Ransomware has become one of the most widespread and damaging threats that internet users face. Since the infamous CryptoLocker first appeared in 2013, we’ve seen a new era of file-encrypting ransomware variants delivered through spam messages and Exploit Kits, extorting money from home users and businesses alike.
What we’re going to cover
• A bit of Background
• Anatomy of a ransomware attack
• The latest ransomware to rear its ugly head – introducing Locky and its friends
• Why these attacks are so successful
• Practical steps to protect your organization from ransomware threats
• How Sophos can help
A bit of background
Ransomware is a form of malware that encrypts private information and demands payment in order to decrypt it.
History
• CryptoLocker first appeared in 2013
• New variants emerge all-too-regularly
• Current wave has roots in the early days of FakeAV
• Locky is one of the newest flavors to menace internet users
• Common ransom demands for USD 200 – 500.
• Technology used changes rapidly
○ Office documents with macros
○ CHM files
○ JavaScript
○ .bat files
2 main vectors of attack
• SPAM (via social engineering)
○ Seemingly plausible sender
○ Has attachment e.g. invoice, parcel delivery note
○ The attachment contains an embedded macro
○ When the attachment is opened the macro downloads and then executes the ransomware payload
○ Used by Locky, TorrentLocker, CTB-Locker
• Exploit kits
○ Black market tools used to easily create attacks that exploit known or unknown vulnerabilities (zero-day)
○ Client-side vulnerabilities usually target the Web browser
○ Used by CryptoWall, TeslaCrypt, CrypVault, ThreatFinder
Anatomy of a ransomware attack
Installation via an exploit kit or spam with an infected attachment
Once installed the ransomware modifies the registry keys.
Contact with the command & control server of the attacker
The ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer.
Encryption of assets
Certain files are then encrypted on the local computer and on all accessible network drives with this public key. Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery.
Ransom demand
A message appears on the user’s desktop, explaining how a ransom (often in the form of bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key that only the attacker’s system has access to.
And gone
The ransomware then deletes itself, leaving just the encrypted files and ransom notes behind.
Paying ransoms
• Payment is made in Bitcoins
• Instructions are available via Tor
• The ransom increases the longer you take to pay
• On payment of the ransom, the public encryption key is provided so you can decrypt your computer files
Locky: the new kid on the block
• Nickname of a new strain of ransomware, so-called because it renames all your important files so that they have the extension .locky
• Ransoms vary from BTC 0.5 to BTC 1.00 (1 BTC is worth about €380/$425/£300).
• Started hitting the headlines in early 2016
• Wreaking havoc with at least 400,000 machines affected worldwide
A common Locky attack
• You receive an email containing an attached document.
○ The document looks like gobbledegook.
○ The document advises you to enable macros “if the data encoding is incorrect.”
○ The criminals want you to click on the 'Options' button at the top of the page.
• Once you click Options, Locky will start to execute on your computer.
• As soon as it is ready to ask you for the ransom, it changes your desktop wallpaper.
• The format of the demand varies, but the results are the same.
TorrentLocker
• Almost exclusively distributed via sophisticated spam campaigns
○ High quality emails
○ Translated into multiple languages (Dutch, Japanese, Korean, Italian, Spanish …)
• Highly targeted geographically
• Peculiarity: Use of the victim machine’s address book to send the ransomware to other machines
• Communicates with its C&C server in HTTPS (POST requests) to make detection more difficult
CTB-Locker
• Peculiarity: Business model based on affiliations
○ Infections are conducted by 'partners' who receive in return a portion of the takings
○ Enables faster spreading of malicious code
○ Approach notably used in the past by Fake-AV
• The cyber crooks offer the option of a monthly payment to host all of the code.
• Has also been widely distributed by the Rig and Nuclear exploit kits
• As with TorrentLocker, the majority of infections have started via spam campaigns
CTB-Locker variant that attacks websites
• Same name as the ransomware that attacks Windows computers
• Written in PHP
• First attack in the UK on 12th February 2016
• Already many hundreds of sites have been attacked
• Attacks websites by encrypting all files in their repositories
• A password-protected ‘shell’ is installed on most of the affected sites, allowing attackers to connect to the server(s) via a backdoor
Angler: an all-too-well-known exploit kit
• Grown in notoriety since mid 2014
○ The payload is stored in memory and the disk file is deleted
○ Detects security products and virtual machines
○ Ability to spread many infections: banking Trojans, backdoors, rootkits, ransomware
• Easy to use
○ Doesn’t require any particular technical competence
○ Available for a few thousand USD on the Dark Web
Chain of infection for Angler exploit kits
1. The victim accesses a compromised web server through a vulnerable browser
2. The compromised web server redirects the connection to an intermediary server
3. In turn, the intermediary server redirects the connection to the attacker’s server which hosts the destination page of the exploit kit
4. The destination page looks for vulnerable plug-ins (Java, Flash, Silverlight) and their version numbers
5. If a vulnerable browser or plug-in is detected the exploit kit releases its payload and infects the system.
Why are these attacks so successful?
Professional attack technology
• Highly professional approach e.g. usually provides the actual decryption key after payment of the ransom
• Skillful social engineering
• Hide malicious code in technologies that are permitted in many companies e.g. Microsoft Office macros, JavaScript, VBScript, Flash …
Why are these attacks so successful?
Security weaknesses in the affected companies
• Inadequate backup strategy
• Updates and patches are not implemented swiftly enough
• Dangerous user rights/permissions – users have more than they need
• Lack of user security training
• Security systems are not implemented or used correctly
• Lack of IT security knowledge
• Conflicting priorities: security vs productivity concerns
Best practices – do this NOW!
1. Backup regularly and keep a recent backup copy off-site.
2. Don’t enable macros in document attachments received via email.
3. Be cautious about unsolicited attachments.
4. Don’t give yourself more login power than you need.
5. Consider installing the Microsoft Office viewers.
6. Patch early, patch often.
7. Configure your security products correctly.
Security solution requirements
As a minimum you should:
• Deploy anti malware protection
• Block spam
• Use a sandboxing solution
• Block risky file extensions (javascript, vbscript, chm etc…)
• Password protect archive files
• Use URL filtering (block access to C&C servers)
• Use HTTPS filtering
• Use HIPS (host intrusion prevention service)
• Activate your client firewalls
• Use a whitelisting solution
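A gateway-side attachment check along the lines of the “block risky file extensions” item above and the macro-document delivery described earlier, as an added example that is not Sophos code: it flags the script extensions the deck names (also when hidden behind a double extension), looks inside an OOXML attachment for the vbaProject.bin part that holds VBA macros, and walks a zip for risky members or password protection. The extension lists and the sample attachments are constructed for the demonstration.

```python
"""Attachment policy check modelled on the gateway advice in the deck.
Added example, not Sophos code; extension lists and samples are constructed."""
import io
import os
import zipfile

# Script/executable types the deck names as risky attachment content.
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".chm", ".bat", ".cmd"}
# OOXML containers; a VBA macro project inside them is stored as vbaProject.bin.
OFFICE_CONTAINERS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
ARCHIVES = {".zip"}


def suffixes(filename):
    """All lower-cased suffixes, so 'Invoice.pdf.JS' -> ['.pdf', '.js']."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:]]


def zip_entries(data):
    """Return (member names, any_encrypted) for a zip payload, or None if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return None
    names = [zi.filename for zi in infos]
    encrypted = any(zi.flag_bits & 0x1 for zi in infos)  # general-purpose bit 0
    return names, encrypted


def inspect_attachment(filename, data):
    """Return {'verdict': 'allow'|'block', 'reasons': [...]} for one attachment."""
    reasons = []
    exts = suffixes(filename)
    final = exts[-1] if exts else ""
    if final in RISKY_EXTENSIONS:
        reasons.append(f"risky script/executable extension {final}")
        if len(exts) > 1:
            reasons.append(f"double extension {''.join(exts)} disguises the real type")
    if final in OFFICE_CONTAINERS:
        entries = zip_entries(data)
        if entries is None:
            reasons.append("Office attachment is not a valid OOXML container")
        elif any(n.lower().endswith("vbaproject.bin") for n in entries[0]):
            reasons.append("Office document carries a VBA macro project")
    if final in ARCHIVES:
        entries = zip_entries(data)
        if entries is None:
            reasons.append("archive cannot be parsed")
        else:
            names, encrypted = entries
            if encrypted:
                reasons.append("password-protected archive cannot be scanned")
            for n in names:
                inner = suffixes(n)
                if inner and inner[-1] in RISKY_EXTENSIONS:
                    reasons.append(f"archive contains risky file {n}")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons}


def build_ooxml(with_macro):
    """Constructed minimal OOXML-style zip; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)  # placeholder bytes
    return buf.getvalue()


def build_zip(member_name):
    """Constructed archive with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "constructed content")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [("Invoice.pdf.js", b"// constructed"),
                       ("report.docm", build_ooxml(True)),
                       ("report.docx", build_ooxml(False)),
                       ("delivery.zip", build_zip("delivery_note.bat"))]:
        print(name, inspect_attachment(name, data))
```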
Additional steps
• Employee awareness & training
○ Sophos IT Security Dos and Don’ts
○ Sophos Threatsaurus
• Segment the company network
○ NAC solutions ensure only known computers can access the network
○ Separate functional areas within a firewall e.g. client and server networks
• Encrypt company data
○ It doesn’t stop the ransomware but prevents damage caused by sensitive documents getting into the wrong hands
• Use security analysis tools
○ If an infection does occur, it’s vital that the source is identified and contained ASAP.
Complete protection: Enduser and Network
Sophos Central
• Enduser: Next-Gen Endpoint Protection, Mobile Control, Server Security, SafeGuard Encryption
• Network: Next-Gen Firewall/UTM, Web Security, Email Security, Wireless Security
Secure the Endpoint (PC/Mac): Next Gen Endpoint security to prevent, detect, investigate and remediate
Secure the Mobile Device: Secure smartphones and tablets just like any other endpoint
Secure the Servers: Protection optimized for server environments (physical or virtual): fast, effective, controlled
Protect the Data: Simple-to-use encryption for a highly effective last line of defense against data loss
Secure the Perimeter: Ultimate enterprise firewall performance, security, and control.
Secure the Web: Advanced protection, control, and insights that are effective, affordable, and easy.
Secure the Email: Email threats and phishing attacks don’t stand a chance.
Secure the Wireless: Simple, secure Wi-Fi connection.
Security as a System
Synchronized Security: integrated, context-aware security where Enduser and Network technology share meaningful information to deliver better protection
• Security must be comprehensive: the capabilities required to fully satisfy customer need
• Security can be made simple: platform, deployment, licensing, user experience
• Security is more effective as a system: new possibilities through technology cooperation
Diagram: Next Gen Enduser Security and Next Gen Network Security linked through the Sophos Cloud heartbeat, backed by SophosLabs
Malicious Traffic Detection
Diagram: the Sophos System Protector on the endpoint combines Application Tracking, Threat Engine, Application Control, Emulator, Device Control, Web Protection, IoC Collector, Live Protection, Security Heartbeat, HIPS/Runtime Protection, Reputation, Malicious Traffic Detection and Data Control, backed by SophosLabs data (URL database, malware identities, HIPS rules, genotypes, file look-up, reputation, apps, spam, peripheral types, anonymizing proxies, patches/vulnerabilities, whitelist).
Flow shown: malicious traffic detected by MTD rules → administrator alerted with the compromise details (user | system | file) → application interrupted.
Sophos Sandstorm
How Sophos Sandstorm works
1. If the file has known malware it’s blocked immediately. If it’s otherwise suspicious, and hasn’t been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait.
2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file will be sent to the security solution once the analysis is complete.
3. A detailed report is provided for each file analyzed.
Advanced Threat Defense Made Simple: available with Secure Web Gateway, Secure Email Gateway, Unified Threat Management and Next-Gen Firewall
Anatomy of a Ransomware Attack
Exploit Kit or Spam with Infection → Command & Control Established → Local Files are Encrypted → Ransomware deleted, Ransom Instructions delivered
Ransomware
• Cryptowall costs users $325M in 2015
○ 2 out of 3 infections driven by phishing attack
○ Delivered by drive-by exploit kits
○ Hundreds of thousands of victims worldwide
• More variants – Locky and Samas
○ Now for Mac and Windows users
• Targeting bigger phish
○ $17K payment from California hospital
CryptoGuard – Say Goodbye to Ransomware
• Simple and Comprehensive
• Universally prevents spontaneous encryption of data
• Simple activation in Sophos Central
CryptoGuard
1. Monitors file system activity
2. When a file is opened for write, creates a just-in-time backup of the file
3. When the file is closed, compares contents
4. When the file is no longer a document, marks it as suspicious
5. If this happens on many files (3 or more), rolls back the files from the above backup and revokes write-access from the process (or client IP) that made the changes
6. All modifications are tracked per process or per client IP, so if a remote client modifies files, they are tracked, rolled back and blocked if needed
CryptoGuard
• Stops local ransomware from attacking local data
• Stops local ransomware from attacking remote data (incl. mapped or unmapped shares)
• Stops remote ransomware from attacking local data
More information
• Sophos whitepaper on how to stay protected from ransomware
https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprotectionwpna.pdf?la=en
• Sophos technical whitepaper on ransomware
https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-current-state-of-ransomware.pdf?la=en
• Naked Security – regular stories on Locky and other ransomware attacks
https://nakedsecurity.sophos.com/
• IT Security DOs and DON'Ts
https://www.sophos.com/en-us/medialibrary/PDFs/employeetraining/sophosdosanddontshandbook.pdf?la=en
• Threatsaurus
https://www.sophos.com/en-us/medialibrary/PDFs/other/sophosthreatsaurusaz.pdf?la=en
• Sophos free tools
https://www.sophos.com/fr-fr/products/free-tools.aspx
Welcome to our session about ransomware.
If you have questions, please type them in the chat window. We can then gather the questions and answer them at the end, or come back to you with the answers.
What are we going to cover today?
A little bit of background on ransomware.
How most ransomware attacks work.
Some types of ransomware: Locky and friends.
Why the attacks work.
Some things you can do to protect yourself and minimize the risk.
And last but not least, how we at Sophos can help you.
First of all, a bit of background on ransomware.
As all of you know, ransomware is malware that encrypts your files and holds them to ransom until you pay money to the bad guys to get the key to decrypt the files.
It started in 2013 with CryptoLocker.
A lot of new types have emerged.
One of the latest ones out there is Locky.
The ransom the bad guys ask is around 1 bitcoin. A bitcoin is about 380 euros, 430 US dollars or about 300 pounds.
What we’ve seen is that the technology is changing.
Now it comes in Office documents using macros,
CHM files (compiled HTML files),
JavaScript and batch files.
They are finding new ways to infect the target PC.
We are seeing 2 main ways of attack:
spam and exploit kits.
Spam:
Seems to be from a plausible sender.
The emails are getting more sophisticated. They look very real.
The attachments contain an embedded macro.
Exploit kits: available on the black market.
You can easily create an attack that uses known or unknown vulnerabilities.
They usually target the web browser.
When we look at ransomware attacks, we see the following pattern.
Step 1: the ransomware needs to be installed on the target computer. Usually this is done through an exploit kit or through a spam campaign.
Once installed, it’s going to change some registry keys on the target.
Step 2: when the ransomware is active on the target, it’s going to connect to a command and control server, send information about the infected computer and download a public key for this computer.
Step 3: now that the ransomware has the public key, it’s going to encrypt files on the local computer, including the network drives that are accessible from this computer.
Often the shadow copies on the Windows machine are deleted to prevent you from recovering the encrypted files.
Step 4: when the ransomware has finished messing with your files it will show the ransom note, with the instructions on how to pay the ransom, often in bitcoins.
Step 5: after the ransom note is shown, the ransomware will delete itself and leave you with the ransom note and the encrypted files.
Here are some examples of the ransom notes used.
1 bitcoin
1 Bitcoin equals 376.30 Euro
1 Bitcoin equals 427.59 US Dollar
Second note.
It’s 500 USD, but this is only valid for 167h 58m and 54s.
After that the key will cost you twice as much.
The payment is normally done in bitcoins.
The instructions on how to pay are available via Tor.
They even have an FAQ and support.
In this case you are seeing a countdown clock. If you do not pay before the countdown ends, the price to decrypt your files will be twice as much.
If you decide to pay, which we are not recommending you do,
you will hopefully get the key to decrypt your files.
Now we are going to look at some of the common ransomware that’s around.
One of the latest ones is Locky.
Named after the extension it uses for the files that are encrypted: .locky
Ransoms are usually around 1 bitcoin, which is around 380 euro or 425 dollars or 300 pounds.
Locky surfaced a couple of months ago, in early 2016.
A common Locky attack
The user receives an email with a document.
When they open the document they see a lot of characters that don’t make sense.
The bad guys want you to enable macros.
It needs the macro to be executed.
When the ransomware is finished it will change your wallpaper and replace it with the ransom note.
Here is an example of a document.
They want you to enable macros.
But don’t do it.
Here are the different ransom notes and also the amount you need to pay.
TorrentLocker
TorrentLocker spreads through spam campaigns.
High quality mails and different languages.
It uses the victim’s address book to spread the ransomware to other machines.
Communicates to the command and control server using HTTPS,
which makes it more difficult to detect that traffic.
The authors of CTB-Locker are using an affiliate program to drive infections
by outsourcing the infection process to a network of affiliates or partners in exchange for a cut of the profits.
They also offer a hosted option where the operator pays a monthly fee and they will host all the code.
It has been spread by the Rig and Nuclear exploit kits, but most of the infections were through spam campaigns.
They also have ransom notes in different languages.
CTB-Locker
Same name as the previous one, but this one attacks websites by encrypting files in their repositories.
On most sites they install a password-protected shell to get to the servers via a backdoor.
One of the well-known exploit kits is Angler.
It is used to spread many infections.
The payload is stored in memory and the local file is deleted.
It is easy to use and you can buy it on the dark web for a few thousand dollars.
In the picture you see the revenue.
Angler has gained market share over the last few years.
If we look at 2014 it had around 23%.
Half a year later, in January of 2015, it was around 39%.
A couple of months after that it increased to over 82%.
Just last Sunday
According to the Fox-IT Security Operations Center, at least 288 websites were affected,
and it is believed that a compromised ad network was responsible for so many sites being affected simultaneously.
A lot of the popular news sites in The Netherlands were hit…
nu.nl
marktplaats.nl
sbs6.nl
rtlnieuws.nl
rtlz.nl
startpagina.nl
buienradar.nl
Angler was used in this case.
They act like a normal company, have FAQs and support, and usually provide the decryption key after the payment.
Using social engineering
and hiding the code in programs/documents that many companies use every day,
like macros and JavaScript.
Backup regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights.
Consider installing the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn’t support macros at all, so you can’t enable macros by mistake!
Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.
Configure your security products correctly. To enable them to work effectively they need to be configured correctly. Sophos customers should check out the ‘How to stay protected against ransomware’ whitepaper which includes, amongst other good advice, optimal configuration settings for Sophos solutions.
Employee awareness/training
In addition to the immediate measures described above, it's important that all employees receive regular IT security training. The success of these measures should also be checked regularly.
Sophos provides a number of free tools to help educate employees on security threats, including IT Security DOs and DON'Ts and the Threatsaurus.
Segmentation of the company network
Security measures at the gateway are rendered useless if a computer that is introduced to the network without authorization (private notebook, computer belonging to the service provider, company notebook with outdated virus protection) is allowed to infiltrate these measures.
Network Access Control (NAC) solutions, for example, can help against the threat of an unauthorized device in the network by only allowing known computers access to the network. Therefore, in general, the principle that each system only has access to those resources that are necessary to fulfill the relevant tasks should also apply to the network design.
In the network area, this also means that you separate functional areas with a firewall, e.g. the client and server networks. The relevant target systems and services can only be accessed if this is really necessary. The backup servers can then only be accessed from the work stations, for example, via the port required by the backup solution, not via Windows file system access. As a result, you must also consider applying a client firewall to work stations or servers because there is usually no reason for work stations or servers to have communication with each other, unless it relates to known services. This method can also help to prevent waves of infection within a network.
Encrypting company data
Suitable encryption of company documents can help to prevent malware from obtaining unencrypted access to confidential documents. This prevents damage caused by the outflow of business-relevant documents.
Use security-analysis tools
Even if you implement all of the above measures, you can never guarantee with 100% certainty that security incidents/infections in company computers will be prevented in the future. However, if an incident does occur, it is vital that the source of the infection and any potential effects on other company systems are identified as quickly as possible and contained. This can drastically reduce the time and effort required to identify and correct the affected systems and restore functionality to the IT infrastructure. In addition, by identifying the source and the method of infection, potential vulnerabilities in the security concept can be highlighted and eliminated.
We have a complete security portfolio protecting the Enduser as well as the Network.
We offer security as a system.
With our Synchronized Security
we integrate our different solutions and share information between our products,
so that we are able to act immediately on the things happening in the network.
One of the first is the integration between our XG Firewall and our Cloud Endpoint by using our Security Heartbeat.
We bring the Endpoint and the Firewall together and exchange information that can be used to proactively block threats.
Malicious Traffic Detection.
Here we have an infected device that is trying to communicate to a command and control server.
This is detected by the Malicious Traffic Detection (MTD) on the client.
The administrator is alerted and gets the info on the user, system and file that is responsible for the threat.
The application is automatically blocked.
Another feature you can use is Sophos Sandstorm.
Sophos Sandstorm is cloud-based sandboxing.
We offer the feature with our Web and Email Appliance and with the Sophos UTM v9.4.
How does it work?
If we have a suspicious file, we create a hash and check that hash with our Sandstorm service.
If we have seen the file before, we know if the file is good or bad.
If it is a bad file it’s blocked immediately; if it’s good, the user receives the file.
If it’s a new file, the file is sent to the sandbox and detonated. Then the behaviour is monitored and the decision to allow or block is sent back.
There is also a detailed report for each file that is analyzed.
This is part of our Project Spectrum.
Spectrum will integrate the techniques of HitmanPro, which we acquired late last year.
To recap,
this is basically the way ransomware operates.
It needs to be delivered, using an exploit kit or spam infection.
Then it connects to a command and control server.
Local files get encrypted.
The ransomware is deleted and the instructions for paying the ransom are shown.
CryptoGuard is the anti-ransomware component and it works independently to provide another layer of defense against your data being held hostage by the Locky/Cryptowall type of malware.
It’s a driver in the file filter stack that monitors the behaviors of the applications and processes that access your documents.
If it detects that an application is encrypting a number of files it will automatically isolate that process from the file system such that it cannot do any more damage AND it will roll back any files that have been impacted to their prior state.
Lightweight and effective, CryptoGuard provides another layer of defense for your endpoints and data.
It:
a. Stops local ransomware from attacking local data
b. Stops local ransomware from attacking remote data (incl. mapped or unmapped shares)
c. Stops remote ransomware from attacking local data
Since most ransomware injects into or runs from legitimate trusted processes, or even consists of or only uses trusted binaries, CryptoGuard is not shy about revoking write-access from legitimate/trusted processes (or client IPs).
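The six CryptoGuard steps listed on the slide earlier and restated in these notes, as an added example that is not Sophos code: a small Python model that keeps a just-in-time copy of a file on open-for-write, checks on close whether the file still looks like a document, and once three or more files from one actor fail that check rolls them back and revokes that actor's write access. The document heuristic, the actor key (a process name standing in for process or client IP) and the sample files are constructed.

```python
"""Toy model of the CryptoGuard steps from the deck; constructed heuristics and data."""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict
from pathlib import Path

SUSPICIOUS_THRESHOLD = 3  # slide: "many files (3 or more)"
DOCUMENT_MAGIC = (b"%PDF", b"PK\x03\x04", b"\xd0\xcf\x11\xe0")  # PDF, OOXML, legacy Office


def looks_like_document(data):
    """Constructed heuristic: known document magic, or mostly printable text.
    Ciphertext fails both tests; a real product uses richer checks."""
    if data.startswith(DOCUMENT_MAGIC):
        return True
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) > 0.9


class CryptoGuardModel:
    """Tracks changes per actor (process name here; the product keys on process or client IP)."""

    def __init__(self, backup_dir):
        self.backup_dir = Path(backup_dir)
        self.backup_dir.mkdir(parents=True, exist_ok=True)
        self.suspicious = defaultdict(list)  # actor -> files that stopped being documents
        self.blocked = set()

    def _backup_path(self, path):
        return self.backup_dir / hashlib.sha256(str(path).encode()).hexdigest()

    def open_for_write(self, actor, path):
        """Step 2: refuse revoked actors, otherwise snapshot the file before it changes."""
        if actor in self.blocked:
            raise PermissionError(f"{actor} has had write access revoked")
        if Path(path).exists():
            shutil.copy2(path, self._backup_path(path))

    def close_after_write(self, actor, path):
        """Steps 3-5: inspect the result; at the threshold, roll back and revoke."""
        if looks_like_document(Path(path).read_bytes()):
            return "ok"
        self.suspicious[actor].append(path)
        if len(self.suspicious[actor]) < SUSPICIOUS_THRESHOLD:
            return "suspicious"
        for p in self.suspicious[actor]:
            shutil.copy2(self._backup_path(p), p)
        self.blocked.add(actor)
        return "blocked"


def simulate():
    """Constructed scenario: one benign edit, then an actor overwriting four documents with random bytes."""
    root = Path(tempfile.mkdtemp())
    guard = CryptoGuardModel(root / "jit_backup")
    originals = {root / f"report{i}.txt": f"Quarterly report {i}\n".encode() * 20
                 for i in range(4)}
    for p, data in originals.items():
        p.write_bytes(data)
    paths = sorted(originals)
    guard.open_for_write("editor.exe", paths[0])  # legitimate edit keeps the file a document
    with open(paths[0], "ab") as f:
        f.write(b"Appendix A\n")
    benign = guard.close_after_write("editor.exe", paths[0])
    verdicts, denied = [], 0
    for p in paths:
        try:
            guard.open_for_write("evil.exe", p)
        except PermissionError:
            denied += 1  # fourth file never touched: write access already revoked
            continue
        p.write_bytes(os.urandom(len(originals[p])))  # random bytes stand in for ciphertext
        verdicts.append(guard.close_after_write("evil.exe", p))
    return {
        "benign": benign,
        "verdicts": verdicts,
        "denied": denied,
        "restored": sum(p.read_bytes() == originals[p] for p in paths[1:]),
        "edited_kept": paths[0].read_bytes() == originals[paths[0]] + b"Appendix A\n",
    }


if __name__ == "__main__":
    print(simulate())
```

The rollback restores the most recent just-in-time copy, so the legitimate edit to the first file survives while the three overwritten files return to their pre-attack contents.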