
1 | © 2016, Palo Alto Networks. Confidential and Proprietary.

THREAT LANDSCAPE

Mikko Kuljukka
Systems Engineer
Palo Alto Networks

Ransomware

Bitcoin USD rates (chart)

How big of a problem?

• $1 billion in 2016

• >6 million unique samples

• >55 million sessions

• >100 families.

• Typical payment is 1 BTC; tailored for organizations.

• Targeted attacks seen, but largely victim agnostic.

AutoFocus: Ransomware Total (chart)

Why ransomware?

• Value of stolen records has declined

• Monitored by financial authorities and law enforcement

• PoS systems form a sub-set of the total target

• Motivation to pay

• Anonymity: Bitcoin and Tor

• MaaS / RaaS lowers the cost of entry, fuels the ecosystem


KeRanger

• First discovered ransomware for Mac OS.

• Authors back-doored a popular BitTorrent client for OS X in early 2016.

• It attempted to encrypt about 300 types of files after 72 hours.


Samsa / SamSam

• Targeted campaign from 2016.

• Leveraged unpatched instances of JBoss to spread.

• Ransom reached around 45 BTC (approximately $20,000).

• Almost 100 distinct samples.

• Diversifying in target verticals & attack/spread techniques.

• Profits over $500k

Cerber

• Does not run on systems whose locale is set to one of: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan

Locky

LOCKY -> JAFF (DOCM -> PDF(DOCM))

• Jaff ransomware

• Distributed through similar channels as Locky and Dridex

• Uses a different key derivation format from Locky

• Capable of offline decryption.

• DOCM file embedded in a PDF

• The PDF uses JavaScript to load the DOCM

WanaCrypt0r (Wanacry, Wcry)

• Friday May 12th, 2017

• v2.0 of WanaCrypt0r, spreading via an SMB protocol exploit

• Kill switch

• 17th May: 36 BTC (~$63k) in multiple wallets

• A ransom of ~$300 implies ~210 victims

WanaCrypt0r

• Initial attack vector indications (theories):
  • Spam and/or phishing email
  • Direct attack against MS17-010
  • RDP

• Port 445 scans on local networks and random external IP ranges
  • Checks all IPs on the class C (/24) network of each vulnerable host

• No C2 per se

• Uses the Tor network to communicate encryption keys

• DOUBLEPULSAR backdoor reportedly used to execute the malware after successful ETERNALBLUE exploitation
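The spread pattern above (a sweep of the host's own /24 on TCP/445 plus connections to random external ranges) is easy to pick out of firewall traffic logs. The script below is an added example, not part of the slides: the log format, the thresholds and the sample traffic are my own assumptions, and the sample lines are constructed.

```python
"""Flag hosts that sweep TCP/445 the way WanaCrypt0r did.

Added example, not from the slides. The log format, thresholds and
sample traffic are assumptions: each line is
'<epoch> <src_ip> -> <dst_ip>:<dst_port> <allow|deny>'.
A source that, inside one time window, contacts many distinct 445 peers
in its own /24 or touches many different /24s elsewhere matches the
pattern described above (local class C sweep plus random external ranges).
"""
import ipaddress
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>allow|deny)$"
)


def build_sample_log():
    """Constructed traffic: 10.1.2.50 sweeps its own /24 and then twelve
    other /24s (198.18.0.0/15 is a benchmarking range, used here as a
    stand-in for random Internet targets); 10.1.2.7 opens one ordinary
    file share."""
    lines = ["1000 10.1.2.7 -> 10.1.2.10:445 allow"]
    lines += [f"{1000 + i} 10.1.2.50 -> 10.1.2.{i}:445 deny" for i in range(1, 40)]
    lines += [f"{1040 + i} 10.1.2.50 -> 198.18.{i}.7:445 deny" for i in range(12)]
    return lines


def parse(line):
    """Split one log line into (ts, src, dst, port, action); None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["src"], m["dst"], int(m["port"]), m["action"]


def smb_sweepers(lines, window=60, local_threshold=20, other_threshold=10):
    """Return {src: {"local_peers": n, "other_nets": m}} for every source
    that exceeds either threshold inside a sliding window of `window` seconds.
    Denied and allowed connections both count: a worm that is blocked at the
    firewall still reveals itself by trying."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == 445:
            ts, src, dst, _, _ = rec
            events[src].append((ts, dst))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        home = ipaddress.ip_network(f"{src}/24", strict=False)
        for i, (t0, _) in enumerate(evs):
            local_peers, other_nets = set(), set()
            for ts, dst in evs[i:]:
                if ts - t0 > window:
                    break
                addr = ipaddress.ip_address(dst)
                if addr in home:
                    local_peers.add(dst)
                else:
                    other_nets.add(str(ipaddress.ip_network(f"{dst}/24", strict=False)))
            if len(local_peers) >= local_threshold or len(other_nets) >= other_threshold:
                findings[src] = {"local_peers": len(local_peers), "other_nets": len(other_nets)}
                break  # one verdict per source is enough
    return findings


if __name__ == "__main__":
    for src, detail in smb_sweepers(build_sample_log()).items():
        print(f"{src}: probable SMB worm, {detail}")
```

The thresholds are deliberately low: a workstation has no business opening file shares to twenty neighbours in a minute, and a single such alert on May 12th would have been worth far more than a signature that arrived a day later.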


WanaCrypt0r Exploit

• EternalBlue vulnerability (CVE-2017-0144) on Windows
  • SYSTEM-level remote code execution (RCE) in the handling of the Server Message Block (SMB) protocol

• Publicly disclosed in the Equation Group dump by the Shadow Brokers in their 5th leak, April 14th 2017

• Microsoft patch available in March 2017 (MS17-­010)


EternalRocks

• WannaCry exploits plus 5 more

• Sleeps for 24h and downloads Tor for C2

• No apparent kill switch

• Does not contain any malicious payload yet


Ransomware trends

• Indiscriminate high-volume / low-ransom attacks continue to be popular

• Social engineering is heavily used

• Targeted, high-value ransoms are on the rise.

• Database attacks:

• NoSQL: MongoDB’s default security settings

• SQL: MySQL, bruteforce passwords

• RaaS

• IOT on the horizon
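The two database attacks listed above work for different reasons: the MongoDB wipes hit instances that listened on every interface with authorization off, while MySQL is attacked by guessing passwords. The script below is an added example, not from the slides: it audits a mongod.conf for the first condition (weak configuration beside the hardened one) and counts failed logins per source host in a MySQL error log for the second. The config keys follow the YAML layout MongoDB documents (net.bindIp, security.authorization), the log lines follow the "Access denied for user" message MySQL writes for failed logins, and both samples are constructed.

```python
"""Audit a mongod.conf for the exposure behind the MongoDB ransom wave and
spot password guessing against MySQL in its error log.

Added example, not from the slides. Assumptions: the config uses the YAML
layout MongoDB documents (net.bindIp, security.authorization) and the
MySQL lines carry the 'Access denied for user' message the server logs
for failed logins; both samples below are constructed.
"""
import re
from collections import Counter

# Constructed: the shape of a wiped instance: every interface, no auth.
WEAK_MONGOD_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: same server, loopback only and authorization enforced.
HARDENED_MONGOD_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def mongod_findings(conf_text):
    """Return the list of problems found (empty means both checks pass).
    The two-level YAML is walked by indentation, so no YAML library is needed."""
    section, bind_ip, authorization = None, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):          # top-level key such as 'net:'
            section = line.rstrip(":").strip()
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if section == "net" and key == "bindIp":
            bind_ip = value
        elif section == "security" and key == "authorization":
            authorization = value

    findings = []
    if authorization != "enabled":
        findings.append("security.authorization is not enabled: any client that reaches the port has full access")
    listeners = [e.strip() for e in bind_ip.split(",")] if bind_ip else []
    if not listeners or any(e not in LOOPBACK for e in listeners):
        findings.append(f"net.bindIp={bind_ip or '<unset>'}: not pinned to loopback")
    return findings


# Constructed MySQL error-log excerpt: one operator typo from inside,
# then a remote host cycling through account names.
MYSQL_ERROR_LOG = ["2017-05-20T10:00:01.000000Z 12 [Note] Access denied for user 'app'@'10.1.2.7' (using password: YES)"]
MYSQL_ERROR_LOG += [
    f"2017-05-20T10:00:{2 + n:02d}.000000Z {13 + n} [Note] Access denied for user '{user}'@'203.0.113.9' (using password: YES)"
    for n, user in enumerate(["root", "root", "root", "admin", "mysql", "test", "root", "backup"])
]

ACCESS_DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")


def mysql_bruteforce(log_lines, threshold=5):
    """Return {host: (attempts, distinct_users)} for hosts at or over the threshold."""
    attempts, users = Counter(), {}
    for line in log_lines:
        m = ACCESS_DENIED_RE.search(line)
        if m:
            attempts[m["host"]] += 1
            users.setdefault(m["host"], set()).add(m["user"])
    return {h: (n, len(users[h])) for h, n in attempts.items() if n >= threshold}


if __name__ == "__main__":
    print("weak:", mongod_findings(WEAK_MONGOD_CONF))
    print("hardened:", mongod_findings(HARDENED_MONGOD_CONF))
    print("guessing:", mysql_bruteforce(MYSQL_ERROR_LOG))
```

The distinct-user count matters as much as the attempt count: one account failing repeatedly is usually a broken application, many accounts from one host is a wordlist.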


Ransomware trends and oddities

• Non-financial (coercion) ransom

• Popcorn Time

• Jigsaw

• Doxware / When backups don't matter

“Dox: search for and publish private or identifying information about (a particular individual) on the Internet, typically with malicious intent.”

Ransom note shown on the slide:

“In order to have relationship with us, and pay the ransom; must go the following steps.
1. Launch a subdomain named: killxxxxxx.xxxxxx.xxx.xx
2. Make a txt file named: Ransomware.txt including:”

Banking Trojans


Banking Trojans

• User gets infected the normal way

• Trojan starts to monitor when user visits supported sites

• Trojan captures PINs and/or uses webinjects to change or add to user’s input

• Trojan mimics the real site and “proxies” the user’s input to it


Banking Trojans

• Less money than ransomware

• Stealthier

• Needs more sophistication and customization than ransomware

• Very old strains still alive too
  • Zeus (2007)
  • Dridex (2014)
  • Ursnif/Gozi (2007)
  • Xbot (Android)


IOT


Why IOT?

• Lifecycle of a thermostat is longer than that of a laptop

• In some cases they are impossible to patch

• In most cases, no endpoint protection

• Unless the attack is destructive or impairing, users might not notice

• Owners don’t care, don’t realize the threat

• Vendors don’t care, don’t realize the threat

• Lots of default passwords because of the two points above


Botnet platforms

• Leet: 650 Gbps and 150 Mpps

• Mirai: 280 Gbps and 130 Mpps

• Easy money for the herders


IOT Ransomware


Malware delivery


Delivery methods

• Filename.pdf_______________.exe is still a good choice

• Plain purchase_order.exe files work well too

• Malicious scripts in documents that rely on user approval

• Phishing

• Exploits and exploit kits are worthwhile only for serious actors, because of the cost

• Shadow Brokers 0-day subscription service
  • $21k/month
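The first three delivery tricks above are all visible in the attachment name before anything is opened. The script below is an added example, not part of the slides: the extension lists, the padding heuristic and the sample names are my own assumptions, and it goes slightly beyond the slide by also catching the right-to-left override character, which reverses the visible end of a filename so that an .exe displays as a .pdf.

```python
"""Score attachment names against the delivery tricks listed above.

Added example, not from the slides. The extension lists, the padding
heuristic and the sample names are assumptions, and the check goes a
little beyond the slide by also catching the right-to-left-override
trick, which reverses the visible end of a filename.
"""
import re

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                  "vbs", "vbe", "wsf", "hta", "ps1", "lnk"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# '<decoy ext><padding>.<real ext>': the padding is whatever pushes the real
# extension out of the visible part of a mail client's attachment column.
DOUBLE_EXT = re.compile(
    r"\.(?P<decoy>pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)(?P<pad>[\s_\-]*)\.(?P<real>[a-z0-9]+)$"
)
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE


def classify_attachment(name):
    """Return the reasons a name looks like malware delivery; [] means clean."""
    reasons = []
    lowered = name.strip().lower()
    ext = lowered.rsplit(".", 1)[1] if "." in lowered else ""
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension .{ext}")
        m = DOUBLE_EXT.search(lowered)
        if m:
            reasons.append(f"decoy .{m['decoy']} hidden by {len(m['pad'])} padding characters")
    elif ext in MACRO_EXT:
        reasons.append(f"macro-enabled document .{ext}: runs only after the user clicks through a prompt")
    if RLO in name:
        reasons.append("right-to-left override character in name")
    return reasons


def triage(names):
    """Batch helper: {name: reasons} for every flagged name in a mail queue."""
    flagged = {}
    for n in names:
        reasons = classify_attachment(n)
        if reasons:
            flagged[n] = reasons
    return flagged


if __name__ == "__main__":
    # Constructed sample names covering each trick on the slide.
    samples = [
        "Filename.pdf_______________.exe",
        "purchase_order.exe",
        "Q3_report.docm",
        "invoice\u202efdp.exe",
        "report.pdf",
    ]
    for name, why in triage(samples).items():
        print(repr(name), "->", "; ".join(why))
```

The macro case is reported separately rather than blocked outright because the slide's point is that those documents only run with user approval; the fix there is to strip the prompt (block macros from the Internet zone), not to quarantine every .docm.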


Protection


The three threat vectors by D. Rumsfeld

Known Knowns          Known Unknowns          Unknown Unknowns
• IPS                 • Sandboxing            • Layered defence
• AV                  • User education        • Segmentation
• URLF                • Technique blocking    • Surface reduction
• Threat feeds        • Automated defences    • Behavioral analysis

PREVENTING SUCCESSFUL ATTACKS

• Complete visibility

• Reduce attack surface

• Prevent known threats

• Prevent unknown threats

Next-Gen Security Platform
