WHOAMI
I’m NOT a CEH
Creator of the Zombie Browser Toolkit
https://github.com/Z6543/ZombieBrowserPack
Creator of the HWFW Bypass tool
• Idea later(?) implemented by nation state attackers in Duqu 2.0
https://github.com/MRGEffitas/hwfwbypass
Creator of the Malware Analysis Sandbox Tester tool
https://github.com/MRGEffitas/Sandbox_tester
Invented the idea of encrypted exploit delivery via Diffie-Hellman key exchange, to bypass exploit detection appliances
• Implemented by Angler and Nuclear exploit kit developers
https://www.mrg-effitas.com/generic-bypass-of-next-gen-intrusion-threat-breach-detection-systems/
WHAT IS A RANSOMWARE
Malware executes on your computer
Blocks access to files or computer
Pay in Bitcoin or similar pseudo-anonymous means
There is a deadline to pay, after that ransom is higher or keys are deleted forever
http://malware.dontneedcoffee.com/2013/10/kovter-even-more-abominable-also-add.html
IOS „SCREENLOCKER”
CRYPTO RANSOMWARE
https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe
C:\Users\Dani\Desktop\nocrime\nocrime\obj\x86\Debug\turul.pdb
C:\Users\user\Desktop\kalosip\titkoss\obj\x86\Debug\mgtow.pdb
LINUX WEBSERVER RANSOMWARE
Encrypt the database, but the key is available for weeks/months
When the latest working backup is too old, keys are deleted
https://www.theguardian.com/technology/2015/feb/03/hackers-websites-ransom-switching-encryption-keys
LEAKWARE/DOXWARE
Pay, or I will publish your …
• E-mails
• Browser history
• The contents of your hidden, private folder
• Things you did in front of your webcam
Not very popular (yet) …, but if too many people have good backups, this might be the solution for ransomware developers
• Hard to scale on attacker side, hard to automate
• Better to attack huge corporations
Everyone has secrets they want to keep private
Black Mirror S03E03
WHAT HAPPENED IN 2013? WHAT WAS DIFFERENT 10 YEARS AGO?
More careless users
Java/Flash exploits
hidden services
WHAT IS ENCRYPTED VIA RANSOMWARE?
ods crp arj tar raw xlsm prproj der 7zip bpw dxf ppj tib nbf dot pps dbf qif nsf ifx cdr pdb kdbx tbl docx qbw accdb eml pptx kdb p12 tax xls pgp rar xml sql 4dd iso max ofx sdf dwg idx rtf dotx saj gdb wdb pfx docm dwk qba mpp 4db myo doc xlsx ppt gpg gho sdc odp psw psd cer mpd qbb dwfx dbx mdb crt sko nba jpg nv2 mdf ksd qbo key pdf aes 3ds qfx ppsx sxc gxk aep odt odb dotm accdt fdb csv txt zip
Documents, Images, CAD files, Source code, Gameplay save, Cryptocurrency wallet, Password safe database, Certificates, Compressed files, Encrypted files, Backup files
WHAT ELSE IS DONE BY RANSOMWARE?
Not just local files, but files on network shares
Delete volume shadow copy
• Against Windows System restore
Stealing Bitcoin
• If not protected with strong password
Stealing passwords stored in browser or FTP client
NOTORIOUS CRYPTO-RANSOMWARE
Cryptolocker
Alphalocker
Teslacrypt
Cryptowall
Locky
Petya - MFT
PETYA
PROBLEMS REGARDING CURRENT RANSOMWARE PROTECTION
Every reactive technology is doomed to fail
• AV signature protection
• IDS/IPS
• Spam-filter (signature)
Previously reactive malware detection was good enough
• It was OK to have malware running on the computer for days
In case of Ransomware 15 minutes late is too late
Reputation based protection is much better than signature based - because it is proactive
PREVENTION - HOME
(ALMOST) FREE TIPS – EXPLOIT PROTECTION
Use Chrome to browse the Internet
Use EMET (as long as you need it)
• Only protects IE, not Edge, Chrome or Firefox
Instead of EMET, pay for Sophos Intercept X (HitmanPro Alert) or MBAE
• Paid versions protect all browsers
Flash click-to-play
uBlock Origin adblocker against malvertising
index.hu
Use latest Windows/Office
(ALMOST) FREE TIPS – EXPLOIT PROTECTION
Use VPN from a poor or post-soviet country
https://www.trustwave.com/Resources/SpiderLabs-Blog/Magnitude-Exploit-Kit-Backend-Infrastructure-Insight---Part-II/
MACRO RANSOMWARE
(ALMOST) FREE TIPS – MACRO PROTECTION
Macro malware
There is a 1% chance you need macros in your home environment. Just disable it
Don’t enable macros, and teach your grandma/grandpa the same
(ALMOST) FREE TIPS – SCRIPT PROTECTION
Use Notepad as default app for the following file extensions: JS/JSE/WSH/HTA/VBS/WS/BAT/VBE
Don’t hide file extensions from users
Use generic ransomware protection
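The Notepad remap from the slide above, as an added example that is not part of the talk or of the speaker's tools; it assumes an elevated PowerShell on Windows and uses the built-in txtfile ProgID:

```powershell
# Added example (not from the talk): make a double-click on script files open
# them in Notepad instead of executing them. Run from an elevated PowerShell,
# because 'assoc' writes the machine-wide mapping in HKLM\Software\Classes.
$ScriptExtensions = '.js', '.jse', '.wsh', '.hta', '.vbs', '.ws', '.bat', '.vbe'

foreach ($ext in $ScriptExtensions) {
    # Record the current ProgID (e.g. ".js=JSFile") so the change can be undone
    $before = cmd.exe /c "assoc $ext" 2>$null
    if (-not $before) { $before = "$ext=(none)" }

    # 'txtfile' is the built-in ProgID whose open verb is notepad.exe "%1"
    cmd.exe /c "assoc $ext=txtfile" | Out-Null

    # Print old mapping -> new mapping, e.g. ".js=JSFile -> .js=txtfile"
    '{0,-22} -> {1}' -f $before, (cmd.exe /c "assoc $ext")
}

# Scope of this change: it only alters what Explorer does on double-click.
# A per-user "Open with" choice (UserChoice) overrides the HKLM mapping, so
# check Settings > Default apps on machines where users picked their own.
```

Undo a single mapping with the recorded value, e.g. cmd.exe /c "assoc .js=JSFile".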
(ALMOST) FREE TIPS – CAMOUFLAGE
Make your computer look like a malware analyst computer
• Wireshark, Fiddler, Process Explorer …
• Virtualbox Guest, VmWare Additions files
• HitmanPro Alert vaccination
https://theevilbit.blogspot.hu/2015/10/make-your-desktop-fake-virtual-machine.html
PREVENTION - ENTERPRISE
Everything used at home, and …
Instead of blinking boxes, small tips and tricks
TIPS – EXPLOIT PROTECTION
Force Chrome (or Edge) for browsing the Internet on the web proxy
• Filter User-agent on proxy
• Use IE6 for Intranet only
• Chrome can be managed via GPO
Web proxy filtering
• Users have to click to visit uncategorized sites
E-mail filter
• Put suspicious files into quarantine
• Admin should approve if user wants the email
(ALMOST) FREE TIPS – MACRO PROTECTION
Macro malware
• Only allow digitally signed macro to run
OR
• Office 2016/2013 Group policy
• Prevent macros in Office documents downloaded from the Internet
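The two macro settings above, as an added example (not from the talk): the per-user registry values that the Office Group Policy templates write. It assumes Office 2016 (the 16.0 policy path); in a domain, deploy these through a GPO rather than a script, since the values shown here are for testing on a single machine.

```powershell
# Added example (not from the talk): registry values behind the Office 2016
# macro Group Policy settings, written for Word, Excel and PowerPoint.
$Apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $Apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all, no notification.
    # Value 3 implements "only allow digitally signed macros to run".
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 3

    # Block macros in files carrying the Mark-of-the-Web (downloaded from the
    # Internet or saved from e-mail), independent of the VBAWarnings level.
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
}

# Show the resulting configuration per application
foreach ($app in $Apps) {
    Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, blockcontentexecutionfrominternet
}
```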
(ALMOST) FREE TIPS
Application white list C:\Users\
• Windows Applocker
• http://www.mcbsys.com/blog/2013/10/block-user-folder-executables/
• .exe, .scr, .com, .js, .jse, .wsh, .vbs, .cs, .cab, …
• Lot of work, lot of stuff will break. But after time, it will be worth it
Reputation database is also a kind of white-list
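An AppLocker policy for the "block execution from C:\Users\" tip above, as an added example that is not from the talk or the linked blog post. It assumes an elevated PowerShell on a Windows edition that ships AppLocker, starts in audit mode (because, as the slide says, a lot of stuff will break), and the rule names and the temp file path are my own choices:

```powershell
# Added example (not from the talk): AppLocker rules that deny executables and
# scripts under C:\Users\ while allowing Program Files and Windows. AuditOnly
# mode first: "would have been blocked" events (IDs 8003/8006 in the AppLocker
# event logs) reveal what breaks before enforcement is switched on.
function New-PathRule([string]$Name, [string]$Path, [string]$Action) {
    $id = [guid]::NewGuid().ToString()          # every rule needs a unique Id
    @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="S-1-1-0" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>

"@
}

function New-RuleCollection([string]$Type) {
    # An explicit Deny always wins over an Allow, so user profiles stay blocked
    # even though the allow rules do not exclude them
    $rules = (New-PathRule 'Deny user profiles' '%OSDRIVE%\Users\*' 'Deny') +
             (New-PathRule 'Allow Program Files' '%PROGRAMFILES%\*' 'Allow') +
             (New-PathRule 'Allow Windows' '%WINDIR%\*' 'Allow')
    "  <RuleCollection Type=`"$Type`" EnforcementMode=`"AuditOnly`">`n$rules  </RuleCollection>`n"
}

# Exe covers .exe/.com and Script covers .ps1/.bat/.cmd/.vbs/.js; .jse/.wsh/.hta
# are not AppLocker script types, which is why the Notepad remap still matters
$policyXml = "<AppLockerPolicy Version=`"1`">`n" +
             (New-RuleCollection 'Exe') +
             (New-RuleCollection 'Script') +
             '</AppLockerPolicy>'
$policyPath = Join-Path $env:TEMP 'deny-users-folder.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run against whatever sits in Downloads: expected PolicyDecision is Denied
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe |
    Test-AppLockerPolicy -XmlPolicy $policyPath

# Apply locally (in a domain, import the XML into a GPO instead). AppLocker
# only evaluates rules while the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Switch EnforcementMode to Enabled only after the audit log has been quiet for a while.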
PREPARATION
BACKUP
Ransomware actively searches for and encrypts backup files.
Offline backup is more important than ever
My home NAS solution
• The SMB share is only writeable during the backup timeframe
• Otherwise, it is read only
BACKUP
Everybody talks about this, but no one does
• Test your backup restore procedure frequently
How long does it take to restore?
• Is the Cloud backup fast enough?
HAVE ENOUGH BITCOIN AT HOME / AT YOUR FINANCIAL MANAGER
Bitcoin wallet should be offline!!!
WHEN SH*T HITS THE FAN
Don’t panic
• It never helps
If the ransomware is still running
• Try to hibernate/sleep the machine
• If this does not work, shut it down immediately
There are ransomware samples which can be deciphered if you have the memory dump
Ask for professional help
• How much is the professional? How much is my data worth?
• Don’t ask for my help, I can’t help.
SHOULD I PAY? OR NOT?
If prevention or preparation was not enough
If you don’t pay, back up the drive, data might be recoverable in the future
• Lame crypto reversed
• Ransomware servers hacked, keys leaked
• Ransomware developer gives out keys for free
IF YOU PAY
~90% chance you get back your data
You can bargain on online chats
Does it feel good that you don’t have to try out the feeling of getting a lot of Bitcoin in 24 hours?
If you don’t have enough Bitcoin:
• Search for Bitcoin ATM - Budapest (next to Deák square)
• Before going there, read the instructions (mobile app)
• https://localbitcoins.com/
POST MORTEM
What happened?
What can I do to prevent this from happening again?
MY NON POPULAR OPINION
Ransomware is the tax on the Internet
• Paid by those who did not spend enough money/time on security before
• Those who are frivolous on the Internet
• Those who think it can’t happen with them
Obviously, I don’t blame the users and companies only.
It is time to take ITSEC seriously …
HACK THE PLANET!
https://hu.linkedin.com/in/zbalazs
Twitter – @zh4ck
www.slideshare.net/bz98
Greetz to @CrySySLab, @SpamAndHex
JumpESPJump.blogspot.com