All right. Let's get started here. Thanks everyone for coming to part two of the, what was it? The official thing, Cybersecurity event. Yeah. Something like that. Best practices. Can you open the presentation? Yeah, wait. So I am the white hat. I'm Dr. Drive-by, and we have the gray hat here so we'll be. I've been to Vegas, I couldn't find a hat. John. There's a problem. I think I just encrypted the drive. I think that PowerPoint, we're going to need the backup. Does anyone have a backup? That's bad. That's bad. Anyone's seen five bucks like this before? Welcome to Ransomware. We now have a fully encrypted drive, so we're not going to be able to present. Maybe one of you would like to come up on stage? Maybe not. No one's laughing. Okay, that's not something that is laughable, we just encrypted our entire presentation, we can't continue. Yeah, it's unfortunate. Maybe we can switch over to the presentation though and we'll get started here. Presentation, there we go. So we changed the name of the presentation. This is part two, we're going to be focusing on Ransomware and Exploit Kits. So I'm John Harrison. I am the white hat here, I couldn't find a hat here in Las Vegas so I went with the white coat. I am Dr. Drive-by and Eric, you want to introduce yourself? My name is Eric Yunghans. I am a consulting engineer for Palo Alto Networks. I work on the threat prevention feature set. We should get a selfie with the audience again for part two, and again take pictures and let's make this the most tweeted picture of Ignite this entire session. Come on, take pictures of us while we're getting the selfies. Come on, we are not-. Of our rears. The middle? Okay. Reset the clock also please? Come on, the audience, get into this too. Come on, it's the last session. Thank you. They don't even sound like they're that excited. No. Not at all. So tell you what, so we talked about targeted attack documents. In this part we're going to talk Ransomware and Exploit Kits.
The key thing for you, because Ransomware is such a big thing, we want to make sure that you fully understand how they're created, how they're delivered, so that you can make sure you have the best steps in place to mitigate these possible attacks. These are complex attacks, and so there is no one magical security solution that's going to solve them. It's going to be a number of different steps, and the more you can understand from our demos here, the better you're going to be able to understand that. No, no, absolutely. The real issue, and something about Ransomware as a whole, if you look at the change that's happened over time, everyone here knows about Cryptowall, Cryptolocker, now you know about Locky. Absolutely 100 percent there's going to be new families in the future. It'd be stupid of us not to think that's going to happen. So, in terms of these best practices we're going to show you, they really cover the wide breadth of what we've seen for delivery mechanisms, and that would be the most important part of it. Can I get a show of hands, how many of you have been hit with Ransomware? Okay. Ransomware is also just really, really noisy malware. The nice thing is, unfortunately, you know you're infected. Your drive's encrypted. The scary part is all the other stuff you don't know that you've been infected with. So, as we're going through these, we're going to talk to Ransomware, but any other malware or remote access Trojan or other things could be dropped from this. And again, it is a big, big deal. The FBI says this threat is going to continue to grow. We've seen campaigns going where they're trying to target entire companies. Now they're moving into the websites and so, it has continued to change. The other part is really understanding how you got infected. There's a couple of key things. The first step is really exploit kits.
An exploit kit's silently infecting users doing what they normally do every single day, and the other part are things attached in email or possibly coming over the web. Parts two and three really combine together. So we're going to go in detail here to really cover most of these. Yes, there's lots of other different vectors, but if you sum it up, these are probably two of the biggest. Since we're talking about Ransomware, let's understand exploit kits really, really well. So with exploit kits. What is an exploit kit? It's a sophisticated toolkit that's made it really, really simple for attackers to silently infect users that are doing their normal things on a website. These toolkits, we're actually going to step through those and actually see them, and drop any malicious payload they want. So, one of the other delivery mechanisms is malicious advertisements, or malvertisements, are often used as well. So it may not be the website itself that's been compromised, but actually the attacker paying to host an ad or getting an ad to redirect on the website. From here, how big a problem are exploit kits? How many of you saw this blog post from our Unit 42 folks back in February? Ninety thousand websites compromised with Angler. If you want a great reading piece to really understand the details of exploit kits, the Unit 42 blog post's up there. Revamped Rig infects one million PCs. This is from PC Magazine last year. Again, malicious advertisements being able to deliver that to all those normal websites that your users are visiting every single day. For me, a top website served out Angler exploit kit and then Rig exploit kit when Angler was on vacation. So it's a big thing continuing to evolve. These are the names you should really know and understand. I did want to name one of these after my marketing managers, Kate Taylor and Princh Open, but these are the big ones right now that are being targeted.
Angler, Rig, and so you'll hear these day in and day out. From here, let's talk about delivery. So, user visits compromised websites. So again, the website itself may be compromised, maybe it's a malicious advertisement, it's then going to redirect you to the exploit kit where it exploits a client-side vulnerability. So you're going to see the different vulnerabilities that can be chosen. It could be a mainstream website. How many WordPress vulnerabilities have you seen? We've seen a lot on a blog site, and all of a sudden it's a WordPress vulnerability that then redirects you to where the exploit kit is serving, it then pretty much drops anything it wants. In this case it's Ransomware, the drive-by payload, and from there, game over. The worst part about this is the end user has no idea they're infected, except in the case of Ransomware, unfortunately. So, let's go ahead, we're going to go through the steps, we're going to create the payload, we're going to obfuscate it. We're going to check it against AV signatures to make sure we have a fully undetectable payload. Then we're actually going to rent the slot on the exploit kit, prepare for delivery and then actually insert it, possibly pay for an ad, and then focus on the delivery. Anything else to add? No. I think it's interesting to understand though, especially the renting of the slots. In most cases, the attackers actually leverage essentially a slot on an exploit kit. There may be other people on the next blicket delivering other pieces of malware. So, stop thinking about this in terms of, let's say, Angler always delivers X or Angler always delivers Y. Angler is a mechanism for delivery. Whether it delivers Ransomware today or, let's say, some other type of Trojan tomorrow, it really is completely up to the person who actually pays the actual upfront fee.
We actually have an advertisement we'll show for Nuclear, which specifically shows what they're selling and how they're selling it, which is kind of interesting as well. There's a lot of different nuances if you read into our blog post about it. They'll serve up only at certain times of day, only at certain regions, and again, so that's what makes protecting against these hard, and a really incredible tool for delivery. Absolutely. Absolutely. So, let's go ahead. We're going to talk- this is the Nuclear exploit kit. Yes. This is actually an advertisement that I received over a secure instant messaging service. So the interesting part about this is there's two different levels. So, two different levels you can pay for. One gives you certain functionality, the other gives you another. So, to John's point, specifically speaking to Angler's capability of actually delivering during certain periods of time or certain periods of day, [inaudible] matters in terms of the attacker's mindset, if I were to be successful at delivering Ransomware, who's most likely to pay the actual ransom when the files are encrypted. It's not going to be someone who's in a third world country, it's going to be someone in the first-world country set, unfortunately. So thusly, you have filtering and statistics. So I can filter out your user agent strings and see where you're coming from, and then decide what payload I'm gonna give you. Okay? So if I see you're coming from the US, I see you're matching a certain user agent string, let's say in terms of IE, I'll deliver you certain exploits themselves alongside certain payloads. Interestingly enough, if you look at this as accommodation on a dedicated server, so it's hosted for you, so it's a SaaS model. You pay a rental fee, it's hosted for you, redirect users over to where your landing URLs are, that's it. In the actual private version, the one unique item that you see at the bottom there, is FLASH Banners for advertising.
So pardon the bad Google Translate here, but I decided to do a direct translation for you guys so you can see exactly what they're offering here. So again, accommodation, dedicated server, but you get FLASH Banners at the very bottom, which then allow you to get inserted into ad rotation services, which would net you much more infections. So again, same concept, if I want to infect 10,000 people in the US with my new ransomware, I'm going to go this route, it's going to be easier for me if I pay the extra cash. The version in here, to give you an idea about the pricing model, it was $800 a week or $2,000 a month for the VIP version, not the private version. I didn't ask how much the private version was, but interesting. A couple of caveats, I think we did in the first session, the second session, again, do not visit any of these URLs that you may see up on the screen, do not also go look for some of these toolkits that we're going to be showing, of course these could be infected or have backdoors in them. These are being shown for demonstration purposes only, okay? Is that good? So why don't we go ahead, let's do an attack for the exploit kit vector. Sounds great. Okay, switch the video. There we go, perfect. So this is Hunter, which was listed on the list you guys probably saw. This is an exploit kit. This is actually not a SaaS based model. They deliver you the entire kit for yourself. The way this actually is marketed, is they give you a certain bandwidth limitation. So when they give you the actual kit, you'll see this when I actually log in. You are going to see a bandwidth limit at the very top. So I'm logging into the exploit kit itself. You see the exploit statistics with the bandwidth limit at the very top of server bandwidth and how much I've used. If you look here, this is actually them listing out what's been added, so it has an auto-update feature. So I can update with new exploits being delivered down to the actual exploit kit itself.
So there's 12 different client-side exploits, there's a bunch of different web app, mobile, all sorts of fun stuff. What's interesting about this is that, really what this is, it's a delivery mechanism. Remember this, when I actually do the next piece, what I'm doing is I'm telling the exploit kit, "These are the actual exploits I want you to have available and to be run on the end-user's PC." So notice here, I'll pause it for a second. Multiple different Adobe Flash, IE, Office Word, which we'll get into a little bit with the actual more exploit-driven or other types of attacks, Mozilla Firefox, et cetera. So think of this as literally, it's going to daisy chain these all together to figure out how I can actually work. Let's say the attack is going to be successful on the user's PC, these will figure out what actual vulnerable versions are installed on your PC, and then deliver it based upon this actual structure. That's a lot of FLASH vulnerabilities up there, probably a really good reason that we should not be running FLASH within the enterprise, right? Yeah, good point, and you notice on the far right-hand side it's giving you exactly how it's doing memory-based bypass for anti-exploitation. If you have, let's say, EMET or something like that, it's telling you exactly how it's going to bypass UAC, et cetera. In the middle, where you see the good rating, that gives you the efficiency. How efficient it is at actually delivering the actual payload. So in this context, what I'm going to do is I'm actually going to create what's called a new task. Let's think about this in the exploit kit terms, I'm telling the exploit kit, "Here's a new URL to create, which is going to be the portion of where we redirect in the exploit kit to infect a user." So when I create a new task, I'm going to choose all of the exploits I want to run. So I'm just going to select all, so basically I'm saying, "Throw everything you can, the kitchen sink, at the user." When you hit next, I upload my actual sample.
So now I'm actually pushing the actual malicious binary into the exploit kit itself. I'll submit and now, this is the best part. This is Locky, so this is a ransomware variant. You see on the far right it says, all exploits have been selected, success in uploading the actual file to the actual host. It generates the specific shell code, which is the download shell code. Because remember, when the end-user gets infected, it has to then deliver the executable right afterwards, so it's generating this on the fly inside the exploit kit. All the exploits have been generated, it's automatically done tests, it's 100 percent successful. So we're guaranteeing that this specific binary is going to be successfully delivered to the end-user. So now this is done when I actually see the current tasks. It should be counting down. Now, I have a direct URL that shows me specifically what my new URLs are for the redirects. So you'd see obfuscated versions of it, or at the top, just generic versions of it. So at this point, all I need to do is get users to pass by, so that could be me compromising a website, that could be me leveraging a vulnerable or malicious advertisement. This is an end-user's PC. They're fully up-to-date with Symantec, I'm not going to pick on Symantec. I'm not here to pick on them. I'm just showing you how this all works. So fully updated, when the user, I'm going to show you what it would look like if you are not seeing this in terms of an iframe or some type of hidden view. So what we're going to see here is, lots of iframes are going to pop up all of a sudden with PowerShell scripts and all things, it'll jump away, and this is Luna, the exploit kit, figuring out what exploits are available on my PC, and delivering the payload. So at this point right now, this user's infected. I visited a website and I'm thoroughly infected. I didn't have to really do anything.
No, no, I just showed you the way it looks on the other side of things, so you can actually see some of the details of what's happening. So that's the actual binary uploaded to the exploit kit. So it's now in the process of encrypting the drive and it's going to end with the full Locky screens that are going to pop up, so you're going to see lots of BMPs and everything else in a few minutes. So it takes a little bit of time because the machine actually has a few more things going on on it too. So there you go. So that's done. So again, since we leveraged a memory-based technique, we bypassed local AV because we injected ourselves directly into memory, execute within memory, and now at this point, this user's encrypted. Anybody here who's seen this in your organization? Or seen something like this? Yeah, hands. I see some hands go up. This is how it all works. Now, what is this basically, it's all underpinning one specific thing, and you have vulnerable versions of specific software installed, and that's the underpinnings of what you see in the exploit kit. The exploit kit, all it does is daisy chain the exploits to the file. I can replace this file with something fully different, doesn't make a difference. Again, the ransomware is really noisy, you know you're infected, the remote access Trojan we demoed in the previous session. Nice and silent, the user has no idea. Yeah, no idea what's going on. What's going on. No, yeah. Absolutely. Yeah. So there, I mean that pays testament to, if I wasn't running FLASH or wasn't running Java, or didn't have a PDF, or old versions of Java, thank God, that would reduce my attack surface? Yeah, absolutely. Great, let's switch back to the slides. Back to the slides please. So let's talk about some of the best practices, that again, exploit kits are not simple. This is one of the things where you need to leverage the entire platform.
We've given you a really, really powerful platform and Lee Clara 20 started yesterday, start with application visibility. You need to have an idea what is running in your organization. So I'm assuming every one of you already has a fully based App-ID policy. So I'm going to get in to pick a few of the other security best practices, but there's multiple things you need to do to be able to mitigate exploit kits. The first is an unknown URL policy. So we were actually doing an investigation of the Magnitude exploit kit. Did anyone know there's a new TLD for .accountant? It's good timing. Yeah. Here comes the tax season. So we found 500 different domains, they all were .accountant, that were serving up the Magnitude exploit kit, and then the guy switched it over to .top. So here's just an example. I took a look and the nice thing is, they actually show up in PAN-DB as unknown. This is a great reason why you want to block unknown categories of URLs, because these guys, how many of you saw Paul Vixie's DNS session? Yeah, these guys are just rotating through new domains that are out there. So being able to mitigate against unknown domains is one of the key things that's really, really going to help you reduce the attack surface and not allow that interaction. So I pulled up AutoFocus and I started taking a look, and these were just some of the examples. I just saw badness, domain, domain, domain, all of these were .accountant, and again, think of IRS, targeted attacks, and things like that. You're looking at your logs and they're .accountant. Everyone's just doing their taxes or whatever. The top one up there's interesting, networklogin.accountant-login.microsoft. So definitely a phishing thing. There's a lot of bad things that happen after 11:00 PM, and with unknown URLs, right? So from here, let's go ahead. Again, how many of you were in my previous session? Okay, love it, the best practices are exactly the same. Sorry, we didn't change these.
Again, block malware category domains, these come from WildFire, they come with the interaction with the exploit kit. There's a reason why these are malware category domains. Every single one of you should have a PAN-DB URL filtering subscription. If you don't, then you're missing a key part of our protection, of just how simple, I don't care if you have any other solution. The malware category, unknown category, how simple it is to create a policy based on users, based on applications, based on domains, to be able to say, "Do not allow employees to go visit your unknown categorized domains within PAN-DB." Again, combining the file blocking together with URL filtering is a really, really powerful step here. From here again, the continue page is a really, really great example. From unknown URL, let's go to IPS signatures. Again the strict IPS policy, these are a lot- this is different. There's a lot of key things my team has been doing to add IPS protection against exploit kits. We've got hundreds of different IPS signatures that are updating multiple times a week, and so we're having a lot of updates, but there's a lot of other things that are indicative of, say, a Malware XOR, go to payload, or the Microsoft Word vulnerability that was actually being used with the Hunter exploit kit, Malicious PE Detection, and then there's some more medium severity things that again, could have false positives, but it could also be indicative of the same types of obfuscation that are being used by the exploit kits. So this is really, really powerful. The key thing is we need you to have an inline policy, have it inline and blocking. Prevention is absolutely key here because these things are occurring, think of the malicious advertisement on your favorite news websites or search engine sites that are popping up to be able to deliver these. There are two built-in policies, one is called default, one is called strict, the strict blocks medium, high and critical severity signatures.
The next thing here is looking for more content updates for the IPS threat content. We're doing almost like twice a week updates for threat content, and if you're not taking advantage of that, you may miss some of the protection that we're delivering. So two to three times, I think we delivered three updates last week and we're continuing to really crank out things. I'm excited to really- we've really built one of the best threat prevention teams besides having a great engine. It's the group of engineers, part of my threat research team, part of my global security response team and Unit 42 all pulled together. How many of you read the SANS Internet Storm Center? How many of you know the website malware traffic analysis? So Brad Duncan, I'm excited to announce, joined Palo Alto Networks a couple weeks ago. He's one of the preeminent exploit kit experts, as well as we've been building up the exploit kit expertise from a number of other companies as well, to be able to make sure we have everything focused on protecting you as much as possible upstream, and again, as one key part of this. From here, we've also added a couple of new features under the hood. So this is a sub category so you can make sure that you actually have the exploit kit signatures and the phishing kit signatures. So now you have a sub category you can actually go in PAN-OS and be able to select those, and that should be all PAN-OS versions. Then the next thing we added is here, you can actually take a look at within the threat logs. So maybe you're going, "I've got tons of threat logs." Now you can do category of threat ID equals exploit kits, you can actually see which exploit kit signatures are triggering, grab the related session, take a look at the entire session and make sure that URL has the right category.
So some customers are actually creating a new external dynamic list and creating a dynamic URL list to make sure that that is blocked within the category, because this changes so much. So from exploit kit, the next part is the C2 communication. Again, I talked about there's payload based C2 communication and DNS C2 communication, and this is where we're delivering 25,000 DNS C2 signatures a day. So, you want to make sure you have the strict profile setup, the DNS sinkhole, and again, the reason is if you don't have DNS sinkhole, the source IP of the infected system will be your DNS server and you're going to go, "Great, what do I do?" So now you're going to have User-ID already set up, you're going to have DNS sinkhole, which is going to take you 30 minutes. There's two great YouTube videos on the Palo Alto Networks channel to be able to set up and configure it. So tomorrow by noon you should have that done and be able to set that up, and then that's going to essentially forge the DNS response. No changes need to be made on your DNS server, no changes need to be made on the endpoint, it's really simple to do. Then enable passive DNS monitoring. What's a good reason to enable passive DNS monitoring? Yes. So first of all, if they didn't see Jamie Frucheryl's presentation earlier, it's still around our correlation objects or things within actual PAN-OS itself and AutoFocus. It helps us get a good or better sense of exactly what bad IPs are associated with and what bad names. The thing about re-usage here, I can keep reusing the same IPs but rotate through lots of top level domains, .accountant and .top, etc. So if we start to build that list historically, we can start to predict actually in front of, let's say, what maybe the next domains being registered by that specific attacker are for the next day. Let's say it's based on a DGA algorithm or something similar.
So we're mining that, that's actually how we were doing the research of the .accountant domain, we're like, okay, we'll see where this is going, and so we're able to go ahead and prematurely, go ahead and change these to a malware verdict, create the DNS C2 signature, deliver it within five minutes worldwide to you, which is why you also want to have a WildFire subscription so you can receive those within five minutes. The next part is WildFire and file blocking. So in the last session, I think I hammered home you all need to look at blocking PE files. This is what gets delivered often with the exploit kits, delivered with any malware delivery, and so start somewhere within your organization. Again, the example I gave earlier is, is there any reason why anyone in payroll needs to download executables? The screensaver file, the SCR file, is the example we delivered earlier. Is there any reason anyone in your company needs screensaver files? Answer? Let's say it again, what's the answer? No. Alright, this is good. So another one takeaway. So I also, from last year I also added a few new ones, CHM, BAT, VBS files are a couple of the other file types that are related to this. Encrypted file types, look to see whether encrypted zip, encrypted rar, especially for exfiltration, and doing segmentation based on that, and then alert on all other file types, and then the continue option. Make sure you're forwarding everything possible to WildFire and then the continue page. Continue page actually works great for exploit kits because it's more of an automated delivery. Hey I was on- am I allowed to say a company's name? I'm on my favorite news site reading the news and it says, "Do you want to download this executable?" Let's pray the user actually says, No. Instead of, would you like to install them? Yes. It's like I'm all about end-user education, if we can convince one user not to install them, we will have a much better day.
So, from there, we've got correlation objects, did every one of you see the new correlation objects in Jamie's session? So, correlation objects can help us find potentially infected systems. So within Panorama 7.0. Again, a great reason to move to Panorama 7.0 is because they take the events from your traffic logs, your threat logs, and your URL logs, to be able to correlate information based on the indicators or the malicious sample that's been seen in WildFire. So, the beacon detection, the exploit kit, and the compromise activity sequence. These can be indicators of where you want to start with the investigation instead of tons and tons of logs. We introduced the Scarlet Mimic correlation object, which again, took 10 pages of indicators out of the report that Unit 42 put together, we said, "let's deliver this down to your firewall so you can start actually looking in your environment to see if there are similar indicators together." So, correlation objects, against this is a view here, will show that a host is likely impacted by an exploit kit, a triggered vulnerability signature, a C2 signature, and an anti-virus signature. So again, it's taken multiple things, we will be delivering more correlation objects that are taking lower severity or benign indicators, and finding other things as well. So, look for more of those. So, let's go ahead, and we're going to turn over to the demo. Yeah. So, let's take a look at this. So, this is actually when my user passed by the exploit kit. So, obviously, I allowed everything on alert mode here, so you guys could see this. But the first thing you see, and you see the timing here. This happened all within a second, because all those different iframes that loaded, were all different portions of the exploit kit trying to figure out the vulnerable versions on the end-user's PC. The first thing we see is the Hunter exploit kit detection.
That is literally, these specific exploit kit landing page detections within the product itself with an IPS. So, if I was blocking that with IPS, it would be a boring rest of the demo. It would be a boring rest of the demo, which is why everything's on alert. Okay. But not in your environment. Yes. It should be in full blocking mode in your environment. So, what you're seeing here, is it rotating through and trying to figure out how to deliver this particular file. Now, in the context of the successful delivery, so we have the user deliver the file. This is now URL filtering and picking up the callback. So, remember the Locky example, the user started getting the pop-up messages of infection. Well, that's actually post-communication with the C&C. So, in this case, we already had the actual URL as part of URL filtering, marked as malicious in PAN-DB. So, here's your second chance to pick up the fact that something is happening, one, happening on the user's PC, and also stop the encryption process. Yeah. One thing that we didn't see in the previous session, with the IPS vulnerability, the exploit kit triggers. If you pull up the event and then wait long enough for the related logs to come up, and you have PAN-DB and URL filtering, you'll see the URL related logs, and see what that is, and make sure that's the URL that you definitely want to block. Absolutely. So, second to this is where you see the WildFire submission, which of course is going to give us a malicious verdict as well. So, obviously, this is the file we actually passed the end-user. The Hunter exploit kit doesn't have any obfuscation capability inside of it. So literally, we're seeing the direct delivery of the actual file itself. Now, secondarily to that, we can see the delivery of the PE file as well. So, it has no name inside the exploit kit, it's non-executable. Let's say, directly with .exe, because data changed with the exploit itself.
So, in this context, the firewall saw that's a PE file being delivered from, in this case it would be an unknown, now categorized malicious, URL. Wait. So, if I'm blocking PE files. Yes, you would actually get the secondary payload, unfortunately. Again, great combination. Now, secondarily to that, if we look at fast-forwarding to the actual correlation objects. Now, what we're going to see is all of this information rolled up into one. So, think about this in separate instances, we have IPS blocking one function, we have, let's say, WildFire getting us in the middle, we now see URL filtering entries as well. Now, this all gets rolled up into one single actual event, which shows me all of the associated details of the threat logs alongside the threat IDs, et cetera. So, here, we've taken all this information and compiled it together, which gives you a critical event, it says, "this user is most likely impacted by an exploit kit." Yeah, there's some of those that are put together with the XOR encrypted payload, so that could be an indication that possibly, something went through. Yes. Absolutely, which in that case you have Traps to stop it at the endpoint. Yeah. Absolutely. All right. Back to the slides. So, again, this is just partially way through, there's lots of other best practices that hopefully you've picked up, SSL decryption. Really great example why you want to have SSL decryption. So, I think we did file blocking, block the EK payloads for PE files, visibility, SSL decryption, URL filtering. The zone protection is another thing we didn't cover, the blocking of the exploit kit with threat prevention, the C2, the DNS, then WildFire, Traps. The one thing we don't have up here is GlobalProtect, and it actually should have been up there. We were trying to demo the exploit kit being protected by Traps. Yeah. So, funny enough, we have obviously the Traps clients, who were like, we should pass by the Traps client onto the exploit kit and see what kinds of triggers.
So, we actually had a Traps engineer with us, who was actually using GlobalProtect, and all of a sudden we're like, "Why isn't the exploit kit working? It works perfectly fine on my other machine. What's going on here?" It was actually, even before Traps, the exploit kit's actual delivery, those specific payloads, were being dropped by IPS on our corporate firewalls, which we hoped it was. Sorry. Yes, but the corporate firewall is doing what it was supposed to, and ignore what you saw behind the curtain. Yeah. But definitely a testament to GlobalProtect doing exactly that: you're off premise in Las Vegas, or at a Starbucks or a cafe, reading the news; we would have been infected. Luckily we had Traps on the endpoint also, but that's one of the key mitigations, why you need GlobalProtect as well, all the time, to protect your users. So, tell you what, let's switch over now to ransomware. So, ransomware as attachments, and again, this could be an email, could be also a link to go download them. So, again, we're going to start off with the PE file, and so in this demo we're going to open an email, and have it sent with an SCR file, again, the screensaver, the thing that should not be allowed within the enterprise. The end user is going to open it up, what looks to be a PDF, and then ransomware encrypts. So, let's switch over to the demo. So, in this demo, what we're doing here, this is actually, I demonstrated this in the previous session, but this is a packer slash cryptor. So essentially, it's going to take any non-executable, pack it up, and I can repackage it in different ways. So, what I'm doing here is kind of a little bit longer than what I showed in the previous session, where I'm taking an existing Locky binary. So, one that's already been known, obviously it's ransomware. I actually can add in different functions. So, I can say whether to install, I can add in anti-noise features. The primary thing I'm going to do, actually, is clone resources from Adobe Acrobat. 
So, literally, what I'm doing here is I'm cloning the icon and the version information from Adobe Acrobat to apply to that file. So, think about this from a user's perspective. When they receive this file, it's going to look just like a normal Adobe Acrobat PDF, from the icon perspective. Okay? I'm also going to set an execution delay. So now, if you guys are familiar with the ransomware attack, that Boseons OSX one that we discovered with Unit 42, which delayed three days. Well, here I can just set as long as I want to delay. So, you open up that Adobe Acrobat file, nothing seems wrong. Let's say I set a delay of 60 minutes, and it waits to execute that long. Well, then you're like, "Well, this PDF just isn't correct," and whatever, I'll just throw it away or delete it. Again, hopefully, nothing will seem suspicious to the end-user. Yeah. That's one of the reasons, where you may be interrogating the user, "How did you get ransomware?" and they're going to be, "I don't know, I didn't do anything." Yeah. We're going to click Build, we're going to dump this back out, and this is going to be now the newly created file, which looks just like a PDF. In this context, what I'm going to do is an email-based campaign. I'm going to actually email this into the organization. First, I want to make sure I can check to ensure that it's actually not being detected by any known AV vendor. Here, what I'm doing is I'm taking the same file, uploading it to a site that allows me to check against known AV vendors to see if it's being found as malicious. The reason why I use this site is specifically the way this works: they do not share any of the files with AV vendors. Unlike VirusTotal, which shares everything with AV vendors, this is basically the carbon copy opposite. Does not share anything. I pay a certain fee upfront in Bitcoin, but essentially they guarantee they'll never share anything with AV vendors. Why? 
Because as soon as you end up in VirusTotal, the quicker AV vendors will deliver signatures and the quicker the general population would be protected. Actually, the terms of service of a lot of these tools say, if you upload it to VirusTotal, we're going to terminate your software [inaudible]. That's true, it's pretty funny. It's great to know hackers have Terms of Service. What we're going to see here is that this is all being marked as clean, so essentially, no AV detection whatsoever. Again, one crypt, one pack, and now we're bypassing traditional AV. Now, at this point it's all about delivery. User receives said file. I'm going to show this because I think it's essential to see how actual Windows behaves with this. You see, notice that it actually has .PDF but says screensaver at the bottom. In this case, this user's got the standard Windows 7 PC, fully updated, but literally it's got the file extensions turned off. It says PDF, and when you save it to the desktop you'll see that actually it looks like a PDF file on the desktop even though it really is a screensaver file. I'll minimize, and to them, right there it just says .PDF. There's nothing that would signify that's a screensaver file. When this executes, we're going to see the inevitable result, which will be encryption. Again, another simple way to bypass. Again, that's why blocking these upstream is going to be crucial, because end-user education is going to be really, really hard. Look for the screensaver file type when you save it. It's like, that's hard enough, that's going to be a hard one. Especially if you look at that example of what I was able to do, take cloned information from existing executables. I can make it look like anything I want, and the end-user will [inaudible]. Can it look like a PowerPoint file? Yeah, I can make it look like a PowerPoint file. I can make it look like anything else. 
It's really about the capabilities of attackers to start extracting information out of a legitimate piece of software and dropping it on, let's say, what would be, let's say, ransomware or any other piece of malware. It's a very common technique because, again, from that point, now we're presenting it to you like it looks completely legitimate, and this is how people do click on files. Combined with a bit of social engineering there, or saying it's an IRS tax due notice, again, further enforces that they should open the file, and that's obviously what we can do upstream, and help them not execute it on an end-user's PC. If it gets on the end-user's PC, you've always got Traps that will send the file up to the cloud for WildFire and wait for analysis to take place; then your firewalls automatically get, obviously, all the protections in place at the file level and URL, DNS, etc. It's a self-learning mechanism. Okay. I think we're back to the slide deck. Okay, back to the slide deck. Let's go ahead. We're going to cover the Word document next, and for this, we're going to talk about Locky. Locky's been big in the news. What is it? Well, let's actually go to AutoFocus, where we can take a look at what AutoFocus says it is. Ransomware dropped by Dridex actors uses this type of encryption and file payment. Again, AutoFocus is really helpful. If you haven't looked in AutoFocus and seen all the tags of all the different TeslaCrypt, CryptoLocker, CryptoWall, Locky, it's really fantastic. Locky, 800,000 sessions we've seen, and part of what Eric was talking about, it continues to change, half of which are targeting the US there. For this demo, you want to walk through what we're going to do in the demo, a little bit more about Locky. Yeah. This is going to be a bit different. 
If you think about this in terms of a Word-based macro or an Excel-based macro, the Adobe PDF is a nice trick and it'll trick a lot of people, but if I'm looking to really be successful and really get my malware out into the world, I'm probably going to go the macro-driven route. These macros, typically, one, you're always going to allow, as it's a true document file. In that sense, it's literally a standard Word document. From that point, all I really need to do is get a user to enable macros in some way, shape, or form. In that case, a little bit more social engineering, but it'll net me the same results. In this case, what I'm actually going to use in the demonstration is a tool that lets me build custom macros. Think of this as a tool I used in the previous demonstration as well, but we'll go a little bit deeper into it. It lets me take any configuration I want, whether it be Word or Excel, and actually populate in where I want the secondary payload to come from. Let's jump over to the demo, and I'll explain this as it's executing. Here, this is the Office exploit builder. What I'm doing here is I'm saying, one, this is going to be specifically for Word. One, when that user clicks enable macros, I want the secondary payload to be this URL, and this will be the secondary file being ingested into the environment, which specifically, in this case, I've replaced now with ransomware. I can state exactly how I want the file to be saved on the end-user's PC. Here, if you think about this, what I'm doing is I'm saying here's the URL to pull the payload from, here's where I want it to be saved on the end-user's PC, and then it just executes directly from the macro itself, so it's completely done. When I click build, what it actually does is it takes all the variables I've put in place and creates a Word macro, which we'll see in a moment, which is highly obfuscated. 
This Word macro, skip back here for a second, I was going to show it here: nowhere does it say the URL that's being pulled from. Because it's actually taken all the routines and all the information I've put in, and basically turned it into a fully obfuscated VB macro. Now, all I need to do is do the next step, which is actually inserting it into a Word document. As I mentioned earlier, there's a really nice tutorial this guy's made to go alongside the software that explains exactly how to do this, but it's all pretty straightforward. We're literally creating a simple addition on the enable macro side, we're going to save it, we're going to combine it with a little social engineering technique by just adding, in this context, we're going to be specifically targeting people's fears about tax season. We're going to be pushing in some verbiage that says it's a notice from the IRS, which you'll see in a moment. Which then basically says, "Hey, you've got an overdue tax notice, click enable macros to actually see the secure message," which would be how much you owe. In this context, when the user executes this, when they click that enable macros, you have to think of what's happening in the background. All that's happening, the document stays the same, nothing in the document changes. The actual user PC is going out, grabbing the secondary payload, which again is going to be another Locky variant. It's going to ingest it and actually then execute it locally. This is what's happening. User opens up Word, they see enable content, absolutely. "I want to know how much I owe." Nothing happens, nothing looks bad, you've still got Symantec running, and within a few moments, well, actually maybe a few minutes in this case, we're going to see the encryption process complete. Again, straightforward, but you're combining social engineering alongside what would be typically allowed within an organization to skirt by what would be traditional security controls. 
This, in a context from you guys' side, is very hard, because you can't necessarily block every single Word file coming in with macros as an attachment. Maybe you could, depending on the organization, but for the most part you need to allow this type of traffic. These days I wouldn't open an Office document or a PDF without having WildFire or Traps as additional mitigation; it's just that dangerous. Sure, absolutely. What we're going to do is one more demo. We're going to do the JS file attachment, and again, a JS file just gets the end-user to do pretty much the same thing. Let's keep the video on. Yes. So, in this example, and if you guys have seen this, it's a variation on a theme. JS files, basically, are interpreted by the browser. So, in this context, this is what you've seen in terms of an attack structure. Open up the attachment, it's a .js. I like this, it actually does tell you you shouldn't do this, but right now your user is like, "I want to see what's happening." So, you hit "Open". Literally, at this point it's going out, grabbing the executable, again remotely, ingesting it into the user's PC and executing. So, there isn't anything inherently malicious in the JS, it's just going out and getting it? It's exactly the same as the VBA macro within Word. Yeah. It's a highly obfuscated basic script inside of the JS. Oh, man, our hard drive is encrypted again? Yeah. These guys must love me because I've literally, now I guess, fake-encrypted 10,000 users' PCs at this point. So, let's switch over to the ransomware best practices, and we're going to follow up. There's a lot of key things: again, reduce the attack surface, focus on known prevention, focus on unknown. Again, I've got a lot more different tips in here. So, basically, URL filtering, we've talked about that, I don't want to cover that again, but it's exactly the same thing here, the file blocking. One of the key things. Again, we've talked about the file types here, encrypted file types. 
We actually added VBS, again, as one new file type to look at blocking. The last couple of things. The IPS protection: we actually introduced a bunch of new IPS signatures in here, and these are informational signatures. Again, a JS sent in an email, a JS inside a zip, the HTML MIME. Then, we've also added the Windows Script File, WSF, yesterday, in yesterday's content update. These are informational signatures; look at enabling these selectively. I have some customers that have enabled them in blocking mode already. But again, the JS itself is not inherently malicious. With WildFire, again, WildFire does really well at detecting ransomware and the files associated with that. So, that's where Traps and WildFire are absolutely essential for being able to mitigate ransomware attacks that are out there. The C2 protection also is absolutely paramount. Then, AutoFocus. So, we're actually going to roll through the protection here. You're going to see all that come together; it's a really powerful story. Again, ransomware is not simple, you've got to leverage every bit of the entire platform. So, this demo is going to show that. Yeah. So, first off, as John spoke to, the new JavaScript sent in an email. So, this is detecting the JavaScript inside of the zip file. So, we're seeing it automatically detected now. In this use case, in my environment, I could block on this. I'm just choosing to show you this as an informational set. Now, the secondary PDF which I sent up. Remember, that was the Word-based macro download. You've got to think of this in two stages. User executes Word document, they click on the macro, the macro then goes out and grabs the other payload; that's your chance of detecting the actual secondary piece of ransomware or whatever it may be. It doesn't actually need to be ransomware as well. So, this is WildFire's analysis saying, "Hey, this file is bad." I know this file is bad; even though it says it's a PDF, I know it's a PE file. 
So, again, identifying it in a different way, not relying upon what the actual file naming convention says, but relying upon the file type identified by the firewall itself. So, we see the WildFire analysis report; we can then close this. Now, think about this from a larger scale. If you think about how delivery mechanisms are, we showed multiple different delivery mechanisms. So, this is actually a view from this morning that I recorded right before our presentation, of Locky. Now, I want to explain what I'm doing here. I'm looking at every single Locky variant we've ever seen within the entire world, okay? Now, I want you to notice here, based upon its behavior, not about what its AV signatures are, et cetera. Based upon the way it behaves, if you notice a pattern here, the first one was at 3:45 this morning. So, the first new Locky sample we saw was from today. How many samples are from tomorrow or from yesterday? I'm sorry. There's one, two, three, four, five, six, it keeps going on; do you see the time differential between sample releases? Some are seconds, some are minutes, some are hours. So, when we think about this in terms of the game of bypassing AV, then you start seeing what's on the right. VirusTotal: still not found. Some detections, low detection and some hard detection; it really depends on the sample itself. So, think of this from the... Going back in time, you list this all from a single date, maybe 20 or so samples were released. This one from this morning, we'll click and see, it is completely unknown to VT as of yet. If we jump in and see the actual HTTP request, it's only calling out to a host that's only ever been associated with malware. So, see the BMG, little icons there? The malware, this URL has only ever been associated with malware, 21 times; is that something you should block? Yes. Yeah. I think one of the interesting things from the previous slide was, it was PE files being downloaded over the web. 
So, you've done a great job blocking PE files coming over email. So, what the guy will do is include a URL to then allow your users to download it over the web into the organization. Yep. So, this is actually finishing part two about Locky as a family. So, first off, the first time we ever saw Locky, in general, was in 2015. So, 2004, 2015 was the first time we ever saw a Locky sample pass by WildFire as well as our customer base. Obviously, you're seeing the last one was from this morning. Now, you see that giant spike at the very end; that is Locky coming into popularity. So, basically, when it started to be distributed widely. Now, look at this from the application distribution. You see SMTP being the number one distribution method for Locky. Now, when we look at this, actually, from the true AutoFocus results for this, what you notice is that Locky was delivered via Word-based macros for a period of time. So, it was delivered via Word-based macros for about a month. You can see it's all on the 18th and then one on 3/18. You notice, again, varying detection rates within actual traditional AV. So, what happens today may be very different from what happens tomorrow, whether I choose to deliver via macro or choose to deliver via exploit kit or JS files. It's all a vehicle for delivering what I'm looking for. So, in the context of one particular family, now you're seeing the attackers' understanding start to shift tactics based upon what they have access to or what they can be successful at for that short period of time. So, does it make sense? Yeah. I mean, this is really a testament, again, to how good WildFire is, also at the protection side of it, and also learning as much as you can out of AutoFocus as well. Even if you do not submit any files to WildFire, within five minutes you will have the protection derived based on what someone else will have received. So, this is one of the key benefits of why having a WildFire subscription is essential. 
Absolutely, 100 percent. Is that the end of your demo? Okay. So, let's go back over the slides and wrap up. Again, there's a lot of things there; ransomware is not simple. We've given you a very powerful tool within our platform. Application visibility is one of the key things. Reducing the attack surface, preventing known threats and then detecting and preventing the unknown threats. You've seen the unknown, the aspect of what WildFire can do in each one of these things. There's another thing we talked about, exploit kits. Uninstall it; there's things up here like uninstalling software, not having Java, not having Flash. I turned off Flash on my end system, the web works beautifully. All those Flash vulnerabilities you saw, not an issue. Again, Silverlight, Java, old versions of Internet Explorer, there's a lot of things that we can do that, again, are outside of that. One of the other things that's not up here: Office 2016 has actually added a module to be able to prevent macros running as well. In the slides we send out, we'll actually have a list of other articles and tips. The Unit 42 blog posts are absolutely essential. Each one of these things. Again, we know it isn't simple, there is no magical solution. I want you all, next year when I ask, how many of you have enabled each one of these things? The whole room is up there, standing there and raising their hands. So, we'll be around to answer questions here. I think our time is up, or we-. So, we'll be up here at the front to answer questions and be up here. Thank you all very much. Anything else to add, Eric? Not at all. Thanks a lot. Awesome. Thank you.