Cisco Security Solutions...(DNS Security) Blocked by Cisco AMP for Endpoints (Host Anti-Malware) Web...

Michael Vassigh Dresden November 2016 Combined Intelligence against Ransomware Cisco Security Solutions


Page 1:

Michael Vassigh

Dresden November 2016

Combined Intelligence against Ransomware

Cisco Security Solutions

Page 2:

The new security model

Network, Endpoint, Mobile, Virtual, Cloud

Point in Time and Continuous Threat Intelligence

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Page 3:

[Architecture figure: BEFORE / DURING / AFTER. Labels recovered from the slide: Recursive DNS (OpenDNS Umbrella, any port, any vector), Admin, NGFW/UTM, URL Filter, Leading Threat Intelligence Research Group, Roaming User, AMP for Endpoints, CTA, Endpoint User, VPN, Datacenter, NGFW, AMP for Network, Block / Warn / Allow, Cloud Option, Network Traffic Flow Analysis, AMP for Web & Email, Web & Email Security, Dynamic Malware Analysis, NGIPS/AMP, NGIPSv, Cloud Apps, Identity Services, TrustSec, People & Devices, ASAv, CES ESA, Stealthwatch, ASA/Meraki MX, AnyConnect VPN, AMP Threat Grid, CWS WSA, ASA, ISE.]

Intelligent cybersecurity to protect against advanced threats

Page 4:

Defending against Ransomware

Page 5:

Ransomware: Easy Profits (*Ransom = Lösegeld in German)

• Most profitable malware in history

• Lucrative: Direct payment to attackers!

• Cyber-criminals collected $209 million in the first three months of 2016

• At that rate, ransomware is on pace to be a $1 billion a year crime this year.

• Let's take an example: looking only at the Angler exploit kit delivering ransomware, $60 million a year in profits

Page 6:

The Evolution of Ransomware Variants

The confluence of easy and effective encryption, the popularity of exploit kits and phishing, and a willingness for victims to pay have caused an explosion of ransomware variants.

[Timeline figure, 1989 to 2016 (year marks on the slide: 1989, 2001, 2005, 2006, 2007, 2008, 2012, 2013, 2014, 2015, 2016). Variants and milestones named on the slide, in slide order: PC Cyborg; GPCoder; Fake Antivirus; first commercial Android phone; QiaoZhaz; CRYZIP; Redplus; Bitcoin network launched; Reveton, Ransomlock; Dirty Decrypt, Cryptorbit, Cryptographic Locker, Urausy; Cryptolocker; CryptoDefense, Koler, Kovter, Simplelock, Cokri, CBT-Locker, TorrentLocker, Virlock, CoinVault, Svpeng; TeslaCrypt; Virlock, Lockdroid, Reveton; Tox, Cryptvault, DMALock, Chimera, Hidden Tear, Lockscreen, Teslacrypt 2.0; Cryptowall; SamSam; Locky; Cerber, Radamant, Hydracrypt, Rokku, Jigsaw, Powerware; 73V3N, Keranger, Petya, Teslacrypt 3.0, Teslacrypt 4.0, Teslacrypt 4.1.]

Page 7:

Typical Ransomware Infection. Problem: Customers can be taken hostage by malware that locks up critical resources.

• Infection vector: ransomware frequently uses web and email

• C2 comms & asymmetric key exchange

• Encryption of files

• Request of ransom

Ransomware takes control of targeted systems and holds those systems 'hostage'; the owner/company agrees to pay the 'ransom' (bitcoins) to free the system.

Page 8:

How Ransomware Works – Most Variants Require All 5 Steps

[Figure with two infection paths. Email-based infection: email w/ malicious attachment, ransomware payload, encryption key C2 infrastructure, files inaccessible. Web-based infection: user clicks a link or malvertising, malicious infrastructure, ransomware payload, encryption key C2 infrastructure, files inaccessible.]

Page 9:

Capabilities needed to break the kill chain

• Threat intelligence – Knowledge of existing ransomware and communication vectors

• E-mail security – Block ransomware attachments and links

• Web security – Block web communication to infected sites and files

• DNS security – Break the command & control callback

• Client security – Inspect files for ransomware and viruses, quarantine and remove

• Segment infrastructure – Authenticate access, separate traffic based on role and policy

• Intrusion prevention – Block attacks, exploitation and intelligence gathering

• Monitor infrastructure communications – Identify and alert on abnormal traffic flows
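As an added example (not from the deck and not code from any Cisco product), the following shows what the "DNS security" capability listed above does at the resolver: queries from constructed resolver log lines are checked against a threat-intelligence list and given the slide's Block / Warn / Allow verdict, so the exploit-kit hop and the C2 key-exchange callback never resolve. The log format, the threat-intel entries and all domain names (reserved .example TLD) are constructed assumptions.

```python
import re
from collections import Counter

# Constructed threat-intel feed (assumption): domain -> kill-chain stage it serves.
THREAT_INTEL = {
    "ek-landing.example": "exploit-kit",   # the "EXPLOIT KIT DOMAINS" hop
    "key-exchange.example": "c2",          # "Encryption Key C2 Infrastructure"
}
# Verdict per category, mirroring the slide's Block / Warn / Allow policy.
POLICY = {"exploit-kit": "Block", "c2": "Block", "newly-seen": "Warn", "clean": "Allow"}

# Constructed resolver log format (assumption): "<timestamp> <client_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parent_domains(qname):
    """Yield qname and each parent zone, so a listing of foo.example also covers x.foo.example."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def classify(qname, known_good):
    """Return (category, verdict) for one query name."""
    for d in parent_domains(qname):
        if d in THREAT_INTEL:               # listed domain or any of its subdomains
            return THREAT_INTEL[d], POLICY[THREAT_INTEL[d]]
    cat = "clean" if qname.lower() in known_good else "newly-seen"
    return cat, POLICY[cat]

def evaluate(log_lines, known_good):
    """Parse log lines; return [(client, qname, category, verdict)] and a per-verdict count."""
    results, counts = [], Counter()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                        # malformed line: skip it, keep processing the rest
        _, client, qname, _ = m.groups()
        cat, verdict = classify(qname, known_good)
        results.append((client, qname, cat, verdict))
        counts[verdict] += 1
    return results, counts

SAMPLE_LOG = [  # constructed log lines
    "2016-11-10T09:00:01Z 10.1.2.3 www.intranet.example A",
    "2016-11-10T09:00:05Z 10.1.2.3 cdn7.ek-landing.example A",    # web redirect to exploit kit
    "2016-11-10T09:00:09Z 10.1.2.3 key-exchange.example TXT",     # C2 key-exchange callback
    "2016-11-10T09:00:12Z 10.1.2.4 updates.newvendor.example A",  # unknown, not listed
    "garbage line",
]
KNOWN_GOOD = {"www.intranet.example"}   # constructed allow-list
```

Calling `evaluate(SAMPLE_LOG, KNOWN_GOOD)` blocks the two listed hops, warns on the unlisted domain and allows the known-good one; in a real deployment the feed would be the vendor's, not a hand-written dict.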

Page 10:

Capability Defense against the "Kill Chain"

[Table: capabilities mapped to kill-chain stages Recon, Stage, Target, Launch, Exploit, Install, Callback, Persist (grouped as Breach and Compromise). Row label: End-to-End Infrastructure Defense. Capabilities placed on the stages: NGIPS, NGFW, Flow Analytics, Network Anti-Malware, Host Anti-Malware, DNS Security, Web Security, Email Security, Threat Intelligence.]

Page 11:

Solution architecture and elements

Page 12:

Prevent and Contain Ransomware with Cisco

[Attack-path figure. Sources: compromised sites and malvertising, phishing, spam. Edge labels: web link, web redirect, C2, file drop, email attachment. Nodes: exploit kit domains (Angler, Nuclear, Neutrino), ransomware payload, malicious infrastructure, encryption key infrastructure. Controls shown: blocked by Cisco Umbrella Roaming (DNS Security); blocked by Cisco AMP for Endpoints (Host Anti-Malware); blocked by Cisco (Cloud) Email Security with AMP.]

Page 13:

Prevent and Contain Ransomware with Cisco Email Security

[Same attack-path figure as on Page 12 (exploit kit domains: Angler, Nuclear, Rig); control highlighted: blocked by Cisco Email Security with AMP.]

Page 14:

[Screenshot: Incoming Mail Policies – Outbreak Filters]

Page 15:

[Screenshot: Incoming Mail Policies – Advanced Malware Protection]

Page 16:

Prevent and Contain Ransomware with Cisco Umbrella (OpenDNS)

[Same attack-path figure as on Page 12 (exploit kit domains: Angler, Nuclear, Rig); control highlighted: blocked by Cisco Umbrella Roaming (DNS Security).]

Page 17:

OpenDNS blocks phishing

Page 18:

Page 19:

Prevent and Contain Ransomware with Cisco AMP for Endpoints

[Same attack-path figure as on Page 12 (exploit kit domains: Angler, Nuclear, Rig); control highlighted: blocked by Cisco AMP for Endpoints (Host Anti-Malware).]

Page 20:

Page 21:

Page 22:

Page 23:

Page 24:

Page 25:

Detect and Contain in Network – Talos Security Intelligence

Cisco Ransomware Network Containment

[Figure: containment workflow, steps as labelled on the slide]

• NGIPS deploys the patch

• AMP Threat Grid analyzes the threat

• NGFW blocks the connection

• TrustSec deploys dynamic containment

• AMP for Endpoints protects the system

• ISE pushes containment policy

• StealthWatch detects and alerts

Outcome: Ransomware contained, clean system

Page 26:

Cisco Ransomware Defense Solution: a solution to prevent, detect and contain ransomware attacks

Cisco Ransomware Defense Solution is not a silver bullet, and not a guarantee. It does help to:

• Prevent ransomware from getting into the network where possible

• Stop it at the systems before it gains command and control

• Detect when it is present in the network

• Work to contain it from expanding to additional systems and network areas

• Perform incident response to fix the vulnerabilities and areas that were attacked

This solution helps to keep business operations running with less fear of being taken hostage and losing control of critical systems.

Page 27: