ransomware - what is it, how to protect against it


Upload: zoltan-balazs

Post on 15-Apr-2017


TRANSCRIPT

Page 1: Ransomware - what is it, how to protect against it
Page 2: Ransomware - what is it, how to protect against it

WHOAMI

I’m NOT a CEH

Creator of the Zombie Browser Toolkit
https://github.com/Z6543/ZombieBrowserPack

Creator of the HWFW Bypass tool
• Idea later(?) implemented by nation state attackers in Duqu 2.0
https://github.com/MRGEffitas/hwfwbypass

Creator of the Malware Analysis Sandbox Tester tool
https://github.com/MRGEffitas/Sandbox_tester

Invented the idea of encrypted exploit delivery via Diffie-Hellman key exchange, to bypass exploit detection appliances
• Implemented by Angler and Nuclear exploit kit developers
https://www.mrg-effitas.com/generic-bypass-of-next-gen-intrusion-threat-breach-detection-systems/

Page 3: Ransomware - what is it, how to protect against it

WHAT IS A RANSOMWARE

Malware executes on your computer

Blocks access to files or computer

Pay in Bitcoin or similar pseudo-anonymous means

There is a deadline to pay, after that ransom is higher or keys are deleted forever

Page 4: Ransomware - what is it, how to protect against it

http://malware.dontneedcoffee.com/2013/10/kovter-even-more-abominable-also-add.html

Page 5: Ransomware - what is it, how to protect against it
Page 6: Ransomware - what is it, how to protect against it

IOS „SCREENLOCKER”

Page 7: Ransomware - what is it, how to protect against it

CRYPTO RANSOMWARE

Page 8: Ransomware - what is it, how to protect against it
Page 9: Ransomware - what is it, how to protect against it

https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe

C:\Users\Dani\Desktop\nocrime\nocrime\obj\x86\Debug\turul.pdb
C:\Users\user\Desktop\kalosip\titkoss\obj\x86\Debug\mgtow.pdb

Page 10: Ransomware - what is it, how to protect against it
Page 11: Ransomware - what is it, how to protect against it

LINUX WEBSERVER RANSOMWARE

Encrypt the database, but the key is available for weeks/months

When the latest working backup is too old, keys are deleted

https://www.theguardian.com/technology/2015/feb/03/hackers-websites-ransom-switching-encryption-keys

Page 12: Ransomware - what is it, how to protect against it

LEAKWARE/DOXWARE

Pay, or I will publish your …

• E-mails
• Browser history
• The contents of your hidden, private folder
• Things you did in front of your webcam

Not very popular (yet) …, but if too many people have good backups, this might be the solution for ransomware developers

• Hard to scale on the attacker side, hard to automate
• Better to attack huge corporations

Everyone has secrets they want to keep private

Black Mirror S03E03

Page 13: Ransomware - what is it, how to protect against it


Page 14: Ransomware - what is it, how to protect against it

WHAT HAPPENED IN 2013? WHAT WAS DIFFERENT 10 YEARS AGO?

More careless users

Java/Flash exploits

hidden services

Page 15: Ransomware - what is it, how to protect against it

WHAT IS ENCRYPTED VIA RANSOMWARE?

ods crp arj tar raw xlsm prproj der 7zip bpw dxf ppj tib nbf dot pps dbf qif nsf ifx cdr pdb kdbx tbl docx qbw accdb eml pptx kdb p12 tax xls pgp rar xml sql 4dd iso max ofx sdf dwg idx rtf dotx saj gdb wdb pfx docm dwk qba mpp 4db myo doc xlsx ppt gpg gho sdc odp psw psd cer mpd qbb dwfx dbx mdb crt sko nba jpg nv2 mdf ksd qbo key pdf aes 3ds qfx ppsx sxc gxk aep odt odb dotm accdt fdb csv txt zip

Documents, Images, CAD files, Source code, Gameplay save, Cryptocurrency wallet, Password safe database, Certificates, Compressed files, Encrypted files, Backup files

Page 16: Ransomware - what is it, how to protect against it

WHAT ELSE IS DONE BY RANSOMWARE?

Not just local files, but files on network shares

Delete volume shadow copy
• Against Windows System restore

Stealing Bitcoin
• If not protected with strong password

Stealing passwords stored in browser or FTP client

Page 17: Ransomware - what is it, how to protect against it

NOTORIOUS CRYPTO-RANSOMWARE

Cryptolocker
Alphalocker
Teslacrypt
Cryptowall
Locky
Petya - MFT

Page 18: Ransomware - what is it, how to protect against it

PETYA

Page 19: Ransomware - what is it, how to protect against it

PROBLEMS REGARDING CURRENT RANSOMWARE PROTECTION

Every reactive technology is doomed to fail

• AV signature protection
• IDS/IPS
• Spam-filter (signature)

Previously reactive malware detection was good enough
• It was OK to have malware running on the computer for days

In case of Ransomware 15 minutes late is too late

Reputation based protection is much better than signature based - because it is proactive

Page 20: Ransomware - what is it, how to protect against it

PREVENTION - HOME

Page 21: Ransomware - what is it, how to protect against it

(ALMOST) FREE TIPS – EXPLOIT PROTECTION

Use Chrome to browse the Internet

Use EMET (as long as you need it)
• Only protects IE, not Edge, Chrome or Firefox

Instead of EMET, pay for Sophos Intercept X (HitmanPro Alert) or MBAE
• Paid versions protect all browsers

Flash click-to-play

uBlock Origin adblocker against malvertising
index.hu

Use latest Windows/Office

Page 22: Ransomware - what is it, how to protect against it

(ALMOST) FREE TIPS – EXPLOIT PROTECTION

Use VPN from a poor or post-soviet country

https://www.trustwave.com/Resources/SpiderLabs-Blog/Magnitude-Exploit-Kit-Backend-Infrastructure-Insight---Part-II/

Page 23: Ransomware - what is it, how to protect against it

MACRO RANSOMWARE

Page 24: Ransomware - what is it, how to protect against it

(ALMOST) FREE TIPS – MACRO PROTECTION

Macro malware

There is a 1% chance you need macros in your home environment. Just disable them

Don’t enable macros, and teach your grandma/grandpa the same

Page 25: Ransomware - what is it, how to protect against it

(ALMOST) FREE TIPS – SCRIPT PROTECTION

Use Notepad as default app for the following file extensions:
JS/JSE/WSH/HTA/VBS/WS/BAT/VBE

Don’t hide file extensions from users

Use generic ransomware protection
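As an added example (not from the slides), this PowerShell snippet applies the two tips above for the current user: it maps the listed script extensions to Notepad and turns off extension hiding in Explorer. The ProgID name `Notepad.ScriptViewer` is an arbitrary choice for this example, and it assumes no "Default apps" UserChoice entry already overrides those extensions.

```powershell
# Added example: open risky script extensions in Notepad instead of the script host,
# and show file extensions in Explorer. Per-user (HKCU), no admin rights needed.
# Assumption: no "Default apps" UserChoice entry already overrides these extensions.
$extensions = '.js', '.jse', '.wsh', '.hta', '.vbs', '.ws', '.bat', '.vbe'
$progId     = 'Notepad.ScriptViewer'   # arbitrary ProgID name chosen for this example
$classes    = 'HKCU:\Software\Classes'
$notepad    = Join-Path $env:SystemRoot 'System32\notepad.exe'

# 1. ProgID whose "open" verb launches Notepad with the clicked file as its argument
$cmdKey = Join-Path $classes "$progId\shell\open\command"
New-Item -Path $cmdKey -Force | Out-Null
Set-ItemProperty -Path $cmdKey -Name '(Default)' -Value ('"{0}" "%1"' -f $notepad)

# 2. Point each extension at that ProgID; warn where a UserChoice entry would win
foreach ($ext in $extensions) {
    $extKey = Join-Path $classes $ext
    New-Item -Path $extKey -Force | Out-Null
    Set-ItemProperty -Path $extKey -Name '(Default)' -Value $progId

    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    if (Test-Path $userChoice) {
        Write-Warning "$ext has a Default-apps UserChoice entry; also change it in Settings > Default apps"
    }
}

# 3. Show extensions, so "invoice.pdf.js" is not displayed as "invoice.pdf"
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                 -Name 'HideFileExt' -Value 0 -Type DWord

# 4. Verify: every extension should now resolve to the Notepad ProgID
foreach ($ext in $extensions) {
    $mapped = (Get-ItemProperty -Path (Join-Path $classes $ext)).'(default)'
    '{0,-6} -> {1}' -f $ext, $mapped
}
```

This only changes what a double-click does; a script started explicitly through wscript.exe or cscript.exe still runs, which is why the slide pairs the tip with generic ransomware protection.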

Page 26: Ransomware - what is it, how to protect against it

(ALMOST) FREE TIPS – CAMOUFLAGE

Make your computer look like a malware analyst computer

• Wireshark, Fiddler, Process Explorer …
• Virtualbox Guest, VmWare Additions files
• HitmanPro Alert vaccination

https://theevilbit.blogspot.hu/2015/10/make-your-desktop-fake-virtual-machine.html
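As an added example (not from the slides or the linked blog post), this PowerShell snippet plants the cheap artefacts the slide lists: empty decoy files named after VirtualBox and VMware guest components, the default Wireshark install path, and the matching registry keys. The VirtualBox/VMware file and key names are the ones VM-aware malware commonly probes; nothing real is installed.

```powershell
# Added example: make the box look like an analyst VM by creating decoy artefacts.
# Zero-byte files and empty registry keys only; needs an elevated prompt for
# System32\drivers and HKLM. Assumption: none of these products is really installed.
$decoyFiles = @(
    # VirtualBox Guest Additions files checked by many anti-VM routines
    "$env:SystemRoot\System32\drivers\VBoxMouse.sys",
    "$env:SystemRoot\System32\drivers\VBoxGuest.sys",
    "$env:SystemRoot\System32\vboxdisp.dll",
    "$env:ProgramFiles\Oracle\VirtualBox Guest Additions\VBoxTray.exe",
    # VMware Tools
    "$env:SystemRoot\System32\drivers\vmmouse.sys",
    "$env:SystemRoot\System32\drivers\vmhgfs.sys",
    "$env:ProgramFiles\VMware\VMware Tools\vmtoolsd.exe",
    # Analyst tooling at its default install location (a file, not a running process)
    "$env:ProgramFiles\Wireshark\Wireshark.exe"
)
$decoyKeys = @(
    'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions',
    'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools'
)

foreach ($path in $decoyFiles) {
    $dir = Split-Path -Path $path -Parent
    if (-not (Test-Path -LiteralPath $dir))  { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    if (-not (Test-Path -LiteralPath $path)) { New-Item -ItemType File -Path $path | Out-Null }
}
foreach ($key in $decoyKeys) {
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
}

# Report what is now in place (True/False per artefact)
$decoyFiles + $decoyKeys | ForEach-Object { '{0,-5} {1}' -f (Test-Path -LiteralPath $_), $_ }
```

Only samples that look for these artefacts before running are deterred; a sample that checks for running analyst processes, or does not check at all, encrypts regardless, so treat this as a cheap extra rather than a control.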

Page 27: Ransomware - what is it, how to protect against it

PREVENTION - ENTERPRISE

Everything used at home, and …

Instead of blinking boxes, small tips and tricks

Page 28: Ransomware - what is it, how to protect against it

TIPS – EXPLOIT PROTECTION

Force Chrome (or Edge) for browsing Internet on web proxy
• Filter User-agent on proxy
• Use IE6 for Intranet only
• Chrome can be managed via GPO

Web proxy filtering
• Users have to click to visit Uncategorized sites

E-mail filter
• Put suspicious files into quarantine
• Admin should approve if user wants the email

Page 29: Ransomware - what is it, how to protect against it

(ALMOST) FREE TIPS – MACRO PROTECTION

Macro malware

• Only allow digitally signed macros to run

OR

• Office 2016/2013 Group policy
• Prevent macros in Office documents downloaded from the Internet

Page 30: Ransomware - what is it, how to protect against it

(ALMOST) FREE TIPS

Application white list C:\Users\

• Windows Applocker
• http://www.mcbsys.com/blog/2013/10/block-user-folder-executables/
• .exe, .scr, .com, .js, .jse, .wsh, .vbs, .cs, .cab, …
• Lot of work, lot of stuff will break. But after time, it will be worth it

Reputation database is also a kind of white-list
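As an added example (not from the slides or the linked blog post), this PowerShell script builds and applies an AppLocker policy that implements the slide's idea: allow EXE and script execution from the Windows and Program Files trees, deny it under C:\Users\ for members of Users, and start in audit-only mode so the "lot of stuff will break" phase is visible in the event log first. Rule names, the temp file path and the extra Deny on %WINDIR%\Temp are this example's own choices.

```powershell
# Added example: AppLocker policy that allows EXE/script execution only from
# %WINDIR% and %PROGRAMFILES% and explicitly denies the user profile tree and the
# user-writable %WINDIR%\Temp for members of Users. Deploy in AuditOnly first and
# read the "would have been blocked" events before switching to Enabled.
# Assumptions: Windows edition with AppLocker, Application Identity service
# running, elevated PowerShell. Rule names are this example's own choices.
function New-RuleXml([string]$Name, [string]$Path, [string]$Action, [string]$Sid) {
    # One FilePathRule element; every rule needs a unique GUID id
    @"
    <FilePathRule Id="$(New-Guid)" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$everyone = 'S-1-1-0'; $admins = 'S-1-5-32-544'; $users = 'S-1-5-32-545'

function New-CollectionXml([string]$Type) {
    # Deny beats Allow in AppLocker, so the Deny rules are scoped to Users:
    # administrators keep the blanket Allow and can still run tools from their profile.
    @"
  <RuleCollection Type="$Type" EnforcementMode="AuditOnly">
$(New-RuleXml 'Allow Windows folder'       '%WINDIR%\*'        'Allow' $everyone)
$(New-RuleXml 'Allow Program Files'        '%PROGRAMFILES%\*'  'Allow' $everyone)
$(New-RuleXml 'Allow Administrators'       '*'                 'Allow' $admins)
$(New-RuleXml 'Deny user profiles'         '%OSDRIVE%\Users\*' 'Deny'  $users)
$(New-RuleXml 'Deny writable Windows Temp' '%WINDIR%\Temp\*'   'Deny'  $users)
  </RuleCollection>
"@
}

$policy = @"
<AppLockerPolicy Version="1">
$(New-CollectionXml 'Exe')
$(New-CollectionXml 'Script')
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'block-user-folder-execution.xml'
Set-Content -Path $policyPath -Value $policy -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath    # add -Merge to keep rules already deployed

# Audit hits (event 8003) show what the policy would block once enforced
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message
```

%WINDIR% contains other user-writable folders besides Temp, so review audit events for a few weeks and add Deny rules for any path users turn out to write and execute from before changing EnforcementMode to Enabled.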

Page 31: Ransomware - what is it, how to protect against it

PREPARATION

Page 32: Ransomware - what is it, how to protect against it

BACKUP

Ransomware actively searches for and encrypts backup files.
Offline backup is more important than ever

My home NAS solution
• The SMB share is only writeable during backup timeframe
• Otherwise, it is read only
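The slide describes the author's home NAS. As an added example (not the author's setup), here is the same idea for a Windows file server using the SmbShare and ScheduledTasks cmdlets: the backup account gets write access to the share only during the backup window. Share name `Backup`, account `NAS\backupsvc`, the 02:00-03:30 window and the script path are assumptions.

```powershell
# Added example: an SMB share that is writable only during the backup window.
# Assumptions (not from the slides): share 'Backup' exists on this Windows host,
# 'NAS\backupsvc' is the only account the backup job runs as, window 02:00-03:30.
# Requires the SmbShare module (Windows 8 / Server 2012 or later) and elevation.
# Run once without -Mode to register the tasks; the tasks call it with -Mode.
param([ValidateSet('Read', 'Change')][string]$Mode)

$share   = 'Backup'
$account = 'NAS\backupsvc'

function Set-BackupShareMode([ValidateSet('Read', 'Change')][string]$AccessRight) {
    # Grant-SmbShareAccess replaces the account's existing share ACE with the new right;
    # the effective permission is the stricter of share and NTFS, so NTFS must allow writes.
    Grant-SmbShareAccess -Name $share -AccountName $account -AccessRight $AccessRight -Force | Out-Null
    Get-SmbShareAccess -Name $share | Select-Object AccountName, AccessRight
}

if ($Mode) {
    Set-BackupShareMode -AccessRight $Mode
    return
}

# First run: register the open/close tasks as SYSTEM, pointing back at this script
$self  = $MyInvocation.MyCommand.Path
$open  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -File `"$self`" -Mode Change"
$close = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -File `"$self`" -Mode Read"
Register-ScheduledTask -TaskName 'BackupShare-Open'  -Action $open  -User 'NT AUTHORITY\SYSTEM' -Force `
    -Trigger (New-ScheduledTaskTrigger -Daily -At '02:00') | Out-Null
Register-ScheduledTask -TaskName 'BackupShare-Close' -Action $close -User 'NT AUTHORITY\SYSTEM' -Force `
    -Trigger (New-ScheduledTaskTrigger -Daily -At '03:30') | Out-Null

# Leave the share read-only until the first window opens
Set-BackupShareMode -AccessRight 'Read'
```

The read-only window protects against ransomware running on the clients; it does not help if the malware runs as the backup account or on the file server itself, so the backup account should be used for nothing else and the server kept off the users' network.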

Page 33: Ransomware - what is it, how to protect against it

BACKUP

Everybody talks about this, but no one does

• Test your backup restore procedure frequently

How long does it take to restore?
• Is the Cloud backup fast enough?

Page 34: Ransomware - what is it, how to protect against it

HAVE ENOUGH BITCOIN AT HOME / AT YOUR FINANCIAL MANAGER

Bitcoin wallet should be offline!!!

Page 35: Ransomware - what is it, how to protect against it

WHEN SH*T HITS THE FAN

Don’t panic
• It never helps

If the ransomware is still running
• Try to hibernate/sleep the machine
• If this does not work, shut it down immediately

There are ransomware samples which can be deciphered if you have the memory dump

Ask for professional help
• How much is the professional? How much is my data worth?
• Don’t ask for my help, I can’t help.

Page 36: Ransomware - what is it, how to protect against it

SHOULD I PAY? OR NOT?

If prevention or preparation was not enough

If you don’t pay, backup the drive, data might be recoverable in the future

• Lame crypto reversed
• Ransomware servers hacked, keys leaked
• Ransomware developer gives out keys for free

Page 37: Ransomware - what is it, how to protect against it

IF YOU PAY

~90% chance you get back your data

You can bargain on online chats

Does it feel good that you don’t have to try out the feeling of getting a lot of Bitcoin in 24 hours?

If you don’t have enough Bitcoin:
• Search for Bitcoin ATM - Budapest (next to Deák square)
• Before going there, read the instructions (mobile app)
• https://localbitcoins.com/

Page 38: Ransomware - what is it, how to protect against it

POST MORTEM

What happened?

What can I do to prevent this from happening again?

Page 39: Ransomware - what is it, how to protect against it

MY UNPOPULAR OPINION

Ransomware is the tax on the Internet
• Paid by those who did not spend enough money/time on security before
• Those who are frivolous on the Internet
• Those who think it can’t happen to them

Obviously, I don’t blame the users and companies only.

It is time to take ITSEC seriously …

Page 40: Ransomware - what is it, how to protect against it

HACK THE PLANET!

[email protected]

https://hu.linkedin.com/in/zbalazs

Twitter – @zh4ck

www.slideshare.net/bz98

Greetz to @CrySySLab, @SpamAndHex

JumpESPJump.blogspot.com