Doesn't It make You WannaCry: Mitigating Ransomware on a Windows Network

BSides Charleston · 2018 · 49:15 · 54 views · Published 2018-11

About this talk
A practical guide to defending Windows networks against ransomware attacks. The talk covers attack vectors including supply chain compromise, phishing, and unpatched servers; demonstrates real-time ransomware behavior and detection; and presents a three-part mitigation strategy: blocking attacks at entry points, containing lateral movement, and ensuring business continuity through validated backups and incident response.

Original YouTube description
Security BSides 2018, College of Charleston, SC, November 10, 2018, @BSidesCHS. Title: "Doesn't It make You WannaCry: Mitigating Ransomware on a Windows Network". Speaker: David Branscome

Transcript [en]

...this type of an issue. At a very high level, these are some of the main characteristics, or the way that ransomware behaves. One of the things that we're seeing now is the use of ransomware to say, look, we found these emails to your girlfriend, or, you know, that your wife doesn't know about, and if you don't let us have our money we're gonna send them to your wife, right, that kind of thing. We had these pictures that we'll send to everybody that you have on Facebook, right. So they're finding ways to leverage human weaknesses and human fear. They do threaten to erase all your data and render your computers inoperable.

The vectors that they typically use are drive-by downloads; email, whether it's spam, just kind of general, or spear-phishing; unpatched internet servers and apps. So you guys heard about the thing that happened down at, right, where the city of Atlanta got infested by SamSam. One of the things I thought was kind of interesting is that during the time that this was actually taking place, where they were in the news every day, and they had, it was Mandiant and a couple other people, come in and they were trying to troubleshoot this, one of the reporters actually did a scan of public-facing IP addresses for City of Atlanta servers, and they found 445 open

to the internet on some of their public servers, while this was still going on, after poor Clyde had already been exploited and they were worldwide news. They still had this. Humans kind of miss things when the chips are down, okay. So that was a broad picture of ransomware. What was different? We are seeing more usage of supply chain infections, I'll talk about it. It used multiple attack techniques, so it did use the EternalBlue exploit, but it also used some other things that we'll talk about. It was very fast, right, we saw the timeline there, that happened within just a few hours. It was destructive, it destroyed the assets, it didn't give the organizations

any opportunity to recover; the whole intent was just to destroy. It did wipe event logs, which is kind of interesting: if your intent is just to destroy a system, why bother taking the time to wipe an event log? Maybe that was just a traditional way of cleaning up, that was just part of the attacker's, yes. And it was a very targeted attack. So let's talk about how it actually happened. So the first thing has to do with that supply chain that we're talking about. So this isn't like many of the traditional viruses or attacks that we see, where an email was sent to somebody and they clicked on a link. What

actually happened here is that a threat actor, that may or may not have been but absolutely positively was Russia, wanted to attack Ukraine. So rather than trying to penetrate each and every organization within Ukraine and dumping this malware onto those organizations, what they decided to do was compromise this, so things like TurboTax, were quickly... So a lot of organizations that use, or they do business with, the government in Ukraine use, and that's kind of the tool that they use for their accounting. So the threat actor infiltrated the M.E.Doc financial application, and what was interesting is that M.E.Doc pushes updates to their clients, right, just like many, many custom, any software vendors do today. So they

compromised M.E.Doc, inserted the NotPetya payload into the next update, and then when the update gets delivered to all their customers, essentially they've used M.E.Doc as their SMS, right, or SCCM, and they push that to all the customers, and then it was today, pretty much simultaneously across all. So that's how it got in. It was able to launch the malicious code on the devices. From there it did use the EternalBlue or the Eternal exploit, and so that was the way that it initially made the attack. How it got from machine to machine is credential theft. So if a user had the same credentials from one machine to the

other, it just traversed from one machine to the next, using those credentials over and over again. So that was where we were talking about multiple attack vectors; it wasn't just using the Eternal exploit. Some of the other things that were interesting about it were that, what it would do to find other machines on the network, it would look at the network adapter, figure out what subnet it was on, and understand, okay, I know how many machines roughly are on this subnet, let me try to reach out to those guys. It encrypted your master file table, made the system completely unreadable, fairly useless. Cleared the Windows event logs. And the question is, you know, what are the things they did do before it just

made the system completely inoperable. So it was a very destructive attack, very sophisticated; I wouldn't say very sophisticated, but it was very coordinated in the way that they made this attack happen. So from Microsoft's perspective, some of the things that we saw: the attack was less widespread than WannaCry, but it was much more severe. So WannaCry, depending on which news report you believe or subscribe to, they say that it had about a four billion to a billion dollar impact worldwide. NotPetya, just within that three-hour time frame, about ten billion dollars of impact on commercial organizations, and so much more severe. The second thing, which again was something that the crane
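The subnet sweep described above, one workstation reaching out to many peers over SMB within a short window, is one of the few propagation behaviours a defender can spot in ordinary firewall or flow logs. The following is an added example, not code from the talk, that scans constructed log lines for that fan-out pattern; the log format, the addresses, the thresholds and the allowlisted deployment server are all assumptions.

```python
"""Flag hosts that fan out to many peers on TCP/445 within a short window.

Added illustration for the subnet-sweep behaviour described in the talk;
not the speaker's code. The log format and all addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow-log format: "<ISO timestamp> <src> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")

# Constructed sample: one ordinary client, one malformed line, a workstation
# sweeping its /24 on 445, and a management server legitimately doing the same.
SAMPLE_LOG = [
    "2018-06-27T10:30:05 10.10.10.16 -> 10.10.10.5:445 tcp",
    "2018-06-27T10:31:12 10.10.10.16 -> 10.10.10.5:445 tcp",
    "2018-06-27T10:31:40 10.10.10.16 -> 10.10.10.6:443 tcp",
    "this line is not a flow record",
]
SAMPLE_LOG += [f"2018-06-27T10:32:{s:02d} 10.10.10.15 -> 10.10.10.{2 + s}:445 tcp"
               for s in range(12)]
SAMPLE_LOG += [f"2018-06-27T10:40:{s:02d} 10.10.10.20 -> 10.10.10.{2 + s}:445 tcp"
               for s in range(12)]

# Hosts expected to fan out over SMB (assumed: a software deployment server).
KNOWN_FANOUT_HOSTS = frozenset({"10.10.10.20"})


def parse_line(line):
    """Return (timestamp, src, dst, dport, proto) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()


def find_smb_sweeps(lines, window_seconds=60, min_peers=8, allowlist=frozenset(), port=445):
    """Map each source that reached >= min_peers distinct hosts on `port` within
    any window_seconds-long window to the sorted list of those peers."""
    per_src = defaultdict(list)           # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, proto = rec
        if dport != port or proto != "tcp" or src in allowlist:
            continue
        per_src[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        best = set()
        for i, (start, _) in enumerate(events):
            # distinct peers reached in the window opening at this event
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) > len(best):
                best = peers
        if len(best) >= min_peers:
            alerts[src] = sorted(best)
    return alerts


if __name__ == "__main__":
    for src, peers in find_smb_sweeps(SAMPLE_LOG, allowlist=KNOWN_FANOUT_HOSTS).items():
        print(f"possible SMB sweep from {src}: {len(peers)} peers in 60s, e.g. {peers[:3]}")
```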

had mentioned, was the idea of backups. And so the problem was, most organizations take backups and plan for those backups to be used if a server goes down, or two servers go down, or ten servers go down. But the problem is, if all of your servers go down, including the backup server, then what's your story? If your backups have been encrypted, then what do you do? So we'll talk about that in just a few minutes. And actually what they ended up doing was having to go to off-site backups, taking those tapes, rebuilding entire servers from just bare metal, using printed documentation, if it even existed, because how often do people update their printed

documentation? It was a very challenging situation. Actually, funny aside, we're gonna say, but Maersk, if anything, did you have a chance to read... exactly, exactly. Did any of you have a chance to read the Wired.com article about NotPetya? If you get a chance, it is a fascinating read, so just look up Wired.com NotPetya. What actually ended up happening with Maersk, which is a big global shipping company, and they were just absolutely devastated. So something like seventy thousand machines were just flattened, and so they're scrambling around trying to figure out how do we recover, how do we recover, and they're looking at their domain controllers. All the domain controllers are down except

for one. So they said, what's going on here? So they figured out that this one domain controller was sitting in Ghana, in Africa, and it had a power failure the day before, and so it couldn't get back on the network. So this one server sitting in Africa was the key to them restoring their entire global operation. So they had the guy that was the IT admin there in Ghana, they said, you've got to get this server back up to us, you know, get on a plane as fast as you can, I mean, whatever it costs, just get this thing up to us in Norway, or... as they were, the guy said, I can't

do it. So they said, what, do you have a visa to get to...? They said, well, I can go to Nigeria. Okay, go to Nigeria and we'll meet you in Nigeria. So they met him in Nigeria, and this guy, you know, his hands shaking, hands over the disk that is literally all that the company has left of their network, and they were able to...

This was another challenge. So Microsoft obviously wants everybody to be in the cloud, wants you to use as much Azure and Office 365 and all. The problem was, in many of the larger organizations, Office 365 was still functional, but if you have Active Directory Federation Services configured, or if you're doing Active Directory sync, through maybe AD Connect, I should say, if you're doing that, and the servers that perform those functions get encrypted, then you're out of luck, right. Those servers are basically allowing you to authenticate against your domain controllers on-premise rather than in the cloud. Now there are ways around it, you can change the authentication mechanism, but for the time being they were stuck. And so we saw global

organizations using text messaging, WhatsApp, Twitter to communicate with each other to get their recovery process started. It was a very, very tumultuous time for most people. So there were some

particularly like with Boeing, right. So with Boeing, when they were hit, it was a few machines that were still running Windows 7, but by and large Boeing was right, and they had Secure Boot set up, they had all the security bells and whistles going. They probably didn't know about your compromise, but that wasn't being exploited at that time, and I mean, they should be. So if you think about it, under what circumstances does Bob's computer sitting here need to talk to Sally's computer, just a regular client-to-client communication? How often does that actually happen? Should it happen? It should... Right, now you can say, oh well, what about Skype messaging? That's peer-to-peer, okay, great,

there, use IPsec, use some kind of firewall rule that allows that communication but doesn't allow anything else, because that ability to hop from machine to machine to machine is what allowed this thing to move so quickly. And this is what we're describing here: it used multi-channel propagation. So even in some of the organizations where they had 97% of machines patched against the EternalBlue exploit, they still were devastated, because they were using the same admin password and username on all these machines. So you could be patched across most of your machines, and if one of them was vulnerable, then that machine could get compromised, and then from there the credential theft happened, and it didn't

even matter if you patched at that point.

So if you need to have a VPN server, remote access, as they require you to confirm that your computer is free of viruses? Yep. So it requires identity defenses as well as things like patches, targeted attacks. So I'll talk about a couple of the mitigations that Microsoft has available to you. I'll tell you why some of them don't work, okay. So how do you defend a Microsoft network? This is your adversary's business model: if the value of the data is greater than the cost to breach, then you're a target; otherwise they're gonna target somewhere else. Now if you're talking about, like, NotPetya, if a country is going against an adversary country, money is probably not

even an object, so it's not a business model at that point, it's a political model. But by and large, if you're dealing with a financial crime or some sort of attempt to compromise you from the financial side, this model holds true: if it costs too much to attack you, then they'll move on to someone else. So there's a three-part strategy to this protection. There's the idea of blocking the attacks at the front line, I'll talk about that; the defense is, once the attackers have compromised somebody on your network, how do you contain them; and then when things all go badly, what's your break-glass solution? So let's take a look at

the idea of raising the attacker cost to compromise your entry points. Mm-hmm, you know, I forgot, I meant to do this in the beginning. So during lunch I put an Amazon gift card under a couple of the chairs here, I taped it to the bottom, so if you want to check and see, it should be like a blue envelope, okay. And that's why phishing works.

That's why phishing works. So protections with personalized... yeah, so I'll actually show you something in just a second, it kind of ties in directly with what you're talking about there. So we have to have protections on our mail systems to prevent phishing, to prevent spam from coming in. You have phish, so they're outside, but within Office 365 there's also what we call the

obviously apply security updates, user education, yeah, people don't listen, they don't learn, they don't remember, but I'll still tell you a story about what happened within Microsoft. So let me show you the Attack Simulator first and then we'll get into the other. So how many of you are using Office 365? Okay, so in Office 365, depending on the licensing you've got, you've got this thing called the Attack Simulator. So within the Attack Simulator there's a couple things that you can do: you can do spear-phishing. So any guesses what the common password, complex password meaning capital, lowercase, numbers, what the most popular one was early this year? All right, so that's probably gonna get caught by Office, you see, finally, or say

no, like, that's not good enough. Any guesses? Move all? No. Fall 2018, right? So who won the Super Bowl? 2018, exclamation point, you can guarantee. So within Microsoft, our red team that attacks Microsoft constantly, they ran the original version of this tool back when Seattle, when the Seahawks won the Super Bowl, and so they ran it and checked for Seattle, whatever year it was, twenty, and they got a whole bunch of Microsoft people with that password. That was pretty cool. Let me show you how this tool works. So

so going to the phishing tool. So what we can do here, so there's two ways this can be run: one way is roll your own, and then there's another one where you can do a template. So with the template there's two options, you know, you want a prize, click here to select your prize, nice graphics. What we're gonna do is run a customized one, LinkedIn, out of respect for you there. So I'm gonna run it against the administrator account, just because I'm logged in as him now, and because you're running it internally, right, okay. So what I'm going to do is I'm gonna send it as this guy, are off Sharra's I, so he's one of

the users in my Office 365, that's the email address that he has. Now one of the things that's listed here is a phishing URL. So Microsoft maintains a list of phishing URLs; they're safe, there's nothing wrong with them, they're just there as kind of placeholders. So I'm going to use payrolltooling.net, and then I'm gonna use me over here. So I took this LinkedIn email from my own email, and what I'm going to do is simulate somebody sending this to myself, and notice what I've done here. So I'll right-click on it and you copy-paste it in here. It doesn't look perfect, but that's kind of the point, right. So like it's coming from

HR, or exactly, like it's coming from someone, and somebody clicks on it, can you blame them, right? So you want to give them some kind of a tell that there's something wrong here, and that will train them. So in this one maybe what I'll do is I'll make the date too far ahead, okay. I'll send it. So now what it's going to do is it's going to send an email to me, and what it's going to look like is that it came directly from RF. And flick back and forth here, all right, should be there, come on. So when the red team ran this at Microsoft, the way that they did it was they crafted an email, and this was

before Xbox One came out. Put a picture of the new Xbox One, and they said, want to be the first one on your block to own an Xbox One? Register here for, you know, the opportunity to be a beta tester of Xbox One. And take a guess how many people they got at Microsoft.

Thousands. All right, so now that email came in. It looks for all the world like it came from somebody on my internal network. The email looks good. Now, it didn't really translate very well, yeah, but I don't have the link to click on anyway. In a case where, if it had been formatted correctly, I would have that link, and the thing says view message, I click on it, it would send me to a page that said, you know, you've been phished, go directly to HR for remedial training, or something like that. So that's what the Attack Simulator is for. Mm-hmm, okay, going back here.

So one of the big, big problems is people using default passwords, whether you're talking about on network devices or on Windows or other. All right, so once, if we assume breach, right, that's the position that Microsoft itself faces: we assume somebody bad is on our network. Now how do we limit their exposure? So one of the big things that an organization can do is remove the excessive permissions on file shares, on SharePoint. Instead of using Full Control and Modify and giving it to Everyone, All Authenticated Users, Domain Users, try to shrink it down to people that actually need access to these things. So then it's securing privileged access. So have any of you looked at the Securing

Privileged Access roadmap, the SPA roadmap? It's a great style, a bunch of guidance for the higher privilege, the management of higher-privilege things like workstations. So this is a very important concept, PAWs. So what we're talking about there is privileged access workstations. What we mean is, if a machine is controlling access to a high-value target, you need to lock down that machine as well as the target, right, obviously. So within Microsoft, for managing Azure and Office 365 and Hotmail and Xbox, we have something like 17,000 machines that are dedicated only to contacting a specific service. That's all they do. They don't have internet access, they don't have, you know, they can't get their email

on it. It's locked down, they have IPsec rules to say you can only get to this service. That's an important concept. Now it's not cheap, right, it's not cheap to do it that way, but if Microsoft could do it cheaper and still remain secure, we would. That's the best way that we found to maintain security. Randomizing local admin passwords, okay. So as I mentioned, tools that Microsoft has that are good and some that are not so big. There's a tool called LAPS, Local Admin Password Solution. It's free from Microsoft, and the idea behind it is that you can randomize your user passwords on workstations and workstation passwords themselves. The problems with LAPS: number

one, it requires a schema extension, so sometimes people get a little edgy about that kind of thing. You can only change passwords on domain-joined machines, so if you've got machines that are standalone machines, you can't use LAPS against them. It can only change the passwords on two accounts on each machine, so if you have multiple admin or service accounts that you need to randomize the passwords on... Different reasons why that's not necessarily the best solution. It's better than nothing, but it's not sort of the best solution. So at the end of the deck what I've got is a link to the guy that does the SANS Windows security class. He has a better solution than LAPS, and it uses

certificate-based communication. It doesn't matter how many machines are using it, it doesn't matter if you're joined to the domain. It's a pretty, pretty nice...

So that's stage one to secure your machines. The next, stage two and three, are just-enough admin and just-in-time admin, it's multi-factor authentication, using PAWs, using things like shielded VMs and admin forests, using smart cards. Those are things that are going to take a little more time, a little more training, but they are things that are going to secure your environment much more. So this is kind of illustrating the point that I was making: if you've got a workstation here, if this object controls this set of servers, then object B is a dependent

Just take a look at this one if you get a chance. I'm not gonna go into a whole lot of detail about how this actually works, but this is based on how Microsoft envisions... Okay, last resort. So if we assume all the fences fail, how do you protect your... So obviously you have to protect all your business-critical data, which means you have to know what data is critical. You have to validate your backups. So, funny story, I was talking with a customer, this was in London, and they had been doing data centers on either side of the city. So they would run backups in this site, and then that evening somebody from the IT department would get on the Tube, go

over to the other data center and drop off the tapes. One day they had, you know, the server was lost or whatever, and so they had to recover from backup. So they sent the guy back over, got the tapes back over, they looked at it, and I think it was just blank. Let's go back and get another tape. Same thing. So they start going back months and months, they kept coming back with a blank tape, like, what is happening here? All our tapes are blank. They finally figured out that what was happening was that when he got on the Tube, the Tube has gigantic magnets, and it was wiping the tapes as they were traveling back and

forth. So validating your backups is pretty important, you know, don't wait until a disaster comes. Okay, so backups have to be inaccessible to the attacker. So either your backups need to be offline, stored in some facility where that backup cannot be encrypted or altered or whatever, or potentially store your backup in a cloud service. Now we would love you to store it in Azure, but if you're gonna do it, yes, that's fine. The point is, have some way of recovering from...

Mm-hmm, okay. As I mentioned before, part of this has to do with understanding your data. So understanding what's critical on your network is important. So that means understanding, you know, these are financial transactions, is it personally sensitive data, is it some sort of technology, you know, information, intellectual property, that's it. So understand where those are and how to protect them. Make sure you do things like audit and alert on backup failure, and then ensure that hardware is available for restore in the event of a complete equipment failure. So like with Maersk, they had all the backups, but their hardware was just, there's nothing on it that was useful. Okay, so that's that.

What's my timing look like right now? All right, maybe I can get this done quickly. So how many of you have been to a SANS course? So anybody go to SEC 501? You went to it, okay, so you'll recognize this. So the idea here is that I've got a Windows 10 machine and I'm gonna infect it with ransomware. So this is a fairly stupid piece of ransomware, it's called Jigsaw, but it'll be fun. So I'm gonna run it. It says congratulations, your software's been registered, because congratulations, it says email us this code and, you know, we'll activate your software. So what's going to happen here is it's gonna pop up with this new

creepy-looking guy, but the idea that I'm going to try to do here, and hopefully it'll work, is try to identify what the ransomware is trying to do, and intercept the traffic and fool the ransomware into believing that it's been paid. So here's the ransomware, it's running in real time, and traditional host... so you have, traditionally, the misspellings, remember this.

I don't know why you didn't just... words up there, why this... all right, so two minutes, receiving everything.

We're gonna try to trick the ransomware into believing that it's been paid, okay. Nine minutes and 58 seconds, let's see if I can get it done in five. Okay, so the first thing I'm going to try to do is just say I've made a payment, and it says nope, you didn't. So how can I make it believe that I own BTC Blocker? Do what, what file can I change? Your hosts file. So I've got this Kali Linux machine over here, whoops, so my Kali Linux machine is running, okay. So what I'm going to do over here is change my hosts file

and, all right, so I make a copy of it and back it up, all right. So I'm gonna change 10.10.10.4 to btcblocker.io, oops, yeah. So now effectively I'm telling the machine, if you want to get to the Bitcoin site, go to my Kali Linux box, okay. Now I take this and dump it in here.

Okay, I'm gonna try again. Okay, now it says something different.

What's on port 80? Web server, right, looking for a web server. Okay, let's give it a web server: SimpleHTTPServer 80. Okay, now my Kali Linux server is a web server. All right, let's see if it likes it now. Oh, different. So what does that mean? So over here we see, you would find the HTML page where the Bitcoin is registered and paid. So I've already done that, I've already captured that on this machine just to save time. But what I'm gonna do now is say, okay, what I want to do is use Burp Suite, come on, right, see if this will work. Got it. Let's see, why is this not working?

Just failing, doggone it. All right, so the point was, if you use Burp Suite, what it actually does is it serves as a proxy. So your machine, actually any traffic that you send out will go through Burp Suite before it leaves your network adapter, and then you can capture the response. So it sends it out, sends a response back, you can look at the response and take an action on it. What it does when it's working correctly is it'll send a response that says this is how much Bitcoin the person has paid, and you can... that sucks, but it actually does work most of the time. I'm not sure why this isn't working, but for now I'm just dead in the water, so

thank goodness for VMware. Back to phase one, I can try to... if you guys want to stick around and wait for a few more minutes, I'll try it again and see if it'll work, but that was all I had. There are... these are the resources, this is the password across your enterprise. Let's see if we can get this thing broken.

did detective Taylor

Okay, there's that. Now I'm going to skip ahead and do the hosts file stuff, just so that we're saving time.

Yeah, yeah.

So I'm just doing the same stuff that I did before, and since I've already got the web server and everything running on the other machine, I don't have to walk through that.

Still going.

Aha, okay, so I need to change my proxy settings so that I'm using myself as a proxy server. Okay, then I just gotta wait for this thing to finish up. Now I know, you know, it was funny though, when it started up, just as it was starting up, if I hit Control...

So again, okay, so this is going. I made a payment. Let me get this started over here, and I'm just doing the defaults, okay. So what I want to do is proxy, look at the proxy, and hopefully this will work. So I say I made a payment, now give me back my files. Kali Linux machine, I'm gonna say, for the action, intercept and give me the response to this request, and forward, okay. So this gives me... let's see what I'm up to, okay. Then I forward, and I want to intercept the response again, okay. Now you notice here

to change that, I'll give them ten thousand Bitcoin, and then, great job, I'm decrypting your files, allegedly it'll go away. Oh, oh, also Firefox is the process that's running, so that's what will die here. All right, any questions? It's fun stuff.
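The hosts-file redirect in the demo, pointing the sample's payment-check domain at a lab box that answers on port 80 so the traffic can be observed, is easy to get wrong by hand (forgetting the backup, leaving a stale entry for the same name). The following is an added example, not the speaker's code, that scripts the backup and the edit and serves a placeholder page while logging what the sample asks for; the domain, the lab address and the hosts-file contents are constructed placeholders.

```python
"""Redirect one domain to a lab sinkhole by rewriting a hosts file, and serve a
placeholder page while logging what the sample requests.

Added illustration of the demo's hosts-file redirect; not the speaker's code.
The domain and the lab address below are constructed placeholders.
"""
import ipaddress
import shutil
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

LAB_IP = "10.10.10.4"                    # the analysis box, as in the demo
CHECK_DOMAIN = "payment-check.example"   # constructed stand-in for the real domain
MARKER = "# lab sinkhole"


def sinkhole_hosts(hosts_text, domain, lab_ip):
    """Return hosts_text with `domain` resolving only to lab_ip.

    Existing entries for the domain are removed (other names on the same line
    survive), comments are kept, and the result is idempotent.
    """
    ipaddress.ip_address(lab_ip)         # reject a mistyped address early
    domain = domain.lower().rstrip(".")
    out = []
    for line in hosts_text.splitlines():
        body, hash_, comment = line.partition("#")
        fields = body.split()
        names = [f for f in fields[1:] if f.lower() != domain]
        if fields and len(names) != len(fields) - 1:   # domain was on this line
            if not names:
                continue                               # entry was only for it
            line = " ".join([fields[0], *names])
            if hash_:
                line += f" #{comment}"
        out.append(line)
    out.append(f"{lab_ip} {domain} {MARKER}")
    return "\n".join(out) + "\n"


def apply_sinkhole(hosts_path, domain=CHECK_DOMAIN, lab_ip=LAB_IP):
    """Back up hosts_path first (as in the demo), then rewrite it in place."""
    path = Path(hosts_path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(sinkhole_hosts(path.read_text(), domain, lab_ip))


class SinkholeHandler(BaseHTTPRequestHandler):
    """Log each request the sample makes and answer with a placeholder page.

    The demo then put Burp Suite in front of this to inspect and edit the reply.
    """
    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        print(f"[sinkhole] {self.command} {self.path} host={self.headers.get('Host')} "
              f"from={self.client_address[0]} body={body[:200]!r}")
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html><body>sinkhole placeholder</body></html>")

    do_GET = _serve
    do_POST = _serve


if __name__ == "__main__":
    # Run on the lab box, bound to LAB_IP:80 (port 80 needs privileges).
    HTTPServer((LAB_IP, 80), SinkholeHandler).serve_forever()
```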