In 2016, the presenters co-founded the ‘nomoreransom’ platform to provide an answer to victims of ransomware. Supported by Amazon’s AWS and Barracuda technology, they never anticipated that they had created the largest honeypot ever. In this presentation they will share in short what nomoreransom is, how victims can use it, and, more importantly, insights into the daily attacks we are facing.
1. #RSAC
SESSION ID: FLE-F02
We Built a Honeypot and p4wned Ransomware Developers Too
Ben Potter
Senior Security & Compliance Consultant
Amazon Web Services
@benji_potter
Christiaan Beek
Lead Scientist & Principal Engineer
McAfee
@ChristiaanBeek
4. #RSAC
Why is ransomware so successful?
• Started by organized crime with affiliate programs
• Now open-sourced code available
• Buying ransomware-kits is easy
• Ransomware-as-a-Service programs
• Customer satisfaction
6. #RSAC
Ransomware based on ‘one source-code’
Original source-code
Derived variants

    using System;
    using System.Windows.Forms;

    namespace hidden_tear_decrypter
    {
        public partial class Form1 : Form
        {
            string userName = Environment.UserName;
            string userDir = "C:\\Users\\";

            public Form1()
            {
                InitializeComponent();
            }

            public byte[] AES_Decrypt(byte[] bytesToBeDecrypted, byte[] passwordBytes)
            {
                byte[] decryptedBytes = null;
                // Set your salt here, change it to meet your flavor:
                // The salt bytes must be at least 8 bytes.
                // The salt is hard-coded, so every variant built from this source shares it.
                byte[] saltBytes = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 };
                // ... the remainder of the decryption routine is cut off on the slide.
                return decryptedBytes;
            }
        }
    }
13. #RSAC
Decryption tools
• Decrypting over 57 ransomware families
• Prevented $17.5 million USD going into criminal pockets so far
• Multiple take-down operations and arrests
• More to come
19. #RSAC
Attack!
Of the attacks made to the site, approximately 95% came from IPs that were a proxy or VPN service
A significant percentage of the attacks had specific signatures that were easy to block
The day of launch was the “busiest” day
Does this stop ransomware?
Sadly no
— It stops the loss of information to third parties
— It does allow the blue team to defend the network more easily
21. #RSAC
Attack!
Use publicly available lists to block known bad IPs and User Agents
Automatically block subsequent requests that behave “badly”
Obscure HTTP response codes – everything is 200
Know what “good” looks like– makes finding “bad” easy
Plan for the worst, then… – humans are the weakest link
Automate everything you can
Is Crypto Sheriff really PHP….
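A compact version of the filtering logic this slide describes, added here as an example and not the presenters' or nomoreransom's code: the block lists, the ransom-note signature and the sample requests are constructed. It drops known-bad IPs and User Agents, strikes out clients that keep misbehaving, and answers every request with 200 so a probe learns nothing from status codes.

```python
"""Request filter in the spirit of slide 21 (added example, constructed data)."""
import re
from collections import defaultdict

# Constructed block lists standing in for the public lists the slide refers to.
BAD_IPS = {"198.51.100.7"}
BAD_USER_AGENTS = {"sqlmap", "python-requests/2.6"}
# Signature of the ransom-note spam shown in the deck's "Interesting Requests".
RANSOM_NOTE_RE = re.compile(r"files have been encrypted|C_E_R_B_E_R|decryption key", re.I)
STRIKE_LIMIT = 3  # misbehave this often and the client is blocked automatically


class RequestFilter:
    def __init__(self):
        self.strikes = defaultdict(int)
        self.blocked = set()

    def reason(self, req):
        """Why a request is bad, or None when it looks like normal traffic."""
        if req["ip"] in self.blocked or req["ip"] in BAD_IPS:
            return "blocked-ip"
        ua = req.get("ua", "").lower()
        if any(bad in ua for bad in BAD_USER_AGENTS):
            return "bad-user-agent"
        if RANSOM_NOTE_RE.search(req.get("body", "")):
            return "ransom-note-payload"
        return None

    def handle(self, req):
        why = self.reason(req)
        if why:
            self.strikes[req["ip"]] += 1
            if self.strikes[req["ip"]] >= STRIKE_LIMIT:
                self.blocked.add(req["ip"])
        # Obscured response codes: everything is 200; bad requests just get an
        # empty body instead of a revealing 403/404/500.
        return 200, ("" if why else "ok"), why


SAMPLE_REQUESTS = [  # constructed log records, not the presenters' data
    {"ip": "203.0.113.5", "ua": "Mozilla/5.0", "body": "file=sample.docx"},
    {"ip": "203.0.113.9", "ua": "sqlmap/1.0", "body": ""},
    {"ip": "203.0.113.9", "ua": "sqlmap/1.0", "body": ""},
    {"ip": "203.0.113.9", "ua": "Mozilla/5.0", "body": "All your files have been encrypted!"},
    {"ip": "203.0.113.9", "ua": "Mozilla/5.0", "body": "file=invoice.pdf"},
    {"ip": "198.51.100.7", "ua": "Mozilla/5.0", "body": "file=a.txt"},
]


def run(requests):
    """Feed requests through one filter; return per-request results and the block set."""
    f = RequestFilter()
    return [f.handle(r) for r in requests], f.blocked
```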
22. #RSAC
Interesting
CDN Reported Responses:
Hits 116,322,764 = hit cache
Misses 41,534,770 = missed cache, e.g. CryptoSheriff
Error 51,37,011 = bad requests
Redirect 383,262 = HTTP to HTTPS
Interesting Requests:
\x0d\x0a \x0d\x0a C_E_R_B_E_R
R_A_N_S_O_M_W_A_R_E\x0d\x0a \x0d\x0a \x0d\x0a
#########################################################################
\x0d\x0a \x0d\x0a \x0d\x0a Cannot you find the files you
need?\x0d\x0a Is the content of the files that you looked for not
readable???\x0d\x0a \x0d\x0a It is normal because the files'
names, as well as the data in your files\x0d\x0a have been
encrypted.\x0d\x0a \x0d\x0a ...
23. #RSAC
Interesting
More Interesting Requests:
\x0d\x0aJe doCUMeNTen, fOTO's, dAtAbAsES en anDERe bElaNgrijKE
bESTanDeN zIJN vERsLeUtelD\x0d\x0amet de sTErkstE eNCRYpTiE eN uNieke
sLEutEl, geGeNEReERd vOor deze
cOMpUTEr\x0d\x0a\x0d\x0aPrIv\xc3\xa9 dEcRYPtIE sLEUtel iS
oPGeSLaGen op eEn geheIme seRVER eN nIeManD kan je \x0d\x0abestAnDEn
ontsLEUTEleN toTdaT eR beTaAld iS eN je de slEUtEl
ontVANgT.\x0d\x0a\x0d\x0aAlS je dE hOoFd loCK vEnSTEr zIEt, voLG
dan de instruCTiES op vAn dE locKER. ...
All your files have been encrypted!\x0d\x0a\x0d\x0aAll your
documents (databases, texts, images, videos, musics etc.) were encrypted. The
encryption was done using a secret key \x0d\x0athat is now on our
servers.\x0d\x0a\x0d\x0aTo decrypt your files you will need to
buy the secret key from us. We are the only on the world who can provide this
for you.\x0d\x0a\x0d\x0aNote that every 6 hours, a random file is
permanently deleted. The faster ...
25. #RSAC
Apply What You Have Learned Today
Choose DNS provider, secure registrar records
Use a CDN with WAF capability that scales
Defense in depth + obscurity
Too much visibility is never enough – take action
Whitelist vs Blacklist
Out-scaling attacks