Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Author: Aaron ND Sawmadal, MSc. Digital Forensics
Contents
Introduction
How Does CryptoLocker Infect a Machine on a Network
The Best Approach in Defending Against CryptoLocker in Corporate Network Resources
Machines and/or Software Resources that can Help Defend the Network
How to Eliminate CryptoLocker and the Strategy of Mitigation in a Post Incident Review
Conclusion
References
Introduction
The threat of CryptoLocker ransomware is real: this malware is frequently used by malicious individuals to extort money from private users and government agencies alike. If a user's system is infected and the user refuses to pay the ransom, they lose the files on the affected system and on any other devices connected to the same network. Unfortunately the threat is increasing exponentially: ‘1 in 30 have been hit by CryptoLocker and 40% pay the ransom’, and 2014 was recorded as the worst year for CryptoLocker attacks (from https://nakedsecurity.sophos.com/2014/03/07/1-in-30-have-been-hit-by-cryptolocker-and-40-pay-the-ransom-says-study/).
How Does CryptoLocker Infect a Machine on a Network
CryptoLocker is malicious encryption software: a Trojan that scrambles (encrypts) all the files and folders it can reach on a computer or network. The Trojan takes hold of the file systems on the network resources and redirects the victim to a payment system; this method of extortion is referred to as ransomware. The victim's network resources and devices are then under the control of the malicious code.
CryptoLocker installs itself by tricking the end user into installing or executing its code. Once the code has executed on the user's system (from My Documents, the Desktop, the Downloads folder, etc.), it adds itself to the Windows registry under randomly generated names and generates random-looking server names under the .biz, .co.uk, .com, .info, .net, .org.au and .ru domains (Destructive malware “CryptoLocker” on the loose – here’s what to do, https://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/).
CryptoLocker then uses these randomly generated server names to attempt connections to the intruder's server(s); once a server responds, it uploads a small file called the “CryptoLocker ID”. On receiving the ID, the server generates a public-private key pair unique to that CryptoLocker ID and sends only the “public key part” back to the user's device. Once the public key has arrived on the user's device, the Trojan uses it to encrypt every file it finds whose extension matches its list of target extensions. The file extensions targeted on the victim's device are listed in the source below.
From https://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/
Additionally, the malware searches for and encrypts every file and folder it can access on the victim's device or network. If the victim's device is in a workgroup or domain environment, the malware also encrypts any network resources holding files with the same extensions. In most cases the malware then presents the victim with a payment option and a deadline: pay the ransom within the timeframe or lose all the data on the device.
The Best Approach in Defending Against CryptoLocker in Corporate Network Resources
The first and foremost strategy for defending any network has been clearly stipulated by the Australian Signals Directorate (www.asd.gov.au).
i. The first principle is: do not allow end users to execute code. This is implemented through application whitelisting, which prevents end users from installing any application with extensions such as .dll, .exe and .msi.
ii. User and administrator whitelisting: specify administrator users by privilege level; not all administrators should have rights to install programs on all workstations and servers.
iii. Implementation of an AppLocker policy. AppLocker relies on a default setting called Application Identity, first introduced in Windows Server 2008, and the policy can be deployed to all Windows 7/8/10 workstations. Within the AppLocker policy, every extension that end users should not install must be explicitly denied; also implement a deny policy for any unknown extension, and configure the policy to send alert emails to the administrator for any unknown application or extension, carrying the details of the host: hostname, IP address, the user logged on to the host, and the date and time the unknown application was detected.
iv. For devices running Windows XP and Vista, implement a group policy that blocks executables and payload packages using the path rules %appdata%\*.exe, %appdata%\*\*.exe, %localappdata%\*.exe and %localappdata%\*\*.exe. Deploy it via Group Policy in a domain environment, or add the policy to the standard operating environment (SOE) image for all devices.
v. Install software through versioning and a review board: any new software to be introduced into the network must go through a review and approval process.
vi. Remove domain users from the administrator groups (Computer Management >> Groups >> Administrators).
vii. Ensure all default administrator and guest accounts are disabled, in both workgroup and domain environments.
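The AppLocker alerting described in item iii, as an added PowerShell example written for this report (not code from the report, from Microsoft or from the ASD). It first checks that the effective AppLocker policy actually carries Deny path rules for executables under the user profile's AppData folder (the AppLocker counterpart of the %appdata% rules in item iv), then collects recent AppLocker block and audit events and builds the alert record the report asks for: hostname, IP address, user, date/time, plus the blocked file and matching rule. It assumes a Windows 7/Server 2008 R2 or later host with the AppLocker module, run as an administrator; the SMTP relay, sender and recipient are placeholders.

```powershell
# Added example: defender-side AppLocker checks and alerting (not from the original report).
# Assumes the AppLocker module is available and the script runs with administrator rights.
Import-Module AppLocker -ErrorAction Stop

function Get-AppDataDenyRules {
    # Returns the Exe collection's enforcement mode and the Deny path rules
    # whose path points under AppData in the effective (merged) AppLocker policy.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    if (-not $exe) {
        return [pscustomobject]@{ EnforcementMode = 'NotConfigured'; DenyRules = @() }
    }
    $deny = @($exe.FilePathRule |
        Where-Object { $_.Action -eq 'Deny' -and
                       $_.Conditions.FilePathCondition.Path -like '*AppData*' } |
        ForEach-Object { $_.Conditions.FilePathCondition.Path })
    [pscustomobject]@{ EnforcementMode = $exe.EnforcementMode; DenyRules = $deny }
}

function Get-AppLockerBlockReport {
    param([int]$LookbackMinutes = 60)
    # Event 8004 = EXE/DLL blocked by AppLocker; 8003 = audit mode, "would have been blocked".
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    # First IPv4 address of this host, for the alert body.
    $ip = ([System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
           Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
           Select-Object -First 1).IPAddressToString
    foreach ($e in $events) {
        # AppLocker stores the details in UserData/RuleAndFileData of the event XML.
        $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        $user = $data.TargetUser              # a SID; resolve to DOMAIN\user where possible
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $data.TargetUser
            $user = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        $action = 'AuditOnly'
        if ($e.Id -eq 8004) { $action = 'Blocked' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Hostname = $env:COMPUTERNAME
            IP       = $ip
            User     = $user
            Action   = $action
            File     = $data.FilePath
            Rule     = $data.RuleName
            Hash     = $data.FileHash
        }
    }
}

function Send-AppLockerAlert {
    param(
        [Parameter(Mandatory=$true)] [object[]]$Report,
        [string]$SmtpServer = 'smtp.example.invalid',      # placeholder: your mail relay
        [string]$To         = 'secops@example.invalid',    # placeholder: administrator mailbox
        [string]$From       = 'applocker@example.invalid'  # placeholder: sender address
    )
    if ($Report.Count -eq 0) { return }
    $body = $Report | Format-Table Time, Hostname, IP, User, Action, File, Rule -AutoSize |
            Out-String -Width 200
    Send-MailMessage -SmtpServer $SmtpServer -To $To -From $From -Body $body `
        -Subject "AppLocker: $($Report.Count) unknown application(s) on $env:COMPUTERNAME"
}

# Usage: report the policy state, list recent events, and mail them to the administrator.
$check = Get-AppDataDenyRules
"Exe collection: $($check.EnforcementMode); AppData deny rules: $($check.DenyRules -join ', ')"
$report = @(Get-AppLockerBlockReport -LookbackMinutes 60)
$report | Format-Table -AutoSize
Send-AppLockerAlert -Report $report
```

Run it from a scheduled task on each workstation, or point the event query at a collector host, so the mail arrives without waiting for someone to open Event Viewer.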
Machines and/or Software Resources that can Help Defend the Network
i. In a Windows environment, install the Enhanced Mitigation Experience Toolkit (EMET). This utility helps prevent vulnerabilities in software from being exploited (https://support.microsoft.com/en-au/kb/2458544). EMET supports Windows Vista Service Pack 1 and Service Pack 2 up to Windows 10.
ii. Install intrusion detection and prevention software such as Sophos or Microsoft Endpoint Protection, among others.
iii. A firewall with intrusion detection and prevention (IDS/IPS): this tracks the stateful connections of all applications and users on the network and checks them against known databases to determine whether an application is free of malicious code. The firewall mitigates transmission of the malware into the network.
How to Eliminate CryptoLocker and the Strategy of Mitigation in a Post Incident Review
The threat to network resources is real and should never be underestimated. There is no such thing as a small threat: every threat can have significant impact if adequate action is not taken. For this reason the Australian Information Security Advice Cyber Security Operation Centre highly recommends ‘application whitelisting, patching of applications and operating systems, updated versions of the software in deployment, and minimising administrative privileges’ (http://asd.gov.au/publications/protect/top_4_mitigations.htm).
Other technical mitigation strategies include, but are not limited to, logging, file tracing and auditing, and a backup/restore server.
When a worst-case CryptoLocker infection has been observed, the host responsible for spreading it should be physically isolated from the network, and it should be confirmed that a restore from backup is available. If no backup exists, it is important not to delay the response to the intruder's demand.
Another, non-technical strategy is effective user awareness training and a security policy. From a security perspective it is important to document in advance whether, in the event of a CryptoLocker breach, the ransom should be paid or not. The security lead must obtain the approval of executive management, and every incident must be dealt with on a case-by-case basis.
Conclusion
In this day and age the best protection any security expert can adopt is an in-depth security policy that encompasses all of the protection and mitigation strategies above. It should be adopted at every level, because legacy (antivirus and anti-spyware) mitigation strategies alone cannot stop the current CryptoLocker threat. Ransomware will continue to grow because it is a lucrative market. The bad guys always need users to execute their code; with effective security strategies, one can detect them beforehand.
Security experts should implement logging, file tracing, auditing, a patching rule and a backup/restore server. With these in place, do not leave loopholes for the bad guys to infiltrate the network. Restricting user privileges and implementing AppLocker policies will help mitigate many of the emerging CryptoLocker variants.
References
How CryptoLocker works and how it can be mitigated; https://nakedsecurity.sophos.com/2013/10/18/cryptolocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/
Destructive malware “CryptoLocker” on the loose – here’s what to do; https://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/
Cryptolocker Mitigation Strategies Explained; http://www.windowsecurity.com/articles-tutorials/misc_network_security/cryptolocker-mitigation-strategies-explained.html
Enhanced Mitigation Experience Toolkit (EMET); https://support.microsoft.com/en-au/kb/2458544
How to prevent user to install software on windows 10; https://www.youtube.com/watch?v=N5GoNzgkm14m
Top 4 Mitigation Strategies to Protect Your ICT System; http://asd.gov.au/publications/protect/top_4_mitigations.htm
Cryptolocker virus: Australians forced to pay as latest encryption virus is 'unbreakable', security expert says; http://www.abc.net.au/news/2015-08-09/australians-paying-thousands-after-ransomware-virus-infection/6683618