
Defending Your Organization Against Ransomware Sean Heffley TRISS 2017

BSides Peru · 30:46 · 66 views · Published 2017-10
About this talk
Defending Your Organization Against Ransomware Sean Heffley @ TRISS 2017 http://www.threeriversinfosec.com/
Transcript [en]

And so next up is Sean Heffley. He's with LogRhythm, and he has 20 years of IT experience and five years now in cybersecurity. I should also tell you this, a very important bit of information about Sean: he is a reluctant expert on Disney princesses.

You are reluctant, and now Sean... Because I have four small children, that's why I'm a reluctant one. Sorry, can you guys hear me fine back there? Raise your hand if you can hear me. Good, all right, fantastic. So who out there wants to volunteer, put their hands up, if they have ever experienced or got busted by some ransomware or malware? Maybe don't raise your hand. Hey, does anybody know anybody that has gotten caught by ransomware? Okay, I think everybody knows, or at least you've certainly seen the headlines, which we'll cover in a few moments here. But what we're going to cover today: I'm going to spend the first five minutes or so just going over a few stats, probably a lot of things you've seen before, just to explain what ransomware is and why you should protect your network against ransomware, and of course so you can go to your CISO and say, hey, this is why we need to protect ourselves from ransomware. And I'm going to dive into the common themes of what ransomware does. I'm going to

get deep technical on the common themes. Now, there's no silver bullet on catching ransomware; I mean, it's always changing. But I'm going to cover the most basic things you will see as far as ransomware is concerned, and then I'm going to show you how to defend against it, and then we'll bring it all together at the end.

So, ransomware for the executive team. Obviously we all know about the threat pandemic out there. This is of course just showing the last 10 years, 11 years I guess you could say. Back in '06 there were 321 breaches that were reported; moving on to 2010, that tripled; 2015, about 4,000. Obviously the number keeps increasing, right? So I think we all know you all don't want to be on this list. Well, ransomware: in a survey of all the CISOs out there last year, "what are your biggest concerns for next year?", ransomware is on every list. That's no surprise, as well as these other things, but ransomware is a high priority on everybody's list. And you will see the United States is getting the most detections of ransomware. Of course, this is data from last year, and why? Of course, we have the money, right? We're paying the ransom, we have the money, so they're coming after folks in the United States. I'm sure maybe that might change, since I guess the UK got hit pretty hard with WannaCry these past few months. But there's that.

And ransomware is in the news, right? You see the headlines. I don't need to read all these headlines to you, but you guys know how huge this is, right, the impact, and you've seen all the headlines. A few headlines I think are fairly interesting. I have a couple of stories, two at least. Montgomery County in Alabama. Actually, I'm just going to come down here; I'll try to move back and forth here. I like to talk with my hands, so sorry about that. But Montgomery County in Alabama, their whole infrastructure was down for two weeks. This happened this past September. It's pretty interesting: they had all their tax appraisals, anything having to do with administering the county, was down, even marriage licenses, for almost two weeks, and they paid about $50,000, and then they decided, okay, we need to invest in our infrastructure. Unfortunately that's what it took to get them to protect themselves. And of course you have the Kansas Heart Hospital; that happened this past May. They paid a ransom, and then of course the bad guys said, well hey, we're going to give you some back, then we want more, right?

I don't expect you all to read this. This is the history of ransomware. Ransomware started back in '89; the first case of ransomware was PC Cyborg. They demanded one hundred and eighty-nine dollars, and that was before Bitcoin. But this is the last seventeen years, I believe. You can see it's just exploding, right? Ransomware is becoming bigger and bigger, and of course as of a few months ago they projected fifty percent growth in 2017. I just read last night, I was out doing some last-minute prepping, updating some slides here, and I saw that it increased 300% this year. I haven't vetted that; I don't know if that's real, but it continues to get bigger and bigger.

And the threats haven't changed. So you have commodity malware, right, ransomware of course, any spyware trying to get money. Obviously you have insiders; think Edward Snowden. Cool story: I was speaking with a prospective customer in Ohio this past spring, and they were talking about how the reason they came to us is because they had some sales folks leave the company, go to a different company, and then over the next few months they started losing a bunch of deals to this company. And of course that's exfiltration, right? They knew what the bids were, they started undercutting, and that's of course a major concern to them. Also something we see in people's networks, colleagues have seen in people's networks, I haven't seen it myself, is temporary accounts, right? You have people, maybe an admin, who has rights to be able to create accounts; they create an account, use the account, and then delete it within a 24-hour period. That's pretty shady. That happens in people's networks, and we alert on that. Hacktivists: WikiLeaks, Anonymous. Terrorists: of course you have ISIS. Organized crime: actually the FBI gave a talk a couple of years ago in Green Tree that I attended. They were talking about those scanners, those credit card scanners. I'm sure you've heard about it: if they have your credit card number, they're able to use these little scanner things, run it through and put it on the magnetic strip. And there was actually a ring in Pittsburgh a few years ago that they busted, where there were people going around in a blitzkrieg, running through all the department stores buying a bunch of merchandise, and they busted them in their hotel room. I thought that was pretty interesting. And then finally I have state-sponsored. Obviously there's a lot of that going on, right? You hear about Russia, North Korea with Sony. I'd say to Stuxnet: anybody out here know about Stuxnet? That's back in two thousand-something. I'm sure many of you have heard of it, but that was where we, combined with the Israelis, infiltrated the Iranians' nuclear centrifuges and took about 20% of their centrifuges down. That was back in 2010.

And the anatomy of the attack hasn't changed either. I mean, they're pretty predictable. You have reconnaissance, right: they're going out, they're going to look through and do recon on who they're going to attack. They're going to do the initial compromise, typically through spear phishing. Command and control: you're going to go out and talk to a server somewhere out there in the world and get the malicious code. They're going to move laterally into your network; you might start seeing a bunch of authentication failures across your network, and you should be looking for that type of stuff. They're going to find their target, they're going to have that connection and the backdoor, and then they're going to exfiltrate your data.

So let's dive into ransomware. I'm going to go through each of these in the following slides, so real quick, just going over it: obviously there's the exploitation, right. The infection happens within five seconds; they're already talking to the command and control server, downloading that code. It happens very quickly. And then they're going to start deleting your backups; that's called backup spoliation, and that's the local backups. I'll talk about that a little more. And then you have file encryption, and then within 15 minutes typically; it takes about 15, it could be as little as two minutes, your files are encrypted, but it could take up to 15, maybe even longer if you have a huge server. Unfortunately it doesn't hit your server network, it just stays on your PC. And then they're going to notify you.

So let's stop at each one of these. Here's an example: you might go to a website and you need a font to be able to look at what's on the website. So it looks pretty innocent, you hit the Update button, and then you're infected. That's one way people will get infected.

And then of course you probably recognize this. From the back you may not be able to read it, but I'm sure most people have seen this. This is Microsoft: you have to verify your copy of Microsoft, and you hit the button, and of course you might get infected with some malware. This is another example, an email you might get. It looks like it's from Bank of America, looks legit, but it's actually coming from a different domain name, right, there's bankofamerican.com. It's not legit, obviously, but they're passing themselves off that way. And of course we all know about that Nigerian prince with 30 million dollars. I've heard that people have replied to this; I don't know anybody who has. And then if I was a bad person, right, I'm a hacker and I want to get some malware on something, or maybe I want to go after somebody like my mother-in-law, I'm putting the kitty cats on my little messages. All right, I'm sorry, I do this for my mom and my wife and kids, I'm like, I have to make this a little more exciting, so you've got kitty cats. And I actually updated it last night; my son really wanted Lego Batman, so I put that up there for you guys. This is real, okay? There are no sororities doing pillow fights, right? Don't click on that link. You get that email, I hope you don't.

But phishing is the most popular way people are getting infected, right, whether it's an email with a link and you click on the link, or maybe there's an attachment with some macros, maybe a PDF or something. So that's the most popular. But also you have exploit kits. If you don't know what an exploit kit is, it's malicious software that's going to scan the internet trying to find legit websites that are vulnerable, and they put their code on that website, and so you as an unsuspecting user might go to that website and then you can get infected. Now that's in general what an exploit kit is, and that's just an example of an infection via an exploit kit. By the way, 8 out of 10 exploit kits come from Adobe Flash. And then the path to compromise, to go along with that: obviously you get the phishing links, right, you click on it, or you're browsing the internet; most are coming from a browser. But also you have attachments, right, and all these different attachments that are specified here: Adobe, very vulnerable; Microsoft Office macros; Android is an interesting story. I was doing an implementation of our software, and we have a threat map, and we brought it up for the first time. We're like, okay, we're bringing our firewall logs in, using geolocation, you see a threat map around the world, you see dots all over the place, it looked like a Christmas tree. Like, wow, you guys are doing business in Ukraine, China, Russia, Kazakhstan? Like, you guys do business in Kazakhstan? Does anybody know where Kazakhstan is? I'm sure some people might know. But it was really interesting. I would say, what's going on here? And you start looking into it, and okay, so there's one node internally that's talking everywhere, Tor servers, everywhere else. Android: it was an Android device on their network, a BYOD device that was infected and just talking everywhere. I saw that firsthand. I thought that was interesting.

So, a connection to a command and control. So you're infected; now you're going to go talk to a command and control server, a C&C server. Your laptop hit the link, and it's really a bad site, right, and then it redirects you to the actual command and control site, and you're going to download that malicious code. That's essentially how it happens. Some ransomware, some different malware, is actually self-contained; you don't actually talk to a command and control server. But in general, oftentimes it does. And they're going to deliver it via an encrypted channel, and when they do, oftentimes the executable goes to the AppData or the Temp directory. That's not a common place where executables should be run from, so that's a dead giveaway that potentially it's malicious. Also they're going to set it up for auto-execution at restart, so the registry keys, right: they're going to put some registry keys for startup to automatically start the application. So that's another dead giveaway that perhaps malware or ransomware is running on the machine; people should be alerted instantly, especially if they're not allowed to install software on their PCs. Remove Windows shadow copies: who here, I assume that most people are pretty technical, who here is PC support for their family and friends? Okay, pretty much everybody. I certainly am, at least for my dad; I've rebuilt his machine a few times. You know what that "last known good configuration" is. And in general there are processes that actually run that manage that: if you see vssadmin running on a machine right now, that's a pretty good indication that perhaps it's ransomware; same with wmic.exe. They're going to delete those shadow copies. Actually, my dad, since I got married and have four kids, I'm like, Dad, I can't help you anymore. He actually has the Geek Squad, and they actually do a very good job. I mean, I'm impressed. He uses those people, he doesn't call me on stuff. I'm waiting for the time he calls me and has ransomware. I had him set up a pretty good backup. I was like, okay, Dad, you've got to be backing up all this stuff out in the cloud, so we got that set up. Hopefully I won't have to restore that at any point. Anyway, moving on. They're also going to modify your Master Boot Record as well; that's another thing that they're going to do.

So here's an example of a new process that's running. You can see the process is 7zb-something.exe; that's a process. It's a strange name, and it's never run on this computer before. So that's running, it's running from the AppData directory as well, and it starts scanning. In this case, this is in a one-minute period, it starts scanning over 2,600 files. That's a little strange. There's a new application running on a PC that shouldn't be doing that, unless you're in IT and you're doing some certain scanning. And then they're going to encrypt, right, they're going to start the file encryption. They're going to get the key from the internet, from the command and control server, and they usually use very, very strong encryption. And oftentimes, well, they're always going to append the files with something. WannaCry used .WNCRY; CryptoWall is using file extensions that are random; Locky uses .locky. By the way, does anybody know what ransomware was the most profitable to date, through the history of ransomware? It's CryptoWall 3.0. It was around 2015 when that one came out. I think they grossed well over 300 million; 325 million was what I read. But I thought that was interesting.

And they're going to notify the user. So, blue screen of death. I know we have some younger folks in here, maybe in their 20s, who don't know what that is. I'm sure a lot of people in here do know what it is. I went to college when Windows 95 came out, so I know the blue screen of death very well. So that's of course there. I have a toll-free number that you can call; that's convenient, to pay your ransom. So I have a couple of screenshots of some ransomware notifications. Here's another one asking for $100; this is from 2013. This is a nice one: I don't know if you can see this down there, but they even have the gall to say "have a nice day". Here's a couple more. This is the most recent one, WannaCry. This is what WannaCry looks like. In this case they're asking for $600; they're asking for either 300 or 600 dollars in bitcoins. I don't know if anybody here has invested in Bitcoin. I keep on kicking myself when I'm seeing the price of Bitcoin. Last year I did this talk, it was like $700 per Bitcoin; I just looked last night, it's pushing six thousand dollars per Bitcoin. So if you had the hindsight, and we all wish we had that hindsight, if you had invested in Bitcoin years ago, you'd be very wealthy. I'm debating just buying one, just to see where it goes, but I'd need my wife's approval for that one; I don't know if that's going to work. Anyway, then they're going to clean up. The ransomware is going to clean itself up, right? Here are some of the processes it's going to run; our labs team put this together, just watching what ransomware does. And then, that last line, it's actually deleting itself. And then they give the instructions on how to pay the ransom.

So what do you do if you get infected with ransomware? What's going to happen? I've heard of people who were very savvy that have figured out the crack. Maybe there are some companies you might be able to hire today; I've read that you can. I worked with a dude that actually cracked

the "lite" user license for Infoblox, back when I worked at UPMC. I was like, wow, that's pretty impressive that you did that for your home use. So that's possible, but most likely you're out of luck, okay? You're going to have to pay that ransom if you have files on there that you need. If you pay, hopefully they're going to give you your access to your data back, or you're just going to have to wipe it and restore from backup. Hopefully you have those files backed up.

So let's talk about defending yourself against ransomware. So you should be maintaining backups. Tell Joe in accounting not to put those spreadsheets on the desktop; that's not good practice. You should also have a backup server; you should have drives mapped out to there, but then have a way to back up those mapped drives; you know, you're backing up your backups, right? So backups are very important for defending against ransomware. Unfortunately, you need to educate yourself and your users, right? Tell Sally the secretary, don't click on that; there's no $50 Amazon card waiting out there for you. All right, if it's too good to be true, don't click it. And of course you should develop runbooks. I know that's kind of boring, and a lot of people don't do it, but mature security plans for companies typically have a response plan. If you have your CISSP, I'm sure you are familiar with it, or have at least read about it. And patch: you need to patch. Does anybody know what the average time is from when a vulnerability is not just discovered but announced to the public to when people actually patch their systems? Does anybody know what the average time is? You might want to take a guess. 30 days? Never? Months? Nine and a half months? I don't even know how that calculates to days; I'm not going to do the math. 120 days is what I read recently, what I've been told. So that gives 120 days to think about, on average, for a malicious hacker to develop some code and hit that vulnerability.

Also you should be investing in your security, right? Next-gen firewalls. You should have an IDS or IPS, intrusion detection. You should be doing email filtering; there's a vendor here that you might want to talk to about that. You should have good AV. You should have a SIEM tool as well, which is what we do. And you need to pay for your security analysts. I'm sure there are folks out here who hire, and it is tough to find; I always hear this, it's tough to find good security people, not just good, but somebody who's willing to work for the price that you're allowed to pay. So I know there are some young folks here, students, who I'm sure are probably eager to learn and would be fantastic candidates, even though they don't know what the blue screen of death is. Also least privilege: you should have a least privilege policy out there. I'm in people's networks all the time, and it's amazing how many people don't follow this, right? They have admin rights to everything, to things that they don't need rights to. So you should have a least privilege policy out there within your company. You should be correlating against threat lists; there are a lot of companies out there, paid and open-source threat lists, that you can correlate against, definitely in your IDS/IPS or your SIEM tool. You should be correlating with threat lists. You should have good endpoint tools, and obviously update them. Looking for signatures is one thing, but I heard one of the most effective ways to stop ransomware is application whitelisting. To me, if I'm administering it, I'm sure it's a nightmare to admin, but you think about it: if you're doing application whitelisting and you're trying to go to GoToMeeting or WebEx and then, oh, it's blocked, you put an exception in. It's kind of a nightmare to manage, but it's the most effective way to lock down your folks from hopefully not getting ransomware or any other malware. You should be monitoring for the ransomware behaviors that I just described. You should have password complexity enforcement. And insurance policies: they do have insurance companies that offer insurance for other companies specifically for ransomware, believe it or not, so that's maybe something you want to look into.

So here's an example of a connection to a command and control node. So right here, what I'm showing is you have a list of known bad URLs, where ransomware was actually hosted at some point in the past, and then on the other side I also have a list of IPs that at some point in the past hosted ransomware. So you should be correlating against it. Here's just an alert that came across; these are the logs associated with that alert, a connection to a threat list. You can see here there's a host inside the network named Dorado. It's connected to this one IP that's actually located in Roanoke, Virginia, but they're communicating with an IP that's on that threat list. So you should be monitoring for that. Here's an example of at least one of our rule blocks; any SIEM should be able to do all this stuff, but in this case this is looking for files executing in the AppData and Temp directory. That shouldn't be happening; you should be monitoring for that on your endpoints. You also should be monitoring those registry keys, as I mentioned earlier, and you can see there are four of them mentioned here. But you should have a product that's monitoring, at least on your servers, right: monitor your registry for changes or look for specific keys. You might not want to monitor all your registry keys, because that's a lot of logs and a lot of CPU it's going to eat up, but you certainly can. And then you want to be able to contain it. If you in fact get ransomware on the endpoint, you want to be able to contain it, you want to be able to kill the processes; it's great to be able to do that, or disable the NIC, or even be able to reach out and shut down the LAN node. So that's another thing you want to be able to do.

So I'm going to bring it all together here. I don't know how I'm doing with time; I think maybe I'm going too fast. I guess we would have some time for a little bit of conversation at the end. But so I'm going to bring it all together; this is the last slide, by the way. So you're sitting at your laptop, you connect to the command and control, you're infected with ransomware. So what's going to happen here? First of all, well, you should be doing this, right: you should be getting alerted that, okay, there's a node inside my network that's communicating to our threat list, a known bad IP. You should get alarmed on that. Also you should be monitoring your endpoints, or at least your servers, saying there's a process that's never run before and it's starting to scan all the files on this computer; you should be alerted with that. And then, hey, there's a new registry key, an autorun registry key, that was just installed on an endpoint; you would want to know about that. And there are many different indicators of ransomware; this is just three of them. But it'd be great, and this is what we do, to correlate all of them, perhaps have a rule that says, out of these five ransomware behaviors, if three of these five happen within a one-minute period of time, there's a pretty good chance it's ransomware. So that's in fact what this high-risk alert is: there's a pretty high probability that that's ransomware, and you want to be able to run a script, automate a process, to be able to lock that down or disable the NIC. So that's essentially, well, that's all I had. So now, typically... I wasn't expecting to zoom through this; I mean, I was talking too fast. Hopefully I didn't skip too much, but do we have time for questions? Yes? Okay.

So is there anybody out there that perhaps wants to share a story? Maybe they want to add to what I've mentioned. Don't challenge me; I don't claim to be an expert. I've certainly read a lot about ransomware, I know a lot about it, but I'm sure there are people out here that know even more than me. So if anybody wants to share a story, feel free to do so, or if you have any questions, we can talk about it. Not all at once. Anybody willing to admit today if you've had ransomware? Has it happened? What kind? Anybody like sending your version of files?

Yeah, the bad one, the real bad one.

Yes. All right, well, that's convenient. For those who didn't hear: so it's like outsourced ransomware. What's the website? Yeah, yeah. Ransomware is really getting more and more complex and easier to do. Like this gentleman just said, there's a website out there where you can put in the company name you want to go after and they'll go after it for you. I don't know how much you pay for it, but they have chat centers, right; if you get infected by ransomware and you don't know how to buy Bitcoin, they'll help you buy Bitcoin. So that's real, and that's happening. Anybody else have anything you want to add? If not, feel free; I'll be sitting over there. I actually have to run to pay my respects right after this, but I'll be right back early afternoon, so if anyone wants to stop by and talk to me, I'll be sitting right over there.

All right, thanks, Sean.
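The closing rule of the talk (three of the five ransomware behaviors on one host within a one-minute window raises a high-risk alert), written out as an added example that is not the speaker's code or any vendor product. The log format, field names, thresholds and the threat-list address are all assumptions, and the sample events are constructed.

```python
"""Toy correlation rule for the five ransomware behaviors described in the talk:
execution from AppData/Temp, shadow-copy deletion (vssadmin/wmic), an autorun
registry key, a mass file scan, and a connection to a threat-listed IP.
Assumed input: one event per line, 'ISO-timestamp host=... evt=... k=v ...',
sorted by time. All field names and thresholds are assumptions for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # the one-minute window from the talk
REQUIRED = 3                     # three of five behaviors fires the alert
FILE_SCAN_THRESHOLD = 2600       # files touched per minute, the figure from the talk
THREAT_LIST = {"198.51.100.23"}  # constructed: documentation-range address, not a real IoC

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)
AUTORUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
SHADOW_RE = re.compile(r"\b(vssadmin|wmic)(\.exe)?\b.*\b(delete|shadowcopy)\b", re.IGNORECASE)


def parse_event(line):
    """Split a log line into a dict of fields; quoted values may contain spaces."""
    ts_str, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def classify(ev):
    """Map one parsed event to a behavior name, or None if it is benign."""
    evt = ev.get("evt")
    if evt == "process_start":
        image = ev.get("image", "")
        if SHADOW_RE.search(ev.get("cmdline", image)):
            return "shadow_copy_deletion"
        if USER_WRITABLE_RE.search(image):
            return "exec_from_appdata_or_temp"
    elif evt == "registry_set" and AUTORUN_RE.search(ev.get("key", "")):
        return "autorun_key_added"
    elif evt == "file_scan" and int(ev.get("count", 0)) >= FILE_SCAN_THRESHOLD:
        return "mass_file_scan"
    elif evt == "net_conn" and ev.get("dst") in THREAT_LIST:
        return "threat_list_connection"
    return None


def correlate(lines):
    """Return (host, time, behaviors) alerts: REQUIRED distinct behaviors seen on
    one host inside WINDOW. One alert per host per window, so a host that keeps
    misbehaving does not flood the analyst with repeats."""
    recent = defaultdict(deque)   # host -> deque of (ts, behavior) inside the window
    last_alert = {}               # host -> time of the last alert raised
    alerts = []
    for line in lines:
        ev = parse_event(line)
        behavior = classify(ev)
        if behavior is None:
            continue
        host, ts = ev["host"], ev["ts"]
        q = recent[host]
        q.append((ts, behavior))
        while q and ts - q[0][0] > WINDOW:   # expire events older than the window
            q.popleft()
        seen = sorted({b for _, b in q})
        recently_alerted = host in last_alert and ts - last_alert[host] <= WINDOW
        if len(seen) >= REQUIRED and not recently_alerted:
            last_alert[host] = ts
            alerts.append((host, ts, seen))
    return alerts


# Constructed sample events: a benign host, the infection chain from the last
# slide on DORADO, and a backup server where two behaviors occur ten minutes apart.
SAMPLE_EVENTS = [
    r'2017-10-06T09:14:02 host=FINANCE-PC evt=process_start image="C:\Program Files\Microsoft Office\EXCEL.EXE"',
    r'2017-10-06T09:15:01 host=DORADO evt=net_conn dst=198.51.100.23 dport=443',
    r'2017-10-06T09:15:04 host=DORADO evt=process_start image="C:\Users\jdoe\AppData\Local\Temp\7zbqx.exe"',
    r'2017-10-06T09:15:09 host=DORADO evt=registry_set key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\7zbqx"',
    r'2017-10-06T09:15:20 host=DORADO evt=process_start image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin delete shadows /all /quiet"',
    r'2017-10-06T09:15:45 host=DORADO evt=file_scan image="C:\Users\jdoe\AppData\Local\Temp\7zbqx.exe" count=2650',
    r'2017-10-06T10:00:00 host=BACKUP-SRV evt=process_start image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin delete shadows /for=D: /oldest"',
    r'2017-10-06T10:10:30 host=BACKUP-SRV evt=registry_set key="HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BackupAgent"',
]

if __name__ == "__main__":
    for host, ts, seen in correlate(SAMPLE_EVENTS):
        print(f"HIGH RISK {ts.isoformat()} {host}: {', '.join(seen)}")
```

On the sample data only DORADO fires, at the third behavior (09:15:09); the backup server's legitimate vssadmin run and its later autorun key never land in the same window, which is the point of the time bound.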