Ransomware Seminar - RSA Conference
#RSAC
Ransomware Seminar
36% increase in ransomware attacks (as per Symantec’s 2017 report)
Source: https://bit.ly/rsa-apj-rw-001
4,000 attacks per day (as per the US Department of Justice)
Source: https://bit.ly/rsa-apj-rw-002
97% of phishing emails deliver ransomware (as per PhishMe)
Source: https://bit.ly/rsa-apj-rw-003
Source: https://bit.ly/rsa-apj-rw-004
Welcome!
Start  End    Session
9:00   9:10   Opening remarks
9:10   9:55   Everything of Nothing: Understanding Cyber-Crime Organizations (Aamir Lakhani)
10:00  10:45  From Ransomware to Extortion: The Inevitable Underground Economy Evolution (Andrei Barysevich)
10:45  11:00  Networking Break
11:00  11:35  Defending Better by Understanding Cybercriminal Motivations (Panel discussion)
11:40  12:10  Ransomware of Tomorrow: How To Be Ready For Future Threats (Eugene Aseev)
12:15  12:50  Getting the Board On-Board: Ransomware’s Impact on your Business (Panel discussion)
Aamir Lakhani
Everything of Nothing: Understanding Cyber-Crime Organizations
SEM-W01
Senior Security Strategist, Fortinet / FortiGuard, @aamirlakhani
Disclaimer
This talk should be considered a work of fiction. Any resemblance, likelihood, and similarities to other events are purely coincidental. Any details inspired by real-life events have been significantly changed or altered. The views, opinions, and research do not necessarily represent anyone except my own. This talk is not endorsed by my employer.
This presentation involves an on-going case and active investigation. Key information has been changed, modified, anonymized, or redacted because of this.
This case would not have been possible without the many man-hours of law enforcement and district attorneys assigned to this investigation.
Who Am I?
Aamir Lakhani, Researcher / Consultant, Ninja / Pirate / Hacker
Time Magazine’s Person of the Year 2006…
Person of the Year 2006
And so were...
(Slide: the “what I do for a living” meme: what my friends think I do, what my mom thinks I do, what I wish I did, what I really do)
How did we get here?
Introduced to the captain of a large vice squad in the US
They deal with small crimes when it comes to cyber
Most cyber crimes are not investigated
Lack of resources
This presentation is around a real cyber-crime investigation
This is not a breaking, hot, Mr. Robot tale of a Hollywood hacker
This will not change the way you look at cyber
This will show you how everyday law enforcement has to deal with “cyber” criminals
Understanding how credit card fraud works
Fraud is built into the cost of card services
Card companies and most consumers expect fraud
It is never taken seriously
Moving to a new city and getting called by the police
How did I get started helping law enforcement fight cyber-crime?
How it all started…. Getting from A to B
1. The local police department was receiving and investigating claims of identity fraud and credit card fraud.
2. Investigation into credit card fraud: victims were noticing lots of charges to eBay, PayPal and other retailers.
3. A new officer wanted to investigate; most officers would have dismissed it.
4. Obtained a search warrant. Retailers gave the shipping address of the merchandise.
5. The receiving address was tied to multiple fraud and stolen-merchandise cases.
6. A search warrant on the receiver led to further investigation.
Details around the Investigation
Items were purchased with VISA gift cards. VISA gift card numbers are sent in batches to cities and stores, so it took very little work to find out where the VISA gift cards had been purchased.
Most gift cards were purchased with cash, but a large number were purchased on credit cards (STUPID).
The criminal was sent cash or gift cards to buy goods from local businesses and resell them.
Mules
Internet Mules
Wild Union Security Services
Local business was operating as Wild Union Security Services (WUSS). Not their real name.
Found no registered business under that name and no website. The investigation located the business anyway.
Business reported over $5 million USD income over the last 4 years and paid taxes. Sold phone cards, gift cards, WebMoney, BitCoin exchanges
Money Exchange
Prepaid cards were being sold at as high as a 70% convenience markup
Money Laundering?
Registering web sites (Registrars, and WHOIS)
BitCoin Exchanges
$20,000 of BitCoins
$10,000 of WebMoney or Reloadit Cards
$7,000 of Gift Cards
$5,000 of cash
Trading BitCoins
Exchanged BitCoins for a gift card; got the receiver’s BitCoin address
Using clustering and multiple transactions, found multiple BitCoin addresses associated with Western Union Security Exchange, Shopping, and Shipping Services, Inc.
To use BitCoins with WUSSS, one had to deposit BitCoins into their account. That account was linked to other accounts
Significant Developments
Event 1:
» Minor credit card fraud
Event 2:
» Warrants and investigations led to an illegal, unlicensed business.
Event 3:
» BitCoin clustering led to additional BitCoin wallets linked to major cyber-crime and money-laundering operations. Searched the additional BitCoin addresses and found matches on the Real Deal black market, run on Tor.
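The clustering used in the Trading BitCoins slide and in Event 3 above rests on one heuristic: every input of a single transaction was signed by the same key holder, so addresses that ever co-spend belong to one owner. The Python block below is an added example written for this page, not the speaker’s tooling and not WalletExplorer’s code. The ledger, the address labels (W1, M1, …) and the “market deposit address” watchlist are constructed placeholders, not real chain data; only the clustering rule itself is the technique the slides describe.

```python
"""Common-input-ownership clustering over a toy Bitcoin ledger.

Added example for this page: not the speaker's tooling and not
WalletExplorer's code.  The ledger, the address labels and the
watchlist are constructed placeholders, not real chain data.
"""
from collections import defaultdict

# Constructed ledger.  Each transaction spends from `inputs` and pays `outputs`.
# W1 is the address the investigator paid when buying a gift card with BitCoin.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1"], "outputs": ["W1", "A2"]},   # investigator -> exchange
    {"txid": "tx2", "inputs": ["W1", "W2"], "outputs": ["M1"]},   # W1 and W2 co-spent: same owner
    {"txid": "tx3", "inputs": ["W2", "W3"], "outputs": ["X9"]},   # W2 and W3 co-spent: same owner
    {"txid": "tx4", "inputs": ["Z1"], "outputs": ["Z2"]},         # unrelated activity
]

# Hypothetical deposit addresses previously attributed to a Tor market.
MARKET_WATCHLIST = {"M1", "Q7"}


class UnionFind:
    """Disjoint sets with path halving; one set per suspected owner."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Map every address to the frozenset of addresses sharing an owner.

    Heuristic: all inputs of one transaction are signed by the same key
    holder.  Outputs are never merged; a payee is a separate entity.
    """
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"] + tx["outputs"]:
            uf.find(addr)                       # register as a singleton
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)               # co-spend => same owner
    members = defaultdict(set)
    for addr in list(uf.parent):
        members[uf.find(addr)].add(addr)
    return {addr: frozenset(group) for group in members.values() for addr in group}


def linked_to(txs, seed):
    """All addresses clustered with `seed` (just the seed if it is unknown)."""
    return set(cluster_addresses(txs).get(seed, frozenset({seed})))


def payees_of(txs, cluster):
    """Addresses that received coins from any transaction the cluster funded."""
    paid = set()
    for tx in txs:
        if any(addr in cluster for addr in tx["inputs"]):
            paid.update(tx["outputs"])
    return paid - set(cluster)


def watchlist_hits(txs, seed, watchlist):
    """Watchlist addresses that are in the seed's cluster or were paid by it."""
    cluster = linked_to(txs, seed)
    return (cluster | payees_of(txs, cluster)) & set(watchlist)


if __name__ == "__main__":
    owner = linked_to(SAMPLE_TXS, "W1")
    print("same owner as W1:", sorted(owner))                        # ['W1', 'W2', 'W3']
    print("funds flowed to:", sorted(payees_of(SAMPLE_TXS, owner)))  # ['M1', 'X9']
    print("watchlist hits:", sorted(watchlist_hits(SAMPLE_TXS, "W1", MARKET_WATCHLIST)))  # ['M1']
```

The weakness that mixers exploit is visible in the code: a CoinJoin-style transaction in which several unrelated parties each contribute an input would wrongly merge all of them into one cluster. That is why a cluster match is a lead that justifies a warrant, not proof of ownership on its own.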
BitCoins Linked to Criminals
Additional Investigations
Connecting the Dots (cyber-crime network)
Other cyber-criminals were involved in a network of cyber-criminals
Similar cases found in other states and countries. Is this a cookbook for cyber-crime?
Working with law enforcement around the world.
WalletExplorer – the Ideal Investigation tool
Catching the Criminal
Function GetMyPublicIP() As String
    Dim HttpRequest As Object
    On Error Resume Next
    'Create the XMLHttpRequest object.
    Set HttpRequest = CreateObject("MSXML2.XMLHTTP")
    'Check if the object was created.
    If Err.Number <> 0 Then
        'Return error message.
        GetMyPublicIP = "Could not create the XMLHttpRequest object!"
        'Release the object and exit.
        Set HttpRequest = Nothing
        Exit Function
    End If
    On Error GoTo 0
    'Create the request - no special parameters required.
    HttpRequest.Open "GET", "http://myip.dnsomatic.com", False
    'Send the request to the site.
    HttpRequest.Send
    'Return the result of the request (the IP string).
    GetMyPublicIP = HttpRequest.ResponseText
End Function

Function GetMyLocalIP() As String
    'Declaring the necessary variables.
    Dim strComputer As String
    Dim objWMIService As Object
    Dim colItems As Object
    Dim objItem As Object
    Dim myIPAddress As String
    'Set the computer.
    strComputer = "."
    'The root\cimv2 namespace is used to access the Win32_NetworkAdapterConfiguration class.
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    'A select query is used to get a collection of IP addresses from the network adapters that have the property IPEnabled equal to true.
    Set colItems = objWMIService.ExecQuery("SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
    'Loop through all the objects of the collection and return the first non-empty IP.
    For Each objItem In colItems
        If Not IsNull(objItem.IPAddress) Then
            myIPAddress = Trim(objItem.IPAddress(0))
            Exit For
        End If
    Next
    'Return the IP string.
    GetMyLocalIP = myIPAddress
End Function

Function GetMyMACAddress() As String
    'Declaring the necessary variables.
    Dim strComputer As String
    Dim objWMIService As Object
    Dim colItems As Object
    Dim objItem As Object
    Dim myMACAddress As String
    'Set the computer.
    strComputer = "."
    'The root\cimv2 namespace is used to access the Win32_NetworkAdapterConfiguration class.
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    'A select query is used to get a collection of network adapters that have the property IPEnabled equal to true.
    Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
    'Loop through the collection of adapters and return the MAC address of the first adapter that has a non-empty IP.
    For Each objItem In colItems
        If Not IsNull(objItem.IPAddress) Then
            myMACAddress = objItem.MACAddress
            Exit For
        End If
    Next
    'Return the MAC string.
    GetMyMACAddress = myMACAddress
End Function
Warrant issued for “John Doe” by the district attorney.
After significant communications with “John Doe”, we exchanged emails.
Inserted VB code to get the real IP; this was not malware or a macro virus. It simply recorded the MAC, internal and external IP and saved them to the document metadata.
New court order let us obtain the identity of the public account holder
What Did We Find?
The cyber criminal was a user in his late teens
Eventually we seized $1.8 million in gift cards
$3 million in sales of stolen goods tracked through eBay, PayPal, Craigslist, Back Page
BitCoin Mixing
Bitcoin transactions are recorded in the ledger
Step #1: Create a wallet on the Internet. (wallet #1)
Step #2: Buy Bitcoins, and send the amount you want to mix to wallet #1.
Step #3: Create a second wallet, this time over the Tor network. (wallet #2)
Step #4: Send your bitcoins from wallet #1 directly to wallet #2.
Step #5: Create a third wallet, also over the Tor network. (wallet #3)
Step #6: Select which mixer you will be using, and set up your transaction there using the address(es) from wallet #3. It is best to use multiple addresses, and to set random time delays.
Step #7: Send the coins from wallet #2, over Tor, to the address generated for you by the mixer.
Step #8: Assuming these coins are going to be sent to a darknet market… if you don’t already have your deposit address, log in and get it while having JavaScript disabled. Never use any market that requires you to enable JS!
Source: https://darknetmarkets.org/a-simple-guide-to-safely-and-effectively-mixing-bitcoins/
Defense
Court order deemed too broad
Cannot blindly send malware
We ended up using fax records from Western Union Security Exchange, Shopping, and Shipping Services, Inc.
Issued a new warrant to seize computer assets
Defense attorneys were representing John Doe on record
Next Steps
Had the judge issue a new warrant to search for evidence of tax evasion
Forensics on copy machines and fax machines contained evidence
SMOKING GUN: faxes contained the attacker’s Bitcoin wallet address and name.
» Able to use WalletExplorer to tie all transactions to a person
Judge has ruled against the District Attorney on treating it as a RICO case (Racketeer Influenced and Corrupt Organizations Act)
Defense attorneys are arguing whether digital forensic evidence from copy and fax machines should be allowed at trial.
Next Steps
Spliced power to a battery to keep the fax machine turned on
Used specialized devices to freeze and clone memory
Created a memory image file (tools such as FTK or Volatility can then be used for memory forensics)
The fax machine was running embedded Windows
Defense may argue about how we collected the fax machines
Verdict
Catching more cyber criminals can be a deterrent
Investigations take time
Attribution is more of an art than a science
Understand the flow of funds and digital currency
On-going case
I am not a lawyer nor law enforcement
Did we make a difference?
How do you protect yourself?
Should we fight fraud cases?
Is it too good to be true?
Self-awareness
How to protect your organization?
• Data feeds
• Email filtering
• Reputation filtering
• Leaked credentials
• Leaked credit cards
You are a victim, what’s next?
What can you do if you are a victim?
• Do not ignore the situation
• Work with law enforcement
• Report to your employer’s IT department
Cyber hygiene:
• Change passwords
• Use VPNs
• No open wireless
Q and A
You can ask questions now, or we can sit here awkwardly in silence.
Andrei Barysevich
From Ransomware to Extortion: The Inevitable Underground Economy Evolution
SEM-W01
Director of Advanced Collection, Recorded Future, @DeepSpaceEye
Agenda
Three takeaways
History – from automated spreading to targeted phone calls
The actors – nobody knows your name
The future of victimization – a difficult situation incentivizing additional ransomware
History
Product Market Fit
CryptoLocker – First Global Ransomware Campaign
Brute Force Your Way In…
Off-the-shelf tools available cheaply
Or Simply Buy the Access
Actors
CryptoLocker – First Global Ransomware Campaign
500,000 victims
$3 - $27 million in payments
Copycats Took Over the Market
Over 100 ransomware variants between 2014 and 2016
2015 – Introduction of Ransomware as a Service
• NO UPFRONT COST
• 50/50 PROFIT SPLIT
Ingenious Methods of Ransom Gangsters
No C2 (command-and-control) infrastructure; direct engagement with the victim
TDO - Opportunistic Lifecycle
Extortion or Blackmail?
“Extortion is a form of theft that occurs when an offender obtains money, property, or services from another person through coercion. To constitute coercion, the necessary act can be the threat of violence, destruction of property, or improper government action. Inaction of the testimony or the withholding of testimony in a legal action are also acts that constitute coercion.”
“Blackmail, in contrast to extortion, is when the offender threatens to reveal information about a victim or his family members that is potentially embarrassing, socially damaging, or incriminating unless a demand for money, property, or services is met. Even if the information is true or actually incriminating, you can still be charged with blackmail if you threaten to reveal it unless the victim meets your demand.”
Source: criminal-law.freeadvice.com
The Future of Victimization
Change of Mindset
ETHICAL DILEMMA: INFECT OR NOT INFECT
$3.6 million demanded; $17,000 paid
“From the bottom of my heart, I wish that mothers of ransomware distributors end up in an intensive care unit and their respiratory system is infected with ransomware. ”
No Honor Among Thieves
• PARALYZED PRODUCTION
• IMMENSE LOSSES
How Big Is Too Big?
Perfect cover-up weapon
WannaCry
NotPetya
Data Mining for Gold
One example of this is Mr. John Jenkins, who at the time of data entry was an Atlanta Hawks player. His row is the following:
****942204,1,Jenkins,John," ",19**-0*-0*,21* Ivy *****, Hend**********,TN,37***,61*97*44*6,***50674,NULL,JENKINS,1***50674,***878*8*0,,NULL,20**-0*-0* 14:53:08.570,20**-0*-2* 12:42:05.573,,0***1303**99,Jenkins,John,***10306000000
We also found FBI: ****061278,1,G*******,Mark,F,19**-0*-*8,M,,**29 ***** Mill ******,,Law**********,GA,30***,202***6****,,,10156752,,,,MARK.G*******@IC.FBI.GOV
Innocent Victims
Let's take Mrs. N**** M***** for example: Her SSN, address, email, phone numbers, insurance information, etc. are all there. We also know that according to her record, she is 65 inches tall and weighs 215. Blood pressure 13478 and a pulse of 76. She also has Osteoarthrosis and joint pain in her lower leg. Her prescription records state she has been prescribed oxycodone for "severe pain", alprazolam for "anxiety sleep", fentanyl, and oxycontin.
Ask Yourself: Will You Pay or Not?
• How much is your data worth?
• How much are you prepared to pay?
• Do you have funds in reserve?
Stand your ground: “I will not pay” / “Yes I will”
Takeaways
• Criminals use every tool available for $$
• No target is too small or too big
• Evaluate and be ready
Andrei Barysevich
Thank You!
SEM-W01
Director of Advanced Collection, Recorded Future, @DeepSpaceEye
Defending Better by Understanding Cybercriminal Motivations
Panelists:
Etay Maor, Executive Security Advisor, IBM Security
Ben Potter, Senior Security and Compliance Consultant, Amazon Web Services
Christiaan Beek, Lead Scientist and Principal Engineer, McAfee
Core question: How does the human element of ransomware work?
Eugene Aseev
Ransomware Of Tomorrow: How To Be Ready For Future Threats
SEM-W01
Head of Singapore R&D Centre, Acronis, @toxzique
Agenda
Ransomware Today: current landscape and major security flaws
Ransomware Of Tomorrow: what to look out for in the future
Modern Technology: exploring the recent breakthrough solutions
Ransomware is a type of malicious software used by cybercriminals that is designed to extort money from their victims, either by
• Encrypting data on the disk, or
• Blocking access to the system
Ransomware Types
Lock screen ransomware
• Shows a threatening window stating the user’s computer is blocked
• Can usually be resolved without harmful consequences
File encryption ransomware
• Encrypts the user’s files and shows a threatening window
• Cannot usually be resolved, as only the cybercriminals have the decryption key
Boot-level ransomware
• Rewrites the MBR (master boot record), encrypts the hard disk, and shows a threatening message while the system is booting
• Cannot usually be resolved, as only the cybercriminals have the decryption key
Attacks Volume (chart)
Attacks Impact (chart)
Recent Examples
Osiris
• Difficult to detect, as it uses standard Windows components to download and execute the payload (scripts and libraries)
• Can also be distributed via CRM/customer-support systems across organizational boundaries: an infected user in one organization can send an email to another organization’s CRM system email address
• Directly attacks the Microsoft Volume Shadow Copy Service, available in every MS Windows installation, and deletes already-created shadow copies
WannaCry
• In order to spread like a worm, utilized an exploit called ETERNALBLUE, one of the leaked NSA hacking tools released by the Shadow Brokers hacking group in April 2017
• The patch for the SMB vulnerability was available for 59 days prior to the attack
• Hit critical infrastructure in some countries such as Germany and Russia. In the U.K., the health care sector was hit hard: hospitals had to turn away patients, reroute ambulances and reschedule surgeries and appointments, and emergency services were paralyzed
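The shadow-copy deletion noted for Osiris is a dependable pre-encryption signal: legitimate software almost never wipes every shadow copy from a command line, and the command runs before the user sees anything. The Python block below is an added example written for this page, not part of the slides and not any vendor’s product logic. It runs a small rule set over constructed process-creation telemetry; the pipe-delimited event layout, host names and command lines are made up for the example, and the rule set deliberately goes beyond the slide to the related recovery-sabotage commands (wmic shadowcopy delete, bcdedit recoveryenabled no, wbadmin delete catalog) that ransomware families commonly chain together.

```python
"""Flag backup-sabotage commands in process-creation telemetry.

Added example for this page, not any vendor's detection logic.  The
event lines are constructed; the pipe-delimited layout (time, host,
parent image, image, command line) is an assumption for the example.
"""
import re
from collections import Counter

SAMPLE_EVENTS = """\
2017-05-12T09:14:02Z|host7|winword.exe|cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
2017-05-12T09:14:03Z|host7|cmd.exe|wmic.exe|wmic shadowcopy delete
2017-05-12T09:14:03Z|host7|cmd.exe|bcdedit.exe|bcdedit /set {default} recoveryenabled No
2017-05-12T09:20:11Z|host3|explorer.exe|vssadmin.exe|vssadmin list shadows
2017-05-12T10:01:55Z|host3|services.exe|svchost.exe|svchost.exe -k netsvcs
"""

# Commands that destroy or disable recovery data.  The slide names shadow-copy
# deletion; the rest are its usual companions in a ransomware pre-encryption stage.
RULES = [
    ("vssadmin_delete_shadows",       r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("vssadmin_resize_shadowstorage", r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b"),
    ("wmic_shadowcopy_delete",        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("wmi_win32_shadowcopy_delete",   r"win32_shadowcopy.*\bdelete\b"),
    ("bcdedit_disable_recovery",      r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("wbadmin_delete_catalog",        r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
]
COMPILED_RULES = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]

# Office applications and script hosts have no business launching these commands;
# a hit spawned from one of them is treated as a higher-confidence alert.
RISKY_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def parse_event(line):
    """Split one constructed telemetry line into its fields."""
    time, host, parent, image, cmdline = line.split("|", 4)
    return {"time": time, "host": host, "parent": parent.lower(),
            "image": image.lower(), "cmdline": cmdline}


def classify(event):
    """Return the first rule name matching the command line, else None."""
    for name, rx in COMPILED_RULES:
        if rx.search(event["cmdline"]):
            return name
    return None


def detect(lines):
    """Run every rule over every event; return alerts in event order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        rule = classify(event)
        if rule is None:
            continue
        severity = "high" if event["parent"] in RISKY_PARENTS else "medium"
        alerts.append({**event, "rule": rule, "severity": severity})
    return alerts


def hosts_under_attack(alerts, min_hits=2):
    """Hosts with several sabotage commands: encryption is probably imminent."""
    counts = Counter(alert["host"] for alert in alerts)
    return {host for host, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS.splitlines())
    for alert in found:
        print(f"{alert['time']} {alert['host']} [{alert['severity']}] {alert['rule']}: "
              f"{alert['parent']} -> {alert['cmdline']}")
    print("isolate:", sorted(hosts_under_attack(found)))   # ['host7']
```

Matching on the command line rather than the image name matters: the first event launches vssadmin through cmd.exe, so a rule keyed on the spawned image alone would miss it. Because "vssadmin list shadows" is routine administration, the rules require the destructive verb, and the per-host count turns three separate hits into one isolation decision.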
From Consumers to Businesses and Targeted Attacks
Data Alteration and Attack on the Cloud
Ransomware of the future will simply alter your data and demand money to tell you exactly what was changed, hitting businesses where it hurts most.
Current ransomware already blocks access to cloud storage such as Dropbox or Google Drive. The next step will be compromising the cloud backups held by your backup providers.
Future Targets
Simple Rules to Avoid Grave Damage
Comprehensive Anti-Malware Solution
• Actively protects files (including local backups) from unauthorized modification and/or encryption
• Actively protects cloud backups from alteration by hardening the agent application against attacks
• Based on a behavioral heuristic approach and whitelisting, active data protection is future-proofed
The result? Data can never be compromised. If any files were impacted prior to the deflection of an attack, they can be easily and automatically restored.
(Diagram) Ransomware: active detection and restore. Physical data loss due to various reasons: cloud backup, with data restored from the cloud in case of attack. Secured cloud backups.
Predictive Protection
Proactive detection and blocking based on behavior heuristics + predictive analysis + context of attacks for analysts and incident response intelligence.
Components:
• Events collector: file/registry/network operations as input data
• Trusted-processes behavior DB, infected-processes behavior DB, data-related behavior DB (file/registry/network operations as training data)
• Anomalies detector, blacklist monitor, user/system behavior monitor
Models: outlier detection, Support Vector Machine (SVM), cluster-based models; deep learning, Bayesian neural network (NN), tree models; deep learning, graph models
Results: detect anomalies, detect known threats, detect unknown threats, data-related threat detection
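The Comprehensive Anti-Malware Solution and Predictive Protection slides describe the same mechanism from two angles: file operations are the input, an allowlist of trusted processes and behavioural scoring decide who may touch documents, and anything altered before the attack was stopped is restored. The Python block below is an added example written for this page, not Acronis code, showing the core of such an engine on a simulated in-memory disk. It snapshots a document the first time an untrusted process overwrites it, scores each process on high-entropy overwrites and extension changes, quarantines a process that crosses the threshold and rolls its changes back. The process names, paths, thresholds and the ciphertext stand-in are assumptions for the example.

```python
"""Behaviour-based ransomware blocking with rollback on a simulated disk.

Added example for this page, not Acronis code.  Process names, paths,
thresholds and the ciphertext stand-in are assumptions for the example.
"""
import math
from collections import defaultdict

# Allowlist of images permitted to rewrite documents (hypothetical names).
TRUSTED_IMAGES = {"winword.exe", "explorer.exe", "backupagent.exe"}
HIGH_ENTROPY = 7.0   # bits per byte; plain documents sit well below this
DOC_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg"}

DOCS = "C:/Users/ana/Documents/"
ORIGINAL_DISK = {   # constructed pre-attack state
    DOCS + "invoice.txt": b"Invoice 1042: 3 x widget, total 45.00\n" * 4,
    DOCS + "notes.txt":   b"meeting notes: budget, hiring, roadmap\n" * 4,
    DOCS + "plan.txt":    b"Q3 plan: ship v2, reduce churn\n" * 4,
    DOCS + "letter.txt":  b"Dear customer, thank you for your order.\n" * 4,
}
CIPHERTEXT = bytes(range(256)) * 2   # stands in for encrypted output (8.0 bits/byte)

SAMPLE_EVENTS = [   # constructed file-operation telemetry, in order
    {"pid": 4412, "image": "invoice_macro.exe", "op": "write", "path": DOCS + "invoice.txt", "data": CIPHERTEXT},
    {"pid": 4412, "image": "invoice_macro.exe", "op": "rename", "path": DOCS + "invoice.txt", "new_path": DOCS + "invoice.txt.locked"},
    {"pid": 4412, "image": "invoice_macro.exe", "op": "write", "path": DOCS + "notes.txt", "data": CIPHERTEXT},
    {"pid": 4412, "image": "invoice_macro.exe", "op": "write", "path": DOCS + "plan.txt", "data": CIPHERTEXT},
    {"pid": 4412, "image": "invoice_macro.exe", "op": "rename", "path": DOCS + "plan.txt", "new_path": DOCS + "plan.txt.locked"},
    {"pid": 900, "image": "winword.exe", "op": "write", "path": DOCS + "letter.txt", "data": b"Dear customer, your order shipped today.\n"},
]


def shannon_entropy(data):
    """Bits of entropy per byte; ciphertext approaches 8, prose sits around 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


class ActiveProtection:
    """Scores untrusted processes on file behaviour; quarantines and rolls back."""

    def __init__(self, disk, trusted=TRUSTED_IMAGES):
        self.disk = dict(disk)                  # path -> current bytes
        self.trusted = trusted
        self.blocked = set()                    # quarantined pids
        self.stats = defaultdict(lambda: {"high_entropy_overwrites": 0, "ext_changes": 0})
        self.snapshots = defaultdict(dict)      # pid -> {path: pre-image before first overwrite}
        self.renames = defaultdict(list)        # pid -> [(old, new)] to undo

    def _suspicious(self, s):
        return (s["high_entropy_overwrites"] >= 2 and s["ext_changes"] >= 1) or s["high_entropy_overwrites"] >= 5

    def _rollback(self, pid):
        for old, new in reversed(self.renames[pid]):
            if new in self.disk:
                self.disk[old] = self.disk.pop(new)
        for path, pre_image in self.snapshots[pid].items():
            self.disk[path] = pre_image
        return sorted(self.snapshots[pid])

    def handle(self, ev):
        """Apply one event; return a verdict for blocked/quarantined events, else None."""
        pid, trusted = ev["pid"], ev["image"].lower() in self.trusted
        if pid in self.blocked:
            return {"action": "blocked", "pid": pid, "op": ev["op"], "path": ev["path"]}
        s = self.stats[pid]
        if ev["op"] == "write":
            if ev["path"] in self.disk and not trusted:        # overwrite of an existing file
                self.snapshots[pid].setdefault(ev["path"], self.disk[ev["path"]])
                if shannon_entropy(ev["data"]) >= HIGH_ENTROPY:
                    s["high_entropy_overwrites"] += 1
            self.disk[ev["path"]] = ev["data"]
        elif ev["op"] == "rename":
            old, new = ev["path"], ev["new_path"]
            if old in self.disk:
                self.disk[new] = self.disk.pop(old)
            if not trusted:
                self.renames[pid].append((old, new))
                if extension(old) in DOC_EXTENSIONS and extension(new) not in DOC_EXTENSIONS:
                    s["ext_changes"] += 1
        if not trusted and self._suspicious(s):
            self.blocked.add(pid)
            return {"action": "quarantined", "pid": pid, "image": ev["image"], "restored": self._rollback(pid)}
        return None


def run(events, disk=ORIGINAL_DISK):
    """Replay events through a fresh engine; return (engine, per-event verdicts)."""
    engine = ActiveProtection(disk)
    return engine, [engine.handle(ev) for ev in events]


if __name__ == "__main__":
    engine, verdicts = run(SAMPLE_EVENTS)
    for ev, v in zip(SAMPLE_EVENTS, verdicts):
        print(ev["pid"], ev["op"], ev["path"].rsplit("/", 1)[-1], "->", v["action"] if v else "allowed")
```

The trade-off in the threshold is the one every behavioural product faces: the first encrypted file is lost to detection latency and recovered only from the snapshot, while a trusted backup agent writing compressed archives (which are also high-entropy) is exempted by the allowlist rather than by the heuristic. Tightening the threshold to one overwrite would block the agent the moment it is removed from the allowlist.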
Apply What You Have Learned Today
Next week you should: back up all your devices (just in case you have not done this yet).
In the first three months following this presentation you should: configure a 3-2-1 backup, and choose and install a comprehensive anti-malware solution.
Within six months you should: implement all ransomware-prevention practices at home and at the workplace.
Eugene Aseev
Thank you!
SEM-W01
Head of Singapore R&D Centre, Acronis, @toxzique
Getting the Board On-Board: Ransomware’s Impact on your Business
Panelists:
Jonathan Trull, Global Chief Cybersecurity Advisor, Microsoft
Kristof Philipsen, Managing Executive, Verizon
Joyce Chua, Assistant Vice President, Singapore Post Ltd.
Core question: What is the real business impact of ransomware?
Thank you!