Blocking ransomware with Cisco AMP and Cisco Umbrella
Jordan Gackowski
Systems Engineering
Your files are encrypted

Ransomware family   Encryption C&C (DNS / IP / no C&C)   Payment message (TOR / payment)
Locky               DNS
SamSam              DNS (TOR)
TeslaCrypt          DNS
CryptoWall          DNS
TorrentLocker       DNS
PadCrypt            DNS (TOR)
CTB-Locker          DNS
FAKBEN              DNS (TOR)
PayCrypt            DNS
KeyRanger           DNS
Anatomy of a cyber attack
Reconnaissance and infrastructure setup
Patient zero hit
Target expansion
Wide-scale expansion
Domain registration, IP, ASN Intel
Monitor adaptation based on results
Defense signatures built
Real world example: blocking Locky
Feeling Locky?
Via email attachment in a phishing campaign
Encrypts and renames files with .locky extension
Approx. 90,000 victims per day [1]
Ransom ranges from 0.5 – 1.0 BTC (1 BTC ~ $601 US)
Linked to Dridex operators
Blocking ransomware: Locky domain example
taddboxers.com (Detection Date: October 8, 2016)
Blocking ransomware
Locky: Real world example
https://Cg3studio.com/87yg756f5.exe (malware download URL)
Cg3studio.com
tadboxxers.com (100.00)
These domains co-occur
Email address registered to domain
These domains share the same infrastructure
Hash of the malicious file downloaded from these domains
Domains in red are automatically blocked by Umbrella
Blocking ransomware
Expose the attacker's infrastructure (nameservers and IPs) to predict the next moves
Locky: Real world example
https://Cg3studio.com/87yg756f5.exe
Infection point
Current malware distribution point
Next malware distribution points
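The two relationships the Locky slides rely on, domains that co-occur in DNS query logs and domains that share nameservers or IPs with a known-bad domain, can be turned into a DNS-layer block decision. The following is an added example written for this transcript, not Cisco's or Umbrella's code; the two domain names come from the slides, while the nameservers, IPs, client IDs, timestamps and the extra domains are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed data: the two domain names come from the slides; nameservers,
# IPs, client IDs and timestamps are invented for this example.
SEED = {"taddboxers.com"}                      # known Locky domain (from the slide)
PDNS = {  # domain -> (nameserver, resolved IP)
    "taddboxers.com":      ("ns1.bad-ns.invalid", "203.0.113.10"),
    "cg3studio.com":       ("ns1.bad-ns.invalid", "203.0.113.11"),  # same NS
    "next-drop.example":   ("ns9.other.invalid",  "203.0.113.10"),  # same IP
    "benign-shop.example": ("ns.shop.invalid",    "198.51.100.5"),
    "cdn-good.example":    ("ns.cdn.invalid",     "198.51.100.9"),
}
QUERY_LOG = [  # (timestamp, client, queried name)
    ("2016-10-08T10:00:00", "client-a", "taddboxers.com"),
    ("2016-10-08T10:00:03", "client-a", "cg3studio.com"),
    ("2016-10-08T10:30:00", "client-b", "benign-shop.example"),
    ("2016-10-08T11:00:00", "client-c", "taddboxers.com"),
    ("2016-10-08T11:00:02", "client-c", "cg3studio.com"),
    ("2016-10-08T11:00:05", "client-c", "cdn-good.example"),
]

def shared_infrastructure(seed, pdns):
    """Domains sharing a nameserver or IP with a seed domain: candidate next drop points."""
    seed_ns = {pdns[d][0] for d in seed if d in pdns}
    seed_ip = {pdns[d][1] for d in seed if d in pdns}
    return {d for d, (ns, ip) in pdns.items()
            if d not in seed and (ns in seed_ns or ip in seed_ip)}

def co_occurring(seed, log, window_s=60, min_clients=2):
    """Domains queried within window_s of a seed query by at least min_clients clients."""
    by_client = defaultdict(list)
    for ts, client, qname in log:
        by_client[client].append((datetime.fromisoformat(ts), qname))
    clients_per_domain = defaultdict(set)
    for client, events in by_client.items():
        seed_times = [t for t, q in events if q in seed]
        for t, q in events:
            if q not in seed and any(abs((t - s).total_seconds()) <= window_s for s in seed_times):
                clients_per_domain[q].add(client)
    # Requiring several clients filters out one host's unrelated lookups.
    return {d for d, c in clients_per_domain.items() if len(c) >= min_clients}

def verdict(qname, seed=SEED, pdns=PDNS, log=QUERY_LOG):
    """DNS-layer decision taken at lookup time, before any IP connection or file execution."""
    related = shared_infrastructure(seed, pdns) | co_occurring(seed, log)
    return "block" if qname in seed or qname in related else "allow"
```

With the sample data, cg3studio.com is flagged by both relationships, next-drop.example only by the shared IP, and cdn-good.example stays allowed because it co-occurred on a single client.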
Combining Umbrella and AMP for endpoints
The path of ransomware
Infection vectors:
  Web direct
  Exploit or phishing domains
  Compromised sites and malvertising
  Web link: Angler, Nuclear, Rig
  Email attachment: phishing spam
Malicious infrastructure: file drop, C2, encryption key infrastructure
Ransomware payload
Blocked by Cisco Umbrella
Blocked by Cisco AMP for Endpoints
Where does Umbrella fit?
Malware, C2 callbacks, Phishing
First line
Network and endpoint: NGFW, Netflow, Proxy, Sandbox, AV
HQ: Router/UTM, AV
BRANCH: AV
ROAMING: AV
It all starts with DNS
Precedes file execution and IP connection
Used by all devices
Port agnostic