Hacks Weekly #5: Ransomware Protection – Top 3 Prevention Techniques to Use

Captions
Hi, I'm Paula Januszkiewicz, or Paula J. Welcome to another CQURE Hacks Weekly episode. Today we're going to be talking about ransomware, a pretty popular subject. Well, before we start our episode, there was a little story behind it. This was at a customer site: one of our customers called me, almost crying, and because I had done a pen test over there before, I knew a couple of people working in this company, and he was like, "Do you know this lady named Veronique?" And I was like, yes, and I can tell you guys that this is the lady that literally clicks on everything that moves. So she's very social and very active, and what she did: she got an email (email being, by the way, the number one vehicle for ransomware) where there was a message saying that if she wants to listen to the voice message she should click on the link that's going to take her to a Dropbox. Who really sends voice messages through Dropbox? But apparently she was interested in that, so she clicked on the link and she eventually got the ransomware. This was one of the variants of CryptoLocker, and not only was her disk encrypted but also the file server, because she was managing documents for traders. So quite a sad story, especially because they got this message in the morning when everybody came to work, so quite a serious situation.

So, lesson learned: what we need to do is first of all learn what the techniques used by ransomware are, and as long as we understand them we'll be able to protect ourselves. Protection is not very easy because it really depends, unfortunately, on our budget, but even if our company doesn't have a high budget to spend on prevention technologies, we can still do a couple of things to make prevention effective in our organization. In today's episode I will be showing you how ransomware works, because our team wrote one, obviously not to earn money but to teach our customers how that kind of piece of code works, and later on I will show you a couple of interesting techniques which you can use in your company in order to prevent it, if you want to implement something right now. Of course we will also mention the solutions that work globally at the enterprise level, but I want you to understand, at the end of this episode, how and what kind of techniques ransomware uses. OK, so let's dive in.

OK, so you should see my screen right now, and this is an email that a user got from someone at whitehouse.gov. Well, it's typical phishing, so we will discuss and start talking about ransomware from that point. So someone clicks, gets the details, and this is a transaction receipt because you have just received $100. Just a scenario, just an example. So the user goes to download, well, get some information about what kind of transaction receipt this is, and this is what the user sees. Of course, we all work in IT and we can easily spot that this particular file is an application, but because in Windows by default we have extensions hidden, the user literally has no chance to differentiate between whether this is a real PDF or an application. So what I want to show you is, of course, ransomware, and this is the ransomware that we wrote for educational purposes. Don't get me wrong, we don't earn any money on that, so you will just see a sample, but this is a situation where the user's data will actually be encrypted. So let me get to the desktop here, where I've got some documents, and I've got here a secure text file; it's just a regular text document and there's a URL to the quiz, if you didn't take it yet, so go ahead. But besides that, you can see this is just clear text, so that's good, because when the user, simply speaking, opens up this transaction receipt, this is the information that the user gets. Of course that doesn't have to appear over here, yes, it depends on the policies, it depends on whether the user pays attention to this, because the user just wants to open a PDF, so the user will say Run, because I want to open a PDF, and indeed this is the PDF that opens, but additionally there is ransomware. So what happened in the back is that this particular document got encrypted. As you see, it's right now in the encrypted form and effectively, well, we will need to pay a ransom. So this is how ransomware can get into the enterprise.

And at that certain point, of course, we could be wondering what was wrong over here. Well, first of all, and this is one of the cases that we should definitely pay attention to, is the configuration of the extensions in Windows. As I already mentioned, by default they are hidden, so why don't we, for example, make them show and teach users to recognize malicious extensions? Of course it can be a little bit challenging process, but if you implement security awareness trainings this could be one of the interesting projects to do. A second thing that is worth paying attention to here is that particular PDF.exe: how was it possible to execute it just like that? Well, that's the point. Our team has been talking for the past couple of years about implementing code execution prevention; it's a crucial step for security within enterprises, but surprisingly I can tell you that in a lot of cases that we see they haven't even started the project. So this is quite disturbing, because code execution prevention is the number one prevention for that kind of situation, not to mention antivirus, because here antivirus will not really help us, because this is a piece of code that nobody knows. So the number one thing to pay attention to is to implement the solution which is called execution prevention.

Now what I would like to show you is a solution like this. Of course in Windows we've got AppLocker, but AppLocker is available only in the Enterprise Edition, which for some of the companies might be just not reachable, so for that we've got either third-party solutions or we can, for example, try to implement Software Restriction Policies in a good way. Yes, this is a pretty old solution, but when implemented well it can do a pretty good job. The general idea here is to focus on whitelisting rather than blacklisting, because we don't want to skip anything that ransomware could potentially overuse, so we will just by default say that we would like to deny everything and then, on top of that, we will enable certain types of cases.

OK, before we move on and I show you the solution, let me clean up the ransomware here a little bit, so that we are able to work with it later in different cases. So I will just close all the stuff over here, and we have also the crypto for the files, so I'm going to decrypt them so that we are able to encrypt them again. So let's do it, and open Docs right now; here, as you see, this is again a text file. OK, so let me switch to a different machine.

So I'm right now on a different machine, where we are going to test all the possible solutions that we could implement besides the enterprise solutions. So AppLocker, of course, we could cover it in a different video, no problem, but I would like to make a useful video for everybody else that doesn't have AppLocker available. So Software Restriction Policies is something that we've got in Windows, but before we get there I've got a little thing for you. There is a tool that is called CryptoPrevent, and that particular tool you can download from a certain, well, as you see it's now signed, but OK, let's have a look at it, because it's worth becoming familiar at least with the interesting software restriction policy rules that they offer. Yes, so this is from Foolish IT, well, maybe not a very positive name for the website, but OK. Yeah, let's move forward, and if we go to Advanced, Show more options, here we've got different types of options which we can use in order to prevent execution from certain known locations. So these are statistically the most used locations for malware to execute. Is this tool free? Well, the tool is free, but if you want to have maintenance you have to pay. So, of course, I'm sincerely saying we have no interest in it; it's just an interesting piece of code.

So what we're going to do is apply the protection. So let's do it, and let's find out if our, in this case, PDF.exe or the transaction receipt (as you can see I've got these copies on the desktop here) is going to execute, and if yes, then under what conditions. So I'm applying the protection right now; I'm using the default but pretty good settings. For example, one of the things that will be prevented is executing executables from the user's profile, so from the AppData folder. In order to apply it we need to restart the PC; in my case it is actually quite fast, so we're going to do it. So let's restart this particular machine and in a moment we will be ready to move on.

So we are back, here we go. I will log on as one of the users and let's see if the prevention was applied, so we should have a message about successful application. Very good: prevention successfully applied, great. And for now we can try, so transaction receipt.pdf, of course it's a PDF.exe, so you've got a sound and also a message that this is not allowed because it's prevented by the administrator. So this is a Software Restriction Policies type of message. OK, so that kind of makes sense. The question is, is it possible for me, if I rename it, let's say, so we've got transaction receipt.exe, to execute it? And as you see I am able to execute it, so that's not very good. On the other hand it was blocked from Roaming, or AppData in general, Roaming, so the user's profile folders. So let's find out if this is blocked. So normally what we see over here, this is again transaction receipt.exe, because amongst the rules it's in general denied to execute anything that has PDF.exe in the name, so that's not too bad, but if it's just an exe, then if we execute it from the desktop, you see it was possible. So let's see if the blocking works also from the user's profile. So let's do it, and as you see I'm blocked. OK, but the question is how many levels down here are supported by the solution, so I'm going to create a folder named 1 and then I will try to execute it again. Well, it didn't work; let's do it one more time and let's move it over here, and as you see it opens. So that solution is not perfect, but it is actually pretty good from the statistics profile perspective, like taking into consideration how malware works; these are the rules and this is the approach that works over here. So of course if we were writing right now our own ransomware we would take this into consideration and we're going to write software that will maybe go and execute on the third level down here in the user's profile. So of course these solutions can be bypassed, because we are blacklisting things, not whitelisting things. OK, so knowing that, this approach is OK, yes, but is there anything that we can do better? Sure, absolutely, and let's do it.

But before we move on, what I will quickly do, I will at that stage disable the protection, so Advanced Options, under Protection, here we go, and then we will reboot, which is a very quick operation, and after that what I will do, I will show you how to configure Software Restriction Policies, if it of course makes sense. So we will also leverage over here a very interesting solution where we will apply the, well, blacklisting approach, where we will deny everything and on top of that we will allow certain things to execute, so things from the Windows folder, things from Program Files, so kind of normal locations for regular software to execute from. OK, so we are almost ready, but we need to get to the policy, so secpol.msc, and we've got here Software Restriction Policies, right-click, New Software Restriction Policies, and Security Levels, where we specify that we want to disallow everything, Set as Default. That's great, so for now anything that I try to execute, let's see, oh, we've got the sound and the message about it because it was blocked. Well, in this case it was blocked because of two interesting reasons: one reason is that this particular software is running from Program Files 32-bit, which, let me tell you something interesting about it in a moment, and second is because this is an LNK file, which is just a shortcut. So if we go into the Software Restriction Policies node and we go to Designated File Types, one of the things that is blocked is LNK, so let's remove it from the list, OK, Apply. So at that stage let's try again, and it's blocked again, and that is because of that 32-bit. So if we go to Additional Rules, let me maybe enlarge it over here, we've got here a Program Files directory path rule, so I will quickly create a similar rule by copying what is over here, so New Path Rule, and specifying that anything that is, in this case, in Program Files (x86) is allowed to run. So this is the third rule, and let's see: as you see, right now we have no message that we are not allowed to run software, because the shortcut was OK and the 32-bit folder was OK. So we have just enabled LNK files, but is this safe behaviour? And the answer to this question is: not really, and let me switch for that to another machine.

So right now I'm on the other machine, and this is another type of phishing, where the user got an email saying that, well, there is this transaction receipt.docx, so you can probably guess that there's going to be some macro in it. Absolutely, but I want to show you this macro in a very interesting form, because if we double-click on the Word document we've got our Protected View, OK, Enable Editing, this is a security warning, and then there is this juicy text: "Warning: in order to open this document click Enable Content." Well, of course this is something that, if you do not work in IT and if you do not have security awareness in your mind and in your heart, then people are just clicking on Enable Content, but in this particular macro what I've got is a very interesting piece of code. Have a look: so we are downloading that encrypt.bin from my pupil services dot com, why not, and over here we are taking this file and we are renaming it to an LNK file, and that's kind of strange, because how could we expect that an LNK file would be something that's going to execute? Well, that's the whole point: even though we could, for example, block all the executables, and as you remember we have enabled LNKs in this particular case, it can be a bit deadly for us. Let me show you, but before we do it, what is important for us is to see two things. First, Docs: so this text file is still a text file, so it's not encrypted, and it's going to be encrypted. Second, I'm going to run Procmon here, so let's do it. So we've got it and it starts monitoring pretty much immediately. A couple of things that I don't need over here, that can make a little bit of a mess, so explorer.exe, svchost and some others, I will exclude all those things, absolutely, and let's leave a couple of processes that I could be interested in. OK, so having this running, let's just run this macro, so Enable Content, OK. So what happens right now is that over here, if we go to our Docs, our document is encrypted, so secure text file, if we open it you can see that this is encrypted. And what happened then? Yes, so we've got Procmon to tell us, and this is quite interesting. I will stop the monitoring. So what we will be searching here for: we could be going over here and then File Summary, for example, By Folder, and we could check who and what was being written in two different types of folders. Yes, so we were able to check, like for example here, Freddie's, in this particular case Desktop, yes, so my file, it was encrypted, and in the Docs, yes, I've got the different types of, I've got two: secure text file, secure text file encrypted, and I can see that this is the file that we've got written to. Yes, so the question is what was happening. I can of course filter by this by double-clicking and I can see over here, and that's very interesting, that this is a PowerShell script that was doing something.

And that's weird. If we go to the properties of the PowerShell process, and if we go to the process, we can see one of my actual favourite techniques to execute code remotely, or if you are afraid of a situation where all these special characters will not be processed properly and so on: PowerShell -EncodedCommand is the case. So we are executing over here base64 code. So I'm going to copy that, and for now in PowerShell, PowerShell ISE, oh why not, we can do that, I will at that stage, and I've got this little script over here, I am able to decode of course what was in that base64 code. So let me actually put that over here. I've got already that code over here, but let me show you everything from the beginning so it's all nice and clear. So I'm going to copy that and then basically, let's enlarge it a little bit, and this is something that we're going to, simply speaking, paste over here. Yeah, so this is the stuff, yeah, and let's find out what that is. So let's decode it. So this is a little base64 decoder written in PowerShell, yes, so very useful, maybe you can use it for something; this is how I do it, for example. So let's execute it, so it's going to be just line number one, and what we see over here is our ransomware, but written in PowerShell. So this is something that is the future: it can be running as a user and it's allowed to run because it's PowerShell.

So what should we think about when we are implementing successful prevention against ransomware? Here are three of the most important things; of course there is much, much more, but if we should pick three, yes, then what is going to be first? Disable macros. Especially in Office 2016, Microsoft offers a set of policies which allow us to block the macros, so that's good. Of course it's not everything, because it could be also a JS (JavaScript) file, but this at least limits the scope of the attack. The second thing, of course, is to implement in general code execution prevention, so of any kind, yes, whatever that's going to be, to prevent running different kinds of executables. And the third thing to pay attention to, the most important one, is within that code execution prevention have a special look, pay special attention to all these files that look innocent, like for example PowerShell or like command prompt and so on, or in general scripts, yes, that are allowed to run; users should not be able to run them unless they have to do something specific. Not to mention things like security awareness, or being all the time up to date, and implementing good firewall rules that prevent outgoing traffic from the machines, so that only certain applications, certain executables, are allowed to communicate with, well, the internal network, most of them I guess, but to the outside, the internet, only capital dos. So these are the principles for ransomware prevention, but unfortunately reality is a little bit sad, based on what we see during our penetration tests, in that a lot of companies are not ready, but they are definitely starting to think about these kinds of solutions to be implemented. So I hope this little video convinced you a little bit about what to do with ransomware.

At the very end I've got a little thing for you, a little geeky option. So what we will do is to implement something that is actually quite funny from the implementation perspective; it's going to be a little geeky. I think that can prevent ransomware a little bit. So let me start the console as an administrator and I'm gonna move here to, for instance, Users, and of course Freddie's desktop, and I will implement something that our team was thinking about. We were thinking, like, is there any geeky option in Windows that we could use to make ransomware not execute properly? Yes, but don't get me wrong, it's more like a cherry on a dessert instead of having this as a professional solution. But have a look: so I will create over here a folder, let's name it ###loop, and let's get into it, and I will create over here symbolic links, mklink, and let's do /D, and it's going to be named 0 and it's going to be pointing to the loop, and I will do the same but it's going to be just another one with the name 1. If we do dir /a /s /b, yes, then what you can see is that it's looping. Well, the reason why I use ### is because it's from the beginning of the ASCII table, and this is quite interesting, because you might be wondering, OK, but how long does it take for that particular ransomware to be looping here? Well, first of all, if I open the transaction receipt that we know from before, well, the PDF opens, it takes some time, yes, but our ransomware will not go through. Why? Because it takes a long time. Now if we have a look into how many levels, how many iterations we've got over here: taking the maximum link length into consideration, we've got approximately 60 levels to jump to, so that means that we've got 2 to the power of 60 iterations. Therefore, and that's why we are naming the links with one character, to make a lot of iterations, because what matters here is the amount of levels here. So effectively, when we wonder how many levels, how many folders we go per second, yes, assuming that we've got 1,000 folders being read per second, then we need 2 to the power of 50 seconds to go through the whole structure that I'm displaying over here. By the way, I will stop it because the view is horrible. Effectively that means that if a year is, what is it, 2 to the power of 28 seconds, you need for that 2 to the power of 22 years, so that's 4 million years. So ransomware will have something to do on your computer. Sooner or later you will notice that because of the input/output operations, which are very expensive; the CPU time is definitely spent on that. So this is like a little geeky thing that you can check out in your infrastructure, if you have nothing implemented right now. Of course this might be something that you need to test with your antivirus solution; it might be necessary to exclude it, but this is something that you need to test by yourself.

So what we have learned right now are the different kinds of options that are important from the ransomware perspective. OK guys, so that's it. I hope you like it and I'm really curious about your ransomware stories. If you had any situations like this, or you know someone that had situations like this, make sure that you post that in the comment section below. I will be responding to that, because I really want organizations to stop being vulnerable to ransomware, which is such a simple solution, and preventing it is also not very difficult. So, keeping the fingers crossed for organizations to stay on the safe side, and see you next week.
Info
Channel: CQURE Academy
Views: 8,932
Rating: 5 out of 5
Keywords: cryptolocker, malware, ransomware, remowe malware
Id: S4RRNg-JnDw
Length: 28min 23sec (1703 seconds)
Published: Thu Sep 22 2016