1. #RSAC
SESSION ID:SESSION ID:
Ben Potter
We Built a Honeypot and p4wned
Ransomware Developers Too
FLE-F02
Senior Security & Compliance Consultant
Amazon Web Services
@benji_potter
Christiaan Beek
Lead Scientist & Principal Engineer
McAfee
@ChristiaanBeek

2. #RSAC
The state of Ransomware

3. #RSAC
$a1={
51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75
04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01
46 56 E8
}
$a2={
03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00
10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00
30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00
38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00
44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00
68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00
FF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0
08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0
10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0
2B C0 2C C0 FF FE
}
condition:
((uint16(0) == 0x5A4D)) and (filesize < 15000000) and
all of them
Remember WannaCry?

4. #RSAC
4
• Started by organized crime with affiliate programs
• Now open-sourced code available
• Buying ransomware-kits is easy
• Ransomware-as-a-Service programs
• Customer Satisfaction
Why is ransomware so successful?

5. #RSAC
New ransomware families 2016 - 2017
40
Jan Feb Mar Apr May
40 38
55
42
64
Dec
45
40
Nov
39
Oct
41
Jun

6. #RSAC
namespace hidden_tear_decrypter
{
public partial class Form1 : Form
{
string userName = Environment.UserName;
string userDir = "C:Users";
public Form1()
{
InitializeComponent();
}
public byte[] AES_Decrypt(byte[] bytesToBeDecrypted, byte[]
passwordBytes)
{
byte[] decryptedBytes = null;
// Set your salt here, change it to meet your flavor:
// The salt bytes must be at least 8 bytes.
byte[] saltBytes = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 };
Ransomware based on ‘one source-code’
Original source-code
Derived variants

7. #RSAC
Another example
$105k in a little more than a month…

8. #RSAC
Customer Support
10/4/2017

9. #RSAC
Who is behind Ransomware?
Let the code speak…..

10. #RSAC
No More Ransom!

11. #RSAC
Fightback Begins
10/4/2017

12. #RSAC
Demystifying the Problem

13. #RSAC
Decryption tools
• Decrypting over 57 ransomware families
• Prevented $ 17,5 Million USD going into criminal
pockets so far
• Multiple take-down operations and arrests
• More to come

14. #RSAC
Some “event” on May 12th Caused a little spike

15. #RSAC
Someone Is Not Happy
10/4/2017

16. #RSAC
Fake site asking for money to decrypt….
10/4/2017

17. #RSAC
#Hashtag Analysis
Analysis by SocialSafeguard: May 2017
17

18. #RSAC
Under Attack

19. #RSAC
Attack!
Of the attacks made to the site, approximately 95% of the attacks
came from IP’s that were a proxy or VPN service
A significant percentage of the attacks had specific signatures that
were easy to block
The day of launch was the “busiest” day
Does this stop ransomware?
Sadly no
— It stops the loss of information to third parties
— It does allow the blue team to defend the network more easily

20. #RSAC
Attack!
CDN:
Amazon
CloudFronT
DNS:
Amazon
Route 53
The Internet
Content:
Amazon S3
WAF:
AWS WAF
Barracuda
WAF Elastic Load
Balancing
Load
Balancing
Elastic Load
Balancing
Load
Balancing
Web Servers;
Auto scaled

21. #RSAC
Attack!
Use publicly available lists to block known bad IP’s and User Agents
Automatically block subsequent requests that behave “badly”
Obscure HTTP response codes – everything is 200
Know what “good” looks like– makes finding “bad” easy
Plan for the worst, then… – humans are the weakest link
Automate everything you can
Is Crypto Sheriff really PHP….

22. #RSAC
Interesting
CDN Reported Responses:
Hits 116,322,764 = hit cache
Misses 41,534,770 = missed cache eg CryptoSheriff
Error 51,37,011 = bad requests
Redirect 383,262 = http to https
Interesting Requests:
x0dx0a x0dx0a C_E_R_B_E_R
R_A_N_S_O_M_W_A_R_Ex0dx0a x0dx0a x0dx0a
#########################################################################
x0dx0a x0dx0a x0dx0a Cannot you find the files you
need?x0dx0a Is the content of the files that you looked for not
readable???x0dx0a x0dx0a It is normal because the files'
names, as well as the data in your filesx0dx0a have been
encrypted.x0dx0a x0dx0a ...

23. #RSAC
Interesting
More Interesting Requests:
x0dx0aJe doCUMeNTen, fOTO's, dAtAbAsES en anDERe bElaNgrijKE
bESTanDeN zIJN vERsLeUtelDx0dx0amet de sTErkstE eNCRYpTiE eN uNieke
sLEutEl, geGeNEReERd vOor deze
cOMpUTErx0dx0ax0dx0aPrIvxc3xa9 dEcRYPtIE sLEUtel iS
oPGeSLaGen op eEn geheIme seRVER eN nIeManD kan je x0dx0abestAnDEn
ontsLEUTEleN toTdaT eR beTaAld iS eN je de slEUtEl
ontVANgT.x0dx0ax0dx0aAlS je dE hOoFd loCK vEnSTEr zIEt, voLG
dan de instruCTiES op vAn dE locKER. ...
All your files have been encrypted!x0dx0ax0dx0aAll your
documents (databases, texts, images, videos, musics etc.) were encrypted. The
encryption was done using a secret key x0dx0athat is now on our
servers.x0dx0ax0dx0aTo decrypt your files you will need to
buy the secret key from us. We are the only on the world who can provide this
for you.x0dx0ax0dx0aNote that every 6 hours, a random file is
permanently deleted. The faster ...

24. #RSAC
Top Query Strings
Query #
nsextt=%250d%250ans%253anetsparker056650%253dvuln 14999
nsextt=%250ans%253anetsparker056650%253dvuln 14999
hTTp://r87.com/n 14995
http://r87.com/? 14995
utm_medium=blg&utm_source=kd_post_160725&utm_campaign=ww_promo 6373
utm_medium=smm&utm_source=fb_p_160725&utm_campaign=ww_nomoreransom_
facebook 3558
utm_medium=blg&utm_source=kd_post_160725&utm_campaign=us_kl_release 1861
platform=hootsuite 1600
utm_campaign=Ransomware&utm_source=CambsCops&utm_medium=Social+medi
a&utm_content=Ransomware 1455
utm_source=smm_tw&utm_medium=de_tw_o_0516 1440

25. #RSAC
Apply What You Have Learned Today
Choose DNS provider, secure registrar records
Use a CDN with WAF capability that scales
Defense in depth + obscurity
Too much visibility is never enough – take action
Whitelist vs Blacklist
Out-scaling attacks