Ransomware and commodity malware: What can I really do to prevent it? And how do I look to see if my system has anything odd or malicious?
Michael Gough – Founder
MalwareArchaeology.com
Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
• Creator of
– “Windows Logging Cheat Sheet”
– “Windows File Auditing Cheat Sheet”
– “Windows Registry Auditing Cheat Sheet”
– “Windows PowerShell Logging Cheat Sheet”
– “Windows Splunk Logging Cheat Sheet”
– “Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @HackerHurricane also my Blog
Ransomware
Ransomware
• It sucks
• You probably know someone or YOU have had it
• It dominated the 2016 malware landscape
• 500% increase in the last 2 years
• Estimated $1 BILLION in ransom paid
• Targets consumers
• Targets business
• Even targets TVs!!!
Ransomware
• Anti-Virus is failing us because it is too easy to bypass
• Ransomware heavily uses scripts
• AV doesn’t do scripts
• Even Next Gen Endpoint solutions have had issues due to script usage
• So what can we do to prevent Ransomware?
Ransomware
Let’s look at the flavors of Ransomware
1. Infected Attachments
2. Links to infected websites
Ransomware
• Malicious Attachment
Ransomware
• Malicious link in email or just surfing
Ransomware Types
• Source: Proofpoint
Ransomware
• Home user rules! They don’t back up ;-(
Ransomware
• Attachments in SPAM/Phishing emails
– Office Docs (.Doc, .XLS, .PPT)
– PDFs – contain links
– .js, .jse, .hta, .wsf, .wsh, .PS1
– Zip files with the above attachments inside
– Password protected attachments
• Password is in the body (obvious indicator of BAD)
Ransomware
• URLs in SPAM/Phishing emails
– Javascript auto downloads and executes malware
• .js, .jse, .hta, .wsf, .wsh
– Downloads an Office Doc (.Doc, .XLS)
– Downloads a PDF
– Downloads a Zip file with the above inside
– Downloads a password protected attachment
• Password is in the body (obvious indicator of BAD)
Ransomware
• Drive-by downloads
– Javascript auto downloads and executes malware
• All scripts
• .js, .jse, .hta, .wsf, .wsh
• Can download and call a binary .EXE
Preventing Ransomware
Ransomware
• Believe it or not, you already have what you need to stop ransomware dead cold – for Windows
• And it’s FREE !!!!
• So how can we take the RANSOM out of Ransomware?
Prevention
• Don’t enable Macros or Content EVER!!!! in any Office Documents
• Actually, let’s assume you do enable content, because we can still stop ransomware
• We will go after what the payload actually is and does, and how Windows handles it
• The file extension that is executed when the content is enabled is the key
Default Programs
File Type
Change to Notepad
• .js, .jse, .hta, .wsf, .wsh
Windows Based Script Host
• Get rid of it, they use it to execute the crypto payload
• Consider .vbe, .vbs, .ps1 and .ps1xml too, but these are used in corporate environments
• This only affects double-clicking the file, not using the file properly (cscript bad_file.vbs)
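The slides above show the Default Programs click-through for moving the script extensions to Notepad. The PowerShell below is an added example (not from the deck or from Log-MD) that does the same audit and change from a script: it reports which program currently opens each extension, re-points the five extensions the deck names at Notepad, and re-checks. It assumes an elevated PowerShell session, that `txtfile` is the built-in Notepad ProgID, and that no per-user UserChoice override exists for these extensions (if one does, the double-click handler may differ from what HKCR reports).

```powershell
# Added example, not from the deck: audit and re-point script extension handlers.
# Assumptions: elevated session; "txtfile" is Notepad's built-in ProgID;
# no per-user UserChoice override for these extensions.

$ScriptExtensions = '.js', '.jse', '.hta', '.wsf', '.wsh'     # the five the deck says to change
$Optional         = '.vbe', '.vbs', '.ps1', '.ps1xml'          # deck: consider, but used in corporate environments

function Get-ExtensionHandler {
    param([Parameter(Mandatory)][string]$Extension)
    # HKCR\<ext> (default) names the ProgID; the ProgID's shell\open\command is what a double-click runs
    $progId  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{
        Extension = $Extension
        ProgId    = $progId
        Command   = $command
        # wscript/cscript/mshta in the command means a double-click executes the script
        Executes  = [bool]($command -match 'wscript\.exe|cscript\.exe|mshta\.exe')
    }
}

function Set-ExtensionToNotepad {
    param([Parameter(Mandatory)][string[]]$Extensions)
    foreach ($ext in $Extensions) {
        # assoc writes HKLM\SOFTWARE\Classes\<ext>, hence the admin requirement
        cmd.exe /c "assoc $ext=txtfile" | Out-Null
    }
}

# Audit everything first ...
($ScriptExtensions + $Optional) | ForEach-Object { Get-ExtensionHandler $_ } | Format-Table -AutoSize

# ... then change only the five the deck calls out, and re-check them.
Set-ExtensionToNotepad -Extensions $ScriptExtensions
$ScriptExtensions | ForEach-Object { Get-ExtensionHandler $_ } | Format-Table -AutoSize

# As the slide says: this only changes what a double-click does.
# "cscript some_file.vbs" typed at a prompt still runs the script.
```

Run the audit half alone on a few workstations before changing anything; the `Executes` column is the one to watch, and it is also a quick way to confirm the change stuck after a Group Policy refresh or a software install that re-registers file types.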
Corporate email
• Drop these file types at the email gateway and you will block 90% or more of what users see that gives them ransomware
• .js, .jse, .hta, .wsf, .wsh, .vbe, .vbs
• There is no reason these will be emailed to you; if they must be, just encrypt with a password, and do NOT include the password in the body of the message.
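As an added example (not from the deck), here is what "drop these file types at the gateway" looks like when the gateway is Exchange. It assumes the Exchange management cmdlets are loaded in the session (on-prem or Exchange Online), and the rule names are made up. The second rule only tags password-protected attachments for review rather than dropping them, since the deck's own advice relies on password-protected sending for the rare legitimate case.

```powershell
# Added example, not from the deck. Assumes an Exchange management session;
# rule names are invented for illustration.

# The seven extensions the slide lists, without the leading dot
$BlockedExtensions = 'js', 'jse', 'hta', 'wsf', 'wsh', 'vbe', 'vbs'

# Rule 1: silently drop messages carrying any of those attachment types.
# Exchange also looks inside non-encrypted archives for this condition.
New-TransportRule -Name 'Drop script attachments (ransomware carriers)' `
    -AttachmentExtensionMatchesWords $BlockedExtensions `
    -DeleteMessage $true `
    -Comments 'Per the deck: no legitimate reason to email these; if ever needed, password-protect and send the password out of band.'

# Rule 2: encrypted attachments cannot be inspected, so tag them so the
# reader is reminded to check where the password came from.
New-TransportRule -Name 'Tag password-protected attachments' `
    -AttachmentIsPasswordProtected $true `
    -PrependSubject '[PASSWORD-PROTECTED ATTACHMENT] '

# Verify what actually got created
Get-TransportRule | Where-Object { $_.Name -like '*attachments*' } |
    Format-List Name, State, Priority, AttachmentExtensionMatchesWords, AttachmentIsPasswordProtected, DeleteMessage, PrependSubject
```

If your gateway is not Exchange, the same two conditions (attachment extension list, attachment is encrypted) exist under other names on most mail filters; the point of the example is that the extension list comes straight from the slide and needs no signature updates to stay effective.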
Gaps
• We are starting to see more encrypted documents, but they have the password in the body so they are obviously NOT secure
• If a user opens the fake email and opens the file inside, then scripting can be used properly
– cscript some_bad.vbs
• Most will be Office documents and the Macro and/or Content must be enabled
• Office 2013 and 2016 can break this FINALLY
Macro Malware
Group Policy for the WIN
• For corporate users
Or tweak the registry
Office 2016
• HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security
• HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security
• HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security
– In each key listed above, create this value:
– DWORD: blockcontentexecutionfrominternet Value = 1
Office 2013
• HKCU\SOFTWARE\Policies\Microsoft\office\15.0\word\security
• HKCU\SOFTWARE\Policies\Microsoft\office\15.0\excel\security
• HKCU\SOFTWARE\Policies\Microsoft\office\15.0\powerpoint\security
– In each key listed above, create this value:
– DWORD: blockcontentexecutionfrominternet Value = 1
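The registry values above are easy to set by hand for one machine, but the same six keys are tedious to verify across a fleet. The script below is an added example (not from the deck) that creates the value in all six keys listed on the slide and then reads each one back. It assumes it runs as the user whose Office should be protected, because the keys live under HKCU; the function names are invented.

```powershell
# Added example, not from the deck: apply and verify the slide's six registry
# values (Office 2013 = 15.0, Office 2016 = 16.0; Word, Excel, PowerPoint).
# Assumption: runs in the context of the user being protected (HKCU keys).

$Versions  = '15.0', '16.0'
$Apps      = 'word', 'excel', 'powerpoint'
$ValueName = 'blockcontentexecutionfrominternet'   # from the slide

function Get-OfficeSecurityKey {
    param([string]$Version, [string]$App)
    "HKCU:\SOFTWARE\Policies\Microsoft\office\$Version\$App\security"
}

function Set-OfficeInternetMacroBlock {
    param([string[]]$Versions, [string[]]$Apps)
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = Get-OfficeSecurityKey -Version $v -App $app
            # Policies\Microsoft\office usually does not exist until a policy is set
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Test-OfficeInternetMacroBlock {
    param([string[]]$Versions, [string[]]$Apps)
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = Get-OfficeSecurityKey -Version $v -App $app
            $val = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
            [pscustomobject]@{
                Office  = $v
                App     = $app
                Key     = $key
                Blocked = ($val -eq 1)   # $false if the key or value is missing
            }
        }
    }
}

Set-OfficeInternetMacroBlock  -Versions $Versions -Apps $Apps
Test-OfficeInternetMacroBlock -Versions $Versions -Apps $Apps | Format-Table -AutoSize
```

The verify function is the part worth keeping around: it returns `Blocked = $false` for any key that is missing or set to a different value, so it doubles as a compliance check after Group Policy has supposedly pushed the same setting.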
#WINNING
• After adding these tweaks you will see this when you try and enable a macro and/or content
• You can unblock if truly needed and trusted
Ransomware Prevented
• If you do these simple things, which are all FREE, you will curb ransomware infections by 90-95% or more
• This does not address malicious binaries: .EXE files or .DLL files
• Whitelisting with Software Restriction Policies or AppLocker will be needed for this
Whitelisting
Software Restriction Policies
• Block all executions from “C:\Users\*”
• Block all USB executions from “E:\*”
Software Restriction Policies
• If you set to block like I do, then when you try to launch or install something, or an update runs, it will fail
• Generates an Event ID 866 in the Application Log
• Copy the path that failed and create an exception
• Be careful of over trusting generic paths
• Use a * to genericize an entry, e.g. C:\Users\*
AppLocker
• ONLY works in Windows Enterprise versions
• Screw you Microsoft ;-(
• Has an Audit only mode so it can detect what would be blocked, to allow you to tweak the policy before enforcing
• Does DLLs
• Does Scripts
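Both the SRP slide (copy the path from Event ID 866 and build an exception) and the AppLocker slide (audit mode shows what would be blocked) come down to the same chore: pull the block events, group them by folder, and decide which exceptions are justified without over-trusting a generic path. The script below is an added example (not from the deck or from Log-MD) that does that for both sources. It assumes an elevated session on the host being tuned, that AppLocker audit events are 8003 in the "EXE and DLL" log and 8006 in the "MSI and Script" log, and that the SRP 866 message reads "Access to <path> has been restricted ..."; that last wording is a regex assumption, so compare it against one real event before relying on it.

```powershell
# Added example, not from the deck: triage SRP (Event 866) and AppLocker audit
# events into per-folder exception candidates. Assumptions: elevated session;
# AppLocker audit IDs 8003 (EXE/DLL) and 8006 (MSI/Script); the 866 message
# text matches the regex below (verify against a real event first).

function Get-SrpBlockedPaths {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 866; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'Access to (?<path>.+?) has been restricted') {
                [pscustomobject]@{ Time = $_.TimeCreated; Path = $Matches.path; Source = 'SRP-866' }
            }
        }
}

function Get-AppLockerAuditPaths {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $logs = @{
        'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003   # "would have been blocked" (audit mode)
        'Microsoft-Windows-AppLocker/MSI and Script' = 8006
    }
    foreach ($log in $logs.Keys) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $logs[$log]; StartTime = $since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                # AppLocker puts the file path in UserData\RuleAndFileData\FilePath,
                # usually in %OSDRIVE%\... form rather than C:\...
                $xml = [xml]$_.ToXml()
                [pscustomobject]@{ Time = $_.TimeCreated; Path = $xml.Event.UserData.RuleAndFileData.FilePath; Source = "AppLocker-$($logs[$log])" }
            }
    }
}

function Group-BlockedPaths {
    param([Parameter(ValueFromPipeline)]$Event)
    begin   { $all = @() }
    process { $all += $Event }
    end {
        # One line per parent folder: Hits says how much noise an exception
        # would silence; TooGeneric flags a whole profile or a drive root,
        # which is the "over trusting generic paths" case from the slide.
        $all | Group-Object { Split-Path $_.Path -Parent } |
            Sort-Object Count -Descending |
            ForEach-Object {
                $folder = $_.Name
                $tooGeneric = ($folder -match '^[A-Z]:\\Users\\[^\\]+\\?$') -or ($folder -match '^[A-Z]:\\?$')
                [pscustomobject]@{
                    Folder     = $folder
                    Hits       = $_.Count
                    Sources    = ($_.Group.Source | Sort-Object -Unique) -join ','
                    TooGeneric = $tooGeneric
                    Example    = $_.Group[0].Path
                }
            }
    }
}

@(Get-SrpBlockedPaths) + @(Get-AppLockerAuditPaths) | Group-BlockedPaths | Format-Table -AutoSize
```

A folder with a high hit count and a single product under it (an updater's own directory, say) is a reasonable exception; a folder flagged `TooGeneric` should get a rule for the specific file or publisher instead, or you are back to allowing everything under the user's profile, which is exactly where the scripts from the earlier slides land.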
How to inspect a system and improve logging
Log-MD
• The Log and Malicious Discovery tool
• Audits your system and produces a report
• Also shows failed items on the console
• Helps you configure proper audit logging
• ALL VERSIONS OF WINDOWS (Win 7 & up)
• Helps you enable what is valuable
• Compares to many industry standards
– CIS, USGCB and AU standards and the “Windows Logging Cheat Sheet”
Free Edition
• Collect 1-7 days of logs
• Over 20 reports
• Full filesystem Hash Baseline
• Full filesystem compare to Hash Baseline
• Full system Registry Baseline
• Full system compare to Registry Baseline
• Large Registry Key discovery
• Over 25 reports
• Interesting Artifacts report
• WhoIS resolution of IPs
• SRUM (netflow from/to a binary)
• AutoRuns report with whitelist and MD
• More Whitelisting
• Master-Digest to exclude hashes and files
Resources
• Websites
– MalwareArchaeology.com
– Log-MD.com – The tool
• The “Windows Logging Cheat Sheet”
– MalwareArchaeology.com
• Malware Analysis Report links too
– To start your Malware Management program
Questions?
• You can find us at:
• @HackerHurricane
• @Boettcherpwned
• Log-MD.com
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• http://www.slideshare.net

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

What can you do about ransomware

14. Ransomware
• Attachments in SPAM/Phishing emails
– Office Docs (.Doc, .XLS, .PPT)
– PDFs – contain links
– .js, .jse, .hta, .wsf, .wsh, .PS1
– Zip files with the above attachments inside
– Password protected attachments
• Password is in the body (obvious indicator of BAD)

15. Ransomware
• URLs in SPAM/Phishing emails
– Javascript auto downloads and executes malware
• .js, .jse, .hta, .wsf, .wsh
– Downloads an Office Doc (.Doc, .XLS)
– Downloads a PDF
– Downloads a Zip file with the above inside
– Downloads a password protected attachment
• Password is in the body (obvious indicator of BAD)

16. Ransomware
• Drive-by downloads
– Javascript auto downloads and executes malware
• All scripts
• .js, .jse, .hta, .wsf, .wsh
• Can download and call binary .EXE
18. Ransomware
• Believe it or not you already have what you need to stop ransomware dead cold
– For Windows
• And it’s FREE !!!!
• So how can we take the RANSOM out of Ransomware?

19. Prevention
• Don’t enable Macros or Content EVER!!!! In any Office Documents
• Actually let’s assume you do enable content, because we can still stop ransomware
• We will go after what the payload actually is and does and how Windows handles it
• The file extension that is executed when the content is enabled is the key

22. Change to Notepad
• .js, .jse, .hta, .wsf, .wsh

23. Windows Based Script Host
• Get rid of it, they use it to execute crypto
• Consider .vbe, .vbs, .ps1 and .ps1xml too, but this is used in corporate environments
• This only affects double-clicking the file, not using the file properly (cscript bad_file.vbs)
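One way to apply the "change to Notepad" advice from slides 22 and 23 in bulk. This is an added example, not code from the slides or from Log-MD; it assumes a stock Windows install where the ProgIds for these extensions (JSFile, JSEFile, htafile, WSFFile, WSHFile) still point at WScript.exe or mshta.exe, and it writes only under HKCU so it needs no admin rights and is reverted by deleting the keys it creates.

```powershell
# Added example (not from the slides): per-user override that makes the
# double-click handler for Windows Script Host file types open the file in
# Notepad instead of executing it. Explicit invocation (cscript.exe x.vbs,
# wscript.exe x.js) is unaffected, which is the caveat slide 23 makes.

$ScriptExtensions = @('.js', '.jse', '.hta', '.wsf', '.wsh')
# Slide 23 suggests also considering these outside corporate environments:
# $ScriptExtensions += '.vbs', '.vbe'

function Get-ExtensionProgId {
    # The default value of HKCR\.ext names the ProgId (e.g. .js -> JSFile,
    # .hta -> htafile) whose shell\open\command decides what double-click runs.
    param([Parameter(Mandatory)][string]$Extension)
    $key = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
}

function Set-ScriptHandlerToNotepad {
    param([Parameter(Mandatory)][string]$Extension)
    $progId = Get-ExtensionProgId -Extension $Extension
    if (-not $progId) {
        Write-Warning "$Extension has no registered ProgId; skipping"
        return
    }
    # HKCU\Software\Classes is merged over HKLM\Software\Classes in HKCR, so a
    # per-user copy of the ProgId's open command shadows the machine-wide
    # WScript.exe / mshta.exe handler without touching HKLM.
    $cmdKey = "HKCU:\Software\Classes\$progId\shell\open\command"
    if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value 'notepad.exe "%1"' -Type String
    [PSCustomObject]@{
        Extension = $Extension
        ProgId    = $progId
        Command   = (Get-ItemProperty -Path $cmdKey).'(default)'
    }
}

function Test-ScriptHandlerIsNotepad {
    # Reads the merged HKCR view, i.e. what Explorer will actually resolve.
    param([Parameter(Mandatory)][string]$Extension)
    $progId = Get-ExtensionProgId -Extension $Extension
    if (-not $progId) { return $false }
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    return [bool]($cmd -match 'notepad\.exe')
}

$ScriptExtensions | ForEach-Object { Set-ScriptHandlerToNotepad -Extension $_ } | Format-Table -AutoSize
$ScriptExtensions | ForEach-Object {
    [PSCustomObject]@{ Extension = $_; OpensInNotepad = (Test-ScriptHandlerIsNotepad -Extension $_) }
} | Format-Table -AutoSize
```

If a user has picked a different program through "Open with", Explorer honours that UserChoice entry rather than the default ProgId, so after running this, confirm the result the way the slide does: double-click a harmless test file (a .js containing only a comment) and check that Notepad, not WScript, opens.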
24. Corporate email
• Drop these file types at the email gateway and you will block 90% or more of what users see that gives them ransomware
• .js, .jse, .hta, .wsf, .wsh, .vbe, .vbs
• No reason these will be emailed to you; if so, just encrypt with a password, and do NOT include the password in the body of the message.
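What the slide 24 gateway rule looks like on one common gateway. This is an added example, not from the slides; it assumes an Exchange Server or Exchange Online management session with rights to create mail flow (transport) rules, and the rule name and rejection text are made up for the example.

```powershell
# Added example (not from the slides): an Exchange mail flow rule that rejects
# inbound mail carrying the script extensions slide 24 lists. Assumes an
# Exchange / Exchange Online PowerShell session. Name and reject text are
# placeholders.

# Extensions are given without the leading dot, as the predicate expects.
$BlockedExtensions = @('js', 'jse', 'hta', 'wsf', 'wsh', 'vbe', 'vbs')

# Start in Audit mode to measure how much legitimate mail (if any) would be
# hit, then switch to Enforce once the rule has been reviewed.
$rule = New-TransportRule -Name 'Block WSH script attachments' `
    -AttachmentExtensionMatchesWords $BlockedExtensions `
    -RejectMessageReasonText 'Script attachments are not accepted. If the file is legitimate, send it in a password-protected archive and share the password out of band, never in the message body.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit -Enabled $true

# Confirm what was created, then enforce it.
Get-TransportRule -Identity $rule.Name | Format-List Name, Mode, AttachmentExtensionMatchesWords
Set-TransportRule -Identity $rule.Name -Mode Enforce
```

The reject text repeats the slide's own advice: a password-protected archive is acceptable only when the password travels separately from the message.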
25. Gaps
• We are starting to see more encrypted documents, but they have the password in the body so obviously NOT secure
• If a user opens the fake email and opens the file inside, then scripting can be used properly
– cscript some_bad.vbs
• Most will be Office documents and the Macro and/or Content must be enabled
• Office 2013 and 2016 can break this FINALLY

27. Group Policy for the WIN
• For corporate users

28. Or tweak the registry
Office 2016
• HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security
• HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security
• HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security
– In each key listed above, create this value: DWORD: blockcontentexecutionfrominternet Value = 1
Office 2013
• HKCU\SOFTWARE\Policies\Microsoft\office\15.0\word\security
• HKCU\SOFTWARE\Policies\Microsoft\office\15.0\excel\security
• HKCU\SOFTWARE\Policies\Microsoft\office\15.0\powerpoint\security
– In each key listed above, create this value: DWORD: blockcontentexecutionfrominternet Value = 1
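The six registry writes from slide 28 as one script, with a read-back so you can see which Office app/version combinations are actually covered. This is an added example, not code from the slides; it uses exactly the keys and the value the slide gives and assumes nothing beyond a Windows host with PowerShell.

```powershell
# Added example (not from the slides): apply the blockcontentexecutionfrominternet
# policy value to Word, Excel and PowerPoint for Office 2016 (16.0) and
# Office 2013 (15.0) under HKCU, then read it back. The value only affects
# documents carrying the mark of the web (downloaded or mail attachments),
# which is exactly the ransomware delivery path the slides describe.

$OfficeVersions = @('16.0', '15.0')            # 2016 and 2013
$OfficeApps     = @('word', 'excel', 'powerpoint')
$ValueName      = 'blockcontentexecutionfrominternet'

function Get-OfficeSecurityKey {
    param([string]$Version, [string]$App)
    "HKCU:\SOFTWARE\Policies\Microsoft\office\$Version\$App\security"
}

function Set-OfficeBlockContentFromInternet {
    param([string[]]$Versions = $OfficeVersions, [string[]]$Apps = $OfficeApps)
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = Get-OfficeSecurityKey -Version $v -App $app
            # Policy keys do not exist until a policy is written; create the path.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name $ValueName -Value 1 -Type DWord
        }
    }
}

function Get-OfficeBlockContentFromInternet {
    param([string[]]$Versions = $OfficeVersions, [string[]]$Apps = $OfficeApps)
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = Get-OfficeSecurityKey -Version $v -App $app
            $val = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
            [PSCustomObject]@{
                Version = $v
                App     = $app
                Key     = $key
                Blocked = ($val -eq 1)
            }
        }
    }
}

Set-OfficeBlockContentFromInternet
Get-OfficeBlockContentFromInternet | Format-Table Version, App, Blocked -AutoSize
```

Because the value lives under HKCU, it protects the user who ran the script; for the corporate case slide 27 covers, the same setting is delivered by Group Policy to every user instead.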
29. #WINNING
• After adding these tweaks you will see this when you try and enable a macro and/or content
• You can unblock if truly needed and trusted

30. Ransomware Prevented
• If you do these simple things, which are all FREE, you will curb ransomware infections by 90-95% or more
• This does not address malicious binaries, .EXE files or .DLL files
• Whitelisting with Software Restriction Policies or AppLocker will be needed for this

32. Software Restriction Policies
• Block all executions from “C:\Users\*”
• Block all USB executions from “E:\*”

33. Software Restriction Policies
• If you set to block like I do, then when you try to launch, install or an update runs, it will fail
• Generates an Event ID 866 in the Application Log
• Copy the path that failed and create an exception
• Be careful of over trusting generic paths
• Use a * to genericize an entry: C:\Users\*

34. AppLocker
• ONLY works in Windows Enterprise versions
• Screw you Microsoft ;-(
• Has an Audit only mode so it can detect what would be blocked, to allow you to tweak the policy before enforcing
• Does DLLs
• Does Scripts
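Slide 33 says to copy the path out of each Event ID 866 and slide 34 points at AppLocker's audit-only mode; both come down to reading "blocked" or "would have been blocked" events and turning them into a review list. The block below does that for both sources. It is an added example, not from the slides or from Log-MD; the two sample messages are constructed (the SRP one follows the standard 866 wording, with a placeholder in place of the rule GUID), and the regular expressions assume that wording, so adjust them if your build phrases the events differently. The AppLocker log names and event IDs (8003 for EXE/DLL, 8006 for MSI/script in audit mode) are the standard ones.

```powershell
# Added example (not from the slides): collect SRP Event ID 866 (Application
# log) and AppLocker audit-mode events 8003 / 8006, extract the path that was
# (or would have been) blocked, and list distinct paths for exception review.

function ConvertFrom-RestrictionMessage {
    param([Parameter(Mandatory)][string]$Message)
    # SRP 866: "Access to <path> has been restricted by your Administrator by
    # location with policy rule {GUID} placed on path <rule path>."
    if ($Message -match 'Access to (?<path>.+?) has been restricted .*placed on path (?<rule>.+?)\.?$') {
        return [PSCustomObject]@{ Path = $Matches.path; Rule = $Matches.rule }
    }
    # AppLocker audit: "<path> was allowed to run but would have been prevented
    # from running if the AppLocker policy were enforced."
    if ($Message -match '^(?<path>.+?) was allowed to run but would have been prevented') {
        return [PSCustomObject]@{ Path = $Matches.path; Rule = 'AppLocker (audit)' }
    }
    return $null
}

function Get-BlockedExecutionPaths {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $queries = @(
        @{ LogName = 'Application';                                Id = 866;  StartTime = $since },
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006; StartTime = $since }
    )
    $results = foreach ($q in $queries) {
        # SilentlyContinue: a log with no matching events is not an error here.
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            $parsed = ConvertFrom-RestrictionMessage -Message $_.Message
            if ($parsed) {
                [PSCustomObject]@{
                    Time    = $_.TimeCreated
                    EventId = $_.Id
                    Path    = $parsed.Path
                    Rule    = $parsed.Rule
                }
            }
        }
    }
    # One row per distinct path: this is the list you review before deciding
    # which paths deserve an exception and which are the attack the rule caught.
    $results | Sort-Object Path -Unique
}

# Constructed sample messages so the parser can be exercised without live events.
$samples = @(
    'Access to C:\Users\bob\AppData\Local\Temp\invoice.js.exe has been restricted by your Administrator by location with policy rule {guid-placeholder} placed on path C:\Users\*.',
    '%OSDRIVE%\USERS\BOB\DOWNLOADS\SETUP.EXE was allowed to run but would have been prevented from running if the AppLocker policy were enforced.'
)
$samples | ForEach-Object { ConvertFrom-RestrictionMessage -Message $_ } | Format-Table -AutoSize

# Live query against this host's event logs (last 7 days).
Get-BlockedExecutionPaths -Days 7 | Format-Table -AutoSize
```

The slide's warning about over-trusting generic paths applies to what comes out of this list: an exception for a single installer path is fine, an exception for all of C:\Users\*\AppData would undo the rule.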
35. How to inspect a system and improve logging

36.
• The Log and Malicious Discovery tool
• Audits your system and produces a report
• Also shows failed items on the console
• Helps you configure proper audit logging
• ALL VERSIONS OF WINDOWS (Win 7 & up)
• Helps you enable what is valuable
• Compares to many industry standards
• CIS, USGCB and AU standards and “Windows Logging Cheat Sheet”

37. Free Edition
• Collect 1-7 days of logs
• Over 20 reports
• Full filesystem Hash Baseline
• Full filesystem compare to Hash Baseline
• Full system Registry Baseline
• Full system compare to Registry Baseline
• Large Registry Key discovery

38.
• Over 25 reports
• Interesting Artifacts report
• WhoIS resolution of IPs
• SRUM (netflow from/to a binary)
• AutoRuns report with whitelist and MD
• More Whitelisting
• Master-Digest to exclude hashes and files

39. Resources
• Websites
– MalwareArchaeology.com
– Log-MD.com – The tool
• The “Windows Logging Cheat Sheet”
– MalwareArchaeology.com
• Malware Analysis Report links too
– To start your Malware Management program

40. Questions?
• You can find us at:
• @HackerHurricane
• @Boettcherpwned
• Log-MD.com
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• http://www.slideshare.net