How to Effectively Prevent Ransomware Infections Nattapon Palviriyachot System Engineer, Palo Alto Networks (Thailand)


Page 1

How to Effectively Prevent Ransomware Infections

Nattapon Palviriyachot

System Engineer, Palo Alto Networks (Thailand)

Page 2

What is Ransomware?

• “Ransomware” is a type of malware attack that is able to block access to sensitive files until the victim pays the attacker, often in an anonymous currency.

• Target file types: *.jpg, *.jpeg, *.raw, *.tif, *.gif, *.png, *.bmp, *.3dm, *.max, *.accdb, *.db, *.dbf, *.mdb, *.pdb, *.sql, *.*sav*, *.*spv*, *.*grle*, *.*mlx*, *.*sv5*, *.*game*, *.*slot*, *.dwg, *.dxf, *.c, *.cpp, *.cs, *.h, *.php, *.asp, *.rb, *.java, *.jar, *.class, *.aaf, *.aep, *.aepx, *.plb, *.prel, *.prproj, *.aet, *.ppj, *.psd, *.indd, *.indl, *.indt, *.indb, *.inx, *.idml, *.pmd, *.xqx, *.ai, *.eps, *.ps, *.svg, *.swf, *.fla, *.as3, *.as, *.txt, *.doc, *.dot, *.docx, *.docm, *.dotx, *.dotm, *.docb, *.rtf, *.wpd, *.wps, *.msg, *.pdf, *.xls, *.xlt, *.xlm, *.xlsx, *.xlsm, *.xltx, *.xltm, *.xlsb, *.xla, *.xlam, *.xll, *.xlw, *.ppt, *.pot, *.pps, *.pptx, *.pptm, *.potx, *.potm, *.ppam, *.ppsx, *.ppsm, *.sldx, *.sldm, *.wav, *.mp3, *.aif, *.iff, *.m3u, *.m4u, *.mid, *.mpa, *.wma, *.ra, *.avi, *.mov, *.mp4, *.3gp, *.mpeg, *.3g2, *.asf, *.asx, *.flv, *.mpg, *.wmv, *.vob, *.m3u8, *.csv, *.efx, *.sdf, *.vcf, *.xml, *.ses, *.dat

• Corporate targets: important documents, source code, product design diagrams, transaction records, product formulas, customer contacts, videos, pictures, etc.

Page 3

30 active malware families

Ransomware timeline:

• 1989: AIDS malware, the first known ransomware
• 2005: GPCoder, the return of malware
• 2010: WinLock, leveraging premium SMS
• 2012: Reveton, appears to be a fine from law enforcement
• 2013, the revolution: anonymous online payments with Bitcoin; CryptoWall, the first demanding Bitcoin for payment; AndroidDefender
• 2014: TorrentLocker; CTB-Locker, uses Tor for command-and-control; Simplocker, Android® devices
• 2015: PClock, copycat ransomware pretending to be CryptoLocker; TeslaCrypt, gaming save files
• 2016: KeRanger; Locky, Word documents

Page 4

Ransomware today (1)

Impact: >30 families

Page 5

WanaCrypt0r ransomware emerged May 12, 2017

Page 6

Please be prepared:

6 | © 2015, Palo Alto Networks. Confidential and Proprietary.

http://thehackernews.com/2017/05/smb-windows-hacking-tools.html

Page 7

Wanacrypt makes use of an exploit, a worm and ransomware

[Diagram: Wanacrypt spreading from host to host, including cloud and virtualization environments; on each host the MS17-010 exploit delivers the Wanacrypt malware, which then exploits the next host]

Page 8

DoublePulsar / EternalBlue (MS17-010 patch)

Scans for the DoublePulsar backdoor and the EternalBlue vulnerability on Microsoft Windows systems.

DoublePulsar is an NSA backdoor payload, used to spread the worm from one affected computer to the other vulnerable machines across the same network. The EternalBlue vulnerability (SMB exploit) was publicly disclosed by the Shadow Brokers group in April 2017.

a. Scan the internal LAN for SMB targets.

b. Generate random public IP addresses and scan them for SMB targets. This may have led to a big exponential effect.

c. For every machine found, exploit and compromise via EternalBlue / DoublePulsar.

Page 9

WanaCrypt0r encryption (MS17-010 patch)

SMBv1 protocol: automatically spreads via the Windows Server Message Block v1 (SMBv1) protocol.

d. Propagates itself over the SMB vector, behaving like a worm, once the infected computer discovers another computer with the DoublePulsar/EternalBlue vulnerability.

The “worm” contains a dropper binary, which is a ransomware sample belonging to the WanaCrypt family.
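The scanning behaviour in steps a to d, a single infected host fanning out to many hosts on TCP 445 including random public addresses, is what a defender can look for in firewall or flow logs, and it is also why the closing tips of this deck recommend blocking port 445 at the perimeter. The following Python script is an added example, not part of the presentation or of any Palo Alto Networks product: it parses a constructed set of connection-log lines (the `timestamp src dst dport action` layout, the addresses and the thresholds are all assumptions) and flags any source that reaches an unusual number of distinct SMB targets within a short window, counting separately how many of those targets lie outside RFC 1918 space.

```python
"""Flag worm-like SMB fan-out (one source reaching many hosts on TCP 445)
in connection logs. Added example; the log layout, addresses and
thresholds are assumptions, not taken from the presentation."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log: "<ISO timestamp> <src> <dst> <dport> <action>".
# 10.0.1.15 behaves like an infected host: seven distinct hosts on 445 in
# a few seconds, two of them on public (RFC 5737 documentation) addresses.
SAMPLE_LOG = """\
2017-05-12T02:10:01 10.0.1.15 10.0.1.20 445 allow
2017-05-12T02:10:01 10.0.1.15 10.0.1.21 445 allow
2017-05-12T02:10:02 10.0.1.15 10.0.1.22 445 deny
2017-05-12T02:10:02 10.0.1.15 10.0.1.23 445 deny
2017-05-12T02:10:03 10.0.1.15 10.0.1.24 445 allow
2017-05-12T02:10:04 10.0.1.15 198.51.100.7 445 deny
2017-05-12T02:10:05 10.0.1.15 203.0.113.9 445 deny
2017-05-12T02:10:05 10.0.1.15 10.0.1.20 445 allow
2017-05-12T02:11:00 10.0.1.40 10.0.1.5 445 allow
2017-05-12T02:11:30 10.0.1.33 10.0.1.5 445 allow
2017-05-12T02:11:31 10.0.1.33 10.0.1.6 445 allow
2017-05-12T02:11:32 10.0.1.33 10.0.1.7 445 allow
2017-05-12T02:12:00 10.0.1.40 10.0.1.5 443 allow
"""

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """RFC 1918 check. ipaddress.is_private is avoided on purpose: it also
    returns True for the documentation ranges used in the sample."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_log(text: str):
    """Return events as (timestamp, src, dst, dport, action), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    events.sort(key=lambda e: e[0])
    return events


def detect_smb_fanout(events, window=timedelta(seconds=60), min_targets=5):
    """Sliding-window count of distinct port-445 destinations per source.
    Returns {src: summary} for sources that reach >= min_targets distinct
    hosts inside `window`; the summary keeps the widest fan-out seen."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _action in events:   # denied attempts count too
        if dport == 445:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, conns in by_src.items():
        in_window = deque()          # (ts, dst) pairs inside the window
        counts = {}                  # dst -> connections inside the window
        best = None
        for ts, dst in conns:
            in_window.append((ts, dst))
            counts[dst] = counts.get(dst, 0) + 1
            while ts - in_window[0][0] > window:   # expire old connections
                _old_ts, old_dst = in_window.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            if len(counts) >= min_targets and (best is None or len(counts) > best["targets"]):
                best = {
                    "targets": len(counts),
                    "external_targets": sum(1 for d in counts if not is_internal(d)),
                    "window_start": in_window[0][0].isoformat(),
                    "window_end": ts.isoformat(),
                }
        if best is not None:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['targets']} SMB targets "
              f"({info['external_targets']} external) "
              f"between {info['window_start']} and {info['window_end']}")
```

A real deployment would feed the firewall's traffic log in place of `SAMPLE_LOG` and tune `min_targets` and `window` to the site's baseline; a file server legitimately talks to many clients, so the check should be applied to workstation sources, and any external target on 445 is worth an alert on its own.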

Page 10

Widespread reach enabled by automated ransomware and outdated computer systems

• Automated ransomware, i.e., lack of human interaction required to spread the infection to other computers
• Outdated computer systems / unpatched Windows systems

Page 11

Current Solutions Fail to Prevent Security Breaches

• 169 million personal records exposed in 2015, a 50% increase over 2014 (ITRC Data Breach Reports, 2015 Year-End Totals)
• 38 percent increase in security incidents in 2015 from 2014 (PwC, The Global State of Information Security Survey 2016)

Page 12

The Anatomy of a Targeted Attack

Conduct Reconnaissance, Compromise Endpoint, Establish Control Channel, Steal Data / Achieve Objective

The Right Time to Prevent a Security Breach is Before an Attacker Compromises an Endpoint to Gain a Foothold in Your Environment.

Page 13

How Targeted Attacks Compromise Endpoints

Targeted attack sequence: Conduct Reconnaissance, Compromise Endpoint, Establish Control Channel, Pursue Objectives

Compromising the endpoint:
• Exploit software vulnerabilities: weaponized data files/content subvert existing applications
• Execute malicious programs: self-contained malicious programs contain the necessary executable code

Page 14

Traditional AV is Not the Solution to Endpoint Protection. It’s the Problem!

Page 15

The endpoint landscape

• So many agents: compatibility issues, CPU/memory/IO consumption, operations, etc.
• Enterprises don’t want yet another endpoint agent
• But they know they need to replace their legacy AV/HIPS

[Diagram: categories of endpoint agents: Management, Forensics & IR, Data Loss Prevention, Encryption, Firewall, VPN, Antivirus, Exploit Prevention]

Page 16

How do Palo Alto Networks Customers Accomplish This?

Traps replaces traditional antivirus with Multi-Method Prevention that protects your endpoints from known and unknown threats.

Page 17

Palo Alto Networks endpoint focus

[Diagram: the same endpoint agent categories (Management, Forensics & IR, Data Loss Prevention, Encryption, Firewall, VPN, Antivirus, Exploit Prevention), with Traps and GlobalProtect marking the Palo Alto Networks focus areas]

Page 18

Traps Prevents Known & Unknown Threats from Compromising Endpoints

Targeted attack sequence: Conduct Reconnaissance, Compromise Endpoint, Establish Control Channel, Pursue Objectives

• Execute malicious programs: Traps prevents both known and unknown malware from infecting endpoints.
• Exploit software vulnerabilities: Traps prevents both known and unknown exploits, including zero-day exploits.

Online and offline, on-prem and off-prem.

Page 19

Malware = executable programs that carry out malicious activity

Exploits = weaponized data files & content that subvert normal applications

Page 20

Understanding the Threat

Exploit vs. Malware – What’s the Difference?

Exploit
§ Malformed data file that is processed by a legitimate app
§ Takes advantage of a vulnerability in the legitimate app which allows the attacker to run code
§ ‘Tricks’ the legitimate application into running the attacker’s code
§ Small payload

Malware
§ Malicious code that comes in an executable file form
§ Does not rely on any application vulnerability
§ Already executes code – aims to control the machine
§ Large payload

Page 21

Traps Multi-Method Malware Prevention

Page 22

Traps Multi-Method Malware Prevention Processes

When a user attempts to execute a program, Traps evaluates it in order:

1. Check hash against override policies: Restricted, block; Allowed, run; No match, continue
2. Check against list of trusted publishers: Trusted, run; No match, continue
3. Check hash with WildFire: Malicious, block; Benign, run; Unknown, submit program to WildFire for analysis and continue
4. Conduct local analysis: Malicious, block and quarantine program; Benign, run
5. Check execution restrictions (child process, folder restricted, removable drive): Restricted, block; Allowed, run
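To make the verdict chain on this slide concrete, here is an added Python model of it. It is not Traps code, and the policy fields, the entropy heuristic standing in for local analysis, and the sample programs are all constructed for the example. It walks a program through the five checks in the order the slide lists them (hash overrides, trusted publishers, WildFire hash verdict, local analysis, execution restrictions) and records which programs were submitted for analysis and which were quarantined. One deliberate design choice, stated as an assumption: the execution restrictions are applied as a final gate to every program that would otherwise run, not only to programs whose verdict was unknown.

```python
"""Model of the multi-method malware prevention chain on the slide above.
Added example, not Traps code: the policy layout, the entropy heuristic that
stands in for local analysis, and every sample program are constructed."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Program:
    path: str
    content: bytes
    publisher: Optional[str]        # signer, None if unsigned
    parent: str                     # process that launches it
    removable_drive: bool = False

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    hash_overrides: Dict[str, str] = field(default_factory=dict)   # sha256 -> "allowed" | "restricted"
    trusted_publishers: Set[str] = field(default_factory=set)
    wildfire_cache: Dict[str, str] = field(default_factory=dict)   # sha256 -> "benign" | "malicious"
    restricted_folders: Tuple[str, ...] = ()
    restricted_parents: Tuple[str, ...] = ()     # parents that may not spawn executables
    block_removable_drive: bool = True


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def local_analysis(content: bytes) -> str:
    """Stand-in for the machine-learning local verdict (assumption)."""
    return "malicious" if shannon_entropy(content) > 7.0 else "benign"


@dataclass
class Agent:
    policy: Policy
    submitted: List[str] = field(default_factory=list)    # hashes sent to WildFire
    quarantined: List[str] = field(default_factory=list)  # paths quarantined locally

    def evaluate(self, p: Program) -> Tuple[str, str]:
        """Return ("run" | "block", reason) following the five checks in order."""
        h = p.sha256
        override = self.policy.hash_overrides.get(h)            # 1. override policies
        if override == "restricted":
            return "block", "hash override: restricted"
        if override == "allowed":
            return self._restrictions(p, "hash override: allowed")
        if p.publisher in self.policy.trusted_publishers:        # 2. trusted publishers
            return self._restrictions(p, f"trusted publisher: {p.publisher}")
        verdict = self.policy.wildfire_cache.get(h)              # 3. WildFire hash verdict
        if verdict == "malicious":
            return "block", "WildFire verdict: malicious"
        if verdict == "benign":
            return self._restrictions(p, "WildFire verdict: benign")
        self.submitted.append(h)                                 # unknown: submit for analysis
        if local_analysis(p.content) == "malicious":             # 4. local analysis
            self.quarantined.append(p.path)
            return "block", "local analysis: malicious, quarantined"
        return self._restrictions(p, "local analysis: benign")

    def _restrictions(self, p: Program, reason: str) -> Tuple[str, str]:
        """5. execution restrictions, applied as the final gate before running."""
        pol = self.policy
        if pol.block_removable_drive and p.removable_drive:
            return "block", "execution restriction: removable drive"
        if any(p.path.lower().startswith(f.lower()) for f in pol.restricted_folders):
            return "block", "execution restriction: restricted folder"
        if p.parent.lower() in {x.lower() for x in pol.restricted_parents}:
            return "block", f"execution restriction: child process of {p.parent}"
        return "run", reason


# Constructed payloads: one with maximal entropy, one ordinary low-entropy file.
HIGH_ENTROPY = bytes(range(256)) * 16
PLAIN = b"MZ" + b"hello, ordinary program " * 200


def demo() -> Tuple[Dict[str, Tuple[str, str]], Agent]:
    policy = Policy(trusted_publishers={"Example Corp"},
                    restricted_folders=(r"C:\Users\alice\AppData\Local\Temp",),
                    restricted_parents=("winword.exe",))
    agent = Agent(policy)
    signed = Program(r"C:\Program Files\Tool\tool.exe", PLAIN, "Example Corp", "explorer.exe")
    admin_blocked = Program(r"C:\Users\alice\Downloads\old.exe", b"legacy " * 100, None, "explorer.exe")
    policy.hash_overrides[admin_blocked.sha256] = "restricted"
    known_bad = Program(r"C:\Users\alice\Downloads\bad.exe", b"bad " * 100, None, "explorer.exe")
    policy.wildfire_cache[known_bad.sha256] = "malicious"
    packed = Program(r"C:\Users\alice\Downloads\invoice.exe", HIGH_ENTROPY, None, "winword.exe")
    spawned = Program(r"C:\Users\alice\Downloads\drop.exe", PLAIN, None, "winword.exe")
    usb = Program(r"E:\setup.exe", PLAIN, None, "explorer.exe", removable_drive=True)
    results = {name: agent.evaluate(prog) for name, prog in [
        ("signed", signed), ("admin_blocked", admin_blocked), ("known_bad", known_bad),
        ("packed", packed), ("spawned", spawned), ("usb", usb)]}
    return results, agent


if __name__ == "__main__":
    results, agent = demo()
    for name, (decision, reason) in results.items():
        print(f"{name:13s} {decision:5s} {reason}")
    print("submitted:", len(agent.submitted), "quarantined:", agent.quarantined)
```

The order matters: an administrator's hash override is consulted before any cloud or local verdict, so a false positive can be released (or a known-bad file pinned) without waiting for a new WildFire verdict, and the child-process restriction catches the office-document-spawns-executable pattern even when the spawned file looks benign to every other check.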

Page 23

Check Hash with WildFire

[Diagram: the user tries to open an executable file (EXE); the file hash is checked first in the endpoint's local cache, then in the Endpoint Security Manager (ESM) server cache, then with WildFire, each lookup returning Unknown, Benign or Malicious. An unknown file is uploaded to WildFire; a changed hash verdict is saved to the ESM server, and a verdict can be overridden or revoked from the ESM console. A Malicious verdict stops execution; a Benign verdict means the file is safe to run.]

Page 24

WildFire Detects Malware Using Multiple Methods & Techniques

Static analysis:
§ File anomaly detection
§ Static signatures
§ String & code block detection
§ Machine learning & static analysis

Dynamic analysis:
§ Full execution analysis
§ Multi-version execution environment
§ Multi-dimensional scoring
§ Network traffic analysis

WildFire turns the unknown into the known in about 5 minutes.

Page 25

Traps Multi-Method Exploit Prevention

Page 26

Traps Prevents Exploits At Their Core

[Chart: total number of exploits over time for the three approaches below]

• Patching: requires prior knowledge, proactive application
• Signature / behavior: requires prior knowledge of weaponized exploits
• Traps: requires no patching, no prior knowledge of vulnerabilities, and no signatures; aims at the root of the exploitation attempts

Page 27

Exploit Prevention Architecture

• Traps modules inject into the user process and prevent use of exploit techniques
• Upon an exploitation attempt, the process is frozen, a notification is sent and forensic data is captured

[Diagram: the Traps agent (drivers, service, policy & reporting) injects Traps modules into the user process; an exploitation attempt is reported to the Traps console and the ESM]

Page 28

Block the Core Techniques – Not the Individual Attacks

Number of new variants each year:

• Individual attacks: software vulnerability exploits, thousands of new vulnerabilities and exploits (1,000s); malware, millions of new malware variations (1,000,000s)
• Core techniques: exploitation techniques, only two to four new exploit techniques (2-4); malware techniques, tens of new malware sub-techniques (~10s)

Page 29

Traps Multi-Method Exploit Prevention

1. Memory Corruption Prevention: the exploit manipulates the operating system’s normal memory management mechanisms
   - “Heap spray”
   - “Return-oriented programming” (ROP)
2. Code Execution Prevention: the end goal of every exploit is to “execute some arbitrary code”, the attacker’s commands that are embedded in the exploit data file
3. Logic Flaw Prevention: the exploit manipulates the operating system’s normal processes by modifying the location where dynamic link libraries (DLLs) are loaded
   - “DLL hijacking”

Page 30

Exploits Subvert Authorized Applications

[Diagram: an authorized application is driven through heap spray, ROP and utilizing an OS function to begin malicious activity; vendor patches close the vulnerabilities]

Malicious activity:
§ Download malware
§ Steal critical data
§ Encrypt hard drive
§ Destroy data
§ More…

Page 31

[Diagram repeated from the previous slide: authorized application, heap spray, ROP, utilizing an OS function, begin malicious activity; vendor patch]

§ Activate key logger
§ Steal critical data
§ Encrypt hard drive
§ Destroy data
§ More…

Page 32

Traps Blocks Exploit Techniques

[Diagram: the Traps exploit prevention module (EPM) blocks the heap spray step inside the authorized application, so no malicious activity follows]

Page 33

Traps Blocks Exploits That Use Unknown Techniques

[Diagram: an unknown exploit technique precedes ROP; the Traps EPM blocks the ROP step inside the authorized application, so no malicious activity follows]

Page 34

Exploit Prevention – The User Experience

Traps is Transparent to the User Until an Exploitation Attempt is Made

1. Unsuspecting user opens an infected document (the exploit evades anti-virus)
2. Traps injects itself seamlessly into the process
3. The exploit technique is attempted and blocked by Traps before any malicious activity is initiated
4. Traps reports the event and collects detailed forensics: user/admin is notified, the process is terminated, forensic data is collected

Page 35

Preventing One Technique in the Chain will Block the Entire Attack

Traps Blocks Zero-Day Exploits: actual zero-day exploits that Traps EPMs block

[Table: for each exploit, the chain of techniques used (Heap Spray, ROP, Utilizing OS Function, DLL Security) and the Traps exploit prevention modules (EPMs) that block a step of the chain: Memory Limit Heap Spray Check / Shellcode Preallocation, DEP Circumvention, UASLR, ROP Mitigation, JIT Spray / JIT Mitigation]

1. Operation Deputy Dog (CVE-2013-3893)
2. Turla/Snake Campaign (CVE-2013-3346)
3. Forbes Cyber-Espionage Campaign (CVE-2015-0310/0311)

Page 36

Collect Attempted-Attack Forensics

[Diagram: ongoing recording of forensic data; when an exploit or malware hits a trap and triggers real-time prevention, attack-related forensic data is collected as well]

Traps Collects Ongoing Forensics and Attack-Triggered Data

Page 37

Additional Details on Traps Forensic Data Collection

For execution of any file:
§ Time of execution
§ File name
§ File hash
§ User name
§ Computer name
§ IP address
§ OS version
§ File’s malicious history

When an exploit or malware hits a trap and triggers real-time prevention:
§ Time stamp and full memory dump
§ Triggering file (non-executable)
§ File source, names and paths including parent, grandparent and child processes
§ Prevented exploitation technique
§ IP address
§ OS version
§ Version of attempted vulnerable software
§ Components loaded to memory under attacked process
§ Indications of further memory corruption activity
§ User name and computer name
§ Accessed URIs; Java applets source URIs
§ Relevant DLL retrievals with their path
§ Relevant files from temp internet folders
§ Traps Automated Dump Analysis

Page 38

Benefits: Integrate into an Enterprise Security Platform

A. Architecture: scalability; ease of security administration
B. Operational capabilities: footprint; performance impact
C. Platform coverage: physical systems; virtual systems
D. Threat intelligence: integrated threat intelligence; threat data sharing

Page 39

A. Scalable Architecture: Traps Architecture Leverages a Scalable Endpoint Security Manager (ESM)

[Diagram: endpoints running Traps, on premise and off premise, report to the ESM server(s); the ESM connects to SIEM / external logging, forensic folder(s), SMTP alerting and the WildFire threat intelligence cloud]

3-Tier Management Structure:
§ ESM Console
§ Database
§ ESM Servers (each supports 10,000 endpoints & scales horizontally)

Page 40

B. Flexible, Scalable, with Minimal Footprint: Traps endpoints use minimal resources with multi-method prevention

Footprint:
§ 0.1% CPU load
§ 50 MB RAM
§ 250 MB HD
§ No scanning

Platform:
§ Physical & virtual
§ All major Windows editions
§ Protects systems after end-of-support

Applications:
§ Out-of-the-box protection for common applications
§ Extensible to any application

Management:
§ Central policy management
§ Full SIEM integration support
§ Role Based Access Control

Performance:
§ Not signature-based
§ No scanning required
§ No impact on shared resources
§ On-demand scalability
§ Built-in license elasticity

Protection:
§ Prevention of known & unknown exploits
§ Protection upon instantiation
§ Patching-independent prevention
§ Integrated threat intelligence

Page 41

C. Flexible Platform Coverage

Workstations:
§ Windows XP* (32-bit, SP3 or later)
§ Windows Vista (32-bit, 64-bit, SP1 or later; FIPS mode)
§ Windows 7 (32-bit, 64-bit, RTM and SP1; FIPS mode; all editions except Home)
§ Windows Embedded 7 (Standard and POSReady)
§ Windows 8* (32-bit, 64-bit)
§ Windows 8.1 (32-bit, 64-bit; FIPS mode)
§ Windows Embedded 8.1 Pro
§ Windows 10 Pro (32-bit and 64-bit)
§ Windows 10 Enterprise LTSB

Servers:
§ Windows Server 2003* (32-bit, SP2 or later)
§ Windows Server 2003 R2 (32-bit, SP2 or later)
§ Windows Server 2008 (32-bit, 64-bit; FIPS mode)
§ Windows Server 2008 R2 (32-bit, 64-bit; FIPS mode)
§ Windows Server 2012 (all editions; FIPS mode)
§ Windows Server 2012 R2 (all editions; FIPS mode)

* Microsoft no longer supports this operating system.

Virtual environments:
§ VMware ESX
§ Citrix XenServer
§ Oracle VirtualBox
§ Microsoft Hyper-V

Page 42

D. Threat Intelligence Cloud

[Diagram: the Threat Intelligence Cloud, fed by WildFire and malware/APT feeds, produces malware signatures, C&C/DNS signatures and URL signatures]

• >10,000 WildFire customers
• >30,000 sensors
• 5 minutes
• ~30,000 customers protected
• Global analysis & threat knowledge

Page 43

WanaCrypt0r: How Palo Alto Networks Protects You

Page 44

Protection Timeline: Palo Alto Networks Customer Protection

• August 2016: Traps Local Analysis prevention, prior to the attack. Ongoing protection for endpoints via local analysis and continuous WildFire updates.
• April 18, 2017 (after the Shadow Brokers release): Threat Prevention, vulnerability exploit blocked. Content release 688-2964: CVE-2017-0144 (TID 32422), MS17-010 (TID 32494, 32424, 32427, 32393, 32716, 32422).
• May 12, 2017, 12:00am: WanaCry 2.0 spreads.
• 2:30am: WildFire protections deployed; Traps prevents the execution of the ransomware.
• 2:34am: AutoFocus tag created; threat analytics and hunting enabled.
• 3:01am: AV name Trojan-Ransom/Win32.wanna.a, Unique Threat ID 179222880.
• 3:52am: AV name Trojan-Ransom/Win32.wanna.b, Unique Threat ID 179224458.
• May 13, 2017, 12:00am: alerts to 3rd-party solutions (customers that don’t have WildFire).

What each component contributes:

WildFire:
• Identifies and prevents new malware and exploits with continuous analysis
• Provides protection feeds every 5 mins

AutoFocus:
• View into WildFire data for latest analytics and hunting
• Extraction of relevant IoCs to deploy automated preventive measures

Threat Prevention:
• Threat prevention for vulnerability exploit and known malware protection

Traps:
• Preemptively blocks known and unknown malware and exploits
• Automates prevention by reprogramming itself using threat intelligence from WildFire

Page 45

Traps Multi-Method Prevention Blocks WanaCrypt0r

WildFire Threat Intelligence:
◉ Automatically blocks all previously-seen samples of WanaCrypt0r malware
◉ Enabled by default

(Check payload)

Page 46

Traps Multi-Method Prevention Blocks WanaCrypt0r

Traps Local Analysis (via Machine Learning):
◉ Automatically blocks new and never-before-seen samples of WanaCrypt0r malware
◉ Protected Traps customers since before the first report of WanaCrypt0r surfaced
◉ Enabled by default

Page 47

Traps Multi-Method Prevention Blocks WanaCrypt0r

WildFire Analysis:
◉ Traps automatically submits unknown samples of WanaCrypt0r to WildFire for analysis
◉ Enabled by default
◉ Traps can easily be configured to prevent execution of unknown programs until a WildFire verdict is available

Page 48

Traps Multi-Method Prevention Blocks WanaCrypt0r

Traps Malicious Process Control:
◉ Automatically prevents WanaCrypt0r malware from launching new executables to propagate itself
◉ New Content Update automatically applies the protection policies

Page 49

Traps Multi-Method Prevention Blocks WanaCrypt0r

• WildFire Threat Intelligence: automatically blocks all previously-seen samples of WanaCrypt0r malware
• Traps Local Analysis (via Machine Learning): blocks new and never-before-seen variants of WanaCrypt0r malware
• WildFire Analysis: submits unknown executables to WildFire for rapid detection and prevention
• Traps Malicious Process Control: controls launching of executables that WanaCrypt0r uses to propagate itself

Page 50

Complete security delivered as a platform

[Diagram: three natively integrated, automated and extensible pillars: Next-Generation Firewall (network), Advanced Endpoint Protection (endpoint) and Threat Intelligence Cloud (cloud). Products shown: AutoFocus, Traps, Aperture, VM-Series, WildFire, Threat Prevention, URL Filtering, GlobalProtect]

Page 51

Additional tips to protect against WanaCrypt0r

• Always install the latest security updates and patches (prevent EternalBlue)
• Patch the SMB vulnerability
• Consider disabling SMBv1 or segmenting and minimizing internal SMB traffic (reduce the attack surface)
• Block port 445 to the Internet (prevent propagation)
• Block port 445 at the perimeter
• Deploy IPS signatures
• Enable DNS sinkholes
• Use an endpoint protection solution with multi-method prevention
• Back up your files on an external drive or other appropriate medium
• Practice security basics and maintain security awareness

Page 52

Anti-Spyware Signature for DoublePulsar

The anti-spyware signature to prevent DoublePulsar was published on the 2nd of May, and this would have prevented this C2 channel on existing customer networks.

An example of a triggering rule during the exploit:

Page 53

Traps Content Update

On 15th May, a Content Update was created for Traps users as a reactive measure to the behavior of the samples.

Page 54

Questions?
