
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard Approaches To Stop It?


Page 1

2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

RANSOMWARE

DAN BROWN

DETECTION ARCHITECT

Page 2: WHAT WE DO

Continuous Breach Prevention

MANAGED HUNTING

ENDPOINT DETECTION AND RESPONSE

NEXT-GEN ANTIVIRUS

Cloud Delivered

Page 3

What is Ransomware?

How Bad is it?

What can we do about it?

What will Tomorrow’s Ransomware Look Like?

Page 4: RANSOMWARE: WHAT IS IT?

Page 5: TYPES OF CYBER RANSOM ATTACKS

Trend (from the earliest form toward Infrastructure-as-a-Victim):

• Scareware
• Data encrypting
• IaaV: Infrastructure-as-a-Victim

Page 6: FILE ENCRYPTING RANSOMWARE

Page 7: A YEAR IN RANSOMWARE

Top Families
• Locky
• Cerber

Infection Trend
• Large increase in 2016 over 2015
• Currently lower volume than 2016

Page 8: COMMON ACTIONS

Directory Traversal
• Local directories
• Mapped shares

File Encryption
• Victim files: whitelist vs. blacklist (of paths and file types)
• Encryption: strong vs. weak
• File access methods

Notification of Ransom
• Browser invoked with a web page
• Text file created

Page 9: FILE ENCRYPTION

File-based vs File-less
• Abuse of known-good interpreters (PowerShell, cmd.exe, JavaScript)
• NSIS installers

Narrow vs Broad
• Targeted paths
• Victim file types

Crypto Libraries
• Custom libraries: more stealthy
• System libraries: stronger, more reliable

Page 10: OTHER ACTIONS

Deleting Backups
• Volume Shadow Copies (VSS snapshots)
• Deletion of any online backups the process can reach

Boot Config Data
• Disabling the Windows recovery sequence
• Disabling Windows startup repair

Malicious Behaviors
• Data theft
• Password theft (e.g. RAA / Pony Stealer)
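The backup deletion and boot-configuration tampering on this slide is the most reliably detectable step of a ransomware run, because it has to invoke well-known system utilities with recognizable arguments. As an added example (not CrowdStrike's code), the Python below matches those command lines in process-creation records and then correlates per parent process, so that a lone administrator command does not trip it. The command patterns are widely documented ransomware tradecraft; the log format, the sample lines and the rule names are assumptions constructed for this example.

```python
"""Detect the backup-deletion and boot-configuration tampering commands that
file-encrypting ransomware runs so that victims cannot recover without paying.

Added example, not CrowdStrike's sensor code. The command patterns are
well-documented ransomware tradecraft (vssadmin/wmic/PowerShell shadow copy
deletion, bcdedit recovery changes, wbadmin catalog deletion). The log format
and the log lines below are constructed for this example, not real telemetry.
"""
import re
from dataclasses import dataclass

# (rule name, regex over the full command line). Matching on the command line
# rather than the image name also catches "cmd.exe /c vssadmin ..." wrappers.
RULES = [
    ("vss_delete_vssadmin",
     r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
    ("vss_resize_vssadmin",              # shrinking shadow storage evicts snapshots
     r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize="),
    ("vss_delete_wmic",
     r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("vss_delete_powershell",
     r"\bwin32_shadowcopy\b.*(remove-wmiobject|\.delete\(\))"),
    ("bcd_disable_recovery",
     r"\bbcdedit(\.exe)?\b.*/set\b.*\brecoveryenabled\s+no\b"),
    ("bcd_ignore_boot_failures",
     r"\bbcdedit(\.exe)?\b.*/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("wbadmin_delete_catalog",
     r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]

# Constructed process-creation log format (one event per line):
#   <timestamp> pid=<n> ppid_image=<parent basename> image=<path> cmd=<command line>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+ppid_image=(?P<parent>\S+)\s+"
    r"image=(?P<image>\S+)\s+cmd=(?P<cmd>.*)$")


@dataclass
class ProcEvent:
    ts: str
    pid: int
    parent: str
    image: str
    cmdline: str


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ProcEvent(m["ts"], int(m["pid"]), m["parent"], m["image"], m["cmd"])


def match_rules(cmdline):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]


def scan(lines):
    """One finding per process-creation event that hit at least one rule."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        hits = match_rules(ev.cmdline)
        if hits:
            findings.append({"pid": ev.pid, "parent": ev.parent, "rules": hits})
    return findings


def correlate(findings):
    """IOA-style correlation: one parent process issuing two or more distinct
    tampering commands is a far stronger signal than any single command, which
    a backup agent or an administrator may run legitimately.
    Returns {parent image: sorted rule names} for parents over the threshold."""
    by_parent = {}
    for f in findings:
        by_parent.setdefault(f["parent"], set()).update(f["rules"])
    return {p: sorted(r) for p, r in by_parent.items() if len(r) >= 2}


# Constructed sample: one fake "invoice" binary runs the whole sequence;
# the last two lines are benign noise (listing shadows, opening Notepad).
SAMPLE_LOG = [
    r"2017-04-05T10:00:01Z pid=1201 ppid_image=invoice_pdf.exe image=C:\Windows\System32\cmd.exe cmd=cmd.exe /c vssadmin delete shadows /all /quiet",
    r"2017-04-05T10:00:02Z pid=1202 ppid_image=invoice_pdf.exe image=C:\Windows\System32\wbem\WMIC.exe cmd=wmic shadowcopy delete",
    r"2017-04-05T10:00:03Z pid=1203 ppid_image=invoice_pdf.exe image=C:\Windows\System32\bcdedit.exe cmd=bcdedit /set {default} recoveryenabled No",
    r"2017-04-05T10:00:04Z pid=1204 ppid_image=invoice_pdf.exe image=C:\Windows\System32\bcdedit.exe cmd=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"2017-04-05T10:00:05Z pid=1205 ppid_image=explorer.exe image=C:\Windows\System32\vssadmin.exe cmd=vssadmin list shadows",
    r"2017-04-05T10:00:06Z pid=1206 ppid_image=svchost.exe image=C:\Windows\System32\notepad.exe cmd=notepad.exe readme.txt",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("parents to block:", correlate(hits))
```

Single-command matches are worth logging; the per-parent correlation is what you would actually block on, and it is the same shape as the multi-behavior IOA correlation discussed later in the deck.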

Page 11: RANSOMWARE: HOW BAD IS IT?

Page 12: RANSOMWARE TRENDS

Page 13: NOTABLE ATTACKS IN PAST YEAR

§ San Francisco (SFMTA/Muni) rail system
§ U.K. National Health Service (NHS)
§ Indiana county government
§ Apple ransom demand
  § "Turkish Crime Family"
  § Questionable credibility
  § Threatening to wipe data
  § Ostensible deadline of April 7

Page 14: VOLUME BREAKDOWN

Top family by volume:

              1H/2016    2H/2016
Worldwide     Locky      Cerber
U.S.          Locky      Locky*

* Mostly new Locky variants: Zepto, Osiris, etc.

Page 15: WHO?

Perpetrators
• ~75% developed by Eastern European criminal groups

Targets
• Europe and Asia more targeted
• U.S. relatively less targeted

Page 16: HOW?

Locky
• Widespread Necurs botnet
• Dominated Locky dissemination in 2016
• Now disseminating "pump & dump" scheme email spam

Cerber (exploit-kit distribution)
• RIG
• Magnitude
• Pseudo-Darkleech (campaign)
• Neutrino

Page 17: RECENT LULL

Page 18: NSIS EVASION

§ New NSIS installer based ransomware

§ Scripting and “in memory” techniques

§ Intended to evade AV

§ IOA approach unaffected by obfuscation

Page 19: RANSOMWARE: WHAT CAN WE DO ABOUT IT?

Page 20: BACKUPS

§ A secure, robust backup strategy is the single most important factor
§ Ensure that backups are not susceptible to malicious encryption/deletion
  § Avoid using mapped drives, Windows shares, or similar mechanisms for backups: anything the infected user can write to, the ransomware can encrypt or delete
§ Offline and/or rolling (versioned) backups
§ Backup restoration has its own cost: test restores before you need them
§ Previous Versions feature in Windows (relies on Volume Shadow Copies, which ransomware commonly deletes; see page 10)

Page 21: IF YOU ARE ATTACKED

§ Ransom: to pay or not to pay?
§ Data recovery
  § Volume Shadow Copies (Previous Versions feature), if they survived
§ www.NoMoreRansom.org/decryption-tools.html

Page 22: PARALLEL APPROACHES

Prevention

Next-Gen AV (NGAV)
• PE file-based
• Pre-execution
• PE files (exe, dll, ocx, …)
• Signatureless

Indicators of Attack (IOA)
• Behavioral
• PE files
• Exploitation
• Targeted TTP
• Fileless

Page 23: BENEFITS OF PARALLEL APPROACH

§ Each approach has its own strengths:
  § NGAV: volume of coverage for known and some unknown malware
  § IOA: catches unknown malware by behavior, and prevents malicious use of legitimate tools such as PowerShell
§ When only one approach identifies malware:
  § Opportunity to improve IOA coverage of a class of malware
  § Opportunity to train ML on new/unknown samples
§ "Virtuous cycles"

Page 24: EXPLOIT MITIGATION

§ Heap spray blocking
§ Force DEP enforcement
§ Force ASLR enforcement
§ Coming soon:
  § Null page blocking
  § Structured Exception Handling Overwrite Protection (SEHOP)
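Forcing DEP and ASLR matters because, by default, a process only gets them if its PE headers opt in. As an added example, not CrowdStrike's code, the Python below reads the DllCharacteristics field of a PE optional header and reports the opt-in bits, which is the check you run to find binaries that would need forcing. The flag values are from winnt.h; the header-only PE image it constructs to exercise itself is an assumption made for this example, and passing file paths on the command line inspects real binaries instead.

```python
"""Report whether a Windows PE image opts in to DEP (NX_COMPAT), ASLR
(DYNAMIC_BASE) and related mitigations via its DllCharacteristics field.

Added example, not CrowdStrike's code. The PE image built by
build_minimal_pe() is constructed in memory for this example (headers only,
no sections) and is not loadable.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* flags (winnt.h)
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE = 0x0040      # ASLR opt-in
NX_COMPAT = 0x0100         # DEP opt-in
NO_SEH = 0x0400            # image uses no SEH handlers
GUARD_CF = 0x4000          # Control Flow Guard

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
COFF_HEADER_FMT = "<HHIIIHH"   # Machine .. SizeOfOptionalHeader, Characteristics (20 bytes)


def pe_mitigations(data):
    """Parse the headers of a PE image and return which mitigations it opts into.
    Raises ValueError if the buffer is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _timestamp, _symtab, _nsyms,
     opt_size, _characteristics) = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dllchars & NX_COMPAT),
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "high_entropy_va": bool(dllchars & HIGH_ENTROPY_VA),
        "no_seh": bool(dllchars & NO_SEH),
        "cfg": bool(dllchars & GUARD_CF),
    }


def build_minimal_pe(dllchars, pe32plus=False):
    """Construct a header-only PE image carrying the given DllCharacteristics
    (constructed test input for this example; not a runnable binary)."""
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt_size = 112 if pe32plus else 96          # optional header without data directories
    dos = bytearray(b"MZ" + b"\0" * 0x3E)       # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew -> PE signature right after it
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, pe_mitigations(f.read()))
    else:
        print("constructed image:", pe_mitigations(build_minimal_pe(NX_COMPAT | DYNAMIC_BASE)))
```

A binary that reports `dep: False` or `aslr: False` still runs, but it runs without those protections unless the platform or an endpoint agent forces them, which is exactly the gap the slide's "force" bullets close.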

Page 25: EXPLOIT IOA

§ Targeting a class of post-exploit actions in commonly exploited contexts

§ Browsers / plugins

§ Document handling applications

Page 26: INDICATORS OF ATTACK

                        IOA              IOC
Information             Behaviors        Artifacts
Timeliness              Real time        After-the-fact
Preventability          Almost always    Seldom
Effort req'd to evade   High             Low
Relevance               Indefinite       Typically short

Page 27: WHAT GOES INTO FALCON IOA

§ High performance, high-efficiency on-sensor correlation

§ Quality of event data

§ Rapid development and deployment

§ High quality cloud data supporting analysis

§ Tools supporting IOA analysis and development

Page 28: EVENT STREAM PROCESSING (ESP)

§ Category of techniques used to efficiently process streams of data
§ Naïve approach:
  § Centralize all data required for correlation
  § Perform retrospective queries periodically over the centralized data
  § Result: bottleneck
§ Slightly less naïve approach:
  § Centralize all data required for correlation
  § Event stream processing on the centralized data
  § Result: slightly smaller bottleneck
§ Best approach*:
  § Perform correlation efficiently on endpoints when possible
  § Use the cloud for correlation where necessary, e.g. prevalence, first-seen, etc.
  § Result: highly efficient behavioral detection and prevention

* For more information, see: https://www.crowdstrike.com/blog/understanding-indicators-attack-ioas-power-event-stream-processing-crowdstrike-falcon/

Page 29: WHAT MAKES A USEFUL IOA?

§ Identifies behaviors that are uniquely malicious
§ Identifies behaviors that can be blocked, e.g.:
  § Credential theft
  § Backdoors
  § Post-exploit behaviors
  § Web shells
  § Document droppers
  § Process migration / hollowing

Page 30: WHAT GOES INTO FALCON IOA (continued)

§ Quality of event data: beyond procmon-style data (filenames, command lines, etc.), for example:
  § Code injection
  § Evidence of ROP
  § What process scheduled this task?
  § What process installed this service?
  § What process caused WMI to create a process?
  § What commands were executed from this shell?
  § Among many others …

Page 31: WHAT GOES INTO FALCON IOA (continued)

§ Rapid development and deployment
  § Frictionless delivery of new IOAs from the cloud
  § Rapid, low-friction development and revision cycle
  § Analysis tools that make IOA development broadly accessible to analysts
§ Data, data, data…

Page 32: DEVELOPING IOAS

§ Research areas:
  § Behavioral machine learning
  § New sources of event data
    § Network
    § Inter-process and intra-system communication
    § Script engines
  § Experimental pattern-matching graph query language
  § Behavioral fingerprinting

Page 33: EXAMPLE: DROPPERS VS INSTALLERS

§ Question: Is this process an installer or a dropper?
§ IOA:
  1. Process A creates executable E
  2. Process A launches executable E → child process B
  3. Wait for the exit of processes A and B
    § If process A exits first → dropper (the stager hands off to its payload and goes away)
    § If process B exits first → installer (the parent outlives the helper it spawned)
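The three steps above, written as a one-pass correlation over a process and file event stream, as an added example that is not CrowdStrike's sensor code. Event types, field names and the sample events are assumptions constructed for this example; the point is that the verdict needs only per-process state, so it can be reached on the endpoint without a central query.

```python
"""Dropper-vs-installer IOA as a one-pass, on-endpoint event stream correlation.

Added example, not CrowdStrike's sensor code. Applies the three steps from
the slide: process A writes executable E, A launches E as child B, then
whichever of A or B exits first decides the verdict. Event types, field
names and SAMPLE_EVENTS are assumptions constructed for this example.
"""
from collections import namedtuple

# type: "FileWrite" (path = file written), "ProcessCreate" (path = image of
# the new process, ppid = creator) or "ProcessExit" (path unused).
Event = namedtuple("Event", "ts type pid ppid path")

EXECUTABLE_EXTS = (".exe", ".scr", ".com")


def classify(events):
    """Return {parent pid: (verdict, child pid)} for every process that wrote an
    executable and then launched it. Only per-process state is kept, so the
    correlation runs in a single pass over the stream."""
    written = {}    # pid -> lowercase paths of executables it has written
    pairs = {}      # parent pid -> child pid launched from one of those files
    verdicts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        path = ev.path.lower()
        if ev.type == "FileWrite" and path.endswith(EXECUTABLE_EXTS):
            written.setdefault(ev.pid, set()).add(path)            # step 1
        elif ev.type == "ProcessCreate" and path in written.get(ev.ppid, ()):
            pairs.setdefault(ev.ppid, ev.pid)                      # step 2
        elif ev.type == "ProcessExit":                             # step 3
            for parent, child in pairs.items():
                if parent in verdicts:
                    continue
                if ev.pid == parent:
                    verdicts[parent] = ("dropper", child)          # A exited first
                elif ev.pid == child:
                    verdicts[parent] = ("installer", child)        # B exited first
    return verdicts


# Constructed sample stream: a dropper (pid 100), an installer (pid 200) and
# unrelated noise (pid 300).
SAMPLE_EVENTS = [
    Event(1, "ProcessCreate", 100, 42, r"C:\Users\alice\Downloads\invoice_4471.exe"),
    Event(2, "FileWrite", 100, 0, r"C:\Users\alice\AppData\Local\Temp\svchost32.exe"),
    Event(3, "ProcessCreate", 101, 100, r"C:\Users\alice\AppData\Local\Temp\svchost32.exe"),
    Event(4, "ProcessExit", 100, 0, ""),                   # stager gone, payload still running
    Event(10, "ProcessCreate", 200, 42, r"C:\Users\alice\Downloads\setup.exe"),
    Event(11, "FileWrite", 200, 0, r"C:\Program Files\App\helper.exe"),
    Event(12, "ProcessCreate", 201, 200, r"C:\Program Files\App\helper.exe"),
    Event(13, "ProcessExit", 201, 0, ""),                  # helper finishes first
    Event(14, "ProcessExit", 200, 0, ""),
    Event(20, "FileWrite", 300, 0, r"C:\Users\alice\notes.txt"),
    Event(21, "ProcessCreate", 301, 300, r"C:\Windows\System32\notepad.exe"),
    Event(22, "ProcessExit", 300, 0, ""),
    Event(900, "ProcessExit", 101, 0, ""),                 # dropped payload exits much later
]

if __name__ == "__main__":
    for parent, (verdict, child) in classify(SAMPLE_EVENTS).items():
        print(f"pid {parent} -> {verdict} (child pid {child})")
```

Note that the verdict for the dropper is available at the moment process A exits, before its payload has done anything, which is what makes this a preventable behavior rather than an after-the-fact artifact.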

Page 34: RANSOMWARE IOA

§ What behavior is universal and unique to file-encrypting ransomware?

§ More than one behavior = IOA correlation

§ Filesystem scanning

§ Patterns of file access

§ File modification / Encryption

§ Ransomware note dropping
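The four behaviors listed above, correlated per process so that no single one of them produces a verdict, as an added example that is not CrowdStrike's IOA engine. It also illustrates the ESP slide's "correlate on the endpoint" point: the engine keeps only per-process counters and decides in one pass. Event types, field names, thresholds and the sample stream (one ransomware-like process and one backup agent that reads many files but writes a single archive) are assumptions constructed for this example.

```python
"""Ransomware IOA: alert only when several ransomware behaviors co-occur in
one process, rather than on any single one.

Added example, not CrowdStrike's IOA engine. Tracks, per process, the four
behaviors from the slide: filesystem scanning, a read-then-overwrite/replace
access pattern, writes of high-entropy (encrypted-looking) data, and the same
note dropped into many directories. Event types, field names, thresholds and
constructed_events() are assumptions made for this example.
"""
import math
import ntpath          # Windows path handling regardless of host OS
import random
from collections import defaultdict


def shannon_entropy(data):
    """Bits per byte of a byte string; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareIOA:
    MIN_DIRS_SCANNED = 5        # directories enumerated by the process
    MIN_FILES_TOUCHED = 5       # files read and then overwritten or replaced
    MIN_HIGH_ENTROPY = 5        # writes whose content looks encrypted
    MIN_NOTE_COPIES = 3         # same file name dropped into this many directories
    ENTROPY_THRESHOLD = 7.0     # bits/byte; natural-language text is usually well below
    MIN_BEHAVIORS = 3           # distinct behaviors required before blocking

    def __init__(self):
        self.dirs = defaultdict(set)
        self.reads = defaultdict(set)
        self.read_then_written = defaultdict(set)
        self.high_entropy_writes = defaultdict(set)
        self.notes = defaultdict(lambda: defaultdict(set))   # pid -> name -> dirs

    def feed(self, ev):
        """Consume one event: {"type": DirEnum|FileRead|FileWrite, "pid", "path", ["data"]}."""
        pid, path = ev["pid"], ev["path"].lower()
        if ev["type"] == "DirEnum":
            self.dirs[pid].add(path)
        elif ev["type"] == "FileRead":
            self.reads[pid].add(path)
        elif ev["type"] == "FileWrite":
            high = shannon_entropy(ev["data"]) >= self.ENTROPY_THRESHOLD
            stem = ntpath.splitext(path)[0]   # "report.docx.locked" replaces "report.docx"
            if path in self.reads[pid] or stem in self.reads[pid]:
                self.read_then_written[pid].add(path)
            if high:
                self.high_entropy_writes[pid].add(path)
            elif path not in self.reads[pid]:
                d, name = ntpath.split(path)   # new low-entropy file: candidate note
                self.notes[pid][name].add(d)

    def behaviors(self, pid):
        seen = set()
        if len(self.dirs[pid]) >= self.MIN_DIRS_SCANNED:
            seen.add("filesystem_scanning")
        if len(self.read_then_written[pid]) >= self.MIN_FILES_TOUCHED:
            seen.add("read_then_write_pattern")
        if len(self.high_entropy_writes[pid]) >= self.MIN_HIGH_ENTROPY:
            seen.add("high_entropy_writes")
        if any(len(d) >= self.MIN_NOTE_COPIES for d in self.notes[pid].values()):
            seen.add("note_dropping")
        return sorted(seen)

    def verdict(self, pid):
        b = self.behaviors(pid)
        return ("block" if len(b) >= self.MIN_BEHAVIORS else "allow", b)


def constructed_events():
    """Deterministic sample stream: pid 4242 behaves like ransomware, pid 5151 like
    a backup agent (reads many files, writes one high-entropy archive)."""
    rng = random.Random(7)

    def rand(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    evs = []
    for i in range(6):
        d = rf"C:\Users\alice\Documents\proj{i}"
        evs.append({"type": "DirEnum", "pid": 4242, "path": d})
        for j in range(2):
            src = rf"{d}\report{j}.docx"
            evs.append({"type": "FileRead", "pid": 4242, "path": src})
            evs.append({"type": "FileWrite", "pid": 4242, "path": src + ".locked", "data": rand(1024)})
        evs.append({"type": "FileWrite", "pid": 4242, "path": rf"{d}\_HELP_RECOVER.txt",
                    "data": b"Your files have been encrypted. Pay to recover them.\r\n" * 10})
    for i in range(6):
        d = rf"D:\share\dept{i}"
        evs.append({"type": "DirEnum", "pid": 5151, "path": d})
        evs.append({"type": "FileRead", "pid": 5151, "path": rf"{d}\data.xlsx"})
    evs.append({"type": "FileWrite", "pid": 5151, "path": r"E:\backup\2017-04-05.zip", "data": rand(4096)})
    return evs


def run_stream(events):
    ioa = RansomwareIOA()
    for ev in events:
        ioa.feed(ev)
    return ioa


if __name__ == "__main__":
    ioa = run_stream(constructed_events())
    for pid in (4242, 5151):
        print(pid, ioa.verdict(pid))
```

The backup agent shares the scanning behavior and even one high-entropy write with the ransomware, which is why a single behavior is never enough; requiring three of the four is what keeps legitimate bulk file tools out of the verdict while still firing early in the encryption sweep.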

Page 35: FALCON CLOUD DATA

§ Falcon provides cloud data to CrowdStrike analysts and customers
§ Indexed data (Endpoint Activity Monitor)
  § Fast query results
  § Large, rich event data set
§ Graph database (ThreatGraph™)
  § Links related data
  § Substantial speed improvement compared to "join"-style queries
  § Contains "linking" events that represent relationships beyond just process/child

Page 36: RANSOMWARE: WHAT WILL TOMORROW'S RANSOMWARE LOOK LIKE?

Page 37: RANSOMWARE'S FUTURE

§ Larger targets = larger payoff
§ One-time attacks
§ Infrastructure-as-a-Victim
  § SCADA / ICS / DCS
  § Public transportation
  § Connected cars
  § IoT
§ File-encrypting ransomware
  § Unlikely to go away any time soon
  § Possibility of increases on other platforms such as Mac, Linux

Page 38

Questions? Please submit all questions in the Q&A chat right below the presentation slides.

Contact Us

Additional Information

Join Weekly Demos: crowdstrike.com/productdemos

Upcoming CrowdCast Topics
• Mac Prevention – April 12th
• Proactive Hunting – April 26th

Website: crowdstrike.com
Email: [email protected]
1.888.512.8902 (US)