SlideShare a Scribd company logo

What can you do about ransomware

Michael Gough
Michael Gough

LOG-MD Malware Archaeology What can you really do about ransomware? And how do i check my system for anything malicious.

Technology
1 of 40
Download to read offline
Ransomware and commodity malware, What can I do really to prevent it? And how do I look to see if my system has anything odd or malicious? Michael Gough – Founder MalwareArchaeology.com MalwareArchaeology.com
Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet” “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet” “Windows PowerShell Logging Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Malware Management Framework” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • @HackerHurricane also my Blog MalwareArchaeology.com
RansomeWare MalwareArchaeology.com
Ransomware • It sucks • You probably know someone or YOU have had it • It dominated the 2016 malware landscape • 500% increase the last 2 years • Estimated $1BILLION dollars ransom paid • Targets consumers • Targets business • Even targets TV’s !!! MalwareArchaeology.com
Ransomware MalwareArchaeology.com
Ransomware • Anti-Virus is failing us because it is too easy to bypass • Ransomware heavily uses scripts • AV doesn’t do scripts • Even Next Gen Endpoint solutions have had issues due to script usage • So what can we do to prevent Ransomware? MalwareArchaeology.com
Ransomware Let’s look at the flavors of Ransomware 1. Infected Attachments 2. Links to infected websites MalwareArchaeology.com
Ransomware • Malicious Attachment MalwareArchaeology.com
Ransomware • Malicious link in email or just surfing MalwareArchaeology.com
Ransomware Types • Source: Proofpoint MalwareArchaeology.com
Ransomware MalwareArchaeology.com
Ransomware • Home user rules ! They don’t backup ;-( MalwareArchaeology.com
Ransomware MalwareArchaeology.com
Ransomware • Attachments in SPAM/Phishing emails – Office Docs (.Doc, .XLS, .PPT) – PDF’s – contain links – .js, .jse, .hta, .wsf, .wsh, .PS1 – Zip files with the above attachments inside – Password protected attachments • Password is in the body (obvious indicator of BAD) MalwareArchaeology.com
Ransomware • URLs in SPAM/Phishing emails – Javascript auto downloads and executes malware • .js, .jse, .hta, .wsf, .wsh – Downloads an Office Doc (.Doc, .XLS) – Downloads a PDF – Downloads a Zip files with the above inside – Downloads a password protected attachment • Password is in the body (obvious indicator of BAD) MalwareArchaeology.com
Ransomware • Drive-by downloads – Javascript auto downloads and executes malware • All scripts • .js, .jse, .hta, .wsf, .wsh • Can download and call binary .EXE MalwareArchaeology.com
Preventing RansoWare MalwareArchaeology.com
Ransomware • Believe it or not you already have what you need to stop ransomware dead cold – For Windows • And its FREE !!!! • So how can we take the RANSOM out of Ransomware? MalwareArchaeology.com
Prevention • Don’t enable Macro’s or Content EVER!!!! In any Office Documents • Actually let’s assume you do enable content, because we can still stop ransomware • We will go after what the payload actually is and does and how Windows handles it • The file extension that is executed when the content is enabled is the key MalwareArchaeology.com
Default Programs MalwareArchaeology.com
File Type MalwareArchaeology.com
Change to Notepad • .js, .jse, .hta, .wsf, .wsh MalwareArchaeology.com
Windows Based Script Host • Get rid of it, they use it to execute crypto • Consider .vbe, .vbs, .ps1 and .ps1xml too, but this is used in corporate environments • This only affects double-clicking the file, not using the file properly (cscript bad_file.vbs) MalwareArchaeology.com
Corporate email • Drop these file types at the email gateway and you will block 90% or more of what users see that gives them ransomware • .js, .jse, .hta, .wsf, .wsh, .vbe, .vbs • No reason these will be emailed to you, if so just encrypt with a password, and do NOT include the password in the body of the message. MalwareArchaeology.com
Gaps • We are starting to see more encrypted documents, but they have the password in the body so obviously NOT secure • If a user opens the fake email and opens the file inside, then scripting can be used properly – cscript some_bad.vbs • Most will be Office documents and the Macro and/or Content must be enabled • Office 2013 and 2016 can break this FINALLY MalwareArchaeology.com
Macro Malware MalwareArchaeology.com
Group Policy for the WIN • For corporate users MalwareArchaeology.com
Or tweak the registry Office 2016 • HKCUSOFTWAREPoliciesMicrosoftoffice16.0wordsecurity HKCUSOFTWAREPoliciesMicrosoftoffice16.0excelsecurity HKCUSOFTWAREPoliciesMicrosoftoffice16.0powerpointsecur ity – In each key listed above, create this value: DWORD: blockcontentexecutionfrominternet Value = 1 Office 2013 • HKCUSOFTWAREPoliciesMicrosoftoffice15.0wordsecurity HKCUSOFTWAREPoliciesMicrosoftoffice15.0excelsecurity HKCUSOFTWAREPoliciesMicrosoftoffice15.0powerpointsecur ity – In each key listed above, create this value: DWORD: blockcontentexecutionfrominternet Value = 1 MalwareArchaeology.com
#WINNING • After adding these tweaks you will see this when you try and enable a macro and/or content • You can unblock if truly need and trusted MalwareArchaeology.com
Ransomware Prevented • If you do these simple things, which are all FREE, you will curb ransomware infections by 90-95% or more • This does not address malicious binaries .EXE files or .DLL files • Whitelisting with Software Restriction Policies or AppBlocker will be needed for this MalwareArchaeology.com
Whitelisting MalwareArchaeology.com
Software Restriction Policies • Block all executions from “C:Users*” • Block all USB executions from “E:*” MalwareArchaeology.com
Software Restriction Policies • If you set to block like I do, then when you try to launch, install or an update runs, it will fail • Generates an Event ID 866 in the Application Log • Copy the path that failed and create an exception • Be careful of over trusting generic paths • Use a * to genericize an entry C:Users* MalwareArchaeology.com
AppLocker • ONLY works in Windows Enterprise versions • Screw you Microsoft ;-( • Has an Audit only mode so can detect what would be blocked to allow you to tweak the policy before enforcing • Does Dlls • Does Scripts MalwareArchaeology.com
How to inspect a system and improve logging MalwareArchaeology.com
• The Log and Malicious Discovery tool • Audits your system and produces a report • Also shows failed items on the console • Helps you configure proper audit logging • ALL VERSIONS OF WINDOWS (Win 7 & up) • Helps you enable what is valuable • Compares to many industry standards • CIS, USGCB and AU standards and “Windows Logging Cheat Sheet” MalwareArchaeology.com
Free Edition • Collect 1-7 days of logs • Over 20 reports • Full filesystem Hash Baseline • Full filesystem compare to Hash Baseline • Full system Registry Baseline • Full system compare to Registry Baseline • Large Registry Key discovery MalwareArchaeology.com
• Over 25 reports • Interesting Artifacts report • WhoIS resolution of IPs • SRUM (netflow from/to a binary) • AutoRuns report with whitelist and MD • More Whitelisting • Master-Digest to exclude hashes and files MalwareArchaeology.com
Resources • Websites – MalwareArchaeology.com – Log-MD.com The tool • The “Windows Logging Cheat Sheet” – MalwareArchaeology.com • Malware Analysis Report links too – To start your Malware Management program MalwareArchaeology.com
Questions? • You can find us at: • @HackerHurricane • @Boettcherpwned • Log-MD.com • MalwareArchaeology.com • HackerHurricane.com (blog) • http://www.slideshare.net MalwareArchaeology.com

Recommended

Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0
Michael Gough
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
Michael Gough
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0
Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
Michael Gough
 
RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackers
Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
Michael Gough
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
Michael Gough
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCON
Michael Gough
 

Recommended

Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0
Michael Gough
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
Michael Gough
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0
Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
Michael Gough
 
RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackers
Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
Michael Gough
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
Michael Gough
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCON
Michael Gough
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
Michael Gough
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
Michael Gough
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
Michael Gough
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
Michael Gough
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015
Michael Gough
 
Logging for Hackers v1.0
Logging for Hackers v1.0Logging for Hackers v1.0
Logging for Hackers v1.0
Michael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
Michael Gough
 
Info sec is not daunting v1.0
Info sec is not daunting v1.0 Info sec is not daunting v1.0
Info sec is not daunting v1.0
Michael Gough
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
Michael Gough
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
Michael Gough
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0
Michael Gough
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1
Michael Gough
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
Michael Gough
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
Michael Gough
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOU
Michael Gough
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
Michael Gough
 
Logs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thiefLogs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thief
Michael Gough
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
Michael Gough
 
Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014
Michael Gough
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
Michael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
Michael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
Michael Gough
 

More Related Content

What's hot

Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
Michael Gough
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
Michael Gough
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
Michael Gough
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
Michael Gough
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015
Michael Gough
 
Logging for Hackers v1.0
Logging for Hackers v1.0Logging for Hackers v1.0
Logging for Hackers v1.0
Michael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
Michael Gough
 
Info sec is not daunting v1.0
Info sec is not daunting v1.0 Info sec is not daunting v1.0
Info sec is not daunting v1.0
Michael Gough
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
Michael Gough
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
Michael Gough
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0
Michael Gough
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1
Michael Gough
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
Michael Gough
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
Michael Gough
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOU
Michael Gough
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
Michael Gough
 
Logs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thiefLogs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thief
Michael Gough
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
Michael Gough
 
Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014
Michael Gough
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
Michael Gough
 

What's hot (20)

Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015
 
Logging for Hackers v1.0
Logging for Hackers v1.0Logging for Hackers v1.0
Logging for Hackers v1.0
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
 
Info sec is not daunting v1.0
Info sec is not daunting v1.0 Info sec is not daunting v1.0
Info sec is not daunting v1.0
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOU
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
 
Logs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thiefLogs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thief
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
 
Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014Malware Management - HouSecCon 2014
Malware Management - HouSecCon 2014
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
 

Viewers also liked

Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
Michael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
Michael Gough
 
2 introduccion al direccionamiento
2 introduccion al direccionamiento2 introduccion al direccionamiento
2 introduccion al direccionamiento
Alexander Hernandez
 
Técnicas para el desarrollo de malware funcionamiento de los antivirus y sandbox
Técnicas para el desarrollo de malware funcionamiento de los antivirus y sandboxTécnicas para el desarrollo de malware funcionamiento de los antivirus y sandbox
Técnicas para el desarrollo de malware funcionamiento de los antivirus y sandbox
Juan Salas Santillana
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
Michael Gough
 
Tipos de malware
Tipos de malwareTipos de malware
Tipos de malware
panda_emilly123
 
Caso Éxito SAP & Stratesys - Penguin Random House Grupo Editorial - JUL2014
Caso Éxito SAP & Stratesys - Penguin Random House Grupo Editorial - JUL2014Caso Éxito SAP & Stratesys - Penguin Random House Grupo Editorial - JUL2014
Caso Éxito SAP & Stratesys - Penguin Random House Grupo Editorial - JUL2014
Stratesys
 
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
Ryan G. Murphy
 
Où sont mes données ? | Résowest
Où sont mes données ? | RésowestOù sont mes données ? | Résowest
Où sont mes données ? | Résowest
resowest
 
Comment se protéger contre les menaces de CTB Locker (ransomware)?
Comment se protéger contre les menaces de CTB Locker (ransomware)?Comment se protéger contre les menaces de CTB Locker (ransomware)?
Comment se protéger contre les menaces de CTB Locker (ransomware)?
ATN Groupe
 
WHITE PAPER▶ The Evolution of Ransomware
WHITE PAPER▶ The Evolution of RansomwareWHITE PAPER▶ The Evolution of Ransomware
WHITE PAPER▶ The Evolution of Ransomware
Symantec
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
Priyanka Aash
 

Viewers also liked (13)

Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
2 introduccion al direccionamiento
2 introduccion al direccionamiento2 introduccion al direccionamiento
2 introduccion al direccionamiento
 
Técnicas para el desarrollo de malware funcionamiento de los antivirus y sandbox
Técnicas para el desarrollo de malware funcionamiento de los antivirus y sandboxTécnicas para el desarrollo de malware funcionamiento de los antivirus y sandbox
Técnicas para el desarrollo de malware funcionamiento de los antivirus y sandbox
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
 
Tipos de malware
Tipos de malwareTipos de malware
Tipos de malware
 
Caso Éxito SAP & Stratesys - Penguin Random House Grupo Editorial - JUL2014
Caso Éxito SAP & Stratesys - Penguin Random House Grupo Editorial - JUL2014Caso Éxito SAP & Stratesys - Penguin Random House Grupo Editorial - JUL2014
Caso Éxito SAP & Stratesys - Penguin Random House Grupo Editorial - JUL2014
 
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
 
Où sont mes données ? | Résowest
Où sont mes données ? | RésowestOù sont mes données ? | Résowest
Où sont mes données ? | Résowest
 
Risque cyber
Risque cyberRisque cyber
Risque cyber
 
Comment se protéger contre les menaces de CTB Locker (ransomware)?
Comment se protéger contre les menaces de CTB Locker (ransomware)?Comment se protéger contre les menaces de CTB Locker (ransomware)?
Comment se protéger contre les menaces de CTB Locker (ransomware)?
 
WHITE PAPER▶ The Evolution of Ransomware
WHITE PAPER▶ The Evolution of RansomwareWHITE PAPER▶ The Evolution of Ransomware
WHITE PAPER▶ The Evolution of Ransomware
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
 

Similar to What can you do about ransomware

Defending against Ransomware and what you can do about it
Defending against Ransomware and what you can do about itDefending against Ransomware and what you can do about it
Defending against Ransomware and what you can do about it
JoAnna Cheshire
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
Michael Gough
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
Michael Gough
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to be
Michael Gough
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
Sameera Amjad
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
Robert Vidal
 
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Eric Kolb
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
Touhami Kasbaoui
 
DEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wpDEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wp
Felipe Prado
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
Greg Foss
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Neel Pathak
 
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenEvaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Inman News
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
TEST Huddle
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
Zane Lackey
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
Paul Melson
 

Similar to What can you do about ransomware (16)

Defending against Ransomware and what you can do about it
Defending against Ransomware and what you can do about itDefending against Ransomware and what you can do about it
Defending against Ransomware and what you can do about it
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to be
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
 
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
DEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wpDEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wp
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
 
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenEvaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt Cohen
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 

Recently uploaded

Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Webinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data WarehouseWebinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data Warehouse
Federico Razzoli
 

Recently uploaded (20)

Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Webinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data WarehouseWebinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data Warehouse
 

What can you do about ransomware

  • 1. Ransomware and commodity malware, What can I do really to prevent it? And how do I look to see if my system has anything odd or malicious? Michael Gough – Founder MalwareArchaeology.com MalwareArchaeology.com
  • 2. Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet” “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet” “Windows PowerShell Logging Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Malware Management Framework” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • @HackerHurricane also my Blog MalwareArchaeology.com
  • 4. Ransomware • It sucks • You probably know someone or YOU have had it • It dominated the 2016 malware landscape • 500% increase the last 2 years • Estimated $1BILLION dollars ransom paid • Targets consumers • Targets business • Even targets TV’s !!! MalwareArchaeology.com
  • 6. Ransomware • Anti-Virus is failing us because it is too easy to bypass • Ransomware heavily uses scripts • AV doesn’t do scripts • Even Next Gen Endpoint solutions have had issues due to script usage • So what can we do to prevent Ransomware? MalwareArchaeology.com
  • 7. Ransomware Let’s look at the flavors of Ransomware 1. Infected Attachments 2. Links to infected websites MalwareArchaeology.com
  • 9. Ransomware • Malicious link in email or just surfing MalwareArchaeology.com
  • 10. Ransomware Types • Source: Proofpoint MalwareArchaeology.com
  • 12. Ransomware • Home user rules ! They don’t backup ;-( MalwareArchaeology.com
  • 14. Ransomware • Attachments in SPAM/Phishing emails – Office Docs (.Doc, .XLS, .PPT) – PDF’s – contain links – .js, .jse, .hta, .wsf, .wsh, .PS1 – Zip files with the above attachments inside – Password protected attachments • Password is in the body (obvious indicator of BAD) MalwareArchaeology.com
  • 15. Ransomware • URLs in SPAM/Phishing emails – Javascript auto downloads and executes malware • .js, .jse, .hta, .wsf, .wsh – Downloads an Office Doc (.Doc, .XLS) – Downloads a PDF – Downloads a Zip files with the above inside – Downloads a password protected attachment • Password is in the body (obvious indicator of BAD) MalwareArchaeology.com
  • 16. Ransomware • Drive-by downloads – Javascript auto downloads and executes malware • All scripts • .js, .jse, .hta, .wsf, .wsh • Can download and call binary .EXE MalwareArchaeology.com
  • 18. Ransomware • Believe it or not you already have what you need to stop ransomware dead cold – For Windows • And its FREE !!!! • So how can we take the RANSOM out of Ransomware? MalwareArchaeology.com
  • 19. Prevention • Don’t enable Macro’s or Content EVER!!!! In any Office Documents • Actually let’s assume you do enable content, because we can still stop ransomware • We will go after what the payload actually is and does and how Windows handles it • The file extension that is executed when the content is enabled is the key MalwareArchaeology.com
  • 22. Change to Notepad • .js, .jse, .hta, .wsf, .wsh MalwareArchaeology.com
  • 23. Windows Based Script Host • Get rid of it, they use it to execute crypto • Consider .vbe, .vbs, .ps1 and .ps1xml too, but this is used in corporate environments • This only affects double-clicking the file, not using the file properly (cscript bad_file.vbs) MalwareArchaeology.com
  • 24. Corporate email • Drop these file types at the email gateway and you will block 90% or more of what users see that gives them ransomware • .js, .jse, .hta, .wsf, .wsh, .vbe, .vbs • No reason these will be emailed to you, if so just encrypt with a password, and do NOT include the password in the body of the message. MalwareArchaeology.com
  • 25. Gaps • We are starting to see more encrypted documents, but they have the password in the body so obviously NOT secure • If a user opens the fake email and opens the file inside, then scripting can be used properly – cscript some_bad.vbs • Most will be Office documents and the Macro and/or Content must be enabled • Office 2013 and 2016 can break this FINALLY MalwareArchaeology.com
  • 27. Group Policy for the WIN • For corporate users MalwareArchaeology.com
  • 28. Or tweak the registry Office 2016 • HKCUSOFTWAREPoliciesMicrosoftoffice16.0wordsecurity HKCUSOFTWAREPoliciesMicrosoftoffice16.0excelsecurity HKCUSOFTWAREPoliciesMicrosoftoffice16.0powerpointsecur ity – In each key listed above, create this value: DWORD: blockcontentexecutionfrominternet Value = 1 Office 2013 • HKCUSOFTWAREPoliciesMicrosoftoffice15.0wordsecurity HKCUSOFTWAREPoliciesMicrosoftoffice15.0excelsecurity HKCUSOFTWAREPoliciesMicrosoftoffice15.0powerpointsecur ity – In each key listed above, create this value: DWORD: blockcontentexecutionfrominternet Value = 1 MalwareArchaeology.com
  • 29. #WINNING • After adding these tweaks you will see this when you try and enable a macro and/or content • You can unblock if truly need and trusted MalwareArchaeology.com
  • 30. Ransomware Prevented • If you do these simple things, which are all FREE, you will curb ransomware infections by 90-95% or more • This does not address malicious binaries .EXE files or .DLL files • Whitelisting with Software Restriction Policies or AppBlocker will be needed for this MalwareArchaeology.com
  • 32. Software Restriction Policies • Block all executions from “C:Users*” • Block all USB executions from “E:*” MalwareArchaeology.com
  • 33. Software Restriction Policies • If you set to block like I do, then when you try to launch, install or an update runs, it will fail • Generates an Event ID 866 in the Application Log • Copy the path that failed and create an exception • Be careful of over trusting generic paths • Use a * to genericize an entry C:Users* MalwareArchaeology.com
  • 34. AppLocker • ONLY works in Windows Enterprise versions • Screw you Microsoft ;-( • Has an Audit only mode so can detect what would be blocked to allow you to tweak the policy before enforcing • Does Dlls • Does Scripts MalwareArchaeology.com
  • 35. How to inspect a system and improve logging MalwareArchaeology.com
  • 36. • The Log and Malicious Discovery tool • Audits your system and produces a report • Also shows failed items on the console • Helps you configure proper audit logging • ALL VERSIONS OF WINDOWS (Win 7 & up) • Helps you enable what is valuable • Compares to many industry standards • CIS, USGCB and AU standards and “Windows Logging Cheat Sheet” MalwareArchaeology.com
  • 37. Free Edition • Collect 1-7 days of logs • Over 20 reports • Full filesystem Hash Baseline • Full filesystem compare to Hash Baseline • Full system Registry Baseline • Full system compare to Registry Baseline • Large Registry Key discovery MalwareArchaeology.com
  • 38. • Over 25 reports • Interesting Artifacts report • WhoIS resolution of IPs • SRUM (netflow from/to a binary) • AutoRuns report with whitelist and MD • More Whitelisting • Master-Digest to exclude hashes and files MalwareArchaeology.com
  • 39. Resources • Websites – MalwareArchaeology.com – Log-MD.com The tool • The “Windows Logging Cheat Sheet” – MalwareArchaeology.com • Malware Analysis Report links too – To start your Malware Management program MalwareArchaeology.com
  • 40. Questions? • You can find us at: • @HackerHurricane • @Boettcherpwned • Log-MD.com • MalwareArchaeology.com • HackerHurricane.com (blog) • http://www.slideshare.net MalwareArchaeology.com