![Page 1: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/1.jpg)
György Ács
IT Security Consulting Systems Engineer
October 2016
Advanced Malware Protection
Against ransomware
![Page 2: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/2.jpg)
Agenda
• Modern malware: ransomware
• What can be done?
• Ransomware analysis examples
![Page 3: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/3.jpg)
Ransomware: Easy Profits
• Most profitable malware in history
• Lucrative: direct payment to attackers!
• Cyber-criminals collected $209 million in the first three months of 2016 by extorting businesses and institutions to unlock computer servers.
• At that rate, ransomware is on pace to be a $1 billion a year crime this year.
• Let’s take an example:
  • Looking only at the Angler exploit kit delivering ransomware
  • $60 million dollars a year in profits
• Ransomware as a Service, Tox
![Page 4: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/4.jpg)
The Evolution of Ransomware Variants
The confluence of easy and effective encryption, the popularity of exploit kits and phishing, and a willingness for victims to pay have caused an explosion of ransomware variants.
Timeline axis marked on the slide: 1989, 2001, 2005, 2006, 2007, 2008, 2012, 2013, 2014, 2015, 2016
Milestones on the axis: PC Cyborg (1989), GPCoder, Fake Antivirus, First commercial Android phone, Bitcoin network launched
Variants named, in the order laid out on the slide: PC Cyborg, GPCoder, Fake Antivirus, QiaoZhaz, CRYZIP, Redplus, Reveton, Ransomlock, Dirty Decrypt, Cryptorbit, Cryptographic Locker, Urausy, Cryptolocker, CryptoDefense, Koler, Kovter, Simplelock, Cokri, CBT-Locker, TorrentLocker, Virlock, CoinVault, Svpeng, TeslaCrypt, Lockdroid, Tox, Cryptvault, DMALock, Chimera, Hidden Tear, Lockscreen, Teslacrypt 2.0, Cryptowall, SamSam, Locky, Cerber, Radamant, Hydracrypt, Rokku, Jigsaw, Powerware, 73V3N, Keranger, Petya, Teslacrypt 3.0, Teslacrypt 4.0, Teslacrypt 4.1
![Page 5: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/5.jpg)
How Does Ransomware Work?
![Page 6: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/6.jpg)
Typical Ransomware Infection
• Problem: Customers can be taken hostage by malware that locks up critical resources – Ransomware
Stages shown on the slide:
1. Infection Vector – ransomware frequently uses web and email
2. C2 Comms & Asymmetric Key Exchange – ransomware takes control of targeted systems
3. Encryption of Files – ransomware holds those systems ‘hostage’
4. Request of Ransom – owner/company agrees to pay the ‘ransom’ (bitcoins) to free the system ($100-$1000, 0.5-1.5 bitcoin, deadline, demo files, “customer service”)
![Page 7: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/7.jpg)
Most Ransomware Relies on C2 Callbacks
Infection chain shown on the slide:
• Sources: compromised sites and malvertising; phishing / spam
• Vectors: web link, web redirect, file drop, email attachment
• Exploit kit domains: Angler, Nuclear, Rig
• Ransomware payload → C2 (malicious infrastructure) → encryption key infrastructure
![Page 8: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/8.jpg)
Most Ransomware Relies on C2 Callbacks
Columns on the slide: NAME*, DNS, IP, NO C2, TOR PAYMENT; the callback channel legible for each variant is listed below.
NAME*          C2 channel
Locky          DNS
SamSam         DNS (TOR)
TeslaCrypt     DNS
CryptoWall     DNS
TorrentLocker  DNS
PadCrypt       DNS (TOR)
CTB-Locker     DNS
FAKBEN         DNS (TOR)
PayCrypt       DNS
KeyRanger      DNS
Legend on the slide: Encryption Key, Payment MSG
*Top variants as of March 2016
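The table makes one defensive point: every top variant resolves its C2 through DNS, and a few go on through Tor, so the resolver is a natural place to block or at least see the callback. The following script is an added example written for this page, not code from the deck or from any Cisco product. It evaluates constructed resolver log records against a denylist (with proper subdomain matching), flags Tor-gateway lookups, and surfaces hosts that poll one name at a near-constant interval, which is what a payload waiting for its key looks like at the DNS layer. All host names, domains and timestamps are constructed placeholders.

```python
# Added example (not from the slide deck): DNS-layer detection of ransomware C2 callbacks.
# Every domain, host name and timestamp below is constructed for the demo; none is an
# indicator from the deck or from a real threat-intelligence feed.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DnsQuery:
    ts: float      # seconds (constructed)
    host: str      # querying endpoint
    qname: str     # queried name


# Constructed denylist standing in for a threat-intelligence feed (assumption).
C2_DENYLIST = ("c2-placeholder.example", "keyserver-placeholder.test")
# Tor and Tor-gateway suffixes: the table above shows SamSam, PadCrypt and FAKBEN
# reaching C2 over Tor, which on a corporate resolver shows up as gateway lookups.
TOR_GATEWAY_SUFFIXES = (".onion", ".onion.to", ".onion.cab", ".tor2web.org")


def domain_matches(qname: str, blocked: str) -> bool:
    """True if qname is `blocked` or a subdomain of it; never a plain substring match,
    so notc2-placeholder.example does not match c2-placeholder.example."""
    q = qname.lower().rstrip(".")
    b = blocked.lower().rstrip(".")
    return q == b or q.endswith("." + b)


def classify(query: DnsQuery) -> Optional[str]:
    """Point-of-lookup policy: return a block reason, or None to let the query through."""
    for blocked in C2_DENYLIST:
        if domain_matches(query.qname, blocked):
            return f"denylisted C2 domain {blocked}"
    if query.qname.lower().rstrip(".").endswith(TOR_GATEWAY_SUFFIXES):
        return "Tor gateway lookup"
    return None


def detect_beaconing(queries: List[DnsQuery], min_queries: int = 4,
                     max_jitter: float = 0.15) -> List[Tuple[str, str, float]]:
    """Flag (host, qname, mean_interval) pairs queried at a near-constant interval.
    A payload that has not yet received its key keeps polling C2; a low coefficient
    of variation in the inter-query gaps is the signal used here."""
    by_pair: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for q in queries:
        by_pair[(q.host, q.qname.lower())].append(q.ts)
    flagged = []
    for (host, qname), stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((host, qname, round(avg, 1)))
    return flagged


def evaluate(queries: List[DnsQuery]) -> dict:
    """Run both checks over a batch of resolver log records."""
    blocked = []
    for q in queries:
        reason = classify(q)
        if reason:
            blocked.append((q.host, q.qname, reason))
    return {"blocked": blocked, "beaconing": detect_beaconing(queries)}


# Constructed resolver log: ws-17 polls a denylisted name every 60 s, ws-09 reaches for a
# Tor gateway, ws-22 queries a look-alike name and does ordinary browsing.
SAMPLE_QUERIES = [
    DnsQuery(0.0, "ws-17", "update.c2-placeholder.example"),
    DnsQuery(60.0, "ws-17", "update.c2-placeholder.example"),
    DnsQuery(120.0, "ws-17", "update.c2-placeholder.example"),
    DnsQuery(180.0, "ws-17", "update.c2-placeholder.example"),
    DnsQuery(30.0, "ws-09", "abc123def456.onion.to"),
    DnsQuery(40.0, "ws-22", "notc2-placeholder.example"),
    DnsQuery(0.0, "ws-22", "www.example.org"),
    DnsQuery(5.0, "ws-22", "www.example.org"),
    DnsQuery(200.0, "ws-22", "www.example.org"),
    DnsQuery(260.0, "ws-22", "www.example.org"),
    DnsQuery(900.0, "ws-22", "www.example.org"),
]

if __name__ == "__main__":
    for key, hits in evaluate(SAMPLE_QUERIES).items():
        print(key)
        for hit in hits:
            print("  ", hit)
```

The suffix check in `domain_matches` is the detail that matters in practice: a substring match would block the look-alike `notc2-placeholder.example` and miss nothing, but it would also block any unrelated name that happens to contain the string, which is how resolver denylists produce false positives. The beaconing threshold (`max_jitter`) is a tuning knob; 0.15 is an assumption, not a value from the deck.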
![Page 9: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/9.jpg)
What can be done?
![Page 10: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/10.jpg)
Recommendations
1. Build User Awareness (check the sender, macros)
2. Assume That Breaches Have Taken Place (a security breach is no longer a question of “if” but “when.”)
3. Prioritize Cyber-hygiene (patch, backup!, min. privilege)
http://blogs.cisco.com/security/ransomware-the-race-you-dont-want-to-lose
FBI:
![Page 11: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/11.jpg)
Best-Practices Recommendations
• Solid patch management
• Non-native document rendering (PDF + Office)
• Users run as non-privileged users (no admin)
• Disable RDP
• Firewall enabled on endpoints
• Segmented and secured backups (tested)
• Encryption of backups and local documents
![Page 12: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/12.jpg)
Build User Awareness
![Page 13: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/13.jpg)
Cisco Ransomware Defense Solution
• Solution to Prevent, Detect and Contain ransomware attacks
Cisco Ransomware Defense Solution is not a silver bullet, and not a guarantee.
It does help to:
• Prevent ransomware from getting into the network where possible
• Stop it at the systems before it gains command and control
• Detect when it is present in the network
• Work to contain it from expanding to additional systems and network areas
• Perform incident response to fix the vulnerabilities and areas that were attacked
This solution helps to keep business operations running with less fear of being taken hostage and losing control of critical systems.
![Page 14: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/14.jpg)
Architectural Force Multiplier: Cisco Protects from the Network to the Endpoint to the Cloud
• Umbrella – Security from the cloud: blocks 95% of threats before they cause damage
• AMP – See a threat once, block it everywhere: most effective solution for known and emerging advanced threats
• Next-Gen Firewall – Prioritizes threats, automates response, improved malware protection, fully integrated management
• Email Security – On premise or in the cloud: blocks 99% of spam, 1 in 1 million false positive rate
![Page 15: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/15.jpg)
Protection against ransomware
Infection chain shown on the slide, with the protection points marked on it:
• Sources: compromised sites and malvertising; phishing / spam
• Vectors: web link, web redirect, file drop, email attachment
• Exploit kit domains: Angler, Nuclear, Rig
• Ransomware payload → C2 (malicious infrastructure) → encryption key infrastructure
Protection points marked on the slide:
• Blocked by DNS Security
• Blocked by Cisco AMP for Endpoints or Network
• Blocked by Email Security
![Page 16: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/16.jpg)
AMP: Advanced Malware Protection
Host-based AMP – AMP for hosts: desktop (Win, MAC, Linux) and mobile devices (Android)
• Small agent
• Monitors file access (move/copy/execute)
• Gathers features (fingerprint & attributes)
• Retrieves the file’s disposition (clean, malware, unknown)
Network-based AMP – Firepower or ASA FirePower Services, Firepower Management Center
• No agent needed
• AMP Malware license
Private Cloud / SaaS Manager
TALOS
![Page 17: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/17.jpg)
The AMP Everywhere Architecture
• AMP Threat Intelligence Cloud
• AMP for Endpoints: Windows OS, Android Mobile, Virtual, MAC OS, CentOS, Red Hat Linux for datacenters
• AMP for Endpoints on Remote Endpoints: AMP for Endpoints can be launched from AnyConnect
• AMP on Web & Email Security Appliances
• AMP on Cisco® ASA Firewall with Firepower Services
• AMP Private Cloud Virtual Appliance
• AMP on Firepower NGIPS Appliance (AMP for Networks)
• AMP on Cloud Web Security & Hosted Email (CWS/CTA)
• Threat Grid: Malware Analysis + Threat Intelligence Engine
• AMP on ISR with Firepower Services
AMP Protection across the Extended Network for an Integrated Threat Defense
![Page 18: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/18.jpg)
Plan A: The Protection Framework
Detection layers on the slide:
• 1-to-1 Signatures
• Fuzzy Finger-printing, Ethos
• Machine Learning, Spero
• Advanced Analytics
• IOCs
• Dynamic Analysis
• Device Flow Correlation
• Reputation Filtering and File Sandboxing
All prevention solutions < 100% protection
![Page 19: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/19.jpg)
Plan B: Retrospective Security
• When you can’t detect 100%, visibility is critical
Antivirus / Sandboxing – Point-in-time Detection:
• Initial Disposition = Clean
• Analysis Stops
• Actual Disposition = Bad = Too Late!!
• Blind to scope of compromise
• Not 100%: Sleep Techniques, Unknown Protocols, Encryption, Polymorphism
Cisco AMP – Retrospective Detection, Analysis Continues:
• Initial Disposition = Clean
• Actual Disposition = Bad = Blocked
• Turns back time
• Visibility and Control are Key
![Page 20: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/20.jpg)
Ransomware analysis examples
![Page 21: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/21.jpg)
CryptoLocker
![Page 22: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/22.jpg)
Cryptolocker
• CryptoLocker propagated via infected email attachments and via an existing botnet
• The malware encrypts certain types of files stored on local and mounted network drives using RSA
• The private key is stored only on the malware's control servers
![Page 23: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/23.jpg)
![Page 24: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/24.jpg)
Cryptolocker in Feb 2016 – device trajectory
Files renamed with a ".pdf.encrypted" extension
![Page 25: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/25.jpg)
It connected to 37.139.47.101:443; this IP has been related to Cryptolocker.
![Page 26: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/26.jpg)
Retrospective alert
Chrome downloaded an executable file which was then executed by explorer.exe. The name of the executable, au_post_(rand).exe, seems suspicious. The disposition was unknown.
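The device-trajectory and retrospective-alert slides show the mechanism behind "Plan B": the executable's disposition was unknown when it ran, so a point-in-time verdict lets it through, and only a later verdict change turns the recorded history (renames to .pdf.encrypted, the 37.139.47.101:443 connection) into an alert with the scope of compromise. The engine below is an added example written for this page, not AMP's code: it records every event as it arrives, blocks only hashes already known bad, and when a disposition later flips to malicious it walks back through each affected host's trajectory. Event records, host names and the file hash are constructed placeholders; the extension and the IP:port are the ones on the slides.

```python
# Added example (not from the slide deck): retrospective detection over a device
# trajectory. Event records, host names and the file hash are constructed; the
# ".pdf.encrypted" extension and the 37.139.47.101:443 connection come from the slides.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    ts: int
    host: str
    kind: str            # "download" | "exec" | "rename" | "connect"
    sha256: str = ""     # set on download/exec
    detail: str = ""     # parent process, new file name, or dst ip:port


@dataclass
class Trajectory:
    """Everything a host did, kept even while nothing looked bad at the time."""
    events: List[Event] = field(default_factory=list)


class RetrospectiveEngine:
    def __init__(self) -> None:
        self.trajectories: Dict[str, Trajectory] = defaultdict(Trajectory)
        self.dispositions: Dict[str, str] = {}   # sha256 -> clean | unknown | malicious

    def ingest(self, ev: Event) -> Optional[str]:
        """Point-in-time decision: only an already-known-bad hash is blocked now.
        The event is recorded regardless, which is what makes the second step possible."""
        self.trajectories[ev.host].events.append(ev)
        if ev.kind == "exec" and self.dispositions.get(ev.sha256) == "malicious":
            return f"blocked exec of {ev.sha256[:8]} on {ev.host}"
        return None

    def update_disposition(self, sha256: str, verdict: str) -> List[dict]:
        """Retrospective step: a verdict flipping to malicious re-opens the history
        of every host that already ran the file and reports the scope of compromise."""
        previous = self.dispositions.get(sha256, "unknown")
        self.dispositions[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return []
        return [self.scope_of_compromise(host, sha256)
                for host in sorted(self.trajectories)
                if self._executed(host, sha256)]

    def _executed(self, host: str, sha256: str) -> bool:
        return any(e.kind == "exec" and e.sha256 == sha256
                   for e in self.trajectories[host].events)

    def scope_of_compromise(self, host: str, sha256: str) -> dict:
        """Walk the trajectory from the first execution forward: renamed files,
        new extensions and outbound connections are what an analyst needs first."""
        evs = sorted(self.trajectories[host].events, key=lambda e: e.ts)
        first_exec = next(e.ts for e in evs if e.kind == "exec" and e.sha256 == sha256)
        after = [e for e in evs if e.ts >= first_exec]
        renamed = [e.detail for e in after if e.kind == "rename"]
        # "q1-report.pdf.encrypted" -> "pdf.encrypted": everything after the first dot
        extensions = sorted({n.split(".", 1)[1] for n in renamed if "." in n})
        return {"host": host, "first_exec": first_exec,
                "renamed_files": len(renamed), "new_extensions": extensions,
                "connections": [e.detail for e in after if e.kind == "connect"]}


# Constructed hash standing in for the sample's SHA-256 (placeholder).
SAMPLE_SHA256 = "0" * 64
# Constructed trajectory modelled on the slides: browser download, execution via
# explorer.exe, callback to the IP the slide ties to Cryptolocker, then renames.
SAMPLE_EVENTS = [
    Event(100, "ws-01", "download", SAMPLE_SHA256, "chrome.exe"),
    Event(101, "ws-01", "exec", SAMPLE_SHA256, "explorer.exe"),
    Event(102, "ws-01", "connect", "", "37.139.47.101:443"),
    Event(103, "ws-01", "rename", "", "q1-report.pdf.encrypted"),
    Event(104, "ws-01", "rename", "", "invoice.pdf.encrypted"),
    Event(105, "ws-01", "rename", "", "notes.pdf.encrypted"),
    Event(110, "ws-02", "exec", SAMPLE_SHA256, "explorer.exe"),
    Event(111, "ws-02", "rename", "", "budget.xlsx.encrypted"),
    Event(120, "ws-03", "exec", "1" * 64, "explorer.exe"),   # unrelated binary
]


def run_demo() -> Tuple[RetrospectiveEngine, List[dict]]:
    """Feed the events while the hash is still 'unknown', then flip the verdict."""
    engine = RetrospectiveEngine()
    for ev in SAMPLE_EVENTS:
        engine.ingest(ev)           # nothing is blocked at this point
    return engine, engine.update_disposition(SAMPLE_SHA256, "malicious")


if __name__ == "__main__":
    for finding in run_demo()[1]:
        print(finding)
```

The point the slides make about point-in-time tools is visible in `ingest`: every call returns None while the verdict is unknown, exactly as on the real endpoint. What distinguishes the retrospective design is that the events are still there when `update_disposition` runs, so the same engine can name both hosts that executed the file and how many files each had renamed since.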
![Page 27: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/27.jpg)
![Page 28: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/28.jpg)
![Page 29: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/29.jpg)
Artifacts – DNS traffic
![Page 30: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/30.jpg)
OpenDNS – AMP Threat Grid Collaboration
![Page 31: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/31.jpg)
Angler exploit kit, Teslacrypt, Cryptowall
http://blog.talosintel.com/2015/12/cryptowall-4.html
![Page 32: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/32.jpg)
Angler infrastructure
• Angler
  • 90,000 victims daily
  • 40% “success” rate
  • 62%: ransomware (Cryptowall + Teslacrypt)
  • A few Day0’s (zero-days)
  • Targets IE, not Chrome
• RIG (webzilla)
• Nuclear:
  • domain shadowing
  • HTTP 302: URL redirect
  • Referer checking
Adobe Flash, Silverlight, …
Redirect to Proxy Server
![Page 33: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/33.jpg)
TeslaCrypt
• Imitates CryptoLocker screen
• Pay in Bitcoin
• Asymmetric (RSA-2048) keys are not used
• Encryption: AES CBC 256-bit
![Page 34: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/34.jpg)
TeslaCrypt: Victory
• TeslaCrypt 0.x - Encrypts files using an AES-256 CBC algorithm
• TeslaCrypt 2.x - Same as previous versions, but uses EC to create a weak
Recovery key. The application is able to use factorization to recover the
victim's global private key.
• TeslaCrypt 3 & 4 - The latest versions. Able to decrypt thanks to the C&C
server EC private key which was recently released.
http://www.talosintelligence.com/teslacrypt_tool/
![Page 35: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/35.jpg)
t.exe -> calc.exe
![Page 36: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/36.jpg)
Vssadmin: delete shadow copy
![Page 37: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/37.jpg)
C2 communication
![Page 38: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/38.jpg)
Cryptowall
• Version 4: deletes all shadow copies, encrypts the filenames
• 2048 byte RSA public key encryption
• Decryption software's initial price: $500
• If it cannot retrieve the public RSA encryption key from the C2 server it will not "harm" the victim's computer.
• Excludes certain regions from infection (Russia + …)
![Page 39: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/39.jpg)
Cryptowall: File encryption
Victim directory listing shown on the slide:
15/10/07 12:39 <DIR> .
15/10/07 12:39 <DIR> ..
15/10/07 12:36 78,971 1.jpg
15/10/07 12:39 154,330 2.jpg
15/10/07 12:36 123,240 3.jpg
…
Per-file scheme shown on the slide:
• 1.jpg is encrypted with a temporary AES-256 key
• the temporary AES-256 key is encrypted with the RSA public key (from C&C server)
• output file random.xyz = Encrypted AES256 key + Other data + Encrypted 1.jpg
Temporary AES key can only be decrypted with the private RSA key.
![Page 40: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/40.jpg)
Word creates and executes an exe
![Page 41: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/41.jpg)
Accesses Wordpress -> process injection
![Page 42: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/42.jpg)
![Page 43: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/43.jpg)
Locky / Zepto
http://blog.talosintel.com/2016/06/gotta-be-swift-for-this-spam-campaign.html
![Page 44: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/44.jpg)
Locky
• Email / phishing [137,731 emails per 4 days]
• Spam spike -> spam level like in 2010
• Doc or Javascript attachment: swift [XXX|XXXX].js (X: numbers)
• Please allow macro: “if the data encoding is incorrect.”
• Deletes shadow copies; 'wscript.exe' sends HTTP GET requests to C2 domains
• Extension: .locky
• RSA and AES algorithms (Windows CryptoAPI)
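The behaviours named on the Locky slide and on the Cryptowall/TeslaCrypt analysis slides (Word creating and executing an exe, wscript.exe running a .js attachment and talking HTTP to C2, vssadmin deleting shadow copies) are process-lineage signals an endpoint sensor sees before any file is encrypted. The rules below are an added example written for this page, not a product's detection content. They run over constructed, Sysmon-like process events; the field names, host names and the C2 URL are assumptions, not indicators from the deck; the attachment-name pattern and the vssadmin command shape follow the slides.

```python
# Added example (not from the slide deck): endpoint detection rules for the behaviours
# the Locky, Cryptowall and TeslaCrypt slides describe. Event records are constructed
# and Sysmon-like; the field names and the C2 URL are assumptions, not indicators
# from the deck.
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Locky slide: attachment named "swift <3 or 4 digits>.js"
LOCKY_ATTACHMENT = re.compile(r"^swift \d{3,4}\.js$", re.IGNORECASE)
# Shadow-copy deletion as seen on the TeslaCrypt / Cryptowall / Locky slides
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    ts: int
    host: str
    image: str          # lower-case basename of the started process
    parent: str         # lower-case basename of its parent
    cmdline: str = ""
    dst_url: str = ""   # set when the process makes an outbound HTTP request


def is_locky_attachment(name: str) -> bool:
    return bool(LOCKY_ATTACHMENT.match(name.strip()))


def rule_office_spawns_exe(ev: ProcEvent) -> Optional[str]:
    """'Word creates and executes an exe': an Office parent starting a non-Office binary.
    Real deployments allow-list known helpers (printer drivers, updaters) here."""
    if ev.parent in OFFICE_APPS and ev.image.endswith(".exe") and ev.image not in OFFICE_APPS:
        return f"office app {ev.parent} started {ev.image}"
    return None


def rule_script_host_http(ev: ProcEvent) -> Optional[str]:
    """wscript.exe (running a .js attachment) issuing HTTP requests, as Locky does."""
    if ev.image in SCRIPT_HOSTS and ev.dst_url.lower().startswith(("http://", "https://")):
        attachment = re.search(r'([^\\"]+\.js)"?\s*$', ev.cmdline)
        hint = ""
        if attachment and is_locky_attachment(attachment.group(1)):
            hint = " (Locky-style attachment name)"
        return f"{ev.image} requested {ev.dst_url}{hint}"
    return None


def rule_shadow_copy_delete(ev: ProcEvent) -> Optional[str]:
    """vssadmin delete shadows removes the local copies that would allow recovery."""
    if SHADOW_DELETE.search(ev.cmdline):
        return f"shadow copies deleted by {ev.parent} -> {ev.image}"
    return None


RULES: List[Tuple[str, Callable[[ProcEvent], Optional[str]]]] = [
    ("office_spawns_exe", rule_office_spawns_exe),
    ("script_host_http", rule_script_host_http),
    ("shadow_copy_delete", rule_shadow_copy_delete),
]


def run_rules(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (rule, host, message) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((name, ev.host, msg))
    return hits


# Constructed events: one Office-spawned exe, one script host calling out after opening a
# Locky-style attachment, one shadow-copy deletion, plus two benign events as controls.
SAMPLE_EVENTS = [
    ProcEvent(1, "ws-05", "winword.exe", "explorer.exe", 'WINWORD.EXE "C:\\Users\\u\\invoice.doc"'),
    ProcEvent(2, "ws-05", "invoice_4412.exe", "winword.exe", "invoice_4412.exe"),
    ProcEvent(3, "ws-06", "wscript.exe", "explorer.exe",
              'wscript.exe "C:\\Users\\u\\Downloads\\swift 8271.js"',
              dst_url="http://c2-placeholder.example/upload/"),
    ProcEvent(4, "ws-06", "vssadmin.exe", "cmd.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(5, "ws-07", "vssadmin.exe", "cmd.exe", "vssadmin.exe list shadows"),   # admin use
    ProcEvent(6, "ws-07", "chrome.exe", "explorer.exe", "chrome.exe", dst_url="https://www.example.org/"),
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
```

The shadow-copy rule is the one with the best signal-to-noise in most environments: `vssadmin list shadows` is routine administration and is deliberately left alone, while `delete shadows` immediately before mass file writes is the sequence the slides show for three different families.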
![Page 45: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/45.jpg)
![Page 46: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/46.jpg)
One more thing ...
![Page 47: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/47.jpg)
Host Analysis
![Page 48: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/48.jpg)
Retrospective Alert
![Page 49: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/49.jpg)
Result of Dynamic Analysis
![Page 50: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/50.jpg)
Summary
![Page 51: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/51.jpg)
AMP and Ransomware
• Most profitable malware, targeting corporates
• Main goal: focus on protection, but quick detections and countermeasures [retrospective analysis] can minimize the costs.
• AMP: Time-to-detect [TTD] 13 hours vs 100-200 days
• NSS Labs: 91.8 % [>3 min]
![Page 52: Advanced Malware Protection Against ransomware](https://reader034.vdocument.in/reader034/viewer/2022042707/58a305bc1a28ab02228bbf07/html5/thumbnails/52.jpg)