Ransomware – Prepare: Have a Plan
Jim Olmstead
Incident Response Consultant
Ransomware
• It is Prevalent
• It is Profitable
• If you Pay the ransom, you provide incentive for the Bad Actors to continue
• Let’s break the cycle
• Prepare now
Threat Vectors
• Delivery methods of ransomware
• Email (Mass spam and possible targeted spam)
• Locky, Teslacrypt, …
• Exploits weaknesses in your security
• Launched by employees eager to “click” on email
• Hack and Attack
• Samsa, Samas (aka, samsam.exe and other variant names)
Secure:
» Computers on your network and under your control (Password & Kerberos Reset)
» 3rd Party Vendor or Unmanaged systems on your network
» Review computers placed in your DMZ and their connectivity back to your network
Response: Initial
• If infected, immediately detach the system from your network
• Physically disconnect system, or use
• Host Intrusion Protection System (HIPS)
• Automate the response if a detection occurs, or
• Manually isolate
• Ensure your anti-virus is up to date with signatures
• Schedule full (daily) scans of workstations and servers
• Any excluded systems or portions of systems MUST be scanned
• Schedule additional (daily) targeted scans
• Remediate the system or wipe it clean?
• Have you done enough to prepare?
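The "automate the response if a detection occurs" step needs a detection that is specific enough not to isolate a backup job. The following is an added example, not code from the McAfee deck or from any McAfee product: it scores constructed file-activity records (the kind an EDR or HIPS agent reports) per process on three independent indicators, a burst of writes/renames on user data, a large number of files whose extension was replaced, and the drop of a ransom note, and only recommends isolation when a process shows at least two of them. The record format, thresholds, the `C:\Users\` scope and the ransom-note name fragments are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables (assumed values; tune against your own telemetry).
WINDOW = timedelta(seconds=60)   # burst window per process
BURST_THRESHOLD = 10             # file operations on user data inside WINDOW
EXT_CHANGE_THRESHOLD = 8         # distinct files whose extension was replaced
# Assumed ransom-note name fragments; real note names vary per family.
NOTE_PATTERNS = re.compile(r"recover_instructions|help_decrypt|how_to_decrypt|decrypt_my_files", re.I)
USER_DATA = re.compile(r"^[A-Z]:\\Users\\", re.I)   # only user data paths are scored


def parse_events(text):
    """Parse 'timestamp|pid|process|operation|path' records (rename path: 'old -> new')."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, proc, op, path = line.split("|", 4)
        events.append((datetime.fromisoformat(ts), int(pid), proc, op, path))
    return events


def _ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def max_burst(times):
    """Largest number of timestamps inside one WINDOW (two-pointer sweep)."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(events):
    """Return {(pid, process): [indicators]} for processes behaving like ransomware."""
    per_proc = defaultdict(lambda: {"times": [], "ext_changed": set(), "note": False})
    for ts, pid, proc, op, path in events:
        rec = per_proc[(pid, proc)]
        if op == "rename" and " -> " in path:
            old, new = path.split(" -> ", 1)
            if USER_DATA.match(old):
                rec["times"].append(ts)
                if _ext(old) != _ext(new):
                    rec["ext_changed"].add(old)
        elif op == "write" and USER_DATA.match(path):
            rec["times"].append(ts)
            if NOTE_PATTERNS.search(path.rsplit("\\", 1)[-1]):
                rec["note"] = True
    findings = {}
    for key, rec in per_proc.items():
        indicators = []
        if max_burst(rec["times"]) >= BURST_THRESHOLD:
            indicators.append("burst")
        if len(rec["ext_changed"]) >= EXT_CHANGE_THRESHOLD:
            indicators.append("extension-rewrite")
        if rec["note"]:
            indicators.append("ransom-note")
        if indicators:
            findings[key] = indicators
    return findings


def should_isolate(findings):
    """Assumed policy: isolate when one process shows two or more independent
    indicators, so a bulk-copy or backup tool that only bursts is not cut off."""
    return any(len(ind) >= 2 for ind in findings.values())


def constructed_sample():
    """Constructed records (not real telemetry): one ransomware-like process,
    one bulk-copy tool, one ordinary document edit, one system temp write."""
    t0 = datetime(2016, 4, 5, 9, 0, 0)
    ev = []
    names = ["q1.docx", "budget.xlsx", "photo1.jpg", "photo2.jpg", "notes.txt", "cv.pdf",
             "plan.pptx", "team.png", "ledger.csv", "memo.docx", "draft.odt"]
    for i, n in enumerate(names):   # 11 extension-changing renames in 22 seconds
        old = "C:\\Users\\jo\\Documents\\" + n
        ev.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()}|3388|rundll32.exe|rename|{old} -> {old}.locky")
    ev.append(f"{(t0 + timedelta(seconds=23)).isoformat()}|3388|rundll32.exe|write|"
              "C:\\Users\\jo\\Documents\\_Locky_recover_instructions.txt")
    for i in range(12):             # write burst only: no extension rewrite, no note
        ev.append(f"{(t0 + timedelta(seconds=i)).isoformat()}|900|robocopy.exe|write|C:\\Users\\jo\\Backup\\file{i}.dat")
    ev.append(f"{t0.isoformat()}|412|winword.exe|write|C:\\Users\\jo\\Documents\\q1.docx")
    ev.append(f"{t0.isoformat()}|2201|svchost.exe|write|C:\\Windows\\Temp\\cab1.tmp")
    return "\n".join(ev)


if __name__ == "__main__":
    found = analyse(parse_events(constructed_sample()))
    print(found, "isolate:", should_isolate(found))
```

Run on the constructed sample, `rundll32.exe` trips all three indicators and the host is marked for isolation, while `robocopy.exe` trips only the burst indicator and is left alone; the two-indicator rule is the caveat to keep in mind before wiring a detector like this to an automatic quarantine action.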
Response: Be Proactive - Prepare
• BACKUP your data to an offsite location or detach your backup storage
• Block or reduce access to Open and Mapped Shares
• Update, Upgrade, and patch your Operating System (OS)
• Use Whitelisting / Application Control
• Block and Filter email & attachments
• Remove or reduce Remote Desktop (RDP) use
• Educate your end-users (To be Suspicious of email and attachments)
• Run up-to-date Anti-virus protection & signatures (Use extra.dat’s)
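"Block and filter email & attachments" is where the mass-spam families named above (Locky, TeslaCrypt) are cheapest to stop. The following is an added example, not code from the deck or from any McAfee gateway: a small attachment filter that blocks script and executable types, macro-enabled Office documents and double-extension lures, and looks one level inside zip archives, deciding by content (the `PK` magic) as well as by filename so a renamed archive is still opened. It runs on a constructed `.eml` built with the standard library; the extension lists and the block/allow policy are assumptions for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed gateway policy (illustrative, not a vendor default).
BLOCKED_EXT = {"js", "jse", "vbs", "vbe", "wsf", "hta", "scr", "exe", "pif", "cmd", "bat", "ps1", "jar"}
MACRO_OFFICE_EXT = {"docm", "xlsm", "pptm", "dotm"}      # macro-enabled Office formats
DECOY_EXT = {"pdf", "doc", "docx", "xls", "jpg", "txt"}  # decoys used in double-extension lures
ZIP_MAGIC = b"PK\x03\x04"


def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_name(name):
    """Reason to block based on the filename alone, or None."""
    parts = name.lower().split(".")
    if parts[-1] in BLOCKED_EXT:
        return f"{name}: script/executable type .{parts[-1]}"
    if parts[-1] in MACRO_OFFICE_EXT:
        return f"{name}: macro-enabled Office document"
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        return f"{name}: double extension"
    return None


def inspect_archive(name, data):
    """Look one level inside a zip; encrypted members cannot be inspected, so block them."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    reasons.append(f"{name}: encrypted member {info.filename}")
                    continue
                r = inspect_name(info.filename)
                if r:
                    reasons.append(f"{name} -> {r}")
    except zipfile.BadZipFile:
        reasons.append(f"{name}: claims to be a zip but is not")
    return reasons


def filter_message(raw):
    """Return ('block' | 'allow', reasons) for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        r = inspect_name(name)
        if r:
            reasons.append(r)
        # Decide by content too: a zip renamed to .pdf still starts with PK.
        if _ext(name) == "zip" or data.startswith(ZIP_MAGIC):
            reasons.extend(inspect_archive(name, data))
    return ("block" if reasons else "allow"), reasons


def build_sample(filename, payload):
    """Constructed test message (not a real phishing sample)."""
    m = EmailMessage()
    m["From"] = "invoices@example.com"
    m["To"] = "jo@example.org"
    m["Subject"] = "Invoice"
    m.set_content("Please see attached.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


def zipped(member_name, content):
    """Build an in-memory zip holding one member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print(filter_message(build_sample("invoice_2016.zip", zipped("invoice.pdf.js", b"var x;"))))
    print(filter_message(build_sample("report.pdf", b"%PDF-1.4\n")))
```

A gateway rule set like this is deliberately blunt: it does not try to decide whether a `.js` is malicious, it refuses the type. Password-protected archives are blocked for the same reason: what cannot be inspected cannot be allowed through on the strength of its name.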
Be Ready- Prepare Now
• Incidents are going to happen
• Incidents are part of doing business
• Need for an endpoint solution & other security products
• Have a Plan before you have the Need to Respond
The RansomWare Landscape (chart, @ChristiaanBeek)
Families shown: TeslaCrypt, CryptoWall, Crysis, Locky, Reveton, CryptoFortress, Criakl, Tobfy, CTB-Locker, LockScreen, CrypTear, Samas, Other
RansomWare Statistics Q1 - 2016 (chart, values as labelled)
Jan: 272,712
Feb: 240,767
Mar: 674,778
“In Q1 2016, TeslaCrypt hit many European
countries, where Turkey was hit the most
according to our statistics.”
Countries hit by RansomWare
“Where we started with around 10 families
in Jan 2016, currently we are tracking 57+
different ransomware families...”
Observations Q1
- Ransomware as a Service increased massively
- Source-code for ransomware publicly available
- Targeted ransomware campaign on mostly Healthcare industry
- Ransomware encrypting Master-Boot-Record
- Apple users hit with Ransomware
- Ransomware going after web-content management systems
Who's behind ransomware? (diagram)
Tiers: Wannabee, Affiliate, Organized Crime
Roles shown: Ransomware as a Service (RaaS) operator, botnet affiliate / service provider, cash management
Organized crime:
- Experienced group
- Involved in multiple (ransomware) campaigns
- Fast response times
- Server image for fast deployment
- Cautious in affiliate program
- Tracking news and forums around their ‘product’ and adjusting
Profitable business?
SamSa example (ransom payments observed)
• 45.00 BTC
• 40.00 BTC
• 21.94 BTC
• 22.00 BTC
• 22.00 BTC
• 40.00 BTC
$100,000.00 so far…
Ransomware Kill-chain (diagram)
- Delivery infrastructure: phishing (URL or attachment), exploit kits, distribution servers
- Infection: victim infected
- Back-end infrastructure: proxy servers (proxy URL 1, proxy URL 2, … proxy URL X)
- Payment infrastructure: Btc wallet1, Btc wallet2, Btc wallet3, many transactions, final wallets
What is Intel Security doing about it?
Ransomware
• Focused group on ransomware
• Participate in investigations and operations with Law Enforcement and other Vendors
• Innovating new technology
What can we expect next?
Compared to 2015, we already have seen a few new directions like targeted ransomware and encrypting full systems.
We expect that embedded devices, more targeted attacks on certain industries and related business applications will increase in 2016 and beyond.
There is Hope!!
- Petya (boot-disk encryption)
- Teslacrypt (older versions)
- TorrentLocker
- Jigsaw ransomware
- Linux.Encoder
- Double-DMA
Ransomware Recommendations
Josh Thurston
Security Strategist – Office of the CTO
Threat Defense Lifecycle
Avoid risk: filter run-rate threats and protect data to reduce exploitable surface area and operational burden
Reduce risk: isolate signal from noise for rapid, high-fidelity risk comprehension and response prioritization
Mitigate risk: optimize decision making, compress mean time to resolution, minimize impact
Applied integration, automation, and orchestration driving a defense lifecycle
Disrupt in-bound attacks
Control data access
Automate defensive workflow
Illuminate low-threshold breaches
Discover unmanaged systems
Monitor data access
Contain and repair compromised systems
Programmatically share intelligence
Adjust and extend policies
Optimize Resources
Protect Recommendations
• Patch management and hygiene
• Tune VirusScan and Endpoint Security Access Protection rules
• KB81095 and KB54812
• Use GTI and leverage 4+ million unique ransomware signatures
• Use HIPS signatures to limit unknown processes
• 3894: prevent SVCHOST.exe executing non-Windows .exe's
• 6010 and 6011: block the injection immediately
• Use Whitelisting / Application Control
• Fortify critical systems
• Legacy operating systems & applications
Protect Recommendations
• Use Web Security to stop threats before they get to the endpoint
(Diagram: layered inspection, ordered from input quantity to depth of inspection)
- AV: filter known bad
- Gateway Anti-Malware (McAfee Web Protection): real-time behavioral emulation (zero-day)
- McAfee ATD: dynamic and static analysis, sandbox / reverse-engineering (zero-day)
Detect Recommendations
• Limit software installs with VSE Access Protection rules
• Use HIPS & Change Control to block changes from unapproved processes
• Use TIE to detect new PEs (portable executables)
• Use Sandboxing / ATD to inspect “grey” files upon execution
• Use IPS to block Tor traffic used by ransomware to obfuscate its communications
• Integrate endpoint with network to reveal malicious process communications
Correct Recommendations
• Use ATD to educate the TIE reputation DB
• Use AR (Active Response) to hunt for latent malicious code and eradicate it
• Use SIEM and IPS to discover and blacklist malicious IPs
• Use frequent backups to restore systems (last resort)
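The Detect item "integrate endpoint with network to reveal malicious process communications" and the Correct item "use SIEM and IPS to discover and blacklist malicious IPs" are two views of one join. The following is an added example, not code from the deck or from any McAfee product (TIE, ATD, AR and the SIEM are only named in the lead-in): it correlates constructed endpoint process-connection records with constructed perimeter flow records against a constructed blacklist and Tor relay list, names the host and process behind each hit, derives the IP blocklist to push to the IPS/SIEM, and flags a perimeter source that no endpoint agent reported, which is how an unmanaged system in the kill chain shows up. Addresses, feeds, record formats and the port heuristic are all assumptions for illustration.

```python
from collections import defaultdict

# Assumed feeds (constructed): SIEM/IPS blacklist and a Tor relay list.
KNOWN_BAD = {"198.51.100.23", "203.0.113.77"}
TOR_RELAYS = {"192.0.2.10", "192.0.2.11"}
TOR_PORTS = {9001, 9030, 9050, 9150}   # assumed; a weak indicator on its own
STRONG = {"known-bad", "tor-relay"}    # indicators worth acting on automatically

# Constructed asset inventory: hosts that run the endpoint agent, and their addresses.
HOST_IPS = {"ws-017": "10.0.5.17", "ws-042": "10.0.5.42"}

# Constructed endpoint process-connection records: host|pid|process|dst_ip|dst_port
ENDPOINT_LOG = """\
ws-017|4312|rundll32.exe|198.51.100.23|443
ws-017|4312|rundll32.exe|192.0.2.10|9001
ws-017|1200|chrome.exe|203.0.113.5|443
ws-042|688|svchost.exe|203.0.113.5|9001
"""

# Constructed perimeter flow records: src_ip|dst_ip|dst_port|bytes
FLOW_LOG = """\
10.0.5.17|198.51.100.23|443|18210
10.0.5.17|192.0.2.10|9001|52000
10.0.5.17|203.0.113.5|443|4096
10.0.5.42|203.0.113.5|9001|900
10.0.5.99|203.0.113.77|443|7300
"""


def classify(dst_ip, dst_port):
    """Indicators for one destination; 'tor-port' alone is not enough to act on."""
    reasons = []
    if dst_ip in KNOWN_BAD:
        reasons.append("known-bad")
    if dst_ip in TOR_RELAYS:
        reasons.append("tor-relay")
    elif dst_port in TOR_PORTS:
        reasons.append("tor-port")
    return reasons


def correlate(endpoint_log, flow_log, host_ips):
    """Join endpoint connections with perimeter flows, then surface perimeter
    sources the endpoint side never reported (no agent means unmanaged system)."""
    flows = defaultdict(int)
    for line in flow_log.strip().splitlines():
        src, dst, port, nbytes = line.split("|")
        flows[(src, dst, int(port))] += int(nbytes)
    managed_ips = set(host_ips.values())
    findings = []
    for line in endpoint_log.strip().splitlines():
        host, pid, proc, dst, port = line.split("|")
        reasons = classify(dst, int(port))
        if reasons:
            findings.append({"host": host, "pid": int(pid), "process": proc, "dst": dst,
                             "port": int(port), "reasons": reasons,
                             "bytes_at_perimeter": flows.get((host_ips.get(host), dst, int(port)), 0)})
    for (src, dst, port), nbytes in flows.items():
        reasons = classify(dst, port)
        if src not in managed_ips and STRONG & set(reasons):
            findings.append({"host": None, "src_ip": src, "dst": dst, "port": port,
                             "reasons": reasons + ["unmanaged-source"], "bytes_at_perimeter": nbytes})
    return findings


def blocklist(findings):
    """Destination IPs to push to the IPS / SIEM blacklist (strong indicators only)."""
    return sorted({f["dst"] for f in findings if STRONG & set(f["reasons"])})


def processes_to_hunt(findings):
    """(host, process) pairs to sweep with the endpoint hunting tooling."""
    return sorted({(f["host"], f["process"]) for f in findings
                   if "process" in f and STRONG & set(f["reasons"])})


if __name__ == "__main__":
    found = correlate(ENDPOINT_LOG, FLOW_LOG, HOST_IPS)
    for f in found:
        print(f)
    print("blocklist:", blocklist(found), "hunt:", processes_to_hunt(found))
```

On the constructed data the join attributes the blacklisted and Tor-relay connections to `rundll32.exe` on ws-017 with the byte counts the perimeter saw, keeps the `svchost.exe` connection to port 9001 as a weak, review-only finding rather than a block, and reports 10.0.5.99 as a source with no agent talking to a blacklisted address.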
Neutralize Emerging Threats
Safeguard Vital Data
Optimize Security Operations
Fortify Critical Environments
Intel Security: Capability Offerings
Endpoint Protection
Network Security
Data Security
Web Security
Security Management
Endpoint Detection & Response
Server Security
Threat Sandboxing
Security Services
Threat Intelligence