
Ransomware Defense

Presenter: Arief Santoso


Title: Cyber Security Specialist
Ransomware Problem

Problem: Customers can be taken hostage by malware that locks up critical resources (ransomware).

1. Ransomware gains access to systems through the web, email, exposed servers, etc.
2. Ransomware takes control of those systems and holds the data on them 'hostage' until the owner/company agrees to pay the 'ransom' (usually in bitcoin) to free the system.

Effect: This can be catastrophic to businesses for a period of time:
• Hospitals taking care of patients lose the ability to give them real-time care (admittance, surgeries, medications, etc.)
• Public safety is not able to respond to 911 or emergency calls
• Financial/banking systems go offline, halting trading or banking activities
• Retail cannot process payments, so customers are not able to purchase
Ransomware: Easy Profits

• Most profitable malware in history
• Lucrative: direct payment to the attackers
• Cyber-criminals collected $209 million in the first three months of 2016
• At that rate, ransomware is on pace to be a $1 billion a year crime in 2016
• Example: looking only at the Angler exploit kit delivering ransomware, an estimated $60 million a year in profits
The Evolution of Ransomware Variants
The confluence of easy and effective encryption, the popularity of exploit kits and phishing, and a willingness of victims to pay have caused an explosion of ransomware variants.

[Timeline figure with year axis 1989, 2001, 2005, 2006, 2007, 2008, 2012, 2013, 2014, 2015, 2016. Variants and milestones shown on it: PC Cyborg, first commercial fake antivirus, GPCoder, CRYZIP, Redplus, QiaoZhaz, Bitcoin network launched, Reveton, Ransomlock, Cokri, Dirty Decrypt, Urausy, Cryptolocker, Cryptorbit, Cryptographic Locker, Android phone ransomware (Lockdroid, Koler, Simplelock, Svpeng), CryptoDefense, Cryptowall, Virlock, Kovter, CBT-Locker, TorrentLocker, CoinVault, DMALock, Tox, Cryptvault, Chimera, Hidden Tear, Lockscreen, Teslacrypt, Teslacrypt 2.0, Teslacrypt 3.0, Teslacrypt 4.0, Teslacrypt 4.1, Locky, 73V3N, KeRanger, SamSam, Petya, Cerber, Radamant, Hydracrypt, Rokku, Jigsaw, Powerware.]
Typical Ransomware Infection
Problem: Customers can be taken hostage by malware that locks up critical resources

1. Infection vector: ransomware frequently arrives via web and email
2. C2 communications and asymmetric key exchange: ransomware takes control of the targeted systems
3. Encryption of files: ransomware holds those systems 'hostage'
4. Request for ransom: the owner/company agrees to pay the 'ransom' (bitcoins) to free the system
Most Ransomware Relies on C2 Callbacks

Top variants as of March 2016 and the channel each uses to reach its command-and-control (C2) infrastructure for the encryption key and for the payment message (DNS lookup, hard-coded IP or no C2; Tor or a payment site), as shown on the slide:

Name*          C2 channel (encryption key / payment message)
Locky          DNS
SamSam         DNS (Tor)
TeslaCrypt     DNS
CryptoWall     DNS
TorrentLocker  DNS
PadCrypt       DNS (Tor)
CTB-Locker     DNS
FAKBEN         DNS (Tor)
PayCrypt       DNS
KeRanger       DNS

*Top variants as of March 2016

Because the key exchange for every family in this list starts with a DNS lookup of the C2 domain, a DNS-layer control that refuses to resolve known-bad domains can stop the encryption stage before any file is touched; the Tor-based payment channel is a second recognizable pattern to block or alert on.


How Ransomware Works – Most Variants Require All 5 Steps

Web-based infection:
User clicks a link or malvertising -> malicious infrastructure -> ransomware payload -> encryption key C2 infrastructure -> files inaccessible

Email-based infection:
Email with malicious attachment -> ransomware payload -> encryption key C2 infrastructure -> files inaccessible
Hello 'WannaCry'
• New ransomware variant that began compromising systems on May 12 (2017)
• Exploits MS17-010 (SMBv1) using the ETERNALBLUE exploit and DOUBLEPULSAR backdoor leaked by the Shadow Brokers

Propagation
• Scans the local IP subnet on TCP 445
• Scans random external IP addresses on TCP 445
• Uses ETERNALBLUE over TCP 445 to exploit each reachable host, then DOUBLEPULSAR to install the payload

Velocity of Propagation
[Charts: honeypot TCP 445 connections over time; kill-switch domain DNS queries over time]
Infection Process – network
1. ETERNALBLUE exploits the remote system over TCP 445 and is used to install DOUBLEPULSAR
2. DOUBLEPULSAR installs mssecsvc.exe
3. mssecsvc.exe checks the kill switch with an HTTP GET to a hard-coded domain; if the request succeeds the malware exits, which is why DNS queries for the kill-switch domain track the infection rate
4. mssecsvc.exe creates and starts the service mssecsvc2.0, which scans TCP 445 on the local subnet and on external IPs to exploit further hosts
5. mssecsvc.exe drops tasksche.exe

Infection Process – encryption
1. tasksche.exe drops taskse.exe, @WanaDecryptor@.exe, taskdl.exe and Tor.exe
2. tasksche.exe encrypts files (per-file keys are protected with a 2048-bit RSA key, so the files cannot be recovered without the attacker's private key)
3. taskdl.exe deletes temporary files; taskse.exe and Tor.exe are executed (taskse.exe launches @WanaDecryptor@.exe, the ransom note and decryptor UI, in the user's session; Tor.exe provides the payment channel)
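The process chain on the two infection-process slides, turned into a detection over endpoint process-creation events. This is an added example, not Cisco/AMP logic and not code from the deck; the event layout (host, pid, ppid, image) is an assumption modelled on Sysmon event ID 1, and the sample events are constructed rather than real telemetry.

```python
"""Detect the WannaCry process chain from process-creation events.

Added example (not Cisco/AMP logic, not code from the deck).  Event layout
(host, pid, ppid, image) is an assumption modelled on Sysmon event ID 1; the
sample events below are constructed, not real telemetry.
"""
import ntpath
from collections import defaultdict
from typing import Dict, List, Tuple

# Binary names from the infection-process slides (matched case-insensitively).
DROPPER = "mssecsvc.exe"      # installed via DOUBLEPULSAR; kill-switch check and TCP 445 scanner
STAGE2 = "tasksche.exe"       # dropped by mssecsvc.exe; performs the encryption
STAGE3 = {"taskse.exe", "@wanadecryptor@.exe", "taskdl.exe", "tor.exe"}  # dropped/run by tasksche.exe

Key = Tuple[str, int]  # (host, pid): pids collide across hosts, so never key on pid alone


def basename(image: str) -> str:
    """Lower-cased file name of an image path, accepting either separator."""
    return ntpath.basename(image.replace("/", "\\")).lower()


def build_tree(events: List[dict]) -> Tuple[Dict[Key, dict], Dict[Key, List[Key]]]:
    """Index events by (host, pid) and build a parent -> children map."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    children: Dict[Key, List[Key]] = defaultdict(list)
    for e in events:
        children[(e["host"], e["ppid"])].append((e["host"], e["pid"]))
    return by_key, children


def find_wannacry_chains(events: List[dict], min_stage3: int = 2) -> List[dict]:
    """One finding per tasksche.exe that spawned >= min_stage3 of the known stage-3 binaries.

    A lone tasksche.exe is a weak signal (any file can carry that name); requiring
    several stage-3 children, and noting whether the parent is mssecsvc.exe, is
    what turns it into a match on the chain the slides describe.
    """
    by_key, children = build_tree(events)
    findings = []
    for key, e in by_key.items():
        if basename(e["image"]) != STAGE2:
            continue
        spawned = {basename(by_key[c]["image"]) for c in children.get(key, []) if c in by_key}
        hits = sorted(spawned & STAGE3)
        if len(hits) < min_stage3:
            continue
        parent = by_key.get((e["host"], e["ppid"]))
        parent_is_dropper = parent is not None and basename(parent["image"]) == DROPPER
        findings.append({
            "host": e["host"],
            "tasksche_pid": e["pid"],
            "parent_is_dropper": parent_is_dropper,
            "stage3": hits,
            "confidence": "high" if parent_is_dropper else "medium",
        })
    return findings


# Constructed sample: ws-17 shows the full chain; ws-02 only ran a Tor Browser tor.exe
# and reuses pid 1310, which is why the tree is keyed per host.
SAMPLE_EVENTS = [
    {"host": "ws-17", "pid": 1204, "ppid": 600,  "image": r"C:\Windows\mssecsvc.exe"},
    {"host": "ws-17", "pid": 1310, "ppid": 1204, "image": r"C:\Windows\tasksche.exe"},
    {"host": "ws-17", "pid": 1322, "ppid": 1310, "image": r"C:\Windows\taskse.exe"},
    {"host": "ws-17", "pid": 1330, "ppid": 1310, "image": r"C:\Windows\@WanaDecryptor@.exe"},
    {"host": "ws-17", "pid": 1341, "ppid": 1310, "image": r"C:\Windows\taskdl.exe"},
    {"host": "ws-17", "pid": 1355, "ppid": 1310, "image": r"C:\Windows\TaskData\Tor\tor.exe"},
    {"host": "ws-02", "pid": 1310, "ppid": 900,  "image": r"C:\Program Files\Tor Browser\tor.exe"},
]

if __name__ == "__main__":
    for finding in find_wannacry_chains(SAMPLE_EVENTS):
        print(finding)
```

On the sample data this reports one high-confidence chain on ws-17 and nothing for ws-02. Names are deliberately the weakest part of the rule: an operator who renames the binaries defeats it, so in production the same tree logic would also key on the service creation (mssecsvc2.0) and on the TCP 445 fan-out described on the propagation slides.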
Mitigation
• Apply the MS17-010 patch to your systems
  • Microsoft has also released this update for out-of-support XP/Server 2003 systems
• Block inbound/outbound SMB traffic (TCP ports 139 and 445) at the Internet perimeter and between network segments; a blanket block of SMB inside the network also breaks file and printer sharing, so segment internally rather than block everything, and disable SMBv1 on hosts that do not need it
• Snort rules
  • 42329-42332 DoublePulsar (April 25)
  • 42340 Anonymous SMB (April 25)
  • 41978 Samba buffer overflow (March 14)
Prevention

• Use an actively supported operating system that receives security updates
• Implement an effective patch management process
• Implement a disaster recovery plan to back up and restore systems; keep at least one backup copy offline or otherwise unreachable from the network so that ransomware cannot encrypt it, and test the restore
Ransomware Defense Solution
Cisco Ransomware Defense Solution
A solution to prevent, detect and contain ransomware attacks

The Cisco Ransomware Defense Solution is not a silver bullet and not a guarantee. It does help to:
• Prevent ransomware from getting into the network where possible
• Stop it on the endpoint before it reaches command and control (and so before it obtains an encryption key)
• Detect when it is present in the network
• Contain it from spreading to additional systems and network areas
• Perform incident response to fix the vulnerabilities and areas that were attacked

This solution helps to keep business operations running with less fear of being taken hostage and losing control of critical systems.
Prevent and Contain Ransomware with Cisco Email Security, Umbrella, and AMP

[Diagram of the two infection paths and where each is blocked]
• Web path: web link -> compromised sites and malvertising -> redirect to exploit kit (Angler, Nuclear, Neutrino) -> file drop -> ransomware payload -> C2 -> encryption key infrastructure
• Email path: phishing/spam with a malicious attachment -> file drop -> ransomware payload -> C2 -> encryption key infrastructure
• Blocked by Cisco Cloud Email Security with AMP (the attachment), Cisco Umbrella Roaming (DNS security: the exploit-kit and C2 domains) and Cisco AMP for Endpoints (host anti-malware: the payload)
Cisco Ransomware Defense - Advanced Prevention

[Diagram: detect and contain in the network]
• Talos security intelligence and AMP Threat Grid feed the NGFW, which blocks inbound and outbound connections to malicious infrastructure (zero-day attack and infection)
• Stealthwatch detects and alerts on malicious C2 callbacks and on worm propagation
• ISE pushes containment policy using TrustSec; ISE + TrustSec deploy dynamic containment
• The NGFW segments the infected host from clean systems (ransomware contained)

Detection with Cisco Stealthwatch (network visibility & security analytics); containment with Cisco Identity Services Engine (ISE) and TrustSec; detection and segmentation with Cisco Firepower Threat Defense and Firepower Management Center
What to Do

1. 30 days
   Plan for the worst: have an effective disaster recovery plan and back up frequently
   Prevent when possible:
   1. Quick protection: deploy Umbrella and AMP for Endpoints
   2. Add AMP to Email Security (CES or ESA)

2. 60 days
   • Deploy AMP Threat Grid and NGFW/NGIPS with the Firepower 4100 series
   • Cisco Incident Response Services to better prepare

3. 90-180 days
   • Detect and contain in the network infrastructure (security-driven network refresh)
Breaking the Ransomware KillChain

[Diagram: End-to-End "Kill Chain" Defense. The infrastructure used by the attacker and the files/payloads used by the attacker are tracked across the chain (file trajectory).]

Kill chain stages: RECON, STAGE, LAUNCH (target) -> EXPLOIT, INSTALL (compromise) -> CALLBACK, PERSIST (breach)

Capability defense against the kill chain:
• DNS-layer security: RECON and CALLBACK (the two stages that depend on resolving attacker domains)
• Email security, web security and NGFW: STAGE and LAUNCH
• NGIPS: EXPLOIT, INSTALL, CALLBACK and PERSIST
• Host anti-malware (Windows, Mac, Unix/Linux, Mobile) and network anti-malware: INSTALL
• Web security and NGFW: CALLBACK
• Flow analytics: PERSIST
• Threat intelligence and policy & access control underpin every stage

Ransomware Defense Quick Prevention Solution (DNS-layer security, email security, host anti-malware) versus Ransomware Defense Advanced Prevention and Containment Solution (adds NGFW, NGIPS, flow analytics and policy & access control)
How You Get Infected

• Salesmen researching new products -> secure outbound web access
• Manager opening an e-mail from a vendor -> secure mail
• Employee accessing files on a server -> secure file access
Without a Defense In Depth strategy you have the problems we see today

[Diagram: corporate browsing device -> access switch -> distribution switch -> core switch -> Firepower appliance -> switch -> router -> web. A web page retrieval is requested; with only a web proxy in local services, the ransomware is downloaded.]

Defense In Depth – Best Threat Surface Coverage Possible

[Diagram: the same path, now backed by cloud services: AMP for Endpoints (AMP4E), malware sandbox (Threat Grid), policy command & control, threat intelligence (Talos), DNS-layer security (Umbrella) and web security. The web page retrieval starts with a DNS lookup that Umbrella checks first, the Firepower appliance inspects the connection, and the endpoint checks the file, so the download is examined at each layer before the ransomware reaches the device.]
Services for Ransomware Defense
Cisco Security Services to address Ransomware

BEFORE
• Diagnose and demonstrate security weaknesses and vulnerabilities and provide recommendations
• Review people, process and technology to identify exposed areas that may lead to a data breach
• Assess incident response readiness
• Design and deployment services for new technologies and products

DURING/AFTER
• Perform incident response and identify the "root cause" of the attack
• Respond with expert resources to quickly and effectively mitigate security incidents
• Increase efficiency and efficacy of security operations
• Free up personnel to focus on confirmed threats

Service lines: Advisory, Consulting, Engineering, Operations
Backup

SECURITY EVERYWHERE

Attack Continuum: Before - During - After
Coverage: Endpoint, Branch, Edge, Campus, Data Center, Cloud, Operational Technology, Services

BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Products: Next Generation Firewall, Next Generation IPS, Advanced Malware Protection, VPN + AnyConnect, Web / Email Security (cloud), Operational Security, NAC (ISE)
Network as an Enforcer / Network as a Sensor
Talos Intel Breakdown

Threat intel sources and volumes:
• 1.5M daily malware samples
• 600B daily email messages
• 16B daily web requests
• 20B threats blocked
• Internet-wide scanning, product telemetry, honeypots, open source communities, vulnerability discovery (internal)

Intel sharing:
• Customer data sharing programs
• Service provider coordination program
• 500+ industry participants
• Open source sharing partnerships (ISACs)
• Third-party programs (MAPP)

Scale:
• 250+ full-time threat intel researchers
• Millions of telemetry agents
• 4 global data centers
• 100+ threat intelligence partners
• 1100+ threat traps
NSS-tested product: Cisco Firepower 8120 with NGIPS v6.0 and Advanced Malware Protection
Breach detection rate: 100%    NSS-tested throughput: 1,000 Mbps

Metric                  Result
False positives         0.33%
Drive-by exploits       100.0%
Social exploits         100.0%
HTTP malware            100.0%
SMTP malware            100.0%
Online infections       100.0%
Evasions                100.0%
Stability & reliability PASS

"Cisco Advanced Malware Protection Leads Again in NSS Test" (100%)
Only Cisco can build a true E2E security architecture

[Diagram: best-of-breed portfolio + architectural approach = the Cisco advantage]
Cisco Security Solution Partners
Combined Program – over 60 partners

[Diagram] Partner categories, spanning BEFORE (policy and control), DURING (identification and block) and AFTER (analysis and remediation): Vulnerability Management, Custom Detection, Full Packet Capture, Remediation, Incident Response, IAM/SSO, Network Access, Taps, Infrastructure & Mobility, Visualization, SIEM
Combined API framework and integration points
Security Advisory Services

1. Strategy & Operational
• Security Segmentation: high-level designs & strategy
• Board and Executives: reporting & metrics
• Cloud & Mobile Infrastructure Strategy
• Strategy Workshops & Assessments

2. Risk & Compliance
• Information Security Risk Assessments and Program Development, GDPR
• Compliance: PCI readiness assessments, health checks & scanning, ISO 27001
• Third Party Assessments: due diligence, risk assessment, digital profiling

3. Network Security
• Penetration Testing: external and internal network; wireless
• Network Assessments: application and network architecture, vulnerability, cloud & mobile
• Cellular, VPN, VoIP and Telephony Assessments

4. Application Security
• Penetration Testing: web, mobile & binary application
• Assessments: software design; cloud application breakout
• Development: secure developer training, DevOps, code review and threat modeling

5. Physical
• Voice & email phishing, device/hardware
• Red Team/Blue Team: scenario-based testing

6. Threat Management
• Security Operations: plan, design and operate
• Incident Response: emergency & retainer
• Proactive Services: planning, proactive threat hunting & table-top exercises
Security Implementation Services

1. Advise & Implement
• Custom implementation
• Custom/complex deployment
• Technology readiness
• Design development
• SOC services

2. Fixed Deployment
• Improve customer outcomes
• AMP for Endpoints
• Firepower solutions
• ISE design & PoC
• Stealthwatch deployment, integration and automation

3. Migration
• Custom-scoped and delivered for brownfield
• Third-party migrations
• ASA & NGFW
• ACS to ISE

4. Optimisation & ELA
• Ongoing support
• Kickstart
• Technology readiness
• Design review & support
• Validation & testing
• Performance tuning
• Knowledge transfer

5. Technology Verification
• Try before buy
• Access, review and test source code, hardware, software & firmware in a dedicated, secure facility
Security Managed Services

• 24x7x365 SOC covering Cisco security products + 3rd-party products
• Advanced analytics
• Rule/signature tuning and optimization
• 24x7 proactive device monitoring
• Cisco Collective Threat Intelligence
• Threat analysis, incident monitoring & forensics
• Policy/change management
• Correlate your SOC data with Cisco Talos
• Identify gaps in the current security infrastructure
• See threats that may have been missed, using IOCs
You Can't Protect What You Can't See
The Network Gives Deep and Broad Visibility

[Figure: streams of traffic crossing the network]
What Can the Network Do for You?
Network as Sensor

• Detect anomalous traffic flows and malware
  e.g. communication with malicious hosts, internal malware propagation, data exfiltration
• Detect app usage and user access policy violations
  e.g. a maintenance contractor accessing financial data
• Detect rogue devices, APs and more
  e.g. a maintenance contractor connecting an unauthorized AP in a bank branch to breach it
Visibility Through NetFlow

[Figure: 10.1.8.3 -> switches/routers -> Internet -> 172.168.134.2; the switches and routers export one flow record per conversation]

NetFlow provides:
• A trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurements
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Indications of compromise (IOC)
• Security group information

Example flow record:
Source address         10.1.8.3
Destination address    172.168.134.2
Source port            47321
Destination port       443
Interface              Gi0/0/0
IP TOS                 0x00
IP protocol            6 (TCP)
Next hop               172.168.25.1
TCP flags              0x1A (SYN, PSH and ACK seen across the flow)
Source SGT             100
NBAR application name  SECURE-HTTP
:                      :
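The flow record above as it actually crosses the wire: an added example (not from the slides, not Cisco or StealthWatch code) that encodes and decodes the public NetFlow v5 export format, 24-byte header followed by 48-byte records. Fields such as Source SGT and the NBAR application name are not carried by v5 and need Flexible NetFlow / v9 templates, so the parser covers the classic fields only. The datagram is constructed in memory from the slide's values so the example runs offline; the second record is an invented UDP/53 flow.

```python
"""Encode and decode NetFlow v5 export datagrams.

Added example, not code from the deck or from any Cisco product.  Implements the
public NetFlow v5 wire format; the sample datagram is constructed from the slide's
example flow plus one invented UDP/53 flow so it runs offline.
"""
import socket
import struct
from typing import Dict, List

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval (all big-endian).
HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2.
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
assert HEADER.size == 24 and RECORD.size == 48

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def decode_flags(flags: int) -> str:
    """Human-readable OR of the TCP flags seen across the flow (0x1A -> SYN|PSH|ACK)."""
    return "|".join(name for bit, name in TCP_FLAG_NAMES if flags & bit) or "none"


def parse_netflow_v5(datagram: bytes) -> List[Dict]:
    """Return one dict per flow record; raise ValueError on anything malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > 30 or len(datagram) != HEADER.size + count * RECORD.size:
        # v5 exporters send at most 30 records per datagram; anything else is truncated or bogus.
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, tos, _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = \
            RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "next_hop": socket.inet_ntoa(nexthop),
            "input_if": in_if, "output_if": out_if,
            "packets": pkts, "bytes": octets, "duration_ms": last - first,
            "sport": sport, "dport": dport, "proto": proto, "tos": tos,
            "tcp_flags": tcp_flags, "tcp_flags_text": decode_flags(tcp_flags),
            "export_seq": seq,
        })
    return flows


def build_datagram(records: List[tuple], seq: int = 1) -> bytes:
    """Encode records as one v5 datagram (used here to construct the sample input)."""
    body = b"".join(RECORD.pack(*r) for r in records)
    return HEADER.pack(5, len(records), 123456, 1494547200, 0, seq, 0, 0, 0) + body


def ip(a: str) -> bytes:
    return socket.inet_aton(a)


# Constructed: the slide's flow (10.1.8.3:47321 -> 172.168.134.2:443, TCP, flags 0x1A,
# next hop 172.168.25.1) and a large UDP/53 flow to an external address.
SAMPLE_RECORDS = [
    (ip("10.1.8.3"), ip("172.168.134.2"), ip("172.168.25.1"), 1, 2, 12, 1450, 1000, 1800,
     47321, 443, 0, 0x1A, 6, 0x00, 0, 0, 24, 24, 0),
    (ip("10.201.0.23"), ip("74.213.99.97"), ip("172.168.25.1"), 1, 2, 9000, 9_000_000, 2000, 60000,
     51000, 53, 0, 0, 17, 0, 0, 0, 24, 0, 0),
]
SAMPLE_DATAGRAM = build_datagram(SAMPLE_RECORDS)

if __name__ == "__main__":
    for flow in parse_netflow_v5(SAMPLE_DATAGRAM):
        print(flow)
```

The length check matters on a collector that listens on UDP: a forged or truncated datagram whose count field does not match its length must be rejected rather than partially parsed, or an attacker who can reach the collector port can feed it fabricated conversations.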
StealthWatch System Overview

[Diagram]
• NetFlow-capable network devices export NetFlow / NBAR / NSEL to the StealthWatch FlowCollector
• Non-NetFlow-capable devices feed a SPAN port to the StealthWatch FlowSensor, which generates NetFlow
• StealthWatch FlowCollector: collect and analyze; up to 4,000 sources; up to 240,000 flows per second (FPS) sustained
• StealthWatch Management Console: management and reporting; up to 25 FlowCollectors; up to 6 million FPS globally

Context Information
NetFlow

pxGrid StealthWatch

Real-Time Visibility into All Network Layers


Cisco® Identity • Data intelligence throughout network
Services Engine Mitigation Action • Discovery of assets
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response
ALERT: Insider Threat

Scenario: An internal user is stealing data! The user could be a:
• Disgruntled employee
• Person about to leave the company
• Person with privileged credentials
• Person stealing and selling trade secrets

Security events have triggered indicating a user is connecting to a terminal server, collecting data from a sensitive database, and tunneling the traffic out of the network using P2P over UDP port 53 (the DNS port).

[Diagram]
1. Internal user 10.201.3.18 connects to terminal server 10.201.0.23
2. Terminal server 10.201.0.23 is used to collect sensitive data from 10.201.0.55, a host in the same subnet inside the datacenter
3. Terminal server 10.201.0.23 is used to encrypt the data and tunnel it through the DNS port to an upload server at 74.213.99.97

© 2014 Lancope, Inc. All rights reserved.
ALERT: Malware Propagating Internally

Scenario: Malware is quickly propagating inside the network! The malware could have entered via:
• Mobile broadband card
• Infected laptop while it was out of the office
• User opening an attachment in email
• User clicking a link on a website

Security events have triggered indicating a host is infected with malware and it is propagating throughout the network.

[Diagram]
1. Initial infection enters through a broadband card (10.201.3.50 to 10.201.3.83), infecting a vulnerable version of VNC and bypassing any perimeter defenses
2. Once within the network, the malware begins to propagate from 10.201.3.83 to other systems running VNC
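The two alert scenarios above (insider exfiltration over UDP/53, malware propagating host to host over VNC) and the WannaCry TCP 445 sweeps earlier in the deck share a shape that a flow collector can detect without seeing payload: one source fanning out to many internal peers on one port within a short window, and large byte volumes on the DNS port to anything other than the corporate resolver. This added example (my code, not StealthWatch's detection logic) implements both over constructed flow records; the resolver address, thresholds and window length are assumptions.

```python
"""Two flow-based detections: internal worm propagation and DNS-port tunnelling.

Added example, not StealthWatch's own logic or any Cisco code.  Flow records are
constructed dicts (src, dst, proto, dport, bytes, ts) in the shape a NetFlow
collector produces; CORP_RESOLVERS, thresholds and the window are assumptions.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List

TCP, UDP = 6, 17
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CORP_RESOLVERS = {"10.201.0.2"}  # assumption: the only destination that should see outbound DNS


def is_internal(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in INTERNAL)


def detect_fanout(flows: Iterable[dict], port: int, proto: int = TCP,
                  min_peers: int = 20, window_s: int = 300) -> List[dict]:
    """Flag a source reaching >= min_peers distinct internal hosts on one port within window_s.

    A sliding window over each source's timestamps means a slow scan spread over
    hours is not counted, while a worm that hits a /24 in minutes is.
    """
    by_src: Dict[str, List[tuple]] = defaultdict(list)
    for f in flows:
        if f["proto"] == proto and f["dport"] == port and is_internal(f["src"]) and is_internal(f["dst"]):
            by_src[f["src"]].append((f["ts"], f["dst"]))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            best = max(best, len({d for _, d in hits[start:end + 1]}))
        if best >= min_peers:
            alerts.append({"type": "worm_propagation", "src": src, "port": port, "peers_in_window": best})
    return alerts


def detect_dns_tunnel(flows: Iterable[dict], min_bytes: int = 1_000_000) -> List[dict]:
    """Flag internal hosts sending >= min_bytes over UDP/53 to any non-resolver destination.

    Legitimate DNS is a few hundred bytes per query; megabytes on port 53 to an
    address that is not the corporate resolver is a tunnel whatever the payload claims.
    """
    volume: Dict[tuple, int] = defaultdict(int)
    for f in flows:
        if f["proto"] == UDP and f["dport"] == 53 and is_internal(f["src"]) and f["dst"] not in CORP_RESOLVERS:
            volume[(f["src"], f["dst"])] += f["bytes"]
    return [{"type": "dns_tunnel", "src": s, "dst": d, "bytes": b, "external_dst": not is_internal(d)}
            for (s, d), b in volume.items() if b >= min_bytes]


def make_flow(src, dst, proto, dport, nbytes, ts):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "bytes": nbytes, "ts": ts}


# Constructed: 10.201.3.83 sweeps 10.201.3.0/24 on VNC (5900) within a minute,
# 10.201.0.23 pushes 9 MB to 74.213.99.97 over UDP/53, plus normal DNS and RDP traffic.
SAMPLE_FLOWS = (
    [make_flow("10.201.3.83", f"10.201.3.{i}", TCP, 5900, 120, 1000 + i) for i in range(1, 61)]
    + [make_flow("10.201.0.23", "74.213.99.97", UDP, 53, 300_000, 2000 + i) for i in range(30)]
    + [make_flow("10.201.3.18", "10.201.0.2", UDP, 53, 90, 2500 + i) for i in range(50)]
    + [make_flow("10.201.3.18", "10.201.0.23", TCP, 3389, 50_000, 2600)]
)

if __name__ == "__main__":
    print(detect_fanout(SAMPLE_FLOWS, port=5900))   # VNC propagation scenario
    print(detect_fanout(SAMPLE_FLOWS, port=445))    # WannaCry-style SMB sweep: none in the sample
    print(detect_dns_tunnel(SAMPLE_FLOWS))          # insider exfiltration scenario
```

Run with port=445 the same fan-out rule catches the mssecsvc2.0 subnet scan from the WannaCry slides; the thresholds are the tunable part, and a vulnerability scanner or a backup server will trip the fan-out rule unless those sources are allow-listed.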
