ransomware detection
play

Ransomware detection with Bro Mike Stokkel 13 Sept 2016 - PowerPoint PPT Presentation

Sep 05, 2022 •684 likes •983 views

Ransomware detection with Bro Mike Stokkel 13 Sept 2016 Introduction Who am I? Mike Stokkel Security Analyst @ Fox-IT Internship at Fox-IT Bachelor July 2016 Introduction Agenda What am I going to talk about?

  1. Ransomware detection with Bro Mike Stokkel 13 Sept 2016

  2. Introduction • Who am I? – Mike Stokkel – Security Analyst @ Fox-IT – Internship at Fox-IT – Bachelor July 2016 Introduction

  3. Agenda • What am I going to talk about? – Fox-IT – Ransomware – Bro Policy – Results – Demo

  4. Fox-IT

  5. Company • Located: Delft, The Netherlands • IT security – Managed Security Services – Auditing – Cryptographic solutions Fox-IT

  6. Security Operation Center • Snort-based detection • Bro Fox-IT

  7. Ransomware

  8. Explanation • Malware – Encryption – Payment – Decryption • Rising concern Ransomware

  9. Encryption • Process – Master key (public and private key) – Generating a key for the victim – Encrypting the victim’s key Ransomware

  10. Impact • Personal Computer – Local files • Company – Network Share • To pay or not to pay? Ransomware

  11. Spreading Methods • Exploit Kits – Browser vulnerabilities • E-mail – Malicious document – Macros Ransomware

  12. Exploit Kit • Version check • IP check • Download ransomware payload • Run payload Ransomware

  13. Malicious document • Macro • VBS script • Download & execute payload Ransomware

  14. Remote desktop programs • TeamViewer hack • RDP brute force Ransomware

  15. Detection Methods • IDS – Snort rules • Problem Ransomware

  16. Bro Policy

  17. Approach • Ransomware behavior – SMB • Possible solutions – File extension listing – Threshold SMB commands – Command-and-Control communication Bro Policy

  18. Entropy • Randomness of data • 0 – 8 bits per character Bro policy

  19. What about …. • Compressed files • Images • PDF • Mime/Media type Bro policy

  20. Functions • SMB parser – Events • File over new connection • Chunk event • SumStat – Threshold • Notice.log Bro Policy

  21. File over new connection • Check for SMB traffic • Check for certain filenames • Check for Mime type • Check for SMB action • Check if SMB action equals Write • Add File analyzer Bro Policy

  22. Chunk event • Check if the offset equals 0 • Calculate entropy of data collected from SMB write command • Use SumStat to add +1 for the threshold • Write to log file • Write a Notice.log Bro Policy

  23. Results

  24. Live Testing • Two new kinds of Ransomware Bro Policy

  25. Live Testing • Two new kinds of Ransomware – Google Chrome & Mozilla Firefox • Encrypted cache • Encryption tools – TrueCrypt – VeraCrypt • Documents – Printing – Creating Bro Policy

  26. Demo

  27. Samples • Locky/Zepto • Cryptowall • CTBLocker • Jigsaw (and all families) • Mobef • Shade • Maktub • Cerber/Alpha • Teslacrypt • Rokku • Crysis • Cerber • Bandarchor Demo

  28. Thank you for having me!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

Geoff Hale 1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad actors, both criminal enterprises and nation-states have made use of ransomware. What: Ransomware is a type of malware that encrypts

358 views • 6 slides
Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

X by Invincea Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more sophisticated, and shifting to an enterprise threat Ransomware Nightmares X by Invincea To Pay Or Not To Pay? X by Invincea Your money or

780 views • 23 slides
On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele Lenzini, and Daniele Sgandurra June 20, 2019 Ransomware Threat 1 Ransomware Threat 1 Deception-Based Anti-Ransomware In the context of ransomware,

507 views • 22 slides
Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN KHARRAZ NICHOLAS BURTON ENGIN KIRDA What is Ransomware? What is Ransomware? u Ransomware is malicious software that encrypts user data, and

718 views • 33 slides
Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new attacker entrants, lower cost through kit automation, etc.) Take consumer and enterprise digital assets hostage using high- strength encryption

365 views • 18 slides
Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of Ransomware Technology Perspective and Attacked Devices Ransomware Economy Security Conditions Biomorphic Perimeterisation How to generate a

860 views • 61 slides
Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users files unless a ransom is paid.

517 views • 30 slides
Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy Bennett 2019 Cybersecurity Awareness Month Event October 22, 2019 2019 Texas Headlines Ransomware Ransomware Cyber criminals holding your data and

450 views • 23 slides
Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Locky Strike: Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts, FortiGuard Lion Team September 1, 2017 1 Cryptowall 2 This one? 3 Prevalence: Global ransomware Global Ransomware IPS Hits - February

647 views • 49 slides
How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How Healthcare IT Differs From General IT Agenda The Growing Threat of Ransomware What You Can Do Today To Protect Your Business How Healthcare IT

440 views • 32 slides
Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin Kirill Levchenko, Alex C. Snoeren, Damon McCoy Ransomware causes financial damages

798 views • 54 slides
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko https://arstechnica.com/information-technology/2012/11/mushrooming-growth-of-ransomware- extorts-5-million-a-year/

298 views • 13 slides
to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu

to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu

FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi Encryption Ransomware Is Becoming More Aggressive May 12,

772 views • 75 slides
What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary

What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary

What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary 1 Confidential & Proprietary Ransomware Overview Malware that blocks access to a system, device, or file until a ransom is paid

248 views • 11 slides
Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top

Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top

Vembu BDR Suite Vembu Technologies 100+ Decade + G2 crowd Countries Experience Top Leaders-2019 www.vembu.com How to protect your business from a Ransomware attack? What is Ransomware? Types of Ransomware How it attacks? Stats for year

454 views • 16 slides
Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi

Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi

Tracking desktop ransomware payments end to end Elie Bursztein, Kylie McRoberts, Luca Invernizzi with the help of many people from UCSD, NYU, and Chainalysis Only 37% of users backup their data g.co/research/protect Since 2016 ransomware

746 views • 62 slides
Seg3D Insights Architectural Need to Knows Versioning/Packaging of Seg3D Files with Welcome

Seg3D Insights Architectural Need to Knows Versioning/Packaging of Seg3D Files with Welcome

Seg3D Insights Architectural Need to Knows Versioning/Packaging of Seg3D Files with Welcome information and Program description (CPack) Main configuration file that controls Application name and Application version: We have used Apple

817 views • 54 slides
Package Vignette and Help Files Using MarkDoc E. F. Haghish February 2016 E. F. Haghish

Package Vignette and Help Files Using MarkDoc E. F. Haghish February 2016 E. F. Haghish

Package Vignette and Help Files Using MarkDoc E. F. Haghish February 2016 E. F. Haghish Package Vignette and Help Files Using MarkDoc February 2016 1 / 25 Difficulties in software documentation Writing package documentation is necessary in

511 views • 25 slides
Files and Exceptions Joan Boone jpboone@email.unc.edu Summer 2020 Slide 1 Topics Part 1

Files and Exceptions Joan Boone jpboone@email.unc.edu Summer 2020 Slide 1 Topics Part 1

INLS 560 Programming for Information Professionals Files and Exceptions Joan Boone jpboone@email.unc.edu Summer 2020 Slide 1 Topics Part 1 Opening and writing to files Part 2 Reading data from files Part 3 Errors and exceptions

721 views • 41 slides
CSE 120 File System Interface What the user/programmer sees File System Implementation

CSE 120 File System Interface What the user/programmer sees File System Implementation

Overview CSE 120 File System Interface What the user/programmer sees File System Implementation How it works Summer, 2006 Day 9 File Systems Instructor: Neil Rhodes 2 What is a File? Typical Filesystem Named collection of related

175 views • 5 slides
CS 241: Systems Programming Lecture 6. Shell Scripting 1 Fall 2019 Prof. Stephen Checkoway 1

CS 241: Systems Programming Lecture 6. Shell Scripting 1 Fall 2019 Prof. Stephen Checkoway 1

CS 241: Systems Programming Lecture 6. Shell Scripting 1 Fall 2019 Prof. Stephen Checkoway 1 Permissions Every user has an id (uid), a group id (gid) and belongs to a set of groups Every file has an owner, a group, and a set of permissions

700 views • 23 slides
Of Office fice of of Hou Housing sing Couns Counseling eling Overview of Procurement

Of Office fice of of Hou Housing sing Couns Counseling eling Overview of Procurement

U.S. .S. Depar Department of tment of Housing Housing and and Urban De Urban Development elopment Of Office fice of of Hou Housing sing Couns Counseling eling Overview of Procurement Facilitated by Booth Management Consulting

739 views • 40 slides
PD front-end electronics Josh Spitz, University of Michigan 30% DUNE Design Review, 11/12/2018

PD front-end electronics Josh Spitz, University of Michigan 30% DUNE Design Review, 11/12/2018

PD front-end electronics Josh Spitz, University of Michigan 30% DUNE Design Review, 11/12/2018 with: Dave Warner, Jon Ameel, Gustavo Cancelo, Rory Fitzpatrick, Chris Barnes, Matt Toups, Sten Hansen, Dante Totani, Joel Mousseau, Alex Himmel, and

652 views • 28 slides
PostgreSQL As Data Integration Tool PostgreSQL SQL-MED pgDay Paris 2019/03/12 Stefanie Janine

PostgreSQL As Data Integration Tool PostgreSQL SQL-MED pgDay Paris 2019/03/12 Stefanie Janine

PostgreSQL As Data Integration Tool PostgreSQL SQL-MED pgDay Paris 2019/03/12 Stefanie Janine Stlting @sjstoelting mail@stefanie-stoelting.de SQL/MED First defined in ISO/IEC 9075-9:2008, revised by ISO/IEC 9075-9:2016 Supported by DB2

694 views • 45 slides

More recommend