Ransomware: Attack Methods Being Used to Evade Antivirus and Next Gen Firewalls

Webinar Registration

Ransomware is just getting started, both in terms of its business model and its technology. One ransomware attacker recently started offering to unlock computers if the victim would assist in infecting other people they know! Talk about cynical. I’m not sure how well that worked, but I do know that they are using technology effectively.

But even as profit-driven ransomware grows in technical sophistication and strategy, other actors are using ransomware as a cover for the furtherance of less obvious goals. The global hue and cry after WannaCry and NotPetya has focused the attention of the C-suite on ransomware, but it turns out those 2 attacks, especially NotPetya, weren’t really ransomware after all but possibly a state-sponsored attack on another country’s economy.

As one line of defense, next-gen firewall vendors, in cooperation with threat-intelligence feeds, are able to exploit one of this malware’s weaknesses: its need to phone home to its command and control servers. The solution? Block connections to C&C servers soon after they are identified. The problem with this? It is too slow to react; the horse has already bolted.

Another part of the puzzle is to detect and block the domains used by malware. These domain names are often generated by an algorithm inside the malware, so security vendors attempt to predict and detect such patterns and block the traffic. So of course attackers, locked in the eternal arms race, have resorted to publishing coded messages in social networking posts that ransomware agents can query to find the current address of their ever-moving C&C server. I’ll show you how a Russian group called Turla has been using Britney Spears' Instagram account for this purpose.

Classic signature-based AV is focused on files, so the ransomware guys are increasingly going file-less, especially exploiting PowerShell, which is available on all Windows endpoints. But how do they deliver a ransomware PowerShell script from the C&C server to the endpoint undetected? I’ll show you how the bad guys are delivering file-less PowerShell ransomware via DNS TXT record queries.
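As an added example (not from the webinar or from EventTracker), here are the two detection ideas the last two paragraphs point at, spotting algorithmically generated domain names and spotting TXT answers large enough to carry a script, written as one pass over constructed resolver log lines. The log format, the entropy and length thresholds and the 1000-byte TXT limit are assumptions to tune against your own baseline.

```python
import math
from collections import Counter

# Constructed resolver log lines for this example (not from the original page):
# timestamp, client IP, query type, query name, answer size in bytes.
SAMPLE_LOG = """\
2017-06-01T10:00:01 10.0.0.5 A www.example.com 46
2017-06-01T10:00:02 10.0.0.5 TXT _dmarc.example.com 120
2017-06-01T10:00:03 10.0.0.7 A kq3zx9vbw2lpm7.net 46
2017-06-01T10:00:04 10.0.0.7 TXT kq3zx9vbw2lpm7.net 1800
2017-06-01T10:00:05 10.0.0.9 TXT mail.example.org 255
2017-06-01T10:00:06 10.0.0.9 TXT www.example.com 1400
"""

def shannon_entropy(text):
    """Bits of entropy per character; random-looking DGA labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(qname):
    """Label just left of the TLD, e.g. 'example' for www.example.com (assumes a one-label TLD)."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_like_dga(qname, min_len=12, min_entropy=3.5):
    """Heuristic: long, high-entropy registrable label. Thresholds are assumptions."""
    label = registrable_label(qname)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def analyze(log_text, txt_size_limit=1000):
    """Return (client, qname, reason) for every query that trips a heuristic.
    Legitimate SPF/DKIM/DMARC TXT records are a few hundred bytes; a script
    payload is much larger. txt_size_limit is an assumed starting point."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qtype, qname, size = line.split()
        if looks_like_dga(qname):
            findings.append((client, qname, "dga-like domain"))
        if qtype == "TXT" and int(size) > txt_size_limit:
            findings.append((client, qname, "oversized TXT answer"))
    return findings

if __name__ == "__main__":
    for client, qname, reason in analyze(SAMPLE_LOG):
        print(f"{client} {qname}: {reason}")
```

A host that hits both rules on the same name, as 10.0.0.7 does here, is the case worth pulling endpoint telemetry for; either rule alone will also fire on some legitimate CDN and mail infrastructure, so baseline first.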

We’ll also look at:

  • Methods for evading Gmail’s checking for EXEs inside password protected zip files
  • Use of custom device drivers to execute malicious code in kernel mode
  • Word-macros that are the initial step in a completely file-less attack

How does an attacker go from sending an email to an intended victim to the point of gaining full control of their computer and beyond? In this real-training-for-free webinar we’ll look at 3 different real-world attacks in detail.

We’ll analyze these attack methods with the goal of answering 2 different questions:

  1. How does the attack work at a technical level?
  2. How can we use this information to detect different attacks in the future?

#2 is especially important, and particularly the point about different attacks. While we’re interested in file hashes, file names and other hard-coded signatures, attackers know about these and can combat them. Can we lay traps to catch the behavior and techniques? That’s what we’re looking for. Push attackers up the pyramid of pain.

This is important because, at the end of the day, ransomware is an endpoint problem: we need to know what’s happening on the endpoint if we are really going to catch these attacks before they get far. EventTracker is our sponsor for this real-training-for-free event, and Ananth, their CEO, will briefly show you what they have built into EventTracker to help you do just that.
