How to Effectively Prevent Infections

Nattapon Palviriyachot

System Engineer (Thailand)

What is Ransomware?

• “Ransomware” is a type of attack that blocks access to sensitive files (typically by encrypting them) until the victim pays the attacker, often in crypto-currency.
• Target file types: *.jpg, *.jpeg, *.raw, *.tif, *.gif, *.png, *.bmp, *.3dm, *.max, *.accdb, *.db, *.dbf, *.mdb, *.pdb, *.sql, *.*sav*, *.*spv*, *.*grle*, *.*mlx*, *.*sv5*, *.*game*, *.*slot*, *.dwg, *.dxf, *.c, *.cpp, *.cs, *.h, *.php, *.asp, *.rb, *.java, *.jar, *.class, *.aaf, *.aep, *.aepx, *.plb, *.prel, *.prproj, *.aet, *.ppj, *.psd, *.indd, *.indl, *.indt, *.indb, *.inx, *.idml, *.pmd, *.xqx, *.ai, *.eps, *.ps, *.svg, *.swf, *.fla, *.as3, *.as, *.txt, *.doc, *.dot, *.docx, *.docm, *.dotx, *.dotm, *.docb, *.rtf, *.wpd, *.wps, *.msg, *.pdf, *.xls, *.xlt, *.xlm, *.xlsx, *.xlsm, *.xltx, *.xltm, *.xlsb, *.xla, *.xlam, *.xll, *.xlw, *.ppt, *.pot, *.pps, *.pptx, *.pptm, *.potx, *.potm, *.ppam, *.ppsx, *.ppsm, *.sldx, *.sldm, *.wav, *.mp3, *.aif, *.iff, *.m3u, *.m4u, *.mid, *.mpa, *.wma, *.ra, *.avi, *.mov, *.mp4, *.3gp, *.mpeg, *.3g2, *.asf, *.asx, *.flv, *.mpg, *.wmv, *.vob, *.m3u8, *.csv, *.efx, *.sdf, *.vcf, *.xml, *.ses, *.dat
• Corporate targets: important documents, source code, product design diagrams, transaction records, product formulas, customer contacts, videos, pictures, etc.

Ransomware timeline (figure; entries recovered from the slide):
• 1989: AIDS malware, the first known ransomware
• 2005: GPCoder
• 2010: WinLock, the first to demand payment via premium SMS
• 2012: Reveton, appears to be a fine from law enforcement
• 2013: CryptoLocker, “the revolution”: the return of anonymous online payments with Bitcoin; AndroidDefender
• 2014: TorrentLocker; CTB-Locker (uses Tor for command-and-control); CryptoWall (leveraging Bitcoin for payment); Simplocker (Android devices)
• 2015: PClock (copycat ransomware pretending to be CryptoLocker); TeslaCrypt (targets gaming save files)
• 2016: KeRanger; Locky (Word documents)

Ransomware today: > 30 active malware families

Impact: WanaCrypt0r ransomware emerged on May 12, 2017. Please be prepared:

http://thehackernews.com/2017/05/smb-windows-hacking-tools.html

6 | © 2015, Palo Alto Networks. Confidential and Proprietary.

WanaCrypt0r makes use of an exploit, a worm and ransomware

[Diagram: WanaCrypt exploits MS17-010 on one host and spreads to other unpatched hosts across the network, including cloud and virtualization hosts; hosts with the MS17-010 patch are not exploited.]

How the worm spreads

• WanaCrypt scans for the DoublePulsar backdoor and the EternalBlue (MS17-010) vulnerability on systems.
• DoublePulsar is an NSA backdoor payload, used to spread the worm from one affected computer to the other vulnerable machines across the same network.
• The EternalBlue vulnerability (SMB exploit) was publicly disclosed by the Shadow Brokers group in April 2017. This may have led to a big exponential effect.
• The worm automatically spreads via the Windows Server Message Block v1 (SMBv1) protocol; systems with the MS17-010 patch applied are not exploitable.
• The “worm” contains inside a dropper binary, which is a ransomware sample that is part of the WanaCrypt family (WanaCrypt0r encryption).

Propagation steps:
a. Scan the internal LAN for SMB targets.
b. Generate random public IP addresses and scan them for SMB targets.
c. For every machine found, exploit and compromise it via EternalBlue / DoublePulsar.
d. Propagate itself over the SMB vector, behaving like a worm, once the infected computer discovers another computer with the DoublePulsar/EternalBlue vulnerability.

Widespread reach enabled by automated ransomware and outdated computer systems


• Automated ransomware, i.e., no human interaction is required to spread the infection to other computers
• Outdated computer systems / unpatched Windows systems

Current solutions fail to prevent security breaches:
• 169 million personal records exposed in 2015, a 50% increase over 2014 *
• 38 percent increase in security incidents from 2014 **

* ITRC Data Breach Reports – 2015 Year-End Totals
** PwC The Global State of Information Security Survey 2016

The Anatomy of a Targeted Attack

Conduct Reconnaissance → Compromise Endpoint → Establish Control Channel → Steal Data / Achieve Objective

The Right Time to Prevent a Security Breach is Before an Attacker Compromises an Endpoint to Gain a Foothold in Your Environment.

How Targeted Attacks Compromise Endpoints

Attack sequence: Conduct Reconnaissance → Compromise Endpoint → Establish Control Channel → Pursue Objectives

Two ways to compromise the endpoint:
• Weaponized data files/content: exploit software vulnerabilities to subvert existing applications
• Self-contained, malicious programs: execute targeted malicious programs that contain the necessary executable code

Traditional AV is Not the Solution to Endpoint Protection. It’s the Problem!

The endpoint landscape

[Diagram: a typical endpoint runs separate agents for VPN, exploit prevention, firewall, antivirus, data loss prevention, data encryption, management, and forensics & IR.]

• So many agents…compatibility issues, CPU/memory/IO consumption, operations, etc.

• Enterprises don’t want yet another endpoint agent

• But they know they need to replace their legacy AV/HIPS

How do Palo Alto Networks Customers Accomplish This?

Traps replaces traditional antivirus with Multi-Method Prevention that protects your endpoints from known and unknown threats

Palo Alto Networks endpoint focus

[Same endpoint-agent diagram; of these functions, Palo Alto Networks covers VPN with GlobalProtect and exploit prevention and antivirus with Traps.]

Traps Prevents Known & Unknown Threats from Compromising Endpoints

Attack sequence: Conduct Reconnaissance → Compromise Endpoint → Establish Control Channel → Pursue Objectives

• Execute malicious programs: Traps prevents both known and unknown malware from infecting endpoints.
• Exploit software vulnerabilities: Traps prevents both known and unknown exploits, including zero-day exploits.
• Protection applies online and offline, on-prem and off-prem.

Understanding the Threat

Exploits ≠ Malware: exploits are weaponized data files & content that subvert normal applications; malware consists of executable programs that carry out malicious activity.

Exploit vs. Malware – What’s the Difference?

Exploit:
§ Malformed data file that is processed by a legitimate app
§ Takes advantage of a vulnerability in the legitimate app which allows the attacker to run code
§ ‘Tricks’ the legitimate application into running the attacker’s code
§ Small payload

Malware:
§ Malicious code that comes in an executable file form
§ Does not rely on any application vulnerability
§ Already executes code – aims to control the machine
§ Large payload

Traps Multi-Method Malware Prevention

Traps Multi-Method Malware Prevention: how a program is evaluated

1. The user attempts to execute a program.
2. Check hash with WildFire: Malicious → Block (quarantine program); Benign → go to step 5; No match → step 3.
3. Check against the list of trusted publishers: Trusted → step 5; No match → step 4.
4. Conduct local analysis: Malicious → Block; Benign → step 5; Unknown → submit the program to WildFire for analysis; the user may override according to policy.
5. Check execution restrictions (child process, restricted folder, removable drive): Restricted → Block; Allowed → Run.

Check Hash with WildFire

1. The user tries to open an executable file.
2. Traps checks the file hash against the endpoint’s local cache; if unknown, against the Endpoint Security Manager (ESM) server cache; if still unknown, the file is uploaded to WildFire for analysis.
3. The verdict is saved to the ESM server and the endpoint: Malicious → execution stopped; Benign → safe to run.
4. If the EXE changes, its hash changes and it is evaluated again as unknown. From the ESM Console an administrator can override a verdict or revoke an override.
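The two flows above (the multi-method decision and the three-tier hash check) as one runnable model. This is an added example, not Traps or WildFire code: the caches, the “local analysis” byte-marker rule, and all sample programs, hashes, publisher names, folders and verdicts are constructed stand-ins, and none of the real products’ interfaces are represented.

```python
"""Model of the multi-method execution decision and the three-tier hash check.
Added example; every name, hash and verdict below is a constructed stand-in."""
import hashlib
from dataclasses import dataclass, field

MALICIOUS, BENIGN, UNKNOWN = "malicious", "benign", "unknown"
BLOCK, RUN = "block", "run"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


@dataclass
class Program:
    path: str
    content: bytes
    publisher: str = ""           # signer name, "" when unsigned
    parent: str = ""              # image name of the launching process
    removable_drive: bool = False

    @property
    def sha256(self):
        return sha256_hex(self.content)


@dataclass
class Policy:
    trusted_publishers: set = field(default_factory=set)
    restricted_folders: set = field(default_factory=set)   # lower-case folder paths
    restricted_parents: set = field(default_factory=set)   # child-process restriction
    block_removable_drive: bool = True
    block_unknown_until_verdict: bool = False   # "prevent unknown programs until a verdict"


class HashVerdicts:
    """Endpoint local cache -> ESM server cache -> cloud lookup. A cloud verdict
    is saved back to both caches; an unknown hash is recorded as submitted."""

    def __init__(self, wildfire):
        self.local, self.esm, self.wildfire = {}, {}, wildfire
        self.submitted = []

    def lookup(self, sha):
        for tier in (self.local, self.esm):
            if sha in tier:
                return tier[sha]
        verdict = self.wildfire.get(sha, UNKNOWN)
        if verdict == UNKNOWN:
            self.submitted.append(sha)
        else:
            self.esm[sha] = self.local[sha] = verdict
        return verdict


def local_analysis(program):
    """Stand-in for the endpoint's local machine-learning analysis: a constructed
    byte-marker rule, not a real detection model."""
    if b"wcry" in program.content.lower():
        return MALICIOUS
    return BENIGN if program.content.startswith(b"MZ") else UNKNOWN


def execution_restrictions(program, policy):
    if program.parent.lower() in policy.restricted_parents:
        return BLOCK, "child-process restriction: launched by " + program.parent
    folder = program.path.rsplit("\\", 1)[0].lower()
    if folder in policy.restricted_folders:
        return BLOCK, "folder restriction: " + folder
    if program.removable_drive and policy.block_removable_drive:
        return BLOCK, "removable-drive restriction"
    return RUN, "allowed"


def decide(program, policy, verdicts):
    """Return (decision, reason) for a program the user tries to execute."""
    verdict = verdicts.lookup(program.sha256)                     # 1. hash check
    if verdict == MALICIOUS:
        return BLOCK, "WildFire verdict: malicious (quarantine)"
    if verdict == UNKNOWN:
        if program.publisher in policy.trusted_publishers:         # 2. trusted publisher
            verdict = BENIGN
        else:
            verdict = local_analysis(program)                      # 3. local analysis
            if verdict == MALICIOUS:
                return BLOCK, "local analysis: malicious"
            if verdict == UNKNOWN and policy.block_unknown_until_verdict:
                return BLOCK, "unknown program, awaiting WildFire verdict"
    return execution_restrictions(program, policy)                # 4. execution restrictions


# Constructed sample data for a stand-alone run (hypothetical, not real samples).
SAMPLE_MALICIOUS = b"MZ constructed wcry sample"
SAMPLE_BENIGN = b"MZ constructed benign tool"
SAMPLE_WILDFIRE = {sha256_hex(SAMPLE_MALICIOUS): MALICIOUS, sha256_hex(SAMPLE_BENIGN): BENIGN}
SAMPLE_POLICY = Policy(trusted_publishers={"Contoso Ltd"},
                       restricted_folders={r"c:\users\public\downloads"},
                       restricted_parents={"winword.exe"})

if __name__ == "__main__":
    verdicts = HashVerdicts(SAMPLE_WILDFIRE)
    for prog in (Program(r"C:\Temp\a.exe", SAMPLE_MALICIOUS),
                 Program(r"C:\Users\Public\Downloads\b.exe", b"MZ never seen"),
                 Program(r"C:\Tools\c.exe", b"MZ signed", publisher="Contoso Ltd", parent="WINWORD.EXE")):
        print(prog.path, decide(prog, SAMPLE_POLICY, verdicts))
```

The order matters: a cloud verdict of malicious wins before any publisher or policy check, a trusted publisher skips local analysis but still passes through the execution restrictions, and the `block_unknown_until_verdict` switch is what turns the “submit unknown to WildFire” step from allow-and-analyse into block-until-verdict.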

WildFire Detects Malware Using Multiple Methods & Techniques

Static Analysis:
• File anomaly detection
• Static signatures
• String & code block detection
• Machine learning & static analysis

Dynamic Analysis:
• Full execution analysis
• Multi-version execution environment
• Multi-dimensional scoring
• Network traffic analysis

WildFire Turns the Unknown into the Known in About 5 Minutes

Traps Multi-Method Exploit Prevention

Traps Prevents Exploits At Their Core

[Graph: total number of weaponized exploits over time. Signature/behavior-based protection and patching both require prior knowledge of the vulnerability; Traps is proactive, aims at the root of the exploitation attempt, and requires no patching, no prior knowledge of vulnerabilities and no signatures.]

Exploit Prevention Architecture

• Traps modules inject into user processes and prevent the use of exploit techniques.
• Upon an exploitation attempt, the process is frozen, a notification is sent and forensic data is captured.
• Components: the Traps agent (injected modules, drivers and service on the endpoint) and the ESM Console (policy & reporting).

Block the Core Techniques – Not the Individual Attacks

Number of new variants each year:

Individual attacks | Core techniques
Software vulnerability exploits: 1,000s (thousands of new vulnerabilities and exploits) | Exploitation techniques: 2–4 (only two to four new exploit techniques)
Malware: 1,000,000s (millions of new malware variations) | Malware techniques: ~10s (tens of new malware sub-techniques)

Traps Multi-Method Exploit Prevention

Every end goal of every exploit is to “execute some arbitrary code”. Traps blocks the techniques used along the way:
1. Memory Corruption Prevention: the exploit manipulates the operating system’s normal memory management mechanisms, e.g. “heap spray” and “return-oriented programming” (ROP).
2. Logic Flaw Prevention: the exploit manipulates the operating system’s normal processes, e.g. by modifying the location from which dynamic link libraries (DLLs) are loaded (“DLL hijacking”).
3. Code Execution Prevention: the attacker’s commands that are embedded in the exploit data file.

Exploits Subvert Authorized Applications

[Diagram: an authorized application with a vulnerability → heap spray → ROP → utilizing OS function → begin malicious activity. Vendor patches address only the vulnerability step.]

Malicious activity: § Download malware § Steal critical data § Encrypt hard drive § Destroy data § More…

Vendor Patch

[Diagram: with the vendor patch applied, the chain is broken at the vulnerability, before heap spray → ROP → utilizing OS function → malicious activity (activate key logger, steal critical data, encrypt hard drive, destroy data, more…).]

Traps Blocks Exploit Techniques

[Diagram: the Traps Exploit Prevention Module (EPM) blocks the heap spray step inside the authorized application, so no malicious activity occurs.]

Traps Blocks Exploits That Use Unknown Techniques

[Diagram: even when an unknown exploit technique replaces heap spray, Traps EPM blocks the ROP step that follows, so no malicious activity occurs.]

Exploit Prevention – The User Experience

1. An unsuspecting user opens an infected document (the exploit evades anti-virus).
2. Traps injects itself seamlessly into the process.
3. The exploit technique is attempted and blocked by Traps before any malicious activity is initiated.
4. Traps reports the event and collects detailed forensics: forensic data is collected, the process is terminated, and the user/admin is notified.

Traps is Transparent to the User Until an Exploitation Attempt is Made

Traps Blocks Zero-Day Exploits: Actual Zero-Day Exploits That Traps EPMs Block

Exploit technique → Traps EPM that blocks it:
• CVE-2013-3893 ¹: Heap Spray → Memory Limit Heap Spray Check; ROP → ROP Mitigation / UASLR; Utilizing OS Function → DLL Security
• CVE-2013-3346 ²: Heap Spray → Memory Limit Heap Spray Check; DEP Circumvention → UASLR / Shellcode Preallocation; Utilizing OS Function → DLL Security
• CVE-2015-0310/0311 ³: ROP → ROP Mitigation; JIT Spray → JIT Mitigation; Utilizing OS Function → DLL Security

Preventing One Technique in the Chain will Block the Entire Attack

¹ Operation Deputy Dog (CVE-2013-3893) ² Snake Campaign (CVE-2013-3346) ³ Forbes Cyber-Espionage Campaign (CVE-2015-0310/0311)

Collect Attempted-Attack Forensics

[Diagram: Traps collects ongoing forensics continuously, and attack-related forensic data when an exploit or malware hits a trap and triggers real-time prevention.]

Collect Attempted-Attack Forensics: Additional Details on Traps Forensic Data Collection

Attack-related forensic data (when an exploit or malware hits a trap and triggers real-time prevention):
§ Time stamp and full memory dump
§ Triggering file (non-executable)
§ File source, names and paths
§ File hash
§ Prevented exploitation technique
§ IP address
§ OS version
§ Version of attempted vulnerable software
§ Components loaded to memory under the attacked process
§ Indications of further memory corruption activity
§ User name and computer name
§ Accessed URIs; Java applets source URIs
§ Relevant DLL retrievals with their path
§ Relevant files from temp internet folders
§ Traps Automated Dump Analysis

Ongoing recording, for execution of any file:
§ Time of execution
§ File name including parent, grandparent and child processes
§ User name
§ Computer name
§ IP address
§ OS version
§ File’s malicious history

Benefits: Integrate into an Enterprise Security Platform

A. Architecture: § Scalability § Ease of security administration
B. Operational Capabilities: § Footprint § Performance impact
C. Platform Coverage: § Physical systems § Virtual systems
D. Threat Intelligence: § Integrated threat intelligence § Threat data sharing

A. Scalable Architecture: Traps Architecture Leverages a Scalable Endpoint Security Manager (ESM)

Endpoint Security Manager (ESM), a 3-tier management structure:
§ ESM Console
§ Database
§ ESM Server(s): each supports 10,000 endpoints and scales horizontally

Integrations: SMTP alerting, SIEM / external logging, the WildFire threat intelligence cloud, and forensic folder(s).

Endpoints running Traps connect on premise or off premise.

B. Flexible, Scalable, with Minimal Footprint: Traps endpoints use minimal resources with multi-method prevention

Performance (footprint):
§ 0.1% CPU load
§ 50 MB RAM
§ 250 MB HDD footprint required
§ No scanning
§ No impact on shared resources
§ Physical & virtual systems

Prevention (protection):
§ Out-of-the-box protection for common applications
§ Extensible protection to any application upon instantiation
§ Protects systems after end-of-support
§ Not signature-based
§ Prevention of known & unknown exploits
§ Patching-independent

Scalability (management):
§ All major Windows editions
§ On-demand elasticity
§ Central policy management
§ Full SIEM integration support
§ Built-in license management
§ Integrated threat intelligence platform
§ Role-based access control

C. Flexible Platform Coverage

Workstations:
§ Windows XP (32-bit, SP3 or later) *
§ Windows Vista (32-bit, 64-bit, SP1 or later; FIPS mode)
§ Windows 7 (32-bit, 64-bit, RTM and SP1; FIPS mode; all editions except Home)
§ Windows Embedded 7 (Standard and POSReady)
§ Windows 8 (32-bit, 64-bit) *
§ Windows 8.1 (32-bit, 64-bit; FIPS mode)
§ Windows Embedded 8.1 Pro
§ Windows 10 Pro (32-bit and 64-bit)
§ Windows 10 Enterprise LTSB

Servers:
§ Windows Server 2003 (32-bit, SP2 or later) *
§ Windows Server 2003 R2 (32-bit, SP2 or later)
§ Windows Server 2008 (32-bit, 64-bit; FIPS mode)
§ Windows Server 2008 R2 (32-bit, 64-bit; FIPS mode)
§ Windows Server 2012 (all editions; FIPS mode)
§ Windows Server 2012 R2 (all editions; FIPS mode)

Virtual environments:
§ VMware ESX
§ Citrix XenServer
§ Oracle VirtualBox
§ Microsoft Hyper-V

* Microsoft no longer supports this operating system.

D. Threat Intelligence Cloud

WildFire: >10,000 WildFire customers, >30,000 sensors, global analysis & threat knowledge.

Threat Intelligence Cloud: malware/APT feeds, C&C/DNS signatures, malware signatures and URL signatures, with ~30,000 customers protected within 5 minutes.

WanaCrypt0r: How Palo Alto Networks Protects You

Protection timeline (slide axis: August 2016, April 18 2017, May 12 2017, May 13 2017):
• August 2016: Shadow Brokers leak.
• April 18, 2017: Threat Prevention content release 688-2964 blocks the vulnerability exploit: CVE-2017-0144 (TID 32422) and MS17-010 (TIDs 32494, 32424, 32427, 32393, 32716, 32422). Protection was in place prior to the attack.
• May 12, 2017: WanaCry 2.0 spreads; Traps local analysis prevents execution of the ransomware.
• 2:30 am: WildFire protections deployed.
• 2:34 am: AutoFocus tag created; threat analytics and hunting enabled.
• 3:01 am: AV name Trojan-Ransom/Win32.wanna.a (Unique Threat ID 179222880), so customers without WildFire can deploy automated preventive measures.
• 3:52 am: AV name Trojan-Ransom/Win32.wanna.b (Unique Threat ID 179224458).

How each component helps:
• WildFire: identifies and prevents new malware and exploits with continuous analysis; provides protection feeds every 5 minutes.
• Threat Prevention: protection against the vulnerability exploit and known malware.
• AutoFocus: a view into WildFire data for the latest analytics and hunting; extraction of relevant IoCs; alerts to 3rd-party solutions.
• Traps: ongoing protection for endpoints via local analysis and continuous WildFire updates; preemptively blocks known and unknown malware and exploits; automates prevention by reprogramming itself using threat intelligence from WildFire.

Traps Multi-Method Prevention Blocks WanaCrypt0r

WildFire Threat Intelligence
◉ Automatically blocks all previously-seen samples of WanaCrypt0r malware
◉ Enabled by default

Traps Local Analysis (via Machine Learning)
◉ Automatically blocks new and never-before-seen samples of WanaCrypt0r malware
◉ Protected Traps customers since before the first report of WanaCrypt0r surfaced
◉ Enabled by default

WildFire Analysis
◉ Traps automatically submits unknown samples of WanaCrypt0r to WildFire for analysis
◉ Enabled by default
◉ Traps can easily be configured to prevent execution of unknown programs until a WildFire verdict is available

Traps Malicious Process Control
◉ Automatically prevents WanaCrypt0r malware from launching new executables to propagate itself
◉ A new Content Update automatically applies the protection policies

Summary: WildFire Threat Intelligence automatically blocks all previously-seen samples of WanaCrypt0r malware; Traps Local Analysis blocks new and never-before-seen variants; WildFire Analysis receives unknown executables for rapid detection and prevention; Traps Malicious Process Control controls the launching of executables that WanaCrypt0r uses to propagate itself.

Complete security delivered as a platform

[Diagram: the Threat Intelligence Cloud (WildFire, Threat Prevention, AutoFocus, URL Filtering; automated) feeds the Next-Generation Firewall (including VM-Series and GlobalProtect) for the network, Advanced Endpoint Protection (Traps) for the endpoint, and Aperture for the cloud; natively integrated and extensible.]

Additional tips to protect against WanaCrypt0r
• Always install the latest security updates and patches (prevents EternalBlue)
• Patch the SMB vulnerability (MS17-010)
• Consider disabling SMBv1 or segmenting and minimizing internal SMB traffic (reduce the attack surface)
• Block TCP port 445 to the Internet (prevent propagation)
• Block port 445 at the perimeter
• Deploy IPS signatures
• Enable DNS sinkholes
• Use an endpoint protection solution with multi-method prevention
• Back up your files on an external drive or other appropriate medium
• Practice security basics and maintain security awareness

Anti-Spyware Signature for DoublePulsar
The spyware signature to prevent DoublePulsar was published on the 2nd of May, and this would have prevented this C2 channel on existing customer networks.
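A check for the “disable SMBv1 / block 445” items above, as an added example rather than anything from the original deck: it sends an SMB_COM_NEGOTIATE that offers only the NT LM 0.12 dialect and classifies the reply, so a host that still accepts SMBv1 on TCP/445 is reported as exposed. Hosts are supplied on the command line (none are built in), the `sample_response()` reply is constructed rather than captured, and the classification assumes that a server with SMBv1 disabled either closes the connection or selects no dialect.

```python
"""Added example (not Palo Alto Networks code): report hosts that still speak
SMBv1, the dialect the EternalBlue exploit needs. Assumes TCP/445 and that a
server with SMBv1 disabled closes the connection or selects no dialect."""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_DIALECT = b"NT LM 0.12"          # the dialect spoken by SMBv1 / CIFS
HEADER_FMT = "<4sBIBHH8sHHHHH"        # 32-byte SMB1 header, little-endian


def smb1_header(command, pid=0x1234, mid=1, flags=0x18):
    """Pack a 32-byte SMB1 header: status 0, no signing, TID and UID 0."""
    return struct.pack(HEADER_FMT, SMB1_MAGIC, command, 0, flags,
                       0xC853, 0, b"\x00" * 8, 0, 0, pid & 0xFFFF, 0, mid)


def build_smb1_negotiate(dialects=(SMB1_DIALECT,)):
    """SMB_COM_NEGOTIATE offering only SMBv1 dialects, framed for TCP/445.
    With no 'SMB 2.xxx' entry an SMB1-capable server must answer in SMB1,
    while a server with SMB1 disabled has nothing it can select."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # Dialect[] entries
    body = smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(data)) + data
    return b"\x00" + len(body).to_bytes(3, "big") + body       # NetBIOS session header


def parse_negotiate_response(raw):
    """Classify the server's reply: 'smb1' (a dialect was accepted, the host is
    exposed), 'refused' (SMB1 header but no dialect chosen), 'smb2' (SMB2
    header), or 'none' (no parseable reply, the usual case when SMBv1 is off)."""
    msg = raw[4:] if raw[:1] == b"\x00" else raw               # strip NetBIOS framing
    if msg[:4] == SMB2_MAGIC:
        return "smb2"
    if len(msg) < 35 or msg[:4] != SMB1_MAGIC or msg[4] != SMB_COM_NEGOTIATE:
        return "none"
    status = struct.unpack_from("<I", msg, 5)[0]
    word_count = msg[32]
    if status != 0 or word_count == 0:
        return "refused"
    dialect_index = struct.unpack_from("<H", msg, 33)[0]       # 0xFFFF = nothing matched
    return "refused" if dialect_index == 0xFFFF else "smb1"


def check_smb1(host, port=445, timeout=3.0):
    """Send the SMBv1-only negotiate to host:port and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            raw = sock.recv(4096)
    except OSError:                       # refused, reset, timed out: no SMB1 answer
        return "none"
    return parse_negotiate_response(raw)


def sample_response(dialect_index=0):
    """Constructed (not captured) NT LM 0.12 negotiate reply for offline use:
    WordCount 17 plus the server parameter block, or WordCount 1 with
    DialectIndex 0xFFFF when no offered dialect matched."""
    if dialect_index == 0xFFFF:
        params, data = struct.pack("<BH", 1, 0xFFFF), b""
    else:
        params = bytes([17]) + struct.pack(
            "<HBHHIIIIIIhB", dialect_index, 3, 50, 1, 16644, 65536, 0,
            0x8000E3FD, 0, 0, 0, 8)                            # 34 bytes = 17 words
        data = b"\x00" * 8                                     # 8-byte challenge (zeros)
    body = smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + params + struct.pack("<H", len(data)) + data
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for host in sys.argv[1:]:
        print(host, check_smb1(host))
```

Run it against your own subnet after disabling SMBv1 and confirm every host reports `none` or `refused`; any `smb1` result is a machine the worm could still reach over port 445, independent of whether MS17-010 has been applied there.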

An example of a triggering rule during the exploit:

Traps Content Update
On the 15th of May, a Content Update was created for Traps users as a reactive measure to the behavior of the samples.

Questions?
