
Post on 04-Jul-2020


Recover from Ransomware in Minutes

Darren Swift

Principal System Engineer

www.virtuallyonit.com

@Difd_11

Understanding the Depth

$209 Million in Q1 2016; est. $1 Billion for FY16
1 month = 56,000 infections
101+ ransomware families (62 new)
Email campaigns still dominate: 6000% increase
Finance & healthcare most targeted

Understanding the Depth

$1,200 ransom & 70%
4 out of 5 recover from backup
Average 8 hours recovery
<50% success rate
54% of organizations affected

Recent Example

Attack vector: SMB vulnerability “EternalBlue” (MS17-010)
200,000 attacks in 150 countries
Remote exploit kit automation
Files on all connected computers encrypted
$600 for each computer
VSS deleted & backup files deleted

#WannaCry

• We cannot go any further without discussing the events of 12 May
• Two standout points for me were:
  • Delivery mechanism
  • Scale

Cerber-6 – How it Works…

“The Hound of Hades”

RaaS Eco-System

• Cerber has been the most prolific and advanced ransomware family throughout 2016–2017 (first observed Feb 2016)
• Thought to have originated in Russia
• Cerber ransomware is available through a private affiliate program, earning 60% of the profits
• Rapid development / customization
• Unique Bitcoin address generated for each victim, along with a “Bitcoin mixing service”

Cerber Design

• Configuration file is an encrypted JSON
• Can be customized for each attack / campaign
• Example is on GitHub
• Contains all customization parameters:
  • Folders & files to infect
  • Check for anti-virus or VM
  • Language checks / blacklist
  • Statistic checks / sending
  • Ransom note v

Cerber Attack

• Attack vector: 2 main methods
  • Email (example: a CV)
    • 2-line emails with an .rtf attachment
  • Exploit kits (3 main ones)
    • Magnitude, Neutrino & RIG
    • Living on web servers as links, etc.
• Same output either way: the Cerber payload is initialized (.js or .ps1)
• Creates a mutex
• Persistence is gained under %APPDATA%\Roaming\<GUID>
• Registry keys are added under HKEY_CURRENT_USER\Printers\Defaults
• Multiple processes are spun up (division of work)

Cerber Evasion Techniques

• Code is not readable: it uses encrypted strings and only decrypts each string just before it is needed
• Configuration file is referenced (blacklist and language settings)
• Anti-VM
• Anti-virus
• Anti-sandbox
• Sends stats home
• Watchdog mode is started
• Shadow mode removes VSS and edits bcdedit.exe
• UAC is bypassed (default level or lower = silent bypass)

Cerber Encryption

• Cerber-6 can encrypt in offline mode!
• Searches the config file for blacklists, then encrypts:
  • Local & shared drives
• Encrypted output has high entropy
• Content is different after every encryption
• RSA 2048-bit key embedded in the program
• Creates 3 files displaying the ransom note
• Terminates the watchdog
• Clears registry keys
• Sends statistics to the C&C server
• File name = [0-9a-zA-Z_-]{10}.cerber
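The file name pattern and the high-entropy output on this slide are the two indicators a defender can watch for on a file share. The following Python example was added for this page; it is not part of the talk or of any Zerto product. It runs a small detector over constructed file-share audit events: it matches the `[0-9a-zA-Z_-]{10}.cerber` name, measures the Shannon entropy of written content, and counts renames per user. The event format, the user names, the paths and the allowlist of legitimately high-entropy extensions are assumptions made for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Output file name from the slide: ten characters from [0-9a-zA-Z_-] plus
# the .cerber extension, matched against the last path component only.
CERBER_NAME = re.compile(r"^[0-9a-zA-Z_-]{10}\.cerber$")

# Formats that are legitimately high-entropy (compressed or already encrypted).
# Entropy alone must not fire on these. Assumed allowlist for the example.
HIGH_ENTROPY_OK = (".zip", ".docx", ".xlsx", ".pptx", ".png", ".jpg", ".7z", ".gz")

# Constructed file-share audit events: (user, action, path, content-or-None).
# Invented for the example; not real audit-log output.
SAMPLE_EVENTS = [
    ("alice", "WRITE", r"\\fs01\finance\q1-report.xlsx", b"PK\x03\x04" + b"\x00" * 60),
    ("carol", "WRITE", r"\\fs01\eng\release.zip", bytes(range(256))),
    ("alice", "RENAME", r"\\fs01\finance\q1-report.xlsx -> \\fs01\finance\aZ9_k-Q2xB.cerber", None),
    ("alice", "WRITE", r"\\fs01\finance\aZ9_k-Q2xB.cerber", bytes(range(256))),
    ("alice", "RENAME", r"\\fs01\finance\budget.docx -> \\fs01\finance\p7-Lm_0qWs.cerber", None),
    ("alice", "RENAME", r"\\fs01\finance\notes.txt -> \\fs01\finance\Xy_3bN-k8Q.cerber", None),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 means every byte value is equally likely, as in ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def basename(path: str) -> str:
    # Split on either separator so Windows UNC paths work on any host.
    return re.split(r"[\\/]", path)[-1]


def analyse(events, entropy_threshold: float = 7.5, rename_burst: int = 3):
    """Return (kind, user, path) alerts for the indicators described on the slide."""
    alerts = []
    renames = defaultdict(int)
    for user, action, path, content in events:
        target = path.split(" -> ")[-1]  # destination of a rename, otherwise the path
        name = basename(target)
        if CERBER_NAME.match(name):
            alerts.append(("cerber_name", user, target))
        if action == "WRITE" and content is not None:
            high = shannon_entropy(content) >= entropy_threshold
            if high and not name.lower().endswith(HIGH_ENTROPY_OK):
                alerts.append(("high_entropy", user, target))
        if action == "RENAME":
            renames[user] += 1
            if renames[user] == rename_burst:  # many renames by one user in one window
                alerts.append(("rename_burst", user, path))
    return alerts


if __name__ == "__main__":
    for kind, user, path in analyse(SAMPLE_EVENTS):
        print(f"{kind:13s} {user:6s} {path}")
```

The entropy check is deliberately gated by an extension allowlist: a .zip or .docx written by a normal user scores close to 8 bits per byte just like ciphertext, so on its own the entropy signal is noisy. The rename burst and the name pattern are the cheaper, more specific signals; in practice all three would feed the same alert.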

Cerber Result

“Quod me non necat me fortiorem facit”, or “What doesn’t kill me makes me stronger”

Stop Infections Today

Stopping Infections

Users, IT Dept, External

- Train users & IT
- Anti-virus/malware
- Restrict domain admins
- Disable content & auto-play
- Isolated external users
- Software restriction policies: AppLocker on %AppData%

Disks, Network

- Enable file extensions
- Audit file shares
- Audit permissions
- Apply read-only
- Firewall policies
- User VLANs
- Honey trap & alerting
- FSRM policies
- Restrict SMB access / port 445

Web, Email, USB, BYOD

- Secure entry points
- Filter web traffic
- Scan / block email attachments
- Block USB devices (PacketFence)
- Isolated BYOD
- No web access on VMs
- Patching
- .js files default to opening in notepad.exe
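“Honey trap & alerting” in the Disks, Network column deserves a concrete shape. The Python example below was added for this page and is not the speaker's or Zerto's code: it seeds a folder of canary files that no user or process should ever touch, records a SHA-256 baseline, and reports any missing, modified or unexpected file on the next check. The folder and file names, and the tampering simulated in `demo()` (one canary renamed with the .cerber extension from the earlier slides, one overwritten) are constructed for the example; nothing is actually encrypted.

```python
import hashlib
import tempfile
from pathlib import Path

CANARY_NAMES = ["invoice-0.txt", "invoice-1.txt", "invoice-2.txt"]  # constructed names


def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(canary_dir: Path) -> dict:
    """name -> sha256 for every regular file in the honey-trap folder."""
    return {p.name: digest(p) for p in canary_dir.iterdir() if p.is_file()}


def check(canary_dir: Path, baseline: dict) -> list:
    """Compare the folder with its baseline. Any difference is an alert, because
    nothing legitimate ever reads, writes or renames a honey-trap file."""
    current = snapshot(canary_dir)
    alerts = []
    for name, expected in baseline.items():
        if name not in current:
            alerts.append(("missing", name))     # deleted, or renamed to another name
        elif current[name] != expected:
            alerts.append(("modified", name))    # rewritten in place
    for name in current:
        if name not in baseline:
            alerts.append(("unexpected", name))  # new file: renamed canary or ransom note
    return sorted(alerts)


def seed(canary_dir: Path) -> dict:
    """Create the canaries and return the baseline to alert against."""
    canary_dir.mkdir(exist_ok=True)
    for name in CANARY_NAMES:
        (canary_dir / name).write_text(f"honey-trap {name}\n")
    return snapshot(canary_dir)


def demo(tamper: bool = True) -> list:
    """Seed a temporary honey-trap folder, optionally simulate tampering, return alerts.
    The tampering is constructed: a rename and an overwrite, no real encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "_canary"  # underscore sorts first, so it is hit early
        baseline = seed(folder)
        if tamper:
            (folder / "invoice-0.txt").rename(folder / "aZ9_k-Q2xB.cerber")
            (folder / "invoice-1.txt").write_bytes(bytes(range(256)))
        return check(folder, baseline)


if __name__ == "__main__":
    print(demo(tamper=False))  # [] while the trap is untouched
    print(demo(tamper=True))
```

Run `check()` on a schedule from a host that is not itself a file server, store the baseline somewhere the share cannot reach, and treat a non-empty result as a page-out, not a ticket: by the time a canary changes, the encryption run is already in progress and the next step is the Isolate source / Control spread part of the Day “0” slide.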

Day “0”: It Can Still Happen

Protect

- Data protection
- Secured infrastructure
- Isolated test networking
- Payment is never advised

Respond

- Infection response
- Communication
- Isolate source
- Control spread

Restore

- Test data
- Decryption key
- Restore
- Root cause analysis

We Can Win!

Journaling for Point-in-Time Recovery

[Diagram: Protected VM, changed-block replication, Journal vDisk and Replica vDisk at the BC/DR site]

Configure journal SLAs, max size and datastore; on average 10% of space
History: min 1 hour, max 4 weeks; recommended 96 hours+
Compressed write to the journal, write order maintained
Writes are kept for the journal history, then flushed to the replica vDisk

Multi-Site Protection

• Protect a VM in multiple VPGs
• Full replica and journal, with RPO in seconds
• Per-VPG SLAs and journal retention
• Recover applications to the BC/DR site
• Restore files & VMs directly to production
• Powerful local data protection
• Protect to cloud for longer retention
• All-in-one solution

[Diagram: Production Site, Local Copy, BC/DR Site]

Isolated Failover Testing

[Diagram: VMs on an isolated VLAN, a scratch vDisk, the journal vDisk and replica vDisk, with the VRA performing inline I/O redirection]

• Writes go to scratch, reads go to any vDisk; the VRA automatically redirects I/O; instant access, minimal overhead
• No impact to production; access the VM console for verification; replication continues
• No ability to re-infect; VMs are connected to an isolated port group; secure test of a point in time
• Stop the failover test and record the result; scratch disk & writes are deleted; checkpoint marked for further use
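The journaling slide and this failover-test slide describe one mechanism from two sides: a write-ordered journal that ages out into a replica vDisk, and a scratch overlay that lets a recovered point in time be exercised without touching the replica. The Python model below was added for this page; it is not Zerto's implementation or API, and the class and method names, the block-level granularity and the 3600-second history window are assumptions chosen for the example. The workload in `scenario()` is constructed: two clean writes, a checkpoint, then writes of 0xFF bytes standing in for ransomware overwriting blocks.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class JournalEntry:
    seq: int     # write order, monotonically increasing
    ts: int      # seconds since protection started (constructed clock)
    block: int   # changed block number on the protected vDisk
    data: bytes  # new contents of that block


class ChangedBlockJournal:
    """Replica vDisk plus a write-ordered journal with a retention window (the history)."""

    def __init__(self, history_seconds: int):
        self.history = history_seconds
        self.replica: Dict[int, bytes] = {}    # state older than the history window
        self.journal: List[JournalEntry] = []  # retained changed blocks, in write order
        self.checkpoints: Dict[str, int] = {}  # checkpoint name -> timestamp
        self._seq = 0
        self._oldest_ts = 0                    # earliest point still recoverable

    def replicate(self, ts: int, block: int, data: bytes) -> None:
        """A changed block arrives from the protected VM; append it, then age out history."""
        if self.journal and ts < self.journal[-1].ts:
            raise ValueError("journal writes must arrive in order")
        self._seq += 1
        self.journal.append(JournalEntry(self._seq, ts, block, data))
        # Writes older than the window are flushed to the replica in journal order,
        # so the replica is always a consistent (if old) point in time.
        while self.journal and ts - self.journal[0].ts > self.history:
            old = self.journal.pop(0)
            self.replica[old.block] = old.data
            self._oldest_ts = old.ts

    def checkpoint(self, name: str, ts: int) -> None:
        self.checkpoints[name] = ts

    def state_at(self, ts: int) -> Dict[int, bytes]:
        """Point-in-time recovery: replica plus every journaled write at or before ts."""
        if ts < self._oldest_ts:
            raise ValueError("point in time is outside the journal history")
        disk = dict(self.replica)
        for entry in self.journal:
            if entry.ts <= ts:
                disk[entry.block] = entry.data
        return disk

    def recover(self, checkpoint: str) -> Dict[int, bytes]:
        return self.state_at(self.checkpoints[checkpoint])


class FailoverTest:
    """Isolated failover test: reads are served from the recovered point in time,
    writes go to a scratch vDisk that is thrown away when the test stops."""

    def __init__(self, base: Dict[int, bytes]):
        self._base = dict(base)
        self._scratch: Dict[int, bytes] = {}

    def read(self, block: int) -> bytes:
        return self._scratch.get(block, self._base.get(block, b""))

    def write(self, block: int, data: bytes) -> None:
        self._scratch[block] = data

    def stop(self) -> int:
        """Discard scratch writes and return how many blocks were dropped."""
        dropped = len(self._scratch)
        self._scratch.clear()
        return dropped


def scenario() -> dict:
    """Constructed workload: clean writes, a checkpoint, then a simulated encryption burst."""
    vpg = ChangedBlockJournal(history_seconds=3600)
    vpg.replicate(0, 1, b"ledger v1")
    vpg.replicate(100, 2, b"payroll v1")
    vpg.replicate(4000, 1, b"ledger v2")  # ages the first two writes into the replica
    vpg.checkpoint("last-good", 4999)
    vpg.replicate(5000, 1, b"\xff" * 9)   # stands in for ransomware overwriting blocks
    vpg.replicate(5001, 2, b"\xff" * 10)
    test = FailoverTest(vpg.recover("last-good"))
    read_before = test.read(1)
    test.write(1, b"verify")              # a test-time write lands on scratch only
    read_during = test.read(1)
    dropped = test.stop()
    return {
        "clean": vpg.recover("last-good"),
        "latest": vpg.state_at(5001),
        "read_before": read_before,
        "read_during": read_during,
        "dropped": dropped,
        "read_after_stop": test.read(1),
        "replica": dict(vpg.replica),
    }
```

Two properties of the slides fall out of the model. Recovery to “seconds before” the infection is just `state_at()` with a timestamp earlier than the first 0xFF write, which is why the journal must preserve write order. And the test VM cannot re-infect anything because its writes never reach `replica` or `journal`; `stop()` drops them and the checkpoint is still there for the real failover.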

Single File / Folder Recovery

Restore request: file server data, application files, SQL databases, Oracle databases, Exchange databases
Select VM
Select point in time: disks mounted, no impact or agent
Select files & folders: data restored from seconds before
Restore anywhere: browser download, instant access on the ZVM, or mount a network share

Disrupting Data Protection

“Average 8 hours versus minutes”

• Leverage replicated data
• No more daily backup windows
• No performance impact
• Remove admin overhead
• Granularity of seconds
• Minimize data loss
• Meet 24/7 business requirements

Test Your Readiness

Research Notes & Papers

https://zerto.box.com/s/vbct5316wry74iz7t81ft52gd0l2uf7p


Thank You!

Darren Swift

Darren@zerto.com