Simple steps to tackle and cripple WannaCry and Petya type ransomware
Hit by ransomware [again]
Jesper Nielsen | @dotjesper
#ateaitexpo
Hit by ransomware [again]
Once upon a time, not that long ago…

March 2017      Microsoft patches the SMBv1 vulnerability (they even patched Windows XP)
April 2017      Shadow Brokers dump EternalBlue
May 12th 2017   WannaCry hits
June 27th 2017  People *still* haven't patched, and NotPetya hits
July 2017       Emotet Trojan emerges, using network sniffing and password harvesting techniques
August 2017     Another attack on a computer near you – we are open 24/7…
Petya type malware – Threat Research

User rights checking (SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege)
  As local admin
  As non-local admin (smoke and mirrors – when weaponized)
Data encryption
Mimikatz techniques – credential harvesting
EternalBlue
Admin$ share
SMB propagation
Network sniffer
So, consider this…
Windows as a service (monthly cumulative updates: April, May, June)
  Each cumulative update contains new security updates, new non-security updates, and the existing fixes from previous cumulative updates
  Examples on the slide: KB4015583, KB4016240, New KB#1, New KB#2, New KB#3, New KB#4
How Microsoft Stays Up to Date

Day 1 – 6   80% of patching and reboots are handled with natural reboots, no user interruption or notifications; the user can choose to install the update and reboot now or schedule it for a later time
Day 7       The user receives a final restart notification with a 60 minute countdown timer
Day 7+      Deadline enforced
Zero day    Move the deadline forward and update 75% within 24 hours, the remaining 25% within an additional 24-36 hours
Timeline markers on the slide: Patch Tuesday (+1), Monday 10:00 PST, Tuesday 10:00 PST, 23:59 PST
Preparing the tackle
Hit by ransomware [again]
Device Control Credential Control Application Control Access Control
Device Control
1. Windows 10 is part of the solution (… and Windows Server 2016)
2. Update regularly – Follow Best Practice, validate, and then add your own requirements
3. Enable Modern Authentication
4. Start using modern hardware security
5. Start monitoring your devices
6. Ensure hard disk encryption on all devices – OF COURSE!
7. Follow Best Practice, validate, and then add your own requirements
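The device-control items above can be checked on a single host with the Windows built-in cmdlets. The script below is an added example, not part of the deck and not the author's tooling: it reports whether the SMBv1 server (the protocol EternalBlue abuses) is still on, whether the SMBv1 fix is installed, whether a TPM is present and ready, and whether every fixed volume is BitLocker-protected. It assumes an elevated PowerShell on Windows 10 / Server 2016 or later with the SmbShare, BitLocker and TrustedPlatformModule modules present; the KB list is a placeholder you fill in from the MS17-010 bulletin for your build, and on Server the SMBv1 feature is managed with Get-WindowsFeature FS-SMB1 rather than the optional-feature cmdlet used here.

```powershell
# Added example (not from the deck): device-control audit for one host.
# Assumption: run elevated on Windows 10 / Server 2016+.
#Requires -RunAsAdministrator

# PLACEHOLDER: KB numbers carrying the MS17-010 (SMBv1) fix for your OS build;
# take them from the bulletin, not from this script.
$RequiredHotfixes = @('KB0000000')

function Get-DeviceControlReport {
    [CmdletBinding()]
    param([string[]]$RequiredKB = $RequiredHotfixes)

    # 1. SMBv1 server side: EternalBlue targets this protocol, so it should be off.
    $smbServer   = Get-SmbServerConfiguration
    $smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue

    # 2. Patch level: the SMBv1 fix must be installed, or the host is still exposed.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missingKB = $RequiredKB | Where-Object { $_ -notin $installed }

    # 3. Modern hardware security: TPM present and ready (needed by BitLocker and Credential Guard).
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # 4. Hard disk encryption: every OS/data volume fully encrypted with protection turned on.
    $volumes     = Get-BitLockerVolume -ErrorAction SilentlyContinue
    $unprotected = $volumes |
        Where-Object { $_.VolumeType -in @('OperatingSystem', 'Data') } |
        Where-Object { $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSBuild            = [System.Environment]::OSVersion.Version.ToString()
        Smb1ServerEnabled  = [bool]$smbServer.EnableSMB1Protocol
        Smb1FeatureState   = if ($smb1Feature) { $smb1Feature.State.ToString() } else { 'NotPresent' }
        MissingHotfixes    = @($missingKB)
        TpmReady           = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        UnencryptedVolumes = @($unprotected | ForEach-Object { $_.MountPoint })
    }
}

function Test-DeviceControl {
    # Returns $true only when every check passes, so it can be used as a compliance gate.
    $r = Get-DeviceControlReport
    $r | Format-List
    return ((-not $r.Smb1ServerEnabled) -and
            ($r.Smb1FeatureState -ne 'Enabled') -and
            ($r.MissingHotfixes.Count -eq 0) -and
            $r.TpmReady -and
            ($r.UnencryptedVolumes.Count -eq 0))
}

function Disable-Smb1 {
    # Remediation for the SMBv1 finding only; encryption, TPM and patching need planning.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
}

if (-not (Test-DeviceControl)) {
    Write-Warning 'Device control checks failed; review the report above before rolling out.'
}
```

Run it from a management host against a sample of machines before trusting any inventory tool's view: the SMBv1 server setting and the optional feature are tracked separately, and either one being on is enough to leave the host reachable by the propagation technique on the threat-research slide.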
Credential Control
1. Multi-Factor Authentication (MFA) for all users and administrators
2. No high-risk logins on any device
3. Consider Local Administrative Privileges – DO NOT add domain groups to grant Local Administrative Privileges to users!
4. Password randomization (LAPS etc.)
5. Ensure strong password policies – Follow Best Practice, validate, and then add your own requirements
6. Ensure you use Credential Guard or similar
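Items 3, 4 and 6 above can be verified on a host with the LocalAccounts module and the Device Guard CIM class. The script below is an added example, not code from the deck: it flags domain groups and domain users nested into the local Administrators group, reports how old the built-in administrator's password is (with LAPS in place it should be young), and reads whether Credential Guard is actually running rather than merely configured. It assumes an elevated PowerShell on a domain-joined Windows 10 / Server 2016 or later host.

```powershell
# Added example (not from the deck): credential-control audit for one host.
# Assumption: run elevated on a domain-joined Windows 10 / Server 2016+ host.
#Requires -RunAsAdministrator

function Get-LocalAdminFindings {
    # Item 3: no domain *groups* should be nested into the local Administrators group,
    # because every member of that group then gets standing local admin everywhere.
    # Get-LocalGroupMember exposes PrincipalSource (Local / ActiveDirectory / AzureAD)
    # and ObjectClass (User / Group) for each member.
    foreach ($m in (Get-LocalGroupMember -Group 'Administrators')) {
        $finding = $null
        if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -ne 'Local') {
            $finding = 'Domain group grants local admin to all its members; replace with LAPS-managed local account or named users'
        } elseif ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -ne 'Local') {
            $finding = 'Domain user holds standing local admin; review against the Just Enough Rights philosophy'
        }
        [pscustomobject]@{
            Member  = $m.Name
            Class   = $m.ObjectClass
            Source  = $m.PrincipalSource.ToString()
            Finding = $finding
        }
    }
}

function Get-LocalAdminPasswordAge {
    # Item 4: with LAPS the built-in administrator (RID 500) password rotates on a schedule;
    # a large PasswordAgeDays means rotation is not happening on this host.
    $rid500 = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    [pscustomobject]@{
        Account         = $rid500.Name
        Enabled         = $rid500.Enabled
        PasswordAgeDays = if ($rid500.PasswordLastSet) {
                              [int]((Get-Date) - $rid500.PasswordLastSet).TotalDays
                          } else { $null }
    }
}

function Get-CredentialGuardState {
    # Item 6: Credential Guard keeps LSA secrets in a VBS-isolated process so that
    # Mimikatz-style harvesting from LSASS does not yield reusable credentials.
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

$admins = Get-LocalAdminFindings
$admins | Format-Table -AutoSize
Get-LocalAdminPasswordAge | Format-List
Get-CredentialGuardState  | Format-List
if ($admins | Where-Object Finding) {
    Write-Warning 'Local Administrators contains domain principals; see the findings above.'
}
```

The Credential Guard check deliberately reads SecurityServicesRunning rather than SecurityServicesConfigured: a policy can be set on a machine whose firmware or hypervisor support is missing, and only the running state tells you the protection is in effect.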
Application Control
1. Implement Microsoft AppLocker or similar
2. Implement Software Restriction Policies as a minimum
3. Enforce Windows Defender SmartScreen
4. Enforce User Account Control (UAC)
5. Microsoft Edge, with Enterprise Mode for Internet Explorer 11 whitelisting
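The first four application-control items leave traces in the effective AppLocker policy and in two policy registry keys, so their state can be audited from one script. The script below is an added example and not from the deck: it reports the enforcement mode of each AppLocker rule collection, whether a Software Restriction Policy is configured with a deny-by-default level, and the SmartScreen and UAC policy values. It assumes an elevated PowerShell on a Windows 10 Enterprise or Server 2016 or later host where the AppLocker cmdlets exist; the registry paths and value names are the standard policy locations.

```powershell
# Added example (not from the deck): application-control audit for one host.
# Assumption: run elevated on Windows 10 Enterprise / Server 2016+ with the AppLocker module.
#Requires -RunAsAdministrator

function Get-AppLockerEnforcement {
    # Item 1: the effective policy is returned as XML; each RuleCollection
    # (Exe, Msi, Script, Dll, Appx) carries its own EnforcementMode.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{
            Collection      = $rc.Type
            EnforcementMode = $rc.EnforcementMode      # NotConfigured / AuditOnly / Enabled
            RuleCount       = @($rc.ChildNodes).Count
        }
    }
}

function Get-SrpState {
    # Item 2: Software Restriction Policies live under Safer\CodeIdentifiers.
    # DefaultLevel 0 = Disallowed (deny by default), 0x40000 = Unrestricted.
    $props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' `
                              -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Configured    = [bool]$props
        DefaultLevel  = $props.DefaultLevel
        DenyByDefault = ($props.DefaultLevel -eq 0)
    }
}

function Get-SmartScreenAndUacState {
    # Item 3: SmartScreen policy: EnableSmartScreen 1 = on, ShellSmartScreenLevel 'Block' or 'Warn'.
    # Item 4: UAC: EnableLUA 1 = on; ConsentPromptBehaviorAdmin 2 = prompt for consent on the
    #         secure desktop; PromptOnSecureDesktop 1 = prompts cannot be spoofed by user-mode apps.
    $ss  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        SmartScreenPolicyOn = ($ss.EnableSmartScreen -eq 1)
        SmartScreenLevel    = $ss.ShellSmartScreenLevel
        UacEnabled          = ($uac.EnableLUA -eq 1)
        AdminPromptBehavior = $uac.ConsentPromptBehaviorAdmin
        SecureDesktopPrompt = ($uac.PromptOnSecureDesktop -eq 1)
    }
}

function Test-ApplicationControl {
    # Pass = every AppLocker collection enforced OR SRP deny-by-default, plus SmartScreen and UAC on.
    $al  = @(Get-AppLockerEnforcement)
    $srp = Get-SrpState
    $su  = Get-SmartScreenAndUacState
    $al | Format-Table -AutoSize; $srp | Format-List; $su | Format-List

    $allowListing = ($al.Count -gt 0 -and -not ($al | Where-Object EnforcementMode -ne 'Enabled')) -or
                    $srp.DenyByDefault
    return ($allowListing -and $su.SmartScreenPolicyOn -and $su.UacEnabled -and $su.SecureDesktopPrompt)
}

if (-not (Test-ApplicationControl)) {
    Write-Warning 'Application control is not fully enforced on this host; see the output above.'
}
```

AuditOnly mode shows up as a failure on purpose: an AppLocker collection in audit mode logs what would have been blocked but still lets the ransomware dropper run, which is why the script treats only Enabled (or an SRP default of Disallowed) as passing.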
Access Control
1. Implement the Just Enough Rights philosophy – Follow Best Practice, validate, and then add your own requirements
2. Limit remote access to mobile devices (… and servers)
3. Limit remote access to mobile devices to named jump stations only (… and servers)
4. Use Windows Firewall actively – disabled is not an option (… on servers too)
5. Prepare to upgrade to the latest Windows 10 version and start using Application Guard and Exploit Guard (Windows 10 1709+)
Summary
Hit by ransomware [again]
Device Control Credential Control Application Control Access Control
Thank you
ATEA IT EXPO: Hit by ransomware - again

Editor's Notes

  1. Slide 1 [00:00] Hit by malware [again] Simple steps to tackle and cripple WannaCry and Petya type ransomware //
  2. Slide 2 [HIDDEN SLIDE] Deck information //
  3. Slide 3 [HIDDEN SLIDE] Abstract //
  4. Slide 4 [00:00] Hit by ransomware [again] Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult-to-trace digital currencies such as Ukash and Bitcoin are used for the ransoms, making tracing and prosecuting the perpetrators difficult. Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the "WannaCry worm", traveled automatically between computers without user interaction. Source: https://en.wikipedia.org/wiki/Ransomware //
  5. Slide 5 [00:00] Once upon a time… Over the summer, companies all over the globe have been hit by some really nasty attacks – not all of them were due to missing patches.
Timeline (spring–summer 2017): A widespread ransomware attack targets Windows systems that do not have the latest updates. Microsoft announced: Given the severity of this threat, update your Windows systems as soon as possible. The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. The attack began on Friday, 12 May 2017, and within a day was reported to have infected more than 230,000 computers in over 150 countries. Parts of the United Kingdom's National Health Service (NHS) were infected, causing it to run some services on an emergency-only basis during the attack; Spain's Telefónica, FedEx and Deutsche Bahn were hit, along with many other countries and companies worldwide. Shortly after the attack began, Marcus Hutchins, a 22-year-old web security researcher from North Devon in England then known as MalwareTech, discovered an effective kill switch by registering a domain name he found in the code of the ransomware. This greatly slowed the spread of the infection, effectively halting the initial outbreak on Monday, 15 May 2017, but new versions have since been detected that lack the kill switch – these tools are now being weaponized!
The Equifax hack: In May, hackers broke into Equifax's computer systems, stealing personal information of over 140 million Americans. While the details of what was pilfered are still forthcoming, it appears Social Security numbers, addresses, account information, and personal details were taken. In terms of hacks, this is by far one of the largest in history, and to date has been underreported, most likely due to competition from the recent hurricanes and North Korea stories dominating the news headlines. In terms of financial hacks, this is possibly the worst in history. Millions of American consumers are affected. And, unless there are major structural changes made to the way credit is handled, the hacked information could permanently impact victims. In other words, if your information is available for criminals to use, you could be subject to identity theft at any point in the future. It appears, at this point, thieves may have virtually everything they need to steal your identity going forward if you are one of the people listed in the attack. Equifax did not disclose the hacks until several months after they happened, potentially giving hackers more time to disseminate consumer information. Although Equifax has followed legal guidelines in regards to disclosure, the issue still remains: millions of consumers now have their sensitive personal information exposed, putting them at risk for identity theft. Source: http://rapidcityjournal.com/news/local/communities/chadron/opinion/guest-commentary/equifax-hack-steps-to-protect-yourself/article_fa5e649c-a2e2-11e7-8524-73264d03a5d6.html
The CCleaner hack: The attack took place by piggy-backing onto CCleaner by infiltrating the servers that distribute the software, infecting version 5.33 of the Windows utility and version 1.07 of its cloud-based sister application. Those servers belonged to Piriform, the London company that created CCleaner. In July of this year, Piriform was acquired by the Prague-based antivirus maker Avast. If you've updated CCleaner since Aug. 15 and you're running 32-bit Windows, you may be infected. You should roll back to a pre-Aug. 15 snapshot of your system, or run a malware scan. Following either (or both) of those steps, visit Piriform's site to download and install the latest, clean version of CCleaner. Source: https://www.tomsguide.com/us/ccleaner-utility-malware-infected,news-25851.html
NotPetya: Timeline of a Ransomworm https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/notpetya-timeline-of-a-ransomworm/
Other hacks: The sophisticated NotPetya cyberattack, which Ukraine blamed on Russia, targeted Ukrainian tax software in June, but infected companies around the globe. FedEx said the attack cost the company $300 million. Sophisticated attacks are a threat, but the biggest hacks can be the result of known vulnerabilities that don't get fixed in time. //
  6. Slide 6 [00:00] Petya type malware Threat Research On June 27, public announcements were made about a large-scale campaign of ransomware attacks across Europe. The ransomware impacted notable industries such as Maersk, the world's largest container shipping company. The initial infection vector appears to be the exploitation of a Ukrainian tax software called MEDoc. It spreads on the internal network via exploitation of the EternalBlue SMB vulnerability, PsExec, WMI, and Admin$ shares.
User Rights Checking (Different Effect on Malware Logic): the malware looks for three different privileges to decide how to perform its actions. SeShutdownPrivilege is required to shut down the system. SeDebugPrivilege is a token field that allows the owning process to adjust the memory of other processes on the computer; this is a very powerful privilege that allows the malware to perform near system-level tasks. SeTcbPrivilege is another very powerful privilege that allows the owning process to act as part of the operating system. Based upon the overall values constructed from these checks, the malware will perform varying sets of routines.
Data Encryption: if the running user has the SeDebugPrivilege permission, the malware assumes it has administrative privileges and attempts to encrypt the drive using the known Petya code. Alternatively, if the user is not running with administrative privileges, as determined by a lack of SeDebugPrivilege, the malware uses a user-space encryption routine.
Credential Harvesting: if the variant detects that its process is running with SeDebugPrivilege, it calls a function to harvest credentials.
SMB propagation: like other recent malware, the ransomware utilizes the highly effective EternalBlue exploit for Windows SMB vulnerabilities to copy itself to other systems and execute. In addition to the SMB exploit propagation method, the malware also attempts to establish default administrative network shares (Admin$) with a call to WNetAddConnection2() using a null username and password. By using null for these two values, the network connection is made using the current user's credentials, which directly affects organizations with shared local administrator accounts. Source: https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/
Network sniffer: new malware with network sniffing capabilities is appearing, and it is probably just a matter of time before Petya type malware has this functionality too, as has already been seen in e.g. the Emotet Trojan. //
  7. Slide 7 [00:00] So, consider this… //
  8. Slide 8 [00:00] Safe harbor Imagine one of these boats had four small holes, nothing notable, it would take a needle to get through, but a hole is a hole – would you patch these small holes before going out? //
  9. Slide 9 [00:00] Real life This is the environment a boat is built to withstand. Imagine this boat has four small holes, nothing notable, it would take a needle to get through, but holes are holes – would you patch these now? The same principles can be applied to a modern device these days, with a few exceptions: safe harbor used to be "in the office" – today it is more a matter of whether the device is turned off and stowed away in a bag. The weather conditions are hardly mild these days – prepare for stormy weather! //
  10. Slide 10 [00:00] Windows as a service Predictable and clear timeframes Releases are aligned with Microsoft Office products twice a year (Spring and fall) Microsoft System Center Configuration Manager will be aligned as well, but with an additional update. //
  11. Slide 11 [00:00] Windows as a service New update options for Windows 10, version 1703 and above With the release of Windows 10, we simplified the servicing process by moving to cumulative updates, where each update released contains all the new fixes for that month, as well as all the older fixes from previous months. Today, most organizations deploy these cumulative updates when they are released on the second Tuesday of every month, also called “Update Tuesday.” Because these updates contain new security fixes, they are considered “Security Updates” in Windows Server Update Services (WSUS) and System Center Configuration Manager. Based on feedback from customers, we are making some adjustments to the updates that we are releasing for Windows 10, version 1703 (also known as the “Creators Update”). With these changes, we will routinely offer one (or sometimes more than one) additional update each month. These additional cumulative updates will contain only new non-security updates, so they will be considered “Updates” in WSUS and Configuration Manager. https://blogs.technet.microsoft.com/windowsitpro/2017/04/24/new-update-options-for-windows-10-1703/ //
  12. Slide 12 [00:00] How Microsoft Stays Up to Date Microsoft 365: Modern management and deployment https://techcommunity.microsoft.com/t5/Microsoft-Ignite-Content-2017/Microsoft-365-Modern-management-and-deployment/m-p/106056 //
  13. Slide 13 [00:00] Preparing the tackle Let's get into the tackle and cripple some attacks. Tackle (Rugby move). Most forms of football have a move known as a tackle. The primary and important purposes of tackling are to dispossess an opponent of the ball, to stop the player from gaining ground towards goal or to stop them from carrying out what they intend. https://en.wikipedia.org/wiki/Tackle_(football_move) //
  14. Slide 14 [00:00] Preparing the tackle
     Device Control
       1. Windows 10 is part of the solution (… and Windows Server 2016)
       2. Ensure regular updates - Follow Best Practice, validate and then add your own requirements
       3. Enable Modern authentication
       4. Start using Modern hardware security
       5. Start Monitoring your devices
       6. Ensure Hard disk encryption on all devices – OF COURSE!
       7. Follow Best Practice, validate and then add your own requirements
     Credential Control
       1. MFA for all users and administrators
       2. No High Risk login on mobile devices
       3. Consider Local Administrative Privileges Password Randomization (LAPS etc.)
       4. Ensure Strong Password(s) Policies – Follow Best Practice, validate and then add your own requirements
       5. Ensure to use Credential Guard or similar
     Application Control
       1. Implement Microsoft AppLocker or similar
       2. Implement Software Restriction Policies as a minimum
       3. Consider Enterprise Mode for Internet Explorer 11 Whitelisting
     Access Control
       1. Implement Just Enough Rights Philosophy - Follow Best Practice, validate and then add your own requirements
       2. Limit Remote Access to mobile devices (… and servers)
       3. Limit Remote Access to mobile devices to named Jump Station only (… and servers)
       4. Use Windows Firewall Actively – Disabled is not an option (… on servers too)
       5. Upgrade to the latest Windows 10 version and start using Application Guard and Exploit Guard //
  15. Slide 15 [00:00] Preparing the tackle
     Device Control
       1. Windows 10 is part of the solution (… and Windows Server 2016)
       2. Ensure regular updates - Follow Best Practice, validate and then add your own requirements
       3. Enable Modern authentication
       4. Start using Modern hardware security
       5. Start Monitoring your devices
       6. Ensure Hard disk encryption on all devices – OF COURSE!
       7. Follow Best Practice, validate and then add your own requirements //
  16. Slide 16 [00:00] Preparing the tackle
     Credential Control
       1. Multi Factor Authentication (MFA) for all users and administrators
       2. No High Risk login on mobile devices
       3. Consider Local Administrative Privileges Password Randomization (LAPS etc.)
       4. Ensure Strong Password(s) Policies – Follow Best Practice, validate and then add your own requirements
       5. Ensure to use Credential Guard or similar //
  17. Slide 17 [00:00] Preparing the tackle
     Application Control
       1. Implement Microsoft AppLocker or similar
       2. Implement Software Restriction Policies as a minimum
       3. Enforce Windows Defender SmartScreen
       4. Enforce User Account Control (UAC)
       5. Microsoft Edge and Enterprise Mode for Internet Explorer 11 Whitelisting //
  18. Slide 18 [00:00] Preparing the tackle
     Access Control
       1. Implement Just Enough Rights Philosophy - Follow Best Practice, validate and then add your own requirements
       2. Limit Remote Access to mobile devices (… and servers)
       3. Limit Remote Access to mobile devices to named Jump Station only (… and servers)
       4. Use Windows Firewall Actively – Disabled is not an option (… on servers too)
       5. Upgrade to the latest Windows 10 version and start using Application Guard and Exploit Guard //
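One way to check a single Windows 10 / Server 2016 host against the Petya privilege observations in note 6 and the four "tackle" slides above, as an added PowerShell audit script that is not part of the deck and not a Microsoft tool. It reads only standard registry keys, cmdlets and a secedit export; the pass/fail thresholds (SRP default Disallowed, SeDebug held by Administrators only, the legacy LAPS AdmPwd policy key) are this script's own baseline, not the deck's.

```powershell
# Added audit script (not from the deck or from Microsoft): checks a Windows 10 /
# Server 2016 host for the conditions the Petya analysis and the "tackle" slides
# call out. Only standard Windows cmdlets, registry keys and the secedit tool are used.
#Requires -RunAsAdministrator

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Area, [string]$Check, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Area = $Area; Check = $Check
                                    Status = $(if ($Ok) { 'OK' } else { 'FIX' }); Detail = $Detail })
}

# Device control: the SMB1 server EternalBlue targets should be off, patched or not.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Add-Result 'Device' 'SMBv1 server disabled' (-not $smb1) "EnableSMB1Protocol=$smb1"

# Access control: "disabled is not an option" means every profile, not just Domain.
foreach ($p in Get-NetFirewallProfile) {
    Add-Result 'Access' "Firewall profile $($p.Name) enabled" ($p.Enabled.ToString() -eq 'True') "Enabled=$($p.Enabled)"
}

# Access control: who holds the rights the malware branches on. SeShutdownPrivilege is
# held by ordinary users by design, so only SeDebug and SeTcb are worth listing.
# secedit exports the local policy as an INI file with a [Privilege Rights] section.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
foreach ($priv in 'SeDebugPrivilege', 'SeTcbPrivilege') {
    $line = Get-Content $cfg | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
    $holders = if ($line) { ($line -split '=', 2)[1].Trim() } else { '(nobody)' }
    # *S-1-5-32-544 is BUILTIN\Administrators, the default SeDebug holder; any other SID needs a review.
    Add-Result 'Access' "$priv holders reviewed" ($holders -in @('(nobody)', '*S-1-5-32-544')) $holders
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Credential control: LAPS policy in place (legacy LAPS AdmPwd key) and Credential Guard
# actually running, which is what blunts the Mimikatz-style harvesting described above.
$laps = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' 'AdmPwdEnabled'
Add-Result 'Credential' 'LAPS policy enabled' ($laps -eq 1) "AdmPwdEnabled=$laps"
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cg = [bool]($dg.SecurityServicesRunning -contains 1)   # 1 = Credential Guard in this property
Add-Result 'Credential' 'Credential Guard running' $cg "SecurityServicesRunning=$($dg.SecurityServicesRunning -join ',')"

# Application control: AppLocker only enforces when AppIDSvc runs and a collection is in
# Enabled (not AuditOnly) mode; SRP default Disallowed; SmartScreen and UAC set by policy.
$appId = (Get-Service AppIDSvc -ErrorAction SilentlyContinue).Status
$policy = try { Get-AppLockerPolicy -Effective -ErrorAction Stop } catch { $null }
$enforced = @($policy.RuleCollections | Where-Object { $_.EnforcementMode -eq 'Enabled' }).Count
Add-Result 'Application' 'AppLocker enforced' (($appId -eq 'Running') -and ($enforced -gt 0)) "AppIDSvc=$appId; enforced collections=$enforced"
$srp = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' 'DefaultLevel'
Add-Result 'Application' 'SRP default level Disallowed' ($srp -eq 0) "DefaultLevel=$srp (0=Disallowed, 262144=Unrestricted)"
$ss = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'EnableSmartScreen'
Add-Result 'Application' 'SmartScreen enforced by policy' ($ss -eq 1) "EnableSmartScreen=$ss"
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = Get-RegValue $uac 'EnableLUA'; $prompt = Get-RegValue $uac 'ConsentPromptBehaviorAdmin'
Add-Result 'Application' 'UAC on and admins prompted' (($lua -eq 1) -and ($prompt -ne 0)) "EnableLUA=$lua; ConsentPromptBehaviorAdmin=$prompt"
$results | Format-Table -AutoSize
```

A FIX row for the SeDebug/SeTcb check means a SID other than BUILTIN\Administrators holds a right that turns the non-admin encryption path into the full Petya disk encryption and credential harvesting path; trace it back to the GPO that assigned it.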
  19. Slide 19 [00:00] Preparing the tackle (DEMO) //
  20. Slide 20 [00:00] Summary //
  21. Slide 21 [00:00] Imagine you were the one… //
  22. Slide 22 [00:00] Preparing the tackle
     Device Control
       1. Windows 10 is part of the solution (… and Windows Server 2016)
       2. Ensure regular updates - Follow Best Practice, validate and then add your own requirements
       3. Enable Modern authentication
       4. Start using Modern hardware security
       5. Start Monitoring your devices
       6. Ensure Hard disk encryption on all devices – OF COURSE!
       7. Follow Best Practice, validate and then add your own requirements
     Credential Control
       1. MFA for all users and administrators
       2. No High Risk login on mobile devices
       3. Consider Local Administrative Privileges Password Randomization (LAPS etc.)
       4. Ensure Strong Password(s) Policies – Follow Best Practice, validate and then add your own requirements
       5. Ensure to use Credential Guard or similar
     Application Control
       1. Implement Microsoft AppLocker or similar
       2. Implement Software Restriction Policies as a minimum
       3. Consider Enterprise Mode for Internet Explorer 11 Whitelisting
     Access Control
       1. Implement Just Enough Rights Philosophy - Follow Best Practice, validate and then add your own requirements
       2. Limit Remote Access to mobile devices (… and servers)
       3. Limit Remote Access to mobile devices to named Jump Station only (… and servers)
       4. Use Windows Firewall Actively – Disabled is not an option (… on servers too)
       5. Upgrade to the latest Windows 10 version and start using Application Guard and Exploit Guard //
  23. Slide 23 [00:00] Thank you //
  24. Slide 24 [00:00] About :: Biography Who he is and what he does: Jesper Nielsen is a Solutions Architect and Technology Evangelist, Microsoft Most Valuable Professional (MVP) and is part of the Microsoft Partner Technology Solutions Professional (P-TSP) program. He has been working hands-on with small and large scale IT infrastructure in many different industries for more than 20 years. With a long background in supporting Windows technologies, Jesper Nielsen has designed and implemented several generations of Windows and is always happy to share his knowledge around this subject and related technologies. Jesper Nielsen is the founder of the Everything Windows User Group, Denmark, is active in the community and can often be found at user group events as both speaker and attendee. He has facilitated numerous seminars and events and has made several speaker appearances over the years, where his passionate style of delivery, combined with his sense of humor, has made him a recognized speaker. He does the work he does because he loves it, he likes the people he meets and he is always embracing the inner nerd and good presentation skills. He finished a marathon around the four-hour mark, has been a gymnastics instructor for more than 30 years, enjoys exploring technology and guiding his kids into new technologies, and is currently teaching himself C# for Windows app development. He was awarded MVP status for Windows and Devices for IT for the first time in July 2016. Find him: E-mail: j.nielsen@atea.dk Phone: +45 3078 1393 Follow him: Twitter: https://twitter.com/dotjesper/ LinkedIn: https://www.linkedin.com/in/dotjesper/ Join him: Everything User Group Denmark: http://ewug.dk //
  25. Slide 25 [00:00] References :: Links
     Emotet Banking Malware Steals Data Via Network Sniffing: www.securityweek.com/emotet-banking-malware-steals-data-network-sniffing
     Network Spreading Capabilities Added to Emotet Trojan: http://www.securityweek.com/network-spreading-capabilities-added-emotet-trojan
     Privileged Access Workstations (PAW): https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations
     Software Restriction Policies: https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
     Windows 10 User Account Control (UAC): https://docs.microsoft.com/en-us/windows/access-protection/user-account-control/user-account-control-overview
     Local Administrator Password Solution (LAPS): https://technet.microsoft.com/en-us/mt227395.aspx
     Microsoft AppLocker: https://docs.microsoft.com/en-us/windows/device-security/applocker/applocker-overview
     Windows Defender Application Guard: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview
     Windows Defender Exploit Guard: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard
     Windows Defender SmartScreen: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview
     ';--have i been pwned?: https://haveibeenpwned.com/
     Mimikatz: https://github.com/gentilkiwi/mimikatz //