Ransomware detection with Bro Mike Stokkel 13 Sept 2016

Ransomware detection - Bro • Ransomware behavior – SMB ... • Check for SMB traffic ... • Check if SMB action equals Write • Add File analyzer – File over new connection

Apr 16, 2018

Transcript
Page 1: Title

Ransomware detection with Bro
Mike Stokkel
13 Sept 2016

Page 2 (Introduction): Introduction

• Who am I?
  – Mike Stokkel
  – Security Analyst @ Fox-IT
  – Internship at Fox-IT
  – Bachelor July 2016

Page 3: Agenda

• What am I going to talk about?
  – Fox-IT
  – Ransomware
  – Bro Policy
  – Results
  – Demo

Page 4: Fox-IT

Page 5 (Fox-IT): Company

• Located: Delft, The Netherlands
• IT security
  – Managed Security Services
  – Auditing
  – Cryptographic solutions

Page 6 (Fox-IT): Security Operation Center

• Snort-based detection
• Bro

Page 7: Ransomware

Page 8 (Ransomware): Explanation

• Malware
  – Encryption
  – Payment
  – Decryption
• Rising concern

Page 9 (Ransomware): Encryption

• Process
  – Master key (public and private key)
  – Generating a key for the victim
  – Encrypting the victim's key

Page 10 (Ransomware): Impact

• Personal Computer
  – Local files
• Company
  – Network Share
• To pay or not to pay?

Page 11 (Ransomware): Spreading Methods

• Exploit Kits
  – Browser vulnerabilities
• E-mail
  – Malicious document
  – Macros

Page 12 (Ransomware): Exploit Kit

• Version check
• IP check
• Download ransomware payload
• Run payload

Page 13 (Ransomware): Malicious document

• Macro
• VBS script
• Download & execute payload

Page 14 (Ransomware): Remote desktop programs

• TeamViewer hack
• RDP brute force

Page 15 (Ransomware): Detection Methods

• IDS
  – Snort rules
• Problem

Page 16: Bro Policy

Page 17 (Bro Policy): Approach

• Ransomware behavior
  – SMB
• Possible solutions
  – File extension listing
  – Threshold SMB commands
  – Command-and-Control communication

Page 18 (Bro Policy): Entropy

• Randomness of data
• 0 – 8 bits per character

Page 19 (Bro Policy): What about …

• Compressed files
• Images
• PDF
• Mime/Media type

Page 20 (Bro Policy): Functions

• SMB parser
  – Events
    • File over new connection
    • Chunk event
• SumStat
  – Threshold
• Notice.log

Page 21 (Bro Policy): File over new connection

• Check for SMB traffic
• Check for certain filenames
• Check for Mime type
• Check for SMB action
• Check if SMB action equals Write
• Add File analyzer

Page 22 (Bro Policy): Chunk event

• Check if the offset equals 0
• Calculate entropy of data collected from SMB write command
• Use SumStat to add +1 for the threshold
• Write to log file
• Write a Notice.log
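The detection flow on pages 18 to 22 (entropy scoring, MIME and filename screening in the file-over-new-connection step, the offset-0 check and the SumStat threshold in the chunk event) re-created as an added Python model. This is not the deck's Bro policy and not Fox-IT code; the real policy is a Bro script, and the verification here only mirrors its decisions. The threshold, the minimum sample size, the entropy cut-off, the MIME and extension skip lists, and the SMB chunk records fed through the detector are all constructed assumptions.

```python
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed tuning values (the deck gives none): SumStat threshold of
# high-entropy first-chunk writes per client, minimum bytes to score,
# and the entropy above which a chunk is treated as ciphertext.
THRESHOLD = 10
MIN_SAMPLE = 256
ENTROPY_CUTOFF = 7.0

# Slide 19 ("What about ... compressed files, images, PDF"): content that is
# high-entropy by nature. The concrete MIME list is an assumption.
HIGH_ENTROPY_MIME = {"application/zip", "application/gzip", "image/jpeg",
                     "image/png", "application/pdf"}
# Slide 21 "check for certain filenames" modelled as an extension skip list
# (assumption; the deck does not list the names it checks).
SKIP_EXTENSIONS = (".zip", ".gz", ".7z", ".jpg", ".png", ".pdf")


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of a byte string: 0.0 (constant) to 8.0 (uniform), slide 18."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass
class SmbChunk:
    """One SMB write chunk as the SMB parser would hand it to the file framework (constructed)."""
    client: str            # orig_h of the SMB connection
    filename: str          # name from the SMB create request
    action: str            # "WRITE" or "READ"
    mime: Optional[str]    # MIME type sniffed from the file content, None if unknown
    offset: int            # file offset of this chunk
    data: bytes


class RansomwareDetector:
    def __init__(self, threshold: int = THRESHOLD):
        self.threshold = threshold
        self.hits = defaultdict(int)   # stands in for a SumStats counter per client
        self.log = []                  # stands in for the policy's own log stream
        self.notices = []              # stands in for Notice.log entries

    def file_over_new_connection(self, chunk: SmbChunk) -> bool:
        """Slide 21: attach the file analyzer only to SMB writes worth scoring."""
        if chunk.action != "WRITE":
            return False
        if chunk.filename.lower().endswith(SKIP_EXTENSIONS):
            return False
        if chunk.mime in HIGH_ENTROPY_MIME:
            return False
        return True

    def file_chunk(self, chunk: SmbChunk) -> Optional[float]:
        """Slide 22: score the first chunk, bump the counter, raise a notice at the threshold."""
        if chunk.offset != 0 or len(chunk.data) < MIN_SAMPLE:
            return None
        h = entropy_bits_per_byte(chunk.data)
        if h < ENTROPY_CUTOFF:
            return None
        self.log.append((chunk.client, chunk.filename, round(h, 2)))
        self.hits[chunk.client] += 1
        if self.hits[chunk.client] == self.threshold:
            self.notices.append(f"{chunk.client}: {self.threshold} high-entropy SMB writes")
        return h

    def process(self, chunk: SmbChunk) -> None:
        if self.file_over_new_connection(chunk):
            self.file_chunk(chunk)


def ciphertext_like(n: int) -> bytes:
    """Constructed stand-in for encrypted content: chained SHA-256 output."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(b"sample-%d" % i).digest()
        i += 1
    return out[:n]


def run_scenario() -> RansomwareDetector:
    """Constructed traffic: one host overwriting documents with ciphertext, one host copying archives."""
    det = RansomwareDetector()
    plain = b"Quarterly figures, see the attached spreadsheet. " * 8
    for i in range(12):   # victim host writes encrypted content from offset 0
        det.process(SmbChunk("10.0.0.5", f"\\share\\doc{i}.docx", "WRITE", None, 0, ciphertext_like(1024)))
    for i in range(3):    # backup host copies zip archives: high entropy, skipped by extension/MIME
        det.process(SmbChunk("10.0.0.9", f"\\share\\backup{i}.zip", "WRITE", "application/zip", 0, ciphertext_like(1024)))
    det.process(SmbChunk("10.0.0.7", "\\share\\notes.txt", "WRITE", "text/plain", 0, plain))          # plaintext
    det.process(SmbChunk("10.0.0.7", "\\share\\old.bin", "READ", None, 0, ciphertext_like(1024)))     # read, not write
    det.process(SmbChunk("10.0.0.7", "\\share\\big.bin", "WRITE", None, 4096, ciphertext_like(1024)))  # not offset 0
    return det


if __name__ == "__main__":
    d = run_scenario()
    for line in d.log:
        print("log:", line)
    for n in d.notices:
        print("NOTICE:", n)
```

In the real policy the counter is a SumStats reducer with an epoch, so counts decay over time; the plain counter here never resets. The screening steps exist precisely for the benign writers listed on page 25 (browser caches, TrueCrypt/VeraCrypt volumes, printed or newly created documents), which also produce high-entropy first chunks.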

Page 23: Results

Page 24 (Bro Policy): Live Testing

• Two new kinds of Ransomware

Page 25 (Bro Policy): Live Testing

• Two new kinds of Ransomware
  – Google Chrome & Mozilla Firefox
    • Encrypted cache
• Encryption tools
  – TrueCrypt
  – VeraCrypt
• Documents
  – Printing
  – Creating

Page 26: Demo

Page 27 (Demo): Samples

• Locky/Zepto
• Cryptowall
• CTBLocker
• Jigsaw (and all families)
• Mobef
• Shade
• Maktub
• Cerber/Alpha
• Teslacrypt
• Rokku
• Crysis
• Cerber
• Bandarchor

Page 28: Closing

Thank you for having me!