Ransomware Defense Technical Session. Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified. Consulting Systems Engineer, Cyber Security, Denmark. 6/2 - 2018

Posted on 07-Jun-2020


Page 1: Ransomware Defense Technical Session...Ransomware Defense Technical Session. The Evolution of Ransomware Variants The confluence of easy and effective encryption, the popularity of

Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified. Consulting Systems Engineer, Cyber Security, Denmark

6/2 - 2018

Ransomware Defense Technical Session

Page 2:

The Evolution of Ransomware Variants. The confluence of easy and effective encryption, the popularity of exploit kits and phishing, and a willingness for victims to pay have caused an explosion of ransomware variants.

[Timeline figure, 1989 to 2017. Variant names recovered from the figure: PC Cyborg, GPCoder, Fake Antivirus, QiaoZhaz, CRYZIP, Redplus, Reveton, Ransomlock, Dirty Decrypt, Cryptorbit, Cryptographic Locker, Urausy, Cryptolocker, CryptoDefense, Koler, Kovter, Simplelock, Cokri, CBT-Locker, TorrentLocker, Virlock, CoinVault, Svpeng, TeslaCrypt, Lockdroid, Tox, Cryptvault, DMALock, Chimera, Hidden Tear, Lockscreen, Teslacrypt 2.0, Cryptowall, SamSam, Locky, Cerber, Radamant, Hydracrypt, Rokku, Jigsaw, Powerware, 73V3N, Keranger, Petya, Teslacrypt 3.0, Teslacrypt 4.0, Teslacrypt 4.1, and in 2017 the worm-type ransomware/destructionware WannaCry and NotPetya. Milestones marked on the same timeline: first commercial Android phone, Bitcoin network launched. Years shown: 1989, 2001, 2005, 2006, 2007, 2008, 2012, 2013, 2014, 2015, 2016, 2017.]

Page 3:

TALOS brings the intelligence: smarter every day

[Figure: 2017 WannaCry timeline.]

• Mar 14: Microsoft vulnerability identified. TALOS detects vulnerabilities; customers with NGFW, IPS, Meraki MX are protected.

• Apr 14: Shadow Brokers exploit leaked. TALOS detects exploits; customers with NGFW, IPS, Meraki MX are protected.

• May 12: WannaCry ransomware released. Customers with NGFW, IPS, Meraki MX already protected; plus, AMP caught the payload and Umbrella blocked the callout.

Page 4:

Ransomware Defense Overview

Page 5:

Cisco Ransomware Defense Solution: a solution to prevent, detect and contain ransomware attacks

Cisco Ransomware Defense Solution is not a silver bullet, and will not decrypt an already infected system. It does help to:

• Prevent ransomware from getting into the network where possible

• Stop it at the systems before it gains command and control

• Detect when it is present in the network

• Work to contain it from expanding to additional systems and network areas

• Perform incident response to fix the vulnerabilities and areas that were attacked

This solution helps to keep business operations running with less fear of being taken hostage and losing control of critical systems.

Page 6:

Ransomware Kill Chain: Seven Stages of an Attack

[Figure: the seven stages Recon, Stage, Launch, Exploit, Install, Callback, Persist, shown under the phase labels Target, Breach and Compromise. Rows of the figure: Attacker; Infrastructure used by attacker; Files/payloads used by attacker.]

Page 7:

Breaking the Ransomware Kill Chain

Page 8:

Capabilities needed to break the kill chain

• Threat intelligence – Knowledge of existing ransomware and communication vectors

• E-mail security – Block ransomware attachments and links

• Web security – Block web communication to infected sites and files

• DNS security – Break the command and control callback

• Client security – Inspect files for ransomware and viruses, quarantine and remove

• Segment infrastructure – Authenticate access, separate traffic based on role and policy

• Intrusion prevention – Block attacks, exploitation and intelligence gathering

• Monitor infrastructure communications – Identify and alert on abnormal traffic flows

Page 9:

Capability Defense against the “Kill Chain”

[Figure: the kill chain stages Recon, Stage, Launch, Exploit, Install, Callback, Persist (phase labels Target, Breach, Compromise) mapped to defensive capabilities, with Threat Intelligence and End-to-End Infrastructure Defense spanning all stages. Capabilities named in the figure: NGIPS, NGFW, Flow Analytics, Network Anti-Malware, Host Anti-Malware, DNS Security, Web Security, Email Security.]

Page 10:

Defend against the entire “Kill Chain”

[Figure: the kill chain stages Recon, Stage, Launch, Exploit, Install, Callback, Persist (phase labels Target, Breach, Compromise) mapped to Cisco products. Labels recovered from the figure: Quick Defense With Cloud!; Advanced WEB Defense; Rapid Defense, Protect Me Once They’re In! (FTD, ISE+TrustSec on-net); Investigate Internet-wide visibility (TALOS research); AMP + TG (everywhere) to log pivots; Umbrella on/off-net, ODNS intel; CES + TG off-net, TALOS intel; CWS/WSA off-net, proxy all; FTD, WSA/ESA on-net, TALOS intel; AMP + TG (for content) on/off-net; FTD & AMP network on-net; AMP + TG (for endpoint) on/off-net; Umbrella on/off-net, all ports; CWS/WSA & CTA on/off-net, proxy all; FTD on-net, all ports, IP layer; FTD, ISE+TrustSec, Stealthwatch on-net, segmentation & NetFlow.]

Page 11:

Simplified Solution Architecture view

Page 12:

Prevent and Contain Ransomware with Cisco Email Security, Umbrella, and AMP

[Diagram: attack paths from Compromised sites and malvertising and from Phishing/spam, via web link, web redirect and email attachment, to exploit kit domains (Angler, Nuclear, Neutrino), C2 and file drop, leading to the ransomware payload and its malicious infrastructure and encryption key infrastructure. Block points marked: Blocked by Cisco Cloud Email Security with AMP; Blocked by Cisco Umbrella Roaming (DNS Security); Blocked by Cisco AMP for Endpoints (Host Anti-Malware).]

Page 13:

Layers of Defense

Page 14:

Quick Prevention Overview

CES – A phishing e-mail with a ransomware malware link has the link replaced on CES

ODNS – The bad link is blocked by ODNS

AMP4E – The ransomware is submitted to TG (Threat Grid), a TG report is produced, and the ransomware is then blocked on a different system.

Page 15:

The outermost layer – Email security

Page 16:

Prevent and Contain Ransomware with Cisco Cloud Email Security

[Diagram: attack paths from Compromised sites and malvertising and from Phishing/spam, via web link, web redirect and email attachment, to exploit kit domains (Angler, Nuclear, Rig), C2 and file drop, leading to the ransomware payload and its malicious infrastructure and encryption key infrastructure. Block point marked: Blocked by Cisco Cloud Email Security with AMP.]

Page 17:

Page 18:

When CES identifies an unknown URL that is potentially malicious, the URL is re-written using the Outbreak Filters feature and users can be re-directed to a confirmation page. This behavior is configurable.

Page 19:

The CES policy in this example was set to strip ransomware attachments and deliver the remainder of the message, so that our testing could be validated. Cisco recommends configuring the policy to drop the entire message, not just remove the attachment.
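To make the two policy behaviours concrete (rewriting an unknown URL through a confirmation redirect, as described for Outbreak Filters on the previous page, and dropping the whole message on a malware verdict rather than only stripping the attachment), here is an added, stand-alone Python model of such an inbound mail policy. It is an illustration written for this page, not Cisco's CES code or configuration; the reputation table, the flagged attachment bytes, the confirmation-page host and the message itself are all constructed placeholders.

```python
"""Illustrative inbound mail policy (added example, not CES code):
unknown URLs are wrapped in a confirmation redirect, known-bad URLs are
neutralised, and a flagged attachment drops the whole message by default."""
import hashlib
import re
from dataclasses import dataclass, field
from urllib.parse import quote, urlparse

# Constructed reputation data; placeholders, not real threat intelligence.
URL_REPUTATION = {
    "updates.example-vendor.test": "clean",
    "invoice-portal.example-bad.test": "malicious",
}
# Constructed sample bytes standing in for an attachment a sandbox flagged.
SAMPLE_FLAGGED_BYTES = b"constructed sample attachment, not real malware"
FLAGGED_ATTACHMENT_SHA256 = {hashlib.sha256(SAMPLE_FLAGGED_BYTES).hexdigest()}

# Hypothetical click-time confirmation page (assumption, not a real host).
CONFIRM_PREFIX = "https://secure-click.example-gateway.test/confirm?url="

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Attachment:
    filename: str
    content: bytes


@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def url_verdict(url):
    """Reputation lookup by hostname; anything not listed is 'unknown'."""
    host = urlparse(url).hostname or ""
    return URL_REPUTATION.get(host, "unknown")


def rewrite_body(body):
    """Return (new_body, count): clean URLs pass untouched, known-bad URLs
    are replaced by a marker, unknown URLs go through the confirmation page."""
    count = 0

    def repl(match):
        nonlocal count
        url = match.group(0)
        verdict = url_verdict(url)
        if verdict == "clean":
            return url
        count += 1
        if verdict == "malicious":
            return "[URL removed: known malicious]"
        return CONFIRM_PREFIX + quote(url, safe="")

    return URL_RE.sub(repl, body), count


def attachment_flagged(att):
    """File verdict keyed on the attachment's SHA-256."""
    return hashlib.sha256(att.content).hexdigest() in FLAGGED_ATTACHMENT_SHA256


def apply_policy(msg, malware_action="drop"):
    """malware_action='drop' discards the whole message on a flagged
    attachment (the recommended setting); 'strip' removes only the flagged
    attachment and delivers the rest, as the test policy on this page did."""
    flagged = [a for a in msg.attachments if attachment_flagged(a)]
    if flagged and malware_action == "drop":
        return {"action": "drop", "flagged": [a.filename for a in flagged]}
    body, count = rewrite_body(msg.body)
    kept = [a for a in msg.attachments if a not in flagged]
    return {
        "action": "deliver",
        "urls_rewritten": count,
        "stripped": [a.filename for a in flagged],
        "message": Message(msg.subject, body, kept),
    }


def make_sample_message():
    """Constructed phishing-style message carrying one flagged attachment."""
    body = ("Please review http://invoice-portal.example-bad.test/inv "
            "and https://unknown.example-unknown.test/doc "
            "and https://updates.example-vendor.test/patch")
    return Message("Invoice", body, [Attachment("invoice.zip", SAMPLE_FLAGGED_BYTES)])


if __name__ == "__main__":
    print(apply_policy(make_sample_message()))
    print(apply_policy(make_sample_message(), malware_action="strip"))
```

With the default `drop` action the sample message never reaches the user; with `strip` it is delivered minus the attachment, with the known-bad link removed and the unknown link routed through the confirmation page, which is the behaviour the test policy above relied on.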

Page 20:

Incoming Mail Policies: Outbreak Filters

Page 21:

Incoming Mail Policies: Advanced Malware Protection

Page 22:

Auto-remediation of a malicious file by CES

Page 23:

AMP and Threat Grid integration by CES

Page 24:

The second layer – DNS security

Page 25:

Prevent and Contain Ransomware with Cisco Umbrella (formerly OpenDNS)

[Diagram: attack paths from Compromised sites and malvertising and from Phishing/spam, via web link, web redirect and email attachment, to exploit kit domains (Angler, Nuclear, Rig), C2 and file drop, leading to the ransomware payload and its malicious infrastructure and encryption key infrastructure. Block point marked: Blocked by Cisco Umbrella Roaming (DNS Security).]

Page 26:

OpenDNS blocks phishing

Page 27:

Page 28:

The last layer – Host Anti-Malware

Page 29:

Prevent and Contain Ransomware with Cisco AMP for Endpoints

[Diagram: attack paths from Compromised sites and malvertising and from Phishing/spam, via web link, web redirect and email attachment, to exploit kit domains (Angler, Nuclear, Rig), C2 and file drop, leading to the ransomware payload and its malicious infrastructure and encryption key infrastructure. Block point marked: Blocked by Cisco AMP for Endpoints (Host Anti-Malware).]

Page 30:

Page 31:

Page 32:

Page 33:

Page 34:

Page 35:

Page 36:

Prevent and Contain Ransomware with Cisco Email Security, Umbrella, and AMP

[Diagram (repeat of page 12): attack paths from Compromised sites and malvertising and from Phishing/spam, via web link, web redirect and email attachment, to exploit kit domains (Angler, Nuclear, Neutrino), C2 and file drop, leading to the ransomware payload and its malicious infrastructure and encryption key infrastructure. Block points marked: Blocked by Cisco Cloud Email Security with AMP; Blocked by Cisco Umbrella Roaming (DNS Security); Blocked by Cisco AMP for Endpoints (Host Anti-Malware).]

Page 37: