Ransomware Defense Technical Session

Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF
Certified Consulting Systems Engineer, Cyber Security, Denmark
6/2 - 2018

The Evolution of Variants

The confluence of easy and effective encryption, the popularity of exploit kits and phishing, and a willingness for victims to pay have caused an explosion of ransomware variants.

[Timeline figure, 1989 to 2017, of ransomware variants by year. Variants shown: PC Cyborg, GPCoder, CRYZIP, Redplus, QiaoZhaz, Urausy, Reveton, Fake Antivirus, Ransomlock, Cryptolocker, CryptoDefense / Koler, Cryptorbit, Cryptographic Locker, Cryptowall, TorrentLocker, Dirty Decrypt, CoinVault, Svpeng, Simplelock, Kovter, Virlock, CBT-Locker, TeslaCrypt (2.0, 3.0, 4.0, 4.1), Tox, Cryptvault, Radamant, Cokri, DMALock, Chimera, Lockdroid, Lockscreen, Hydracrypt, Powerware, Rokku, Cerber, Locky, SamSam, Keranger, 73V3N, Destructionware, WannaCry, NotPetya. Milestones marked: first commercial Android phone, Bitcoin network launched, worm-type ransomware (2017).]

TALOS brings the intelligence – Smarter every day

WannaCry timeline, 2017:

• Mar 14: Microsoft vulnerability identified. TALOS detects vulnerabilities; customers with NGFW, IPS, Meraki MX already protected.
• Apr 14: Shadow Brokers exploit leaked. TALOS detects exploits; customers with NGFW, IPS, Meraki MX are protected.
• May 12: WannaCry ransomware released. Customers with NGFW, IPS, Meraki MX are protected, plus AMP caught the payload and Umbrella blocked the callout.

Ransomware Defense Overview

Cisco Ransomware Defense Solution: a solution to Prevent, Detect and Contain ransomware attacks

Cisco Ransomware Defense Solution is not a silver bullet, and will not decrypt an already infected system. It does help to:
• Prevent ransomware from getting into the network where possible
• Stop it at the systems before it gains command and control
• Detect when it is present in the network
• Work to contain it from expanding to additional systems and network areas
• Perform incident response to fix the vulnerabilities and areas that were attacked

This solution helps to keep business operations running with less fear of being taken hostage and losing control of critical systems.

Ransomware Kill Chain - Seven Stages of an Attack

[Kill chain figure. Phases: TARGET, COMPROMISE, BREACH. Stages: RECON, STAGE, LAUNCH, EXPLOIT, INSTALL, CALLBACK, PERSIST. Rows: attacker infrastructure used by attacker; files/payloads used by attacker.]

Breaking the Ransomware Kill Chain

Capabilities needed to break the kill chain

• Threat intelligence – Knowledge of existing Ransomware and communication vectors
• E-mail security – Block Ransomware attachments and links
• Web Security – Block web communication to infected sites and files
• DNS Security - Break the DNS Command & Control call back
• Client Security – Inspect files for Ransomware and viruses, quarantine and remove
• Segment infrastructure – Authenticate access, separate traffic based on role and policy
• Intrusion Prevention - Block attacks, exploitation and intelligence gathering
• Monitor Infrastructure communications – Identify and alert on abnormal traffic flows

Capability Defense against the “Kill Chain”

[Matrix figure: capabilities mapped against the kill chain phases (TARGET, COMPROMISE, BREACH) and stages (RECON, STAGE, LAUNCH, EXPLOIT, INSTALL, CALLBACK, PERSIST). Capabilities shown: Threat Intelligence, DNS Security, Email Security, Web Security, NGFW, NGIPS, Host Anti-Malware, Flow Analytics, End-to-End Infrastructure Defense Network.]

Defend against the entire “Kill Chain”

AMP + TG (everywhere) to log pivots

[Matrix figure: Cisco products mapped against the same phases and stages, grouped in rows:
• Quick Defense With Cloud!: Umbrella on/off-net (ODNS intel, all ports), TALOS research and intel, AMP + TG (for content), AMP + TG (for endpoint), CES + TG on/off-net
• Advanced WEB Defense: CWS/WSA proxy all on/off-net, CTA off-net
• Rapid Defense on-net: FTD, ISE + TrustSec, WSA/ESA, AMP network, Investigate (Internet-wide), Stealthwatch
• Protect Me Once They’re In!: FTD and ISE + TrustSec IP layer segmentation, Stealthwatch visibility and netflow, TALOS intel, on-net, all ports]

Simplified Solution Architecture view

Prevent and Contain Ransomware with Cisco Email Security, Umbrella, and AMP

[Attack-flow diagram. Entry paths: PHISHING / SPAM email carrying a malicious link or an email attachment. The link leads via a web redirect through COMPROMISED SITES AND MALVERTISING to EXPLOIT KIT infrastructure (Angler, Nuclear, NuTrino), then a file drop of the RANSOMWARE PAYLOAD, which calls back to C2 DOMAINS and C2 web infrastructure for the encryption key. Controls marked on the flow:]
• Blocked by Cisco Cloud Email Security with AMP
• Blocked by Cisco Umbrella Roaming (DNS Security)
• Blocked by Cisco AMP for Endpoints (Host Anti-Malware)

Layers of Defense

Quick Prevention Overview

• CES – Phishing e-mail with a ransomware malware link getting replaced on CES
• ODNS – Bad link getting blocked by ODNS
• AMP4E – Ransomware getting submitted to TG, TG report, and ransomware now blocked on a different system

The outermost layer – Email security

Prevent and Contain Ransomware with Cisco Cloud Email Security

[Same attack-flow diagram as in the Simplified Solution Architecture view (exploit kits shown: Angler, Nuclear, Rig), highlighting the email-layer control:]

Blocked by Cisco Cloud Email Security with AMP
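The two CES behaviours this section describes, rewriting an unknown URL to a confirmation page and either stripping a flagged attachment or dropping the whole message, as an added Python example that is not Cisco's code. The redirect host, the reputation table and the extension-based verdict are constructed stand-ins for CES Outbreak Filters and the AMP file verdict.

```python
import re
from email.message import EmailMessage
from email.parser import Parser
from email.policy import default
from urllib.parse import quote, urlsplit
# Constructed stand-ins: placeholder redirect page, reputation table, extension stub for the AMP verdict.
REDIRECT = "https://confirm.example.invalid/?url="
KNOWN_GOOD_HOSTS = {"www.example.com"}
RISKY_EXTENSIONS = (".js", ".exe", ".scr", ".wsf")

def rewrite_unknown_urls(text):
    """Route every URL without a known-good host through the confirmation page."""
    def swap(m):
        url = m.group(0)
        if urlsplit(url).hostname in KNOWN_GOOD_HOSTS:
            return url
        return REDIRECT + quote(url, safe="")
    return re.sub(r"https?://\S+", swap, text)

def attachment_flagged(part):
    """Stub verdict: treat script/executable attachments as malicious."""
    return (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)

def apply_incoming_policy(raw, drop_entire_message):
    """Return ('drop', None) or ('deliver', rebuilt message) for one incoming mail."""
    msg = Parser(policy=default).parsestr(raw)
    attachments = list(msg.iter_attachments())
    if drop_entire_message and any(attachment_flagged(p) for p in attachments):
        return "drop", None          # recommended setting: nothing reaches the mailbox
    body = msg.get_body(preferencelist=("plain",))
    out = EmailMessage()
    for h in ("From", "To", "Subject"):
        out[h] = msg[h]
    out.set_content(rewrite_unknown_urls(body.get_content() if body is not None else ""))
    for p in attachments:
        if attachment_flagged(p):
            continue                 # attachment stripped, remainder of the mail delivered
        content = p.get_content()    # str for text/* parts, bytes otherwise
        extra = {} if isinstance(content, str) else {"maintype": p.get_content_maintype()}
        out.add_attachment(content, subtype=p.get_content_subtype(),
                           filename=p.get_filename(), **extra)
    return "deliver", out

def build_sample():
    """Constructed phishing-style mail: one unknown link plus a script attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "Invoice"
    m.set_content("Help: https://www.example.com/help  Pay: https://bad.invalid/pay/now.php")
    m.add_attachment(b"WScript.Echo('demo')", maintype="application",
                     subtype="octet-stream", filename="invoice.js")
    return m.as_string()
```

Running `apply_incoming_policy(build_sample(), drop_entire_message=False)` shows the test setup used in the deck (attachment stripped, rewritten link delivered); `drop_entire_message=True` is the recommended setting.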

When CES identifies an unknown URL that is potentially malicious, the URL is rewritten using the Outbreak Filters feature and users can be redirected to a confirmation page. This behavior is configurable. The CES policy in this example was set to strip Ransomware attachments and send the remainder of the message so that our testing could be validated. Cisco recommends configuring the policy to drop the entire message, not just remove the attachment.

[Screenshots: Incoming Mail Policies: Outbreak Filters; Incoming Mail Policies: Advanced Malware Protection; Auto remediation of malicious file by CES; AMP and Threatgrid integration by CES]

The second layer – DNS security

Prevent and Contain Ransomware with Cisco Umbrella (formerly OpenDNS)

[Same attack-flow diagram as in the Simplified Solution Architecture view, highlighting the DNS-layer control:]

Blocked by Cisco Umbrella Roaming (DNS Security)

[Screenshot: OpenDNS blocks phishing]

The last layer – Host Anti-Malware

Prevent and Contain Ransomware with Cisco AMP for Endpoints

[Same attack-flow diagram as in the Simplified Solution Architecture view, highlighting the host-layer control:]

Blocked by Cisco AMP for Endpoints (Host Anti-Malware)

Prevent and Contain Ransomware with Cisco Email Security, Umbrella, and AMP

[Summary slide: the same attack-flow diagram as in the Simplified Solution Architecture view, with all three controls marked: Blocked by Cisco Cloud Email Security with AMP; Blocked by Cisco Umbrella Roaming (DNS Security); Blocked by Cisco AMP for Endpoints (Host Anti-Malware).]