Ransomware Seminar - RSA Conference

TRANSCRIPT

Page 1

#RSAC

Ransomware Seminar

Page 2

36% increase in ransomware attacks (as per Symantec’s 2017 report)

Source: https://bit.ly/rsa-apj-rw-001

Page 3

4,000 attacks per day (as per the US Department of Justice)

Source: https://bit.ly/rsa-apj-rw-002

Page 4

97% of phishing emails deliver ransomware (as per PhishMe)

Source: https://bit.ly/rsa-apj-rw-003

Page 5

Source: https://bit.ly/rsa-apj-rw-004

Page 6

Welcome!

Start - End

9:00 - 9:10 Opening remarks

9:10 - 9:55 Everything of Nothing: Understanding Cyber-Crime Organizations (Aamir Lakhani)

10:00 - 10:45 From Ransomware to Extortion: The Inevitable Underground Economy Evolution (Andrei Barysevich)

10:45 - 11:00 Networking Break

11:00 - 11:35 Defending Better by Understanding Cybercriminal Motivations (Panel discussion)

11:40 - 12:10 Ransomware of Tomorrow: How To Be Ready For Future Threats (Eugene Aseev)

12:15 - 12:50 Getting the Board On-Board: Ransomware’s Impact on your Business (Panel discussion)

Page 7

Aamir Lakhani

Everything of Nothing: Understanding Cyber-Crime Organizations

Session ID: SEM-W01

Senior Security Strategist, Fortinet / FortiGuard, @aamirlakhani

Page 8

Disclaimer

This talk should be considered a work of fiction. Any resemblance, likelihood, and similarities to other events are purely coincidental. Any details inspired by real life events have been significantly changed or altered. The views, opinions and research do not necessarily represent anyone except my own. This talk is not endorsed by my employer.

This presentation involves an on-going case and active investigation. Key information has been changed, modified, anonymized, or redacted because of this.

This case would not have been possible without the many man hours of law enforcement and district attorneys assigned to this investigation.

Page 9

Who Am I?

Aamir Lakhani

Researcher / Consultant

Ninja / Pirate / Hacker

Time Magazine’s Person of the Year 2006…

Page 10

Person of the Year 2006

And so were...

Page 11

What I do for a living

What my friends think I do

What my mom thinks I do

What I wish I did

What I really do

Page 12

How did we get here?

Introduced to the captain of a large vice squad in the US

They are dealing with small crimes when it comes to cyber

Most cyber crimes are not investigated

Lack of resources

Page 13

This presentation is around a real cyber crime investigation

This is not a breaking, hot, Mr. Robot tale of a Hollywood hacker

This will not change the way you look at cyber

This will show you how everyday law enforcement has to deal with ”cyber” criminals

Page 14

Understanding how credit card fraud works

Fraud is built into the cost of card services

Card companies and most consumers expect fraud

It is never taken seriously

Page 15

Moving to a new city and getting called by the police

How did I get started helping law enforcement fight cyber-crime?

Page 16

How it all started….

Getting from A to B

1. Investigation into credit card fraud: the local police department was receiving and investigating claims of identity fraud and credit card fraud.

2. Victims were noticing lots of charges to eBay, PayPal and other retailers.

3. Most officers would have dismissed it. A new officer wanted to investigate.

4. Obtained a search warrant. Retailers gave the shipping address of the merchandise.

5. The receiving address was tied to multiple frauds and stolen merchandise.

6. A search warrant on the receiver led to further investigation.

Page 17

Details around the Investigation

Items were purchased with VISA gift cards. VISA gift card numbers are sent in batches to cities and stores, so it took very little work to find out where the gift cards were purchased.

Most gift cards were purchased with cash, but a large number were purchased on credit cards (STUPID).

Criminal was sent cash or gift cards to buy from a local business and resell them.

Page 18

Mules

Page 19

Internet Mules

Page 20

Wild Union Security Services

Local business was operating as Wild Union Security Services (WUSS). Not their real name.

Found no registered business under that name and no website. The investigation still located the business.

Business reported over $5 million USD income over the last 4 years and paid taxes. Sold phone cards, gift cards, WebMoney, and BitCoin exchanges.

Page 21

Money Exchange

Prepaid cards were being sold with a markup of as much as 70% for "convenience"

Money laundering?

Registering web sites (registrars and WHOIS)

BitCoin exchanges

$20,000 of BitCoins

$10,000 of WebMoney or Reloadit cards

$7,000 of gift cards

$5,000 of cash

Page 22

Trading BitCoins

Exchanged BitCoins for a gift card; got the receiver's BitCoin address

Using clustering and multiple transactions, found multiple BitCoin addresses associated with Western Union Security Exchange, Shopping, and Shipping Services, Inc.

To use BitCoins with WUSSS, one had to deposit BitCoins to their account. That account was linked with other accounts.

Page 23

Significant Developments

Event 1: Minor credit card fraud

Event 2: Warrants and investigations led to an illegal, unlicensed business.

Event 3: BitCoin clustering led to finding additional BitCoin wallets linked to major cyber crime and money laundering operations. Searched additional BitCoin addresses, found matches on the Real Deal black market run on TOR.

Page 24

BitCoins Linked to Criminals

Page 25

Additional Investigations

Page 26

Page 27

Page 28

Connecting the Dots (cyber-crime network)

Other cyber-criminals were involved: a network of cyber-criminals

Similar cases found in other states and countries. Is this a cookbook for cyber-crime?

Working with law enforcement around the world.

Page 29

WalletExplorer – the Ideal Investigation tool

Page 30

Catching the Criminal

```vba
Function GetMyPublicIP() As String
    Dim HttpRequest As Object
    On Error Resume Next
    'Create the XMLHttpRequest object.
    Set HttpRequest = CreateObject("MSXML2.XMLHTTP")
    'Check if the object was created.
    If Err.Number <> 0 Then
        'Return error message.
        GetMyPublicIP = "Could not create the XMLHttpRequest object!"
        'Release the object and exit.
        Set HttpRequest = Nothing
        Exit Function
    End If
    On Error GoTo 0
    'Create the request - no special parameters required.
    HttpRequest.Open "GET", "http://myip.dnsomatic.com", False
    'Send the request to the site.
    HttpRequest.Send
    'Return the result of the request (the IP string).
    GetMyPublicIP = HttpRequest.ResponseText
End Function

Function GetMyLocalIP() As String
    'Declaring the necessary variables.
    Dim strComputer As String
    Dim objWMIService As Object
    Dim colItems As Object
    Dim objItem As Object
    Dim myIPAddress As String
    'Set the computer.
    strComputer = "."
    'The root\cimv2 namespace is used to access the Win32_NetworkAdapterConfiguration class.
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    'A select query is used to get a collection of IP addresses from the network adapters
    'that have the property IPEnabled equal to true.
    Set colItems = objWMIService.ExecQuery("SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
    'Loop through all the objects of the collection and return the first non-empty IP.
    For Each objItem In colItems
        If Not IsNull(objItem.IPAddress) Then
            myIPAddress = Trim(objItem.IPAddress(0))
            Exit For
        End If
    Next
    'Return the IP string.
    GetMyLocalIP = myIPAddress
End Function

Function GetMyMACAddress() As String
    'Declaring the necessary variables.
    Dim strComputer As String
    Dim objWMIService As Object
    Dim colItems As Object
    Dim objItem As Object
    Dim myMACAddress As String
    'Set the computer.
    strComputer = "."
    'The root\cimv2 namespace is used to access the Win32_NetworkAdapterConfiguration class.
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    'A select query is used to get a collection of network adapters that have the property IPEnabled equal to true.
    Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
    'Loop through the collection of adapters and return the MAC address of the first adapter that has a non-empty IP.
    For Each objItem In colItems
        If Not IsNull(objItem.IPAddress) Then
            myMACAddress = objItem.MACAddress
            Exit For
        End If
    Next
    'Return the MAC string.
    GetMyMACAddress = myMACAddress
End Function
```

Warrant issued for “John Doe” by the district attorney.

After significant communications with ”John Doe” we exchanged emails.

Inserted VB code to get the real IP; this was not malware or a macro virus. It simply recorded the MAC, internal and external IP and saved them to the document metadata.

New court order let us obtain the identity of the public account holder.

Page 31

What Did We Find?

Cyber criminal was a user in his late teens

Eventually we seized $1.8 million in gift cards.

$3 million in sales of stolen goods tracked through eBay, PayPal, Craigslist, Backpage

Page 32

BitCoin Mixing

Bitcoin transactions are recorded in the ledger

Step #1: Create a wallet on the Internet. (wallet #1)

Step #2: Buy Bitcoins, and send the amount you want to mix to wallet #1.

Step #3: Create a second wallet, this time over the Tor network. (wallet #2)

Step #4: Send your bitcoins from wallet #1 directly to wallet #2.

Step #5: Create a third wallet, also over the Tor network. (wallet #3)

Step #6: Select which mixer you will be using, and set up your transaction there using the address(es) from wallet #3. It is best to use multiple addresses, and to set random time delays.

Step #7: Send the coins from wallet #2, over Tor, to the address generated for you by the mixer.

Step #8: Assuming these coins are going to be sent to a darknet market… if you don’t already have your deposit address, log in and get it while having JavaScript disabled. Never use any market that requires you to enable JS!

Source: https://darknetmarkets.org/a-simple-guide-to-safely-and-effectively-mixing-bitcoins/
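The "Trading BitCoins" and "Significant Developments" slides rely on address clustering, and the mixing recipe above is the counter-measure to it. The block below is an added Python example, not code from the talk or from WalletExplorer: it implements the common-input-ownership heuristic (addresses that sign inputs of the same transaction are treated as one wallet) with a union-find over a constructed set of transactions, links the resulting cluster to the exchange deposit address it pays into, and shows what goes wrong if a mixer round of the kind set up in step 6 (many parties, equal-sized outputs) is fed to the same heuristic. All txids, addresses and amounts are made up.

```python
"""Common-input-ownership clustering of Bitcoin addresses (added example)."""
from collections import defaultdict

# Constructed sample transactions, not real chain data:
# (txid, input addresses, [(output address, amount in BTC), ...]).
# A* belong to the suspect, B*/C* to unrelated users, EX1 is an exchange
# deposit address, M* are mixer outputs.
SAMPLE_TXS = [
    ("tx1", ["A1", "A2"], [("EX1", 0.5), ("A3", 0.1)]),   # deposit, A3 is change
    ("tx2", ["A2", "A3"], [("EX1", 0.3)]),                 # change co-spent with A2
    ("tx3", ["B1"], [("B2", 1.0)]),                         # unrelated user
    ("tx4", ["A2", "B2", "C1"],                             # mixer / CoinJoin round
            [("M1", 0.2), ("M2", 0.2), ("M3", 0.2), ("A4", 0.05)]),
]


class UnionFind:
    """Disjoint sets over address strings; registers addresses on first use."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(inputs, outputs, min_parties=3):
    """Mixer heuristic: several inputs and several outputs of identical value.
    Clustering such a transaction would merge strangers into one wallet."""
    counts = defaultdict(int)
    for _addr, amount in outputs:
        counts[amount] += 1
    return len(inputs) >= min_parties and max(counts.values(), default=0) >= min_parties


def cluster_addresses(txs, skip_coinjoin=True):
    """Return a set of frozensets: every address that ever signed an input,
    grouped under the assumption that co-spent inputs share an owner."""
    uf = UnionFind()
    for _txid, inputs, outputs in txs:
        if skip_coinjoin and looks_like_coinjoin(inputs, outputs):
            continue
        for addr in inputs:
            uf.union(inputs[0], addr)  # union(x, x) just registers x
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {frozenset(members) for members in groups.values()}


def cluster_of(txs, addr, skip_coinjoin=True):
    """Cluster containing addr (a singleton if it never signed an input)."""
    for members in cluster_addresses(txs, skip_coinjoin):
        if addr in members:
            return members
    return frozenset({addr})


def paid_to(txs, cluster, skip_coinjoin=True):
    """Outside addresses the cluster sent funds to, e.g. an exchange deposit
    address that a court order can tie to an account holder."""
    targets = set()
    for _txid, inputs, outputs in txs:
        if skip_coinjoin and looks_like_coinjoin(inputs, outputs):
            continue
        if any(addr in cluster for addr in inputs):
            targets.update(out for out, _amt in outputs if out not in cluster)
    return targets


if __name__ == "__main__":
    suspect = cluster_of(SAMPLE_TXS, "A1")
    print("suspect cluster:", sorted(suspect))
    print("pays into:", sorted(paid_to(SAMPLE_TXS, suspect)))
    print("naive, mixer round included:",
          sorted(cluster_of(SAMPLE_TXS, "A1", skip_coinjoin=False)))
```

With the mixer round excluded the suspect's cluster is A1, A2, A3 and its only outside counterparty is EX1; with it included, B2 and C1 are wrongly pulled into the same wallet, which is exactly the doubt a defense attorney would raise about clustering-based attribution.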

Page 33

Defense

Court order deemed too broad

Cannot blindly send malware

We ended up using fax records from Western Union Security Exchange, Shopping, and Shipping Services, Inc.

Issued new warrant to seize computer assets

Defense attorneys were representing John Doe on record

Page 34

Next Steps

Had judge issue a new warrant to search for evidence of tax evasion

Forensics on copy machines and fax machines turned up evidence

SMOKING GUN: Faxes contained the attacker’s Bitcoin wallet address and name.

» Able to use WalletExplorer to tie all transactions to a person

Judge has ruled against the District Attorney on the RICO (Racketeer Influenced and Corrupt Organizations) case

Defense attorneys are arguing about whether digital forensic evidence from copy and fax machines should be allowed at trial.

Page 35

Next Steps

Spliced power to a battery to keep the fax machine turned on

Specialized devices to freeze memory and clone memory

Created a memory image file (e.g. you can use tools such as FTK or Volatility Memory Forensics)

Fax machine was running embedded Windows

Defense may argue over how we collected the fax machines

Page 36

Verdict

Catching more cyber criminals can be a deterrent

Investigations take time

Attribution is more of an art than a science

Understand the flow of funds and digital currency

On-going case

I am not a lawyer nor law enforcement

Page 37

Did we make a difference?

Page 38

How do you protect yourself?

Should we fight fraud cases?

Is it too good to be true?

Self-awareness

Page 39

How do I protect my organization?

• Data feeds
• Email filtering
• Reputation filtering
• Leaked credentials
• Leaked credit cards

Page 40

You are a victim, what’s next?

What can you do if you are a victim?
• Do not ignore the situation
• Work with law enforcement
• Report to your employer’s IT department

Cyber hygiene
• Change passwords
• Use VPNs
• No open wireless

Page 41

Q and A

You can ask questions now, or we can sit here awkwardly in silence.

Page 42

Start - End

10:00 - 10:45 From Ransomware to Extortion: The Inevitable Underground Economy Evolution (Andrei Barysevich)

10:45 - 11:00 Networking Break

11:00 - 11:35 Defending Better by Understanding Cybercriminal Motivations (Panel discussion)

11:40 - 12:10 Ransomware of Tomorrow: How To Be Ready For Future Threats (Eugene Aseev)

12:15 - 12:50 Getting the Board On-Board: Ransomware’s Impact on your Business (Panel discussion)

Page 43

Andrei Barysevich

From Ransomware to Extortion: The Inevitable Underground Economy Evolution

Session ID: SEM-W01

Director of Advanced Collection, Recorded Future, @DeepSpaceEye

Page 44

Agenda

Three takeaways:

History – from automated spreading to targeted phone calls

The actors – nobody knows your name

The future of victimization – a difficult situation incentivizing additional ransomware

Page 45

History

Page 46

Page 47

Product Market Fit

Page 48

CryptoLocker – First Global Ransomware Campaign

Page 49

CryptoLocker – First Global Ransomware Campaign

Page 50

Brute Force Your Way In…

Off-the-shelf tools available cheaply

Page 51

Or Simply Buy the Access

Page 52

Actors

Page 53

CryptoLocker – First Global Ransomware Campaign

500,000 victims

$3 - $27 million in payments

Page 54

Copycats Took Over the Market

Over 100 ransomware variants between 2014 and 2016

Page 55

2015 – Introduction of Ransomware as a Service

• NO UPFRONT COST
• 50/50 PROFIT SPLIT

Page 56

Ingenious Methods of Ransom Gangsters

• NO C2 INFRASTRUCTURE
• DIRECT ENGAGEMENT WITH VICTIM

Page 57

TDO - Opportunistic Lifecycle

Page 58

Page 59

Extortion or Blackmail?

“Extortion is a form of theft that occurs when an offender obtains money, property, or services from another person through coercion. To constitute coercion, the necessary act can be the threat of violence, destruction of property, or improper government action. Inaction of the testimony or the withholding of testimony in a legal action are also acts that constitute coercion.”

“Blackmail, in contrast to extortion, is when the offender threatens to reveal information about a victim or his family members that is potentially embarrassing, socially damaging, or incriminating unless a demand for money, property, or services is met. Even if the information is true or actually incriminating, you can still be charged with blackmail if you threaten to reveal it unless the victim meets your demand.”

Source: criminal-law.freeadvice.com

Page 60

The Future of Victimization

Page 61

Change of Mindset

ETHICAL DILEMMA: INFECT OR NOT INFECT

$3.6 million demanded; $17,000 paid

“From the bottom of my heart, I wish that mothers of ransomware distributors end up in an intensive care unit and their respiratory system is infected with ransomware.”

Page 62

No Honor Among Thieves

• PARALYZED PRODUCTION
• IMMENSE LOSSES

Page 63

How Big Is Too Big?

Page 64

San Francisco MTA

[email protected]

[email protected]

Page 65

Perfect cover-up weapon

WannaCry

NotPetya

Page 66

Data Mining for Gold

One example of this is Mr. John Jenkins, who at the time of data entry was an Atlanta Hawks player. His row is the following:

****942204,1,Jenkins,John," ",19**-0*-0*,21* Ivy *****, Hend**********,TN,37***,61*97*44*6,***50674,NULL,JENKINS,1***50674,***878*8*0,,NULL,20**-0*-0* 14:53:08.570,20**-0*-2* 12:42:05.573,,0***1303**99,Jenkins,John,***10306000000

We also found FBI: ****061278,1,G*******,Mark,F,19**-0*-*8,M,,**29 ***** Mill ******,,Law**********,GA,30***,202***6****,,,10156752,,,,MARK.G*******@IC.FBI.GOV

Page 67

Innocent Victims

Let's take Mrs. N**** M***** for example: Her SSN, address, email, phone numbers, insurance information, etc. are all there. We also know that according to her record, she is 65 inches tall and weighs 215. Blood pressure 134/78 and a pulse of 76. She also has Osteoarthrosis and joint pain in her lower leg. Her prescription records state she has been prescribed oxycodone for "severe pain", alprazolam for "anxiety sleep", fentanyl, and oxycontin.

Page 68

Page 69

Ask Yourself: Will You Pay or Not?

• How much is your data worth?
• How much are you prepared to pay?
• Do you have funds in reserve?

Stand your ground: I will not pay / Yes I will

Page 70

Takeaways

• Criminals use every tool available for $$
• No target is too small or too big
• Evaluate and be ready

Page 71

Andrei Barysevich

Thank You!

Session ID: SEM-W01

Director of Advanced Collection, Recorded Future, @DeepSpaceEye

Page 72

Start - End

10:45 - 11:00 Networking Break

11:00 - 11:35 Defending Better by Understanding Cybercriminal Motivations (Panel discussion)

11:40 - 12:10 Ransomware of Tomorrow: How To Be Ready For Future Threats (Eugene Aseev)

12:15 - 12:50 Getting the Board On-Board: Ransomware’s Impact on your Business (Panel discussion)

Page 73

Defending Better by Understanding Cybercriminal Motivations

Page 74

Panelists

Etay Maor, Executive Security Advisor, IBM Security

Ben Potter, Senior Security and Compliance Consultant, Amazon Web Services

Christiaan Beek, Lead Scientist and Principal Engineer, McAfee

Page 75

Core Question: How does the human element of ransomware work?

Page 76

Your Panelists

Etay Maor, Ben Potter, Christiaan Beek

Page 77

Start - End

11:40 - 12:10 Ransomware of Tomorrow: How To Be Ready For Future Threats (Eugene Aseev)

12:15 - 12:50 Getting the Board On-Board: Ransomware’s Impact on your Business (Panel discussion)

Page 78

Eugene Aseev

Ransomware Of Tomorrow: How To Be Ready For Future Threats

Session ID: SEM-W01

Head of Singapore R&D Centre, Acronis, @toxzique

Page 79

Agenda

Ransomware Today: Current landscape and major security flaws

Ransomware Of Tomorrow: What to look out for in the future

Modern Technology: Exploring the recent breakthrough solutions

Page 80

Ransomware is a type of malicious software used by cybercriminals that is designed to extort money from their victims, either by:

• Encrypting data on the disk, or
• Blocking access to the system

Page 81

Ransomware Types

Lock screen ransomware
• Shows a threatening window stating the user’s computer is blocked
• Can usually be resolved without harmful consequences

File encryption ransomware
• Encrypts the user’s files, shows a threatening window
• Cannot usually be resolved, as only the cybercriminals have the decryption key

Boot-level ransomware
• Rewrites the MBR (master boot record), encrypts the hard disk, shows a threatening message while the system is booting
• Cannot usually be resolved, as only the cybercriminals have the decryption key
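For the boot-level type, the rewritten MBR is itself the artifact to check. The following Python is an added example, not code from the talk or from Acronis: it parses a 512-byte master boot record using the standard layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature) and compares the bootstrap code against a baseline hash recorded on a known-good machine. The two sample sectors are constructed in the code. The point it makes is that a boot-level infection that keeps the signature and partition table intact passes a signature-only check and is caught only by the baseline comparison.

```python
"""Baseline check for the master boot record that boot-level ransomware rewrites.
Added example with constructed sample sectors; the layout (446 bytes of bootstrap
code, four 16-byte partition entries, 0x55AA signature) is the standard MBR format."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446                # bootstrap code the BIOS jumps into
PART_TABLE_OFF = BOOTSTRAP_LEN     # partition table starts right after it
BOOT_SIGNATURE = b"\x55\xaa"       # bytes 510-511 of every valid MBR


def parse_partitions(mbr):
    """Return the non-empty primary partition entries as dicts."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def bootstrap_hash(mbr):
    """SHA-256 of the bootstrap code area; record this on a known-good machine."""
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def check_mbr(mbr, baseline_hash):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return ["wrong sector length"]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if bootstrap_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in parse_partitions(mbr)):
        findings.append("no active partition")
    return findings


def build_sample_mbr(bootstrap):
    """Constructed MBR: caller-supplied bootstrap bytes, one active NTFS partition
    starting at LBA 2048, valid signature."""
    boot = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48   # three unused entries
    return boot + table + BOOT_SIGNATURE


# xor ax,ax / mov ss,ax / mov sp,0x7c00: the usual opening of a stock boot sector.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = bootstrap_hash(CLEAN_MBR)
# Stand-in for an overwritten sector: different code, but signature and partition
# table left intact, so a signature-only check would pass it.
TAMPERED_MBR = build_sample_mbr(b"\xfa\x31\xc0" + b"RANSOM")

if __name__ == "__main__":
    # On a real Linux host the sector is read with open("/dev/sda", "rb").read(512) as root.
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The baseline has to be taken before the incident and stored off the host, since a boot-level infection runs before the operating system and can present whatever sector it likes to software that reads the disk afterwards.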

Page 82

Attacks Volume

Page 83

Attacks Impact

Page 84

Recent Examples

Osiris
• Difficult to detect as it uses standard Windows components to download and execute the payload (scripts and libraries)
• Can also be distributed via CRM/customer support systems across organizational boundaries: an infected user in one organization can send an email to another organization's CRM system email address
• Directly attacks the Microsoft Volume Shadow Copy Service, available in every Windows installation, and deletes already created shadow copies

WannaCry
• In order to spread like a worm, utilized an exploit called ETERNALBLUE, one of the leaked NSA hacking tools released by the Shadow Brokers group in April 2017
• The patch for the SMB vulnerability had been available for 59 days prior to the attack
• Hit critical infrastructure in some countries such as Germany and Russia. In the U.K., the health care sector was hit hard: hospitals had to turn away patients and reroute ambulances, emergency services were paralyzed, and surgeries and appointments were rescheduled

Page 85

From Consumers to Businesses and Targeted Attacks

Page 86

Data Alteration and Attack on the Cloud

Ransomware of the future will simply alter your data and demand money to tell you exactly what was changed, hitting businesses where it hurts most

Current ransomware already blocks access to cloud storage such as Dropbox or Google Drive. The next step will be compromising the cloud backups held by your backup providers

Page 87

Future Targets

Page 88

Simple Rules to Avoid Grave Damage

Page 89

Comprehensive Anti-Malware Solution

• Actively protects files (including local backups) from unauthorized modification and/or encryption

• Actively protects cloud backups from alteration by hardening the agent application against attacks

• Based on a behavioral heuristic approach and whitelisting, active data protection is future-proofed

The result? Data can never be compromised. If any files were impacted prior to the deflection of an attack, they can be easily and automatically restored

Diagram: ransomware is handled by active detection and restore; physical data loss due to various reasons is covered by cloud backup (data restored from the cloud in case of attack; secured cloud backups)

Page 90

Predictive Protection

Proactive detection and blocking based on behavior heuristics + predictive analysis + context of attacks for analysts and incident response intelligence.

Diagram (architecture): an events collector (file/registry/network operations as input data) feeds a user/system behavior monitor, an anomalies detector and a blacklist monitor, backed by a trusted processes behavior DB, an infected processes behavior DB and a data-related behavior DB (file/registry/network operations as training data). Models listed: outlier detection, Support Vector Machine (SVM), cluster-based models; deep learning, Bayes Neural Network (NN), tree models; deep learning, graph models. Results: detect anomalies, detect known threats, detect unknown threats, data-related threat detection.
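As an added example that is not part of the deck or of any Acronis product: a toy version of the pipeline above in Python, with an events collector feeding a trusted-process whitelist, a blacklist monitor for the shadow-copy deletion noted under Recent Examples, and a simple anomaly detector over file operations. Process names, thresholds and the sample events are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed for this example: whitelist (trusted-process behavior DB) and blacklist.
TRUSTED = {"winword.exe", "explorer.exe"}
BLACKLIST = [("vssadmin.exe", "delete shadows")]  # known-bad: shadow-copy deletion

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted output sits near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def analyze(events, min_files=3, entropy_threshold=7.0, ratio=0.8):
    """Return {process: [verdicts]} from collected file/exec events."""
    stats = defaultdict(lambda: {"writes": 0, "hot": 0, "ext": 0, "v": []})
    for ev in events:
        s = stats[ev["proc"]]
        if ev["op"] == "exec":  # blacklist monitor: known threats
            for name, args in BLACKLIST:
                if ev["proc"].lower() == name and args in ev["args"].lower():
                    s["v"].append("known threat: shadow copy deletion")
        elif ev["op"] == "write":  # data-related behavior: what gets written
            s["writes"] += 1
            s["hot"] += int(entropy(ev["data"]) >= entropy_threshold)
        elif ev["op"] == "rename":  # extension churn, e.g. .docx -> .locked
            s["ext"] += int(ev["src"].rsplit(".", 1)[-1] != ev["dst"].rsplit(".", 1)[-1])
    verdicts = {}
    for proc, s in stats.items():
        v = list(s["v"])
        # Anomalies detector: an untrusted process rewriting many files with near-random
        # bytes, or mass-renaming them, is an outlier. The whitelist only helps while trusted binaries are not hijacked.
        if proc not in TRUSTED:
            if s["writes"] >= min_files and s["hot"] >= ratio * s["writes"]:
                v.append("anomaly: mass high-entropy rewrite")
            if s["ext"] >= min_files:
                v.append("anomaly: mass extension change")
        verdicts[proc] = v
    return verdicts

# Constructed event stream: a benign editor, then an untrusted process that overwrites
# three documents with random-looking bytes, renames them and deletes shadow copies.
RANDOMISH = bytes(range(256)) * 4  # entropy exactly 8.0 bits/byte
EVENTS = [
    {"proc": "winword.exe", "op": "write", "data": b"Quarterly report text " * 8},
    {"proc": "winword.exe", "op": "write", "data": b"Meeting notes, plain text " * 8},
]
for i in range(3):
    EVENTS.append({"proc": "upd8.exe", "op": "write", "data": RANDOMISH})
    EVENTS.append({"proc": "upd8.exe", "op": "rename", "src": f"doc{i}.docx", "dst": f"doc{i}.locked"})
EVENTS.append({"proc": "vssadmin.exe", "op": "exec", "args": "delete shadows"})
```

Calling `analyze(EVENTS)` leaves the editor clean and flags the untrusted process on both anomaly rules, while the shadow-copy deletion is caught by the blacklist regardless of any statistics.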

Page 91

Apply What You Have Learned Today

Next week you should: back up all your devices (just in case you have not done this yet)

In the first three months following this presentation you should: configure a 3-2-1 backup, then choose and install a comprehensive anti-malware solution

Within six months you should: implement all ransomware prevention practices at home and in the workplace

Page 92

SESSION ID: SEM-W01

Eugene Aseev
Head of Singapore R&D Centre, Acronis
@toxzique

Thank you!

Page 93

Start End

12:15 12:50 Getting the Board On-Board: Ransomware’s Impact on your Business (Panel discussion)

Page 94

Getting the Board On-Board: Ransomware’s Impact on your Business

Page 95

Panelists

Jonathan Trull, Global Chief Cybersecurity Advisor, Microsoft
Kristof Philipsen, Managing Executive, Verizon
Joyce Chua, Assistant Vice President, Singapore Post Ltd.

Page 96

Core Question: What is the real business impact of ransomware?

Page 97

Your Panelists: Jonathan Trull, Kristof Philipsen, Joyce Chua

Page 98

Thank you!