So I didn't plan to do this; he just asked me before the meeting. If you've been to some of these meetups in the last few months, the speakers were asked to have a few slides about ransomware and what it is. So we've probably all seen those before, but that was all very theoretical, and some of it was not quite correct. So I thought about actually doing a presentation with a demo, but then the dates didn't work out and I forgot about it. But two weeks ago, at one of the companies I work with, a software company, the boss there asked me what I'm doing, and I said I'm maybe doing a presentation on ransomware. And he had no idea what that was, and he was the technical lead of that company. So on Wednesday I went back into that company, and suddenly he had heard about ransomware, because it was everywhere: last weekend, WannaCry happened. So now he was interested. So yesterday, and also the day before, I spent some time putting this presentation together, just to show it to the 20 people in his company. I just found this on my phone, so I can talk a little bit about it. So I think the first two things are maybe the attack vectors, then ransomware especially compared to other malware, then what WannaCry is, and what we can do to protect ourselves. The problem with the demos is that I don't have my virtual machines here where I prepared the demos. But I can talk a little bit about what I've done and what I've shown, and you have to believe me.

So in general, I think most of these things you know about anyway. How does malware get onto our PCs? Usually through the person who sits in front of the screen. In the past, people tried to attack our networks from the outside and get through; now it's easier, the hackers get to the people inside, usually through email or through any messenger service, sending attachments and tricking them into opening them.
So they open a link, and then, I don't know how stupid you can be, download... OK, but if it's an executable, they actually double-click on it to open it. But we have to understand that a lot of people are not technical, and there are a lot of non-technical people working with computers. So people do that, and it happens all the time. And we've seen that last weekend. Then there's the thing about finding a USB stick outside, or people give you USB sticks at conferences as a freebie, so you put that in, and then you're owned by everybody. So you know: don't do that.

I don't know whether you heard about the Microsoft Security Essentials / Defender problem that came out about two weeks ago, where there was a vulnerability in the engine, in all the modern Microsoft systems, where if a specially crafted file was opened, it took over your machine. Which is bad enough on a client. But on Server 2016, which may run on Azure or whatever, at least in the future, if anybody uploads this file, the first thing that happens, before your website actually uses it, is that the antivirus engine kicks in and looks at the file, and then your server's already owned. So that's pretty bad. And if you run 2016, make sure that you have the latest version of that. And other antivirus software also introduces new problems into your system. So I usually don't use any additional products, but now that they come with Windows, I keep them on as well.

This one I stole from a Microsoft slide. It just visualizes a little bit what happens. So they attack; they usually go in through the user, phishing attacks or whatever. As soon as they get onto the device, they download additional things, so they make sure that they can stay on the device. And then they try to spread through the network. And then usually they own you. So that means your business is disrupted, people have to deal with this thing, so you lose productivity. They can steal data. They can do espionage.
And in some cases, they do ransom, which brings us to the next one. What's special about ransomware? How is it different compared to normal malware? Normal malware, a lot of the time, puts ads on your machine, or is used to take over your machine to attack other machines, like botnets that attack websites or whatever. Ransomware is different: rather than sitting in the background and doing, well, maybe something, it looks at all the important files and encrypts them. Usually they use very strong encryption, AES-256, which is something that we at the moment cannot break. So if it's encrypted and you don't have the key, you're kind of stuck. And it depends on how smart they are; it turns out that WannaCry wasn't actually that smart. Apparently it only looked at My Documents and certain things. But the first thing you would do is go through all the drives on the computer, find all the important files, and then later on go onto the network. In terms of developers, they could find your source code. If they were really smart, I would get into your repositories on Git or whatever and encrypt them, and then ideally delete things that are already in your repository. I don't think that happens yet. I've never actually looked at the code for one of them. But the one I wrote, spoiler alert, just looked at specific extensions. I mean, they are obviously the extensions that everybody knows. But you could also be smarter and actually look at the content and see: is this worth encrypting? But there are lots of different versions that do different things. So usually the only way you can get your files back is to pay the ransom, in Bitcoin usually. It turned out that WannaCry wasn't very well-written ransomware, because the encryption key was still in memory until you rebooted your machine. So recently it came out that there are freeware programs now that look into that specific part of memory to get the encryption key and then get your files back.
So these were actually amateurs. They were just really lucky that it got very widely distributed. 40 or 50,000? Well, that's not very much considering 200,000 machines. Most people didn't pay. So quickly, whoops, something's missing. How do I go back on this one? Oh, there it is. So I didn't know the first ransomware was in 1989. You knew that? Yes. Did you write it? It's a portion. OK.

So I kind of heard about it in 2013 when CryptoLocker came out and took over. So that was, I think, the first bit more widespread one that people got affected by. Even if they encrypted things before that, they didn't get the ransom, because the problem with ransom, before we had Bitcoin, was: how would you actually get your money out of them? "Send me something to my bank account" doesn't work so well. "You can deposit this bag of notes over there in that corner" doesn't work either. So now with Bitcoin, it makes it actually possible on a wide scale to get money out. So there are different versions. And it was kind of clear when this happened that we would have a problem in the future. And so when WannaCry happened last week, this is what that looks like. And I see one problem is, I think, even though now there is Bitcoin, a lot of people who are not keeping their computers up to date don't know what that is and don't know how to get them. And it's actually not that easy, I think. I never bothered to get my own. So I may actually look into that a little bit. But to get the money, what they do is: if you don't pay in three days, we double the ransom. And if you don't pay in seven days, that's it, we don't give you any decryption files. I think yesterday they actually sent additional messages to the people who are affected to really, really plead with them to pay, because so far they didn't get so much money, even though they got a lot of publicity. So this is what this one looks like. So a little bit about the history.
So the ransomware itself that they used is not so smart, and it's been around for a while. But as you may know, let me go through it. So the NSA developed a whole bunch of attacks to spy on people. And then last summer, they got hacked by this hacker group, the Shadow Brokers. And they stole a lot of the stuff. And they tried to sell it to other hackers, but nobody actually offered them money. So eventually, I think in March or February, they just released all the NSA stuff to the public internet. So Microsoft then in March patched some of the things, most of the things. But people now had the code from the NSA, including this thing called EternalBlue, which uses an SMB 1.0 problem that has been around for a long time. And I think in modern Windows versions that's turned off because we have SMB 3.0, but all the versions of Windows still have it. And that's the reason why most computers that were infected were XP computers, because they haven't been patched, and they were still running the same SMB 1.0 they ran in 2002 or whatever. And a lot of these were things like, let me see, vending machines, ATMs, hospital equipment, manufacturing machines. So not like your typical PC on your desktop, but things in industry, which are also not so easy to replace. So if you have an ATM running, you don't just replace it with a new one. And some of the hospital machines that run complex software, apparently some of the vendors who did the software went out of business, so they're very happy that it still runs, and it costs like millions to port it onto a new system. So you cannot really blame them for still running XP. And the problem is... That's the irony, right? Imagine this: you have a life-saving device that's running on Windows XP. You have a desktop that runs on Windows 10.
So the real irony is that the manufacturer will actually have an adaptation on the technology side, because no one can write fantastic code 20 years before, or 10 years before; no one even knew that these threats existed when they wrote the code. So when someone finds a vulnerability, it's better to share, but it's not shared, for obvious political reasons. The industry should adapt. The provider, say Microsoft, has to tell you there's no support for XP anymore. So that's the reason why it was done like that, because there's no more money being spent on fixing Windows XP, because it's already old; we already have newer OSes. So the manufacturers should have a much more aligned approach. Maybe I can ask a question. Obviously, I'm not affected by this, but how did WannaCry get into the system in the first place? OK, I think in most cases, as I see on the next slide, again, can we talk about that? I'll just follow up. I don't know. So a lot of people say, if you use XP, put it in a VM, don't put it on the network. But the problem is, if it runs your ATM or your machine or so, you cannot do that. You have to have special hardware interfaces that connect with all your other equipment. So the main problem is: why are these machines connected to some other parts of the network that were connected to the internet, or connected to normal users? Get into the network. That network is a separate network, only for people who know what they do. That network is a really, really closed network. So you won't have a user clicking on clickbait. It's mostly paradigm. Why would the link come into the email inbox in the first place? Because your mail filter or your anti-spam should actually filter it out. So I think it's a very complex situation. And one thing we really realize is that it's feeling much, much more complex than a few years ago.
So you have to follow not only just the patching and everything; you actually need to see into all your entry points and look for mitigating tasks, right from your group policies. You have to work on a whole lot of things to decrease your attack surface. So there's nothing like, oh, I can build a firewall that's 100% proof, no one can even log in. I can write a firewall that no one can log in to and no one can break, but what is the purpose of it? So I think it's going to be complex for information security professionals going forward, and a fantastic wake-up call.

Some of the main examples were the hospitals in the UK. There was the German railway system: all the big railway stations have display monitors to show all the trains leaving and arriving, and they all had that red ransomware thing. So these are running XP. All they do is show a browser window, like in kiosk mode, to show these things. And why were they connected to someone who clicked on an email? That's the question. But on the other hand, you just re-image that computer and then you don't pay the ransom, because there was no data on there. So let me see what's next.

OK, so Windows 10 itself was not affected by this EternalBlue problem, because it's new and it has been patched anyway. But if you download WannaCry onto Windows 10, it still encrypts your data. It just means, because Microsoft says, people say, oh, Windows 10, you're safe. But if you click on that email attachment and download and execute it, you're still owned. It's just that this particular thing that went through the network layer to get onto your machine wouldn't get to your machine. So Windows 10 is not completely safe. On a Mac, right now you are OK, because nobody has written a Mac version of it. But if you download some executable from your email and double-click it on a Mac, you still get your files encrypted.
So just because you're using a Mac doesn't mean you're safe. On a phone, we haven't seen many things like that, because most of the time people don't store a lot of files on their phone, and if they do, they have a copy somewhere else. So I think the value you can get out of phones at the moment is not as big as on our PCs.

So look at the same thing in terms of WannaCry. They still get in through email, usually some sort of attachment, and targeted attacks on certain people. I don't know why they would target people in hospitals; I think it was more random luck, or bad luck, to get there. So as soon as they got in there, they used EternalBlue, and then there's another thing that came from the NSA called the DoublePulsar backdoor. So they got into the system and from there they attacked other things through the SMB vulnerability on other computers. So they only needed one entry point to get in.

So at this point, I did a demo where I used a Windows 10 machine to try to download some... so I cannot show the demo now. I looked around and found some ransomware. There's some ransomware on GitHub you can look at. So I tried to download that. And Edge, the SmartScreen technology, wouldn't even let me download it. You can turn that off; then it behaves in the same way as Google Chrome or Firefox. But as soon as you save it onto your drive, the Defender that is in Windows 10 deleted it straight away. So I couldn't even look at things. So for a demo, I wanted to show how it works. So I wrote my own. It's just something I did in C#, using the .NET security classes in the framework, so I used AES-256 to load a file, encrypt it and save it back. So my version is just a simple command line tool. I give it a directory and a certain extension wildcard, so it encrypts only certain files that I know. I want it to be safe.
And then it goes through and recursively loops through all the directories and files and encrypts them all. And then there's no way to get them back. And then at the end there's a message showing what it did. And Windows 10 let it do all of what I wanted to do. So that shows that even now with the latest OSes and the latest patches, if you get that thing onto your system and it's new, you're still affected.

That's the scenario with every new one. Unless someone creates a new antivirus pattern or a new virus signature, nothing is going to catch it; this is not a Linux thing, this is not an Apple thing, this is not a Microsoft thing. Well, the one thing you could do as an antivirus is, if there's a program that loops through all your files and then does something with all these files, there are some cases where that's legit, but actually it does that. Actually, that's how the signature works: the first time you do it, if you have an ATP subscription, whatever you did, you will not be able to do a second time. So Windows ATP already has that. I think it's just going to set a context. Say I'm a guy who actually tries to write the first one; for example, I write a very sneaky one and I want to pass it to you using an SD card. How do you use it? You put the SD card in, and it works: hey, some pictures I want to share with you, and you open the backdoor for me. The first time it actually does it, no one can stop the first time. It's not because of the OS, it's not because of Windows or anything. Until your antivirus program or anti-malware learns what it is, that's the way it works. So the signature gets picked up by the engine as soon as possible; once that is done, it tries to protect others. But that's a premium level of security. So, at this point in time, Microsoft offers ATP, which actually has a price, it's not free, and it runs on top of Windows Defender.
I tried to apply for the trial and it wouldn't let me. Yeah, there is some restriction; even I didn't get it. Because it has a signature captured in the checksum. Windows Defender has auto-submission of the signature; you can toggle it, you can enable or disable it in Windows Defender itself, you can submit the signature, select an anonymous signature. My software has a good share of my data; it's my genuine program, and malware is also doing the same thing. How does ATP work, which signatures? Yeah, based on the signature, based on the metadata of your file and the spreading capability, or does it have any other signature of your file somewhere else? So, my software will have a strong signature.

So, in the slides that were shown here at the meetings, there was one entry saying turn on File History in Windows 10. So, if I do that in my demo, and then update my files, and then I run my ransomware again, the whole file encryption, the File History folder was completely encrypted as well. So, that didn't help at all, because the problem is that the File History folder on a different drive is accessible to the current user with write permissions. So, my ransomware can also just go there and encrypt everything. So, if you want to do backups, always have backups anyway, and ideally you want to have backups that are not accessible to your current logged-in user. Be careful what you click, always; just because an email comes from someone that you know doesn't mean that that person sent you something. So if you don't expect anything, give them a call or chat back and say, is this from you? What do I do with it? And do not pay. So, talk to friends and family, even though they wouldn't understand. Now they know, they've heard about it, because it was in the news. And there was a guy who actually enabled two-factor authentication on the storage of the backup, so he was able to restore it back from the storage.
Another guy actually had a backup, but that storage was still vulnerable, because it was mapped into his local server, and it got encrypted as well. So it's better to secure your storage also. Some of the ransomware waits a few days. So it starts encrypting, then it waits a few days before it shows the pop-up to pay money. So that means the encrypted files are already in last night's and the previous night's backups. So, on my personal systems, I made sure that I have, even if I have external hard drives and internal hard drives that copy every hour, that my normal user has no write access to those backup files. I can still read from them, but I can never write to them. So this is a little bit more what admins do. So obviously backups are even more important.

So one thing you could do is, because right now in Windows at least, a user can only write into his or her own directory, no more Windows, no more Program Files like in the past. So if you also use NTFS permissions on the home directory, except... I can give one person who answers this... can you name one application that runs from the home drive, like the home directory? I can do it, because I tried that, and then I figured out all the things that won't run anymore. If I do this, there are certain things that don't run. But, well, especially if you use Windows 10 apps, like modern apps, UWP. But OK, so is there someone else who can think of something? Yeah, I've just started removing admin access for users. So then the developers found a way to circumvent it: OK, let's put everything in the home directory where they have full access, and then start running everything from there. And that is where you get most of your infections starting from. Like almost 99% of infections start from the home directory, because that's an easy place to store any malware or anything, because you already have full access. I don't have to do a privilege escalation.
So I just need to exploit you. I might have to make you click one link or something, and then I use your home drive. Do you like the file sharing thing? No. See, Users, AppData\Local. Yeah, and when you use a directory, you can write, and you can execute. Where's Chrome? Where does Chrome go if you only had local privilege? It actually goes into your home directory. So it installs the whole of Chrome in there. And if you have 100 users on the machine, you have 100 Chromes, but there are lots of other things. So you can only do this with users. OK, these are like three programs; they're all installed in Program Files, and there they're safe. So the virus can go here and save itself into your home directory, but it cannot execute. And I forgot what I meant by this, but there are always risks we should look at. Is there anything in particular that you can look at? Patch everything, and educate users. The last two are not specifically for ransomware, but a good way anyway: never run as admin, and always use the lowest privileges you can get away with. Let's see. So the second, let me think. OK, this is a little bit what I already talked about. So I looked into some things that the Enterprise version of Windows can give us to prevent running executables. So there's AppLocker, there's Device Guard in Windows 10. And they kind of define which applications can run on this machine. And there are different levels of strength or restrictions that you can apply. But it's not super easy to set up. And so I think what I did, we talked about setting just file permissions for this. So I did all this, and then I wrote a PowerShell version of my ransomware. And around that, because PowerShell was still enabled for every user, the script ran and encrypted everything again. So what you also have to do, if you can, is disable PowerShell and the scripting host for all the users. That is the problem if you want to run some scripts.
So there's always this: you can lock it down completely, and then you're safer, but then you cannot do anything. So I did that. These are demos, which I crossed out because yesterday I didn't want to show them. And I showed how I do my backups to make sure that they cannot be affected. And we already talked about this: make sure that any location on your hard drive is one you can either write into or run things from, never both. So if you want to install new software, then use a different account to write into it. Windows got a lot better about that, but the home directory is still the last bit where you can do both. So what I do: macros, PDFs, it's a different problem. So, three things I can remember. Do I have them here? OK, so Chrome, the way I'm using it to browse, is I have a separate user on my system that cannot execute anywhere on my hard drives. It can write files. So I use a command line to start Chrome under this account, and then, even though Chrome has to write temporary files somewhere, it can never execute anything. So this is the Chrome browser I use for browsing to sites where I don't know what happens. PDFs: every time I download a PDF, I run it through a Python script that goes through the whole PDF code and disables any JavaScript and action script that may be in there. So if there's anything in there, after that it wouldn't run anymore. But it leaves the actual content alone. And then I showed how to disable PowerShell for certain users, but not others. OK, that's what I had. The problem is, if you run powershell.exe /bypass, you can set the execution policy on the call to PowerShell. So I know you can do that, but if you just run the script, it wouldn't work. But if you run PowerShell with the bypass execution policy, you can still run unsigned scripts. So it's a nice thing to have, but it's only a little step, so it's not enough. Anything else?
So if you have a OneDrive sync client, I'm not actually sure about OneDrive, whether they keep separate versions of documents. I mean, Google does. No, sir, what was the question? All of our storage has versions; then you have support to help you with the history of the versions, then you can get it back. The first thing is definitely in all syncing, Google and OneDrive. I think if you have a repository like Git, usually as soon as you commit it and push it into the repository, they're kind of safe. But I think there are even commands to delete things back in history. So I never, one time I had to try it, but I don't know; these people will get smarter and smarter. So if you think you're safe because you're using something like that, I mean, having a file history in the cloud should be OK, but it may also be tricky to actually get thousands of files back. Because I don't know whether, maybe you can right-click on the file and say I want a previous version, but if I have a thousand of them, I don't know whether the API supports doing that. So having local backups, I mean, it depends how dependent on the cloud you are in your company. So if you have all the documents in SharePoint, I'm actually not sure. I haven't worked with SharePoint in a while, but I can imagine that it's probably safer in the cloud than having your local SharePoint server, if that would be affected and you don't have good backups. Yeah, but in all my questions, you don't have a server component sitting there for you, so it might be here. So one thing I tried when I looked at my backups, to make sure that my local backups cannot be affected by ransomware: I thought about it, my backup process is actually copying files using Robocopy or something from one drive to another. In that process, make sure that the files that are copied are not encrypted. So for example, if I have a .docx Word document, I can make sure that it's a zip file that I can open as part of my backup process.
And if it's not a zip file anymore, then I know it has been encrypted, so I'm not copying that into my backup. So I think commercial backup solutions will come up with things like that. You can use Azure Storage to have it encrypted, the storage itself, and you can enable two-factor authentication on Azure; currently it's in general availability, the storage is already available. But you're not using Azure as your backup? Yeah, the Azure agent as your backup. And then make sure that the file is not encrypted. How would they know that? The container is already encrypted. But it doesn't matter. So if the ransomware encrypts your file... No, it doesn't matter. I don't want to care, it's mine. Yeah, but now on your local machine, the ransomware encrypted your file. So the... You're talking about the backup, right? Yeah, but... You're getting the backup. I understand that it's encrypted on the Azure side. But what I'm saying is the backup software, before it copies it, the agent looks at the file and makes sure that it's not affected by ransomware. Before it actually copies it over, then it's encrypted on the other side. It doesn't matter how safe it is on the other side. I don't think the ransomware goes into the backup process. Of course, if the file is already, let's say for example my C drive desktop is already encrypted, yeah, what's already encrypted, the backup process will actually migrate the encrypted data only. Before that, it won't be encrypting; it won't be sending encrypted data. That is a different layer that we're talking about. What are we talking about? The security on the storage, the backup that I... Yeah, I don't... I talk about the process within the backup software to say, OK, I'm not copying this file anywhere because it has been affected by ransomware. And I don't think that it does this yet, but that's something that I see coming. Anything else? It's not turned on in Windows 10 or Server. That's just the way that they spread so much.
Because they stole the NSA tool, and then they knew, OK, it can affect a lot of old people, like old computers. But that's limited to SMB version 1; it's different from newer SMB anyway. So we need to move on, I guess. That was it.
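The pre-copy check the speaker describes for his backup job near the end of the talk (a .docx must still open as a zip before it is copied, otherwise it has been encrypted and must not go into the backup) as an added example in Python. This is not code from the talk or from any backup product; it extends the idea with an entropy check for plain-text files, which are not containers and cannot be validated the same way, and with a "skip, never overwrite the good copy" rule. The extension lists, the entropy threshold, the function names (`check_file`, `plan_backup`, `run_demo`) and the sample files are all assumptions made for this example.

```python
"""Pre-copy sanity check for a backup job (added example, not code from the talk).

A .docx/.xlsx/.pptx is a zip container, so a copy that no longer opens as a
zip, or a text file whose bytes look uniformly random, has probably been
overwritten by ransomware and must not replace the good copy already in the
backup set.  Extension lists, entropy threshold and sample files are assumptions.
"""
import hashlib
import io
import math
import shutil
import tempfile
import zipfile
from collections import Counter
from pathlib import Path
from typing import Optional

OOXML = {".docx", ".xlsx", ".pptx"}                 # zip plus a [Content_Types].xml member
ZIP_BASED = OOXML | {".odt", ".ods", ".zip", ".jar"}
TEXT_LIKE = {".txt", ".csv", ".md", ".json", ".xml", ".html", ".cs", ".py", ".ps1"}
ENTROPY_LIMIT = 7.9       # bits per byte: text sits around 4-5, ciphertext close to 8
MIN_ENTROPY_SAMPLE = 256  # below this many bytes the entropy estimate is meaningless


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the whole buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def opens_as_zip(data: bytes, require_member: Optional[str] = None) -> bool:
    """True if data is a zip archive whose every member passes its CRC check."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if require_member is not None and require_member not in zf.namelist():
                return False
            return zf.testzip() is None
    except (zipfile.BadZipFile, OSError):
        return False


def check_file(path: Path) -> str:
    """Return 'ok', or a short reason why this file must not enter the backup."""
    data = path.read_bytes()
    ext = path.suffix.lower()
    if ext in OOXML:
        return "ok" if opens_as_zip(data, "[Content_Types].xml") else "not a valid Office container"
    if ext in ZIP_BASED:
        return "ok" if opens_as_zip(data) else "not a valid zip container"
    if ext in TEXT_LIKE and len(data) >= MIN_ENTROPY_SAMPLE and shannon_entropy(data) > ENTROPY_LIMIT:
        return "high entropy, looks encrypted"
    return "ok"  # other formats (jpg, pdf, ...) are compressed anyway and are not judged here


def plan_backup(src: Path, dst: Path) -> dict:
    """Mirror every file under src that passes check_file into dst.
    Suspect files are skipped, so a good copy already in dst is never overwritten."""
    copied, skipped = [], {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        verdict = check_file(path)
        if verdict != "ok":
            skipped[rel] = verdict
            continue
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        copied.append(rel)
    return {"copied": copied, "skipped": skipped}


def pseudo_ciphertext(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic random-looking bytes standing in for ransomware output (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def make_sample_tree(root: Path) -> None:
    """Constructed sample: two healthy files and three that ransomware 'touched'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>Quarterly report</w:document>")
    good = buf.getvalue()
    (root / "good.docx").write_bytes(good)
    (root / "notes.txt").write_text("Meeting notes: patch SMB1 hosts, verify backups.\n" * 40)
    (root / "ransomed.docx").write_bytes(pseudo_ciphertext(4096))  # whole file replaced
    (root / "truncated.docx").write_bytes(good[: len(good) // 2])  # write cut off midway
    (root / "ransomed.txt").write_bytes(pseudo_ciphertext(8192))


def run_demo() -> dict:
    """Build the sample tree in a temp dir, run the backup pass, return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "src", Path(tmp) / "backup"
        src.mkdir()
        make_sample_tree(src)
        return plan_backup(src, dst)


if __name__ == "__main__":
    print(run_demo())
```

Running it copies `good.docx` and `notes.txt` and reports the other three with a reason. Two caveats a practitioner should keep in mind: the entropy test only makes sense for formats that are normally compressible (a JPEG or an already-zipped archive looks random by design, which is why those are checked structurally or not at all), and ransomware that leaves the first bytes of a file intact or encrypts only part of it will pass both tests. The check is a complement to the point made earlier in the talk, that the backup location must not be writable by the logged-in user, not a substitute for it.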