Blocking ransomware with Cisco AMP and Cisco Umbrella
Jordan Gackowski, Systems Engineering

Your files are encrypted
Ransomware family and the channel its encryption C&C and payment messaging depend on (the slide's columns are DNS / IP / no C&C for the C&C channel and TOR for payment):
  Locky          DNS
  SamSam         DNS (TOR)
  TeslaCrypt     DNS
  CryptoWall     DNS
  TorrentLocker  DNS
  PadCrypt       DNS (TOR)
  CTB-Locker     DNS
  FAKBEN         DNS (TOR)
  PayCrypt       DNS
  KeyRanger      DNS

Anatomy of a cyber attack
Attacker phases: reconnaissance and infrastructure setup; patient zero hit; target expansion; wide-scale expansion.
Defender intelligence alongside each phase: domain registration, IP and ASN intel; monitoring adapted based on results; defense signatures built.

Real world example: blocking Locky
Feeling Locky?
- Delivered via an email attachment in a phishing campaign
- Encrypts and renames files with the .locky extension
- Approximately 90,000 victims per day [1]
- Ransom ranges from 0.5 to 1.0 BTC (1 BTC ~ $601 US at the time)
- Linked to the Dridex operators

Blocking ransomware: Locky domain example
taddboxers.com (detection date: October 8, 2016)

Blocking ransomware, Locky: real world example
Malware download URL: https://Cg3studio.com/87yg756f5.exe
- These domains co-occur in DNS requests
- The email address that registered these domains
- These domains share the same infrastructure: Cg3studio.com, tadboxxers.com (100.00)
- Hash of the malicious file downloaded from these domains
- Domains in red are automatically blocked by Umbrella

Blocking ransomware
Expose the attacker's infrastructure (nameservers and IPs) to predict the next moves.
Locky real world example, https://Cg3studio.com/87yg756f5.exe:
- Infection point
- Current malware distribution point
- Next malware distribution points

Combining Umbrella and AMP for Endpoints: the path of ransomware
- Web direct: exploit or phishing domains, compromised sites and malvertising, exploit kits (Angler, Nuclear, Rig) leading to malicious infrastructure (file drop, C2)
- Web link or email attachment: phishing spam leading to the file drop
- Ransomware payload, then C2, then the encryption key infrastructure
Legend: blocked by Cisco Umbrella (the domain and IP stages) versus blocked by Cisco AMP for Endpoints (the ransomware payload on the host).

Where does Umbrella fit?
Threats: malware, C2 callbacks, phishing.
First line: Umbrella at the DNS layer, ahead of the network and endpoint controls (NGFW, NetFlow, proxy, endpoint, sandbox, AV).
Deployment: HQ (router/UTM, AV), branch (AV), roaming (AV).

It all starts with DNS
- Precedes file execution and IP connection
- Used by all devices
- Port agnostic
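The infrastructure pivot described in the deck (exposing the nameservers and IPs behind a known Locky domain to predict the next distribution points) and the "it all starts with DNS" point, as an added example that is not Cisco's, Umbrella's or the presenter's code. It uses constructed passive-DNS-style records and a constructed resolver query log; only cg3studio.com and tadboxxers.com come from the deck, every other hostname, nameserver and address is a hypothetical placeholder, and the "shared by more than three domains" threshold is an assumption chosen so that a large shared nameserver does not drag unrelated domains onto the blocklist.

```python
"""Pivot from a known ransomware domain to co-hosted infrastructure and
apply the result at the DNS layer, before any download or IP connection.

Added example, not Cisco's or Umbrella's code. PDNS records, seed domain
and query log are constructed; apart from cg3studio.com and tadboxxers.com
every name and address below is a hypothetical placeholder."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed passive-DNS style records: domain -> (nameservers, A records).
PDNS = {
    "cg3studio.com":        ({"ns1.attacker-example.net", "ns2.attacker-example.net"}, {"203.0.113.10"}),
    "tadboxxers.com":       ({"ns1.attacker-example.net", "ns2.attacker-example.net"}, {"203.0.113.10"}),
    "nextdrop-example.com": ({"ns1.attacker-example.net", "ns2.attacker-example.net"}, {"203.0.113.11"}),
    "shop-example.com":     ({"ns1.bigdns-example.com", "ns2.bigdns-example.com"}, {"198.51.100.7"}),
    "news-example.org":     ({"ns1.bigdns-example.com", "ns2.bigdns-example.com"}, {"198.51.100.7"}),
    "blog-example.org":     ({"ns1.bigdns-example.com", "ns2.bigdns-example.com"}, {"198.51.100.8"}),
    "mail-example.net":     ({"ns1.bigdns-example.com", "ns2.bigdns-example.com"}, {"198.51.100.9"}),
}

# Assumption: a nameserver or IP seen on more than this many domains is
# treated as shared hosting and is not used as a pivot (false-positive guard).
MAX_SHARED = 3

# Constructed resolver query log: timestamp client qtype qname
QUERY_LOG = """\
2016-10-08T10:01:02Z 10.0.0.5 A cg3studio.com
2016-10-08T10:01:03Z 10.0.0.5 A www.nextdrop-example.com
2016-10-08T10:01:09Z 10.0.0.7 A shop-example.com
2016-10-08T10:02:11Z 10.0.0.9 AAAA news-example.org
"""


def domain_from_url(url):
    """Extract the lowercase host from a malware download URL."""
    return urlsplit(url).hostname.lower()


def attribute_prevalence(pdns):
    """Count how many domains each nameserver / IP is observed on."""
    counts = Counter()
    for nss, ips in pdns.values():
        counts.update(nss)
        counts.update(ips)
    return counts


def pivot_infrastructure(seed_domains, pdns, max_shared=MAX_SHARED):
    """Expand known-bad domains to every domain that (transitively) shares a
    rare nameserver or IP with one of them. Seeds with no PDNS data stay on
    the list but cannot be pivoted from."""
    prevalence = attribute_prevalence(pdns)
    bad = {d.lower() for d in seed_domains}
    frontier = {d for d in bad if d in pdns}
    while frontier:
        nxt = set()
        for d in frontier:
            nss, ips = pdns[d]
            pivots = {a for a in nss | ips if prevalence[a] <= max_shared}
            for other, (onss, oips) in pdns.items():
                if other not in bad and pivots & (onss | oips):
                    nxt.add(other)
        bad |= nxt
        frontier = nxt
    return bad


def matches_blocklist(qname, blocked):
    """True if qname or any parent domain (never the bare TLD) is blocked."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))


def apply_dns_policy(log_text, blocked):
    """Return (client, qname, verdict) per query line. A BLOCK here lands
    before the client ever fetches the file or connects to the drop IP."""
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qtype, qname = line.split()
        verdict = "BLOCK" if matches_blocklist(qname, blocked) else "ALLOW"
        verdicts.append((client, qname, verdict))
    return verdicts


if __name__ == "__main__":
    seed = domain_from_url("https://Cg3studio.com/87yg756f5.exe")
    blocked = pivot_infrastructure({seed}, PDNS)
    print("blocked:", sorted(blocked))
    for client, qname, verdict in apply_dns_policy(QUERY_LOG, blocked):
        print(f"{verdict:5} {client} -> {qname}")
```

Starting from the one download domain, the pivot picks up tadboxxers.com (same nameservers and IP) and the not-yet-used nextdrop-example.com (same nameservers), while shop-example.com and news-example.org survive because their only shared attribute is a nameserver hosting more than MAX_SHARED domains. The threshold is the knob to watch in practice: too low and you miss the attacker's spare domains, too high and a bulk registrar's nameserver blocks half the Internet.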