoltan Balazs
 

More from Zoltan Balazs (13)

[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain
 
MLSEC 2020
MLSEC 2020MLSEC 2020
MLSEC 2020
 
Web3 + scams = It's a match
Web3 + scams = It's a matchWeb3 + scams = It's a match
Web3 + scams = It's a match
 
MIPS-X
MIPS-XMIPS-X
MIPS-X
 
Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a five
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
Sandboxes
SandboxesSandboxes
Sandboxes
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
 
[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
 
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
 

Recently uploaded

Tari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T ShirtsTari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T Shirtsrahman018755
 
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...ICT Watch - Indonesia
 
Power of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdfPower of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdfrajats19920
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)ICT Watch - Indonesia
 
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...vmzoxnx5
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 

Recently uploaded (6)

Tari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T ShirtsTari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T Shirts
 
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
 
Power of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdfPower of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdf
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
 
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 

Whoami and Ransomware Prevention Tips

  • 1.
  • 2. WHOAMI I’m NOT a CEH Creator of the Zombie Browser Toolkit https://github.com/Z6543/ZombieBrowserPack Creator of the HWFW Bypass tool • Idea later(?) implemented by nation state attackers in Duqu 2.0 https://github.com/MRGEffitas/hwfwbypass Creator of the Malware Analysis Sandbox Tester tool https://github.com/MRGEffitas/Sandbox_tester Invented the idea of encrypted exploit delivery via Diffie-Hellman key exchange, to bypass exploit detection appliances • Implemented by Angler and Nuclear exploit kit developers https://www.mrg-effitas.com/generic-bypass-of-next-gen-intrusion-threat-breach-detection- systems/
  • 3. WHAT IS A RANSOMWARE Malware executes on your computer Blocks access to files or computer Pay in Bitcoin or similar pseudo-anonym means There is a deadline to pay, after that ransom is higher or keys are deleted forever
  • 5.
  • 8.
  • 10.
  • 11. LINUX WEBSERVER RANSOMWARE Encrypt the database, but the key is available for weeks/months When the latest working backup is too old, keys are deleted https://www.theguardian.com/technology/2015/feb/03/hackers- websites-ransom-switching-encryption-keys
  • 12. LEAKWARE/DOXWARE Pay, or I will publish your … • E-mails • Browser history • The contents of your hidden, private folder • Things you did in front of your webcam Not very popular (yet) …, but if too many people will have good backup, this might be the solution for ransomware developers • Hard to scale on attacker side, hard to automate • Better to attack huge corporations Everyone has secrets they want to keep private Black Mirror S03E03
  • 14. WHAT HAPPENED IN 2013? WHAT WAS DIFFERENT 10 YEARS AGO?
    More careless users
    Java/Flash exploits
    Hidden services
  • 15. WHAT IS ENCRYPTED VIA RANSOMWARE?
    ods, crp, arj, tar, raw, xlsm, prproj, der, 7zip, bpw, dxf, ppj, tib, nbf, dot, pps, dbf, qif, nsf, ifx, cdr, pdb, kdbx, tbl, docx, qbw, accdb, eml, pptx, kdb, p12, tax, xls, pgp, rar, xml, sql, 4dd, iso, max, ofx, sdf, dwg, idx, rtf, dotx, saj, gdb, wdb, pfx, docm, dwk, qba, mpp, 4db, myo, doc, xlsx, ppt, gpg, gho, sdc, odp, psw, psd, cer, mpd, qbb, dwfx, dbx, mdb, crt, sko, nba, jpg, nv2, mdf, ksd, qbo, key, pdf, aes, 3ds, qfx, ppsx, sxc, gxk, aep, odt, odb, dotm, accdt, fdb, csv, txt, zip
    Documents, Images, CAD files, Source code, Gameplay save, Cryptocurrency wallet, Password safe database, Certificates, Compressed files, Encrypted files, Backup files
  • 16. WHAT ELSE IS DONE BY RANSOMWARE?
    Not just local files, but files on network shares
    Delete volume shadow copy
      • Against Windows System Restore
    Stealing Bitcoin
      • If not protected with strong password
    Stealing passwords stored in browser or FTP client
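The shadow-copy deletion on slide 16 is one of the few loud things ransomware does before the encryption finishes, so it is worth alerting on. The detector below is an added example (not code from the deck or its author): it scans process-creation records for shadow-copy tampering commands and marks the hit as high-priority when the parent process was launched from a user profile, which is where attachments land and where legitimate backup agents never live. The record format (`host=`, `user=`, `parent=`, `cmd=` fields) and every sample line are constructed for this example; `LOG_LINE` is the part to adapt to a real event source.

```python
"""Detect shadow-copy deletion in process-creation logs.

Added example, not part of the slide deck: a detector for the
"delete volume shadow copy" behaviour, run over constructed
process-creation records (timestamp, host, user, parent image,
command line). The log format and every sample line are constructed
for this example; adapt LOG_LINE to your real event source.
"""
import re
from typing import Iterable, List, NamedTuple

# Shadow-copy tampering rules, matched case-insensitively against the
# command line. Loose patterns so that full paths, quoting and extra
# switches do not cause misses.
SHADOW_COPY_RULES = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin-resize-shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic-shadowcopy-delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

# Constructed record format: key=value fields, parent and cmd quoted.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'parent="(?P<parent>[^"]*)" cmd="(?P<cmd>[^"]*)"$'
)


class Alert(NamedTuple):
    rule: str
    ts: str
    host: str
    user: str
    parent: str
    cmd: str
    parent_in_user_profile: bool  # parent image lives under C:\Users\...


def from_user_profile(parent: str) -> bool:
    """Backup agents live under Program Files; a parent under \\Users\\ is suspicious."""
    return "\\users\\" in parent.lower()


def scan(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per record whose command line matches a rule."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not a process-creation record in the expected format
        for name, rx in SHADOW_COPY_RULES:
            if rx.search(m["cmd"]):
                alerts.append(Alert(name, m["ts"], m["host"], m["user"],
                                    m["parent"], m["cmd"],
                                    from_user_profile(m["parent"])))
                break  # one alert per record, first rule wins
    return alerts


# Constructed sample log: an infected workstation plus a legitimate backup job.
SAMPLE_LOG = r"""
2016-11-20T10:15:03Z host=WS01 user=dani parent="C:\Users\dani\AppData\Local\Temp\invoice.exe" cmd="vssadmin.exe Delete Shadows /All /Quiet"
2016-11-20T10:15:04Z host=WS01 user=dani parent="C:\Users\dani\AppData\Local\Temp\invoice.exe" cmd="C:\Windows\System32\wbem\WMIC.exe shadowcopy delete"
2016-11-20T10:16:10Z host=WS01 user=dani parent="C:\Windows\explorer.exe" cmd="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE /n report.docx"
2016-11-20T02:00:00Z host=SRV01 user=SYSTEM parent="C:\Program Files\BackupTool\agent.exe" cmd="vssadmin.exe list shadows"
2016-11-20T02:00:05Z host=SRV01 user=SYSTEM parent="C:\Program Files\BackupTool\agent.exe" cmd="vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=10GB"
""".strip().splitlines()


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        flag = "HIGH (parent in user profile)" if a.parent_in_user_profile else "review"
        print(f"{a.ts} {a.host} {a.rule}: {a.cmd!r} [{flag}]")
```

The third hit (the backup agent shrinking shadow storage at 02:00) is the false-positive case every such rule has: the command is legitimate there, so the parent path and the user context, not the command line alone, should drive the severity. Listing shadows does not fire at all.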
  • 18. PETYA
  • 19. PROBLEMS REGARDING CURRENT RANSOMWARE PROTECTION
    Every reactive technology is doomed to fail
      • AV signature protection
      • IDS/IPS
      • Spam-filter (signature)
    Previously, reactive malware detection was good enough
      • It was OK to have malware running on the computer for days
    In case of ransomware, 15 minutes late is too late
    Reputation based protection is much better than signature based, because it is proactive
  • 21. (ALMOST) FREE TIPS – EXPLOIT PROTECTION
    Use Chrome to browse the Internet
    Use EMET (as long as you need it)
      • Only protects IE, not Edge, Chrome or Firefox
    Instead of EMET, pay for Sophos Intercept X (HitmanPro.Alert) or MBAE
      • Paid versions protect all browsers
    Flash click-to-play
    uBlock Origin adblocker against malvertising (index.hu)
    Use latest Windows/Office
  • 22. (ALMOST) FREE TIPS – EXPLOIT PROTECTION
    Use VPN from a poor or post-soviet country :)
    https://www.trustwave.com/Resources/SpiderLabs-Blog/Magnitude-Exploit-Kit-Backend-Infrastructure-Insight---Part-II/
  • 24. (ALMOST) FREE TIPS – MACRO PROTECTION
    Macro malware
    There is a 1% chance you need macros in your home environment. Just disable it
    Don’t enable macros, and teach your grandma/grandpa the same
  • 25. (ALMOST) FREE TIPS – SCRIPT PROTECTION
    Use Notepad as default app for the following file extensions: JS/JSE/WSH/HTA/VBS/WS/BAT/VBE
    Don’t hide file extensions from users
    Use generic ransomware protection
  • 26. (ALMOST) FREE TIPS – CAMOUFLAGE
    Make your computer look like a malware analyst’s computer
      • Wireshark, Fiddler, Process Explorer …
      • VirtualBox Guest Additions / VMware Tools files
      • HitmanPro.Alert vaccination
    https://theevilbit.blogspot.hu/2015/10/make-your-desktop-fake-virtual-machine.html
  • 27. PREVENTION - ENTERPRISE
    Everything used at home, and …
    Instead of blinking boxes, small tips and tricks
  • 28. TIPS – EXPLOIT PROTECTION
    Force Chrome (or Edge) for browsing the Internet on the web proxy
      • Filter User-Agent on proxy
      • Use IE6 for Intranet only
      • Chrome can be managed via GPO
    Web proxy filtering
      • Users have to click to visit Uncategorized sites
    E-mail filter
      • Put suspicious files into quarantine
      • Admin should approve if user wants the email
  • 29. (ALMOST) FREE TIPS – MACRO PROTECTION
    Macro malware
      • Only allow digitally signed macros to run, OR
      • Office 2016/2013 Group Policy: prevent macros in Office documents downloaded from the Internet
  • 30. (ALMOST) FREE TIPS
    Application whitelist (block executables under C:\Users)
      • Windows AppLocker
      • http://www.mcbsys.com/blog/2013/10/block-user-folder-executables/
      • .exe, .scr, .com, .js, .jse, .wsh, .vbs, .cs, .cab, …
      • Lot of work, lot of stuff will break. But after some time, it will be worth it
    Reputation database is also a kind of whitelist
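Slides 25 and 30 are really the same control at two price points: stop the file the user double-clicked from being executed, by opening script extensions in Notepad at home and by denying execution under C:\Users in the enterprise. The block below is an added example, not the deck's code and not Microsoft's AppLocker engine: a simplified, first-match path rule set on fnmatch globs with an assumed default deny, plus two helpers that show why "don't hide file extensions" matters (`invoice.pdf.js` is displayed as `invoice.pdf`, but its real extension is `.js`). The sample paths are constructed.

```python
"""Model of two cheap controls: script extensions opening in Notepad and
executables being denied under C:\\Users.

Added example, not the deck's own code and not Microsoft's AppLocker
engine: a simplified first-match path rule set using fnmatch globs,
with an assumed default deny for anything no rule allows. The sample
paths are constructed.
"""
import fnmatch
import ntpath
from typing import Tuple

# Script types the home tip sends to Notepad instead of the script host.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsh", ".hta", ".vbs", ".ws", ".bat", ".vbe"}
# File types the whitelist policy governs (the enterprise tip's list, which
# ends in "..."; anything else is treated as data and opened, not executed).
POLICY_EXTENSIONS = {".exe", ".scr", ".com", ".cab", ".cs"} | SCRIPT_EXTENSIONS

# Path rules, evaluated top to bottom on the lower-cased full path; the
# first match decides. The deny on the user profile comes first so that an
# allow for a broader location can never override it.
RULES = [
    ("deny",  r"c:\users\*"),
    ("allow", r"c:\windows\*"),
    ("allow", r"c:\program files\*"),
    ("allow", r"c:\program files (x86)\*"),
]


def true_extension(filename: str) -> str:
    """The extension Windows actually uses: the part after the LAST dot."""
    return ntpath.splitext(filename)[1].lower()


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the last extension vanishes, so invoice.pdf.js is shown as invoice.pdf."""
    return ntpath.splitext(filename)[0]


def default_handler(filename: str) -> str:
    """Handler after the Notepad tip: scripts open as text instead of running."""
    return "notepad.exe" if true_extension(filename) in SCRIPT_EXTENSIONS else "system default"


def may_execute(path: str) -> Tuple[str, str]:
    """Whitelist decision for launching `path`: ('allow'|'deny'|'not-executable', reason)."""
    ext = true_extension(ntpath.basename(path))
    if ext not in POLICY_EXTENSIONS:
        return "not-executable", f"{ext or '(none)'} is not a governed file type"
    low = path.lower()
    for decision, pattern in RULES:
        if fnmatch.fnmatchcase(low, pattern):
            return decision, f"matched rule {decision} {pattern}"
    return "deny", "no allow rule matched (default deny)"


# Constructed sample: a mail attachment, two real programs, a stray tool, a document.
SAMPLES = [
    r"C:\Users\dani\Downloads\invoice.pdf.js",
    r"C:\Users\dani\AppData\Local\Temp\setup.exe",
    r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Temp\tool.exe",
    r"C:\Users\dani\Documents\notes.txt",
]

if __name__ == "__main__":
    for p in SAMPLES:
        name = ntpath.basename(p)
        decision, why = may_execute(p)
        print(f"{name:20} shown as {displayed_name(name):14} -> {decision:15} "
              f"({why}); opens with {default_handler(name)}")
```

The stray `C:\Temp\tool.exe` is the case that makes the "lot of stuff will break" remark on slide 30 concrete: a whitelist denies everything it was not told about, so every installer that unpacks to an odd location needs its own rule or a signed-publisher allow, which is where the effort goes.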
  • 32. BACKUP
    Ransomware actively searches for and encrypts backup files. Offline backup is more important than ever
    My home NAS solution
      • The SMB share is only writeable during the backup timeframe
      • Otherwise, it is read-only
  • 33. BACKUP
    Everybody talks about this, but no one does it
      • Test your backup restore procedure frequently
    How long does it take to restore?
      • Is the cloud backup fast enough?
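Slide 33's "test your restore" is easy to automate once the backup carries a manifest. The script below is an added example, not the deck's own tooling: at backup time it records a SHA-256 per file, and the restore test copies the set into a scratch directory, verifies every file against the manifest and reports the restore time and size (the numbers behind "is the cloud backup fast enough?"). The manifest format and the three-file sample backup set are constructed for this example; in practice the manifest should also be kept somewhere the backup share cannot overwrite.

```python
"""Restore test for a backup set.

Added example, not from the slides: restores a backup into a scratch
directory, checks every file against a SHA-256 manifest written at backup
time, and reports how long the restore took. The manifest format and the
sample backup set are constructed for this example.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Record relative path -> SHA-256 of every file; done at backup time,
    so a later restore can be checked against what was actually saved."""
    entries = {
        p.relative_to(backup_dir).as_posix(): sha256_of(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }
    (backup_dir / MANIFEST).write_text(json.dumps(entries, indent=1))
    return entries


def restore_and_verify(backup_dir: Path, restore_dir: Path) -> dict:
    """Copy the backup to restore_dir, then verify each manifest entry.
    'ok' is True only when nothing is missing or corrupt."""
    expected = json.loads((backup_dir / MANIFEST).read_text())
    t0 = time.monotonic()
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    seconds = time.monotonic() - t0
    missing, corrupt, total = [], [], 0
    for rel, digest in expected.items():
        p = restore_dir / rel
        if not p.is_file():
            missing.append(rel)
            continue
        total += p.stat().st_size
        if sha256_of(p) != digest:
            corrupt.append(rel)
    return {"ok": not missing and not corrupt, "files": len(expected),
            "bytes": total, "seconds": seconds,
            "missing": missing, "corrupt": corrupt}


def build_sample_backup(root: Path) -> Path:
    """Constructed three-file backup set standing in for a real one."""
    backup = root / "backup"
    (backup / "docs").mkdir(parents=True)
    (backup / "docs" / "thesis.docx").write_bytes(b"PK\x03\x04 constructed docx bytes")
    (backup / "docs" / "notes.txt").write_text("remember: test the restore\n")
    (backup / "wallet.dat").write_bytes(os.urandom(256))
    write_manifest(backup)
    return backup


def demo():
    """Run one clean restore test, then one after silent damage to the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backup = build_sample_backup(root)
        clean = restore_and_verify(backup, root / "restore1")
        # Simulate bit rot or a backup file that something wrote over
        (backup / "docs" / "thesis.docx").write_bytes(b"PK\x03\x04 damaged")
        damaged = restore_and_verify(backup, root / "restore2")
    return clean, damaged


if __name__ == "__main__":
    for label, report in zip(("clean", "damaged"), demo()):
        print(label, report)
```

Schedule the restore test, not just the backup job: a backup that has silently been overwritten or truncated looks identical in a directory listing, and only a hash comparison after a real restore shows it.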
  • 34. HAVE ENOUGH BITCOIN AT HOME / AT YOUR FINANCIAL MANAGER
    Bitcoin wallet should be offline!!!
  • 35. WHEN SH*T HITS THE FAN
    Don’t panic
      • It never helps
    If the ransomware is still running
      • Try to hibernate/sleep the machine
      • If this does not work, shut it down immediately
    There are ransomware samples which can be deciphered if you have the memory dump
    Ask for professional help
      • How much is the professional? How much is my data worth?
      • Don’t ask for my help, I can’t help.
  • 36. SHOULD I PAY? OR NOT?
    If prevention or preparation was not enough
    If you don’t pay, back up the drive; data might be recoverable in the future
      • Lame crypto reversed
      • Ransomware servers hacked, keys leaked
      • Ransomware developer gives out keys for free
  • 37. IF YOU PAY
    ~90% chance you get back your data
    You can bargain in online chats
    Does it feel good that you don’t have to try out the feeling of getting a lot of Bitcoin in 24 hours?
    If you don’t have enough Bitcoin:
      • Search for Bitcoin ATM - Budapest (next to Deák square)
      • Before going there, read the instructions (mobile app)
      • https://localbitcoins.com/
  • 38. POST MORTEM
    What happened?
    What can I do to prevent this from happening again?
  • 39. MY NON POPULAR OPINION
    Ransomware is the tax on the Internet
      • Paid by those who did not spend enough money/time on security before
      • Those who are frivolous on the Internet
      • Those who think it can’t happen to them
    Obviously, I don’t blame the users and companies only. It is time to take ITSEC seriously …
  • 40. HACK THE PLANET!
    zoltan.balazs@mrg-effitas.com
    https://hu.linkedin.com/in/zbalazs
    Twitter – @zh4ck
    www.slideshare.net/bz98
    Greetz to @CrySySLab, @SpamAndHex
    JumpESPJump.blogspot.com