
Prophet Muhammad [PBUH]

Go forth & seek knowledge even if you have to travel to China


How well are we prepared for a Ransomware attack?
Engr. M. Naeem Akhtar
Head Technical
Panda Security Pakistan [MECASA]
What is Ransomware?

▪ Extortion (in Urdu, بھتہ خوری) through software


▪ In 2016, 57% of consumers and 43% of organizations were affected.
▪ Source: Must-Know Ransomware Statistics 2017
Types of Ransomware

▪ DDoS ransomware [the website is kept down until the ransom is paid]


▪ Data breach ransomware [confidential data is taken away, and the victim is told that unless they pay, the data will be published to show people that they were vulnerable]
Types of Ransomware [continued]

▪ DoS ransomware [data is encrypted, e.g. by CryptoLocker, on phones, servers, laptops, etc.]
Variations of Ransomware

▪ Mobile Devices
▪ Smart Appliances
▪ Pyramid scheme incentive [Popcorn ransomware: infect two others and get your data back]
Components of Ransomware

Four Components of Ransomware:


▪ Victim
▪ Malware Distribution
▪ Ransom Demand
▪ Payment method
Anatomy of Ransomware Attack

▪ Deployment
– Drive-by download
▪ Occurs when a system automatically downloads a piece of malware or spyware without the end user's knowledge.
– Strategic web compromise
▪ A subset of the drive-by download, most often used when a particular target or target demographic has been chosen. Strategic web compromises are also called watering-hole attacks. They rely on strategic reconnaissance of the end users and are often reserved for more specific targeted attacks.
– Phishing emails
▪ May be widespread, untargeted spam or specially crafted for your organization or industry. These emails may include attachments or provide links to malicious websites.
– Exploiting vulnerabilities in Internet-accessible systems
▪ Here the attacker scans networks, or blatantly scours the Internet, looking for exploitable vulnerabilities, rather than relying on user-initiated actions like the preceding methods.
Anatomy of Ransomware Attack (continued)

▪ Installation
(Much as a theft is organized by an in-house MASSI, the malware first checks whether it has landed on the correct target system or in a sandbox)
– Reconstruction
– Process evasion
– Memory Access
▪ Command-and-Control
– HTTP
– Twitter
– TOR
– HTTPS
– Email
Anatomy of Ransomware Attack (continued)

▪ Destruction
– Encryption
– Locking

▪ Extortion
– Bitcoin
– Prepaid Vouchers
We have a solution (HR)?

▪ New Hiring
But no real spending on technology
KeyRanger/KeRanger Mac Ransomware

▪ 1st Mac-based ransomware
▪ Used a stolen Developer ID from a developer in Turkey
▪ Bypassed Apple's Gatekeeper system
▪ Once installed, establishes Command & Control through TOR
▪ Waits 2-3 days before starting its work
▪ Later Apple revoked the Developer ID
Why we are helpless?

We don't have:
▪ Backup (only 37% of people take backups; what about the other 63%?)
▪ DR site (no DR site is feasible for a small business, but for web servers we must have one)
▪ Quick restore procedure (we must have software like Veeam that gives instant restore of a VM in just 15 minutes)
▪ Cost of restoration is high, as sometimes the backup is in the cloud
Ransomware Operators & Targets

▪ Ransomware accounted for only 0.0016% of the attacks
▪ Just imagine how much bigger the volume of attacks is in the shape of malware.
▪ Norse Corp Live Map
▪ Checkpoint Threat Cloud
Market of Ransomware?

How people have identified it:

▪ Infect one machine in a lab
▪ Pay a small amount of ransom
▪ See which Bitcoin wallet is used to deposit the amount
▪ Monitor that wallet over a period
▪ In 2016 it turned into a million-dollar market
Market of Ransomware? (continued…)

How people have identified it:

▪ US$ 25,253,505 till July 17
Family of Ransomware (revenue Wise)

▪ Locky [$7.8M]
▪ Cerber
▪ CryptoLocker
▪ CryptXXX
▪ SamSam
▪ CryptoWall
▪ AlNamrood
▪ TorrentLocker
▪ Spora
▪ CoinVault
▪ WannaCry [$0.1M]
Real Target of Ransomware?

Get hold of your:


▪ Documents
▪ Investment
▪ Agreements
▪ Future Plans
▪ Pictures
▪ Emails
Renting-out Cybercriminal Infrastructure

See who is involved, keep away!


▪ See it…
History of Ransomware

▪ 1989 AIDS disk (WHO attendees, US$ 189) [AIDS Trojan]
▪ May 2005 GPCoder
▪ 2010 WinLock [premium SMS]
▪ 2012 Reveton [hoax message from law enforcement about a crime]
▪ 2013 CryptoWall [Bitcoin]
▪ 2014 TorrentLocker, CTB-Locker, Simplocker
▪ 2015 PClock [TeslaCrypt]
▪ 2016 Locky [delivered via MS Office doc], KeRanger [1st Mac OS X ransomware]
▪ 2017 WannaCry etc. [much, much more on IoT, mobile, CCTV, refrigerators, TVs, watches, cars…]
How Ransomware spreads

▪ 1st thing to remind you: users are the weak link
▪ Hackers send malware in the shape of DOC, XLS, PPT, JS, VBE and WS files through these infection vectors:
– Phishing emails
▪ Major brands, TV companies, Netflix, logistics companies like DHL, FedEx, UPS
▪ Social engineering
▪ Immediate action: click
– Email attachments
▪ Email requires action
▪ Commonly a zip, Skype attachments, IM attachments
▪ Urgency
How Ransomware spreads [Continued]

▪ Hackers send malware in the shape of DOC, XLS, PPT, JS, VBE and WS files through:
– Embedded hyperlinks
▪ Normal-looking documents
▪ Innocent-looking hyperlink
▪ Resume (LinkedIn), PO, invoice
– Websites/downloads
▪ Common exploit kits
– Angler (Locky)
– Neutrino (Cerber)
– Magnitude (Cerber, Locky, Milicry, CryptoWall)
– RIG (growing and used by many)
– Drive-by infections (no user action required, just browse)
▪ Malvertising
How Ransomware spreads [Continued]

▪ C&C (C2) callback
– Used to retrieve the encryption key, so by blocking outbound connections you can avoid the damage; but a few newer families generate the key themselves.
▪ Downloads the encrypting EXE, or merges two to three components into the payload.
▪ Runs the encrypting EXE
▪ The EXE connects to the hacker's server, gets a public key and generates a corresponding private key.
▪ Updates data on the hacker's server about the keys
▪ Uploads specific documents the hacker is looking for, matching specific keywords.
How big is Ransomware Problem?

▪ Operates from a safe distance
▪ Attacks multiple victims
▪ Large victim base
▪ Highly automated
▪ Difficult to trace
Detection & Containment

▪ Indicators of a ransomware attack
– File extensions changed
– Bulk file rename
– Ransom notes
– Security tools
▪ IDS/IPS
▪ Web content filtering
– Users report a slow PC

▪ Importance of rapid response

▪ Approaches to containment
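Detection logic for two of the indicators listed above (file extensions changed, bulk file rename), as an added PowerShell example that is not part of the deck. The rename records are constructed inline; the function name, its record fields (Time, User, Old, New) and the thresholds are assumptions for illustration.

```powershell
# Added example (not from the slides): flag a burst of renames that change the
# file extension, which is how an encryption run looks in file-server audit data.
# The records below are constructed; in production they would be parsed from
# Windows Security event 4663 on an audited share or from FSRM notifications.
function Find-BulkExtensionRename {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with Time, User, Old, New
        [int] $Threshold     = 20,                  # extension-changing renames per window
        [int] $WindowSeconds = 60
    )
    foreach ($g in ($Events | Group-Object User)) {
        # Keep only renames whose extension changed, in time order.
        $hits = @($g.Group | Where-Object {
            [IO.Path]::GetExtension($_.Old) -ne [IO.Path]::GetExtension($_.New)
        } | Sort-Object Time)
        $start = 0
        for ($i = 0; $i -lt $hits.Count; $i++) {
            # Advance the window start until it spans at most WindowSeconds.
            while (($hits[$i].Time - $hits[$start].Time).TotalSeconds -gt $WindowSeconds) {
                $start++
            }
            if (($i - $start + 1) -ge $Threshold) {
                $exts = $hits[$start..$i] | ForEach-Object { [IO.Path]::GetExtension($_.New) }
                [pscustomobject]@{
                    User   = $g.Name
                    Count  = $i - $start + 1
                    From   = $hits[$start].Time
                    To     = $hits[$i].Time
                    NewExt = ($exts | Sort-Object -Unique) -join ','
                }
                break   # one alert per user is enough to start containment
            }
        }
    }
}

# Constructed sample: jdoe renames three drafts normally (extension unchanged);
# the mrobin session renames 30 spreadsheets to .locky within 15 seconds.
$t0 = [datetime]'2017-07-17T09:00:00'
$sample = @()
$sample += @(1..3 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddMinutes($_); User = 'jdoe'; Old = "draft$($_).docx"; New = "final$($_).docx" } })
$sample += @(1..30 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddMilliseconds(500 * $_); User = 'mrobin'; Old = "report$($_).xlsx"; New = "report$($_).xlsx.locky" } })

Find-BulkExtensionRename -Events $sample | Format-Table -AutoSize
```

The User field in a real alert is the account whose session performed the renames, which is the host to isolate first; legitimate bulk renames (migrations, archiving jobs) keep their extension and do not trigger this rule.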
How WannaCry Spread?

▪ Spread through SMB v1.0 & RDP connections
▪ The initial component downloaded onto any machine is a worm
▪ Installs a service called mssecsvc2.0 with display name "Microsoft Security Center (2.0) Service"
▪ Starts the service, drops the ransomware binary stored in the worm's resources, and runs it
▪ Spreads itself across all machines using the EternalBlue SMB vulnerability
How WannaCry Spread? [continued]

▪ Downloads from www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
▪ Ports used: 22, 135, 139, 443, 9001, 9004
Who are Victims of Ransomware?

▪ Police
– Destroy records of criminals
– Avoid e-challans (happened in the USA)

▪ Corporate sector
– Business plans
– Business emails
– Account details
– Account PIN codes

▪ Hospitals
▪ Financial institutions
Who writes the Ransomware?

▪ Very knowledgeable resources
▪ Programmers
▪ Mostly ex-employees of Apple/Microsoft/other OS vendors who join the hackers to punish their former employer
Recover from Attack

▪ Collect & preserve evidence
– Use a physical-to-VMware conversion to make a backup of the system
▪ Analyze forensic data (get help from Panda experts)
▪ Perform root cause analysis (share PsInfo output with us)
▪ 100% certain = re-image the targeted PC
▪ Use local/cloud backup to recover data using versions
Defending a Ransomware Attack

▪ Form an Incident Response Team (select good-IQ, quick-response team members)
▪ Back up regularly & test backups
– Only a local/cloud-based backup with versioning history will work
– Designate an off-site and off-network location for backup media and recovery materials
– Place backups in a fireproof safe on site
– Send backups to a locker in a bank
▪ Disable Office macros by default
▪ Use firewalls to block C&C call-backs
▪ Scan all emails for malicious content (use Endian UTM, Barracuda Spam Firewall or a cloud-based anti-spam service)
Defending a Ransomware Attack [Continued]

▪ Segregate network where possible


▪ Use Adaptive Defense 360 protection
▪ No Administrator rights by default
▪ Enforce access control permissions
▪ Educate users about Ransomware
▪ Block ads and unnecessary web content
Defending a Ransomware Attack [Continued]

▪ Disable WSH (Windows Script Host) [use REGEDIT: value 0 disables, 1 enables]
– WSH is used for automation of Windows
– HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings

▪ Prevent execution in %AppData% and %LocalAppData%

▪ Enforce UAC (User Account Control) to prevent malware execution
– Change User Account Control settings

▪ Display known file type extensions (malware.pdf.exe)
▪ Use AppLocker to control program execution
▪ Set "Open with" to Notepad for JS, PS and WSH files
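The two registry settings from these slides (disable WSH; show known file extensions), applied and then verified, as an added PowerShell example that is not part of the deck. The value name Enabled under the slide's WSH key and HideFileExt under the Explorer Advanced key are the documented Windows value names; the helper function names are my own.

```powershell
# Added example (not from the slides): apply and verify two endpoint hardening
# settings. Run from an elevated PowerShell prompt.
#   1. Disable Windows Script Host: DWORD 'Enabled' = 0 under the HKLM key on
#      the slide (set it to 1 to re-enable).
#   2. Show known file extensions so "invoice.pdf.exe" is visible in Explorer:
#      per-user DWORD 'HideFileExt' = 0.
$wshKey      = 'HKLM:\Software\Microsoft\Windows Script Host\Settings'
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-RegistryDword {
    param([string] $Path, [string] $Name, [int] $Value)
    # The WSH Settings key may not exist yet; create it before writing the value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Test-HardeningState {
    # One object per check, so results can be logged or compared across machines.
    # Compliant is $true only when the stored value equals the expected one;
    # a missing value (Actual = $null) counts as non-compliant.
    $checks = @(
        @{ Path = $wshKey;      Name = 'Enabled';     Expected = 0 },
        @{ Path = $explorerKey; Name = 'HideFileExt'; Expected = 0 }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting   = "$($c.Path)\$($c.Name)"
            Expected  = $c.Expected
            Actual    = $actual
            Compliant = ($null -ne $actual -and $actual -eq $c.Expected)
        }
    }
}

Set-RegistryDword -Path $wshKey      -Name 'Enabled'     -Value 0
Set-RegistryDword -Path $explorerKey -Name 'HideFileExt' -Value 0

# Explorer must be restarted (or the user logged off) before HideFileExt takes effect.
Test-HardeningState | Format-Table -AutoSize
```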
Defending a Ransomware Attack [Continued]

▪ Before enabling macros in an Office document
▪ Look at the macros inside the document [usually AutoOpen, the default]
▪ Edit the macro; does it look strange to you?
▪ If you wrote it, OK; otherwise ask the person who sent it.
▪ Otherwise don't click ENABLE CONTENT
▪ Such a macro actually downloads the ransomware from a server.
Defending a Ransomware Attack [Continued]

▪ Have a Windows 2008/2012/2016 file sharing server
▪ Activate File Screening
▪ Demo
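File screening as the slide describes it, as an added PowerShell example that is not the deck's demo. It assumes Windows Server 2012 or later with the File Server Resource Manager role installed and a share at an assumed path; the extension patterns are an illustrative starting set for families the deck names (Locky, WannaCry, Cerber) and must be maintained as new families appear.

```powershell
# Added example (not from the slides): an FSRM file screen that refuses writes of
# files with known ransomware extensions to a share and logs a Warning event.
# Requires the FSRM role: Install-WindowsFeature FS-Resource-Manager
param(
    [string] $SharePath = 'D:\Shares\Finance'   # assumed path; change to your share
)

Import-Module FileServerResourceManager

# Illustrative starting set (Locky, WannaCry, Cerber); extend as families appear.
$patterns  = @('*.locky', '*.wncry', '*.wncryt', '*.cerber')
$groupName = 'Ransomware extensions'

# Create the file group once; refresh its pattern list on later runs.
if (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern $patterns | Out-Null
} else {
    New-FsrmFileGroup -Name $groupName -IncludePattern $patterns | Out-Null
}

# Write a Warning to the Application log so the SIEM can alert on it.
# [Source Io Owner] and [Source File Path] are FSRM's own substitution variables.
$notify = New-FsrmAction -Type Event -EventType Warning -Body (
    'Blocked write of [Source File Path] by [Source Io Owner]: ' +
    'extension matches a known ransomware pattern. Isolate that host.'
)

# -Active makes the screen block the write; omit it for passive (monitor-only) mode.
if (-not (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $groupName `
        -Notification $notify -Active | Out-Null
}

# Verify the screen is present and active before relying on it.
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup
```

Screening by extension only catches families that rename files; pair it with the backup and segmentation controls from the earlier slides rather than treating it as the sole defence.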
Parenting nowadays
Ransomware Response Checklist

1. Disconnect
a. Unplug the computer from the network
b. Turn off wireless functionality: Wi-Fi, Bluetooth, etc.
2. Confirm (it is not a hoax) [mostly on iPhone, Mac]
3. Determine the scope of infection
a. Mapped or shared drives of the infected computer
b. Mapped or shared folders from other computers
c. Network storage devices of any kind
d. External hard drives
e. USB storage devices of any kind
f. Cloud-based storage: Dropbox, Google Drive, OneDrive, etc.
Ransomware Response Checklist [continued]

4. If confirmed, assemble the Incident Response Team
5. Save an image of the system (physical to VM)
6. Check backup availability
7. Investigate
8. Report
9. Follow a strict security protocol
The Internet of things…

▪ All items will be using the Internet….
The Internet of Ransomware things…

▪ IoT items will be at more risk….
Check Michael Gillespie on Twitter

▪ Michael Gillespie is a ransomware researcher who analyzes ransomware so that he can create free decryptors for ransomware victims. He is also the creator of the ID Ransomware service that can be used to identify what ransomware a victim is infected with.
Check Bleeping Computer on Twitter/WEB

▪ Bleeping Computer brings you the latest news about security and ransomware issues….
▪ https://www.bleepingcomputer.com
New way of stealing data

▪ Send file-less malware
▪ Use PowerShell along with an SSL certificate to send back data.
▪ Use netstat 1 -b -f
New wave of ATM attack

▪ Using Facebook Messenger
▪ Using phishing email
Experts Say Ideally….

▪ The best way to stop ransomware is to do it before the ransomware is installed.
▪ [Don't let it run (اسے چلنے نہیں دو)]
▪ Panda Adaptive Defense 360
Takeaway (Lessons Learned)

▪ Working backups are critical protection
▪ Responding to an attack quickly is essential
▪ Isolating the infected device helps to contain the attack
▪ Visit X-Force studies to stay vigilant…
▪ Install Panda Adaptive Defense 360 on servers and endpoints
Questions & Answers

Ask questions and clear your ambiguity…..
Your Comments

Come up and share your comments.
The more stupid you are, the more you learn [Good]

▪ Keep
▪ Your
▪ Mouth
▪ SHUT
"Stay Hungry. Stay Foolish" Steve Jobs

▪ Stanford University 2005

"I will be dead soon…" Steve Jobs
Token of thanks

Thanks for your participation.
Naeem.Akhtar@PandaSecurity.pk
+92 333 4748082
