
Ransomware - what is it, how to protect against it


Published in: Internet

  1. WHOAMI
     - I'm NOT a CEH
     - Creator of the Zombie Browser Toolkit: https://github.com/Z6543/ZombieBrowserPack
     - Creator of the HWFW Bypass tool: https://github.com/MRGEffitas/hwfwbypass
       • Idea later(?) implemented by nation state attackers in Duqu 2.0
     - Creator of the Malware Analysis Sandbox Tester tool: https://github.com/MRGEffitas/Sandbox_tester
     - Invented the idea of encrypted exploit delivery via Diffie-Hellman key exchange, to bypass exploit detection appliances
       • Implemented by Angler and Nuclear exploit kit developers
       • https://www.mrg-effitas.com/generic-bypass-of-next-gen-intrusion-threat-breach-detection-systems/
  2. WHAT IS RANSOMWARE
     - Malware executes on your computer
     - Blocks access to files or the computer
     - Pay in Bitcoin or similar pseudo-anonymous means
     - There is a deadline to pay; after that the ransom is higher or the keys are deleted forever
  3. http://malware.dontneedcoffee.com/2013/10/kovter-even-more-abominable-also-add.html
  4. IOS „SCREENLOCKER”
  5. CRYPTO RANSOMWARE
  6. https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe
     - PDB paths (path separators were lost in extraction and are restored here):
       • C:\Users\Dani\Desktop\nocrime\nocrime\obj\x86\Debug\turul.pdb
       • C:\Users\user\Desktop\kalosiptitkoss\obj\x86\Debug\mgtow.pdb
  7. LINUX WEBSERVER RANSOMWARE
     - Encrypt the database, but the key is available for weeks/months
     - When the latest working backup is too old, the keys are deleted
     - https://www.theguardian.com/technology/2015/feb/03/hackers-websites-ransom-switching-encryption-keys
  8. LEAKWARE/DOXWARE
     - Pay, or I will publish your …
       • E-mails
       • Browser history
       • The contents of your hidden, private folder
       • Things you did in front of your webcam
     - Not very popular (yet) …, but if too many people have good backups, this might be the solution for ransomware developers
       • Hard to scale on the attacker side, hard to automate
       • Better to attack huge corporations
     - Everyone has secrets they want to keep private
     - Black Mirror S03E03
  9. WHAT HAPPENED IN 2013? WHAT WAS DIFFERENT 10 YEARS AGO?
     - More careless users
     - Java/Flash exploits
     - Hidden services
  10. WHAT IS ENCRYPTED VIA RANSOMWARE?
     - Targeted extensions: ods, crp, arj, tar, raw, xlsm, prproj, der, 7zip, bpw, dxf, ppj, tib, nbf, dot, pps, dbf, qif, nsf, ifx, cdr, pdb, kdbx, tbl, docx, qbw, accdb, eml, pptx, kdb, p12, tax, xls, pgp, rar, xml, sql, 4dd, iso, max, ofx, sdf, dwg, idx, rtf, dotx, saj, gdb, wdb, pfx, docm, dwk, qba, mpp, 4db, myo, doc, xlsx, ppt, gpg, gho, sdc, odp, psw, psd, cer, mpd, qbb, dwfx, dbx, mdb, crt, sko, nba, jpg, nv2, mdf, ksd, qbo, key, pdf, aes, 3ds, qfx, ppsx, sxc, gxk, aep, odt, odb, dotm, accdt, fdb, csv, txt, zip
     - Categories: Documents, Images, CAD files, Source code, Gameplay saves, Cryptocurrency wallets, Password safe databases, Certificates, Compressed files, Encrypted files, Backup files
  11. WHAT ELSE IS DONE BY RANSOMWARE?
     - Not just local files, but files on network shares
     - Delete volume shadow copies
       • Against Windows System Restore
     - Stealing Bitcoin
       • If the wallet is not protected with a strong password
     - Stealing passwords stored in the browser or FTP client
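Shadow copy deletion is one of the few ransomware actions that leaves a clear trace before the encryption finishes, so it is worth alerting on. The following is an added detection example, not from the slides: it hunts the Windows Security log for process-creation events (ID 4688) whose command line deletes shadow copies via vssadmin or WMI. It assumes that "Audit Process Creation" and "Include command line in process creation events" are enabled in policy, otherwise the CommandLine field is empty; the pattern list is constructed for this example.

```powershell
# Added example (not from the slides): find shadow copy deletions in the Security log.
# Assumes Audit Process Creation with command-line logging is on (Event ID 4688 then
# carries CommandLine), and an elevated session. Nothing here changes the system.

# Command-line fragments that correspond to shadow copy destruction (constructed list)
$ShadowCopyPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy'                      # WMI/PowerShell route to the same API
)
$Regex = ($ShadowCopyPatterns -join '|')

function Get-ShadowCopyDeletionEvents {
    param([int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['CommandLine'] -match $Regex) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                User          = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process       = $data['NewProcessName']
                ParentProcess = $data['ParentProcessName']
                CommandLine   = $data['CommandLine']
            }
        }
    }
}

# Usage: matches from the last day. A backup agent as parent process is expected;
# an Office application or script host as parent is what an infection looks like.
Get-ShadowCopyDeletionEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

The parent process is the field that separates legitimate shadow storage maintenance from malware, which is why the query keeps it; in an environment with Sysmon the same logic applies to its Event ID 1.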
  12. NOTORIOUS CRYPTO-RANSOMWARE
     - Cryptolocker
     - Alphalocker
     - Teslacrypt
     - Cryptowall
     - Locky
     - Petya (encrypts the MFT)
  13. PETYA
  14. PROBLEMS REGARDING CURRENT RANSOMWARE PROTECTION
     - Every reactive technology is doomed to fail
       • AV signature protection
       • IDS/IPS
       • Spam filter (signature)
     - Previously, reactive malware detection was good enough
       • It was OK to have malware running on the computer for days
     - In the case of ransomware, 15 minutes late is too late
     - Reputation based protection is much better than signature based, because it is proactive
  15. PREVENTION - HOME
  16. (ALMOST) FREE TIPS – EXPLOIT PROTECTION
     - Use Chrome to browse the Internet
     - Use EMET (as long as you need it)
       • Only protects IE, not Edge, Chrome or Firefox
     - Instead of EMET, pay for Sophos Intercept X (HitmanPro Alert) or MBAE
       • Paid versions protect all browsers
     - Flash click-to-play
     - uBlock Origin adblocker against malvertising (index.hu)
     - Use the latest Windows/Office
  17. (ALMOST) FREE TIPS – EXPLOIT PROTECTION
     - Use a VPN from a poor or post-Soviet country
     - https://www.trustwave.com/Resources/SpiderLabs-Blog/Magnitude-Exploit-Kit-Backend-Infrastructure-Insight---Part-II/
  18. MACRO RANSOMWARE
  19. (ALMOST) FREE TIPS – MACRO PROTECTION
     - Macro malware
       • There is a 1% chance you need macros in your home environment. Just disable them
       • Don't enable macros, and teach your grandma/grandpa the same
  20. (ALMOST) FREE TIPS – SCRIPT PROTECTION
     - Use Notepad as the default app for the following file extensions: JS/JSE/WSH/HTA/VBS/WS/BAT/VBE
     - Don't hide file extensions from users
     - Use generic ransomware protection
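The two script-protection tips above can be applied from one script. This is an added example, not from the slides: it repoints the registered ProgIDs for the listed script extensions at notepad.exe, so a double-clicked downloader script is displayed instead of executed, and clears the per-user "Hide extensions for known file types" setting. It assumes Windows 10 and an elevated session (the ProgID keys live under HKEY_CLASSES_ROOT); a per-user default-app choice made in Settings overrides these machine-wide handlers for that user. The .ws extension from the slide has no default ProgID on Windows, so it is left out.

```powershell
# Added example (not from the slides): open script files in Notepad and show extensions.
# Assumes Windows 10, elevated session. Run once per machine; Show-FileExtensions is per user.

# ProgIDs Windows registers for the extensions on the slide (.ws has none by default)
$ScriptProgIds = @{
    '.js'  = 'JSFile'
    '.jse' = 'JSEFile'
    '.wsh' = 'WSHFile'
    '.wsf' = 'WSFFile'
    '.hta' = 'htafile'
    '.vbs' = 'VBSFile'
    '.vbe' = 'VBEFile'
    '.bat' = 'batfile'
}
$Notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'

function Set-ScriptHandlersToNotepad {
    foreach ($ext in $ScriptProgIds.Keys) {
        $progId = $ScriptProgIds[$ext]
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
        if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
        # Double-clicking now shows the source instead of handing it to wscript/mshta/cmd
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value "`"$Notepad`" `"%1`""
        # Make sure the extension still resolves to the ProgID we just redirected
        $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
        if (-not (Test-Path $extKey)) { New-Item -Path $extKey -Force | Out-Null }
        Set-ItemProperty -Path $extKey -Name '(default)' -Value $progId
    }
}

function Show-FileExtensions {
    # "Hide extensions for known file types" is a per-user Explorer setting; 0 = show them
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $adv -Name 'HideFileExt' -Value 0 -Type DWord
    # Explorer reads the value at start-up; Windows 10 restarts the shell automatically
    Stop-Process -Name explorer -Force
}

function Test-ScriptHandlers {
    # Verify: every redirected ProgID's open command must launch notepad.exe
    foreach ($progId in ($ScriptProgIds.Values | Sort-Object -Unique)) {
        $cmd = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command").'(default)'
        [pscustomobject]@{ ProgId = $progId; OpensWithNotepad = ($cmd -like '*notepad.exe*'); Command = $cmd }
    }
}

Set-ScriptHandlersToNotepad
Show-FileExtensions
Test-ScriptHandlers | Format-Table -AutoSize
```

Redirecting batfile also means batch files launched through the shell (double-click, Start-Process) open in Notepad, while cmd.exe still runs them when invoked explicitly; that matches the slide's intent of stopping the casual double-click, not of disabling scripting for administrators.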
  21. (ALMOST) FREE TIPS – CAMOUFLAGE
     - Make your computer look like a malware analyst's computer
       • Wireshark, Fiddler, Process Explorer …
       • VirtualBox Guest, VMware Additions files
       • HitmanPro Alert vaccination
     - https://theevilbit.blogspot.hu/2015/10/make-your-desktop-fake-virtual-machine.html
  22. PREVENTION - ENTERPRISE
     - Everything used at home, and …
     - Instead of blinking boxes: small tips and tricks
  23. TIPS – EXPLOIT PROTECTION
     - Force Chrome (or Edge) for browsing the Internet through the web proxy
       • Filter User-Agent on the proxy
       • Use IE6 for the Intranet only
       • Chrome can be managed via GPO
     - Web proxy filtering
       • Users have to click to visit Uncategorized sites
     - E-mail filter
       • Put suspicious files into quarantine
       • Admin should approve if the user wants the email
  24. (ALMOST) FREE TIPS – MACRO PROTECTION
     - Macro malware
       • Only allow digitally signed macros to run, OR
       • Office 2016/2013 Group Policy: prevent macros in Office documents downloaded from the Internet
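Both the home tip (slide 19: just disable macros) and the enterprise tip above map to two Office policy registry values, VBAWarnings and blockcontentexecutionfrominternet. The script below is an added example, not from the slides, for machines that are not domain-joined; in a domain the same values arrive through the Office ADMX templates in Group Policy. It assumes Office 2016 or later (policy key version 16.0; Office 2013 uses 15.0) and writes the per-user HKCU policy hive, which Office treats as administrator-set and greys out in the Trust Center.

```powershell
# Added example (not from the slides): macro settings from slides 19 and 24 as Office
# policy registry values. Assumes Office 2016+ (16.0); change to 15.0 for Office 2013.

$OfficeVersion = '16.0'
$Apps = @('Word', 'Excel', 'PowerPoint')

# VBAWarnings: 1 = enable all, 2 = disable with notification (the yellow bar users click),
# 3 = disable all except digitally signed, 4 = disable all without notification
$MacroMode = @{ Home = 4; Enterprise = 3 }

function Set-OfficeMacroPolicy {
    param([ValidateSet('Home', 'Enterprise')][string]$Profile)

    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Slide 19: home users do not need macros, so turn them off without a prompt.
        # Slide 24: the enterprise keeps only digitally signed macros.
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $MacroMode[$Profile] -Type DWord
        # Slide 24: block macros in documents carrying the Mark-of-the-Web (downloaded from
        # the Internet or received as an e-mail attachment), whatever VBAWarnings says
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    # Read the effective values back so the change can be verified (or audited on a fleet)
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = $p.VBAWarnings
            BlockFromInternet = $p.blockcontentexecutionfrominternet
        }
    }
}

Set-OfficeMacroPolicy -Profile Enterprise
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

With Profile Home the result is VBAWarnings = 4 for all three applications, which is the registry form of the slide's "just disable it"; the Internet block is set in both profiles because a signed-macro policy still lets a user trust a downloaded document's publisher.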
  25. (ALMOST) FREE TIPS
     - Application whitelist for C:\Users
       • Windows AppLocker
       • http://www.mcbsys.com/blog/2013/10/block-user-folder-executables/
       • .exe, .scr, .com, .js, .jse, .wsh, .vbs, .cs, .cab, …
       • Lots of work, lots of stuff will break. But after time, it will be worth it
     - A reputation database is also a kind of whitelist
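The AppLocker approach from the slide, as an added example that is not from the slides or the linked blog post: a policy that denies executables and scripts under the user profile folder while keeping the usual allow rules for Program Files and Windows, built as XML and applied with the AppLocker cmdlets. Because "lots of stuff will break", it is deployed in AuditOnly mode first and the would-have-been-blocked events are read back before switching to Enabled. It assumes a Windows edition with AppLocker (Enterprise/Education or Server) and the Application Identity service; rule GUIDs are generated on the spot, and the sample file path in the dry run is constructed.

```powershell
# Added example (not from the slides): AppLocker policy denying Exe and Script under
# %OSDRIVE%\Users, audit mode first. Assumes Windows Enterprise/Education or Server.

function New-UserFolderDenyPolicy {
    param([ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly')

    # SIDs: Everyone = S-1-1-0, BUILTIN\Administrators = S-1-5-32-544.
    # AppLocker evaluates Deny before Allow, so the deny below also applies to
    # administrators running programs out of their own profile folder.
    $collections = foreach ($type in 'Exe', 'Script') {
        @"
  <RuleCollection Type="$type" EnforcementMode="$Mode">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny $type in user profiles" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow $type in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow $type in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators may run $type anywhere" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
"@
    }
    "<AppLockerPolicy Version=`"1`">`n$($collections -join "`n")`n</AppLockerPolicy>"
}

$policyPath = Join-Path $env:TEMP 'applocker-userfolder.xml'
New-UserFolderDenyPolicy -Mode AuditOnly | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: what would the policy decide for a script in Downloads? (constructed path)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:USERPROFILE\Downloads\invoice.js" -User Everyone

# Apply locally (-Ldap targets a GPO instead) and make sure the enforcing service runs
Set-AppLockerPolicy -XmlPolicy $policyPath
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Audit events: 8003 = would have been blocked (AuditOnly), 8004 = blocked (Enabled).
# Review these for a few weeks, add Allow rules for what legitimately breaks, then re-run with -Mode Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 |
    Where-Object Id -in 8003, 8004 | Select-Object TimeCreated, Id, Message
```

Script rule events land in the separate "Microsoft-Windows-AppLocker/MSI and Script" log. The %WINDIR% allow rule is the standard default and is broader than ideal (it covers user-writable subfolders such as Tasks and Temp), so a hardened policy usually adds deny rules for those paths; that is the kind of follow-up work the slide warns about.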
  26. PREPARATION
  27. BACKUP
     - Ransomware actively searches for and encrypts backup files. Offline backup is more important than ever
     - My home NAS solution
       • The SMB share is only writeable during the backup timeframe
       • Otherwise, it is read-only
  28. BACKUP
     - Everybody talks about this, but no one does it
       • Test your backup restore procedure frequently
     - How long does it take to restore?
       • Is the Cloud backup fast enough?
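The time-windowed share from slide 27 and the restore test from slide 28 can be implemented together on a Windows file server. The script below is an added example, not the author's NAS configuration: it grants the backup account Change access on the share only between two scheduled times and leaves it Read the rest of the day, so a client that gets infected between windows can read old backups but cannot encrypt them; the restore test copies the newest backup set out, times it, and compares file hashes. It assumes Windows Server 2012 or later (SmbShare and ScheduledTasks modules); the share name, account, paths and times are constructed placeholders, and the client's own backup job is expected to run inside the window.

```powershell
# Added example (not from the slides): backup share writable only during a scheduled
# window, plus a timed restore test. Save as Backup-Window.ps1 on the file server that
# hosts the share and run it once with -Action Register (elevated). All names are placeholders.

param([ValidateSet('Open', 'Close', 'Register', 'TestRestore')][string]$Action = 'Register')

$ShareName   = 'Backup'
$BackupUser  = 'LAB\backup-writer'   # the only account that ever receives write access
$ShareLocal  = 'D:\Shares\Backup'    # local folder behind the share, one subfolder per backup set
$WindowStart = '02:00'
$WindowEnd   = '03:00'

function Open-BackupWindow {
    # Change = create/modify/delete files, but not change permissions
    Grant-SmbShareAccess -Name $ShareName -AccountName $BackupUser -AccessRight Change -Force | Out-Null
}

function Close-BackupWindow {
    # Back to read-only: an infected client can read old backups but cannot overwrite them
    Revoke-SmbShareAccess -Name $ShareName -AccountName $BackupUser -Force | Out-Null
    Grant-SmbShareAccess  -Name $ShareName -AccountName $BackupUser -AccessRight Read -Force | Out-Null
}

function Register-BackupWindowTasks {
    # Two daily tasks call this same script: one opens the window, one closes it
    foreach ($pair in @(@{ Name = 'Open'; At = $WindowStart }, @{ Name = 'Close'; At = $WindowEnd })) {
        $taskAction  = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Action $($pair.Name)"
        $taskTrigger = New-ScheduledTaskTrigger -Daily -At $pair.At
        Register-ScheduledTask -TaskName "BackupWindow-$($pair.Name)" -Action $taskAction `
            -Trigger $taskTrigger -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
    }
}

function Test-Restore {
    # Slide 28: time a full restore of the newest backup set and check the files came back intact
    $latest = Get-ChildItem $ShareLocal -Directory | Sort-Object LastWriteTime | Select-Object -Last 1
    $target = Join-Path $env:TEMP 'restore-test'
    $sw = [Diagnostics.Stopwatch]::StartNew()
    robocopy $latest.FullName $target /E /R:1 /W:1 /NP | Out-Null
    $sw.Stop()
    $srcHash = @(Get-ChildItem $latest.FullName -Recurse -File | Get-FileHash | Select-Object -ExpandProperty Hash)
    $dstHash = @(Get-ChildItem $target -Recurse -File | Get-FileHash | Select-Object -ExpandProperty Hash)
    $diff = Compare-Object -ReferenceObject $srcHash -DifferenceObject $dstHash
    Remove-Item $target -Recurse -Force
    [pscustomobject]@{
        BackupSet      = $latest.Name
        Files          = $srcHash.Count
        RestoreSeconds = [int]$sw.Elapsed.TotalSeconds
        HashMismatches = @($diff).Count
    }
}

switch ($Action) {
    'Open'        { Open-BackupWindow }
    'Close'       { Close-BackupWindow }
    'Register'    { Register-BackupWindowTasks }
    'TestRestore' { Test-Restore | Format-List }
}
```

Run `.\Backup-Window.ps1 -Action TestRestore` on a schedule of its own and keep the RestoreSeconds figure: it answers the slide's "how long does it take to restore?" with a measured number rather than a guess, and a non-zero HashMismatches means the backup set is not usable.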
  29. HAVE ENOUGH BITCOIN AT HOME / AT YOUR FINANCIAL MANAGER
     - Bitcoin wallet should be offline!!!
  30. WHEN SH*T HITS THE FAN
     - Don't panic
       • It never helps
     - If the ransomware is still running
       • Try to hibernate/sleep the machine
       • If this does not work, shut it down immediately
     - There are ransomware samples which can be deciphered if you have the memory dump
     - Ask for professional help
       • How much is the professional? How much is my data worth?
       • Don't ask for my help, I can't help.
  31. SHOULD I PAY? OR NOT?
     - If prevention or preparation was not enough
     - If you don't pay, back up the drive; the data might be recoverable in the future
       • Lame crypto reversed
       • Ransomware servers hacked, keys leaked
       • Ransomware developer gives out keys for free
  32. IF YOU PAY
     - ~90% chance you get back your data
     - You can bargain on online chats
     - Does it feel good that you don't have to try out the feeling of getting a lot of Bitcoin in 24 hours?
     - If you don't have enough Bitcoin:
       • Search for Bitcoin ATM - Budapest (next to Deák square)
       • Before going there, read the instructions (mobile app)
       • https://localbitcoins.com/
  33. POST MORTEM
     - What happened?
     - What can I do to prevent this from happening again?
  34. MY UNPOPULAR OPINION
     - Ransomware is the tax on the Internet
       • Paid by those who did not spend enough money/time on security before
       • Those who are frivolous on the Internet
       • Those who think it can't happen to them
     - Obviously, I don't blame the users and companies only. It is time to take ITSEC seriously …
  35. HACK THE PLANET!
     - zoltan.balazs@mrg-effitas.com
     - https://hu.linkedin.com/in/zbalazs
     - Twitter – @zh4ck
     - www.slideshare.net/bz98
     - Greetz to @CrySySLab, @SpamAndHex
     - JumpESPJump.blogspot.com