Ransomware - Northeast Ohio HFMA
Ransomware: “What Keeps me up at night”
Chris Voller

Agenda
▪ Who is this?
▪ Intro – Disclosure Release
▪ Interesting Stats
▪ “What is Ransomware?”
▪ “Where is it coming from?”
▪ “How do I get it?”
▪ “I have to click on things, right?”
▪ “Now what do I do?”
▪ “How can I prevent this from happening?”
▪ “What is coming up next?”

Housekeeping

Bio
▪ Chris Voller, OSCP, CEH
– IT Security Architect – University Hospitals (by day)
– IT Security Researcher / Vulnerability Exploiter (by night)
– Active Contributor to Kali Linux Project / Metasploit
– Exploit Author – VNC/RDP
– Security Bounty Hunter (Google Labs/Facebook)
– IT Security Speaker
– Father of 3 (Abbi 8, Calli 4, Hadley 9m)

Interesting Stats
▪ Ohio now in the top 10
▪ 120.1 Billion – who wants my $$$? http://www.go-gulf.com/blog/cyber-crime/

What keeps you up at night?
▪ Ransomware….

What is Ransomware?
▪ A type of malware that attempts to extort money from a computer user by infecting and taking control of the victim machine or the files and documents stored on it.
▪ Types
– Lock Screen Ransomware (see linked slide)
– Encryption Ransomware (see linked slide)
– Master Boot Record (MBR) Ransomware (see linked slide)

History (brief)
▪ 1989 – “AIDS” Trojan / PC Cyborg – Joseph Popp
▪ 2005 – “Prominent Vector” (easy to decrypt)
▪ mid-2006 – RSA encryption used (hard to decrypt)
▪ 2013 – OS X ransomware found
▪ 2014 – 2016
– CryptoLocker
– CryptoWall (v1, v2, v3)
– TeslaCrypt (v1, v2, v3)
– Locky
▪ End of 2015 – CryptoWall v3 > $325 Million

“Where is it coming from?”
▪ Phishing Attacks (Mass Messages / Snowshoe)
– Malicious Attachments
– Macro-Enabled Attachment
  ▪ Macros pull a payload and execute the control inside of the document
▪ Malicious Links (Clicked)
– User clicks on a malicious, tailored domain link
  ▪ Pop-up (typically JavaScript or a Flash applet)
  ▪ Will check to see if the visitor is vulnerable – if not, then a custom “Update” linked to the payload / crypto installer

“I have to click on things, right?”
▪ NO….
▪ Malicious Links (Drive-By) – Hugo Boss (fake site; see linked slide)
▪ Attackers are purchasing misspelled domains
▪ Malicious 3rd-party Ads – see next

“Now what do I do?”
▪ …so tell me about your backups....
▪ It can only get better from here on...
▪ Home/Small Office (Contained Host)
– Reload OS
– Reload Applications
– Patch/Patch/Patch
– Install Counter-Defence Applications
– Set up User Accounts – Remove Admin Access
– Rebuild your Documents / download from backup
▪ Business
– Find the “Encrypted User Agent”
– Disable the account in Active Directory
– Disable the PC Account the user is logged into (NEW)
– Mapped Drives (Personal)?
  ▪ Copy/Rename/Delete
– Actions on User Device?
  ▪ Physical – Rebuild
  ▪ Virtual – ?
  ▪ Server – Remove User Profile

“How can I prevent this from happening?”
▪ User Education
– New User
– Continuing Education (yearly)
▪ User Access Controls (UACs = Permission Lockdown)
▪ Patch/Patch/Patch….Patch
▪ Policies
– Disable Local Admins
– Disable Macros / Web-Enabled Macros
▪ Backup Data
▪ AV – <10%
▪ Antimalware – <40%
▪ Gateway Level Protection – File Detonation and Discovery
▪ Application Level Whitelisting

“What is coming up next?”
▪ Document Tagging / IP Address Lookup = Larger Ransom
▪ Advanced Polymorphic Algorithms
▪ Crypto Worms
▪ Encryption of previously Mapped Network Drives (with permissions)
▪ Increased Encryption Extensions (greater than Locky)

Feel Free to Reach Out….
▪ Email – Chris.Voller@uhhospitals.org
▪ Email – ChrisVoller@gmail.com
▪ LinkedIn – https://www.linkedin.com/in/mrchrisvoller
▪ Twitter – @MrChrisVoller

Keep Open….
Linked slides:
Screen Lock (screenshot slide)
Encryption Ransomware (screenshot slide)
Master Boot Record (MBR) (screenshot slide)
Hugo Boss (FAKE SITE) (screenshot slide)

Locky File Extensions
▪ .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat
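The first business response step above, finding the “Encrypted User Agent”, and the Locky extension list both come together in this added example (it is not from the deck): detection logic run over constructed file-server audit lines that flags any account changing many files with Locky-targeted extensions inside a short window. The audit line format, the user names, the window and the threshold are assumptions.

```python
# Added example: flag the account most likely running the encryptor from
# file-server audit lines. Audit format, names and thresholds are assumptions.
import os
from collections import defaultdict
from datetime import datetime

# Subset of the Locky target extensions listed in the deck.
LOCKY_TARGETS = {".docx", ".xlsx", ".pdf", ".jpg", ".zip", ".bak",
                 ".vmdk", ".pem", ".key", ".txt"}

# Constructed audit lines: "<ISO timestamp> <user> <operation> <path>".
# jdoe rewrites 25 Office documents in 25 seconds; asmith does normal work.
SAMPLE_LOG = [
    f"2016-03-01T09:00:{i:02d} jdoe WRITE /shares/finance/report{i}.docx"
    for i in range(25)
] + [
    "2016-03-01T09:00:05 asmith WRITE /shares/hr/policy.docx",
    "2016-03-01T09:10:00 asmith READ /shares/hr/salaries.xlsx",
    "2016-03-01T09:12:00 jdoe WRITE /shares/finance/notes.txt",
]


def parse_line(line):
    """Split one audit line into (timestamp, user, operation, path)."""
    ts, user, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, op, path


def flag_encrypting_users(lines, window_seconds=60, threshold=20):
    """Return {user: peak_count} for every account that changed at least
    `threshold` targeted files inside any `window_seconds` span.
    Reads are ignored: an encryptor writes, renames or deletes."""
    changes = defaultdict(list)
    for line in lines:
        ts, user, op, path = parse_line(line)
        if op in ("WRITE", "RENAME", "DELETE") and \
                os.path.splitext(path)[1].lower() in LOCKY_TARGETS:
            changes[user].append(ts)

    flagged = {}
    for user, times in changes.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    for user, count in flag_encrypting_users(SAMPLE_LOG).items():
        print(f"disable AD account and workstation for {user}: "
              f"{count} targeted files changed inside one window")
```

The flagged user is the one whose Active Directory account and workstation account the next two steps disable; tune the window and threshold to the share's normal write rate so a bulk export by a legitimate user is not mistaken for encryption.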