How to Effectively Prevent Ransomware Infections
Nattapon Palviriyachot
System Engineer, Palo Alto Networks (Thailand)
What is Ransomware?
• “Ransomware” is a type of malware attack which is able to block access to sensitive files until the victim pays the attacker, often in an anonymous currency.
• Target file types: *.jpg, *.jpeg, *.raw, *.tif, *.gif, *.png, *.bmp, *.3dm, *.max, *.accdb, *.db, *.dbf, *.mdb, *.pdb, *.sql, *.*sav*, *.*spv*, *.*grle*, *.*mlx*, *.*sv5*, *.*game*, *.*slot*, *.dwg, *.dxf, *.c, *.cpp, *.cs, *.h, *.php, *.asp, *.rb, *.java, *.jar, *.class, *.aaf, *.aep, *.aepx, *.plb, *.prel, *.prproj, *.aet, *.ppj, *.psd, *.indd, *.indl, *.indt, *.indb, *.inx, *.idml, *.pmd, *.xqx, *.ai, *.eps, *.ps, *.svg, *.swf, *.fla, *.as3, *.as, *.txt, *.doc, *.dot, *.docx, *.docm, *.dotx, *.dotm, *.docb, *.rtf, *.wpd, *.wps, *.msg, *.pdf, *.xls, *.xlt, *.xlm, *.xlsx, *.xlsm, *.xltx, *.xltm, *.xlsb, *.xla, *.xlam, *.xll, *.xlw, *.ppt, *.pot, *.pps, *.pptx, *.pptm, *.potx, *.potm, *.ppam, *.ppsx, *.ppsm, *.sldx, *.sldm, *.wav, *.mp3, *.aif, *.iff, *.m3u, *.m4u, *.mid, *.mpa, *.wma, *.ra, *.avi, *.mov, *.mp4, *.3gp, *.mpeg, *.3g2, *.asf, *.asx, *.flv, *.mpg, *.wmv, *.vob, *.m3u8, *.csv, *.efx, *.sdf, *.vcf, *.xml, *.ses, *.dat
• Important corporate documents, source code, product design diagrams, transaction records, product formulas, customer contacts, videos, pictures, etc.
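The list of target file types above is what a behavioural detector watches for: a single process touching many of these types in a short burst. The following is an added example (not from the slide deck) of that heuristic in Python, run over a constructed file-event log; the process name cryptor.exe, the log format and the thresholds are assumptions for the demonstration.

```python
"""Flag processes that rewrite many ransomware-target file types in a short time.

Added example, not from the slide deck. It runs a sliding-window count over a
constructed file-event log ('ISO-timestamp|process|operation|path') and reports
processes that write or rename more targeted files than a threshold within the
window. Real endpoint protection combines this with other signals; this shows
the shape of the "mass modification of targeted file types" heuristic only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# A subset of the file types the deck lists as ransomware targets.
TARGET_EXTENSIONS = {
    ".jpg", ".png", ".psd", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt",
    ".csv", ".sql", ".db", ".mdb", ".c", ".cpp", ".java", ".dwg",
}


def extension(path):
    """Lower-cased extension of a path, or '' when it has none."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def parse_event(line):
    """Split one constructed log line into (timestamp, process, operation, path)."""
    ts, proc, op, path = line.split("|", 3)
    return datetime.fromisoformat(ts), proc, op, path


def find_mass_modifiers(lines, window=timedelta(seconds=60), threshold=20):
    """Return {process: peak count} for processes whose writes/renames of
    targeted files reach `threshold` within any `window`-long interval."""
    per_proc = defaultdict(list)
    for line in lines:
        ts, proc, op, path = parse_event(line)
        if op in ("write", "rename") and extension(path) in TARGET_EXTENSIONS:
            per_proc[proc].append(ts)
    flagged = {}
    for proc, times in per_proc.items():
        times.sort()
        best = start = 0
        # Sliding window: advance `start` until the window fits, track the peak.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[proc] = best
    return flagged


def _build_sample_events():
    """Constructed log: 'cryptor.exe' (hypothetical) rewrites 40 documents in
    40 seconds and renames each to a new extension; winword.exe saves a
    handful of files over the same period."""
    base = datetime(2017, 5, 12, 2, 30)
    lines = []
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts}|cryptor.exe|write|C:\\Users\\a\\Documents\\file{i}.docx")
        lines.append(f"{ts}|cryptor.exe|rename|C:\\Users\\a\\Documents\\file{i}.docx.locked")
    for i in range(5):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts}|winword.exe|write|C:\\Users\\a\\Documents\\report{i}.docx")
    return lines


SAMPLE_EVENTS = _build_sample_events()

if __name__ == "__main__":
    print(find_mass_modifiers(SAMPLE_EVENTS))   # {'cryptor.exe': 40}
```

The renamed ".locked" copies are deliberately not counted: the signal is the burst of writes to the original document types, so an encryptor that renames to an unlisted extension is still caught. The window and threshold are the tuning knobs; a word processor saving a few files stays below them.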
Ransomware timeline: 30 active malware families
• 1989: AIDS malware, the first known ransomware
• 2005: GPCoder, the return of malware
• 2010: WinLock, leveraging premium SMS
• 2012: Reveton, appears to be a fine from law enforcement
• 2013, the revolution: anonymous online payments with Bitcoin; CryptoWall, first demanding Bitcoin for payment; AndroidDefender
• 2014: TorrentLocker; CTB-Locker, uses Tor for command-and-control; Simplocker, Android® devices
• 2015: PClock, copycat ransomware pretending to be CryptoLocker; TeslaCrypt, gaming save files
• 2016: KeRanger; Locky®, Word documents
Impact: >30 families
Ransomware today (1)
WanaCrypt0r ransomware emerged May 12, 2017
Please be prepared:
6 | © 2015, Palo Alto Networks. Confidential and Proprietary.
http://thehackernews.com/2017/05/smb-windows-hacking-tools.html
WanaCrypt0r makes use of an exploit, a worm and ransomware
(Figure: a network diagram in which WanaCrypt0r spreads from host to host through the MS17-010 exploit; hosts marked "MS17-010 Patch" are the patched ones.)
DoublePulsar / EternalBlue (MS17-010)
Scans for the DoublePulsar backdoor and the EternalBlue vulnerability on Microsoft Windows systems. DoublePulsar is an NSA backdoor payload, used to spread the worm from one affected computer to the other vulnerable machines across the same network. The EternalBlue vulnerability (SMB exploit) was publicly disclosed by the Shadow Brokers group in April 2017.
a. Scan the internal LAN for SMB targets.
b. Generate random public IP addresses and scan them for SMB targets. This may have created a big exponential effect.
c. For every machine found, exploit and compromise via EternalBlue / DoublePulsar.
d. Propagate over the SMB vector, behaving like a worm.
SMBv1 Protocol
Automatically spreads via the Windows Server Message Block v1 (SMBv1) protocol. Once the infected computer discovers another computer with the DoublePulsar/EternalBlue vulnerability, the “worm” drops the binary it carries inside; that binary is a ransomware sample belonging to the WanaCrypt family (WanaCrypt0r encryption).
Widespread reach enabled by automated ransomware and outdated computer systems
• Automated ransomware, i.e., lack of human interaction required to spread infection to other computers
• Outdated computer systems / unpatched Windows systems
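The propagation pattern described above (sweeping the local LAN for SMB and probing random public addresses on port 445) leaves a recognisable footprint in firewall traffic logs. The following is an added example, not part of the slide deck, of detection logic over constructed log lines: it reports any source that contacts many distinct hosts on TCP/445 within a short window, or that contacts any address outside the organisation's own ranges on 445. The log format, the internal ranges and the thresholds are assumptions.

```python
"""Spot worm-like SMB fan-out in firewall traffic logs.

Added example, not part of the slide deck. Input lines are constructed and
have the form 'ISO-timestamp src dst dport action'. A source that reaches
many distinct hosts on TCP/445 within a short window, or that reaches any
address outside the organisation's own ranges on 445, is reported.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Address ranges this (hypothetical) organisation treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True if ip lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def smb_fanout(lines, window=timedelta(minutes=5), threshold=20):
    """Return {src: {"distinct_445": n, "external_445": m}} for every source
    that contacted at least `threshold` distinct hosts on port 445 within
    `window`, or contacted any external host on 445 at all."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, _action = parse_line(line)
        if dport == 445:
            per_src[src].append((ts, dst))

    findings = {}
    for src, events in per_src.items():
        events.sort()
        external = {dst for _, dst in events if is_external(dst)}
        best, start = 0, 0
        # Sliding window over time-sorted events, counting distinct destinations.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= threshold or external:
            findings[src] = {"distinct_445": best, "external_445": len(external)}
    return findings


def _build_sample_log():
    """Constructed log: 10.0.1.7 sweeps fifty neighbours and probes two outside
    addresses (documentation ranges); 10.0.1.20 only talks to its file server."""
    base = datetime(2017, 5, 12, 2, 30)
    lines = []
    for i in range(50):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 10.0.1.7 10.0.1.{10 + i} 445 allow")
    for j, dst in enumerate(("203.0.113.5", "198.51.100.9")):
        ts = (base + timedelta(seconds=100 + j)).isoformat()
        lines.append(f"{ts} 10.0.1.7 {dst} 445 deny")
    for k in range(3):
        ts = (base + timedelta(minutes=k)).isoformat()
        lines.append(f"{ts} 10.0.1.20 10.0.1.5 445 allow")
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for src, info in smb_fanout(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_445']} distinct SMB targets in window, "
              f"{info['external_445']} external")
```

Denied connections are counted as well as allowed ones: the perimeter block on 445 recommended later in the deck stops the spread, but the attempts themselves are the evidence that a host is already infected. The internal-range check is deliberately site-specific rather than relying on a library notion of "private" addresses.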
Current Solutions Fail to Prevent Security Breaches
• 169 million personal records exposed in 2015, a 50% increase over 2014 (source: ITRC Data Breach Reports – 2015 Year-End Totals)
• 38 percent increase in security incidents in 2015 from 2014 (source: PwC, The Global State of Information Security Survey 2016)
The Anatomy of a Targeted Attack
(Figure: targeted attack sequence) Conduct Reconnaissance → Compromise Endpoint → Establish Control Channel → Steal Data / Achieve Objective
The Right Time to Prevent a Security Breach is Before an Attacker Compromises an Endpoint to Gain a Foothold in Your Environment.
How Targeted Attacks Compromise Endpoints
(Figure: targeted attack sequence) Conduct Reconnaissance → Compromise Endpoint → Establish Control Channel → Pursue Objectives. The "Compromise Endpoint" step happens in one of two ways:
• Execute malicious programs: a self-contained, malicious program that contains the necessary executable code.
• Exploit software vulnerabilities: weaponized data files/content that subvert existing applications.
Traditional AV is Not the Solution
to Endpoint Protection.
It’s the Problem!
The endpoint landscape
• So many agents…compatibility issues, CPU/memory/IO consumption,
operations, etc.
• Enterprises don’t want yet another endpoint agent
• But they know they need to replace their legacy AV/HIPS
(Figure: the crowd of endpoint agents: Management, Forensics & IR, Data Loss Prevention, Encryption, Firewall, VPN, Antivirus, Exploit Prevention.)
How do Palo Alto Networks Customers Accomplish This?
Traps replaces traditional antivirus with Multi-Method Prevention that protects your endpoints from known and unknown threats.
Palo Alto Networks endpoint focus
(Figure: the same set of endpoint agents; the Palo Alto Networks endpoint focus covers Antivirus and Exploit Prevention with Traps, and VPN with GlobalProtect.)
Traps Prevents Known & Unknown Threats from Compromising Endpoints
(Figure: targeted attack sequence, Conduct Reconnaissance → Compromise Endpoint → Establish Control Channel → Pursue Objectives, with Traps acting at the Compromise Endpoint step.)
• Execute malicious programs (executable programs carry out malicious activity) = Malware. Traps prevents both known and unknown malware from infecting endpoints.
• Exploit software vulnerabilities (weaponized data files & content subvert normal applications) = Exploits. Traps prevents both known and unknown exploits, including zero-day exploits.
Protection applies online and offline, on-prem and off-prem.
Understanding the Threat
Exploit vs. Malware – What’s the Difference?
Exploit
§ Malformed data file that is processed by a legitimate app
§ Takes advantage of a vulnerability in the legitimate app which allows the attacker to run code
§ ‘Tricks’ the legitimate application into running the attacker’s code
§ Small payload
Malware
§ Malicious code that comes in an executable file form
§ Does not rely on any application vulnerability
§ Already executes code – aims to control the machine
§ Large payload
Traps Multi-Method Malware Prevention
Traps Multi-Method Malware Prevention Processes
(Flowchart) When a user attempts to execute a program, Traps runs the following checks; each check either decides (Run ✓ or Block ×) or passes the program on to the next check:
1. Check hash against override policies: Malicious → Block; Trusted/Benign → Run; no match → continue.
2. Check against list of trusted publishers: Trusted → Run; no match → continue.
3. Check hash with WildFire: Malicious → Block; Benign → Run; Unknown → continue, and submit the program to WildFire for analysis.
4. Conduct local analysis: Malicious → Block; Benign → Run.
5. Check execution restrictions (child process, folder restricted, removable drive): Restricted → Block; Allowed → Run.
Unknown programs can also be quarantined pending the WildFire verdict.
Check hash with WildFire (detail)
When a user tries to open an executable file, its hash is looked up in the Traps local cache, then in the server cache on the Endpoint Security Manager (ESM), then in WildFire itself. Each lookup returns Benign, Malicious or Unknown: Benign → Safe (run); Malicious → execution stopped; Unknown → the file is uploaded to WildFire for analysis. From the ESM Console an administrator can override or revoke a verdict; the changed hash verdict is saved to the ESM server.
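The decision chain above is easiest to reason about as code. The following is an added example, not Palo Alto Networks code: a model of the sequence of checks on the flowchart, with constructed stand-ins for the ESM override policy, the trusted-publisher list, the WildFire hash cache and the local analysis model. The block-unknown option models the configuration mentioned later in the deck, preventing execution of unknown programs until a WildFire verdict is available. Program names, hashes and the marker string are constructed.

```python
"""Model of the Traps multi-method execution-verdict chain on the slide.

Added example, not Palo Alto Networks code. The sequence of checks follows
the flowchart; the policy tables below are constructed stand-ins for the ESM
override policy, trusted-publisher list, WildFire hash cache and local
analysis model.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Program:
    name: str
    content: bytes
    publisher: str = ""
    parent: str = ""          # process that launched this one
    path: str = ""
    removable_drive: bool = False

    def sha256(self):
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    override: dict = field(default_factory=dict)        # sha256 -> "malicious"/"benign"
    trusted_publishers: set = field(default_factory=set)
    wildfire: dict = field(default_factory=dict)        # sha256 -> "malicious"/"benign"
    restricted_parents: set = field(default_factory=set)
    restricted_folders: tuple = ()
    block_unknown: bool = False   # quarantine until WildFire answers


def local_analysis(program):
    """Stand-in for the machine-learning local analysis: a constructed marker
    string plays the role of malicious file features."""
    return "malicious" if b"CONSTRUCTED_MALWARE_MARKER" in program.content else "benign"


def execution_restriction(program, policy):
    """Return the execution restriction that applies, or None."""
    if program.parent in policy.restricted_parents:
        return f"child process of {program.parent}"
    if any(program.path.lower().startswith(f.lower()) for f in policy.restricted_folders):
        return "restricted folder"
    if program.removable_drive:
        return "removable drive"
    return None


def evaluate(program, policy, submissions=None):
    """Return (decision, stage, reason); decision is 'run', 'block' or 'quarantine'."""
    h = program.sha256()
    # 1. Hash against administrator override policies.
    if h in policy.override:
        v = policy.override[h]
        return ("block" if v == "malicious" else "run", "override", v)
    # 2. Trusted publishers.
    if program.publisher and program.publisher in policy.trusted_publishers:
        return ("run", "trusted_publisher", program.publisher)
    # 3. WildFire hash verdict.
    verdict = policy.wildfire.get(h, "unknown")
    if verdict == "malicious":
        return ("block", "wildfire", verdict)
    stage = "wildfire"
    if verdict == "unknown":
        if submissions is not None:
            submissions.append(h)            # unknown sample goes to WildFire
        if policy.block_unknown:
            return ("quarantine", "wildfire", "awaiting WildFire verdict")
        # 4. Local analysis decides while WildFire works.
        stage = "local_analysis"
        if local_analysis(program) == "malicious":
            return ("block", stage, "malicious")
    # 5. Execution restrictions apply to everything not already decided.
    reason = execution_restriction(program, policy)
    if reason:
        return ("block", "execution_restriction", reason)
    return ("run", stage, "benign")


# Constructed policy and programs for a demonstration run.
KNOWN_GOOD = b"constructed known-good binary"
KNOWN_BAD = b"constructed known-bad binary"
ADMIN_BLOCKED = b"constructed admin-blocked binary"

POLICY = Policy(
    override={hashlib.sha256(ADMIN_BLOCKED).hexdigest(): "malicious"},
    trusted_publishers={"Example Corp (constructed)"},
    wildfire={hashlib.sha256(KNOWN_GOOD).hexdigest(): "benign",
              hashlib.sha256(KNOWN_BAD).hexdigest(): "malicious"},
    restricted_parents={"winword.exe"},
    restricted_folders=(r"C:\Users\Public\Downloads",),
)

SAMPLES = [
    Program("tool.exe", KNOWN_GOOD, path=r"C:\Program Files\tool.exe"),
    Program("bad.exe", KNOWN_BAD),
    Program("blocked.exe", ADMIN_BLOCKED),
    Program("new.exe", b"CONSTRUCTED_MALWARE_MARKER never seen"),
    Program("macro.exe", b"constructed unknown content", parent="winword.exe"),
    Program("usb.exe", b"constructed unknown content", removable_drive=True),
    Program("vendor.exe", b"constructed signed content", publisher="Example Corp (constructed)"),
]

if __name__ == "__main__":
    submitted = []
    for p in SAMPLES:
        print(p.name, evaluate(p, POLICY, submitted))
    print("submitted to WildFire:", len(submitted))
```

The ordering matters: an administrator override beats every automated verdict, and a hash-based verdict never has to be recomputed, so the expensive local analysis runs only for programs that are unknown to WildFire. The child-process restriction is the piece that matters most for a worm like WanaCrypt0r, which launches new executables to spread.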
WildFire Detects Malware Using Multiple Methods & Techniques
Static analysis: file anomaly detection; static signatures; string & code block detection; machine learning & static analysis.
Dynamic analysis: full execution analysis; multi-version execution environment; multi-dimensional scoring; network traffic analysis.
WildFire turns the unknown into the known in about 5 minutes.
Traps Multi-Method Exploit Prevention
Traps Prevents Exploits At Their Core
(Figure: total number of threats over time, comparing three approaches.)
• Patching: requires prior knowledge and proactive application.
• Signature / Behavior: requires prior knowledge of weaponized exploits.
• Traps: requires no patching, no prior knowledge of vulnerabilities, and no signatures; aims at the root of the exploitation attempts.
Exploit Prevention Architecture
• Traps modules inject into user processes and prevent use of exploit techniques
• Upon exploitation, the process is frozen, a notification is sent and forensic data is captured
(Figure: the Traps Agent, with its drivers and service, injects Traps Modules into the User Process, where the exploitation attempt is caught; policy & reporting flow between the agent, the ESM and the Traps Console.)
Block the Core Techniques – Not the Individual Attacks
Number of new variants each year:
Individual attacks
• Software vulnerability exploits: thousands of new vulnerabilities and exploits (1,000s)
• Malware: millions of new malware variations (1,000,000s)
Core techniques
• Exploitation techniques: only two to four new exploit techniques (2-4)
• Malware techniques: tens of new malware sub-techniques (~10s)
Traps Multi-Method Exploit Prevention
• Memory Corruption Prevention: the exploit manipulates the operating system’s normal memory management mechanisms, e.g. “heap spray” and “return-oriented programming” (ROP).
• Logic Flaw Prevention: the exploit manipulates the operating system’s normal processes by modifying the location where dynamic link libraries (DLLs) are loaded, e.g. “DLL hijacking.”
• Code Execution Prevention: the end goal of every exploit is to “execute some arbitrary code”, the attacker’s commands that are embedded in the exploit data file.
Exploits Subvert Authorized Applications
(Figure) Vulnerabilities in an authorized application → Heap Spray → ROP → Utilizing OS Function → Begin Malicious Activity:
§ Download malware
§ Activate key logger
§ Steal critical data
§ Encrypt hard drive
§ Destroy data
§ More…
Vendor patches close the vulnerabilities at the start of this chain.
Traps Blocks Exploit Techniques
(Figure) Authorized Application → Heap Spray, blocked by a Traps EPM → No Malicious Activity
Traps Blocks Exploits That Use Unknown Techniques
(Figure) Authorized Application → Unknown Exploit Technique → ROP, blocked by a Traps EPM → No Malicious Activity
Exploit Prevention – The User Experience
Traps is transparent to the user until an exploitation attempt is made:
1. An unsuspecting user opens an infected document (the exploit evades anti-virus).
2. Traps injects itself seamlessly into the process.
3. The exploit technique is attempted and blocked by Traps before any malicious activity is initiated.
4. Traps reports the event and collects detailed forensics: the user/admin is notified, the process is terminated, and forensic data is collected.
Preventing one technique in the chain will block the entire attack.
Traps Blocks Zero-Day Exploits: Actual Zero-Day Exploits That Traps EPMs Block
(Figure: for each exploit, the chain of techniques it uses and the Traps EPMs that block them. Techniques and EPMs shown: Heap Spray, ROP, Utilizing OS Function, DLL Security, Memory Limit Heap Spray Check / Shellcode Preallocation, DEP Circumvention, UASLR, JIT Spray, JIT Mitigation, ROP Mitigation, ROP Mitigation/UASLR.)
1 Operation Deputy Dog (CVE-2013-3893) 2 Turla/Snake Campaign (CVE-2013-3346) 3 Forbes Cyber-Espionage Campaign (CVE-2015-0310/0311)
Collect Attempted-Attack Forensics
(Figure) An exploit or malware hits a trap and triggers real-time prevention; Traps collects ongoing forensics (ongoing recording) and attack-triggered data (attack-related forensic data).
Additional Details on Traps Forensic Data Collection
For execution of any file:
§ Time of execution
§ File name
§ File HASH
§ User name
§ Computer name
§ IP address
§ OS version
§ File’s malicious history
For a prevented exploitation attempt:
§ Time stamp and full memory dump
§ Triggering file (non-executable)
§ File source, names and paths, including parent, grandparent and child processes
§ Prevented exploitation technique
§ IP address
§ OS version
§ Version of attempted vulnerable software
§ Components loaded to memory under attacked process
§ Indications of further memory corruption activity
§ User name and computer name
§ Accessed URIs; Java applets source URIs
§ Relevant DLL retrievals with their path
§ Relevant files from temp internet folders
§ Traps Automated Dump Analysis
Benefits: Integrate into an Enterprise Security Platform
A. Architecture: scalability; ease of security administration
B. Operational capabilities: footprint; performance impact
C. Platform coverage: physical systems; virtual systems
D. Threat intelligence: integrated threat intelligence; threat data sharing
A. Scalable Architecture: Traps Architecture Leverages a Scalable Endpoint Security Manager (ESM)
(Figure: endpoints running Traps, on premise and off premise, report to the ESM Server(s); the ESM connects to forensic folder(s), SIEM / external logging, SMTP alerting and the WildFire Threat Intelligence Cloud.)
3-Tier Management Structure
§ ESM Console
§ Database
§ ESM Servers (each supports 10,000 endpoints & scales horizontally)
B. Flexible, Scalable, with Minimal Footprint: Traps endpoints use minimal resources with multi-method prevention
Footprint
§ 0.1% CPU load
§ 50 MB RAM
§ 250 MB HD
§ No scanning
Platform
§ Physical & virtual
§ All major Windows editions
§ Protects systems after end-of-support
Applications
§ Out-of-the-box protection for common applications
§ Extensible to any application
Management
§ Central policy management
§ Full SIEM integration support
§ Role Based Access Control
Performance
§ Not signature-based
§ No scanning required
§ No impact on shared resources
§ On-demand scalability
§ Built-in license elasticity
Protection
§ Prevention of known & unknown exploits
§ Protection upon instantiation
§ Patching-independent prevention
§ Integrated threat intelligence
C. Flexible Platform Coverage
Workstations
§ Windows XP* (32-bit, SP3 or later)
§ Windows Vista (32-bit, 64-bit, SP1 or later; FIPS mode)
§ Windows 7 (32-bit, 64-bit, RTM and SP1; FIPS mode; all editions except Home)
§ Windows Embedded 7 (Standard and POSReady)
§ Windows 8* (32-bit, 64-bit)
§ Windows 8.1 (32-bit, 64-bit; FIPS mode)
§ Windows Embedded 8.1 Pro
§ Windows 10 Pro (32-bit and 64-bit)
§ Windows 10 Enterprise LTSB
Servers
§ Windows Server 2003* (32-bit, SP2 or later)
§ Windows Server 2003 R2 (32-bit, SP2 or later)
§ Windows Server 2008 (32-bit, 64-bit; FIPS mode)
§ Windows Server 2008 R2 (32-bit, 64-bit; FIPS mode)
§ Windows Server 2012 (all editions; FIPS mode)
§ Windows Server 2012 R2 (all editions; FIPS mode)
* Microsoft no longer supports this operating system.
Virtual Environments
§ VMware ESX
§ Citrix XenServer
§ Oracle VirtualBox
§ Microsoft Hyper-V
D. Threat Intelligence Cloud
(Figure: the Threat Intelligence Cloud, fed by WildFire and malware/APT feeds, distributes malware signatures, C&C/DNS signatures and URL signatures.)
§ >10,000 WildFire customers
§ >30,000 sensors
§ 5 minutes
§ ~30,000 customers protected
Global analysis & threat knowledge
WanaCrypt0r: How Palo Alto Networks Protects You
Protection Timeline
• August 2016: Traps Local Analysis prevention, prior to the attack. Ongoing protection for endpoints via local analysis and continuous WildFire updates.
• April 18, 2017 (Shadow Brokers): Threat Prevention blocks the vulnerability exploit. Content release 688-2964: CVE-2017-0144 (TID 32422), MS17-010 (TID 32494, 32424, 32427, 32393, 32716, 32422).
• May 12, 2017, 12:00am: WanaCry 2.0 spreads.
• 2:30am: WildFire protections deployed; Traps prevents the execution of the ransomware. Alerts to 3rd-party solutions.
• 2:34am: AutoFocus tag created; threat analytics and hunting enabled.
• 3:01am: AV name Trojan-Ransom/Win32.wanna.a, Unique Threat ID 179222880 (AV signatures, for customers that don’t have WildFire).
• 3:52am: AV name Trojan-Ransom/Win32.wanna.b, Unique Threat ID 179224458.
• May 13, 2017, 12:00am.
Palo Alto Networks Customer Protection
WildFire: identifies and prevents new malware and exploits with continuous analysis; provides protection feeds every 5 mins.
AutoFocus: view into WildFire data for latest analytics and hunting; extraction of relevant IoCs to deploy automated preventive measures.
Threat Prevention: threat prevention for vulnerability exploit and known malware protection.
Traps: preemptively blocks known and unknown malware and exploits; automates prevention by reprogramming itself using threat intelligence from WildFire.
Traps Multi-Method Prevention Blocks WanaCrypt0r
1. WildFire Threat Intelligence
◉ Automatically blocks all previously-seen samples of WanaCrypt0r malware
◉ Enabled by default
2. Traps Local Analysis (via Machine Learning)
◉ Automatically blocks new and never-before-seen samples (variants) of WanaCrypt0r malware
◉ Protected Traps customers since before the first report of WanaCrypt0r surfaced
◉ Enabled by default
3. WildFire Analysis
◉ Traps automatically submits unknown samples of WanaCrypt0r to WildFire for analysis, for rapid detection and prevention
◉ Enabled by default
◉ Traps can easily be configured to prevent execution of unknown programs until a WildFire verdict is available
4. Traps Malicious Process Control
◉ Automatically prevents WanaCrypt0r malware from launching new executables to propagate itself
◉ New Content Update automatically applies the protection policies
Complete security delivered as a platform
(Figure: the Palo Alto Networks platform. Network: Next-Generation Firewall, VM-Series, Threat Prevention, URL Filtering, GlobalProtect. Endpoint: Advanced Endpoint Protection (Traps). Cloud: Threat Intelligence Cloud (WildFire, AutoFocus, Aperture). Natively integrated, automated, extensible.)
Additional tips to protect against WanaCrypt0r
• Always install the latest security updates and patches (prevent EternalBlue)
• Patch the SMB vulnerability
• Consider disabling SMBv1 or segmenting and minimizing internal SMB traffic (reduce attack surface)
• Block 445 to the Internet (prevent propagation)
• Block 445 in the perimeter
• Deploy IPS signatures
• Enable DNS sinkholes
• Use an endpoint protection solution with multi-method preventions
• Back up your files on an external drive or other appropriate medium
• Practice security basics and maintain security awareness
Anti-Spyware Signature for DoublePulsar
The spyware signature to prevent DoublePulsar was published on 2nd of May, and
this would have prevented this C2 channel on existing customer networks.
An example of a triggering rule during the exploit:
Traps Content Update
On 15th May, a Content Update was created for Traps users as a reactive measure to the behavior of the samples.
Questions?