
Ransomware incidents. Investigation



The talk reproduces, step by step, the infection of an end-user PC by the Osiris program, with a demonstration on a "live" system.

Published in: Technology


  1. ENTERPRISE FORENSICS: RANSOMWARE INCIDENTS. Mona Arkhipova, Unit Manager of information security architecture and monitoring. POSITIVE HACK DAYS VII, Moscow, Russia. ACRONIS © 2017
  2. #whoami
     Unit Manager of information security architecture and monitoring, Acronis. Past:
     • Head of SOC and OPS monitoring, Lead information security expert at QIWI group
     • Security analyst at General Electric (GE Capital)
     • Independent security consultant at fintech start-ups
     • *nix systems and network administrator
  3. Previous year references (Backwards)
     Enterprise forensics 101 (for those who missed it). Let's apply the basics to a real case.
  4. What is Ransomware?
     • Started with simple lock-screens
     • Evolved to cryptolockers
     • "Pay-to-unlock"
  5. Intro
     Sometimes it just happens… An evening email may look like this:
  6. Backwards: First steps
     • Write down all the non-technical incident details – gathered user answers
     • Possibility of live response? – yes, in the same area
     • Grab all the checksums/hardware details/images/etc. – next
     • Inspect all the related systems (if applicable) – next
  7. Backwards: Windows live response
     • MIR-ROR script with the Sysinternals suite package
     • DLLs, setupapi.log
     • Mapped drives, opened shares
     • Prefetch
     • Policies
     • RAW registry files (hives)
     • Autorun, NTUSER.DAT from all accounts
     • Imaging software: AccessData FTK Imager (image + memdump)
  8. Backwards: Imaging
     • Prepare a proper drive for imaging
     • Write down date, time, S/N and size of the device
     • Dump memory with FTK Imager or Memoryze
     • Image with FTK Imager in RAW mode, write down the checksum for the report
     • Gather the full file hierarchy
     • Begin to prepare your live stand
  9. Imaging: report notes
     Physical Evidentiary Item (Source) Information:
     [Device Info]
     Source Type: Physical
     [Drive Geometry]
     Cylinders: 30,401
     Tracks per Cylinder: 255
     Sectors per Track: 63
     Bytes per Sector: 512
     Sector Count: 488,397,168
     [Physical Drive Information]
     Drive Model: Samsung SSD 850 EVO M.2 250GB
     Drive Serial Number: S33CNX0H536900H
     Drive Interface Type: IDE
     Removable drive: False
     Source data size: 238475 MB
     Sector count: 488397168
     [Computed Hashes]
     MD5 checksum: 4d4cc4e6c7c21d93ff62909368f7a10f
     SHA1 checksum: 0f12c8c0456c09685e98c06e4f2407a3c1e29af9
     Sample note: Disk imaging has been performed with AccessData FTK Imager in RAW (dd) mode. Acquisition started: Mon Jan 30 14:06:22 2017. Acquisition finished: Mon Jan 30 15:49:15 2017.
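The checksum step of the imaging procedure, as an added example (not code from the deck or from FTK Imager): it streams a RAW (dd) image, computes the MD5/SHA1 that go into the report notes above, and lets you re-verify a working copy against the recorded digests before mounting it read-only on the stand. The sample image, drive model and serial used here are constructed placeholders.

```python
# Image checksum and report notes (added example, not from the deck or FTK Imager).
# Streams a RAW (dd) image in chunks, computes the MD5/SHA1 recorded in the
# acquisition report, and re-checks a working copy before it is mounted R/O.
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024       # 1 MiB reads: a 250 GB image never fits in memory
BYTES_PER_SECTOR = 512


def hash_image(path):
    """Return (md5_hex, sha1_hex, size_bytes) from a single streaming pass."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return md5.hexdigest(), sha1.hexdigest(), size


def verify_image(path, expected_md5, expected_sha1):
    """True only when both digests match the values written at acquisition."""
    md5, sha1, _ = hash_image(path)
    return md5 == expected_md5.lower() and sha1 == expected_sha1.lower()


def report_notes(path, model, serial, started, finished):
    """Render the report fields shown on the slide as a list of lines."""
    md5, sha1, size = hash_image(path)
    return [
        "[Physical Drive Information]",
        f"Drive Model: {model}",
        f"Drive Serial Number: {serial}",
        f"Sector count: {size // BYTES_PER_SECTOR}",
        "[Computed Hashes]",
        f"MD5 checksum: {md5}",
        f"SHA1 checksum: {sha1}",
        "Disk imaging has been performed in RAW (dd) mode.",
        f"Acquisition started: {started}",
        f"Acquisition finished: {finished}",
    ]


def make_sample_image(data=bytes(range(256)) * 16):
    """Constructed stand-in for a dd image: a temp file holding `data`."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```

Point `verify_image` at the copy on the stand with the digests from the acquisition notes; a mismatch means the copy is not the evidence you imaged and must not be analysed.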
  10. Digital forensics stand
     • May be physical or virtual (physical preferred)
     • Win7 or later
     • SW for R/O mount: FTK Imager or OSFMount
     • SW for MFT investigation: Mft2Csv
     • AV tools, KFF (if needed), FAR and so on
  11. Mounting
     Never. Mount. Original. Evidence. Partitions. Use hardware write blockers if possible.
  12. Investigating
     • Known files DB if you're using enterprise suites
     • User-related incident:
       • IM logs
       • Browser history and cache
       • Recently opened files and downloads
       • Device history
       • Remote control tools artefacts
     • You may try to run some AV tools against the R/O image:
  13. MFT fun – origin timestamps
     • Temp folder (first point found)
     • Browser folders
     • MFT
  14. MFT fun – drill-down
     Files created at the same time in temp locations (suspected download)
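The MFT drill-down from the two slides above, as an added example (not code from the deck or from the Mft2Csv project): starting from the first file found in the temp folder, it lists every other file created in temp or browser locations within a few-second window, which is how a dropped executable is tied back to the archive and the .lnk that produced it. The CSV rows and the column names `FilePath`, `FileName` and `SI_CTime` are constructed assumptions for this example, not the case data.

```python
# MFT drill-down (added example, not from the deck or the Mft2Csv project).
# Reads an Mft2Csv-style export and lists files created in temp or browser
# locations within a few seconds of a seed file, the step used in the talk.
import csv
import io
from datetime import datetime, timedelta

# Column names are assumptions for this example; a real Mft2Csv export has
# many more columns. Rows are constructed, not taken from the case.
SAMPLE_MFT_CSV = r"""FilePath,FileName,SI_CTime
C:\Users\user\AppData\Local\Temp\,constructed_attachment.zip,2017-01-30 14:06:20
C:\Users\user\AppData\Local\Temp\,document.lnk,2017-01-30 14:06:22
C:\Users\user\AppData\Local\Temp\,a1.exe,2017-01-30 14:06:25
C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\x.default\cache2\entries\,0A1B2C,2017-01-30 14:06:19
C:\Users\user\Documents\,report.docx,2017-01-30 14:06:24
C:\Windows\System32\,kernel32.dll,2016-11-02 09:15:00
"""

# Locations the talk checks first: the temp folder and browser profile folders.
SUSPECT_LOCATIONS = (r"\AppData\Local\Temp", r"\Mozilla\Firefox", r"\Google\Chrome")


def parse_mft(text):
    """Rows of {path, ctime} using the $STANDARD_INFORMATION creation time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "path": r["FilePath"] + r["FileName"],
            "ctime": datetime.strptime(r["SI_CTime"], "%Y-%m-%d %H:%M:%S"),
        })
    return rows


def files_near(rows, seed_name, window_s=10, locations=SUSPECT_LOCATIONS):
    """Paths in suspect locations created within window_s of seed_name, oldest first."""
    seed = next(r for r in rows if r["path"].lower().endswith("\\" + seed_name.lower()))
    window = timedelta(seconds=window_s)
    hits = []
    for r in rows:
        in_location = any(loc.lower() in r["path"].lower() for loc in locations)
        if in_location and abs(r["ctime"] - seed["ctime"]) <= window:
            hits.append((r["ctime"], r["path"]))
    return [path for _, path in sorted(hits)]


if __name__ == "__main__":
    for path in files_near(parse_mft(SAMPLE_MFT_CSV), "a1.exe"):
        print(path)
```

Widen `window_s` or add locations when the download path is not in the default list; a file outside the suspect locations (the Documents row above) is deliberately left out so the user's own work does not pollute the timeline.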
  15. Show me your caches
  16. Original attachment
     The original file had been lost: only the executable was found on the FS. Finding audit trails on the user and the file:
  17. Sandboxing (fast way)
     You may use public (malwr, Hybrid Analysis) or private (such as Cuckoo) sandboxes for a fast investigation of the calls.
     Infection path overview
     1. User downloads the file
     2. This archive file contains one more Ground-Label- in it
     3. After double-clicking, both archives are unzipped one by one and the original .lnk file with a Notepad icon is extracted
     4. Dropper script execution
  18. Dropper
     • The dropper script continuously connects to the C&C domain with the following requests and downloads the a1.exe (or a2.exe) attachment
  19. Updates and certs
     A few network requests: self-update
  20. Meanwhile in the system
     • Two random test files, %TEMP%\a.doc and %TEMP%\a.txt, 10000 bytes long, are created (seemingly for testing purposes only) and the following script is injected into the HKCU hive
     • The file with decryption instructions is added to FF or another default browser
     • Self-destruct execution
  21. Case Conclusion & Recovery
     Investigation revealed a user mistake and problems with AV on the system (it had not prevented the infection)
     • User downloaded the file from a CRM case
     • Tried to run it
     • "No result" (encryption started in the background)
     Workstation recovery
     • Rolled back from a backup copy
     • Reinstalled AV for proper work
  22. Backwards: Enterprise notes
     • Export all the related information from your security tools: IDS/IPS, firewall logs, proxies, SIEM records, DLP, AV alerts
     • Sometimes the initial point of compromise is not what you've suspected
     • If you do not see something strange in your SIEM – it is not a reason to relax
     • Perform regular agent reviews on every subsystem
  23. Backwards: Reporting
     Forensics part
     Common information
     • Case summary (brief overview of what happened and when)
     • Serial numbers, make, model etc.
     • All the preparation steps
     Investigation process
     • Tools used, start and end dates
     • Detailed information about the process – artifacts, pictures, documents…
     Conclusion
     Incident response part
     • Preparation
     • Identification
     • Containment
     • Eradication
     • Recovery
     • Lessons learned (I know you still hate doing that ;))
  24. Questions?
     Mona Arkhipova, Unit Manager of information security architecture and monitoring
     /monaarkhipova mona.sax m0na_sax