Ransomware - what is it, how to protect against it
- 2. WHOAMI
I’m NOT a CEH
Creator of the Zombie Browser Toolkit
https://github.com/Z6543/ZombieBrowserPack
Creator of the HWFW Bypass tool
• Idea later(?) implemented by nation-state attackers in Duqu 2.0
https://github.com/MRGEffitas/hwfwbypass
Creator of the Malware Analysis Sandbox Tester tool
https://github.com/MRGEffitas/Sandbox_tester
Invented the idea of encrypted exploit delivery via Diffie-Hellman key exchange, to bypass exploit detection appliances
• Implemented by Angler and Nuclear exploit kit developers
https://www.mrg-effitas.com/generic-bypass-of-next-gen-intrusion-threat-breach-detection-systems/
- 3. WHAT IS RANSOMWARE
Malware executes on your computer
Blocks access to your files or to the whole computer
Pay in Bitcoin or a similar pseudo-anonymous means
There is a deadline to pay; after that the ransom is higher or the keys are deleted forever
- 11. LINUX WEBSERVER RANSOMWARE
Encrypt the database, but the key is available for weeks/months
When the latest working backup is too old, the keys are deleted
https://www.theguardian.com/technology/2015/feb/03/hackers-websites-ransom-switching-encryption-keys
- 12. LEAKWARE/DOXWARE
Pay, or I will publish your …
• E-mails
• Browser history
• The contents of your hidden, private folder
• Things you did in front of your webcam
Not very popular (yet) …, but if too many people have good backups, this might be the fallback for ransomware developers
• Hard to scale on attacker side, hard to automate
• Better to attack huge corporations
Everyone has secrets they want to keep private
Black Mirror S03E03
- 14. WHAT HAPPENED IN 2013? WHAT WAS DIFFERENT 10 YEARS AGO?
More careless users
Java/Flash exploits
hidden services
- 15. WHAT IS ENCRYPTED BY RANSOMWARE?
ods crp arj tar raw xlsm prproj der 7zip bpw dxf ppj tib nbf dot
pps dbf qif nsf ifx cdr pdb kdbx tbl docx qbw accdb eml pptx
kdb p12 tax xls pgp rar xml sql 4dd iso max ofx sdf dwg idx rtf
dotx saj gdb wdb pfx docm dwk qba mpp 4db myo doc xlsx ppt
gpg gho sdc odp psw psd cer mpd qbb dwfx dbx mdb crt sko
nba jpg nv2 mdf ksd qbo key pdf aes 3ds qfx ppsx sxc gxk aep
odt odb dotm accdt fdb csv txt zip
Documents, Images, CAD files, Source code, Gameplay save,
Cryptocurrency wallet, Password safe database, Certificates,
Compressed files, Encrypted files, Backup files
- 16. WHAT ELSE IS DONE BY RANSOMWARE?
Not just local files, but files on network shares
Deletes volume shadow copies
• Defeats Windows System Restore and "previous versions"
Steals Bitcoin
• If the wallet is not protected with a strong password
Steals passwords stored in the browser or FTP client
- 19. PROBLEMS REGARDING CURRENT RANSOMWARE PROTECTION
Every reactive technology is doomed to fail
• AV signature protection
• IDS/IPS
• Spam filter (signature based)
Previously, reactive malware detection was good enough
• It was OK to have malware running on the computer for days
In the case of ransomware, 15 minutes late is too late
Reputation-based protection is much better than signature-based, because it is proactive
- 21. (ALMOST) FREE TIPS – EXPLOIT PROTECTION
Use Chrome to browse the Internet
Use EMET (as long as you need it)
• Only protects IE, not Edge, Chrome or Firefox
Instead of EMET, pay for Sophos Intercept X (HitmanPro Alert) or MBAE
• Paid versions protect all browsers
Flash click-to-play
uBlock Origin adblocker against malvertising
index.hu
Use latest Windows/Office
- 22. (ALMOST) FREE TIPS – EXPLOIT PROTECTION
Use a VPN exiting in a poor or post-Soviet country (exploit kits geo-filter their victims)
https://www.trustwave.com/Resources/SpiderLabs-Blog/Magnitude-Exploit-Kit-Backend-Infrastructure-Insight---Part-II/
- 24. (ALMOST) FREE TIPS – MACRO PROTECTION
Macro malware
There is a 1% chance you need macros in your home environment. Just disable them
Don't enable macros, and teach your grandma/grandpa the same
- 25. (ALMOST) FREE TIPS – SCRIPT PROTECTION
Use Notepad as default app for the following file extensions:
JS/JSE/WSH/HTA/VBS/WS/BAT/VBE
Don’t hide file extensions from users
Use generic ransomware protection
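One way to apply the two script tips above on a single Windows machine, as an added example that is not from the talk; it maps the listed extensions to Notepad and unhides extensions through per-user registry keys (assumption: Windows 7 or later, no admin rights needed):

```powershell
# Added example, not from the talk: point the listed script extensions at
# Notepad so a double-clicked .js/.vbs/.hta attachment opens as text instead
# of running under wscript.exe / mshta.exe / cmd.exe, and stop Explorer from
# hiding extensions. Per-user registry only, so no admin rights are needed;
# a GPO with the same values does it fleet-wide. Assumption: Windows 7+.
$scriptExtensions = '.js', '.jse', '.wsh', '.hta', '.vbs', '.ws', '.bat', '.vbe'

foreach ($ext in $scriptExtensions) {
    $key = "HKCU:\Software\Classes\$ext"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 'txtfile' is the built-in ProgID whose Open verb launches notepad.exe.
    # HKCU\Software\Classes overrides the machine-wide HKLM association.
    Set-ItemProperty -Path $key -Name '(default)' -Value 'txtfile'
}

# Show file extensions in Explorer ("invoice.pdf.js" must look like a script)
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -Name 'HideFileExt' -Value 0 -Type DWord

# Verify. If the user already picked an app for an extension, the UserChoice
# key under Explorer\FileExts still wins and must be reset via Settings.
foreach ($ext in $scriptExtensions) {
    $progId = (Get-ItemProperty -Path "HKCU:\Software\Classes\$ext").'(default)'
    $choice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    '{0,-5} -> {1}{2}' -f $ext, $progId, $(if (Test-Path $choice) { '  (UserChoice set, overrides!)' } else { '' })
}
```

This only changes what a double-click does; a script started explicitly with wscript.exe or cscript.exe still runs, which is what the application whitelist later in the deck is for.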
- 26. (ALMOST) FREE TIPS – CAMOUFLAGE
Make your computer look like a malware analyst's computer (many samples refuse to run there)
• Wireshark, Fiddler, Process Explorer …
• VirtualBox Guest Additions and VMware Tools files
• HitmanPro Alert vaccination
https://theevilbit.blogspot.hu/2015/10/make-your-desktop-fake-virtual-machine.html
- 28. TIPS – EXPLOIT PROTECTION
Force Chrome (or Edge) for Internet browsing, enforced at the web proxy
• Filter on User-Agent at the proxy
• Use IE6 for the intranet only
• Chrome can be managed via GPO
Web proxy filtering
• Users have to click through to visit uncategorized sites
E-mail filter
• Put suspicious files into quarantine
• An admin has to approve the release if the user really wants the email
- 29. (ALMOST) FREE TIPS – MACRO PROTECTION
Macro malware
• Only allow digitally signed macros to run
OR
• Office 2016/2013 Group Policy
• Block macros in Office documents downloaded from the Internet
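The macro settings from slides 24 and 29, applied locally as an added example that is not from the talk. It writes the per-user policy registry values that the Office 2013 (15.0) and Office 2016 (16.0) ADMX templates use; the assumption is that in a domain the same values are pushed by GPO instead:

```powershell
# Added example, not from the talk: applies both macro settings from slides
# 24 and 29 through the per-user policy keys that the Office 2013 (15.0) and
# Office 2016 (16.0) ADMX templates write. Values are the ones documented for
# the "VBA Macro Notification Settings" and "Block macros from running in
# Office files from the Internet" policies. Assumption: the same keys can be
# delivered by GPO in a domain; here they are written locally.
$versions = '15.0', '16.0'
$apps     = 'Word', 'Excel', 'PowerPoint'

# Home use (slide 24): 4 = disable all macros, no notification.
# Corporate use (slide 29): 3 = run only digitally signed macros.
$vbaWarnings = 3

foreach ($v in $versions) {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $vbaWarnings -Type DWord
        # Files carrying the Mark-of-the-Web (downloaded or mailed) get macros
        # blocked outright, regardless of the notification setting above.
        Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
    }
}

# Report what is now in effect. Values under Policies cannot be changed from
# the Trust Center UI, so the user cannot "just enable it" on a phishing doc.
foreach ($v in $versions) {
    foreach ($app in $apps) {
        Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security" |
            Select-Object @{n='Office';e={"$app $v"}}, VBAWarnings, BlockContentExecutionFromInternet
    }
}
```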
- 30. (ALMOST) FREE TIPS
Application whitelist for C:\Users
• Windows AppLocker
• http://www.mcbsys.com/blog/2013/10/block-user-folder-executables/
• .exe, .scr, .com, .js, .jse, .wsh, .vbs, .cs, .cab, …
• Lots of work, and lots of things will break. But over time it is worth it
A reputation database is also a kind of whitelist
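A starting AppLocker policy for the C:\Users whitelist above, as an added example that is not from the talk or the linked blog post. It assumes a Windows Enterprise/Server SKU with AppLocker, an elevated shell and the Application Identity service running; the rule GUIDs and the sample download path are constructed:

```powershell
# Added example, not from the talk: an AppLocker policy that denies EXEs and
# scripts launched from anywhere under C:\Users (downloads, mail attachments,
# browser caches) while allowing Program Files and Windows, so the box stays
# usable. It starts in AuditOnly so nothing is blocked yet; watch the event
# log first, then switch EnforcementMode to "Enabled".
# Assumptions: Windows Enterprise/Server SKU, elevated shell, the Application
# Identity service (AppIDSvc) running. Rule GUIDs are constructed here.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-4111-8111-111111111111" Name="Deny EXE under Users"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-4222-8222-222222222222" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-4333-8333-333333333333" Name="Allow Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="44444444-4444-4444-8444-444444444444" Name="Deny scripts under Users"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="55555555-5555-4555-8555-555555555555" Name="Allow scripts elsewhere"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$xmlPath = Join-Path $env:TEMP 'deny-users-applocker.xml'
Set-Content -Path $xmlPath -Value $policyXml -Encoding Unicode

# Dry run on a constructed empty file: the Users path should show Denied
$sample = New-Item -ItemType File -Path "$env:USERPROFILE\Downloads\invoice.js" -Force
Test-AppLockerPolicy -XmlPolicy $xmlPath -User Everyone -Path $sample.FullName, "$env:WINDIR\System32\notepad.exe"

# Merge into the local policy. Deny rules always win over Allow rules.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# AuditOnly logs "would have been blocked" as 8003 (EXE and DLL) / 8006 (MSI and Script)
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message
```

Expect legitimate per-user installers (Chrome, Teams, Spotify style) to show up in the audit events; those need their own publisher rules before enforcement, which is the "lots of things will break" part of the slide.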
- 32. BACKUP
Ransomware actively searches for and encrypts backup files.
Offline backup is more important than ever
My home NAS solution
• The SMB share is only writeable during the backup timeframe
• Otherwise, it is read-only
- 33. BACKUP
Everybody talks about this, but no one does it
• Test your backup restore procedure frequently
How long does it take to restore?
• Is the cloud backup fast enough?
- 34. HAVE ENOUGH BITCOIN AT HOME / AT YOUR FINANCIAL MANAGER
The Bitcoin wallet should be offline!!!
- 35. WHEN SH*T HITS THE FAN
Don’t panic
• It never helps
If the ransomware is still running
• Try to hibernate/sleep the machine
• If this does not work, shut it down immediately
There are ransomware samples which can be deciphered if you have the memory dump (the key may still be in RAM)
Ask for professional help
• How much does the professional cost? How much is my data worth?
• Don't ask for my help, I can't help.
- 36. SHOULD I PAY? OR NOT?
If prevention or preparation was not enough
If you don't pay, back up the encrypted drive; the data might be recoverable in the future
• Lame crypto gets reversed
• Ransomware servers get hacked, keys leak
• Ransomware developer gives out the keys for free
- 37. IF YOU PAY
~90% chance you get your data back
You can bargain in the online chat
Doesn't it feel good that you don't have to find out how hard it is to get a lot of Bitcoin within 24 hours?
If you don't have enough Bitcoin:
• Search for a Bitcoin ATM - Budapest (next to Deák square)
• Before going there, read the instructions (mobile app)
• https://localbitcoins.com/
- 39. MY UNPOPULAR OPINION
Ransomware is the tax on the Internet
• Paid by those who did not spend enough money/time on security beforehand
• Those who are careless on the Internet
• Those who think it can't happen to them
Obviously, I don't blame only the users and companies.
It is time to take ITSEC seriously …