ransomware detection
play

Ransomware detection with Bro Mike Stokkel 13 Sept 2016 - PowerPoint PPT Presentation

Sep 05, 2022 •684 likes •983 views

Ransomware detection with Bro Mike Stokkel 13 Sept 2016 Introduction Who am I? Mike Stokkel Security Analyst @ Fox-IT Internship at Fox-IT Bachelor July 2016 Introduction Agenda What am I going to talk about?

  1. Ransomware detection with Bro Mike Stokkel 13 Sept 2016

  2. Introduction • Who am I? – Mike Stokkel – Security Analyst @ Fox-IT – Internship at Fox-IT – Bachelor July 2016 Introduction

  3. Agenda • What am I going to talk about? – Fox-IT – Ransomware – Bro Policy – Results – Demo

  4. Fox-IT

  5. Company • Located: Delft, The Netherlands • IT security – Managed Security Services – Auditing – Cryptographic solutions Fox-IT

  6. Security Operation Center • Snort-based detection • Bro Fox-IT

  7. Ransomware

  8. Explanation • Malware – Encryption – Payment – Decryption • Rising concern Ransomware

  9. Encryption • Process – Master key (public and private key) – Generating a key for the victim – Encrypting the victim’s key Ransomware

  10. Impact • Personal Computer – Local files • Company – Network Share • To pay or not to pay? Ransomware

  11. Spreading Methods • Exploit Kits – Browser vulnerabilities • E-mail – Malicious document – Macros Ransomware

  12. Exploit Kit • Version check • IP check • Download ransomware payload • Run payload Ransomware

  13. Malicious document • Macro • VBS script • Download & execute payload Ransomware

  14. Remote desktop programs • TeamViewer hack • RDP brute force Ransomware

  15. Detection Methods • IDS – Snort rules • Problem Ransomware

  16. Bro Policy

  17. Approach • Ransomware behavior – SMB • Possible solutions – File extension listing – Threshold SMB commands – Command-and-Control communication Bro Policy

  18. Entropy • Randomness of data • 0 – 8 bits per character Bro policy

  19. What about …. • Compressed files • Images • PDF • Mime/Media type Bro policy

  20. Functions • SMB parser – Events • File over new connection • Chunk event • SumStat – Threshold • Notice.log Bro Policy

  21. File over new connection • Check for SMB traffic • Check for certain filenames • Check for Mime type • Check for SMB action • Check if SMB action equals Write • Add File analyzer Bro Policy

  22. Chunk event • Check if the offset equals 0 • Calculate entropy of data collected from SMB write command • Use SumStat to add +1 for the threshold • Write to log file • Write a Notice.log Bro Policy

  23. Results

  24. Live Testing • Two new kinds of Ransomware Bro Policy

  25. Live Testing • Two new kinds of Ransomware – Google Chrome & Mozilla Firefox • Encrypted cache • Encryption tools – TrueCrypt – VeraCrypt • Documents – Printing – Creating Bro Policy

  26. Demo

  27. Samples • Locky/Zepto • Cryptowall • CTBLocker • Jigsaw (and all families) • Mobef • Shade • Maktub • Cerber/Alpha • Teslacrypt • Rokku • Crysis • Cerber • Bandarchor Demo

  28. Thank you for having me!

Recommend

1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

Geoff Hale 1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad actors, both criminal enterprises and nation-states have made use of ransomware. What: Ransomware is a type of malware that encrypts

358 views • 6 slides
Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

X by Invincea Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more sophisticated, and shifting to an enterprise threat Ransomware Nightmares X by Invincea To Pay Or Not To Pay? X by Invincea Your money or

780 views • 23 slides
On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele Lenzini, and Daniele Sgandurra June 20, 2019 Ransomware Threat 1 Ransomware Threat 1 Deception-Based Anti-Ransomware In the context of ransomware,

507 views • 22 slides
Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN KHARRAZ NICHOLAS BURTON ENGIN KIRDA What is Ransomware? What is Ransomware? u Ransomware is malicious software that encrypts user data, and

718 views • 33 slides
Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new attacker entrants, lower cost through kit automation, etc.) Take consumer and enterprise digital assets hostage using high- strength encryption

365 views • 18 slides
Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of Ransomware Technology Perspective and Attacked Devices Ransomware Economy Security Conditions Biomorphic Perimeterisation How to generate a

860 views • 61 slides
Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users files unless a ransom is paid.

517 views • 30 slides
Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy Bennett 2019 Cybersecurity Awareness Month Event October 22, 2019 2019 Texas Headlines Ransomware Ransomware Cyber criminals holding your data and

450 views • 23 slides
Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Locky Strike: Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts, FortiGuard Lion Team September 1, 2017 1 Cryptowall 2 This one? 3 Prevalence: Global ransomware Global Ransomware IPS Hits - February

647 views • 49 slides
How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How Healthcare IT Differs From General IT Agenda The Growing Threat of Ransomware What You Can Do Today To Protect Your Business How Healthcare IT

440 views • 32 slides
Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin Kirill Levchenko, Alex C. Snoeren, Damon McCoy Ransomware causes financial damages

798 views • 54 slides
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko https://arstechnica.com/information-technology/2012/11/mushrooming-growth-of-ransomware- extorts-5-million-a-year/

298 views • 13 slides
to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu

to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu

FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi Encryption Ransomware Is Becoming More Aggressive May 12,

772 views • 75 slides
What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary

What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary

What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary 1 Confidential & Proprietary Ransomware Overview Malware that blocks access to a system, device, or file until a ransom is paid

248 views • 11 slides
Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top

Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top

Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top Leaders-2019 www.vembu.com How to protect your business from a Ransomware attack? What is Ransomware? Types of Ransomware How it attacks? Stats for year

454 views • 16 slides
Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi

Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi

Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi with the help of many people from UCSD, NYU, and Chainalysis Only 37% of users backup their data g.co/research/protect Since 2016 ransomware

746 views • 62 slides
Ransomware-as-a-Service: An Evolving Business Model Wednesday, April 29 at 11 AM Eastern

Ransomware-as-a-Service: An Evolving Business Model Wednesday, April 29 at 11 AM Eastern

Ransomware-as-a-Service: An Evolving Business Model Wednesday, April 29 at 11 AM Eastern Ransomware-as-a-Service: An Evolving Business Model Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides Recording

999 views • 23 slides
Preparing for a Ransomware Attack MCCA Global TEC Forum June 19, 2017 Monica Patel, IBM

Preparing for a Ransomware Attack MCCA Global TEC Forum June 19, 2017 Monica Patel, IBM

Preparing for a Ransomware Attack MCCA Global TEC Forum June 19, 2017 Monica Patel, IBM Aravind Swaminathan, Orrick, Herrington & Sutcliffe Darren Teshima, Orrick, Herrington & Sutcliffe What is ransomware? Malicious software

200 views • 17 slides
How NOT to code your ransomware Liviu Itoaf About Me $ whoami Security Researcher @

How NOT to code your ransomware Liviu Itoaf About Me $ whoami Security Researcher @

How NOT to code your ransomware Liviu Itoaf About Me $ whoami Security Researcher @ Kaspersky Hands-on work: coding, reverse engineering, vulnerability research Malware analysis trainings T ags: GTD (Getting Things

392 views • 24 slides
Prepping for Ransomware in 2017 Risks change, and so should you. THM Group & Infrascale

Prepping for Ransomware in 2017 Risks change, and so should you. THM Group & Infrascale

Prepping for Ransomware in 2017 Risks change, and so should you. THM Group & Infrascale ABOUT THM GROUP Providing custom end-to-end voice & data solu4ons At a Glance Key Focus Founded: 20 years ago HQ: Barrie, Ontario Businesses

691 views • 38 slides
What We Learned Key Takeaways from the 2018 Ransomware Attack on Colorado Department of

What We Learned Key Takeaways from the 2018 Ransomware Attack on Colorado Department of

What We Learned Key Takeaways from the 2018 Ransomware Attack on Colorado Department of Transportation February March 2018 Topics How It Happened What It Did Timeline How We Responded Business Response Cyber Incident

669 views • 20 slides
Detection of neutral particles detection of neutrons detection of neutrinons detection of low

Detection of neutral particles detection of neutrons detection of neutrinons detection of low

Detection of neutral particles detection of neutrons detection of neutrinons detection of low energy photons (detection of high energy photons calorimeters) Peter Krizan, Neutron and neutrino detection Detection of neutral particles

1.21k views • 67 slides
Ransomware Threats to Storage(NAS/SAN/Cloud) and possible mitigation Tuesday, May 23, 2017

Ransomware Threats to Storage(NAS/SAN/Cloud) and possible mitigation Tuesday, May 23, 2017

Ransomware Threats to Storage(NAS/SAN/Cloud) and possible mitigation Tuesday, May 23, 2017 Anupam Jagdish Chomal Tech Lead/Principal Software Engineer DellEMC Isilon 1 Who am I? The Eternal Question Who am I? Principal

636 views • 18 slides
Ransomware & More Quick Note About Me Michael Zimmer, Director of Information Security

Ransomware & More Quick Note About Me Michael Zimmer, Director of Information Security

Ransomware & More Quick Note About Me Michael Zimmer, Director of Information Security Services at Northern Arizona University Working in IT at NAU 23 years, from Help Desk to Deskside Support to Sys Admin to InfoSec WHEN, not if

305 views • 8 slides

More recommend