ransomware detection - zeek
Post on 04-Jan-2022
Ransomware detection with Bro
Mike Stokkel
13 Sept 2016
• Who am I?
– Mike Stokkel
– Security Analyst @ Fox-IT
– Internship at Fox-IT
– Bachelor July 2016
Introduction
Introduction
• What am I going to talk about?
– Fox-IT
– Ransomware
– Bro Policy
– Results
– Demo
Agenda
Fox-IT
• Located: Delft, The Netherlands
• IT security
– Managed Security Services
– Auditing
– Cryptographic solutions
Company
Fox-IT
• Snort-based detection
• Bro
Security Operation Center
Fox-IT
Ransomware
• Malware
– Encryption
– Payment
– Decryption
• Rising concern
Explanation
Ransomware
• Process
– Master key (public and private key)
– Generating a key for the victim
– Encrypting the victim’s key
Encryption
Ransomware
• Personal Computer
– Local files
• Company
– Network Share
• To pay or not to pay?
Impact
Ransomware
• Exploit Kits
– Browser vulnerabilities
– Malicious document
– Macros
Spreading Methods
Ransomware
• Version check
• IP check
• Download ransomware payload
• Run payload
Exploit Kit
Ransomware
• Macro
• VBS script
• Download & execute payload
Malicious document
Ransomware
• TeamViewer hack
• RDP brute force
Remote desktop programs
Ransomware
• IDS
– Snort rules
• Problem
Detection Methods
Ransomware
Bro Policy
• Ransomware behavior
– SMB
• Possible solutions
– File extension listing
– Threshold SMB commands
– Command-and-Control communication
Approach
Bro Policy
• Randomness of data
• 0 – 8 bits per character
Entropy
Bro policy
• Compressed files
• Images
• Mime/Media type
What about …
Bro policy
• SMB parser
– Events
• File over new connection
• Chunk event
• SumStat
– Threshold
• Notice.log
Functions
Bro Policy
• Check for SMB traffic
• Check for certain filenames
• Check for Mime type
• Check for SMB action
• Check if SMB action equals Write
• Add File analyzer
File over new connection
Bro Policy
• Check if the offset equals 0
• Calculate entropy of data collected from the SMB write command
• Use SumStat to add +1 for the threshold
• Write to log file
• Write a Notice.log
Chunk event
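The two slides above describe the policy's core logic: on the first chunk of an SMB write, measure the entropy of the data and count high-entropy writes per host with SumStats until a threshold raises a notice. The following is an added Python model of that logic over constructed SMB write chunks; it is not the Bro policy from the talk, the threshold values are assumed, and a file-extension list stands in for the talk's mime-type exclusion of compressed files and images.

```python
import math
import random
from collections import defaultdict

# Assumed tuning values (not from the talk): bits-per-byte cut-off and how many
# high-entropy first-chunk writes a host may make before a notice is raised.
ENTROPY_THRESHOLD = 7.0
WRITE_THRESHOLD = 5
SKIP_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".png", ".gif"}  # naturally high entropy

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_suspicious_write(name: str, offset: int, data: bytes) -> bool:
    """The chunk-event checks: offset 0 only, skip excluded types, then entropy."""
    if offset != 0:
        return False
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in SKIP_EXTENSIONS:
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD

def detect(writes):
    """SumStat-style per-host counter; returns hosts that reached the threshold."""
    counts = defaultdict(int)
    notices = []
    for host, name, offset, data in writes:
        if is_suspicious_write(name, offset, data):
            counts[host] += 1
            if counts[host] == WRITE_THRESHOLD:
                notices.append(host)  # would become a Notice.log entry in Bro
    return notices

def sample_writes():
    """Constructed SMB write chunks (host, file name, offset, data); not real captures."""
    rnd = random.Random(1)
    cipher = bytes(rnd.getrandbits(8) for _ in range(4096))  # stands in for encrypted output
    text = b"Quarterly report: revenue up, costs flat, see attached tables.\n" * 64
    writes = [("10.0.0.7", f"notes{i}.txt", 0, text) for i in range(6)]      # benign host
    writes += [("10.0.0.5", f"doc{i}.locky", 0, cipher) for i in range(6)]   # ransomware-like
    writes.append(("10.0.0.5", "archive.zip", 0, cipher))   # excluded by type
    writes.append(("10.0.0.9", "big.docx", 65536, cipher))  # later chunk, ignored
    return writes
```

Running `detect(sample_writes())` reports only the host whose plain documents are being overwritten with high-entropy data; the archive and the non-initial chunk are filtered out before they can count.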
Bro Policy
Results
• Two new kinds of Ransomware
Live Testing
Bro Policy
• Two new kinds of Ransomware
– Google Chrome & Mozilla Firefox
• Encrypted cache
• Encryption tools
– TrueCrypt
– VeraCrypt
• Documents
– Printing
– Creating
Live Testing
Bro Policy
Demo
• Locky/Zepto
• Cryptowall
• CTBLocker
• Jigsaw (and all families)
• Mobef
• Shade
• Maktub
• Cerber/Alpha
• Teslacrypt
• Rokku
• Crysis
• Cerber
• Bandarchor
Samples
Demo
Thank you for having me!