
Incidents involving ransomware. Investigation


The talk reproduces, step by step, the infection of an end-user PC by the Osiris program, with a demonstration of the example on a "live" system.

Published in: Technology


  1. ENTERPRISE FORENSICS: RANSOMWARE INCIDENTS. Mona Arkhipova, Unit Manager of information security architecture and monitoring. POSITIVE HACK DAYS VII, Moscow, Russia. ACRONIS © 2017
  2. #whoami
     Unit Manager of information security architecture and monitoring, Acronis. Past:
     • Head of SOC and OPS monitoring, Lead information security expert at QIWI group
     • Security analyst at General Electric (GE Capital)
     • Independent security consultant at fintech start-ups
     • *nix systems and network administrator
  3. Previous year references (Backwards)
     Enterprise forensics 101 (for those who missed it):
     https://www.slideshare.net/monasax1/enterprise-forensics-101
     http://2016.phdays.ru/broadcast/
     Let's apply the basics to a real case.
  4. What is Ransomware?
     • Started with simple lock-screens
     • Evolved to cryptolockers
     • "Pay-to-unlock"
  5. Intro
     Sometimes it just happens... An evening email may look like this:
  6. Backwards: First steps
     • Write down all the non-technical incident details – gathered user answers
     • Possibility of live response? – yes, in the same area
     • Grab all the checksums/hardware details/images/etc. – next
     • Inspect all the related systems (if applicable) – next
  7. Backwards: Windows live response
     • MIR-ROR script with the Sysinternals suite package
     • DLLs, setupapi.log
     • Mapped drives, opened shares
     • Prefetch
     • Policies
     • RAW registry files (hives)
     • Autorun, NTUSER.DAT from all accounts
     • Imaging software: AccessData FTK Imager (image + memdump)
  8. Backwards: Imaging
     • Prepare a proper drive for imaging
     • Write down date, time, S/N and size of the device
     • Dump memory with FTK Imager or Memoryze
     • Image with FTK Imager in RAW mode; write the checksum down for the report
     • Gather the whole file hierarchy
     • Begin to prepare your live stand
  9. Imaging: report notes
     Physical Evidentiary Item (Source) Information:
     [Device Info]
       Source Type: Physical
     [Drive Geometry]
       Cylinders: 30,401
       Tracks per Cylinder: 255
       Sectors per Track: 63
       Bytes per Sector: 512
       Sector Count: 488,397,168
     [Physical Drive Information]
       Drive Model: Samsung SSD 850 EVO M.2 250GB
       Drive Serial Number: S33CNX0H536900H
       Drive Interface Type: IDE
       Removable drive: False
       Source data size: 238475 MB
       Sector count: 488397168
     [Computed Hashes]
       MD5 checksum: 4d4cc4e6c7c21d93ff62909368f7a10f
       SHA1 checksum: 0f12c8c0456c09685e98c06e4f2407a3c1e29af9
     Sample note: Disk imaging has been performed with AccessData FTK Imager in RAW (dd) mode. Acquisition started: Mon Jan 30 14:06:22 2017. Acquisition finished: Mon Jan 30 15:49:15 2017.
     http://accessdata.com/product-download/ftk-imager-version-3.4.3
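Slides 8 and 9 reduce to one routine: hash the RAW image once while it is read, record the hashes next to the device geometry, and re-check the working copy on the stand before touching it. The Python below is an added example of that routine for this transcript; it is not the speaker's script and not part of FTK Imager. The report fields it renders follow the layout of slide 9, the image bytes, model string and serial in the demo are constructed, and the only real value reused is the slide's sector count, for the size check.

```python
"""Hash a RAW (dd) image and check the working copy against the acquisition
notes. Added example; not the speaker's code and not an AccessData tool.
Report layout assumed from slide 9; demo image bytes are constructed."""
import hashlib
import io

CHUNK = 1 << 20  # hash 1 MiB at a time so a 250 GB image never sits in RAM


def hash_image(stream):
    """Read an image stream once and return (md5, sha1, byte_count)."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        md5.update(block)
        sha1.update(block)
        total += len(block)
    return md5.hexdigest(), sha1.hexdigest(), total


def hash_bytes(data):
    """Convenience wrapper for in-memory data (tests, small artefacts)."""
    return hash_image(io.BytesIO(data))


def size_mib(sector_count, bytes_per_sector):
    """Whole MiB of source data, the way the 'Source data size' line states it."""
    return (sector_count * bytes_per_sector) // (1 << 20)


def verify_image(stream, recorded):
    """Re-hash an image and compare with the recorded report fields.

    recorded: dict with md5, sha1, sector_count, bytes_per_sector.
    Every check must be True before the copy is trusted for analysis
    (the copy on the stand is what gets mounted, never the original).
    """
    md5, sha1, total = hash_image(stream)
    expected_bytes = recorded["sector_count"] * recorded["bytes_per_sector"]
    return {
        "md5_match": md5 == recorded["md5"].lower(),
        "sha1_match": sha1 == recorded["sha1"].lower(),
        "size_match": total == expected_bytes,
    }


def acquisition_note(drive_model, serial, sector_count, bytes_per_sector,
                     md5, sha1, started, finished):
    """Render the report paragraph: device facts, hashes, start/finish times."""
    return "\n".join([
        "Disk imaging has been performed in RAW (dd) mode.",
        f"Drive Model: {drive_model}",
        f"Drive Serial Number: {serial}",
        f"Sector count: {sector_count}",
        f"Bytes per Sector: {bytes_per_sector}",
        f"Source data size: {size_mib(sector_count, bytes_per_sector)} MB",
        f"MD5 checksum: {md5}",
        f"SHA1 checksum: {sha1}",
        f"Acquisition started: {started}",
        f"Acquisition finished: {finished}",
    ])


def demo():
    """Constructed 4097-sector 'image' (2 MiB + 512 B, so it crosses a chunk boundary)."""
    sectors, bps = 4097, 512
    image = bytes(range(256)) * (sectors * bps // 256)
    md5, sha1, _ = hash_bytes(image)
    recorded = {"md5": md5, "sha1": sha1,
                "sector_count": sectors, "bytes_per_sector": bps}
    note = acquisition_note("CONSTRUCTED-MODEL", "SERIAL-PLACEHOLDER", sectors, bps,
                            md5, sha1, "constructed start", "constructed finish")
    good = verify_image(io.BytesIO(image), recorded)
    # One flipped bit in the working copy: hashes no longer match the notes.
    tampered = bytearray(image)
    tampered[-1] ^= 0x01
    bad = verify_image(io.BytesIO(bytes(tampered)), recorded)
    return good, bad, note


if __name__ == "__main__":
    good, bad, note = demo()
    print(note)
    print("intact copy:", good)
    print("altered copy:", bad)
```

Two details matter in practice: the hashes are computed in a single pass (a second read of a 250 GB SSD costs another hour, as the slide's timestamps show), and the byte count is checked against sector count times sector size, which catches a truncated copy even when someone forgot to copy the hash line.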
  10. Digital forensics stand
     • May be physical or virtual (physical preferred)
     • Win7 or later
     • SW for R/O mount: FTK Imager or OSFMount
     • SW for MFT investigation: Mft2Csv
     • AV tools, KFF (if needed), FAR and so on
  11. Mounting
     Never. Mount. Original. Evidence. Partitions.
     Use hardware write blockers if possible.
  12. Investigating
     • Known files DB if you're using enterprise suites
     • User-related incident:
       • IM logs
       • Browser history and cache
       • Recently opened files and downloads
       • Device history
       • Remote control tool artefacts
     • You may try to run some AV tools against the RO image:
  13. MFT fun – origin timestamps
     • Temp folder (first point found)
     • Browser folders
     • MFT
  14. MFT fun – drill-down
     Files created at the same time in temp locations (suspected download)
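Slides 13 and 14 describe the pivot: take the first suspicious file found in %TEMP%, then list everything else that was created in temp and browser-cache locations within a few seconds of it. The Python below is an added example of that pivot over a Mft2Csv-style CSV export; it is not the speaker's tooling and not part of Mft2Csv. The column names (FilePath, SI_CTime, FN_CTime) are an assumption for the demo and should be mapped to whatever the exporter actually writes; the rows are constructed (only a1.exe and the .doc.zip name come from the talk). It also goes one step beyond the slide and lists entries whose $STANDARD_INFORMATION creation time precedes the $FILE_NAME one, the usual hint that a timestamp was rewritten.

```python
"""Pivot through an MFT export around one suspicious file.
Added example; not the speaker's code and not part of Mft2Csv.
Column names are assumed; sample rows are constructed."""
import csv
import io
from datetime import datetime, timedelta

# Folders where a mail attachment or download usually lands first.
STAGING_MARKERS = ("\\temp\\", "\\downloads\\", "\\cache", "\\inetcache\\")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export (paths and times invented for the demo).
SAMPLE_CSV = """FilePath,SI_CTime,FN_CTime
C:\\Users\\user\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\x.default\\cache2\\entries\\6D7A0F1B,2017-01-27 18:40:09,2017-01-27 18:40:09
C:\\Users\\user\\AppData\\Local\\Temp\\Ground-Label-05496793.doc.zip,2017-01-27 18:40:12,2017-01-27 18:40:12
C:\\Users\\user\\AppData\\Local\\Temp\\document.lnk,2017-01-27 18:40:31,2017-01-27 18:40:31
C:\\Users\\user\\AppData\\Local\\Temp\\a1.exe,2017-01-27 18:41:05,2017-01-27 18:41:05
C:\\Users\\user\\AppData\\Local\\Temp\\a.doc,2017-01-27 18:41:20,2017-01-27 18:41:20
C:\\Windows\\System32\\notepad.exe,2009-07-14 01:14:27,2009-07-14 01:14:27
C:\\Users\\user\\Documents\\report.docx,2015-03-01 10:00:00,2017-01-27 18:41:30
"""


def load_mft_csv(text):
    """Parse the export into records with datetime fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "path": row["FilePath"],
            "name": row["FilePath"].rsplit("\\", 1)[-1],
            "si_created": datetime.strptime(row["SI_CTime"], TS_FORMAT),
            "fn_created": datetime.strptime(row["FN_CTime"], TS_FORMAT),
        })
    return records


def is_staging_path(path):
    """True for temp, download and browser-cache locations."""
    low = path.lower()
    return any(marker in low for marker in STAGING_MARKERS)


def same_window(records, pivot_name, seconds=60):
    """Staging-location files created within +/- seconds of the pivot file,
    oldest first: the download, the extracted shortcut, the dropped payload."""
    pivot = next(r for r in records if r["name"] == pivot_name)
    delta = timedelta(seconds=seconds)
    hits = [r for r in records
            if is_staging_path(r["path"])
            and abs(r["si_created"] - pivot["si_created"]) <= delta]
    return sorted(hits, key=lambda r: r["si_created"])


def timestomp_candidates(records, tolerance=timedelta(seconds=1)):
    """$SI created earlier than $FN created. User-mode APIs can rewrite $SI
    but not $FN, so this ordering commonly means the $SI time was altered."""
    return [r for r in records if r["fn_created"] - r["si_created"] > tolerance]


if __name__ == "__main__":
    recs = load_mft_csv(SAMPLE_CSV)
    for r in same_window(recs, "Ground-Label-05496793.doc.zip", 60):
        print(r["si_created"], r["path"])
    for r in timestomp_candidates(recs):
        print("timestomp candidate:", r["path"])
```

On a real export the window is usually a few seconds wide; widen it only until the chain download, archive, shortcut, payload appears in order, otherwise ordinary browser-cache churn drowns the result.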
  15. Show me your caches
  16. Original attachment
     The original file had been lost: only the executable had been found on the file system. Finding audit trails on the user and the file:
  17. Sandboxing (fast way)
     You may use public (malwr, Hybrid Analysis) or private (such as Cuckoo) sandboxes for a fast investigation of the calls.
     Infection path overview
     1. User downloads the file Ground-Label-05496793.doc.zip
     2. This archive contains one more Ground-Label-05496793.doc.zip inside it
     3. After double-clicking, both archives are unzipped one by one and the original .lnk file with a notepad icon is extracted
     4. Dropper script execution
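The attachment chain on slide 17 (a .doc.zip holding another .doc.zip holding a .lnk dressed up as a document) can be recognised statically, before anything is double-clicked or sent to a sandbox. The Python below is an added triage example for this transcript, not the speaker's code and not part of any sandbox; it rebuilds that shape in memory from constructed bytes (the inner shortcut name and its placeholder contents are invented) and walks the archive without executing any member. The check on the first four bytes relies on every Windows shell link starting with the header size field 0x4C.

```python
"""Static triage of a nested attachment archive without opening anything.
Added example; not the speaker's code. Sample archive is constructed."""
import io
import zipfile

ARCHIVE_EXT = {".zip"}
SHORTCUT_EXT = {".lnk"}
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
EXEC_EXT = {".exe", ".scr", ".dll", ".com"}
DOC_EXT = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}
MAX_DEPTH = 4                    # stop recursing into archives-in-archives here
MAX_MEMBER = 16 * 1024 * 1024    # refuse to inflate larger members (zip-bomb guard)
LNK_MAGIC = b"L\x00\x00\x00"     # ShellLink HeaderSize field (0x4C) opens every .lnk


def _exts(name):
    """All dotted suffixes of a member name, lower-cased: 'a.doc.zip' -> ['.doc', '.zip']."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]]


def classify(name, head):
    """Flags for one member from its name and its first bytes."""
    exts = _exts(name)
    last = exts[-1] if exts else ""
    flags = set()
    if last in ARCHIVE_EXT:
        flags.add("nested_archive")
    if last in SHORTCUT_EXT or head.startswith(LNK_MAGIC):
        flags.add("shortcut")
    if last in SCRIPT_EXT:
        flags.add("script")
    if last in EXEC_EXT:
        flags.add("executable")
    # A document extension placed in front of the real one: .doc.zip, .doc.lnk
    if len(exts) >= 2 and exts[-2] in DOC_EXT and last not in DOC_EXT:
        flags.add("double_extension")
    return flags


def triage_zip(data, depth=1, chain=()):
    """Walk an archive and the archives inside it; one finding per member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = chain + (info.filename,)
            if info.file_size > MAX_MEMBER:
                findings.append({"path": path, "depth": depth, "flags": {"oversized"}})
                continue
            body = zf.read(info.filename)
            flags = classify(info.filename, body[:4])
            findings.append({"path": path, "depth": depth, "flags": flags})
            if ("nested_archive" in flags and depth < MAX_DEPTH
                    and zipfile.is_zipfile(io.BytesIO(body))):
                findings.extend(triage_zip(body, depth + 1, path))
    return findings


def verdict(findings):
    """Suspicious if any member would run code, or archives are nested two deep."""
    risky = {"shortcut", "script", "executable", "oversized"}
    if any(f["flags"] & risky for f in findings):
        return "suspicious"
    if any(f["depth"] >= 2 for f in findings):
        return "suspicious"
    return "clean"


def build_sample():
    """Constructed stand-in for the chain on slide 17 (inner name invented)."""
    lnk = LNK_MAGIC + b"\x00" * 72   # header-sized placeholder, not a working shortcut
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Ground-Label-05496793.doc.lnk", lnk)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Ground-Label-05496793.doc.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    found = triage_zip(build_sample())
    for f in found:
        print(f["depth"], "/".join(f["path"]), sorted(f["flags"]))
    print("verdict:", verdict(found))
```

Run the same function over a mail gateway's quarantined attachments and the two cheap signals, a shortcut or script inside a "document" archive and two levels of nesting, catch this family's delivery without needing the payload's hash.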
  18. Dropper
     • The dropper script continuously connects to the CnC domain with the following requests and downloads the a1.exe (or a2.exe) attachment
  19. Updates and certs
     A little bit of network requests: self-update
  20. Meanwhile in the system
     • Two random test files, %TEMP%\a.doc and %TEMP%\a.txt, 10000 bytes long, are created (seems to be for testing purposes only) and the following script is injected into the HKCU hive
     • The file with decryption instructions is added to FF or another default browser
     • Execution of self-destroy
  21. Case Conclusion & Recovery
     Investigation revealed a user mistake and problems with the AV on the system (it had not prevented the infection)
     • User downloaded the file from a CRM case
     • Tried to run it
     • "No result" (encryption started in background)
     Workstation recovery
     • Rolled back from backup copy
     • Reinstalled AV for proper work
  22. Backwards: Enterprise notes
     • Export all the related information from your security tools:
       • IDS/IPS
       • firewall logs
       • proxies
       • SIEM records
       • DLP
       • AV alerts
     • Sometimes the initial point of compromise is not what you suspected
     • If you do not see something strange in your SIEM, it is not a reason to relax
     • Perform regular agent reviews on every subsystem
  23. Backwards: Reporting
     Forensics part
     Common information
     • Case summary (brief overview of what happened and when)
     • Serial numbers, make, model etc.
     • All the preparation steps
     Investigation process
     • Tools used, start and end dates
     • Detailed information about the process – artifacts, pictures, documents…
     Conclusion
     Incident response part
     • Preparation
     • Identification
     • Containment
     • Eradication
     • Recovery
     • Lessons learned (I know you still hate doing that ;))
  24. Questions?
     Mona Arkhipova, Unit Manager of information security architecture and monitoring
     Mona@acronis.com /monaarkhipova mona.sax m0na_sax
