2. Who We Are
RIIS is a boutique IT firm focused on joining business and technology through Custom Mobile, Software Development and Premium IT Professional Services.
3. Our Specialties: Mobile Apps, Web Dev, Professional Services, Security Audits, User Experience
4. Agenda
• Wanna Cry
• What is Ransomware?
• Different Flavors
• Test Lab Setup
• Fixes
• Preparation Plan
• Call to Action
18. Test Lab Setup
• Wipe machines
• Install fresh copy of Windows 7
• Use the dedicated wifi hotspot of a test phone
• Download Ransomware from the Zoo
• https://github.com/ytisf/theZoo
• Choose your flavor and install
28. Ransomware Prep Plan
• Backup your data and keep a copy offsite.
• Disconnect from all cloud backup services such as Dropbox.
• Use Antivirus, Firewalls and Email scanners.
• Update your OS when a new patch appears.
• Use Microsoft’s Volume Shadow Copy Service (VSS) or Mac’s Time Machine.
• Uninstall Flash.
• Remove or restrict Admin access.
• Disconnect any shared drives.
• Train your staff, and send them test phishing emails.
• Use a test lab and see if you can recover from a simulated attack.
• Sign up for a Bitcoin account in case you need to pay!
30. Ransomware Potential Breakpoints
• The ransomware must execute and unpack itself and then collect system information.
• The ransomware has to change registry settings to maintain persistence.
• More advanced ransomware disables system restore and deletes everything in the Volume Shadow Copy (VSC).
• Most, but not all, ransomware has to call out to command-and-control infrastructure to get a public key that will be used to encrypt the files.
• The ransomware now has to enumerate the files.
• It then begins to read and encrypt the files.
• If each encrypted file is written to a new file, the original files must be deleted.
• Finally, the encryption key is removed from the local machine and sent back to the controller.
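Each of those break points leaves a trace a defender can look for. The following is an added example (not code from this deck or from any vendor tool) that runs simple detection rules over a handful of constructed Sysmon-style event records: a shadow-copy deletion command, a Run-key entry pointing into a user temp folder, a process launched from (and doing DNS lookups from) that folder, and a burst of files written with one unfamiliar extension. The event layout, file paths, registry key and domain name are all made-up sample data, and the thresholds are assumptions.

```python
"""Detection checks for the ransomware break points listed on the slide above.

Added example, not code from the original deck. It runs over constructed,
Sysmon-style event records (process creation, registry value set, DNS query,
file create). The field names mirror Sysmon's (Image, CommandLine,
TargetObject, Details, QueryName, TargetFilename) but every event, host,
path and domain below is made up for this demo.
"""
import re
from collections import Counter, defaultdict

# Break point: disabling system restore / deleting Volume Shadow Copies.
VSS_TAMPER = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(\.exe)?.*recoveryenabled\s+no"
    r"|wbadmin(\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)
# Break point: persistence through a Run / RunOnce key.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Break point: unpacking and executing from a user-writable location.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local\\Temp|Roaming)|Downloads|Users\\Public)\\", re.IGNORECASE
)
# Break point: the encrypt-then-delete loop shows up as a burst of new files
# sharing one unfamiliar extension, all written by the same process.
BURST_THRESHOLD = 5  # assumption; tune to what your file servers normally write
COMMON_EXT = {"docx", "xlsx", "pptx", "pdf", "jpg", "png", "txt", "tmp", "log"}


def detect(events):
    """Return a list of (rule, image, detail) alerts for the given event records."""
    alerts = []
    ext_counts = defaultdict(Counter)  # image -> Counter of extensions written

    for ev in events:
        image = ev.get("Image", "")
        kind = ev["EventType"]
        if kind == "ProcessCreate":
            cmd = ev.get("CommandLine", "")
            if VSS_TAMPER.search(cmd):
                alerts.append(("vss_tamper", image, cmd))
            if USER_WRITABLE.search(image):
                alerts.append(("exec_from_user_dir", image, cmd))
        elif kind == "RegistryValueSet":
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            if RUN_KEY.search(target) and USER_WRITABLE.search(details):
                alerts.append(("run_key_persistence", image, target))
        elif kind == "DnsQuery":
            if USER_WRITABLE.search(image):
                alerts.append(("c2_lookup_from_user_dir", image, ev.get("QueryName", "")))
        elif kind == "FileCreate":
            ext = ev["TargetFilename"].rsplit(".", 1)[-1].lower()
            ext_counts[image][ext] += 1

    # Post-pass: one process writing many files with the same odd extension.
    for image, counts in ext_counts.items():
        ext, n = counts.most_common(1)[0]
        if n >= BURST_THRESHOLD and ext not in COMMON_EXT:
            alerts.append(("encryption_burst", image, f"{n} files written with .{ext}"))
    return alerts


# Constructed sample: one benign Office session and one simulated infection chain.
DROPPER = r"C:\Users\alice\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n"},
    {"EventType": "FileCreate", "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
    {"EventType": "ProcessCreate", "Image": DROPPER, "CommandLine": "update.exe"},
    {"EventType": "RegistryValueSet", "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": DROPPER},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventType": "DnsQuery", "Image": DROPPER, "QueryName": "key-server.example.invalid"},
] + [
    {"EventType": "FileCreate", "Image": DROPPER,
     "TargetFilename": rf"C:\Users\alice\Documents\file{i}.docx.locked"}
    for i in range(6)
]

if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:<24} {image}  ->  {detail}")
```

Run it directly to print the alerts for the sample events. In practice the same rules would be fed from exported Sysmon logs or a SIEM, and the burst threshold and the extension list need tuning to what your own file servers normally write; the shadow-copy rule on its own is the cheapest, highest-value one of the four.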
THE DAY WE INFECTED OURSELVES WITH RANSOMWARE
Last month we decided to take a bunch of the older computers and in a controlled environment we infected them with Ransomware. We usually replace an employee’s computer every two years. At any time we have 5 to 10 old computers sitting in our admin room that we’re never going to use. In the past we’ve given these away to schools, friends, and employees who are looking for machines for their kids. Some of them are so old that nobody wants them and eventually they get recycled. If you’re lucky enough to have your own stash of old computers then we strongly suggest you do the same. As odd as it sounds there is no better learning tool for how to stop a Ransomware attack than having to save a computer nobody wants. If your first encounter with Ransomware is during an attack then it’s probably going to be too late and you may as well admit defeat and sign up for a bitcoin account to pay the hackers.
(You could of course use virtual machines to do the same thing - but they look better all lined up on a desk)
For all the press it got WannaCry only generated $96k from the people who wrote the ransomware.
It used a 0 day exploit from the NSA that wikileaks released. Or in other words, a known exploit was used to gain control of the computer and then encrypt the files.
How was it stopped? Ransomware talks to a backend server; someone registered the domain it was talking to and stopped the software calling home for its instructions.
The fix is to use wanakiwi, which will only work if the victim hasn’t restarted the infected system and hasn’t killed the ransomware process (wnry.exe or wcry.exe).
Lots of people blamed Microsoft because they didn’t release a new patch for Windows XP installs that were no longer under support.
Trust but verify: XP was not the issue, and Microsoft didn’t need to get all that grief.
These are some random news stories about Ransomware. We already know that we should be careful about what we believe. Today we’re going to try to get a better understanding of how we can begin to get to grips with this issue. This is a brain dump of what we’ve found out over the last few months, as well as some lessons learned that you can apply to your own environment. To date this is not really a Linux, Chrome or Mac thing; it’s a Windows thing. That’s not to say that won’t change in the future.
There isn’t just one type of Ransomware that you need to protect yourself against; there are many different types or flavors, and they behave differently. But they typically encrypt your files and then demand a ransom in bitcoin so it can’t be easily traced. They also all operate in the same Deployment, Installation, Command and Control, Destruction and Extortion phases.
• Drive-by download: occurs when a system automatically downloads a piece of malware or spyware without the end user’s knowledge.
• Strategic web compromise: a subset of a drive-by download, most often used when a particular target or target demographic has been chosen. Strategic web compromises are also called watering-hole attacks. These rely on strategic reconnaissance of the end users, and are often reserved for more specific targeted attacks.
• Phishing emails: may be widespread, untargeted spam or specially crafted to your organization or industry. These emails may include attachments or provide links to malicious websites.
• Exploiting vulnerabilities in Internet-accessible systems: in this case the attacker scans networks, or blatantly scours the Internet, looking for exploitable vulnerabilities, as opposed to relying on user-initiated actions like the preceding methods.
Most modern crypto ransomware uses a few methods to gain entry into a system. Most gain access to networks by requiring user interaction through an infected file or malicious link sent via email or through malicious advertising injected into legitimate advertisement networks. The malvertising types of ransomware use JavaScript or Adobe Flash in the background while the ad downloads and runs the ransomware without any user interaction or knowledge (see Figure 4-1).
Once a malicious payload has been delivered to the victim system, the infection begins. The infection is delivered in a variety of ways, no matter what the target system is. One method of installation would actually use the download dropper methodology, where the first file is a small piece of code designed to evade detection and communicate with extortionist’s command-and-control channels. The executable would then receive commands to download the ransomware itself for infection on the compromised system. Once it has landed on the system, the ransomware application will install itself on the system. In the case of a Windows system, it will set keys in the Windows registry that will ensure the malcode starts up every time with the computer. For other systems, it will either take advantage of insecure app stores (typically for Android devices) or stolen or valid application development certificates for iOS. The installation of the ransomware is really where the adversary begins to take hold. Oftentimes, the components are broken down into a variety of scripts, processes, batch files, and other tools in order to avoid detection by signature-based AV scanners.
The installation process can be complicated. In many cases, the effective modern variants of crypto ransomware will first leverage some form of macro virus or exploited PDF to get onto the system; they have also been known to use WSF, Java, and Adobe Flash. Once the malware has been downloaded to the system, it will execute its embedded code and then begin to analyze the system to determine if it is on a real machine or in a virtual sandbox as shown in
All actions require some form of command-and-control systems to effectively determine the next actions to take. This is the same in traditional warfare as it is in cyberspace; therefore, ransomware requires some form of communication channel to be established to ensure these communications can occur. Think about it this way: without receiving orders, it is possible you could have a piece of ransomware on your computer right now lying dormant, waiting for orders.
In a ransomware attack, once the malicious code is deployed and installed, it will begin to reach out to its command servers, looking for instructions. These instructions will be any number of specific requests. They include everything from identifying the types of files they should target for encryption, how long they should wait to begin the process, and whether they should continue to spread prior to beginning the process. In some ransomware variants, they will also report back a significant volume of system information, including IP address, domain name, operating system, installed browsers, and anti-malware products. This information could help a criminal organization determine not only who they have infected, but also if they managed to hit a high-value target, thereby suggesting this compromise be used for more nefarious purposes than a simple ransomware infection
In virtually all cases of ransomware, the malicious code that has been deployed on the victim system is a client, and the command-and-control server operated by the criminal adversary is exactly that, a server. The client that has been placed on your system will ensure it is communicating with the correct bad guy’s server through a prearranged handshake protocol. This handshake protocol is different for every ransomware family: if the encryption is symmetric you should be able to beat it, and if it’s asymmetric then you’re looking for holes.
Destruction
At this point the key that will be used to render the files on the system locked or encrypted is now active and ready for use by the malware on the victim device. All the files that have been identified by the command-and-control processes will begin to be encrypted by the malcode. This could include anything from all forms of Microsoft Office documents to JPGs, GIFs, and any number of other file types. Some variants not only encrypt the files, but also the filenames, making it even more difficult for you to know how far the attackers have gotten and which files you have lost.
Extortion
After the files have been encrypted, the victims are shown a screen that tells them how they have been compromised. Extortionists use any number of methods to enforce payment. Some ransomware variants will allow you to decrypt one file for free to prove that there is a key to your system. Other variants have escalating payments, where the price you will need to pay before the key is deleted increases with time. The typical cost for unlocking a system is between $300 and $500 worth of bitcoins, but some of the variants targeting corporations have costs that reach into the tens of thousands of dollars.
• Because that’s where the money is.
• Because attackers know that a successful infection can cause major business disruptions, which will increase their chances of getting paid.
• Because computer systems in companies are often complex and prone to vulnerabilities that can be exploited through technical means.
Large organizations find it really difficult to upgrade software and update machines. There are too many moving parts.
But this is Y2K all over again, we need to fix this.
Typically, any large organization that does not have a strong IT presence.
Ransomware isn’t any one thing. It’s got lots of different flavors and varieties, but they do typically follow the same pattern.
Some examples are Locky, CryptoWall, CryptXXX, Jigsaw and TeslaCrypt, and of course WannaCry.
To date according to Kaspersky Labs Ransomware is a very small fraction of the malware attacks that it encounters. But it can be one of the more expensive viruses if you get hit and you have no backups so it pays to plan ahead. This is our attempt at getting ahead of the game and we hope you can learn something too.
Locky is usually delivered as spam with attachments. At first Locky was primarily delivered via Microsoft Office attachments, sent as part of a spam campaign. The Office document asked the user to enable macros on the downloaded document, which allowed Locky to run on the system. This method of delivery is surprisingly effective—all the attacker has to do is give the victim a compelling reason to open the document.
At one point CryptoWall was the most popular ransomware family and was delivered in a variety of ways. Most likely authored by a Russian hacker team, CryptoWall was originally delivered through spam campaigns, usually through attachments. Most anti-virus will protect against CryptoWall.
The first iteration of the CryptXXX family was discovered in April 2016 as part of the Angler exploit kit. This version of CryptXXX had a flaw in the encryption process that allowed researchers at Kaspersky Labs to quickly develop a tool to decrypt any system that had been infected by that early version. Later versions of the malware used a different encryption scheme, one that deleted the VSS, making it impossible to restore a file from a local backup (offline backup restoration is still possible).
We have 5 machines here infected so you can see what it looks like. We’ve recovered files from Jigsaw and TeslaCrypt to date.
Ransomware As A Service
If you know where to look on the dark web then you can roll your own Ransomware with little or no effort.
Each of the machines we tested was first wiped and then Windows 7 was reinstalled. Ransomware needs to talk back to base, so you’re going to need an internet connection. To minimize the risk of the infection spreading, use a dedicated wifi hotspot or a burner phone. In our case we used a cheap Android test phone with a Ting SIM card and a data plan.
You can find many of the different flavors of Ransomware that have been collected in the wild at https://github.com/ytisf/theZoo
Visit site https://github.com/ytisf/theZoo
Download the files by using the git clone command. Choose which flavor of Ransomware you want to begin with from the binaries folder and then run the executable. The password to unzip the file should be in the same folder. Warning: do not do this on a machine you ever want to use again and make sure it is not connected to your wifi.
5 machines, feel free to play with them
For our first test we infected a PC with the Jigsaw virus, which you can find in the Ransomware.jigsaw folder. Install Jigsaw. The ransomware doesn’t start the encryption process right away. It’s triggered when a user opens a text file: you’re notified that the file doesn’t exist, and then Jigsaw opens its own window asking for payment. Figure 2 shows the Jigsaw screen demanding a bitcoin payment of $150.
This is the before and after
Not every flavor of ransomware has a corresponding tool that will decrypt the files. However Jigsaw has been around for a while and thankfully someone has figured out how to fix it. Download the Jigsaw Decrypter tool from the link in the resources and run it on the infected computer.
Point the tool at the directory you want to decrypt. Figure 4 shows the tool in action.
Once it is finished, copy everything off the desktop you want onto a USB. The PC is still infected so reinstall Windows 7 using a bootable CD or USB before you try another type of ransomware.
While TeslaCrypt was not the most widely deployed ransomware family, its longevity (it was used in campaigns from early 2015 through May 2016) meant that whoever was behind it made a great deal of money. From February through April 2015, researchers at FireEye determined that TeslaCrypt generated $77,000 for its developer. Following the escalated rate of deployment as the developer improved the software, TeslaCrypt likely generated more than $500,000.
This is the before and after
The team behind TeslaCrypt famously stopped all operations in May of 2016. When a researcher from ESET antivirus company contacted them, the team apologized and made their private key available, which allowed folks to develop a free decryption tool. This one is from Talos.
Ransomware is usually introduced into your network by someone clicking on a link or email attachment. It just takes one employee to click on a link and the Ransomware can begin to take hold. A good way to train your users is to send them a practice phishing email and see who clicks on the link. There are several websites that will do that for free and then upsell you other services (for example https://www.knowbe4.com/phishing-security-test-offer). Using one of these free trials is a great way to begin to see where the cracks are in your organization.
Choose something topical
Use KnowBe4.com’s free tool
Notice that there are a number of potential break points in the attack chain that a hardened system could disrupt and stop the installation process.
System administrators can set policy using the Microsoft Group Policy Management Console (GPMC) that prevents files from executing outside directories commonly used by ransomware.
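To make the policy idea concrete, here is an added example, not code from the deck and not an export of any real Group Policy object, that evaluates a launch path against a default-deny set of path rules the way a Software Restriction Policy or AppLocker path rule would: executables are allowed only under the Windows and Program Files trees, with the user-writable subfolders inside those trees denied again. The trusted roots, the exception list and the extension set are assumptions for a baseline, and the sample launch paths are constructed.

```python
"""Path-rule evaluation of the kind a GPMC Software Restriction Policy or
AppLocker policy performs: default-deny execution outside trusted directories.

Added example, not the deck's code and not an export of any real Group Policy
object; the roots, exceptions and extensions below are assumptions for a
baseline, not a Microsoft default.
"""
import ntpath

# Directories that standard users cannot write to, so executables there were
# placed by an administrator or an installer (assumed baseline).
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

# User-writable folders that sit *inside* a trusted root; without these
# exceptions a dropper copied into C:\Windows\Temp would pass the rule above.
WRITABLE_EXCEPTIONS = (r"C:\Windows\Temp", r"C:\Windows\Tasks", r"C:\Windows\Tracing")

# File types the policy treats as executable content (scripts included).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
            ".wsf", ".ps1", ".hta", ".dll", ".msi"}


def _normalize(path):
    r"""Collapse '..', mixed slashes and letter case so a path such as
    C:\Windows\..\Users\x\a.exe cannot masquerade as living under C:\Windows."""
    return ntpath.normcase(ntpath.normpath(path))


def _under(path, root):
    """True if the already-normalized `path` is `root` or lies below it."""
    root = _normalize(root)
    return path == root or path.startswith(root + "\\")


def evaluate(path):
    """Return ("allow" | "deny", reason) for an attempted launch of `path`."""
    p = _normalize(path)
    if ntpath.splitext(p)[1] not in EXEC_EXT:
        return ("allow", "not an executable file type")
    # Exceptions are checked first: they carve holes out of the trusted roots.
    for exc in WRITABLE_EXCEPTIONS:
        if _under(p, exc):
            return ("deny", f"user-writable exception under trusted root: {exc}")
    for root in TRUSTED_ROOTS:
        if _under(p, root):
            return ("allow", f"inside trusted root {root}")
    return ("deny", "outside all trusted roots")


# Constructed launch attempts covering the edge cases the rules must handle.
SAMPLE_LAUNCHES = [
    r"C:\Windows\System32\notepad.exe",                      # normal system binary
    r"c:/program files (x86)/Vendor/tool.exe",               # odd slashes and case
    r"C:\Users\alice\AppData\Local\Temp\update.exe",         # dropper in %TEMP%
    r"C:\Windows\..\Users\alice\Downloads\invoice.pdf.exe",  # '..' dodge attempt
    r"C:\Windows\Temp\dropper.exe",                          # writable hole in a root
    r"C:\Users\alice\Desktop\report.docx",                   # data file, not launched
]

if __name__ == "__main__":
    for p in SAMPLE_LAUNCHES:
        verdict, reason = evaluate(p)
        print(f"{verdict:<5} {p}  ({reason})")
```

Normalising the path before matching is the part that matters: a rule that compares raw strings can be walked around with `..` segments, forward slashes or mixed case, and the exception list for C:\Windows\Temp closes the same kind of hole from the other direction. A real policy is enforced by the operating system rather than by a script, but the rule logic an administrator has to reason about is the same.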
It takes a few days to get a valid account to which you can add $500 in bitcoin.
You may want to open one up now, just in case you need it.
Our Ransomware computer lab is just one attempt at getting ahead of a ransomware attack. Here’s our top 10 recommendations for a Ransomware Preparation plan that you should implement.
Sync each day if you must, but don’t keep it permanently connected; otherwise it’ll get infected during an attack.
Plan and run a mock ‘ransomware drill’ that temporarily locks out a user’s device.
Tell them it’s a drill, also tell them in advance the first time.