This document summarizes how ransomware works and has evolved over time. It discusses the results of a recent UK poll showing that 60% of victims had backups but 65% still paid ransoms averaging £540. It then outlines the evolution of ransomware from misleading applications in 2008-2014 to crypto-ransomware beginning in 2013. The document analyzes the social engineering techniques used by ransomware like Locky and CTB-Locker and how they evade filters and antivirus. It compares spam emails to exploit kits and discusses new evasion tricks being used. The document advocates for layered security approaches and outlines minimum protections organizations should implement.
Ransomware the clock is ticking
1. How ransomware works
Mark Loman
Director, Engineering
September, 2016
James Burchell
Senior Sales Engineer
2. Recent poll on ransomware in the UK
60% had backups
65% paid the ransom
Average ransom sum £540
Loss of business productivity comes on top, exceeding the ransom
44% of businesses infected
15. Crypto-Ransomware (Targets)
• OS Disk
• Local Disk(s)
• Connected Device(s) (USB) (e.g. Backup Disk)
• Mapped Network Drive(s) (e.g. NAS / File Servers)
• Other Accessible Folders / Shared Local Network (e.g. NAS / File Servers)
• Dropbox, OneDrive
16. Social Engineering Flow (Locky ransomware, .doc)
• Attacker sends weaponized e-mail; Spam Filter failed: sender IP, reputation, content not blocked
• Inbox: Invoice.doc; Anti-Virus failed: malicious attachment not detected
• Microsoft Word: user opens malicious attachment
• Enable Macros: user enables macros
• Create and run batch file (Lah.bat)
• Run Windows Script (Cscript.exe)
• Download binary (Fail.exe); Web Filter failed: web address not blocked
• Run Fail.exe (ransomware); Anti-Virus failed: binary is obfuscated, thus unknown; continues as svchost.exe
• Negotiate encryption (C&C); Web Filter failed: communication is not blocked
• Encrypt data
• Delete Shadow Copies: removes local backups of files
• Display Ransom Note
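Detection logic for the chain above, run over constructed process-creation events (added example, not from the slides). The names Lah.bat, Cscript.exe and Fail.exe come from the slide; the file paths, the script name and the use of vssadmin.exe for the "Delete Shadow Copies" step are assumptions.

```python
"""Process-chain detection for the Locky infection flow (constructed telemetry)."""
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed sample events, not real logs: (pid, ppid, image, command line).
# Lah.bat, Cscript.exe and Fail.exe are from the slide; paths and stage.vbs are assumed.
EVENTS = [
    (100, 1,   "explorer.exe", "explorer.exe"),
    (200, 100, "outlook.exe",  "outlook.exe"),
    (300, 200, "winword.exe",  'winword.exe /n "C:\\Users\\jb\\AppData\\Local\\Temp\\Invoice.doc"'),
    (400, 300, "cmd.exe",      "cmd.exe /c C:\\Users\\jb\\AppData\\Local\\Temp\\Lah.bat"),
    (500, 400, "cscript.exe",  "cscript.exe C:\\Users\\jb\\AppData\\Local\\Temp\\stage.vbs"),
    (600, 500, "Fail.exe",     "C:\\Users\\jb\\AppData\\Local\\Temp\\Fail.exe"),
    (700, 600, "vssadmin.exe", "vssadmin.exe delete shadows"),
    (800, 100, "cmd.exe",      "cmd.exe /c dir"),   # benign: a shell started from Explorer
]


def index_events(events):
    """pid -> (ppid, lowercase image, command line), for ancestry walks."""
    return {pid: (ppid, image.lower(), cmd) for pid, ppid, image, cmd in events}


def ancestry(procs, pid):
    """Process chain from the root down to pid, as image names (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, image, _ = procs[pid]
        chain.append(image)
        pid = ppid
    return list(reversed(chain))


def detect(events):
    """Alerts (rule, chain) for three chokepoints that the flow above passes through."""
    procs = index_events(events)
    alerts = []
    for pid, (ppid, image, cmd) in procs.items():
        parent = procs[ppid][1] if ppid in procs else ""
        chain = " > ".join(ancestry(procs, pid))
        low = cmd.lower()
        # "Enable Macros" leading to "Create and run batch file" / "Run Windows Script"
        if parent in OFFICE and image in SCRIPT_HOSTS:
            alerts.append(("office_spawns_script_host", chain))
        # A script host starting a freshly downloaded binary from a user-writable path
        if parent in SCRIPT_HOSTS and image not in SCRIPT_HOSTS \
                and any(p in low for p in USER_WRITABLE):
            alerts.append(("script_host_runs_binary_from_user_path", chain))
        # "Delete Shadow Copies": the step that removes the local backups
        if image == "vssadmin.exe" and "delete" in low and "shadows" in low:
            alerts.append(("shadow_copy_deletion", chain))
    return alerts


if __name__ == "__main__":
    for rule, chain in detect(EVENTS):
        print(f"{rule}: {chain}")
```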
23. Social Engineering Flow (CTB-Locker ransomware)
• Attacker sends weaponized e-mail; Spam Filter failed: sender IP, reputation, content not blocked
• Inbox: user clicks on malicious link
• Download invoice; Web Filter failed: web address not blocked
• Web browser: automatically downloaded
• Webpage shows password
• Password protected ZIP; Anti-Virus failed: archive is new and password protected
• Open ZIP archive: user opens malicious archive; Web Filter failed: web address not blocked
• Enter password: user enters password
• Run binary: user runs malicious binary in archive; Anti-Virus failed: binary is unknown and obfuscated
• Negotiate encryption (C&C)
• Binary jumps into trusted process (Explorer.exe); Web Filter failed: communication is not blocked
• Encryption of files
28. New tricks
• Use of other accepted file extensions (e.g. .WSF, .WSH, .HTA, .PUB files)
o Bypasses filters that proactively block known dangerous (ZIP) attachments (containing e.g. .EXE, .PDF.EXE, .JS, .DOCM as extension)
• Use of a .DLL file (payload) instead of an .EXE (e.g. Locky/Zepto)
o In-memory attack; exploit attack delivers no files on the disk
o Bypasses sandbox, signature and ‘math-based, next-gen’ products
• Use of other active content in weaponized documents (no macros)
o e.g. RAA Ransomware
• Use of only trusted binaries, part of the OS (no new code on machine)
o Bypasses application whitelisting, signature & ‘math-based, next-gen’ products
• Manipulate timestamp, create extension-less copy, encrypt copy and delete original
o Cripple / shake off behavior-based monitoring
• Multi-language support by attackers, to help victims pay the ransom
o Including chat support
When people first hear about ransomware, there is always this moment of stunned disbelief. It sounds like something from a Bond movie, or dystopian fiction. You open your laptop to discover you have been locked out of all your files.
A ransom note hovers into view, written in bad English and a potpourri of fonts, explaining you have a week to pay £500 in bitcoins, otherwise you will lose access to your data forever. Really. And no amount of Genius Bar-hopping will save you.
In the last few years, ransomware has risen seemingly out of nowhere to become one of the greatest cyber threats facing organisations around the world. Ransomware spams the globe, is indiscriminate about its victims, and there is no negotiating with it, as it executes in a matter of seconds to leave organisations and their computers in lockdown.
In recent years there has been a 600% increase in the number of ransomware families, and the top six countries impacted by all types of ransomware are the US, Japan, UK, Italy, Germany & Russia.
[[But what does the situation look like in the UK today?]]
A recent study found that
44% of UK businesses have been infected with ransomware in the last 2 years.
Only 60% could react with a good backup.
65% of confronted companies paid up hoping to get their data back.
The average sum was £540, but 20% reported ransoms of more than £1,000 and 57% were given just 24 hours to pay.
With this ransomware problem growing, most organisations are concerned about the loss of productivity over anything else, estimating that it takes 33 man hours, on average, to fix the problem.
Companies are also concerned about regulations and the fallout of potential data loss, with fines from governing bodies, or the impact of the Data Protection Act or the upcoming GDPR.
The financial impact to any organisation is very much larger than the initial ransom.
[[Cybercriminals behind ransomware are constantly innovating – with more connected devices around, we can expect to see ransomware appear in new device categories than ever before]]
Also concern about regulations: Worry about fines as a result of lost data: Data Protection Act, Information Commissioner (ICO)
http://www.theregister.co.uk/2016/09/07/uk_ransomware_victim_survey/
Ransomware is designed for direct revenue generation. The 4 most prevalent direct revenue-generating risks include:
Misleading Applications (shows defects that aren’t real)
Rogue/Fake Antivirus (shows infections that aren’t real) (2008)
Locker Ransomware (locks you out of your browser or device) (2012)
Crypto-Ransomware (locks you out of your data) (2013)
Direct revenue-generating malware went through 4 major pivot points in the past decade. Each of these pivots indicates a shift from one type of malware to another, ultimately leading to ransomware.
This evolution of ransomware has been greatly influenced by a range of developments in technology, economics, security & our culture.
And like any real-life ecosystem, this threat has evolved & adapted to its surroundings to survive, and even thrive! Those that can’t or don’t adapt may eventually disappear. And this ransomware world is a great example of evolution in action, or Darwinian-style evolution at work.
The first wave of misleading applications began to appear in 2005, posing as fake spyware removal tools or performance enhancement tools. They mainly affected Windows but did also target OS X. They typically exaggerated the impact of issues, such as unused registry entries & corrupt files, & would resolve them if the user paid between £20-£60 for a license.
In reality, many of the alerts didn’t need fixing.
The next pivot point happened between 2008 & 2009, when cybercriminals switched to using fake AV. A more aggressive sub-category of misleading applications. The tools mimicked the appearance & functionality of legitimate security software & performed lightning fast mock scans, claiming to find a large number of threats & issues on the computer.
The user was then asked to pay a fee between £20-£80 to fix the problems or pay for bogus multi-year support services.
A large number of victims chose simply to ignore the alerts, or removed the software. This resulted in a much lower ROI for the cybercriminals.
So to address the fundamental weaknesses of fake AV, cybercriminals looked for new ways to make the call-to-action stronger.
Such as attacking not just Windows, but also OS X and other device categories, such as the mobile marketplace, particularly the Android ecosystem.
Then from 2011 to 2012 attackers transitioned from fake AV to a more disruptive form of extortion. This time the cybercriminals disabled access & control of the computer, effectively locking up the system from use.
In terms of ransom amounts, locker ransomware pushed up the benchmark compared to fake AV & misleading applications. A typical locker ransom came in at around £100-£200 payable through electronic cash tokens.
As locker ransomware was refined, it went from just reporting non-existent errors to actually beginning to introduce errors and problems. Eventually, it dropped any pretense of being a helpful tool to just displaying a blatant request for payment to restore access to the computer. This is because in the early days, attackers tricked victims into downloading fake tools to fix computer issues. Today, ransomware can be installed without any user interaction through drive-by-downloads.
Despite this, locker ransomware creators still continued to use social-engineering techniques to convince users to pay the ransom. The threats began to pose as law enforcement notices instead of AV software & system performance tools. They typically claimed that the user had broken the law by downloading copyrighted materials such as pirated music, movies or software, or viewing other illegal digital items such as pornographic material.
And once again, other ecosystems were targeted to increase the ROI for cybercriminals.
Android, being a much more open and permissive platform creates advantages and disadvantages for the user. The freedom to work the way you want also makes it easier for suspicious applications to spread.
Cybercriminals know how our digital lives are changing and so want to tap into this growing and potentially lucrative user base.
And these serious allegations, along with realistic-looking threats from law enforcement authorities, allowed the cybercriminals to evolve their ransom demands from being about a price for a service to a payment of a fine.
Judging by the number of law enforcement-themed ransomware families that proliferated during these years, it was clearly an effective way to make victims pay. For example, there were reports of people handing themselves over to the police after seeing charges of handling child porn appear on their screen, because they believed the law enforcement notice to be real!
[[Deficiencies in all other extortion schemes ultimately led the cybercriminals back to the original type of ransomware…]]
And this is one of the weirdest things about ransomware – it’s not new at all!
The first ransomware virus pre-dates email, even the internet as we know it, and was distributed on 5 ¼ inch floppy disks via snail mail.
Contemporary ransomware baits its victims using legitimate-looking email attachments. These disks however were masquerading as AIDS education software.
The package that greeted victims abroad (never sent within the US) was stamped by the PC Cyborg Corporation. The disk included a program that measured a person’s risk of contracting AIDS based on their responses to an interactive survey. It also contained the “AIDS” trojan, a virus that encrypted a victim’s files after they rebooted their computer a fixed number of times.
It was ultimately unsuccessful due to a number of factors. Back then, few people used PCs, the WWW was just an idea, and the internet was just used by experts in science & technology.
In the years that followed, new versions of programs seeking to extort money from users were identified, but unlike the symmetric encryption used by PC Cyborg, these newer programs employed asymmetric algorithms with increasingly longer keys.
For example, in 2005 Gpcode came to light, followed by a series of variants which then led to what I like to call…..
THE CRYPTOLOCKER YEARS!
Three years ago, one strain of ransomware known as CryptoLocker dominated the demanding-money-with-menaces malware scene.
The US Department of Justice (DoJ) suggested that the crew behind CryptoLocker raked in $27,000,000 in September and October 2013 alone, in the first two months that the malware was widely reported.
And a 2014 survey by the University of Kent in England estimated that 1 in 30 British computer users had been hit by CryptoLocker, and that 40% of those coughed up, paying hundreds of dollars each in blackmail money to recover their data.
But in mid-2014, the DoJ co-ordinated a multi-country takedown of a notorious botnet called Gameover Zeus that targeted victims while they were doing online banking.
And, would you believe it: while the cops were raiding the Gameover servers, they came across the CryptoLocker infrastructure as well, and took down those servers at the same time, pulling off a neat double play.
But any celebration about the damage done to the ransomware scene as a whole was short-lived.
A new ransomware soon appeared to fill the multi-million-dollar void left by the demise of CryptoLocker.
CryptoWall, and its close derivative CryptoDefense, were early pretenders to CryptoLocker’s throne, but many others have appeared, too.
Today, over 200 families or variants exist, for Windows, Android and even Mac OS.
When you look at the flow of a typical Locky ransomware infection, security defenses have 7 opportunities to stop the malicious encryption of your data.
Attack surface exponentially larger – lowest hanging fruit
Laptops/Desktops
Phones/Tablets
Virtual servers/desktops
Cloud servers/storage
Threats more sophisticated
Attacks are more coordinated than defenses
Volume and sophistication
Vanishing security perimeters
The rise of BYOD and personal Cloud storage are eroding the network perimeter
Social engineering – There is no patch to human stupidity!
Like footprinting, this is a very big aspect of hacking these days; it’s not something people can teach, but more of a ‘practice makes perfect’.
I love the phrase “there is no patch to human stupidity”; while I agree, this has zero to do with social engineering, as it would make you think only stupid people are stupidly engineered….
Everybody at some point in their life has been socially engineered, we have it all the time, it is not a new concept.
It comes down to how humans are built. We have this very complex and rational side to us that works and does risk assessments to determine if we should do something or should we not do it….that works fine…..but we also have these very prehistoric, very strong emotions that will sometimes flare up, and when they do, they outweigh the rational and logical side of our brain.
The way social engineering works is I want you to think emotionally, not logically. Now this doesn’t mean I have to make you angry or mad or happy with me; I can use any emotion you have, and if I can make you think emotionally, I can socially engineer you….
For the guys…..how many, when you were younger, went to a bar and bought a drink for a girl who you knew you had zero chance with, but you bought her a drink anyway – you were socially engineered.
Women, just like my wife, how many times do you go shopping and there is a sign for BOGOF; you had no plan on buying that to begin with, but it’s such a good deal that you can’t pass it up – that’s social engineering.
They are just knee-jerk reactions……I’ve been socially engineered, everybody has been socially engineered, we will continue to be in the future. We just have to understand when our emotions are taking over, be aware of this when someone tries to socially engineer us, and try to think logically and not perform knee-jerk reactions.
What is social engineering?
It’s where someone will hack the human. Where we will get you, through interacting with you, grant us access or information or do what we ask you to do.
There are different ways to do this. One of my favourites is to find a victim, let’s say a bank, do the footprinting and, during the footprinting, find email addresses of their employees and also maybe a vendor or association they are part of. What we can do is figure out who the banking association is and if they are a member. If they are, I will send an email pretending to be from the vendor or banking association; what I’m going to do is send the email sending them information about a press release which I have just downloaded from their website. The email won’t contain links, files or attachments; it is a legitimate email that goes out to all of them.
Next, an hour or a day later, I’ll send a 2nd email which will say something along the lines of: a hacker was sending phishing emails out via our email address, and if you received any of the below emails (one being the title of the one I sent), with a message saying that if you opened the email it contained an attack that would give the hacker remote access, destroy the hard drive, etc, etc (it’s not going to be technically realistic, but they never usually are), we’ve been told it’s 100% undetectable; however, our tech support has found an online scanner that can detect it. If you want to go there you can go there. What we do is set up a phishing site that is an online scanner, and when they click “scan now” it installs the trojan. What gets them there is the emotion of “oh crap, I just infected my machine, I don’t want to get caught or in trouble with IT, I’ll just clean this up and I won’t have anything to worry about”…….what we’ve done there is taken that emotion and got you to worry about it rather than logically think about it.
Social engineering is the art of convincing people to reveal confidential information.
Social engineers depend on the fact that people are unaware of the valuable information and are careless about protecting it.
On-site social engineering: people always assume that someone else is taking care of security; walking around knowing where you are, if you look like you’re meant to be there, people generally tend not to question you.
Factors that make companies vulnerable to attacks – people often think it’s just up to IT to enforce security, and so lack appropriate security training and often have easy access to information.
Which one is real, which one is fake?
But attackers also try to keep the malicious binary out of the weaponized e-mail. Instead, they include a malicious weblink to a webpage they have under their control, so they can serve any content they want. In this case, the attackers even went as far as to include a password, so the
When trying to understand the reasons for this divergence, we must try to understand the relative merits of each main infection vector.
SPAM
Spray and pray
Campaigns generally cheap
A relatively unsophisticated means of delivering malware.
Renting time on a spam botnet is inexpensive and social engineering must be used
Approach is remarkably effective, especially when the email lures are carefully crafted
Benefit: a fully patched machine can still be infected.
Social Engineering
Malicious e-mail attachment:
Executable in archive (e.g. invoice.zip)
Executable in password protected archive
Executable with double extension (e.g. invoice.pdf.exe in invoice.zip)
Microsoft Office document with malicious VBA macro (.doc, .docm, .xls, .pub) dropping .EXE
Windows Script in archive (e.g. invoice.JS) dropping .EXE, .DLL
Malicious link to download, or imitated (fake copy) of trusted website
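An attachment policy check that covers the lure types listed above and the "new tricks" extensions from slide 28, as an added example (not Sophos code and not from the slides). The extension sets, the block/quarantine/allow policy and the sample ZIP contents are assumptions constructed for the example.

```python
"""Attachment gate for the e-mail lures on this page (constructed example)."""
import io
import zipfile

# Extensions Windows runs on double-click, including the "new tricks" ones the
# slides list (.wsf, .wsh, .hta) that filters keyed only on .exe/.js miss.
EXECUTABLE_EXTS = {"exe", "dll", "scr", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "wsh", "hta", "ps1"}
# Office formats that can carry VBA macros (.pub included, as the slides note).
MACRO_DOC_EXTS = {"doc", "dot", "docm", "dotm", "xls", "xlsm", "pub", "pptm"}
# Extensions a user reads as harmless; an executable extension after one of
# these is the invoice.pdf.exe double-extension lure from the slide.
DECOY_EXTS = {"pdf", "txt", "jpg", "png", "doc", "xls", "html"}


def _exts(name):
    """All extension parts of a filename, lowercase: 'a.PDF.exe' -> ['pdf', 'exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_name(name):
    """Findings for one filename (attachment or archive member) from the name alone."""
    findings = []
    exts = _exts(name)
    if not exts:
        return findings
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable or script extension .{last}")
    if last in MACRO_DOC_EXTS:
        findings.append(f"macro-capable document .{last}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in EXECUTABLE_EXTS:
        findings.append(f"double extension .{exts[-2]}.{last}")
    return findings


def classify_attachment(name, members=(), encrypted=False):
    """Verdict ('block', 'quarantine', 'allow') plus findings. 'members' are the
    names inside an archive; 'encrypted' means a member is password protected."""
    findings = classify_name(name)
    for m in members:
        findings += [f"{f} inside archive ({m})" for f in classify_name(m)]
    if encrypted:
        findings.append("password-protected archive; content cannot be inspected")
    if any("executable" in f or "double extension" in f for f in findings):
        return "block", findings
    if findings:  # macro documents and opaque archives go to a sandbox or a human
        return "quarantine", findings
    return "allow", findings


def scan_zip_bytes(data):
    """Member names and the per-entry encryption flag (general purpose bit 0) of a ZIP."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        return [zi.filename for zi in infos], any(zi.flag_bits & 0x1 for zi in infos)


def verdict(name, data=None):
    """Check one attachment; pass the raw bytes as 'data' when it is a ZIP."""
    if data is not None and _exts(name)[-1:] == ["zip"]:
        members, encrypted = scan_zip_bytes(data)
        return classify_attachment(name, members, encrypted)
    return classify_attachment(name)


def build_zip(members):
    """Constructed sample ZIP with placeholder bodies (no real payloads inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for m in members:
            zf.writestr(m, b"placeholder body")
    return buf.getvalue()


if __name__ == "__main__":
    print(verdict("invoice.zip", build_zip(["invoice.pdf.exe"])))
```

Python's zipfile cannot write password-protected entries, so the encrypted case is exercised by passing encrypted=True to classify_attachment directly.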
Russian Lurk gang – Neutrino gang – AlphaCrypt doesn’t need C&C
Exploit kits
Do not require interaction from the victim
Requires vulnerable software to be installed.
More expensive if rented, or more complicated to setup and administer if hosted by the customer.
Angler: an all-too-well-known exploit kit
Grown in notoriety since mid 2014
Detects security products and virtual machines
Ability to spread many infections: banking Trojans, backdoor, rootkits, ransomware
Easy to use
Doesn’t require any particular technical competence
Available for a few thousand USD on the Dark Web
Exploits
Silent infection (no user-interaction) that abuse unpatched or 0day vulnerabilities:
through malvertising,
or compromised trusted website
Both mechanisms have their pros and cons but we can see through the prevalence of these ransomware families that both are highly successful.
We don’t live in a perfect world
Patch Tuesday vs exploit Wednesday
Tue = perfect world
Wed = what really happens
You can’t patch stupid
But what are the vulnerabilities?
Flaws
A flaw is unintended functionality. This may either be a result of poor design or through mistakes made during implementation. Flaws may go undetected for a significant period of time. The majority of common attacks we see today exploit these types of vulnerabilities. In the last twelve months nearly 8,000 unique and verified software vulnerabilities were disclosed in the US National Vulnerability Database (NVD).
Features
A feature is intended functionality which can be misused by an attacker to breach a system. Features may improve the user’s experience, help diagnose problems or improve management, but they can also be exploited by an attacker. When Microsoft introduced macros into their Office suite in the late 1990s, macros soon became the vulnerability of choice with the Melissa worm in 1999 being a prime example. Macros are still exploited today; the Dridex banking Trojan that was spreading in late 2014 relies on spam to deliver Microsoft Word documents containing malicious macro code, which then downloads Dridex onto the affected system. JavaScript, widely used in dynamic web content, continues to be used by attackers. This includes diverting the user’s browser to a malicious website and silently downloading malware, and hiding malicious code to pass through basic web filtering.
User error
A computer or system that has been carefully designed and implemented can minimise the vulnerabilities of exposure to the Internet. Unfortunately, such efforts can be easily undone (for example by an inexperienced system administrator who enables vulnerable features, fails to fix a known flaw, or leaves default passwords unchanged). More generally, users can be a significant source of vulnerabilities. They make mistakes, such as choosing a common or easily guessed password, or leave their laptop or mobile phone unattended. Even the most cyber aware users can be fooled into giving away their password, installing malware, or divulging information that may be useful to an attacker (such as who holds a particular role within an organisation, and their schedule). These details would allow an attacker to target and time an attack appropriately.
Nowadays a combination of the above
Security Solution requirements
You can learn about these other security technologies in the other breakout sessions. Don’t miss the anti-ransomware presentation.
Best practices
Backup regularly and keep a recent backup copy off-site.
Don’t enable macros in document attachments received via email.
Be cautious about unsolicited attachments.
Don’t give yourself more login power than you need.
Consider installing the Microsoft Office viewers.
Patch early, patch often.
Configure your security products correctly.
Educate
Think before you click
Verify the call – check
Passphrases not Passwords – you don’t need leet speak to have a good password.
Employee awareness & training
Sophos IT Security Dos and Don’ts
Sophos Threatsaurus
Encrypt company data
It doesn’t stop the ransomware but prevents damage caused by sensitive documents getting into the wrong hands
Use security analysis tools
If an infection does occur, it’s vital that the source is identified and contained ASAP.
Final Einstein Quote:
“Weak people revenge. Strong people forgive. Intelligent people ignore.” – Albert Einstein