Upload File

ransomware detection - bro€¢ransomware behavior –smb ... •check for smb traffic ... •check...

  • Home
  • Documents
  • Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection
28
Ransomware detection with Bro Mike Stokkel 13 Sept 2016

Upload: buiminh

Post on 16-Apr-2018

230 views

Category:

Documents


5 download

Report

TRANSCRIPT

Page 1: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

Ransomware detectionwith Bro

Mike Stokkel

13 Sept 2016

Page 2: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Who am I?

– Mike Stokkel

– Security Analyst @ Fox-IT

– Internship at Fox-IT

– Bachelor July 2016

Introduction

Introduction

Page 3: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• What am I going to talk about?

– Fox-IT

– Ransomware

– Bro Policy

– Results

– Demo

Agenda

Page 4: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

Fox-IT

Page 5: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Located: Delft, The Netherlands

• IT security

– Managed Security Services

– Auditing

– Cryptographic solutions

Company

Fox-IT

Page 6: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Snort-based detection

• Bro

Security Operation Center

Fox-IT

Page 7: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

Ransomware

Page 8: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Malware

– Encryption

– Payment

– Decryption

• Rising concern

Explanation

Ransomware

Page 9: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Process

– Master key (public and private key)

– Generating a key for the victim

– Encrypting the victim’s key

Encryption

Ransomware

Page 10: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Personal Computer

– Local files

• Company

– Network Share

• To pay or not to pay?

Impact

Ransomware

Page 11: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Exploit Kits

– Browser vulnerabilities

• E-mail

– Malicious document

– Macros

Spreading Methods

Ransomware

Page 12: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Version check

• IP check

• Download ransomware payload

• Run payload

Exploit Kit

Ransomware

Page 13: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Macro

• VBS script

• Download & execute payload

Malicious document

Ransomware

Page 14: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• TeamViewer hack

• RDP brute force

Remote desktop programs

Ransomware

Page 15: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• IDS

– Snort rules

• Problem

Detection Methods

Ransomware

Page 16: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

Bro Policy

Page 17: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Ransomware behavior

– SMB

• Possible solutions

– File extension listing

– Threshold SMB commands

– Command-and-Control communication

Approach

Bro Policy

Page 18: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Randomness of data

• 0 – 8 bits per character

Entropy

Bro policy

Page 19: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Compressed files

• Images

• PDF

• Mime/Media type

What about ….

Bro policy

Page 20: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• SMB parser

– Events

• File over new connection

• Chunk event

• SumStat

– Threshold

• Notice.log

Functions

Bro Policy

Page 21: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Check for SMB traffic

• Check for certain filenames

• Check for Mime type

• Check for SMB action

• Check if SMB action equals Write

• Add File analyzer

File over new connection

Bro Policy

Page 22: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Check if the offset equals 0

• Calculate entropy of data collected from SMB

write command

• Use SumStat to add +1 for the threshold

• Write to log file

• Write a Notice.log

Chunk event

Bro Policy

Page 23: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

Results

Page 24: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Two new kinds of Ransomware

Live Testing

Bro Policy

Page 25: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Two new kinds of Ransomware

– Google Chrome & Mozilla Firefox

• Encrypted cache

• Encryption tools

– TrueCrypt

– VeraCrypt

• Documents

– Printing

– Creating

Live Testing

Bro Policy

Page 26: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

Demo

Page 27: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

• Locky/Zepto

• Cryptowall

• CTBLocker

• Jigsaw (and all families)

• Mobef

• Shade

• Maktub

• Cerber/Alpha

• Teslacrypt

• Rokku

• Crysis

• Cerber

• Bandarchor

Samples

Demo

Page 28: Ransomware detection - Bro€¢Ransomware behavior –SMB ... •Check for SMB traffic ... •Check if SMB action equals Write •Add File analyzer File over new connection

Thank you for having me!


Hive Ransomware

SMB VOIP. SMB VOIP – RTX8630 2 SMB VOIP Other Wireless Enterprise PBX

RANSOMWARE - healthyagingcore.ca

Ransomware and tips to prevent ransomware attacks

Ransomware Statistics 2016: A Ransomware Roundup

Ransomware infographicITU - itu.int · ransomware detections were flagged as crypto-ransomware. a 27% increase since it was discovered. A ransomware variant seen in Russia that zipped

Datto’s State of the Channel Ransomware Report EUROPE · cite SMB clients recently victimised by ransomware, ... IT’S NO LONGER A QUESTION OF IF, ... Datto’s State of the Channel

Einfache Möglichkeit, zu deinstallieren PadCrypt ransomware: Entfernen PadCrypt ransomware

Windows Backup for SMB Environments - Clouds Dubai · ransomware attack. Get SMS, email alerts. Used by NASA, Volvo, Cessna, MIT, Stanford, and others! Customers in over 146 countries

Smb 22052014 corina kuiper health venture check

AtomSilo Ransomware

Ransomware: Modern Day PiratesRansomware • What is ransomware • History of ransomware • Actors and their motivations • Anatomy of a ransomware attack • Cost of a ransomware

Can Your SMB Withstand a Cyber Attack? Your... · Ransomware attackers hide their malware in common attachments like text documents, invoices, faxes, etc., and an infection often

Ransomware: una guía de aproximación para el …...8 Ransomware: una guía de aproximación para el empresario2.5 Variedades de ransomware El ransomware es una actividad criminal

SMB-C SMB-D 多彩な組み合わせにより SMB-DM 排気系の能力を …€¦ · SMBSeries SMB-200 SMB-C06~SMB-C25 SMB-100D~SMB-600D SMB-5000/ SMB-10000 Vacuum Pumps Catalogue

ANIMAL - gravograph.no · 12041 12049. 12073. 12033. 12065. smb 12081 .smb 2089. smb 12097.smb 2074. 12091 _ 12068.smb 12092_smb 12029smb 12069.smb 12093_smb 12030 smb

Ransomware ly

Windows in SMB - · PDF file- Enterprise Management Associates Load Balance Server/Application Health Check Persistence Do you already have a session in progress? ... Windows in SMB

RANSOMWARE - Check Point Software · for Jigsaw ransomware. These flaws are either fixed in a newer version, or the ransomware is abandoned. There seems to be a fairly large difference

UNMASKING RANSOMWARE

Ransomware - asecuritysite.com · Types •Locker Ransomware. Locks the computer. •Crypto Ransomware. Requires decryption key. •Master Boot Record Ransomware. Attack MBR so that

Ransomware and The Nation States - HEAnet · •EDUCATEDSCHOLAR is a SMB exploit (MS09-050) •EMERALDTHREAD is a SMB exploit for Windows XP and Server 2003 (MS10-061) •EMPHASISMINE

SMB Protection Gap - Symanteceval.symantec.com/.../b-SMB-Protection-Gap_WP_20094842.en-us.pdf · White Paper: SMB Survey SMB Protection Gap SMB security and data protection: survey

Ransomware: Wannacry

RANSOMWARE - Check Point Software - Blog · agencies and security vendors to trace back to the malware operator. ... Once the user enables the macro, ... In April 2016, a new ransomware

Ransomware Handbook

Ransomware Characteristics

Kaspersky Security for Small and Medium Business · Kaspersky Security for SMB Advantages of cloud-based endpoint protection management ... ransomware and other attacks. We do this

Responding To Ransomware - NYMISSA · Ransomware is getting more sophisticated, and shifting to an enterprise threat. Ransomware Nightmares ... 50% of ransomware victims have paid

Thermostat Ransomware

Malwarebytes Anti-Ransomware Administrator Guide · Malwarebytes Anti-Ransomware Administrator Guide 1 What is Ransomware? In the simplest terms, the name ransomware says it all

Poradnik ransomware

SMB FOUNDATION - SMB Training Programs

RANSOMWARE PROTECTION€¦ · RANSOMWARE PROTECTION UIDE . ... Exploitation Exploit Mitigations Application Behavior Payload Execution ... PREVENTION AGAINST RANSOMWARE

Conti Ransomware