Ransomware Defense
Aigerim Issabayeva, Consulting Systems Engineer
30th September 2016

Video: Ransomware, anatomy of an attack
https://www.youtube.com/watch?v=4gR562GW7TI

© 2015 Cisco and/or its affiliates. All rights reserved.

Ransomware Problem
Problem: Customers can be taken hostage by malware that locks up critical resources (ransomware).
Effect: This can be catastrophic to businesses for a period of time.
1. Ransomware gains access to systems through web, email, servers…
2. Ransomware takes control of those systems and holds the data on these systems ‘hostage’ until the owner/company agrees to pay the ‘ransom’ (bitcoins) to free the system.
Sectors shown on the slide:
• Education
• Public safety
• Hospitals
• Financial banking
• Retail

Ransomware: Easy Profits
• Most profitable malware in history
• Lucrative: direct payment to attackers!
• Cyber-criminals collected $209 million in the first three months of 2016
• At that rate, ransomware is on pace to be a $1 billion a year crime this year.
• Let’s take an example: looking only at the Angler exploit kit delivering ransomware, that is $60 million a year in profits

The Evolution of Ransomware Variants
The confluence of easy and effective encryption, the popularity of exploit kits and phishing, and a willingness of victims to pay have caused an explosion of ransomware variants.
[Timeline figure, 1989 to 2016 (years marked on the slide: 1989, 2001, 2005, 2006, 2007, 2008, 2012, 2013, 2014, 2015, 2016). Variants named: PC Cyborg, Fake Antivirus, CRYZIP, Redplus, GPCoder, QiaoZhaz, Reveton, Ransomlock, Dirty Decrypt, Cryptorbit, Cryptographic Locker, Urausy, Cryptolocker, CryptoDefense, Koler, Kovter, Simplelock, Cokri, CBT-Locker, TorrentLocker, Virlock, CoinVault, Svpeng, Cryptowall, TeslaCrypt (2.0, 3.0, 4.0, 4.1), Tox, Cryptvault, DMALock, Chimera, Hidden Tear, Lockscreen, Lockdroid, 73V3N, Keranger, Petya, SamSam, Locky, Cerber, Radamant, Hydracrypt, Rokku, Jigsaw, Powerware. Milestones marked: first commercial Android phone; Bitcoin network launched.]

Typical Ransomware Infection
Problem: Customers can be taken hostage by malware that locks up critical resources.
• Infection vector: ransomware frequently uses web and email
• C2 comms and asymmetric key exchange: ransomware takes control of targeted systems
• Encryption of files: ransomware holds those systems ‘hostage’
• Request of ransom: owner/company agrees to pay the ‘ransom’ (bitcoins) to free the system

Most Ransomware Relies on C2 Callbacks
Channel used to obtain the encryption key (DNS, IP, or no C2) and to deliver the payment message (TOR), for the top variants as of March 2016:

Name            Encryption key   Payment message
Locky           DNS              –
SamSam          DNS              TOR
TeslaCrypt      DNS              –
CryptoWall      DNS              –
TorrentLocker   DNS              –
PadCrypt        DNS              TOR
CTB-Locker      DNS              –
FAKBEN          DNS              TOR
PayCrypt        DNS              –
KeyRanger       DNS              –

Ransomware Defense Overview

Cisco Ransomware Defense Solution
Solution to prevent, detect and contain ransomware attacks.
Cisco Ransomware Defense Solution is not a silver bullet, and not a guarantee.
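The C2-callback table above is the defender's leverage point: every listed variant resolves its key-exchange or payment infrastructure through DNS before it can encrypt, so a resolver that refuses or flags those lookups breaks the chain at the "C2 comms and asymmetric key exchange" step. The script below is an added example written for this page, not Cisco product code and not from the deck. It assumes a simple resolver log format (timestamp, client IP, queried name), uses a constructed denylist in place of a real threat-intelligence feed, and applies one heuristic I chose for illustration: a single client resolving many never-before-seen domains in a short window, which is how callback retries and domain-generation algorithms tend to look in DNS telemetry. All hosts, domains and thresholds are constructed.

```python
"""
Added example: DNS-layer detection of ransomware C2 callbacks.
Not from the Cisco deck; log lines, domains and thresholds are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed denylist standing in for a threat-intelligence feed
# (a real deployment would consume a vendor or Talos-style feed instead).
C2_DENYLIST = {
    "key-exchange.example.invalid",
    "payment-portal.example.invalid",
}

# Heuristic thresholds, assumptions for this example; tune to your environment.
NEW_DOMAIN_THRESHOLD = 5          # first-seen domains from one client ...
WINDOW = timedelta(seconds=60)    # ... inside this window raises an alert

# Constructed resolver log: "<ISO timestamp> <client IP> <queried name>"
SAMPLE_LOG = """\
2016-09-30T10:00:01 10.1.1.20 www.example.com
2016-09-30T10:00:05 10.1.1.20 cdn.example.net
2016-09-30T10:00:09 10.1.1.20 key-exchange.example.invalid
2016-09-30T10:00:10 10.1.1.20 a1b2c3.example.invalid
2016-09-30T10:00:11 10.1.1.20 d4e5f6.example.invalid
2016-09-30T10:00:12 10.1.1.20 g7h8i9.example.invalid
2016-09-30T10:00:13 10.1.1.20 j0k1l2.example.invalid
2016-09-30T10:00:14 10.1.1.20 m3n4o5.example.invalid
2016-09-30T10:00:20 10.1.1.30 www.example.com
2016-09-30T10:00:25 10.1.1.30 mail.example.org
"""


def parse_line(line):
    """Split one log line into (timestamp, client, normalised qname)."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def is_denylisted(qname):
    """True when the name, or any parent of it, is on the C2 denylist.
    This is the decision a DNS-layer control makes before answering."""
    return any(qname == d or qname.endswith("." + d) for d in C2_DENYLIST)


def analyze(log_text, known_domains=None):
    """Return findings as (timestamp, client, qname, verdict).

    verdict "block": denylist hit, the resolver would refuse the lookup.
    verdict "alert": the client crossed NEW_DOMAIN_THRESHOLD first-seen
    domains within WINDOW (raised once per burst, when the threshold is hit).
    known_domains: names the organisation has resolved before (baseline).
    """
    seen = set(known_domains or ())
    recent_new = defaultdict(deque)   # client -> timestamps of first-seen names
    findings = []
    for raw in log_text.strip().splitlines():
        ts, client, qname = parse_line(raw)
        if is_denylisted(qname):
            findings.append((ts, client, qname, "block"))
            continue
        if qname in seen:
            continue                  # baseline traffic, nothing new here
        seen.add(qname)
        bucket = recent_new[client]
        bucket.append(ts)
        while bucket and ts - bucket[0] > WINDOW:
            bucket.popleft()          # drop first-seen events outside the window
        if len(bucket) == NEW_DOMAIN_THRESHOLD:
            findings.append((ts, client, qname, "alert"))
    return findings


if __name__ == "__main__":
    baseline = {"www.example.com", "cdn.example.net", "mail.example.org"}
    for ts, client, qname, verdict in analyze(SAMPLE_LOG, baseline):
        print(f"{ts.isoformat()} {client:<10} {verdict:<5} {qname}")
```

Run against the constructed log with the three baseline domains, the script blocks the denylisted key-exchange lookup from 10.1.1.20 and raises one alert on that client when its fifth unseen domain appears inside the window, while 10.1.1.30's ordinary browsing produces nothing. The alert fires only at the moment the threshold is crossed, so a long burst yields one finding rather than one per query.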
It does help to:
• Prevent ransomware from getting into the network where possible
• Stop it at the systems before it gains command and control
• Detect when it is present in the network
• Work to contain it from expanding to additional systems and network areas
• Perform incident response to fix the vulnerabilities and areas that were attacked
✓ This solution helps to keep business operations running with less fear of being taken hostage and losing control of critical systems

How Ransomware Works: Most Variants Require All 5 Steps
Web-based infection: user clicks a link or malvertising → malicious infrastructure → ransomware payload → encryption key C2 infrastructure → files inaccessible
Email-based infection: email w/ malicious attachment → ransomware payload → encryption key C2 infrastructure → files inaccessible

Cisco Ransomware Defense
Where each step of the two infection paths is blocked:
• Umbrella blocks the request (to the link or malvertising site, and later the request to the encryption key infrastructure)
• NGFW blocks the connection to the malicious infrastructure
• AMP for Endpoint blocks the file (the ransomware payload)
• Email Security w/ AMP blocks the phishing email
Components: Umbrella, Next-Gen Firewall, Email w/ AMP, AMP for Endpoint.

Cisco Ransomware Defense: Detect and Contain in Network
• StealthWatch detects and alerts
• AMP Threat Grid analyzes the threat
• NGFW blocks the connection
• NGIPS deploys the patch
• ISE pushes containment policy; ISE TrustSec deploys dynamic containment
• AMP for Endpoint protects the system
• Talos Security Intelligence feeds all of the above
Outcome: clean system, ransomware contained.

What to Do (phases: 1 = 30 days, 2 = 60 days, 3 = 90–180 days)
Plan for the worst: have an effective disaster recovery plan and back up frequently.
Prevent when possible:
1. Quick protection: deploy Umbrella and AMP for Endpoint (prevent when possible)
2. Add AMP to Email Security (CES or ESA)
• Deploy AMP Threat Grid, NGFW/NGIPS with Firepower 4100 series
• Detect and contain in the network infrastructure (security driven network refresh)
• Cisco Incident Response Services to better prepare

Breaking the Ransomware Kill Chain

End-to-End “Kill Chain” Defense
Attacker assets tracked: infrastructure used by the attacker (Infrastructure view) and files/payloads used by the attacker (File Trajectory view).
Kill chain stages: recon → stage → launch → exploit → breach (compromise target) → install → callback → persist.
Defense layers shown across the chain: DNS-layer security, email security, web security, NGFW, NGIPS, host anti-malware, network anti-malware, threat intelligence, DNS flow analytics.

End-to-End “Kill Chain” Defense (products per stage)
Labels on the slide: Cloud Defense, Web Defense, Rapid Defense, “Quick Win!”, “Protect Me Once They’re In!”
• Recon: OpenDNS Investigate (Internet-wide visibility); TALOS research
• Stage / launch: Umbrella on/off-net (OpenDNS intel); CES/ESA + AMP off-net (TALOS intel); FTD, WSA/ESA on-net (TALOS intel)
• Exploit / breach: AMP + TG (for content) on/off-net; FTD & AMP (for network) on-net; FTD on-net, all ports, IP layer; FTD, ISE + TrustSec on-net (prevent nmap); FTD, ISE + TrustSec & Stealthwatch on-net (segmentation & netflow)
• Install / callback: AMP + TG (for endpoint) on/off-net; Umbrella on/off-net, all ports, DNS & IP layer
• Persist: CWS/WSA & CTA, ports 80/443, on/off-net, proxy all; CWS/WSA off-net, proxy all

How You Get Infected
• Salesmen researching new products → secure outbound web access
• Manager opening e-mail from a vendor → secure mail
• Employee accessing files on a server → secure file access
Without a Defense In Depth strategy you have the problems we see today
[Network diagram: corporate device → access switch → distribution switch → core switch → Firepower appliance → router, with local services and a web proxy; a web browsing session requests a webpage and the ransomware is downloaded.]

Defense In Depth: Best Threat Surface Coverage Possible
[Same access/distribution/core diagram, now with cloud services in the path: DNS-Layer Security (Umbrella), Web Security Policy (AMP4E), Malware Sandbox (Threat Grid), Threat Intelligence (Talos). The DNS lookup, the webpage retrieval, the ransomware download and the command & control callback each pass a control.]

Services for Ransomware Defense

Cisco Security Services to address Ransomware
Service lines: Advisory, Consulting, Engineering, Operations. Services before, during and after an attack:
• Diagnose and demonstrate security weaknesses and vulnerabilities and provide recommendations
• Perform incident response and identify the “root cause” of the attack
• Review people, process and technology to identify exposed areas that may lead to a data breach
• Respond with expert resources to quickly and effectively mitigate security incidents
• Assess incident response readiness
• Design and deployment services for new technologies and products
• Increase efficiency and efficacy of security operations
• Free up personnel to focus on confirmed threats