Ransomware detection with Bro Mike Stokkel 13 Sept 2016 - - PowerPoint PPT Presentation

▶

Sep 05, 2022 684 likes •986 views

Ransomware detection with Bro Mike Stokkel 13 Sept 2016 Introduction Who am I? Mike Stokkel Security Analyst @ Fox-IT Internship at Fox-IT Bachelor July 2016 Introduction Agenda What am I going to talk about?

SLIDE 1

Ransomware detection

with Bro

Mike Stokkel 13 Sept 2016

SLIDE 2

Who am I?

– Mike Stokkel – Security Analyst @ Fox-IT – Internship at Fox-IT – Bachelor July 2016

Introduction

SLIDE 3

What am I going to talk about?

– Fox-IT – Ransomware – Bro Policy – Results – Demo

Agenda

SLIDE 4

Fox-IT

SLIDE 5

Located: Delft, The Netherlands
IT security

– Managed Security Services – Auditing – Cryptographic solutions

Company

Fox-IT

SLIDE 6

Snort-based detection
Bro

Security Operation Center

Fox-IT

SLIDE 7

Ransomware

SLIDE 8

Malware

– Encryption – Payment – Decryption

Rising concern

Explanation

Ransomware

SLIDE 9

Process

– Master key (public and private key) – Generating a key for the victim – Encrypting the victim’s key

Encryption

Ransomware

SLIDE 10

Personal Computer

– Local files

Company

– Network Share

To pay or not to pay?

Impact

Ransomware

SLIDE 11

Exploit Kits

– Browser vulnerabilities

E-mail

– Malicious document – Macros

Spreading Methods

Ransomware

SLIDE 12

Version check
IP check
Download ransomware payload
Run payload

Exploit Kit

Ransomware

SLIDE 13

Macro
VBS script
Download & execute payload

Malicious document

Ransomware

SLIDE 14

TeamViewer hack
RDP brute force

Remote desktop programs

Ransomware

SLIDE 15

– Snort rules

Problem

Detection Methods

Ransomware

SLIDE 16

Bro Policy

SLIDE 17

Ransomware behavior

– SMB

Possible solutions

– File extension listing – Threshold SMB commands – Command-and-Control communication

Approach

Bro Policy

SLIDE 18

Randomness of data
0 – 8 bits per character

Entropy

Bro policy

SLIDE 19

Compressed files
Images
PDF
Mime/Media type

What about ….

Bro policy

SLIDE 20

SMB parser

– Events

File over new connection
Chunk event
SumStat

– Threshold

Notice.log

Functions

Bro Policy

SLIDE 21

Check for SMB traffic
Check for certain filenames
Check for Mime type
Check for SMB action
Check if SMB action equals Write
Add File analyzer

File over new connection

Bro Policy

SLIDE 22

Check if the offset equals 0
Calculate entropy of data collected from SMB

write command

Use SumStat to add +1 for the threshold
Write to log file
Write a Notice.log

Chunk event

Bro Policy

SLIDE 23

Results

SLIDE 24

Two new kinds of Ransomware

Live Testing

Bro Policy

SLIDE 25

Two new kinds of Ransomware

– Google Chrome & Mozilla Firefox

Encrypted cache
Encryption tools

– TrueCrypt – VeraCrypt

Documents

– Printing – Creating

Live Testing

Bro Policy

SLIDE 26

Demo

SLIDE 27

Locky/Zepto
Cryptowall
CTBLocker
Jigsaw (and all families)
Mobef
Shade
Maktub
Cerber/Alpha
Teslacrypt
Rokku
Crysis
Cerber
Bandarchor

Samples

Demo

SLIDE 28

Ransomware detection

Introduction

Agenda

Fox-IT

– Managed Security Services – Auditing – Cryptographic solutions

Company

Security Operation Center

Ransomware

– Encryption – Payment – Decryption

Explanation

– Master key (public and private key) – Generating a key for the victim – Encrypting the victim’s key

Encryption

– Local files

– Network Share

Impact

– Browser vulnerabilities

– Malicious document – Macros

Spreading Methods

Exploit Kit

Malicious document

Remote desktop programs

– Snort rules

Detection Methods

Bro Policy

– SMB

– File extension listing – Threshold SMB commands – Command-and-Control communication

Approach

Entropy

What about ….

Functions

File over new connection

write command

Chunk event

Results

Live Testing

Live Testing

Demo

Samples

Thank you for having me!