Recover from Ransomware in Minutes
Darren Swift
Principal System Engineer
www.virtuallyonit.com
@Difd_11
$209 Million Q1 2016, Est $1 Billion FY16
1 month = 56,000 infections
101+ Ransomware Families (62 new)
Email campaigns still dominate (6000% increase)
Finance & healthcare most targeted
Understanding the Depth
$1,200 ransom & 70%
4 out of 5 recover from backup
Average 8 hours recovery
<50% Success rate
54% of organizations affected
Understanding the Depth
Recent Example
Attack vector: SMB vulnerability “EternalBlue” (MS17-010)
200,000 attacks in 150 countries
Remote exploit kit automation
All connected computers' files encrypted
$600 for each computer
VSS deleted & backup files deleted
• We cannot go any further without discussing the events on the 12th May
• 2 Standout points for me were:
• Delivery Mechanism
• Scale
#WannaCry
Cerber-6 – How it Works…
“The Hound of Hades”
• Cerber has been the most prolific and advanced ransomware family throughout 2016–2017 (first observed Feb 2016)
• Thought to have originated in Russia
• Cerber ransomware available through a private affiliate program earning 60% of the profits
• Rapid development / customization
• Unique Bitcoin address generated for each victim along with a “Bitcoin Mixing Service”
RaaS Eco-System
• Configuration file is an encrypted JSON
• Can be customized for each attack / campaign
• Example is on GitHub
• Contains all customization parameters:
• Folders & files to infect
• Check for anti-virus or VM
• Language checks / blacklist
• Statistic checks / sending
• Ransom note v
Cerber Design
• Attack vector: 2 main methods
• Email (example: CV)
• 2-line emails, .rtf
• Exploit kits (3 main ones)
• Magnitude, Neutrino & RIG
• Living on webservers as links, etc.
• Same output: Cerber payload is initialised (.js or .ps1)
• Creates a Mutex
• Persistence is gained in %APPDATA%\Roaming\<GUID>
• Registry keys are added under HKEY_CURRENT_USER\Printers\Defaults
• Multiple processes are spun up (division of work)
Cerber Attack
• Code is not readable: uses encrypted strings and only decrypts each string just before it is needed
• Configuration file is referenced (blacklist and language settings)
• Anti-VM
• Anti-Virus
• Anti-Sandbox
• Sends statistics home
• Watchdog mode is started
• Shadow mode removes VSS shadow copies and uses bcdedit.exe to edit the boot configuration
• UAC is bypassed (UAC level Default or lower = silent bypass)
Cerber Evasion Techniques
• Cerber-6 can encrypt in offline mode!
• Searches config file for blacklists, then encrypts:
• Local & shared drives
• Encryption process produces high-entropy output
• Content is different after every encryption
• RSA 2048-bit key embedded in program
• Creates 3 files displaying the ransom note
• Terminates Watchdog
• Clears registry keys
• Sends statistics to C&C server
• Encrypted file name = [0-9a-zA-Z_-]{10}.cerber
Cerber Encryption
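The naming pattern and the high-entropy output described on this slide are two cheap file-level signals a defender can check for. The following Python script is an added example (not from the original deck) that walks a directory tree and flags files whose name matches the `[0-9a-zA-Z_-]{10}.cerber` pattern or whose content has near-random Shannon entropy. The 7.5 bits/byte threshold, the 4 KiB minimum size and the sample files it builds are assumptions and constructed data, not Cerber artefacts.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Encrypted-file naming pattern from the slide: ten [0-9a-zA-Z_-] characters + ".cerber"
CERBER_NAME = re.compile(r"^[0-9a-zA-Z_-]{10}\.cerber$")

# Encrypted or random data approaches 8.0 bits of entropy per byte; text and most
# documents sit well below that. 7.5 is an assumed threshold, not a measured one.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 4096  # tiny files give noisy entropy estimates, so they are skipped


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> list:
    """Return the reasons (possibly none) why this file looks ransomware-encrypted."""
    reasons = []
    if CERBER_NAME.match(path.name):
        reasons.append("cerber-name")
    data = path.read_bytes()
    if len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return reasons


def scan_tree(root: Path) -> dict:
    """Map relative path -> reasons for every suspicious file under root."""
    hits = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = classify(p)
            if reasons:
                hits[str(p.relative_to(root))] = reasons
    return hits


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for the demo; random bytes stand in for ciphertext."""
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_bytes(b"quarterly report, nothing unusual here\n" * 200)
    (root / "docs" / "aB3dE5fG7h.cerber").write_bytes(os.urandom(64 * 1024))  # name + entropy
    (root / "docs" / "budget.xlsx").write_bytes(os.urandom(64 * 1024))         # entropy only
    (root / "docs" / "ransom_note.txt").write_bytes(b"ransom note text " * 300)  # low entropy


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        for rel, why in scan_tree(root).items():
            print(f"{rel}: {', '.join(why)}")
```

Run against a file share or a restored copy; the entropy check also catches encrypted files that a variant renames differently, while the name check catches small files the entropy test skips.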
Cerber Result: “Quod me non necat me fortiorem facit” or “What doesn’t kill me, makes me stronger”
Stop Infections Today
Users, IT Dept, External
- Train users & IT
- Anti-virus/malware
- Restrict domain admins
- Disable content & auto-play
- Isolate external users
- Software restriction policies – AppLocker on %AppData%
Disks, Network
- Enable file extensions
- Audit file shares
- Audit permissions
- Apply read-only
- Firewall policies
- User VLANs
- Honey trap & alerting
- FSRM policies
- Restrict SMB access / port 445
Web, Email, USB, BYOD
- Secure entry points
- Filter web traffic
- Scan / block email attachments
- Block USB devices (PacketFence)
- Isolate BYOD
- No web access on VMs
- Patching
- JS opens in notepad.exe by default
Stopping Infections
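Of the controls listed on this slide, honey trap & alerting is the easiest to prototype. The following Python code is an added example, not from the original deck, of canary files with a hash baseline: decoys are dropped into each file share, re-checked on a schedule, and an alert is raised when one is modified or disappears (deleted, or renamed to an encrypted name), which also identifies the share to isolate first. The canary names, their content and the share paths are constructed assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Names start with "!" so they sort first in a listing (assumption: an encryptor that
# walks folders alphabetically touches the decoys before most real documents).
CANARY_NAMES = ["!canary_do_not_touch.docx", "!canary_do_not_touch.xlsx"]
CANARY_CONTENT = b"CANARY FILE: do not edit, delete or move. Changes raise an alert.\n" * 16


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def deploy_canaries(shares: list) -> dict:
    """Write a canary set into every share; return the baseline {path: sha256}."""
    baseline = {}
    for share in shares:
        for name in CANARY_NAMES:
            p = Path(share) / name
            p.write_bytes(CANARY_CONTENT)
            baseline[str(p)] = sha256(CANARY_CONTENT)
    return baseline


def check_canaries(baseline: dict) -> list:
    """Compare each canary with the baseline; return (path, finding) alerts."""
    alerts = []
    for path_str, expected in baseline.items():
        p = Path(path_str)
        if not p.exists():
            # deleted or renamed: both are what an encryptor does to the original file
            alerts.append((path_str, "missing"))
        elif sha256(p.read_bytes()) != expected:
            alerts.append((path_str, "modified"))
    return alerts


def affected_shares(alerts: list) -> list:
    """Shares that need isolating, derived from the alert paths."""
    return sorted({str(Path(p).parent) for p, _ in alerts})


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        shares = [Path(tmp) / "finance", Path(tmp) / "hr"]
        for s in shares:
            s.mkdir()
        baseline = deploy_canaries(shares)
        save_baseline(baseline, Path(tmp) / "canaries.json")
        # constructed incident: one canary overwritten, one renamed by an encryptor
        (shares[0] / CANARY_NAMES[0]).write_bytes(b"\x00\x9a\x33 not the original")
        (shares[1] / CANARY_NAMES[1]).rename(shares[1] / "k3Jd9sLq2w.cerber")
        alerts = check_canaries(load_baseline(Path(tmp) / "canaries.json"))
        for path, finding in alerts:
            print(f"ALERT {finding}: {path}")
        print("isolate:", affected_shares(alerts))
```

The baseline file should live somewhere the share users cannot write to, and the check should run from a host that is not itself a share client, otherwise the monitor can be encrypted along with what it watches.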
Day “0” It Can Still Happen
Protect
- Data protection
- Secured infrastructure
- Isolated test networking
- Payment is never advised
Respond
- Infection response
- Communication
- Isolate source
- Control spread
Restore
- Test data
- Decryption key
- Restore
- Root cause analysis
We can Win!
Diagram: Protected VM → changed blocks → Journal vDisk → Replica vDisk (BC/DR site)
Configure journal SLAs: max size, datastore; average 10% space
Journal history: min 1 hour, max 4 weeks, recommended 96 hours+
Compressed write to journal, write order maintained
Kept for the journal history, then the write is flushed to the replica vDisk
Journaling for Point-in-Time Recovery
Multi-Site Protection
• Protect a VM in multiple VPGs
• Full replica, journal with RPO in seconds
• Per-VPG SLAs, journal retention
• Recover applications to BC/DR site
• Restore files & VMs direct to production
• Powerful local data protection
• Protect to cloud, longer retention
• All-in-one solution
Diagram: Production site → Local copy → BC/DR site
Isolated Failover Testing
Diagram: VMs on an isolated VLAN, scratch vDisk in front of the journal vDisk and replica vDisk, VRA performing inline I/O re-direction
• Writes go to scratch, reads to any disk
• VRA automatically re-directs I/O
• Instant access, minimal overhead
• No impact to production
• Access VM console for verification
• Replication continues
• No ability to re-infect
• VMs connected to isolated port group
• Secure test of point in time
• Stop failover test, record result
• Scratch disk & writes deleted
• Checkpoint marked for further use
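To make the journaling slide and this isolated-failover-test slide concrete, here is an added Python model (not Zerto's code, and a simplification of the mechanism the slides describe) of a replica vDisk with a write-ordered journal, point-in-time recovery to a checkpoint taken before the infection, and a copy-on-write scratch disk for the isolated test whose writes are discarded on stop. The retention value, block contents and timestamps are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Write:
    ts: int       # seconds since protection started (constructed clock)
    block: int
    data: bytes


class ProtectedVM:
    """Replica vDisk plus a journal of changed blocks, as on the journaling slide."""

    def __init__(self, retention_s: int):
        self.retention_s = retention_s          # journal history, e.g. 96 h
        self.replica = {}                       # replica vDisk: block -> flushed data
        self.journal = []                       # write order preserved by appending
        self.checkpoints = {}
        self.now = 0

    def replicate(self, w: Write) -> None:
        """A changed block arrives from production and is appended to the journal."""
        self.journal.append(w)
        self.now = max(self.now, w.ts)
        self._flush()

    def _flush(self) -> None:
        # Writes older than the retention window are applied to the replica and dropped.
        while self.journal and self.now - self.journal[0].ts > self.retention_s:
            old = self.journal.pop(0)
            self.replica[old.block] = old.data

    def checkpoint(self, name: str) -> None:
        """Mark the current point in time, e.g. 'pre-infection' after a clean test."""
        self.checkpoints[name] = self.now

    def earliest_point(self) -> int:
        return self.now - self.retention_s

    def recover(self, ts: int) -> dict:
        """Disk image as of ts: replica plus every journal write with ts <= ts, in order."""
        if ts < self.earliest_point() or ts > self.now:
            raise ValueError("point in time is outside the journal history")
        image = dict(self.replica)
        for w in self.journal:
            if w.ts <= ts:
                image[w.block] = w.data
        return image


class IsolatedFailoverTest:
    """Copy-on-write view of a recovered image: writes land on a scratch disk, reads
    fall through to the image, and stop() deletes the scratch writes."""

    def __init__(self, image: dict):
        self._base = dict(image)   # the recovered point in time is never modified
        self.scratch = {}

    def read(self, block: int):
        return self.scratch.get(block, self._base.get(block))

    def write(self, block: int, data: bytes) -> None:
        self.scratch[block] = data

    def stop(self) -> None:
        self.scratch.clear()


def demo() -> dict:
    vm = ProtectedVM(retention_s=96 * 3600)     # the slide's recommended history
    vm.replicate(Write(0, 1, b"payroll.xlsx v1"))
    vm.replicate(Write(600, 2, b"contracts.docx v1"))
    vm.replicate(Write(1200, 1, b"payroll.xlsx v2"))
    vm.checkpoint("pre-infection")
    # constructed ransomware writes: the replica receives the encrypted blocks too,
    # which is why recovery goes back to the checkpoint rather than to "latest"
    vm.replicate(Write(1800, 1, b"\x9f\x02\x7a encrypted"))
    vm.replicate(Write(1801, 2, b"\xe4\x11\x5c encrypted"))

    clean = vm.recover(vm.checkpoints["pre-infection"])
    test = IsolatedFailoverTest(clean)
    test.write(1, b"verification write")      # e.g. an application self-check
    result = {
        "latest": vm.recover(vm.now),
        "clean": clean,
        "read_during_test": test.read(1),
        "image_untouched": clean[1],
    }
    test.stop()                               # scratch disk & writes deleted
    result["after_stop"] = test.read(1)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The two points the model makes explicit: the encrypted writes reach the replica like any other change, so the recovery target must be a point in time before them (the checkpoint), and the test's writes never touch that image, so a failed verification costs nothing and a second test can be run from the same checkpoint.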
Single File / Folder Recovery
Restore request: file server data, application files, SQL databases, Oracle databases, Exchange databases
• Select VM
• Select point in time
• Select files & folders
• Restore anywhere: browser download, instant access on ZVM, mount network share
• Disks mounted, no impact or agent
• Data restored from seconds before
Disrupting Data Protection
“Average 8 hours versus Minutes”
• Leverage replicated data
• No more daily backup windows
• No performance impact
• Remove admin overhead
• Granularity of seconds
• Minimize data loss
• Meet 24/7 business requirements
Test Your Readiness
Research Notes & Papers
https://zerto.box.com/s/vbct5316wry74iz7t81ft52gd0l2uf7p