introducing watchevaluateenrichpunch (weep): a poor man's self-defense host monitor

WEEP (Watch, Evaluate, Enrich, Punch): An anti-ransomware proof-of-concept

Upload: adrian-sanabria

Post on 22-Jan-2018



Laziest bio slide ever

Konrads Smelkovs

• Senior Manager, KPMG UK

• 17 years IT experience

• Security researcher, developer

Adrian Sanabria

• Founder, Savage Security

• 16 years IT/security experience

• Practitioner, consultant, industry analyst background

Agenda and Goals

Agenda

1. Why ransomware? A brief justification.

2. Why WEEP? Another justification.

3. Demos and Technical Explanations

4. Q&A

Goals

• Prove ransomware can be stopped with modest spend and effort

• Pitch the use of common sense defense as a broad malware strategy

• Make the endpoint security industry very angry with us ;-)

Ransomware: a brief history

A hard lesson for soft targets...

Defense (CIA): C = confidentiality, A = availability, I = integrity

Offense (DDD): D = disclosure, D = denial & destruction, D = distrust

Credit: Terrance Lillard

What isn’t working? Where’s our safety net?

Unrealistic assumptions

“It’s easy, just patch everything, always! Quickly!”

This works great when we can install patches quickly.

What about when we can’t?

Prevention-only capabilities

For example:

• AV, NGAV, NGFW, IDS/IPS

• Expensive, noisy

• High labor for the value

Prevention-only is self-imposed blindness

Shaking things up a bit: Wannacry

Notable Facts

• Spread as a worm, not via phishing

• Patch was available 51 days prior

• ETERNALBLUE code was easily discovered via binary analysis

• Many behavioral red flags

• Didn’t even try to hide

• Didn’t work on WinXP

Lessons Learned

• Can’t blame users for this one

• Patching IS part of basic hygiene

• Patching should NOT be viewed or depended on as a defensive measure

• No AV vendor should have missed it

Design defenses as if critical vulnerabilities are always present and as if patches will never come.

Visibility and root-cause analysis are the key to finding red flags, which allow us to stop entire classes of attacks instead of specific, individual attacks.

You don’t need a malware research lab – the work is already done by others!

Key to resilience is visibility and simplicity

What is a red flag?

• Something that’s always bad, almost zero chance for false positive

• Could be a combination of events (e.g. endpoint + network)

• Strategy for filtering noise and addressing alert fatigue

Examples:

1. ARP Route Poisoning

2. Long (>40char) domain names

3. Account creation from non-admin systems

4. TOR/.onion use where none existed previously

5. CryptAPI use not associated with sanctioned/installed app

Introducing WEEP

• What is WEEP?

• An anti-ransomware POC

• Showcases anti-malware strategies and tactics

• Strategies and tactics can be adapted and used in other FOSS or commercial tools

• A description of the current state of endpoint security?

Watch, Evaluate, Enrich, Punch

Watch: Visibility is critical for detection

Evaluate: Without a detection strategy, we just create more noise

Enrich: Context is the key to eliminating false positives

Punch: The speed of automation is often necessary to halt irreversible damages

Ransomware examples

Common Behaviors                                    Mitigations

Disables Shadow Copy Services (vssvc.exe)           If "net stop VSS", kill the requesting process

Use of CryptAPI from Win32 PE                       Shim CryptAPI and save keys (see PayBreak)

Random, invalid file extensions appended to files   1. Create canary files/directories
                                                    2. Kill any process using an unrecognized file extension

Very long domains                                   Quarantine any system requesting DNS for domains > 40 chars
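As an added example (not code from the WEEP talk or the authors' proof-of-concept), here is a minimal Watch/Evaluate/Enrich/Punch loop over a constructed host-event stream that implements the red flags from the table above; the event field names, the canary directory, the known-extension set and the sanctioned-app inventory are assumptions.

```python
import re
from pathlib import PurePosixPath

CANARY_DIR = "/srv/share/canary"                         # assumed decoy location
KNOWN_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg"}  # assumed sanctioned extensions
MAX_DOMAIN_LEN = 40                                      # slide: DNS for domains > 40 chars
NET_STOP_VSS = re.compile(r"\bnet1?(\.exe)?\s+stop\s+vss\b", re.I)

def enrich(event, inventory):
    """Enrich: tag the event with whether its process image is a sanctioned app."""
    return {**event, "sanctioned": event.get("image", "").lower() in inventory}

def evaluate(event):
    """Evaluate: map one enriched event to a punch (action, target, reason) or None."""
    kind, pid = event["kind"], event.get("pid")
    if kind == "process" and NET_STOP_VSS.search(event["cmdline"]):
        return ("kill", pid, "shadow copy service stop")      # net stop VSS red flag
    if kind == "file" and event["op"] in ("write", "rename"):
        path = PurePosixPath(event["path"])
        if str(path).startswith(CANARY_DIR + "/"):
            return ("kill", pid, "canary touched")            # decoy file modified
        if path.suffix and path.suffix.lower() not in KNOWN_EXTS:
            return ("kill", pid, f"unrecognized extension {path.suffix.lower()}")
    if kind == "dns" and len(event["qname"]) > MAX_DOMAIN_LEN:
        return ("quarantine", event["host"], "long domain")   # network-side red flag
    if kind == "cryptapi" and not event["sanctioned"]:
        return ("kill", pid, "CryptAPI use by unsanctioned app")
    return None

def run(events, inventory):
    """Watch: walk the event stream and collect the punches that would be issued."""
    punches = []
    for event in events:
        action = evaluate(enrich(event, inventory))
        if action:
            punches.append(action)
    return punches

# Constructed sample stream: a benign user process (pid 100) and a ransomware-like one (pid 4242) on ws01.
SAMPLE_INVENTORY = {"outlook.exe"}
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 4242, "cmdline": "net stop VSS"},
    {"kind": "file", "pid": 100, "op": "write", "path": "/home/bob/notes.txt"},
    {"kind": "file", "pid": 4242, "op": "rename", "path": "/srv/share/report.docx.x7k3"},
    {"kind": "file", "pid": 4242, "op": "write", "path": "/srv/share/canary/invoice.pdf"},
    {"kind": "dns", "host": "ws01", "qname": "a" * 45 + ".example"},
    {"kind": "cryptapi", "pid": 100, "image": "outlook.exe"},
    {"kind": "cryptapi", "pid": 4242, "image": "x7k3.tmp.exe"},
]
```

Calling run(SAMPLE_EVENTS, SAMPLE_INVENTORY) yields five punches, all against pid 4242 or host ws01, while the benign write and the sanctioned CryptAPI use produce nothing.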

Paybreak

Source: https://eugenekolo.com/static/paybreak.pdf

Demo time!

Q&A and Thanks!

Konrads Smelkovs

[email protected]

@truekonrads

Adrian Sanabria

[email protected]

@sawaba