1 of 17

Ransomware Defense for Small Businesses

Tao Zimmerman, Colton Hulce, Louis Najdek, William Atwood

2 of 17

Information Disclaimer

The testing performed was done in a safe environment, with no connection to any network. We are not responsible for any damages caused by attempting the content depicted in this presentation.

3 of 17

Project Objectives

Create a training beneficial for all members of an organization to learn about ransomware
Create additional videos and written documentation that clients will also have access to
Demonstrate a real ransomware attack to show how it may look

4 of 17

End-User Guide - Sections

Attack Vectors

Identifying phishing emails
Suspicious downloads
Internal Attacks

Indicators of Compromise
Response to a Ransomware attack

5 of 17

End-User Guide - Learning Materials

6 of 17

End-User Guide - Learning Goals

Ensure the organization’s non IT staff is informed on the best practices for avoiding ransomware
Understanding their responsibility to their organization to remain vigilant for attacks
Be prepared to swiftly identify and respond to a Ransomware attack

7 of 17

System Administration Guide - Sections

Backups
End-User Training & Awareness
Maintaining Services & Utilizing Anti-Virus
Segmentation & Least Privilege
Penetration Testing
Response Plan

8 of 17

System Administrator Guide - Learning Goals

Understanding the importance of each section of the guide
Offer a clear explanation of the information to better benefit the client
Demonstrate how ransomware will impact a system

9 of 17

Ransomware Demonstration

10 of 17

Individual Research: Wannacry

Was used for the demonstration
Utilized Windows SMBv1 Vulnerability
Operated like a Worm, spreading over the local network, open ports, the internet, etc
Demanded $300 of Bitcoin within 3 Days, Upped to $600 of Bitcoin for 4 days before deleting files

Colton -

As you just saw, that was WannaCry. It was discovered in 2017, and is said to have caused $4 Billion in damages. It operates by exploiting a vulnerability in Windows SMBv1, allowing it to spread across the local network, open ports, as well as the internet, sending packets featuring the exploit and encrypted payload. When it spreads, it utilizes two hard coded IP addresses for communication, which sends the packets and then uses an RCE exploit on SMBv1 to execute the code within the packets. Once a machine is infected, all of their files are encrypted, and an executable file called WannaDecryptor is found on the desktop. This is the window that was seen in the demonstration. The user is able to test the decrypter, which will decrypt a couple of files (when I tested it decrypted 3). It states that if you want to decrypt everything, you must pay $300 in bitcoin, and if you don’t pay that within 3 days then the price is doubled to $600 in bitcoin. After 4 more days if you have not paid, they claim that they will delete your files.

11 of 17

Individual Research: BlackMatter

Utilizes PRE-COMPROMISED credentials.
Shuts down security programs and controls and changes their registry keys to stop them from starting on login.
Demands $5.9 million and after a week, demands $11.8 million.
Does an overall sweep of the device to find network shares via SMB to move laterally.

12 of 17

Individual Research: Cryptolocker

Targeted windows devices
Distributed through Spam emails targeting businesses, enticing them to open a file by describing a balance dispute
Additionally distributed through the Gameover Zeus Botnet
Creates a copy of itself in %AppData% and an autorun registry entry, then deletes the original file. Contacts the C2 server and begins encryption utilizing Microsoft’s CryptoAPI and an RSA keypair

Louis

Cryptolocker was active between 2013 and 2014, where it infected over 200,000 systems worldwide. Cryptolocker went after organizations across various sectors, targeting their windows devices. It was spread through phishing emails similar to the one shown earlier in the presentation, often trying to manipulate the user into opening the malware by making it appear to be a financial document. Once opened, the file creates a copy of its executable that it inserts into the AppData or local appdata directories, and creates an autorun registry entry on the device. It will delete the original file, and then contact the Command and Control server. Cryptolocker uses CryptoAPI as well as an RSA keypair for their encryption, which will continually check for new files to encrypt if possible. The ransom price will be either $100 or $300, and they experimented with multiple payment methods. Since then however, Cryptolocker has been solved, and the cybersecurity company Fireeye released tools for decrypting files that were affected by Cryptolocker. Researching Cryptolocker gave a lot of great insight about how organizations are targeted by Ransomware.

13 of 17

Individual Research: Babuk

Nwgen Ransomware
AES-256-CRT cryptographic algorithm
ChaCha8 Cipher
$150,000 - Monero
Infiltrate and steal large amounts of data
Exfiltrate data, threaten to do more
.nwgen

14 of 17

Project Outcomes

Created video guides for End-Users and Sys Admins
Created written documentation to go along with the videos
Created a training PowerPoint

15 of 17

Challenges

Determining what is and isn’t important to keep it time-conscious
Time Management
Organizing the project with a large group
Communication with client

Colton:

We definitely met a number of challenges along the way, as I’m sure we all did. One issue we faced was figuring out what information to keep in and what to remove from any of the deliverables to allow the trainings to be time-conscious for the clients while still being beneficial. Keeping with the theme of time, time management was hurdle that we ran into a number of times. Being this size of a group with varying schedules, it was difficult to keep everyone on the same page and moving forward. Organization was also an issue caused by group size. We found that having 4 people, as well as a client to keep in touch with, it was easy to get disorganized and have to pick everything back up quickly. We also found that making sure we were staying in contact with the client was at times difficult, especially for scheduling meetings. There was not much time during the week that we all consistently had available for meetings, making it difficult at times to meet with the client and even just as a group.

16 of 17

The future of the project

Will be used for internal and client training at the Leahy Center
Hopefully future students will be able to keep the guide up to date for continued usage
Could continue to grow if another student were to pick it up

17 of 17

Questions?