Security is our DNA, Fábio Costa

Author: Diego Veiga Tuschinski

1 Security is our DNA www.bidweb.com.br Fábio Costa

2 Say NO to Ransomware

3 Evolving threat landscape (chart: crimeware vs. damage caused; timeline 2001 worms, 2003 spam, 2004 spyware, 2005 botnets, 2007 web threats, 2010 targeted attacks, 2012 mobile attacks, 2015 destructive attacks / crypto-ransomware)

Speaker notes: The threat environment has evolved over the years. All of these threats still exist out there, but new and more damaging threats are being developed each year. Now we are dealing with targeted attacks, advanced persistent threats and creative mobile attacks that take advantage of new vulnerabilities, social engineering and mobile proximity. They are stealthy, designed to fly under the radar undetected and to steal your valuable data. And your data is everywhere: in the cloud, on virtualized servers and on mobile devices. It needs to be protected without slowing you down.

Street crime is down 20%. Why? It is becoming so much more profitable and lucrative to enter the world of cybercrime, and it is getting easier. Cybercriminals use a seemingly endless array of techniques to compromise and infiltrate nearly every aspect of our electronic environment. As our lives, and for that matter the entire global economy, have become increasingly dependent on web-based systems and interconnectivity to operate smoothly, cyber-attacks have emerged to stalk us nearly every step of the way. In fact, they have grown so complex and varied that traditional IT system defenses such as antivirus (AV) software and intrusion prevention systems (IPSs) are not enough on their own. Cybercrime has become big business, with commercialized exploit kits and cybercriminal counter-intelligence available to the hackers. This has greatly accelerated the volume, variety and velocity of the threats we are dealing with. Specific emerging trends in cyber-attack:
• Professionalization and commoditization of exploit kits, e.g. the BlackHole Exploit Kit.
• Modularization: we have also observed a high degree of modularization in more advanced malware like SpyEye and FLAME.
• Increased sophistication with Traffic Direction Systems (TDS): TDSs are used as initial landing pages, also known as "doorway pages", which direct traffic to content.
• Ransomware.
• New exploitation vectors introduced via HTML5.
• Evolution of mobile threats.
• Continued exploitation of social networks.
As these threats evolve, it is clear that traditional techniques won't be able to prevent all of them. Additional layered security and specialized visibility into these attacks is needed. Confidential | Copyright 2012 Trend Micro Inc.

4

5 Ransomware: a type of malware that prevents or limits users from accessing their system/data and forces its victims to pay a "ransom" in order to restore access.

6 Evolution of ransomware

7 Two types of ransomware: crypto-ransomware

Speaker notes: Rik: brief explanation of how ransomware has evolved and the two types we are facing today; give a few high-profile examples (OS X / KeRanger, Hollywood Presbyterian Hospital, Plainfield, New Jersey; details on slide 23). Wendy: so how does ransomware get into organizations?

8 How big is the problem: 50 new ransomware families from January to May 2016; 49 ransomware families in 2014 and 2015.

9 How it works

10 How it works (diagram): multiple attack vectors → data encrypted → ransom note → EITHER pay the ransom… data decrypted? (??) OR restore from backup.

Speaker notes: Are your backups current? Certain ransomware variants such as SamSam go out and look for your backups and delete them, so you have nothing to restore from! Backup doesn't always help (release data on the internet, or …)

11 CryptoLocker. Internal note: add AEGIS Policy ID RP001-004, check launching svchos.exe. Confidential | Copyright 2015 Trend Micro Inc.

12 Threat of data exposure: the attacker threatens to publish your data on the internet, linked to the user, if the ransom is not paid in time.

13 How big is the problem

14 Brazilian ransomware: it was only a matter of time until Brazilian cybercriminals created their own versions of this malware.

15 HiddenTear: Brazilian version

16

17 Times have changed...

18 Security landscape in the energy sector

19 Security landscape in the energy sector

20 Ransomware, January 2016 (table flattened by extraction; each row is listed in the order its cells appeared, so cells cannot be reliably matched to a family)
Detections: CRYPRADAM, CRYPNISCA, CRYPRITU, LECTOOL, EMPER, MEMEKAP, CRYPJOKER
Infection vector: spam; spam; spam; spam; spam; disguised as PDF attachment; spam
Payment: 2 BTC; 13 BTC; 0.5 BTC; need to e-mail the malware author to get payment instructions; 1 BTC; 0.1 BTC; no ransom note
Encrypted data (personal files, plus): DB files; web pages; DB files; DB files; DB files; DB files; no addition to personal files
Encryption: keys are generated locally; private key in the server; keys are generated locally; encryption key in the server; keys are generated locally; keys are generated locally and deleted; public key from C&C
Self-destruction: no; no; no; no; no; no; no

21 Ransomware, February 2016 (table flattened by extraction; rows listed in cell order)
Detections: LOCKY, CRYPHYDRA, CRYPDAP, MADLOCKER, CRYPGPCODE, CRYPZUQUIT
Infection vector: invoice spam; exploit kit; disguised as PDF attachment; spam; spam; macro or JS attachment
Payment: 400 dollars with instructions from the author on how to pay; 1 BTC; 0.8 BTC ($350); 1.505 BTC; 2 BTC; 536 GBP in BTC
Encrypted data (personal files, plus): DB files; DB files; codes, wallet, sync manager, logger; web pages; no addition to personal files; no addition to personal files
Encryption: keys are generated locally; keys are generated locally; public key from C&C; public key from C&C; keys are generated locally; encryption key from C&C
Self-destruction: no; no; no; no; no
Copyright 2016 Trend Micro Inc.

22 Ransomware, March 2016 (table flattened by extraction; rows listed in cell order)
Detections: CERBER, TESLA 4.0, CRYPAURA, MAKTUB, SURPRISE, PETYA, CRIPTOSO, CRYPTOHASU, KIMCIL, KeRanger, MIRAWARE, POWERWARE, COVERTON
Slide annotations: "PowerShell script with customer case"; "It speaks!!"; "Targets Magento eCommerce"; "Tax fraud"
Infection vector: exploit kit; macro or JS attachment; exploit kit + terms-of-service (TOS); spam; spam; TeamViewer; job application with Dropbox link; macro downloader attachment; spam; App Store hack
Payment: BTC; 1 BTC; 1.3 BTC; 1.4 to 3.9 BTC ($588 to $1638); 0.5 to 25 BTC; 0.99 to 1.98 BTC ($431 to $862); 1.18 to 2.37 BTC ($500 to $1000); 1 BTC, then increases by 1 BTC daily; 1 BTC; 1 BTC; $300, increased per day; 1 BTC; $140
Encrypted data (personal files, plus): DB files; codes; accounting/finance files; macOS files; games; games; wallet; DB files; overwrites MBR and causes BSOD; US tax return files; DB files; scripts and programs; website files
Encryption: 5 key pairs generated locally, 1 key requires RSA key; public key from C&C; private key is obtained after payment; AES key generated locally; private key is obtained after payment; public key from C&C; private key is obtained after payment; private key is obtained after payment; private key is obtained after payment; private key is obtained after payment
Self-destruction: no; no; no; no; no; no; no; no; no; no
Speaker notes: added the last three: Cryptohasu targets scripts and programs; Kimcil targets servers running Magento ecommerce stores (internet retailers, cloud-based omnichannel solutions); Miraware is on-going.

23 High-profile examples (speaker notes):
• OS X: typically thought of as less vulnerable to viruses and malware, but ransomware hackers are now successfully targeting OS X systems through sophisticated phishing e-mails that use the KeRanger malware to encrypt the data on a computer and render it inaccessible until a ransom is paid in bitcoins.
• Hollywood Presbyterian Hospital: using phishing to trick an unsuspecting employee, attackers seized the hospital's entire IT system, stalled critical healthcare-related communications and extorted $17,000 in ransom.
• Plainfield, New Jersey: using phishing e-mails targeted at employees researching grants, hackers compromised three servers before city officials were able to pull them offline, effectively locking up the town's files in order to receive a small sum, until the officials turned to law enforcement for help.
• MedStar: news reports are now confirming that this is the latest in a series of phishing-related ransomware attacks on healthcare facilities; while it wasn't known at the time of this release whether a ransom had been paid, media have said the facility confirmed that systems critical to patient care for thousands were locked for a time.

24 How to beat ransomware?

25 Either you have a machine like this one... or...

26 How to block efficiently: most ransomware can be blocked at the gateway level.
• Gateway blocking: 92.63%
• URL blocking: 6.84%
• File detection: 0.44%
The last line of defense is anti-ransomware features for proactive detection and blocking at the endpoint:
• Behavior monitoring for known threats: 0.07%
• Behavior monitoring for unknown threats: 0.02%

27 Best practices
• Backup: in a location isolated from the network.
• Access control: limit access to critical data and network shares to the users who really need it.
• Keep patches up to date: minimize the possibility of vulnerability exploitation.
• Don't pay: paying the ransom encourages these attacks to continue and does not guarantee data recovery.
• Educate users against phishing: train users in good practices for e-mail use and internet browsing.
• Raise your security posture: follow security best practices for your current and future technologies.

28 Reflection and assessment of current risk:
• Regular backups, isolated from the network?
• Gateways with specific anti-ransomware features?
• Network monitoring and visibility with custom sandboxing?
• Application control, behavioral detection and system/application patch management on the endpoints?
• Host firewall, system/application patch management and ransomware-specific IPS rules on the servers?


32 Bidweb Security IT | Security is our DNA