MOST RANSOMWARE MAY NOT BE AS COMPLEX AS YOU MAY THINK
HealthcareSecurityForum.com/Boston/2017 #HITsecurity
SEPTEMBER 11–13, 2017 BOSTON, MA
My Background
Professor at Northeastern University, Boston
• Started malware research in about 2004
• Helped build and release popular malware analysis and detection systems (Anubis, EXPOSURE, Wepawet, …)
Co-founder of Lastline and Lastline Labs
• Lastline offers protection against zero-day threats and advanced malware
• Commercialization of many years of advanced research
• Lastline Labs is the research and development arm of Lastline
Key Takeaways
The majority of ransomware launches relatively straightforward attack payloads
• Using bad cryptography, or standard cryptography libraries
• Deleting files, but not wiping them off disk
Compared to other malware, ransomware has very distinct, predictable behavior
• Ransom notes with background behavior, change in entropy of files, iterating over large numbers of files, etc.
What We Will Discuss
• Significance of the ransomware threat
• Complexity and sophistication of attacks
• Attack mechanisms
• Main ransomware weaknesses
• Better mitigation
The Anatomy of an Attack
A victim machine is compromised
• Ransomware is installed
• Once the attack payload is executed (if there is one), ransomware informs the victim of the attack
• The victim needs to pay; otherwise, his/her data is kept hostage or destroyed
Ransomware Landscape
Ransomware Evolution
The ransomware concept dates back to 1989
Clearly, ransomware attacks have increased in numbers over the last 5 years
• Many security reports talk about the sophistication and complexity of individual attacks
• The general public is left with the impression that we are faced with a new threat that is very difficult or impossible to prevent
“Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million.”
– FBI Security Bulletin, June 2015
Complexity and Sophistication
Typical way of measuring ransomware sophistication
• Looking at evasion (e.g., packing, dynamic checks, encryption, etc.)
• In this work, we are looking at the sophistication of the attack after compromise
Better Mitigation
Achilles’ Heel of Ransomware
Ransomware has to inform the victim that an attack has taken place
• Behavior inherent in its nature
Ransomware has certain behaviors that are predictable
• e.g., entropy changes, modal dialogs and background activity, accessing “honey” files
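The two predictable behaviors named in the Key Takeaways and on this slide (files whose entropy jumps after being rewritten in bulk, and a "honey" file that no legitimate user touches) can be checked with a simple snapshot diff. The following is an added example written for this page, not code from the talk or from Lastline; the entropy threshold, the minimum number of rewrites, the canary file name and the sample documents are all assumptions chosen for the example. Random bytes stand in for ciphertext so the scenario runs offline.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Thresholds are assumptions for this example, not values from the talk.
HIGH_ENTROPY = 7.2             # bits per byte; text and office files sit well below this
MIN_HIGH_ENTROPY_REWRITES = 3  # rewrites to high entropy needed before alerting
CANARY_NAME = "_canary_do_not_open.txt"   # hypothetical honey file nobody should touch
SAMPLE_TEXT = "Quarterly figures, patient intake, nothing unusual.\n" * 40  # constructed document


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root) -> dict:
    """Map each file under root to (entropy, sha256) so two snapshots can be diffed."""
    root = Path(root)
    out = {}
    for p in root.rglob("*"):
        if p.is_file():
            data = p.read_bytes()
            out[p.relative_to(root).as_posix()] = (shannon_entropy(data), hashlib.sha256(data).hexdigest())
    return out


def analyze(before: dict, after: dict) -> dict:
    """Diff two snapshots for the signals the talk names: mass rewrites that jump to
    high entropy, deleted files, newly created files, and a modified or missing canary."""
    rewrites = sorted(name for name, (ent, _) in after.items()
                      if name in before and before[name][0] < HIGH_ENTROPY <= ent)
    deleted = sorted(set(before) - set(after))
    created = sorted(set(after) - set(before))
    canary_hit = CANARY_NAME in before and before[CANARY_NAME] != after.get(CANARY_NAME)
    return {
        "alert": canary_hit or len(rewrites) >= MIN_HIGH_ENTROPY_REWRITES,
        "canary_hit": canary_hit,
        "high_entropy_rewrites": rewrites,
        "deleted": deleted,
        "created": created,
    }


def _seed(root: Path) -> None:
    """Constructed fixture: five plain-text reports plus the canary."""
    for i in range(5):
        (root / f"report_{i}.txt").write_text(SAMPLE_TEXT)
    (root / CANARY_NAME).write_text("canary, never edited by a person\n")


def demo_attack() -> dict:
    """Constructed scenario: every report is overwritten with random bytes (standing in
    for ciphertext), the canary is modified and a new note file appears. Must alert."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _seed(root)
        before = snapshot(root)
        for name in before:
            if name != CANARY_NAME:
                (root / name).write_bytes(os.urandom(4096))
        (root / CANARY_NAME).write_text("tampered\n")
        (root / "new_note.txt").write_text("constructed placeholder for a dropped note\n")
        after = snapshot(root)
    return analyze(before, after)


def demo_benign() -> dict:
    """Control case: one file is legitimately re-saved in a compressed, high-entropy
    format (random bytes stand in for it); nothing else changes. Must not alert."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _seed(root)
        before = snapshot(root)
        (root / "report_0.txt").write_bytes(os.urandom(4096))
        after = snapshot(root)
    return analyze(before, after)


if __name__ == "__main__":
    print(demo_attack())
    print(demo_benign())
```

The control case matters as much as the positive one: a single high-entropy write is normal (images, archives, already-encrypted documents), so the detector counts rewrites across many files and treats the canary as an independent, high-confidence signal. A production version would take the "before" state from a file-system journal or minifilter rather than from a full re-hash of the tree.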
Example: Dissecting Cryptolocker
Analysis Overview
Example: Dissecting Cryptolocker
Loaded libraries…
Apocalypse
Chimera
Almalocker
Behavior Summary
Which common ransomware behaviors did you observe?
Detectable Behaviors
Some Ransomware Families
almalocker apocalypse Bart blackshades / troldesh blocker bucbi cerber chimera coverton cribit critroni crowti cryakl cryfile crypfort crypmod crypmodadv
crypren cryproto crypt cryptear cryptodef
cryptolocker cryptowall cryptxxx cryrar crysis cryzip dalexis/CTBLocker/crypctb deshacop
dircrypt diskcoder dmalocker
domino doubleeagle ducry empercrypt exxroute
fantomcrypt filecoder filecryptor filelocker Geograph goopic gpcode gulcrypt
hexzone hmblocker hydracrypt
jigsaw jigsawlocker jobcrypter keeplock kryptik
lockscreen locky loktrom lortok lvbp maktub manamecrypt mbrlock
memekap nanolocker nymaim
ophionlock orxlocker padcrypt Petya/Mikhail/Mischa pinkblocker
pornoasset pottieq qikencrypt
rackcrypt radamcrypt rakhni rokku rsarist ruqwili ryzerlo samas
sarento teerac tescrypt threatfin torrentlocker
tovicrypt toxkrypt vbcrypt venuslocker virlock winlock winplock wlock
xorist yakes zepto zerolocker
Common Infection Vectors
Email attachments / URLs
• ZIP, DOC, JS, JSE, JScript, VBS, VBE, JAR, BAT, PS1, HTA
• Usually with a social engineering component
Web
• Exploit kits
• Some social engineering
Server
• RDP brute force
• OWA brute force
Defenses
Email
• Block attachment types which are high risk and of limited business value
• Restrict use of web mail on employer hardware (policy)
• Encourage employees to forward suspicious mail to the InfoSec / IT team
Web
• Restrict risky browser plugins
• Train employees to use an “inside” / “outside” browser model
— IE/Edge with business-necessary high-risk plug-ins for inside
— Firefox with Adblock Plus or uBlock Origin for outside
Server
• Multifactor authentication to slow down EVERYONE!
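The email defense above ("block attachment types which are high risk and of limited business value") is the one item here that reduces directly to code, and the infection-vector slide gives the type list. The following is an added example written for this page, not a filter from the talk or from any product: it parses a raw message with the Python standard library, judges each attachment by its final extension (so a double extension such as invoice.pdf.js is caught), and looks inside ZIP attachments by listing member names without extracting them. The split of the slide's list into "block" (script-like types) and "review" (DOC and ZIP, which often carry real work) is an assumption of this example, as is the constructed sample message.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Attachment types the talk lists as common ransomware carriers. The split into
# "block" and "review" is an assumption for this example: script-like types have
# little business value and are dropped; DOC and ZIP often carry real work, so
# they are flagged for a sandbox or a human instead (ZIP is also opened and its
# member names checked below).
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".jar", ".bat", ".ps1", ".hta"}
REVIEW_EXTENSIONS = {".doc", ".zip"}
RANK = {"allow": 0, "review": 1, "block": 2}


def classify_name(filename: str) -> str:
    """Verdict from the final extension only, case-insensitively, so that
    'invoice.pdf.js' is judged as a .js file and 'Report.PS1' as .ps1."""
    suffix = PurePosixPath(filename.lower()).suffix
    if suffix in BLOCKED_EXTENSIONS:
        return "block"
    if suffix in REVIEW_EXTENSIONS:
        return "review"
    return "allow"


def inspect_zip(outer_name: str, data: bytes) -> list:
    """List (member, verdict) pairs without extracting anything. Members that cannot be
    inspected (encrypted entries, nested archives, a corrupt archive) are sent to review."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            out = []
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{outer_name}!{info.filename}"
                if info.flag_bits & 0x1:          # encrypted entry: content is unreadable here
                    out.append((member, "review"))
                else:
                    out.append((member, classify_name(info.filename)))
            return out
    except zipfile.BadZipFile:
        return [(outer_name, "review")]


def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message; return the overall verdict and per-attachment findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings.append((name, classify_name(name)))
        if name.lower().endswith(".zip"):
            findings.extend(inspect_zip(name, data))
    verdict = max((v for _, v in findings), key=RANK.get, default="allow")
    return {"verdict": verdict, "findings": findings}


def build_sample() -> bytes:
    """Constructed test message: a harmless PDF plus a ZIP whose member uses a double extension."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.js", "// constructed placeholder text, not a script\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Listing archive members instead of extracting them keeps the filter cheap and avoids decompression bombs; anything it cannot see through (password-protected ZIPs, archives inside archives) goes to review rather than being allowed by default, which is the policy a gateway should apply when social engineering is part of the delivery.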
Engin Kirda Northeastern University / Lastline, Inc.