
I'm Ryan. I work at Carbon Black; you guys have probably heard of that company, we have a couple of cool tools. To give you an idea of what we're going to be talking about today: it's kind of an extension of two of the other talks, the last one on malware pipelining and the one before that, which dealt with ransomware. The difference between the talks is that I'm going to show you both an attack and a defense that you can repeat. I'm not going to be responsible for what you do with it, but you're going to have some ways to play. I'm also going to be able to skip over a bunch of the beginning stuff about what ransomware is and whatnot, because we've already talked about it a bit. And now my slides are actually going to work. Awesome.

So welcome to the presentation. I currently run security operations for Carbon Black. As a disclaimer, some of the screenshots in here do have the company's products in them, but that's mostly because I don't have to pay to use them and they work pretty well. I promise you no one in marketing has seen this, or HR, as you'll find out, so you don't have to worry about that kind of stuff. I'm going to give you guys an overview really quickly of what I do, some of the uses, why I can talk about some of this stuff, as well as show you the entire attack chain from once you get onto the system. I left out the actual exploitation portion of the attack, because then I'm really going to be responsible for doing terrible things, so I only want to show you the parts that you'll have to work on to reproduce. The specific variant that I'm going to be talking about is CryptoLocker version 1, and that's particularly because I only have time to go over one variant; I'm time-boxed.

So, first of all, as I said, I run security operations. I've been doing threat research and forensics on Linux, Mac and Windows for probably ten-plus years now. Some of my daily responsibilities now, as the main security engineer for the company: I do a lot of the architecting of the solutions, but I also like to go to the dark places on the internet and poke them with a stick, and I've been able to actually implement a bunch of that into the products. Speaking of the ransomwares, I actually invented a way to block the infection of CryptoLocker versions 1, 2 and 3 from actually happening on the system. I can talk a bit more about that later, because it's not particularly related to this, but I'm sure we can find a beer somewhere and talk about it. This is how I'd describe my job: not only do we eat our own dog food, but we also clean up after it. I highly suggest you do the same with any technologies that you guys use.

But first and foremost, I'll jump through this real quick: what is ransomware? The basic definition: ransomware blocks you from being able to utilize your system in one fashion or another. It encrypts files, it will block processes from running, it has a whole bunch of things that it can do. It mostly made the news because of the encryption aspect of the ransomware. Previous versions were really more crap where it was a joke, right? You had a nice pop-up on your screen; they told you that you'd looked at something terrible and you needed to pay the money or they were going to tell everyone. You could go kill the process in Task Manager, reboot your system, clean the files, and it was like nothing ever happened. That's no longer the case. The things that ransomware can do to your system are pretty numerous: they demand money, all kinds of other good things. But by far and away the most evil thing I've seen ransomware do is make you complete surveys in order to get your stuff unlocked. That is one devious, maniacal d-bag for sure. Oh, just as we were talking about the malware pipeline: I have one that I built, and I was trying to figure out why the execution wouldn't finish for about 10,000 runs of a file. It kept stopping every couple of runs, and I finally viewed it live, and it was because it was trying to get my automated system to complete a survey. Always good stuff.

So, skipping through that, I'm going to skip into what vshadow is. This also got brought up during the ransomware topic, because one of the things that ransomware does is it goes in and removes your volume shadow copies, your actual shadow copies on the system, by using vshadow or vssadmin or one of the other tools that ends up actually interacting with and managing the shadow copies on your system. For those of you who don't know what shadow copies are, those are backups of your files. Probably everyone has seen this properties screen before; sometimes when your Office application crashes you'll have those backup recoverable files, and then if you click on that document that crashed, sometimes it'll have previous versions saved and you can restore from those previous versions. That's the most common use. vshadow is the command-line tool that you use to interface with these shadows, and it's a tool made by Microsoft that is available after Windows XP, pretty much available for all the systems. You can get a bunch of different emulators; they have a 32-bit and a 64-bit version in order to work on the different systems. But prior to that this wasn't available as an attack vector, because it wasn't actually built into XP, I think, until after Service Pack 3, like Vista was already out, and then they backported a lot of it. The reason why we bring up why this is so interesting is because vssadmin is a Microsoft-signed binary, so the attackers are leveraging legitimately signed binaries in their attack, which makes them look even more like legitimate behavior on your system: much harder to detect, much harder to defend against. And because you're using a legitimate workflow to go through the attack, you can take different vectors to get to the same legitimate execution, and
it gives the attackers a lot more flexibility in what they're going to do. So I'm going to show you guys how to use Microsoft against itself. We're going to break some stuff. As the disclaimer said, please use your best judgment, but let's break something.

All right, the variant of CryptoLocker that I'm going to talk about is specifically known for deleting the volume shadow copies, and this basically stops you from restoring from backup locally on the system. This is all going to be aimed towards if you had a ransomware infection on Grandma Jo's system (I like that name, I'm going to keep using that one), not in your enterprise, for this first portion. So I'm only going to be looking at tools that are available to you on Grandma Jo's system.

All right. I've observed a lot of various techniques utilizing volume shadows lately; it's been for avoiding detection and what's called anti-analysis or anti-forensics. As was spoken about in our pipeline talk, attackers are putting different code into their malware in order to avoid being analyzed or found. The difference between something like this from an anti-forensics angle versus using the red pill type code snippet is that this isn't trying to hide from virtualization; this is trying to hide from incident responders, your CERT team, the person who's going to go onto a system that you already know is compromised, because you've been alerted somehow, some way. They are trying to hide the file system artifacts as well as the trail to where the infection actually lives.

The technique that I'm going to show you is a four-part technique. I'm skipping over the exploitation stage and going right into it: the attackers drop the malware onto the file system via whatever infection mechanism they want; they create a volume shadow; they then mount the shadow and execute the malware; and then they unmount and delete the shadow. What this does is, after unmounting and deleting the shadow, the executed malware is still running. So I'll show you how that kind of attack works. Basically what we're doing is removing file system artifacts, so if you drop this into a copy of EnCase or something like that, you're not going to have file system artifacts to work with to do that audit trail or the forensic analysis.

First and foremost, we've got to create a shadow. So what we do here is we end up running the vshadow executable with the -p option. What this is doing is pointing at the source that you're going to end up copying and creating the shadow of; in this case we're saying the root C: directory. You can make this whatever file path you want; I'm doing it to make it simple and short. What we're doing there is we're mounting this, and now we have basically created a persistent shadow of the full C: drive. There's a bunch of links in it now, so what is C:\malware\badguy.exe is now mountable in different places in the file structure, in your entire directory tree pretty much; you can choose wherever you want to go. One of the things to pay attention to here is the shadow name (I realize I pointed at the screen; you can't see what I point at). The shadow name, I named, you know, Volume Shadow Copy 3. The reason I bring this up is that this is basically the identifier for the rest of the attack, so you know we're working with the same stuff.

So what we do next is we mount the shadow with the mklink command. Once again, this is creating those links, the pointers between what actually exists on the file system and what exists inside the shadow. The next thing that we're doing is we are now taking that shadow and we're creating a new directory in the System32 directory called msdc. If you guys are doing an analysis on a system and you saw something running out of System32\msdc, you'd probably think it's Microsoft-related, right? Normally when you're going through the file system you're looking for low-hanging fruit, what doesn't really look normal; this is going to end up off of your shortlist for the first run a lot of the time. It looks pretty legitimate. What we're doing here is we're creating a symlink between this new directory that we just created in System32 and that shadow copy of the root C: directory. The malware, the binary, is now placed in the root of the shadow, so inside the shadow copy C:\malware.exe is the actual legitimate path of this. However, because of the links that we created, when you look at it in Task Manager, or you're looking at it in the command prompt to see where stuff is coming from, it now looks like it's running out of System32\msdc. In this case I made the binary be called malware.exe; I actually just cloned cmd.exe and renamed it. It's just a binary; we could have made it do whatever we wanted.

Once the symlink is created, the contents of the shadow are accessible via normal file system operations, so once again you can dir the directory, you can interact with it through other scripts and applications. This makes it look like it exists just as if it was actually running on your file system and not inside the shadow. So what we're doing here is I'm going to actually execute this malware and make it run. I'm doing all this graphically; this would all be done via a script, but that's not as much fun to see, and also I get to make more arrows, and I really like this.

Once the file system setup is in place, the malware is started just like any other executable. You can kick that off any way you want: through a command shell, double-clicking it, there's a million ways to execute stuff. When the malware is started and is shown in a tool like Process Explorer, or in this case we're looking at Task Manager, it shows that it's actually running out of System32\msdc\malware.exe, which as we know doesn't really exist, because we just created it for the shadow. This does not exist on the file system; there are no file system artifacts for it. It's a link; it does not exist. So the path, as we're saying, doesn't really look that suspicious at first glance (pretend it's not called malware.exe), but it looks very legitimate at that time.

Once the malware is started, the attacker can unmount and delete the shadow, and the malware will continue to run. The attacker wants to remove as much forensic evidence as possible so they will remain persistent and undetected. One of the downsides of this technique is if they decide to reboot the system, the malware goes away, because at this point it is only running in memory. Because they have now unmounted the shadow and deleted the shadow, the file system artifacts are gone; it is all in memory at this point. The technique is a nice hiding mechanism, throws in a little anti-forensics, will really piss off investigators, and is really commonly seen against server architecture, not specifically Grandma Jo's system, because that's a one-off. It's not really worth using this giant exploit in this really cool way to hide when they can just drop a normal binary on it, because she'll never know what to look for. So in this case you're looking specifically to put this on systems that are not often rebooted. Financial institutions were talked about a lot today; a lot of their trading platforms, anything that's high-frequency trading, mainframes that have the Windows plugins and attachments with them, those are also really popular for these kinds of things. So we're going to go over a little bit of
the visibility, you know, what happened on the system. For these next couple of steps I'm going to do a mix of what you see on the actual system versus what I can see in an IR tool that I was using. You can interchange this section with any IR tool you want to use that has visibility into both the file system and memory. So we're going to answer two questions here: what happened on the host, from the host's point of view, and what happens on the host when you're actually doing IR on the system. Keep in mind that the two main things that we're doing here are visibility and accountability, and the more you increase your visibility, the tighter the loop gets around your actual target. Now you can account for who did what and when, and that's what we're going to try and answer.

So you don't have to memorize this slide (there will be a test later, though), but this is just to give you an idea. These are all the different artifacts that we get to look at and play around with. The reason I bring this up first and foremost is so you have an idea. You don't have to look at the very specifics, just look at the title lines, right: multiple files were written, multiple files read, new processes spawned, the registry was touched. It did a ton of crap on that system, pretty much, right? Very, very noisy. But how would we know that if everything ran out of the shadow? We don't. So let's look at what happens from these different viewpoints.

First and foremost, the IR tool. Once again, yes, the company that I work for makes this tool; I'm not marketing it, I get it for free, so I get to play with it. Process trees: when you're doing IR you're going to want to build this out anyway, manually. I have a nice pretty graphic; it did it for me, sweet. But you can do this with command-line tools as well; there's a bunch of free options you can use. Google for "IR tools free", "free IR tools". There's another one you can do: "process analysis trees" or "visualizing process analysis"; those are good keywords to search for some free tools that will actually build something very similar. There's actually a tool by a guy who works for Google; I was on the Forensic Lunch, if any of you have watched that podcast, we were both on at the same time, and he has a freeware one that's up on GitHub. If you remind me later I'll find what the link is for you and give you that, so you don't have to pay to play here.

In our initial investigation we can see that the process tree of this file, based on the alert that I would get that led me to this, is that vssadmin.exe execution, and that's the thing that I really care about, because that doesn't happen very often on endpoint systems. Enterprise-grade backup solutions don't use vssadmin, right? They're very particularly, usually, targeted towards your NAS or your servers, and those will have proprietary products on them for the backing up. What I'm able to do here is backtrack from vssadmin all the way up to the originating file and process that kicked off this entire tree. In this case you can see that it's a .exe with a really long name, because I downloaded it from VirusShare, which was already mentioned; marcom is also a cool one. I have a giant list; I know there are some students in here, so ping me later and I'll give you a list of tools that are all free that you can use to build your own malware lab, but I'm not responsible for what you do with it. One of the very interesting things you can see is that icon at the beginning on the left: that's a PDF icon, but it's an executable. So already in the attack, for how they got dropped onto the system, they tried to obfuscate their origination; they pretended they were a PDF, they are really a binary, and they executed and drove this whole tree forward.

One of the other nice things that was also spoken about was VirusTotal. They have an API, which is great. There's another GitHub project, I think it's called virustotal uploader; somebody already built the API Python script for you, and all you have to do is download that package, drop in your actual API key, and then you can start submitting things and also querying VirusTotal for hashes you find. That is free and is a really cool tool to help you start doing some automation for actually analyzing systems, seeing if anybody found this stuff before, and if so it'll give your reports back and print them to a nice CSV. What I have here is the equivalent of that, where I submitted this hash to VirusTotal and it came back with a score of 43. We should probably look at that, right? That's not really something you want there, ever; that's just really, really bad. And keep in mind VirusTotal right now only has 56 AVs that it goes through, so 43 out of 56, it's probably bad. I downloaded it from said VirusShare, and I downloaded one that I knew had a high VirusTotal hit in order to make the nice pretty pictures, but you're going to get different scores. The big thing here is, you know, following your intuition. One of the things with IR is everybody's trying to bucket things and create fundamental processes and structure, and that's great, but it's also similar to forensics where it's a bit of art mixed in with science. The best way to learn is to do it over and over and over again until you start seeing the patterns. So this is one of the things that's a nice cheat sheet, but it doesn't actually give you any extra knowledge and help going forward.

So let's look at what the binary did. That actually displays pretty decently. Above we can see I bucketed what it did to the file system, three groups here. Processes that it spawned: that originating process ended up spawning a child process, and that child process spawned two other child processes, so now we have the originating process all the way down to the grandchildren processes. This is one of the things that's really hard to automate when you're looking for basically the execution chain, or kill chain, however you want to describe it. Kill chain is also interchanged with the attack chain that happens, so, you know, it depends what terminology you use. The reason why that really matters, and actually this has been a theme so far in the conversations, is behavioral analysis versus looking just at the single infection vector. You want to see what chains off of it, what creates the child processes, what the child processes touch, because these days the originating process usually isn't the one doing the damage, and that makes it much harder to find with different IR tools and security tools that do a lot of scanning. There's a lot of scan-based stuff, and if you're not watching the entire time you miss the creation of child processes and being able to actually find root cause for when one of these goes off.

Another thing that happens here is registry mods. So as we know, and we spoke about earlier today with the ransomware, Maki and CryptoLocker and a few other variants (I think CryptoWall was another one) end up writing things to the registry. Usually it has two or three registry keys. The first registry key is it ends up adding an entry to either the Run or RunOnce registry value; those are run at login on a system, and what that does is it gives you consistent persistence. You can shut down the computer, you can have AV try to delete the original files, but when you reboot it's going to end up restarting the executable from the registry value, because those get called and get read, and it points to where another copy of the binary is, and you end up running it over and over. So this is a form of persistence. Another thing that we see here is a bunch of new files were created, and, speaking of persistence, these are your file system artifacts for persistence. So there's one here in AppData; they drop another one in the Startup directory, so that directory is where all your files that load when you log into your system will load up for you. You know, some of you stick your Outlook there, you set it to start whenever you log in; that's where that shortcut is kind of stored. Also this gets dropped into another directory on the C: drive, etc., etc. Basically the attacker created about six different copies of the exact same binary and dropped them in different places in the OS, and then put links in the registry to kick them off. So that is one very effective way, because you're looking for all these binaries. You find one; all right, are you going to keep looking to find more? Are you going to keep looking to find more? I salute his tenacity, but that kind of paranoia is really not healthy, and I'm very impressed that he went to those levels. What we can see here, based on all of this, is you can either spend a few hours trying to clean the system, or do what most of us would do: nuke it from orbit.

Next we talk about it from the host point of view. So once again, I had a nice fancy tool that does all this stuff for me. How are you going to do this without those? How are you going to do this for free? How are you going to do this on
Grandma Jo's system that doesn't have access to any of these nice shiny tools? Well, first and foremost I'm looking for common things. When I spoke about IR and forensics being a bit more art than science, and you've got to kind of follow your intuition, you're really banking on your experience. I spent years working at a financial institution where I dealt with banking Trojans, so Zeus, SpyEye, etc. I have massive databases of these things: the Blackhole exploit toolkit that dropped all this crap, Angler, all those things. I had to create behavioral analysis for it; I had to create databases that could correlate the changes in it to find out where this crap is.

So a couple of the places that I look first and foremost are things like the user's AppData, particularly Roaming. So if we are on Windows 7 or Windows 8 (I don't remember if Windows 10 has the same structure in AppData), depending on whether or not you have local admin for your user is where the stuff will get dropped. AppData for the active user is extremely common for banking Trojans, and it is one of the first places I look for persistence mechanisms, because it's that common. It's still common to this day, to the point where I have scripts that will just go out and grab a few different directories and just list me the entire directory and the child directories of it, so that way I can just quickly go through and say this isn't something that I already know, so now we have to start a real investigation; or, bam, I found one thing, excellent, pull that thread, follow it through. There are a few other places to check. We spoke about the Startup Programs directory; that's another popular persistence mechanism directory where they drop the binaries. A lot of times they'll use something like C:\driver\<whatever the malware is>, because if any of you have ever run a Dell, that's where Dell often expands and drops their crap, which, depending on who wrote that driver, could be malware. Extremely common, and this is one of the first places I look.

The second thing I do is I start looking for more persistence mechanisms. Once again, this is the Start Menu one that we just dropped into; so here, this is actually in the AppData directory. So the two that we've done are basically C:\Users\<user>\AppData\Roaming; that's usually where the first persistence mechanism goes. So you have the malicious file up on the internet; it gets dropped down to your system however it's going to be, email, exploit kit, whatever; it gets executed; the first place it normally copies itself off to is that AppData directory, and then it deletes the originating file from the directory that it was in. Most users will be, "oh, it went away, let me re-download it," etc. Once it gets dropped to this directory it actually starts expanding out and starting to clone itself all over the place. That nice list of files that we just spoke about, those are all in different persistence directories, and they were all written by this file.

The next thing we're going to look at is a couple of other nice things. The malware created its own directory with a bunch of gibberish on the actual root of the C: drive, and inside that directory, lo and behold, there's another copy of the malware. It's just all over the system at this point; you can tell the malware author is very, very afraid of these binaries being found, and creates backups of backups of backups of backups. I already used my paranoia joke so I can't reuse it now, but it's really not healthy.

Next up is the registry actions. So one of the things we just spoke about was the Run/RunOnce key creating the mechanism for persistence and starting up on reboot and login. This right here, you can see from the values, what it does is it ends up creating a value inside that registry key. What I can infer from this is that it is a persistence mechanism; I'm not guessing at this point. Putting things into this registry value will only have one of two things happen: it'll start on boot, or it'll break. Those are your two options when you drop something in there and point it. Very rarely do you see more legitimate applications use this; usually it's done by system administrators who want things to start on boot. So some administrators that have very complex AD environments will end up putting scripts in their builds and pointing them to RunOnce, so every time you log in it'll correctly mount your network drive, because AD is so broken in their environment that they can't do it through that mechanism. There are also things like Wi-Fi fixers, all kinds of stuff that would get dropped in there. These are keys for background services such as the Remote Registry service, and they're only run once per boot.

Next up is what happens. So we have the persistence mechanisms, we have the binaries all over the place, we have the registry values showing that it's going to get run. How do we know what got hit? CryptoLocker 1 was kind of nice: they have what I call the middle finger directory, because it's just showing you how boned you are. This is every file that it has successfully encrypted, and this is the one that makes people cry. Lastly, I have another picture that was actually almost already shown: the CryptoLocker lock screen is the last thing the user actually sees, because at that point you are owned, and it's the last
thing that you see. The CryptoLocker variant, as was already mentioned, drops on the system, runs, scans for network drives, tries to encrypt them first, then encrypts the local drives, because if the user doesn't know what's going on they're not going to shut off their computer and try to stop it from encrypting things.

So how do we detect this attack? There was a lot of information about how different files were created, different things in the file system that were changed, all these variants. So first and foremost you're going to work with what tools you have. Right here I have broken out the attack into a few different things. In particular, what I'm looking for is illegitimate use of the Microsoft binary, and the binary that we're talking about is the vshadow binary. There is a 32-bit and a 64-bit version for each OS and minor OS revision, so this isn't a complete list; these are just the ones I pulled off MSDN a little while back. So what I can do is either a manual search with these hashes to look for these files actually being on a system, and then mark those systems as a higher criticality, because I know that they can get exploited this way; or I can have a tool or a SIEM end up alerting me when one of these binaries is actually executed. That's your choice; use the tools that you have, play around with that stuff.

In this case what I'm doing is I'm using the Carbon Black endpoint response product (yeah, they changed the names very recently and I'm still getting used to them). This is the one that shows me what executions happen on the system, registry, processes, etc. So what I can do is I can write a rule that specifically says if vssadmin is executed, alert me. Well, that's cool, but depending on how it's executed is whether or not it actually gets shown, so we should actually look more at the dependencies of it: what does vssadmin need on that system to run, and then end up being used and abused by the attacker? Well, we can look at the DLL that it loads when vssadmin goes. vssadmin can get used in different queries, it can get used in various different uses, but the vs SPS DLL is only used when vssadmin is executed. So that's one of the first things I started to look for: set this alert, see when it executes and how it's executing. Lo and behold, this went off in an environment of about five thousand endpoints, and I had false positives. There's this file called WerFault.exe, which I can't remember what it does, but it also uses that DLL, so I just made it ignore that, pretty much, and started to minimize this.

The second thing that we know happens is, when this happens, you're kicking off basically a script to infect. So what are our scripts run as, mostly, on Windows systems? They're batch files, and batch files, when they run, run under cmd.exe as the process, so it's almost like you're running directly from the command line; it's just running in script form. So what I do here is I look for the command-line execution of the mklink command. Who here has actually seen mklink happen in a legitimate context? No? All right, well, you get the point. The last thing that I'd look for is vshadow.exe at the command line being run with that -p option in order to create the pointer and that symlink. So these are three different queries that you can run in your environment; you can run them as batch scripts, you can run them depending on what your security tools on the actual system can see. Here are three different variants: one uses memory, one's particularly looking at a DLL, one's looking at a particular executable, and another one is looking for a particular command-line command. Those are four different vectors that you can now look at for this one attack, and get, I don't want to say no false positives, but I only ran it in a system of 5,000, so I don't know what your environment's going to look like.

Next, we could also look for that volume shadow name. So we know that shadow copies are being made. What we know for sure is there are some default naming schemes: if you don't specify names and you just run the default commands, you're going to end up with something that looks like HarddiskVolumeShadowCopy or HarddiskVolume. If you've ever looked at the command-line output from mounting a drive at boot, if any of you have ever gotten that blue screen of death, you've probably noticed that the actual C: drive that you have mounted, before it gets mounted and called the C: drive, is called a HarddiskVolume, because that's the actual name for the physical asset, and it's the same name used for the virtual asset. So when you're running systems you shouldn't see this going off, and this is another thing that you can look for.

So the last thing. I don't know what time it is; I don't know if I'm going over. Three o'clock? All right, sweet. I think I only have like five more slides in this, probably the ones that you guys actually care about: how to stop the attack. So we went over the basics of ransomware, we went over the basics of vshadow, some of the common places it's used for the attack, but how do we stop it? This is really what I care about most at this
stage in my career, because I run SecOps, so I'm mostly defense. We have to do offensive things; I get to do threat research, I get to poke at stuff, but what really matters at the end of the day is: how am I protecting my enterprise? So first and foremost, a good backup plan. That has to get put out of the way before you get to the technical stuff. Anything proactive you can do is really going to save your bacon; it reduces your risk surface, it ends up helping you out in the long run. You can create the shadow copies manually, you can restore from them. This is the mechanism I would use. There's professional tools that do it better, but these are available on any Windows system. There's multiple methods; you can look them up online.

There's also whitelisting options, and what I'm going to do is I'm actually going to show you a whitelisting option. You know, one of the company's products is a whitelisting product. I'm not using that one because that costs money; the one I'm going to show you is free, so don't tell marketing or sales, because they'll be very pissed at me. So, what is whitelisting like for these kinds of attacks? I equate it to basically, you know, computerized shot-blocking, right? You're just going to get slammed: you try to install stuff, you get denied, and the more you watch this you can see the kid's soul actually get crushed.

Short of whitelisting, you can implement a rule based on your use case, unique to your environment variables and your desired outcome. Right, the rules that I'm going to show you are in a high-level format, because even if you aren't using the fancy tools of ours, you can apply this logic and use your actual controls in your environment, specifically leveraging things like GPO, witchcraft and a lot of cursing. These are going to kind of work for you guys. So first and foremost, user training, right? Don't click on the bad links. Here's a bunch of things that we're going to end up using as artifacts
to look for and to block. What we spoke about a few minutes ago was the persistence mechanisms, right? So if you remember that nice pretty picture of the kill chain, what we're looking at is originating execution, child processes, file writes. But the originating process doesn't end up doing the damage to the system; it's the child processes. So in order to bring down the malware we have to stop the child processes. The mechanism that I created for CryptoLocker version 1, 2 and 3 is actually a registry block; I'm going to show you a file system block, because this works not just for CryptoLocker but it also works for different kinds of Trojans.

So first and foremost, let's use your security policy. You create a software restriction policy for a single computer, either using the Local Security Policy editor, or for your entire domain by using the Group Policy editor. Here I've used the local policy editor because they wouldn't let me play with the domain one; I don't know why. So first and foremost you need to create a new policy, right? This is boring; this is stuff you've got to go through in order to do it. Here's a bunch of steps, but what really matters is step number five. This is where you end up finding all your software restriction policies; this is where they're all written, these are the ones that get sent out to the different systems, and these are where you're actually going to revise things, tighten it up if you have false positives, create exceptions, etc.

What you're really doing here is you create a new path rule, and what you're basically doing is this nice short process that will end up allowing you to create this. What we're going to look at is particularly this executable in the AppData. This is how I kept Zeus out of a financial institution that I worked for. It was very simple: we wrote this and it stopped it for a good year and a half, before SpyEye came out with a lot of the code, because the code got leaked and now started to use extra file paths, when we had to revise this. But this is very similar. Notice that the security level is Disallowed; that means it won't run, just as you expected it would. It doesn't create flowers or clowns; it doesn't let things run. What really matters here is choosing the file path. This is where you're going to have collateral damage: things like Spotify, Firefox, Chrome, they all update out of AppData, which, if any of you write software, you know it is against best practices to do so, and it's a terrible idea to run things out of AppData. It's meant for config files and storage, not binaries. So if you have those applications in your environment, you're going to have collateral damage with this rule, so remember to create some exceptions in there, or sales will be upset and so will your SI staff.

Next up: it is now implemented. There's a pretty short process; you just saved your enterprise a ton of money, and I'll take that in checks if you have it, cash, ice cream, whatever form of payment you want. In the words of Doctor Who, you know, it's defended, just like the Earth. But really, it comes down to dropping the ban hammer on things.

In closing: ransomware is annoyingly effective. Recent additions of features such as removing shadow copies make it even more dangerous. Regardless of what security products you use, your best defense is user training and backups. Rinse and repeat, rinse and
repeat, or instant repeat. Anything preventive that you can implement proactively, whether it's automated tools, manual implementation, anything like that, will help you protect your company more than any kind of shiny tool with an unlimited marketing budget, and no matter what the sales guy tells you, you get to live in reality. Nothing's a magic bullet, right? So thank you all for your time today. My motto, this you'll see on the blog posts that I do: flag it, tag it and bag it, also known as the double tap, as needed. And questions?

Yes, they are. Um, not immediately after this. I am presenting this at SANS DFIR next month and hopefully at DEF CON and Black Hat this year, and they have a weird rule about releasing the slides, so by the end of June I'll know whether or not I can give them to you then, or at the end of August. Either way I will release them; I just am contractually obligated not to yet. Yes?
Just because the enterprise doesn't use it for its legitimate purposes, some applications might use it; it varies upon your environment. So the first thing you have to do is the visibility, accountability argument, right? Increase your visibility: do you know what applications are run in your environment? For those of you who work in the enterprise, I'd like to see a hand for anyone that can tell me every application running in their environment. Yes, that is the answer. Snarky, I know, but unless you have really good auditing tools or something like an endpoint product that will give you visibility into what's running on each system, you can't know, and therefore you don't know your conflicts until you start implementing things. So trial run, small groups, etc. That's the only way you can get up to the point of blocking something that is kind of built into the OS. Cool. Oh, thanks.
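The three command-line indicators from the talk (mklink run under cmd.exe, vshadow.exe with -p, and the default HarddiskVolumeShadowCopy naming), as an added detection example run over constructed process-creation events; this is illustrative code, not the speaker's or Carbon Black's queries, and the event fields and sample command lines are assumptions.

```python
"""Detection logic for the indicators described in the talk. Sample events
are constructed, not real endpoint telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent process image name (assumed sensor field)
    image: str     # process image name
    cmdline: str   # full command line as the endpoint sensor recorded it


def _has_token(cmdline: str, token: str) -> bool:
    """True if token stands alone on the command line, so '-p' does not match '-persist'."""
    return re.search(r"(?<!\S)" + re.escape(token) + r"(?!\S)", cmdline, re.IGNORECASE) is not None


# One predicate per query from the talk: script-driven mklink, vshadow -p, default shadow name.
RULES = {
    "cmd_mklink": lambda e: e.image.lower() == "cmd.exe" and _has_token(e.cmdline, "mklink"),
    "vshadow_p": lambda e: e.image.lower() == "vshadow.exe" and _has_token(e.cmdline, "-p"),
    "default_shadow_name": lambda e: "harddiskvolumeshadowcopy" in e.cmdline.lower(),
}


def detect(events):
    """Return [(event index, [rule names])] for every event that trips at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        fired = [name for name, pred in RULES.items() if pred(ev)]
        if fired:
            hits.append((i, fired))
    return hits


# Constructed sample events: two mirror the chain from the talk, two are benign noise.
SAMPLE_EVENTS = [
    ProcEvent("cmd.exe", "vshadow.exe", "vshadow.exe -p C:"),
    ProcEvent("explorer.exe", "cmd.exe",
              r"cmd.exe /c mklink /d C:\sc \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"),
    ProcEvent("explorer.exe", "cmd.exe", r"cmd.exe /c dir C:\Users"),
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs -p"),
]

if __name__ == "__main__":
    for idx, names in detect(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].cmdline, "->", names)
```

The benign svchost.exe line shows why the -p check is tied to the vshadow.exe image rather than to the flag alone.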
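The software restriction policy path rule from the talk, together with the exceptions it warns you will need and the trial-run advice in the answer above, modelled as an added example (not the speaker's tooling): the rule set, the user name and environment paths are constructed, and the wildcard and most-specific-rule-wins semantics are my assumptions about how SRP evaluates path rules.

```python
"""Model of SRP path-rule evaluation for the AppData block rule from the talk.
Assumed semantics (not from the talk): '*' matches within one path component,
the most specific (longest) matching path rule wins, default is Unrestricted."""
import re

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Constructed environment for one user; Windows expands these per user at evaluation time.
ENV = {
    "%AppData%": r"C:\Users\alice\AppData\Roaming",
    "%LocalAppData%": r"C:\Users\alice\AppData\Local",
}

# Constructed rule set: the AppData block rule from the talk, the same rule one directory
# deeper, and an Unrestricted exception for an application that updates out of AppData.
RULES = [
    (r"%AppData%\*.exe", DISALLOWED),
    (r"%AppData%\*\*.exe", DISALLOWED),
    (r"%LocalAppData%\*\*.exe", DISALLOWED),
    (r"%AppData%\Spotify\Spotify.exe", UNRESTRICTED),
]


def expand(pattern: str) -> str:
    """Expand the %variables% a path rule may contain (case-insensitive)."""
    for var, value in ENV.items():
        pattern = re.sub(re.escape(var), lambda _m: value, pattern, flags=re.IGNORECASE)
    return pattern


def rule_matches(pattern: str, path: str) -> bool:
    """SRP-style wildcard match: '*' never crosses a backslash."""
    regex = "".join(r"[^\\]*" if ch == "*" else re.escape(ch) for ch in expand(pattern))
    return re.fullmatch(regex, path, flags=re.IGNORECASE) is not None


def evaluate(path: str) -> str:
    """Security level the policy would apply to an executable at `path`."""
    matches = [(len(expand(p)), level) for p, level in RULES if rule_matches(p, path)]
    if not matches:
        return UNRESTRICTED  # no rule matched: the policy default applies
    return max(matches, key=lambda m: m[0])[1]  # most specific rule wins


if __name__ == "__main__":
    for p in (r"C:\Users\alice\AppData\Roaming\dropper.exe",
              r"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe",
              r"C:\Program Files\Vendor\app.exe"):
        print(p, "->", evaluate(p))
```

Running your inventory of executables through evaluate() before deploying the rule is the trial run the answer above describes: every Disallowed result for a legitimate updater is an exception you still need to add.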