The Rise of Ransomware

Date post: 08-Feb-2017
Upload: tharindu-edirisinghe
Page 1: The Rise of Ransomware

The rise of ransomware

Page 2: The Rise of Ransomware

Hello! I am Tharindu Edirisinghe

You can find me at ….

tharindue.blogspot.com
@thariyarox
https://lk.linkedin.com/in/ediri
[email protected]

Page 3: The Rise of Ransomware

What are we looking at ?

The FBI reported that cyber criminals used ransomware to extort $209 million from enterprise organizations in the first three months of 2016 alone.

Source : http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/

Page 6: The Rise of Ransomware

Ransomware

The name “ransomware” refers to malware designed to infect a machine, encrypt as many files as possible and hold the decryption key for ransom until the victim pays.

While documented complaints of modern ransomware date back to 2005, the malware has recently gained a new popularity. In 2015 alone, there were nearly 407,000 attempted ransomware infections and over $325 million extorted from victims.

Source : https://www.cyberark.com/resource/cyberark-labs-ransomware/

Page 7: The Rise of Ransomware

Ransomware: continued

A second variant (often called locker ransomware) does not encrypt files but blocks use of the device, with the same goal of extracting payment from the victim. It may flood the screen with pop-up messages that disrupt normal application use, or interfere with the operating system's boot process so that a ransom message is displayed in place of the login screen.

Source : http://cyberthreatalliance.org/cryptowall-report.pdf

Page 8: The Rise of Ransomware

Encryption

In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can access it.

Source : https://en.wikipedia.org/wiki/Encryption Image Source : http://kryptophone.kryptotel.net/faq/encryption/index.html

Page 9: The Rise of Ransomware

Symmetric key encryption

The same secret key is used both to encrypt and to decrypt, so anyone who obtains that key can recover the data.

Image Source: http://www.sqlservercentral.com/blogs/zoras-sql-tips/2014/09/11/understanding-the-core-of-cryptography-in-sql-server/print/

Page 10: The Rise of Ransomware

Asymmetric key encryption

A public key encrypts and only the matching private key decrypts. This is what lets ransomware encrypt files on the victim's machine without the decryption key ever being present there.

Image Source: http://www.sqlservercentral.com/blogs/zoras-sql-tips/2014/09/11/understanding-the-core-of-cryptography-in-sql-server/print/

Page 11: The Rise of Ransomware

demo

Page 14: The Rise of Ransomware

Scary ???

Page 17: The Rise of Ransomware

CyberArk Labs research

Once the ransomware was triggered to execute, 90% of the samples analyzed first attempted to communicate back to an attacker-managed key server, which held the unique public key used to encrypt files on the machine. In 20% of all cases, if the connection could not be established, the ransomware would fail. Yet a full 70% of samples were able to execute using a default public key even when a unique key could not be retrieved from the key server. Notably, this approach can be less effective for the attacker: a victim can potentially use a single default decryption key that has already been purchased to decrypt all files that were encrypted under the same key. The remaining 10% of samples included a unique key generator within the ransomware file itself, eliminating the need for an outside connection. Based on this observation, the research team noted that if organizations could limit the ransomware's ability to establish an outside connection, they could typically either prevent the ransomware from executing or force the attacker to fall back to a default key, thus minimizing the financial impact of the attack.

Source : https://www.cyberark.com/resource/cyberark-labs-ransomware/
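The key handling described on this slide, together with the symmetric and asymmetric encryption slides above, as an added Go example (this is not code from the deck or from CyberArk Labs): each file gets a random AES-256 key, and that key is wrapped with an RSA public key standing in for the one fetched from the key server or embedded as a default. The key pairs, the "documents" and the victim names are constructed for the example. It shows why one purchased private key recovers every victim of a sample that fell back to the same default key, but does nothing for a victim whose files were encrypted under a unique key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// lockedFile is what a crypto-ransomware leaves behind for one file: the content sealed
// under a random per-file AES key, plus that key wrapped with the attacker's RSA public key.
type lockedFile struct {
	wrappedKey []byte
	nonce      []byte
	ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile is the encryption step from the slide: a fresh 256-bit AES key per
// file, wrapped with the public key the sample fetched (or its embedded default).
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*lockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &lockedFile{
		wrappedKey: wrapped,
		nonce:      nonce,
		ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// decryptFile is the "decryptor" a paying victim receives; a wrong private key fails at the OAEP unwrap.
func decryptFile(priv *rsa.PrivateKey, lf *lockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.wrappedKey, nil)
	if err != nil {
		return nil, errors.New("private key does not match: cannot unwrap file key")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.nonce, lf.ciphertext, nil)
}

// defaultKeyScenario plays out the slide's observation. Victims A and B were hit by a
// sample that fell back to the same default public key; victim C got a unique key. One
// purchased private key for the default pair should recover A and B but not C.
func defaultKeyScenario() (defaultVictimsRecovered, uniqueVictimRecovered bool, err error) {
	defaultPair, err := rsa.GenerateKey(rand.Reader, 2048)
	uniquePair, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || err2 != nil {
		return false, false, errors.New("key generation failed")
	}
	// Constructed sample "documents"; real ransomware reads these from disk.
	docA, docB, docC := []byte("victim A: Q3 invoices"), []byte("victim B: payroll"), []byte("victim C: CAD drawings")
	lockedA, errA := encryptFile(&defaultPair.PublicKey, docA)
	lockedB, errB := encryptFile(&defaultPair.PublicKey, docB)
	lockedC, errC := encryptFile(&uniquePair.PublicKey, docC)
	if errA != nil || errB != nil || errC != nil {
		return false, false, errors.New("encryption failed")
	}
	gotA, errA := decryptFile(defaultPair, lockedA) // A pays and receives the default private key...
	gotB, errB := decryptFile(defaultPair, lockedB) // ...and hands it to B, who never pays.
	_, errC = decryptFile(defaultPair, lockedC)     // useless against C's unique key
	defaultVictimsRecovered = errA == nil && errB == nil &&
		bytes.Equal(gotA, docA) && bytes.Equal(gotB, docB)
	return defaultVictimsRecovered, errC == nil, nil
}

func main() {
	both, cross, err := defaultKeyScenario()
	fmt.Println("default-key victims recovered:", both, "unique-key victim recovered:", cross, "err:", err)
}
```

Real families differ in the details (Shade, later in this deck, uses two AES keys per file, one for the contents and one for the name), but the shape is the same: the private half of the key pair never touches the victim's machine, which is why cutting the outbound connection to the key server changes the attacker's economics.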

Page 19: The Rise of Ransomware

Common Findings on Ransomware ~ CyberArk Labs

1. Ransomware is Evolving by the Hour

Unlike traditional malware, which is frequently reused across a wide range of targets, ransomware strains are typically mutated for each new victim. Anti-virus products that rely on blacklists of known samples are therefore largely ineffective against ransomware: they cannot keep up with the thousands of new samples produced each day. To protect against ransomware, organizations cannot stop at blocking known malware; they also need to control unknown applications.

Page 20: The Rise of Ransomware

Common Findings on Ransomware: continued

2. A Common Path to Encryption

The team observed what actions different ransomware samples executed and found that samples across families followed a similar sequence. First, the malware typically attempted to contact an attacker-managed key server holding the unique public key used to encrypt files on the machine. Second, it scanned the infected machine for specific file types. Third, having located those files, it began encrypting them, while also working to reach as many machines as possible.

Page 21: The Rise of Ransomware

Common Findings on Ransomware: continued

3. Ransom Payment Method of Choice

To receive the key needed to decrypt the affected files, victims were required to submit payment, the ransom, to the attackers. Payment was typically demanded in Bitcoin, and some attackers went so far as to set up “help desks” to walk Bitcoin novices through buying Bitcoin and completing the transfer.

Page 22: The Rise of Ransomware

Common Findings on Ransomware: continued

4. Ransomware Seeks Admin Rights

In 70% of tested cases, ransomware attempted to gain local administrator rights once activated. Interestingly, only 10% of the tested samples failed when those rights could not be obtained. So although removing local administrator rights from standard users is a best practice and would have stopped some of the samples, on its own it does not stop file encryption; it must be layered with application control.

Page 23: The Rise of Ransomware

Common Findings on Ransomware: continued

5. A Common Denominator

Testing by CyberArk Labs showed that a highly effective way to mitigate ransomware is to prevent unknown applications, including unknown ransomware, from obtaining the read, write and modify permissions needed to encrypt files. In their tests, the combination of removing local admin rights and application control, including greylisting (restricting read, write and modify permissions for unknown applications), was 100 percent effective in preventing the tested samples from encrypting files.

https://www.cyberark.com/blog/new-cyberark-labs-research-analyzing-ransomware-potential-mitigation-strategies/

Page 24: The Rise of Ransomware

‘Shade’ Ransomware

Shade is a ransomware-type Trojan that emerged in late 2014. It is spread via malicious websites and infected email attachments. After getting onto the user's system, Shade encrypts the files stored on the machine and creates a .txt file containing the ransom note and the criminals' instructions for getting the files back. Shade uses strong encryption for each file, generating two random 256-bit AES keys: one encrypts the file's contents and the other encrypts the file name.

Since 2014, Kaspersky Lab and Intel Security have blocked more than 27,000 attempts to attack users with the Shade Trojan. Most infections occurred in Russia, Ukraine, Germany, Austria and Kazakhstan; Shade activity was also recorded in France, the Czech Republic, Italy and the US.

Source : https://www.helpnetsecurity.com/2016/07/25/no-more-ransom/

Page 25: The Rise of Ransomware

‘LeChiffre’ Ransomware Hits Indian Banks, Pharma Company

Ransomware is usually spread via spam campaigns or exploit kits, but LeChiffre takes a different approach. Its operators scan networks for poorly secured Remote Desktop (RDP) services, brute-force their way in, log in remotely and then manually run the malware, which encrypts files and appends the extension “.LeChiffre” to them.

Security researchers at Emsisoft have already produced a LeChiffre decrypter, after discovering that the malware encrypts only the first 8192 bytes of each file (plus the last 8192 bytes if the file is larger than 16999 bytes) using Blowfish.

Source : http://www.securityweek.com/lechiffre-ransomware-hits-indian-banks-pharma-company

Page 26: The Rise of Ransomware

Ransomware on Android

Ransomware is a very successful attack model, and its mobile variant differs little from its desktop counterpart. Usually the user is tricked into installing a seemingly useful app, for example one posing as Adobe Flash Player. Once installed and run, the malicious app attempts to encrypt all accessible documents, images and multimedia files on the device. When it finishes, it displays a warning, often styled to look as if it comes from a law enforcement agency such as the FBI, instructing the user how to pay to restore the files and regain access to the device.

Some of the most successful Android ransomware families are Simplocker and Koler. The recently discovered Locker family actually sets a PIN on the device, making recovery almost impossible unless the user pays the attackers for recovery instructions.

Source : https://www.thehaguesecuritydelta.com/media/com_hsd/report/57/document/4aa6-3786enw.pdf

Page 27: The Rise of Ransomware

Mitigation strategies

1. Have a Backup Solution in Place

Access to your data is mission-critical to your business, especially during a ransomware attack. If you back up your data routinely, a ransom Trojan is a nuisance rather than a disaster: remove the infection, restore the files from backup and hope the person at fault learns their lesson. Keep at least one copy offline or otherwise unreachable from infected machines, since ransomware will encrypt any backup share it can write to.

2. Keep Software up to Date

Some ransom Trojans target user carelessness (“click this link,” or “open this attachment”). Others exploit vulnerabilities in software. Keep all your software patched, especially the most common and popular off-the-shelf products – they are the first ones a hacker will target.

Page 28: The Rise of Ransomware

Mitigation strategies: continued

3. Filter Executables

Malicious executables arrive disguised as an invoice, an “urgent” document or a missed-delivery notification, and are often hidden inside ZIP archives. Filter those archives, and executable attachments in general, at the mail gateway.

4. Show File Extensions

Configuring Windows to show file extensions makes it harder for attackers to hide their intentions. For example, a file really named “Invoice.doc.exe” should never be allowed to present itself to the user as “Invoice.doc.”
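A filter for points 3 and 4, as an added Go example (not code from the deck or from the Lantium post it cites): it flags attachments whose final extension is executable, calls out double extensions such as Invoice.doc.exe, and opens ZIP archives to check every entry the same way. The extension lists and the sample archive, which is built in memory, are my own choices for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Extensions Windows runs (or hands to a script host) on double-click. A
// starting set chosen for this example; extend it for your environment.
var executableExts = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true,
	".cmd": true, ".js": true, ".jse": true, ".vbs": true, ".vbe": true,
	".wsf": true, ".hta": true, ".jar": true, ".lnk": true, ".ps1": true,
}

// Document-looking extensions used as the decoy half of a double extension
// such as "Invoice.doc.exe", which Explorer shows as "Invoice.doc" while
// "Hide extensions for known file types" is enabled.
var decoyExts = map[string]bool{
	".doc": true, ".docx": true, ".pdf": true, ".xls": true, ".xlsx": true,
	".txt": true, ".jpg": true, ".png": true, ".rtf": true,
}

// classifyName explains why a file name is dangerous, or returns "" if the
// final extension is not executable.
func classifyName(name string) string {
	// ZIP entries and mail headers may carry either slash; normalise first.
	lower := strings.ToLower(strings.TrimSpace(path.Base(strings.ReplaceAll(name, `\`, "/"))))
	ext := path.Ext(lower)
	if !executableExts[ext] {
		return ""
	}
	stem := strings.TrimSuffix(lower, ext)
	if decoyExts[path.Ext(stem)] {
		return "double extension: shown as " + stem + " when extensions are hidden"
	}
	return "executable attachment"
}

// inspectAttachment checks the attachment's own name and, for a ZIP archive,
// every entry inside it. It returns one finding per hit; an unreadable ZIP is
// reported as an error so the gateway can quarantine rather than pass it.
func inspectAttachment(name string, data []byte) ([]string, error) {
	var findings []string
	if why := classifyName(name); why != "" {
		findings = append(findings, name+": "+why)
	}
	if strings.ToLower(path.Ext(name)) != ".zip" {
		return findings, nil
	}
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return findings, fmt.Errorf("%s: not a readable ZIP archive: %w", name, err)
	}
	for _, entry := range zr.File {
		if why := classifyName(entry.Name); why != "" {
			findings = append(findings, name+" -> "+entry.Name+": "+why)
		}
	}
	return findings, nil
}

// buildSampleZip constructs, in memory, the kind of lure the slide describes
// (constructed test data, not a real sample): a genuine-looking PDF next to
// two disguised executables.
func buildSampleZip() []byte {
	entries := []struct{ name, body string }{
		{"Delivery_notice.pdf", "%PDF-1.4 placeholder"},
		{"Invoice.doc.exe", "MZ placeholder"},
		{"photo.jpg.js", "placeholder script"},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.name)
		if err != nil {
			panic(err)
		}
		io.WriteString(w, e.body)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	findings, err := inspectAttachment("parcel_12345.zip", buildSampleZip())
	fmt.Println(findings, err)
}
```

Running it prints two findings for the sample archive (the PDF passes, the two double-extension entries do not). Showing extensions in Explorer helps the user who gets past the filter; the filter itself should run where the user never sees the file.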

Page 29: The Rise of Ransomware

Mitigation strategies: continued

5. Restrict User Privileges

Keep incidents isolated so that one infected user cannot bring down the entire network. Limiting each machine and account to the access it actually needs confines the damage, saves significant downtime and lets unaffected users and departments keep working.

6. Disable Remote Desktop Protocol

Attackers like to use Windows' native remote access feature, and third-party remote access tools, to get malicious code onto computers. Remote Desktop is useful, but it does not need to be switched on all the time. Where it must stay on, do not expose it directly to the internet and do not rely on weak passwords: LeChiffre, above, gets in precisely by finding exposed RDP services and cracking their credentials.

Page 30: The Rise of Ransomware

Mitigation strategies: continued

7. Get a Security Audit from a Reputable IT Consultant

A credible and experienced IT consultant, such as Lantium, can assess your organization's information systems, business processes and overall cyber presence to help you identify ways to keep your business protected. Being proactive is how you keep your business safe in 2017.

Source: http://blog.lantium.com/seven-things-to-protect-your-business-from-ransomware

Page 31: The Rise of Ransomware

No More Ransom Initiative

The “No More Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and Intel Security – with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.

Source : https://www.nomoreransom.org/about-the-project.html

Page 32: The Rise of Ransomware

References

Ransomware Families and Types
http://avien.net/blog/ransomware-resources/ransomware-families-and-types

Analysis of the CryptoWall Version 4 Threat
http://cyberthreatalliance.org/cryptowall-report.pdf

Even the best antivirus likely can't save your files from a ransomware infection
http://www.businessinsider.com/fighting-ransomware-with-antivirus-2016-1

Hewlett Packard Enterprise - Cyber Risk Report 2016
https://www.thehaguesecuritydelta.com/media/com_hsd/report/57/document/4aa6-3786enw.pdf

Shoddy Programming causes new Ransomware to destroy your Data
https://www.bleepingcomputer.com/news/security/shoddy-programming-causes-new-ransomware-to-destroy-your-data

Page 33: The Rise of Ransomware

THANKS! Any questions?

You can find me at ….

tharindue.blogspot.com
@thariyarox
https://lk.linkedin.com/in/ediri
[email protected]

