OWASP RansomwareHoneypots - Early Detection: Using Honeypots to Detect Ransomware Infections, Aaron Goldstein April 27

Presentation Transcript

  • 1. Early Detection: Using Honeypots to Detect Ransomware Infections. Aaron Goldstein, April 27, 2016
  • 2. Ransomware Trends
    - Lots of macro-enabled document malware (Office attachments that drop the payload).
    - Getting trickier for end users to detect.
    - Newer families enumerate unmapped network shares as well as mapped drives, widening the damage.
  • 3. Common Execution Chain. Once executed, most ransomware will:
    - Build a manifest of files to encrypt, usually selected by file extension and path.
    - Encrypt the data, often scrambling the file names as well.
    - Delete the original files.
    - Delete Volume Shadow Copies, so the built-in restore points cannot be used for recovery.
    - Present the user with a ransom note.
  • 4. Honeypots to the Rescue. What if we could know the moment critical files are altered? By creating a honeypot share it is possible to set "traps": a location no legitimate user ever writes to, so any write there is a strong signal. This can be effective, but it is not guaranteed to work: the canary only fires once the ransomware reaches the honeypot, so anything it encrypted before that is already lost, and a family that skips the share (or does not walk network shares at all) will never trip it.
  • 5. Monitoring Shares with FSRM. File Server Resource Manager (FSRM) is a Windows Server role service for screening and monitoring data on file shares. Its File Screening feature can run actions (an event log entry, an e-mail, a report, or an arbitrary command) whenever a file matching a pattern is written to a screened path.
  • 6. Testing FSRM Active Screening
    - Create a new file group with the pattern "*.*" and apply it in a file screen set to active screening. Active screening both denies the offending write and runs the configured actions; passive screening only runs the actions and lets the write through.
    - On the "Command" tab, point the action at powershell.exe by its full local path.
    - In the arguments field enter:
      -ExecutionPolicy Unrestricted -NoLogo -Command "& { Get-SmbShare -Special $false | ForEach-Object { Block-SmbShareAccess -Name $_.Name -AccountName '[Source Io Owner]' -Force } }"
    - [Source Io Owner] is an FSRM substitution variable that expands to the account that performed the write, and Get-SmbShare -Special $false skips the administrative shares (C$, ADMIN$, IPC$). The command therefore adds a deny entry for that account on every ordinary share on the server the moment a write or modification matches the file screen pattern. Run the action as Local System: the default Local Service account cannot change share permissions.
  • 7. Creating a Honeypot
    - Create a new share.
    - Place a readme file in the share explaining what it is for, so that anyone who stumbles upon the share knows not to touch it.
    - Set up FSRM to screen "*.*" within the share, since nobody should be writing to the folder.
  • 8. Keys to a Successful Honeypot
    - Create the new share and give "Authenticated Users" access with write (Modify) rights. The ransomware runs under the victim's account, so the canary only works if that account can write here.
    - Place a file within the share instructing users not to open or alter the files within.
    - Note: it isn't proven, but prefixing the share name with "$" should put it near the top of file share listings. Hopefully that will make it one of the first to be encrypted. Avoid a trailing "$", which marks the share hidden, so it would not be browsed at all.
    - Once it's working, consider narrowing the file pattern from "*.*" to known ransomware file names and extensions (see references) if the catch-all pattern produces false positives.
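The following is an added example, not code from the presentation: it builds the whole honeypot described in slides 5 to 8 (share, readme, permissions, "*.*" file group, active file screen, and the blocking command) with the FileServerResourceManager and SmbShare cmdlets instead of the FSRM GUI. The local path D:\Shares\_Canary, the share name _Canary, the file group name "Ransomware Canary", the responder script path C:\Scripts\Canary-Response.ps1 and the event ID 9001 are all assumptions for illustration. [Source Io Owner], [Source File Path] and [Server] are FSRM's own substitution variables.

```powershell
# Added example (not from the presentation). Run elevated on the file server.
$SharePath  = 'D:\Shares\_Canary'      # assumed honeypot folder
$ShareName  = '_Canary'                # "_" sorts ahead of letters; a trailing "$" would hide the share
$GroupName  = 'Ransomware Canary'      # assumed FSRM file group name
$Responder  = 'C:\Scripts\Canary-Response.ps1'   # assumed responder path
$PowerShell = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

# 1. FSRM role service and its PowerShell module.
if (-not (Get-WindowsFeature FS-Resource-Manager).Installed) {
    Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools | Out-Null
}
Import-Module FileServerResourceManager

# 2. Folder, readme and share. Authenticated Users get Modify on NTFS and
#    Change on the share: the ransomware runs as an ordinary user and must be able to write.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
@'
DO NOT OPEN, EDIT OR DELETE ANYTHING IN THIS FOLDER.
It is a monitored canary used to detect ransomware. Any change made here locks
the account that made it out of every share on this server. Contact IT if you
reached this folder by accident.
'@ | Set-Content -Path (Join-Path $SharePath '_README_DO_NOT_TOUCH.txt')
icacls $SharePath /grant 'Authenticated Users:(OI)(CI)M' | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -ChangeAccess 'Authenticated Users' | Out-Null
}

# 3. Responder launched by FSRM. It denies the offending account on every
#    non-administrative share and records who tripped the canary and on which file.
New-Item -ItemType Directory -Path (Split-Path $Responder) -Force | Out-Null
@'
param([string]$Offender, [string]$File, [string]$Server)
Get-SmbShare -Special $false | ForEach-Object {
    Block-SmbShareAccess -Name $_.Name -AccountName $Offender -Force
}
if (-not [System.Diagnostics.EventLog]::SourceExists('RansomwareCanary')) {
    New-EventLog -LogName Application -Source 'RansomwareCanary'
}
Write-EventLog -LogName Application -Source 'RansomwareCanary' -EntryType Error -EventId 9001 `
    -Message "Canary tripped on $Server by $Offender writing $File. Account denied on all shares."
'@ | Set-Content -Path $Responder

# 4. File group "*.*": nothing legitimate is ever written to the honeypot.
if (-not (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $GroupName -IncludePattern '*.*' | Out-Null
}

# 5. Actions: an event log entry plus the responder, run as Local System (Local
#    Service cannot change share permissions). RunLimitInterval 0 fires on every hit
#    instead of FSRM's default 60-minute throttle.
$params = "-ExecutionPolicy Bypass -NoProfile -File `"$Responder`" " +
          "-Offender `"[Source Io Owner]`" -File `"[Source File Path]`" -Server `"[Server]`""
$actions = @(
    (New-FsrmAction -Type Event -EventType Warning `
        -Body 'Honeypot write by [Source Io Owner]: [Source File Path]'),
    (New-FsrmAction -Type Command -Command $PowerShell -CommandParameters $params `
        -SecurityLevel LocalSystem -RunLimitInterval 0)
)

# 6. Active screen: the write that matches is denied AND the actions run.
New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active -Notification $actions `
    -Description 'Ransomware canary: any write here is hostile' | Out-Null

# Test from a workstation as a normal user:
#   Set-Content \\<server>\_Canary\test.txt 'x'
# The write is rejected, and that user is then denied on every share on the server.
```

Because the screen is active, the test write above fails at the SMB layer; the event log entry and the share lockout still happen, which is the desired behaviour for a canary. Unblocking a legitimate user afterwards is Unblock-SmbShareAccess with the same -Name and -AccountName.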
  • 9. References
    - https://community.spiceworks.com/how_to/100368-cryptolocker-canary-detect-it-early
    - https://raw.githubusercontent.com/thephoton/ransomware/master/filescreendecryptreadme.txt
    - http://blog.netwrix.com/2016/04/11/ransomware-protection-using-fsrm-and-powershell/