Detecting & Automatically Blocking Ransomware Martin Overton EMEA Cyber Risk Specialist AIG #IoTDS

Page 1: Detecting & Automatically Blocking Ransomware

Detecting & Automatically Blocking Ransomware

Martin Overton

EMEA Cyber Risk Specialist

AIG

#IoTDS

Page 2: Detecting & Automatically Blocking Ransomware

• I’m not an underwriter

• I’m not an insurance specialist

• I am a techie with almost 30 years of real-world, hands-on experience of security, including:

• Almost 30 years of experience in malware analysis, defence and remediation

• Over 15 years of Ethical Hacking experience (including social engineering)

• Over 10 years of digital forensics experience

• Been lecturing at UK universities for over 12 years

• Been at AIG since August 1st 2016

• Any of the companies/products mentioned are for illustrative purposes only and should not be taken as any form of endorsement

Disclaimer


Page 3: Detecting & Automatically Blocking Ransomware

Agenda

• Definitions

• Types

• Examples

• How do they get in?

• What can you do to try and stop it happening in the first place?

• Can we get the files back?

• Conclusions and Recommendations…


Page 4: Detecting & Automatically Blocking Ransomware

What is RansomWare?

• Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive (cryptoviral extortion, a threat originally envisioned by Adam Young and Moti Yung), while some may simply lock the system and display messages intended to coax the user into paying.

• While initially popular in Russia, the use of ransomware scams has grown internationally; in June 2013, security software vendor McAfee released data showing that it had collected over 250,000 unique samples of ransomware in the first quarter of 2013—more than double the number it had obtained in the first quarter of 2012…

Since then the growth has been explosive!


Page 5: Detecting & Automatically Blocking Ransomware

What Types of Ransomware are There?

• Lockers

• Lockers do not encrypt data or drives; they simply lock the user out of their system until they pay to get access back. This style of ransomware is not as prevalent as it used to be. It often relied on scare tactics, claiming to be from law enforcement (the police) or from national and international agencies such as the FBI, Interpol and Europol…

• Crypto Ransomware

• This is the type that most individuals and companies now get hit by. When triggered it encrypts data or whole drives using either symmetric (single key) or asymmetric (public/private key) encryption; if the cryptography is implemented properly, the files cannot be recovered without the key. This type of ransomware also tends to securely delete the original files and to remove restore points and Volume Shadow Copies, closing off the usual recovery routes.

Page 6: Detecting & Automatically Blocking Ransomware

Malware Myth - Malware extortion (RansomWare) started with GPCode

It did not. GPCode (first seen in 2004) was the first widely reported crypto-ransomware of the modern era, but the AIDS Information Trojan, the "AIDS Disk" on the next slide, was mailed out on floppy disks in December 1989; after a number of reboots it hid directories and scrambled file names on the C: drive and demanded a "licence fee" be sent to a PO box in Panama.

Page 7: Detecting & Automatically Blocking Ransomware

AIDS Disk

Page 8: Detecting & Automatically Blocking Ransomware

Typical Examples

• CryptoLocker/CryptoWall

• CTB-Locker

• CryptoDefense

• TorrentLocker

• Reveton

• GPCode

• CryZip

• SamSam

• Locky

• WannaCry

• Petya/NotPetya

• Lots of others…


Page 9: Detecting & Automatically Blocking Ransomware

How a typical Ransomware works…

[Diagram: the Initial Infection Source delivers the Malware or Dropper to the Victim over the Internet (Inbound Bad Traffic / Outbound Bad Traffic). The malware sends an Outbound Key Request to the Bad Guys' Server, where Key Creation produces a public/private key pair; the Private Key stays on the server and only the Public Key is returned to the victim (Inbound Public Key). The victim's files are then encrypted under that key (Encryption Path), so the key needed to decrypt never touches the infected machine.]

Page 10: Detecting & Automatically Blocking Ransomware

Source: https://threatpost.com/fbi-says-cryptowall-cost-victims-18-million-since-2014/113432

“FBI Says Cryptowall

Cost Victims

$18 Million Since 2014”


Page 11: Detecting & Automatically Blocking Ransomware

Ransomware that spreads… WannaCry

• The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running Microsoft Windows by encrypting data and demanding ransom payments in Bitcoin. It spread using the EternalBlue SMBv1 exploit, developed by the NSA and leaked by the Shadow Brokers in April 2017. It was not a zero-day by the time of the outbreak: Microsoft had patched the underlying flaw in March 2017 (MS17-010), so WannaCry hit systems that had not yet applied that update or were running versions of Windows that no longer received it.

• Within a day it was reported to have infected more than 230,000 computers in over 150 countries. Parts of the United Kingdom's National Health Service (NHS) were infected, causing it to run some services on an emergency-only basis during the attack. Spain's Telefónica, FedEx and Deutsche Bahn were hit, along with many other organisations worldwide.

• Shortly after the attack began, Marcus Hutchins, a 22-year-old web security researcher from North Devon in England then known online as MalwareTech, discovered an effective kill switch by registering a domain name he found in the code of the ransomware. This greatly slowed the spread of the infection, effectively halting the initial outbreak on Monday, 15 May 2017, but new versions have since been detected that lack the kill switch. Researchers have also found ways to recover data from infected machines under some circumstances.

We will see more Ransomware that can move from system to system on their own…

Page 12: Detecting & Automatically Blocking Ransomware

Ransomware that spreads… NotPetya

• On 27th June 2017 a major global cyberattack began, using a new variant of Petya; Ukrainian companies were among the first to report being attacked. On that day Kaspersky Lab reported infections in France, Germany, Italy, Poland, the United Kingdom and the United States, but that the majority of infections were in Russia and Ukraine, where more than 80 companies were initially attacked, including the National Bank of Ukraine. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit at about 9%. Experts believed this was a politically motivated attack against Ukraine, since it occurred on the eve of the Ukrainian holiday Constitution Day.

• Kaspersky dubbed this variant "NotPetya", as it differs substantially in operation from earlier Petya variants. McAfee engineer Christiaan Beek stated that this variant was designed to spread quickly, and that it had been targeting "complete energy companies, the power grid, bus stations, gas stations, the airport, and banks".

• The software update mechanism of M.E.Doc, a Ukrainian tax preparation program that, according to F-Secure analyst Mikko Hyppönen, "appears to be de facto" among companies doing business in the country, was compromised to spread the malware: a software supply-chain attack rather than a phishing campaign. Once inside a network it spread laterally using the same EternalBlue exploit as WannaCry, plus stolen credentials with PsExec and WMI, so fully patched machines could still be infected from a compromised neighbour. Although it presented as ransomware, the encrypted data could not be recovered even when the ransom was paid, so in effect it was a wiper.

We will see more Ransomware that can move from system to system on their own…

Page 13: Detecting & Automatically Blocking Ransomware

How do they get in?

• Email
  • Attachment (DOC, PDF, ZIP, CAB, etc.)
  • Link to a booby-trapped website
  • Phishing emails

• Drive-by download
  • Malvertising
  • Compromised websites
  • Links in social networking posts (Facebook, Twitter, etc.)

• Previously compromised/infected system
  • Already under the remote control of the bad guys 'n girls…
  • Usually with a bot client (malware)

• Exposed remote access (e.g. RDP with weak or reused passwords), the route used in targeted attacks such as SamSam

• Most of these rely on social engineering…

Page 14: Detecting & Automatically Blocking Ransomware

Ransomware - Targets

• Windows

• Mac

• Unix/Linux

• Cloud

• Smart devices (including phones and tablets)

• IoT

• Websites

• Databases

Page 15: Detecting & Automatically Blocking Ransomware

Decoy, honeypots and other early warning systems

• Decoy/Deception: Allure Security Technology, Acalvio Technologies, Attivo Networks, CounterCraft, CyberTrap, Cymmetria, ForeScout, GuardiCore, Hexis Cyber Solutions, Illusive Networks, LogRhythm, Percipient Networks, Rapid7, Ridgeback Network Defense, Shape Security, Smokescreen Technologies, Specter, Thinkst, TrapX Security and Topspin Security.

• Others: FireEye, BluVector, CrowdStrike, DarkTrace, CarbonBlack

• Intrusion Detection / Prevention

• Security Information and Event Management (SIEM)

• Honeypots, Honeynets, Tarpits, etc.

The common idea is to plant something that no legitimate user or process should ever touch (a fake host, share, credential or file) and treat any access to it as a high-confidence alert. That is exactly the signal you want against ransomware: a decoy file that sorts to the top of a share is typically among the first files an encryption run touches, minutes before anyone notices a ransom note.
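As an added example, not code from the deck or from any of the vendors listed above, the decoy idea can be built from what a Windows file server already ships: plant canary files at the top of a share, watch them with a FileSystemWatcher, and on the first write, rename or delete close the SMB sessions that have files open there. The share path, decoy names and event source are placeholders I chose; the script assumes it runs elevated on the file server itself (so the SmbShare cmdlets see the sessions) and that most crypto-ransomware walks a directory in sort order, which is why the decoys are named to sort first.

```powershell
# Added example, not part of the original deck: turn decoy files into an
# automatic blocking control on a Windows file server.
# Assumptions (mine): run elevated on the server hosting the share; $ShareRoot,
# the decoy names and the event-log source are placeholders.
#Requires -RunAsAdministrator

$ShareRoot  = 'D:\Shares\Finance'
$DecoyNames = @('!!0000-do-not-open.docx', '!!0001-salaries.xlsx')
$LogSource  = 'RansomwareCanary'

if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}

# 1. Plant the decoys (unique content, so an untouched decoy is distinguishable
#    from a re-created one) and remember their full paths.
$Decoys = @{}
foreach ($name in $DecoyNames) {
    $path = Join-Path $ShareRoot $name
    if (-not (Test-Path $path)) {
        Set-Content -Path $path -Value "CANARY $(Get-Date -Format o) $([guid]::NewGuid())"
    }
    $Decoys[$path] = $true
}

# 2. Response: close every SMB session that has a file open below the share and
#    log who it was. A legitimate user with a document open is disconnected too,
#    which is cheap next to a share full of encrypted files. Defined in the global
#    scope so the event action below can call it.
function global:Block-CanaryToucher {
    param([string]$ShareRoot, [string]$TouchedPath, [string]$LogSource)
    $sessionIds = Get-SmbOpenFile |
        Where-Object { $_.Path -like "$ShareRoot\*" } |
        Select-Object -ExpandProperty SessionId -Unique
    foreach ($id in $sessionIds) {
        $s = Get-SmbSession -SessionId $id
        Write-EventLog -LogName Application -Source $LogSource -EventId 9001 -EntryType Error `
            -Message "Canary $TouchedPath was modified; closing SMB session $id ($($s.ClientUserName) from $($s.ClientComputerName))"
        Close-SmbSession -SessionId $id -Force
    }
    return @($sessionIds).Count
}

# 3. Watch only the decoys ('!!*' filter). For a rename the original name is in
#    OldFullPath; for a write or delete it is FullPath.
$Watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $ShareRoot, '!!*'
$Watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'
$Watcher.EnableRaisingEvents = $true

$Action = {
    $ea  = $Event.SourceEventArgs
    $md  = $Event.MessageData
    $hit = if ($ea.ChangeType -eq 'Renamed') { $ea.OldFullPath } else { $ea.FullPath }
    if ($md.Decoys.ContainsKey($hit)) {
        Block-CanaryToucher -ShareRoot $md.ShareRoot -TouchedPath $hit -LogSource $md.LogSource
    }
}
$Data = @{ Decoys = $Decoys; ShareRoot = $ShareRoot; LogSource = $LogSource }
foreach ($evt in 'Changed', 'Renamed', 'Deleted') {
    Register-ObjectEvent -InputObject $Watcher -EventName $evt -SourceIdentifier "Canary$evt" `
        -Action $Action -MessageData $Data | Out-Null
}

# Keep the process alive (run as a scheduled task at start-up, or wrap in a service).
while ($true) { Start-Sleep -Seconds 5 }
```

Two design points: the event action runs in its own scope, so the decoy table and share path are passed in via -MessageData rather than relied on as script variables; and the response keys on "any session with a file open under the share" rather than on the handle to the decoy, because ransomware closes its handle within milliseconds and the decoy's own open file is usually gone by the time the event fires. Forward event 9001 to your SIEM, and test the whole loop by editing a decoy from a workstation before trusting it.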

Page 16: Detecting & Automatically Blocking Ransomware

Ransomware Incidents – Pay or Not to Pay, That is the Question!

“The quickest and most efficient way to restore our systems and

administrative functions was to pay the ransom”

- Allen Stefanek, president and chief executive of Hollywood Presbyterian

“We are not going to pay... we wouldn't pay a ransom fee.”

- Judith Hetherington-Smith, Lincolnshire County Council


By paying you are validating the bad guys ’n girls business model; you may, in some cases, also be supporting terrorists … At the very least you are perpetuating the risk for yourself and others!

Page 17: Detecting & Automatically Blocking Ransomware

So How Many Actually Pay Up?

• A recent survey carried out by the University of Kent found that a whopping 41% of those hit by ransomware paid up!

• We know that the following organisations have paid to get their data back:

• Tewksbury, Mass. police department was taken over by CryptoLocker and paid up

• Midlothian, Ill. police paid the ransom

• Lincoln County, Maine Sheriff's Office and four local police departments also fell victim to ransomware and paid up

• Several other Maine police agencies reported being hit by ransomware and paid up

• In some cases you can’t even pay to get your data back, for example when what was encrypted is:

• The backend databases powering webservers

• Whole disks/partitions

Page 18: Detecting & Automatically Blocking Ransomware

What can you do to try and stop it happening in the first place? – Overview…

• Improved email and web scanning/URL filtering

• Use multiple AV engines and reputational scoring

• Anti-spam that does SPF and/or DKIM checks

• Threat data feeds (input into firewalls, IPS, SIEM, etc.)

• User education, including regular test “phishing” campaigns

• Restrict rights, on workstations and especially on server/corporate shares

• Tighten Windows policies: use software restriction policies

• Patch the OS and ALL applications quickly (especially Adobe Acrobat, Flash and Java)

• Use specific anti-ransomware tools…

Page 19: Detecting & Automatically Blocking Ransomware

What can you do to try and stop it happening in the first place?

• Improved email and web scanning/URL filtering

• Use multiple AV engines and reputational scoring

• Anti-spam that does SPF and/or DKIM checks

• Block access to Tor (entry nodes) and to Tor2Web-style proxies/gateways; many families fetch their key or their payment page over Tor

• Investigate every connection attempt to Tor or to Tor proxies/gateways, as on a corporate network this is a strong indicator of an infected system

Page 20: Detecting & Automatically Blocking Ransomware

What can you do to try and stop it happening in the first place?

• User education

• Keep it simple

• Back it up with acceptable use and security policies that staff can understand and can be held accountable against.

• However, you will find that 10-20% of your staff are untrainable…

• Regular test “phishing” campaigns

• These should cover the following:

• Phishing (email and web)

• Phishing (phone, i.e. vishing)

Page 21: Detecting & Automatically Blocking Ransomware

What can you do to try and stop it happening in the first place?

• Restrict rights on workstations and shares

• Do not allow all staff to have Administrator level access to their system (laptop, desktop)

• Only allow the least level of rights required to perform their role

• Restrict write access on shares, rather than allow all staff to write to shares

• Do not allow staff to install software….more on that shortly


Page 22: Detecting & Automatically Blocking Ransomware

What can you do to try and stop it happening in the first place?

• Tighten Windows Policies - Use software restriction policies

• AppLocker was introduced in Windows 7 and Windows Server 2008 R2 as the successor to Software Restriction Policies (SRP). Note that AppLocker rules are only enforced on Enterprise and Education editions (Ultimate or Enterprise on Windows 7) and on Windows Server; on other editions SRP remains the option available to you.

• AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files, such as executable files, scripts, Windows Installer files, and DLLs. Using AppLocker, you can:

• Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that persist through updates, or you can create rules for a specific version of a file. Publisher and hash rules are preferable to path rules for ransomware defence, because a path rule is only as good as your list of user-writable locations.

• Assign a rule to a security group or an individual user.

• Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor (Regedit.exe).

• Use audit-only mode to deploy the policy and understand its impact before enforcing it.

• Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten.

• Simplify creating and managing AppLocker rules by using the AppLocker PowerShell cmdlets.
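An added example, mine rather than the deck's or Microsoft's, of the audit-first workflow the last two bullets describe, using the AppLocker PowerShell cmdlets: inventory the executables on a clean reference workstation, generate publisher/hash allow rules, flip every rule collection to AuditOnly, dry-run the policy against whatever is already in the user's profile, deploy it, and later read back the "would have blocked" events. The directory list and output path are placeholders; the script assumes an elevated session on an edition that ships the AppLocker module.

```powershell
# Added example, not from the deck: AppLocker in audit-only mode, end to end.
# Assumptions (mine): run elevated on Enterprise/Education or Windows Server;
# $ReferenceDirs and $OutFile are placeholders. Windows itself is covered by
# Microsoft's default rules, which you should merge in before enforcing.
#Requires -RunAsAdministrator

$ReferenceDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
$OutFile       = "$env:ProgramData\AppLocker-Audit.xml"

# 1. Inventory executables, scripts, installers and DLLs in the trusted locations.
$files = foreach ($dir in $ReferenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller, Dll
}

# 2. Publisher rules where a file is signed (they survive updates), hash rules otherwise.
#    -Optimize collapses rules that share a publisher; -IgnoreMissingFileInformation
#    skips files whose signature or hash could not be read instead of aborting.
[xml]$policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -Optimize -IgnoreMissingFileInformation -Xml

# 3. Audit first: every rule collection logs instead of blocks.
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$policy.Save($OutFile)

# 4. Dry run against what already lives in the user's profile. Anything listed is a
#    per-user application (legitimate or not) that needs a decision before enforcement.
$profileExes = Get-ChildItem -Path $env:LOCALAPPDATA, $env:APPDATA -Recurse -Include *.exe -ErrorAction SilentlyContinue
if ($profileExes) {
    Test-AppLockerPolicy -XmlPolicy $OutFile -Path $profileExes.FullName -User Everyone `
        -Filter Denied, DeniedByDefault | Select-Object FilePath, PolicyDecision, MatchingRule
}

# 5. Apply locally (in a domain, import the XML into a GPO instead) and make sure the
#    Application Identity service that AppLocker depends on starts automatically.
Set-AppLockerPolicy -XmlPolicy $OutFile
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# 6. After a week in audit, review what would have been blocked.
#    Event 8003 = audit "would have blocked"; 8004 = blocked once enforced.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, UserId, Message -First 20
```

The step that matters most is 4: it is where you discover the OneDrive, Teams or line-of-business installers that live under the user profile and would otherwise break on the day you switch the collections to Enabled. Only after the 8003 stream has been quiet for a while should you edit the XML back to EnforcementMode="Enabled" and redeploy.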

Page 23: Detecting & Automatically Blocking Ransomware

Disable Windows Scripting Host

• This will stop malware delivered as JScript (.js, .jse), VBScript (.vbs, .vbe) or Windows Script Files (.wsf, .wsh) from running via wscript.exe/cscript.exe, which is how most script-based ransomware downloaders of this period were launched from e-mail attachments.

• This can be done centrally via Group Policy (a Registry preference item); create the following registry value:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled (REG_DWORD) and set its ‘Value data’ to 0 (a zero).

• This de-fangs any ransomware or other malware that relies on Windows Script Host to infect a system; instead of happily executing the script, the user is shown a dialog reading "Windows Script Host access is disabled on this machine. Contact your administrator for details."

• Caveat: this only covers scripts run through WSH. Office macros (VBA), PowerShell, HTML Applications (.hta, run by mshta.exe) and JavaScript in the browser are unaffected and need their own controls, e.g. blocking macros in documents from the Internet and restricting mshta.exe and powershell.exe with AppLocker or SRP. Check whether any in-house logon or admin scripts depend on WSH before you turn it off.

• This warning message box is preferable to your users seeing a ransom note, because by then it is too late…
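The same change as a script, added here and not part of the original slides: it writes the registry value described above and then proves it took effect by trying to run a harmless, constructed VBScript through cscript.exe. It assumes an elevated session; in a domain the value would normally be pushed with a Group Policy Preferences registry item rather than run per host.

```powershell
# Added example, not from the deck: disable Windows Script Host machine-wide and
# verify that scripts no longer run. Assumption (mine): run elevated.
#Requires -RunAsAdministrator

$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Disable-WindowsScriptHost {
    # The Settings key normally exists; create it if not, then Enabled = 0 (REG_DWORD).
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    Set-ItemProperty -Path $WshKey -Name Enabled -Value 0 -Type DWord
    return (Get-ItemProperty -Path $WshKey -Name Enabled).Enabled   # 0 = disabled
}

function Test-WindowsScriptHostBlocked {
    # Constructed probe: with WSH enabled it echoes a line; with WSH disabled
    # cscript.exe prints the "access is disabled" error instead.
    $probe = Join-Path $env:TEMP 'wsh-probe.vbs'
    Set-Content -Path $probe -Value 'WScript.Echo "WSH is still enabled"'
    $output = & cscript.exe //Nologo $probe 2>&1
    Remove-Item -Path $probe -Force
    return (($output -join "`n") -notmatch 'still enabled')
}

Disable-WindowsScriptHost        # 0
Test-WindowsScriptHostBlocked    # True once the value is in place
```

Run the test function again after your next change-control window: the value lives outside the Policies hive, so an installer or a well-meaning administrator can silently set it back to 1, which is why delivering it as a GPP item (which re-applies on every refresh) is preferable to a one-off script.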

Page 24: Detecting & Automatically Blocking Ransomware

Too Late, We’ve Been Hit - Can we get the files back? If your files have become encrypted and you are not going to pay the ransom then there are a few methods you can try to restore your files.

• Method 1: Backups

• The first and best method is to restore your data from a recent backup. If you have been performing backups, then you should use your backups to restore your data; check first that the backup itself was not reachable from the infected system, otherwise it may have been encrypted too.

• Method 2: File Recovery Software

• When CryptoWall encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Because of this you can use file recovery (undelete) software to possibly recover some of your original files. It is important to note that the more you use your computer after the files are encrypted the more difficult it will be for file recovery programs to recover the deleted unencrypted files, so image the disk, or at least stop writing to it, before you try. This only helps against families that delete the original; those that encrypt in place or securely wipe leave nothing to undelete.

Page 25: Detecting & Automatically Blocking Ransomware

Too Late, We’ve Been Hit - Can we get the files back?

• Method 3: Shadow Volume Copies

• As a last resort, you can try to restore your files via Shadow Volume Copies (the Windows "Previous Versions" feature). Unfortunately, most crypto-ransomware will attempt to delete any Shadow Volume Copies on your computer, typically by running vssadmin delete shadows /all /quiet, but sometimes it fails to do so, for example because the user did not have administrator rights or declined the UAC prompt, and you can use them to restore your files. vssadmin list shadows will show whether any survive.

• Note: Newer variants of ransomware will attempt to delete all shadow copies when you first start any executable on your computer after becoming infected. Thankfully, the infection is not always able to remove the shadow copies, so you should continue to try restoring your files using this method. Because end users almost never run vssadmin.exe (or wmic shadowcopy delete) themselves, an attempt to do so is a useful detection signal in its own right.

Page 26: Detecting & Automatically Blocking Ransomware

Too Late, We’ve Been Hit - Can we get the files back?

If you are VERY lucky you may be able to either recover the encryption key or find a decryptor:

• https://noransom.kaspersky.com/

• https://download.bleepingcomputer.com/demonslay335/AlphaDecrypter-fp.zip - To extract the decryptor, you need to use the password: false-positive.

• http://www.talosintel.com/teslacrypt_tool/

• http://www.tripwire.com/state-of-security/security-data-protection/ransomware-happy-ending-10-known-decryption-cases/

• https://www.grahamcluley.com/2016/04/decryption-tool-released-locky-ransomware-impersonator/

• https://www.grahamcluley.com/2016/04/petya-ransomware-unlock-tool/


Page 27: Detecting & Automatically Blocking Ransomware

Conclusions and Recommendations

• There is NO 100% solution, no Silver Bullet!

• However there are things you can do to help minimise the impact of an attack:

• Harden systems, reduce rights, disable macros (unless signed or on a whitelist)

• Disable Windows Scripting Host (stops the .JS/.VBS/.WSF scripts used by the bad guys 'n girls)

• Train staff (and regularly test them)

• Use software restriction policies, or AppLocker

• Use a specific anti-ransomware tool

• Improve URL and email filtering (anti-spam, reputational checks, blacklists, etc.), including checking that the Message-ID header carries a valid, fully qualified domain name, a cheap heuristic because spam bots often generate malformed ones

• Use multiple AV engines to scan all e-mail and web content

• Set up a dedicated reporting email address and monitor it

• Make your security policy and internet usage policy clearer and enforce it…

• Ensure that you take regular, tested backups, with at least one copy kept off-site and offline (tape, optical media or storage otherwise unreachable from the network), so the ransomware cannot encrypt the backups as well

2017 is turning out to be the year of Business Interruption…

Page 28: Detecting & Automatically Blocking Ransomware

[email protected]

M +44 (0) 7740 500 979 | T +44 (0) 207 954 7129

Twitter: @martin_sec

LinkedIn: https://uk.linkedin.com/in/overtonm

Visit: www.aig.com/cyberedge and watch our CyberEdge Partner videos…

Visit: www.aig.com/cyberriskconsulting to learn more…

Thank you for your participation!

Questions

Page 29: Detecting & Automatically Blocking Ransomware

Software Restriction Policies…Examples

• Block executables run from archive attachments opened with 7-Zip:
• Path (Windows Vista/7/8 and later): %LocalAppData%\Temp\7z*\*.exe
• Security Level: Disallowed
• Description: Block executables run from archive attachments opened with 7-Zip.

• Block executables run from archive attachments opened with WinZip:
• Path (Windows Vista/7/8 and later): %LocalAppData%\Temp\wz*\*.exe
• Security Level: Disallowed
• Description: Block executables run from archive attachments opened with WinZip.

• Block executables run from archive attachments opened using Windows built-in Zip support:
• Path (Windows Vista/7/8 and later): %LocalAppData%\Temp\*.zip\*.exe
• Security Level: Disallowed
• Description: Block executables run from archive attachments opened using Windows built-in Zip support.

Page 30: Detecting & Automatically Blocking Ransomware

Software Restriction Policies…Examples (cont.)

• Below are a few path rules that are suggested to not only block the infections from running, but also to block attachments from being executed when opened in an e-mail client.

• Block CryptoWall executable in %AppData%
• Path: %AppData%\*.exe
• Security Level: Disallowed
• Description: Don't allow executables to run from %AppData%.

• Block CryptoWall executable in %LocalAppData%
• Path (Windows Vista/7/8 and later): %LocalAppData%\*.exe
• Security Level: Disallowed
• Description: Don't allow executables to run from %LocalAppData%.

• But there’s more….

Page 31: Detecting & Automatically Blocking Ransomware

Software Restriction Policies…Examples (cont.)

• Block Zbot executable in %AppData%
• Path: %AppData%\*\*.exe
• Security Level: Disallowed
• Description: Don't allow executables to run from immediate subfolders of %AppData%.

• Block Zbot executable in %LocalAppData%
• Path (Windows Vista/7/8 and later): %LocalAppData%\*\*.exe
• Security Level: Disallowed
• Description: Don't allow executables to run from immediate subfolders of %LocalAppData%.

• Block executables run from archive attachments opened with WinRAR:
• Path (Windows Vista/7/8 and later): %LocalAppData%\Temp\Rar*\*.exe
• Security Level: Disallowed
• Description: Block executables run from archive attachments opened with WinRAR.

• Caveat: the %AppData% and %LocalAppData% rules also block legitimate per-user installs (several modern applications, OneDrive and classic Teams among them, install under %LocalAppData%), so deploy them to a test OU first and add Unrestricted rules for the specific paths or publishers you need.
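An added example, not from the slides, that applies all of the path rules on the last three pages as local SRP "Disallowed" rules and then verifies one of them by dropping a harmless copy of notepad.exe into a blocked location. It assumes an elevated session and the registry layout that local SRP policy is stored in (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}, with ItemData holding the path and level 0 meaning Disallowed); that layout is my assumption about the store, not something the deck states. In a domain you would create the same rules in a GPO under Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies rather than writing the registry directly.

```powershell
# Added example, not from the deck: the slides' SRP path rules as local policy.
# Assumptions (mine): run elevated; SRP local policy lives under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}
# (ItemData = path, SaferFlags = 0), level 0 = Disallowed, 262144 (0x40000) = Unrestricted.
#Requires -RunAsAdministrator

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Rules = @(
    @{ Path = '%AppData%\*.exe';                 Desc = "Don't allow executables to run from %AppData%" },
    @{ Path = '%AppData%\*\*.exe';               Desc = "Don't allow executables to run from immediate subfolders of %AppData%" },
    @{ Path = '%LocalAppData%\*.exe';            Desc = "Don't allow executables to run from %LocalAppData%" },
    @{ Path = '%LocalAppData%\*\*.exe';          Desc = "Don't allow executables to run from immediate subfolders of %LocalAppData%" },
    @{ Path = '%LocalAppData%\Temp\7z*\*.exe';   Desc = 'Block executables run from archive attachments opened with 7-Zip' },
    @{ Path = '%LocalAppData%\Temp\wz*\*.exe';   Desc = 'Block executables run from archive attachments opened with WinZip' },
    @{ Path = '%LocalAppData%\Temp\Rar*\*.exe';  Desc = 'Block executables run from archive attachments opened with WinRAR' },
    @{ Path = '%LocalAppData%\Temp\*.zip\*.exe'; Desc = 'Block executables run from archive attachments opened with Windows Zip support' }
)

# 1. Policy-wide settings: default level Unrestricted, all users (PolicyScope 0),
#    all executable types except DLLs (TransparentEnabled 1), no certificate rules.
if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
Set-ItemProperty -Path $Safer -Name DefaultLevel        -Value 0x40000 -Type DWord
Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1       -Type DWord
Set-ItemProperty -Path $Safer -Name PolicyScope         -Value 0       -Type DWord
Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0       -Type DWord
Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
    'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')

# 2. One Disallowed path rule per entry; re-running the script does not duplicate them.
$Disallowed = Join-Path $Safer '0\Paths'
if (-not (Test-Path $Disallowed)) { New-Item -Path $Disallowed -Force | Out-Null }
$existing = Get-ChildItem -Path $Disallowed | ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
foreach ($r in $Rules) {
    if ($existing -contains $r.Path) { continue }
    $key = Join-Path $Disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Value $r.Path -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags   -Value 0       -Type DWord
    Set-ItemProperty -Path $key -Name Description  -Value $r.Desc -Type String
    Set-ItemProperty -Path $key -Name LastModified -Value (Get-Date).ToFileTime() -Type QWord
}

# 3. Verify the 7-Zip rule: a signed, harmless binary copied under %LocalAppData%\Temp\7z*
#    must refuse to start ("This program is blocked by group policy ..."). If it still runs,
#    sign out and back in: SRP is evaluated at process creation, and an existing logon
#    session may be holding the old policy.
$probeDir = Join-Path $env:LOCALAPPDATA 'Temp\7zO-srp-probe'
New-Item -ItemType Directory -Path $probeDir -Force | Out-Null
$probe = Join-Path $probeDir 'notepad-copy.exe'
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $probe -Force
try   { Start-Process -FilePath $probe -PassThru -ErrorAction Stop | Stop-Process -Force; 'NOT blocked' }
catch { "Blocked: $($_.Exception.Message)" }
Remove-Item -Path $probeDir -Recurse -Force
```

The probe is the important part: a path rule that nobody has tested is indistinguishable from no rule at all. Keep a copy of the probe step in your build verification so a later policy change that silently removes the rules is caught.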

Page 32: Detecting & Automatically Blocking Ransomware

Recent Breaches In The News - San Francisco MUNI

• November 2016 - An attacker infected over 2,000 workstations, ticket terminals and servers within the San Francisco MUNI infrastructure with ransomware, causing fare station terminals to display the message “You are Hacked. ALL Data Encrypted.”

• Unable to issue tickets or accept fares, the City opened all gates and charged no fare for transit system use

• The attacker demanded 100 bitcoins, approximately $75,000 at the time, in ransom

• MUNI was able to restore systems from clean backups after several days of outage and did not pay

Krebs On Security (November 2016), San Francisco Rail System Hacker Hacked, retrieved from https://krebsonsecurity.com/2016/11/san-francisco-rail-system-hacker-hacked/

Page 33: Detecting & Automatically Blocking Ransomware

Recent Municipality Breaches In The News - Washington D.C. Police

• On 12 January 2017, D.C. police noticed four camera sites were not functioning properly and notified their technology office. The technology office found two forms of ransomware in the four recording devices and launched a citywide sweep of the network, where they found more infected sites

• Hackers infected 70 percent of the storage devices that record data from D.C. police surveillance cameras, 123 of 187 network video recorders, eight days before President Trump’s inauguration

• The ransom was not paid and the system was restored to working order over the next 4 days by taking the devices offline, removing all software and restarting the system at each site

Washington Post (January 2017), Hackers hit D.C. police closed-circuit camera network, city officials disclose, retrieved from https://www.washingtonpost.com/local/public-safety/hackers-hit-dc-police-closed-circuit-camera-network-city-officials-disclose/2017/01/27/d285a4a4-e4f5-11e6-ba11-63c4b4fb5a63_story.html

Page 34: Detecting & Automatically Blocking Ransomware

Recent Hotel & Leisure Breaches In The News - Austrian Hotel – Romantik Seehotel Jägerwirt

• In January 2017 the four-star ski resort hotel Romantik Seehotel Jägerwirt had its electronic key card and reservation systems compromised with ransomware

• With the systems down, new key cards could not be issued or reprogrammed, and no reservations or check-in services could be performed

• The attackers demanded a ransom of €1,500, payable in Bitcoin, to unlock the systems

• The hotel felt, in this case, that it had no choice but to pay the ransom. After the ransom was paid, the systems were unlocked and normal services resumed.

• The hotel was still working to identify the initial attack vector so as to prevent the same from happening again.