what can you do about ransomware
TRANSCRIPT
![Page 1: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/1.jpg)
Ransomware and commodity malware, What can I do really to
prevent it? And how do I look to see if my system has anything odd or
malicious?
Michael Gough – Founder
MalwareArchaeology.com
MalwareArchaeology.com
![Page 2: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/2.jpg)
Who am I• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
Creator of“Windows Logging Cheat Sheet”
“Windows File Auditing Cheat Sheet”
“Windows Registry Auditing Cheat Sheet”
“Windows PowerShell Logging Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @HackerHurricane also my BlogMalwareArchaeology.com
![Page 3: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/3.jpg)
RansomeWare
MalwareArchaeology.com
![Page 4: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/4.jpg)
Ransomware
• It sucks
• You probably know someone or YOU have had it
• It dominated the 2016 malware landscape
• 500% increase the last 2 years
• Estimated $1BILLION dollars ransom paid
• Targets consumers
• Targets business
• Even targets TV’s !!!
MalwareArchaeology.com
![Page 5: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/5.jpg)
Ransomware
MalwareArchaeology.com
![Page 6: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/6.jpg)
Ransomware
• Anti-Virus is failing us because it is too easy to bypass
• Ransomware heavily uses scripts
• AV doesn’t do scripts
• Even Next Gen Endpoint solutions have had issues due to script usage
• So what can we do to prevent Ransomware?
MalwareArchaeology.com
![Page 7: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/7.jpg)
Ransomware
Let’s look at the flavors of Ransomware
1. Infected Attachments
2. Links to infected websites
MalwareArchaeology.com
![Page 8: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/8.jpg)
Ransomware
• Malicious Attachment
MalwareArchaeology.com
![Page 9: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/9.jpg)
Ransomware
• Malicious link in email or just surfing
MalwareArchaeology.com
![Page 10: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/10.jpg)
Ransomware Types
• Source: Proofpoint
MalwareArchaeology.com
![Page 11: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/11.jpg)
Ransomware
MalwareArchaeology.com
![Page 12: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/12.jpg)
Ransomware
• Home user rules ! They don’t backup ;-(
MalwareArchaeology.com
![Page 13: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/13.jpg)
Ransomware
MalwareArchaeology.com
![Page 14: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/14.jpg)
Ransomware
• Attachments in SPAM/Phishing emails
– Office Docs (.Doc, .XLS, .PPT)
– PDF’s – contain links
– .js, .jse, .hta, .wsf, .wsh, .PS1
– Zip files with the above attachments inside
– Password protected attachments
• Password is in the body (obvious indicator of BAD)
MalwareArchaeology.com
![Page 15: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/15.jpg)
Ransomware
• URLs in SPAM/Phishing emails
– Javascript auto downloads and executes malware
• .js, .jse, .hta, .wsf, .wsh
– Downloads an Office Doc (.Doc, .XLS)
– Downloads a PDF
– Downloads a Zip files with the above inside
– Downloads a password protected attachment
• Password is in the body (obvious indicator of BAD)
MalwareArchaeology.com
![Page 16: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/16.jpg)
Ransomware
• Drive-by downloads
– Javascript auto downloads and executes malware
• All scripts
• .js, .jse, .hta, .wsf, .wsh
• Can download and call binary .EXE
MalwareArchaeology.com
![Page 17: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/17.jpg)
Preventing
RansoWare
MalwareArchaeology.com
![Page 18: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/18.jpg)
Ransomware
• Believe it or not you already have what you need to stop ransomware dead cold – For Windows
• And its FREE !!!!
• So how can we take the RANSOM out of Ransomware?
MalwareArchaeology.com
![Page 19: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/19.jpg)
Prevention
• Don’t enable Macro’s or Content EVER!!!! In any Office Documents
• Actually let’s assume you do enable content, because we can still stop ransomware
• We will go after what the payload actually is and does and how Windows handles it
• The file extension that is executed when the content is enabled is the key
MalwareArchaeology.com
![Page 20: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/20.jpg)
Default Programs
MalwareArchaeology.com
![Page 21: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/21.jpg)
File Type
MalwareArchaeology.com
![Page 22: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/22.jpg)
Change to Notepad
• .js, .jse, .hta, .wsf, .wsh
MalwareArchaeology.com
![Page 23: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/23.jpg)
Windows Based Script Host
• Get rid of it, they use it to execute crypto
• Consider .vbe, .vbs, .ps1 and .ps1xml too, but this is used in corporate environments
• This only affects double-clicking the file, not using the file properly (cscript bad_file.vbs)
MalwareArchaeology.com
![Page 24: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/24.jpg)
Corporate email
• Drop these file types at the email gateway and you will block 90% or more of what users see that gives them ransomware
• .js, .jse, .hta, .wsf, .wsh, .vbe, .vbs
• No reason these will be emailed to you, if so just encrypt with a password, and do NOT include the password in the body of the message.
MalwareArchaeology.com
![Page 25: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/25.jpg)
Gaps
• We are starting to see more encrypted documents, but they have the password in the body so obviously NOT secure
• If a user opens the fake email and opens the file inside, then scripting can be used properly– cscript some_bad.vbs
• Most will be Office documents and the Macro and/or Content must be enabled
• Office 2013 and 2016 can break this FINALLY
MalwareArchaeology.com
![Page 26: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/26.jpg)
Macro Malware
MalwareArchaeology.com
![Page 27: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/27.jpg)
Group Policy for the WIN
• For corporate users
MalwareArchaeology.com
![Page 28: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/28.jpg)
Or tweak the registry
Office 2016• HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security
HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\securityHKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security– In each key listed above, create this value:
DWORD: blockcontentexecutionfrominternet Value = 1
Office 2013•
HKCU\SOFTWARE\Policies\Microsoft\office\15.0\word\securityHKCU\SOFTWARE\Policies\Microsoft\office\15.0\excel\securityHKCU\SOFTWARE\Policies\Microsoft\office\15.0\powerpoint\security– In each key listed above, create this value:
DWORD: blockcontentexecutionfrominternet Value = 1
MalwareArchaeology.com
![Page 29: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/29.jpg)
#WINNING
• After adding these tweaks you will see this when you try and enable a macro and/or content
• You can unblock if truly need and trusted
MalwareArchaeology.com
![Page 30: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/30.jpg)
Ransomware Prevented
• If you do these simple things, which are all FREE, you will curb ransomware infections by 90-95% or more
• This does not address malicious binaries .EXE files or .DLL files
• Whitelisting with Software Restriction Policies or AppBlocker will be needed for this
MalwareArchaeology.com
![Page 31: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/31.jpg)
Whitelisting
MalwareArchaeology.com
![Page 32: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/32.jpg)
Software Restriction Policies
• Block all executions from “C:\Users\*”
• Block all USB executions from “E:\*”
MalwareArchaeology.com
![Page 33: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/33.jpg)
Software Restriction Policies
• If you set to block like I do, then when you try to launch, install or an update runs, it will fail
• Generates an Event ID 866 in the Application Log
• Copy the path that failed and create an exception
• Be careful of over trusting generic paths
• Use a * to genericize an entry C:\Users\*
MalwareArchaeology.com
![Page 34: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/34.jpg)
AppLocker
• ONLY works in Windows Enterprise versions
• Screw you Microsoft ;-(
• Has an Audit only mode so can detect what would be blocked to allow you to tweak the policy before enforcing
• Does Dlls
• Does Scripts
MalwareArchaeology.com
![Page 35: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/35.jpg)
How to inspect a system and improve logging
MalwareArchaeology.com
![Page 36: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/36.jpg)
• The Log and Malicious Discovery tool
• Audits your system and produces a report
• Also shows failed items on the console
• Helps you configure proper audit logging
• ALL VERSIONS OF WINDOWS (Win 7 & up)
• Helps you enable what is valuable
• Compares to many industry standards
• CIS, USGCB and AU standards and “Windows Logging Cheat Sheet”
MalwareArchaeology.com
![Page 37: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/37.jpg)
Free Edition
• Collect 1-7 days of logs
• Over 20 reports
• Full filesystem Hash Baseline
• Full filesystem compare to Hash Baseline
• Full system Registry Baseline
• Full system compare to Registry Baseline
• Large Registry Key discovery
MalwareArchaeology.com
![Page 38: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/38.jpg)
• Over 25 reports
• Interesting Artifacts report
• WhoIS resolution of IPs
• SRUM (netflow from/to a binary)
• AutoRuns report with whitelist and MD
• More Whitelisting
• Master-Digest to exclude hashes and files
MalwareArchaeology.com
![Page 39: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/39.jpg)
Resources• Websites
– MalwareArchaeology.com
– Log-MD.com The tool
• The “Windows Logging Cheat Sheet”– MalwareArchaeology.com
• Malware Analysis Report links too– To start your Malware Management program
MalwareArchaeology.com
![Page 40: What can you do about ransomware](https://reader033.vdocuments.us/reader033/viewer/2022051708/58870ceb1a28abf2228b550f/html5/thumbnails/40.jpg)
Questions?
• You can find us at:
• @HackerHurricane• @Boettcherpwned• Log-MD.com
• MalwareArchaeology.com• HackerHurricane.com (blog)
• http://www.slideshare.net
MalwareArchaeology.com