Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Ransomware the clock is ticking
Similaire à Ransomware the clock is ticking (20)
Dernier
Dernier (20)
Ransomware the clock is ticking
- 1. How ransomware works Mark Loman Director, Engineering September, 2016 James Burchell Senior Sales Engineer
- 2. Recent poll on ransomware in the UK 60% had backups 65% paid the ransom Average ransom sum £540 Loss of business productivity comes on top, exceeding ransom 44% of businesses infected
- 11. Ransomware (AIDS / PC Cyborg) (1989)
- 14. .CryptoHasYou., 777, 7ev3n, 7h9r, 8lock8, Alfa Ransomware, Alma Ransomware, Alpha Ransomware, AMBA, Apocalypse, ApocalypseVM, AutoLocky, BadBlock, BaksoCrypt, Bandarchor, Bart, BitCryptor, BitStak, BlackShades Crypter, Blocatto, Booyah, Brazilian, BrLock, Browlock, Bucbi, BuyUnlockCode, Cerber, Chimera, CoinVault, Coverton, Cryaki, Crybola, CryFile, CryLocker, CrypMIC, Crypren, Crypt38, Cryptear, CryptFile2, CryptInfinite, CryptoBit, CryptoDefense, CryptoFinancial, CryptoFortress, CryptoGraphic Locker, CryptoHost, CryptoJoker, CryptoLocker, Cryptolocker 2.0, CryptoMix, CryptoRoger, CryptoShocker, CryptoTorLocker2015, CryptoWall 1, CryptoWall 2, CryptoWall 3, CryptoWall 4, CryptXXX, CryptXXX 2.0, CryptXXX 3.0, CryptXXX 3.1, CTB-Faker, CTB-Locker, CTB-Locker WEB, CuteRansomware, DeCrypt Protect, DEDCryptor, DetoxCrypto, DirtyDecrypt, DMALocker, DMALocker 3.0, Domino, EDA2 / HiddenTear, EduCrypt, El-Polocker, Enigma, FairWare, Fakben, Fantom, Fonco, Fsociety, Fury, GhostCrypt, Globe, GNL Locker, Gomasom, Goopic, Gopher, Harasom, Herbst, Hi Buddy!, Hitler, HolyCrypt, HydraCrypt, iLock, iLockLight, International Police Association, JagerDecryptor, Jeiphoos, Jigsaw, Job Crypter, KeRanger, KeyBTC, KEYHolder, KimcilWare, Korean, Kozy.Jozy, KratosCrypt, KryptoLocker, LeChiffre, Linux.Encoder, Locker, Locky, Lortok, LowLevel04, Mabouia, Magic, MaktubLocker, MIRCOP, MireWare, Mischa, MM Locker, Mobef, NanoLocker, Nemucod, NoobCrypt, Nullbyte, ODCODC, Offline ransomware, OMG! Ransomware, Operation Global III, PadCrypt, Pclock, Petya, PizzaCrypts, PokemonGO, PowerWare, PowerWorm, PRISM, R980, RAA encryptor, Radamant, Rakhni,, Rannoh, Ransom32, RansomLock, Rector, RektLocker, RemindMe, Rokku, Samas-Samsam, Sanction, Satana, Scraper, Serpico, Shark, ShinoLocker, Shujin, Simple_Encoder, SkidLocker / Pompous, Smrss32, SNSLocker, Sport, Stampado, Strictor, Surprise, SynoLocker, SZFLocker, TeslaCrypt 0.x - 2.2.0, TeslaCrypt 3.0+, TeslaCrypt 4.1A, TeslaCrypt 4.2, Threat Finder, TorrentLocker, TowerWeb, Toxcrypt, Troldesh, TrueCrypter, Turkish Ransom, UmbreCrypt, Ungluk, Unlock92, VaultCrypt, VenusLocker, Virlock, Virus-Encoder, WildFire Locker, Xorist, XRTN, Zcrypt, Zepto, Zimbra, Zlader / Russian, Zyklon 200 Crypto-Ransomware Families
- 15. OS Disk Local Disk(s) Connected Device(s) (USB) (e.g. Backup Disk) Mapped Network Drive(s) (e.g. NAS / File Servers) Other Accessible Folders / Shared Local Network (e.g. NAS / File Servers) Dropbox OneDrive Crypto-Ransomware (Targets)
- 16. Social Engineering Flow (Locky ransomware, .doc) Attacker sends weaponized e-mail Spam Filter failed Inbox Invoice.doc Anti-Virus failed Microsoft Word Enable Macros Create and run batch file Run Windows Script Web Filter failed Download binary Anti-Virus failed Run Fail.exe (ransomware) Web Filter failed Negotiate encryption (C&C) Encrypt data Delete Shadow Copies Display Ransom Note Sender IP, reputation, content not blocked Malicious attachment not detected User opens malicious attachment User enables macros Lah.bat Cscript.exe Fail.exe Web address not blocked Binary is obfuscated thus unknown Continues as svchost.exe Communication is not blocked Removes local backups of files
- 17. Social Engineering Flow (Locky ransomware, .docm)
- 18. ”The State of the Nation” Security Overview Today’s approach to IT Security is Falling Behind.
- 19. “Two things are infinite: The universe and human stupidity, and I’m not so sure about the former.” - Albert Einstein
- 20. What is social engineering?
- 23. Social Engineering Flow (CTB-Locker ransomware) Attacker sends weaponized e-mail Spam Filter failed Inbox Download invoice Web Filter failed Web browser Webpage shows password Password protected ZIP Open ZIP archive Web Filter failed Enter password Run binary Negotiate encryption (C&C) Binary jumps into trusted process Web Filter failed Encryption of files Sender IP, reputation, content not blocked Web address not blocked User clicks on malicious link Automatically downloaded User opens malicious archive User enters password Web address not blocked User runs malicious binary in archive Communication is not blocked Anti-Virus failed Binary is unknown and obfuscated Explorer.exe Anti-Virus failed Archive is new and password protected
- 24. Comparison: Spam vs Exploit Kits Why email?
- 25. © 2014 Rebeccarawrr. Licensed under CC-BY Comparison: Spam vs Exploit Kits Angler revenue in a day 90,000 victims 9,000 served exploits 40% success rate 62% of infections delivered Ransomware
- 26. Understanding vulnerabilities User error Flaws Features © The Preiser Project, Licensed under CC-BY
- 27. DEMO
- 28. New tricks • Use of other accepted file extensions (e.g. .WSF, .WSH, .HTA, .PUB files) o Bypasses filters that proactively block known dangerous (ZIP) attachments (containing e.g. .EXE, .PDF.EXE, .JS, .DOCM as extension) • Use of a .DLL file (payload) instead of an .EXE (e.g. Locky/Zepto) o In-memory attack; exploit attack delivers no files on the disk o Bypasses sandbox, signature and ‘math-based, next-gen’ products • Use of other active content in weaponized documents (no macros) o e.g. RAA Ransomware • Use of only trusted binaries, part of the OS (no new code on machine) o Bypasses application whitelisting, signature & ‘math-based, next-gen’ products • Manipulate timestamp, create extension-less copy, encrypt copy and delete original o Cripple / shake off behavior-based monitoring • Multi-language support by attackers, to help victims pay the ransom o Including chat support
- 29. Cerber crypto-ransomware • Ransomware-as-a-service • Localized e-mail and chat support • Audio warning
- 30. Enhancing layered security Synchronized Security As a minimum you should: • Deploy antivirus protection • Block spam • Use a sandboxing solution • Block risky file extensions (javascript, vbscript, chm etc…) • Password protect archive files • Use URL filtering (block access to C&C servers) • Use HTTPS filtering • Use HIPS (host intrusion prevention service) & other signature-less technologies • Activate your client firewalls • Use a whitelisting solution
- 31. ”Additional Steps” Reducing the threat Use Security Analysis Tools Education Encrypt Company Data
- 32. 32
Notes de l'éditeur
- When people first hear about ransomware, there is always this moment of stunned disbelief. It sounds like something from a bond movie, or dystopian fiction. You open your laptop to discover you have been locked out of all your files. A ransom note hovers into view, written in bad english and a potpourri of fonts, explaining you have a week to pay £500 in bitcoins otherwise you will lose access to your data forever. Really. And no amount of genius bar-hopping will save you. In the last few years, ransomware has risen seemingly out of nowhere to become one of the greatest cyber threats facing organisations around the world. Ransomware spams the globe, is indiscriminate about its victims, and there is no negotiating with it as it executes in a matter of seconds to leave organisations & their computers on lock down. In recent years there has been a 600% increase in the number of ransomware families, and the top six countries impacted by all types of ransomware are the US, Japan, UK, Italy, Germany & Russia. [[But what does the situation look like in the UK today?]]
- A recent study found that 44% of UK businesses have been infected with ransomware in the last 2 years. Only 60% could react with a good backup. 65% of confronted companies paid up hoping to get their data back. The average sum was £540, but 20% reported ransoms of more than £1,000 and 57% were given just 24 hours to pay. With this ransomware problem growing, most organisations are concerend about the loss of productivity over anything else, estimating that it takes 33 man hours, on average, to fix the problem. Companies are also concerned about regulations and the fall out of potential data loss with fines from governing bodies, or the impact of the data protection act or upcoming GDPR. The financial impact to any organisation is very much larger than the initial ransom. [[Cybercriminals behind ransomware are constantly innovating – with more connected devices around, we can expect to see ransomware appear in new device categories than ever seen before]] Also concern about regulations: Worry about fines as a result of lost data: Data Protection Act, Information Commissioner (ICO) http://www.theregister.co.uk/2016/09/07/uk_ransomware_victim_survey/
- Ransomware is designed for direct revenue generation. The 4 most prevalent direct revenue-generating risks include: Misleading Applications (shows defects that aren’t real) Rogue/Fake Antivirus (shows infections that aren’t real) (2008) Locker Ransomware (locks you out of your browser or device) (2012) Crypto-Ransomware (locks you out of your data) (2013) Direct revenue-generating malware went through 4 major pivot points in the past decade. Each of these pivots indicates a shift from 1 type of malware to another, ultimately leading to ransomware. This evolution of ransomware has been greatly influenced by a range of developments in technology, economics, security & our culture. And like any real life ecosystem, this threat has evolved & adapted to its surroundings to survive, and even thrive! Those that can’t or don’t adopt may eventually dissapear. And this ransomware world is a great example of evolution in action, or darwinian-style evolution at work.
- The first wave of misleading applications began to appear in 2005. Posing as fake spyware removal tools, or performance enhancement tools. Mainly affected windows but did also target OS X. Typically exaggerated the impact of issues, such as unused registry entries & corrupt files & would resolve them if the user paid between £20-£60 for a license. In reality, many of the alerts didn’t need fixing.
- The next pivot point happened between 2008 & 2009, when cybercriminals switched to using fake AV. A more aggressive sub-category of misleading applications. The tools mimicked the appearance & functionality of legitimate security software & performed lightning fast mock scans, claiming to find a large number of threats & issues on the computer. The user was then asked to pay a fee between £20-£80 to fix the problems or pay for bogus multi-year support services.
- A large number of victims chose simply to ignore the alerts, or removed the software. This resulted in a much lower ROI for the cybercriminals. So to address the fundamental weaknesses of fake AV, cybercriminals looked for new ways to make the call-to-action stronger.
- Such as attacking not just windows, but also OS X and other device categories, such as the mobile market place, particularly the Android ecosystem.
- Then from 2011 to 2012 attackers transitioned from fake AV to a more disruptive form of extortion. This time the cybercriminals disabled access & control of the computer, effectively locking up the system from use. In terms of ransom amounts, locker ransomware pushed up the benchmark compared to fake AV & misleading applications. A typical locker ransom came in at around £100-£200 payable through electronic cash tokens.
- As locker ransomware was refined, it went from just reporting non-existent errors to actually beginning to introduce errors and problems. Eventually, it dropped any pretense of being a helpful tool to just displaying a blatant request for payment to restore access to the computer. This is because in the early days, attackers tricked victims into downloading fake tools to fix computer issues. Today, ransomware can be installed without any user interaction through drive-by-downloads. Despite this, locker ransomware creators still continued to use social-engineering techniques to convince users to pay the ransom. The threats began to pose as law enforcement notices instead of AV software & system performance tools. They typically claimed that the user had broken the law by downloading copyrighted materials such as pirated music, movies or software, or viewing other illegal digital items such a pornographic material.
- And once again, other ecosystems were targeted to increase the ROI for cybercriminals. Android, being a much more open and permissive platform creates advantages and disadvantages for the user. The freedom to work the way you want also makes it easier for suspicious applications to spread. Cybercriminals know how our digital lives are changing and so want to tap into this growing and potentially lucrative user base. And these serious allegations, along with realistic-looking threats from law enforcement authorities, allowed the cybercriminals to evolve their ransom demands from being about a price for a service to a payment of a fine. Judging by the number of law enforcement-themed ransomware that proliferated during these years, it was clearly an effective way to make victims pay. For example, there were reports of people handing themselves over to the police after seeing the charges of handling child porn appear on their screen because they believed the faced law enforcement to be real! [[Deficiencies in all other extortion schemes ultimately led the cybercriminals back to the original type of ransomware…]]
- And this is one of the weirdest things about ransomware – its not new at all! The first ransomware virus pre-dates email, even the internet as we know it, and was distributed on 5 ¼ floppy disks via snail mail. Contempory ransomware baits its victims using legitimate-looking email attachments. These disks however were masquerading as: AIDS education software. The package that greeted victims abroad (never sent within the US) were stamped by PC Cyborg corporation. The disk included a program that measured a persons risk of contracting AIDS based on their responses to an interactive survey. It also contained the “AIDS” trojan, a virus that encrypted a victims files after they rebooted their computer a fixed number of times. It was ultimately unsuccessful due to a number of factors. Back then, few people used PC’s & www was just an idea, plus the internet was just used by experts in science & technology.
- In the years that followed, new versions of programs seeking to extort money from users were identified, but unlike the symmetric encryption used by PC Cyborg, these newer programs employed asymmetric algorithms with increasingly longer keys. For example, in 2005 Gpcode came to light, followed by a series of variants which then led to what I like to call…..
- THE CRYPTOLOCKER YEARS! Three years ago, one strain of ransomware known as CryptoLocker dominated the demanding-money-with-menaces malware scene. The US Department of Justice (DoJ) suggested that the crew behind CryptoLocker raked in $27,000,000 in September and October 2013 alone, in the first two months that the malware was widely reported. And a 2014 survey by the University of Kent in England estimated that 1 in 30 British computer users had been hit by CryptoLocker, and that 40% of those coughed up, paying hundreds of dollars each in blackmail money to recover their data. But in mid-2014, the DoJ co-ordinated a multi-country takedown of a notorious botnet called Gameover Zeus that targeted victims while they were doing online banking. And, would you believe it: while the cops were raiding the Gameover servers, they came across the CryptoLocker infrastructure as well, and took down those servers at the same time, pulling off a neat double play. But any celebration about the damage done to the ransomware scene as a whole was short-lived. A new ransomware soon appeared to fill the multi-million-dollar void left by the demise of CryptoLocker. CryptoWall, and its close derivative CryptoDefense, were early pretenders to CryptoLocker’s throne, but many others have appeared, too.
- Today, over 200 families or variants exists, for both Windows, Android and even Mac OS
- When you look at the flow of a typical Locky ransomware infection, security defenses have 7 opportunities to stop the malicious encryption of your data.
- When you look at the flow of a typical Locky ransomware infection, security defenses have 7 opportunities to stop the malicious encryption of your data.
- Attack surface exponentially larger – lowest hanging fruit Laptops/Desktops Phones/Tablets Virtual servers/desktops Cloud servers/storage Threats more sophisticated Attacks are more coordinated than defenses Volume and sophistication Vanishing security perimeters The rise of BYOD and personal Cloud storage are eroding the network perimeter
- Social engineering – There is no patch to human stupidity! Like footprinting this is a very big aspect of hacking these days, its not something people can teach, but more of a ‘practice makes perfect’. I love the phrase there is no patch to human stupidity, while I agree, this has zero to do with social engineering as it would make you think only stupid people are stupidly engineered…. Everybody at some point in their life has been socially engineered, we have it all the time, it is not a new concept. It comes down to how humans are built, we have this very complex and rational side to us that works and does risk assessments to determine if we should do something or should we not do it….that works fine…..but we also have these very prehistoric very strong emotions that will sometimes flare up, and when they do, they outweight the rational and logical side of our brain. The way social engineering works is I want you to think emotionally, not logically. Now this doesn’t mean I have to make you angry or mad or happy with me, I can use any emotion you have, and if I can make you think emotionally, I can socially engineer you…. For the guys…..how many when you were younger went to a bar and bought a drink for a girl who you knew you never knew you had zero chance with, but you bought her a drink anyway – you were socially engineerd. Women, just like my wife, how many times do you go shopping and there is a sign for BOGOF, you had no plan on buying that to begin with but its such a good deal that you can’t pass it up – that’s social engineer. They are just knee-jerk reactions……I’ve been socially engineered, everybody has been socially engineered, we will continue to be in the future. We just have to understand when our emotions are taking over and be aware of this when someone tries to socialy engineer us and try to think logically and not perform knee-jerk reactions.
- What is social engineering? It’s where someone will hack the human. Where we will get you, through interacting with you, grant us access or information or do what we ask you to do. Different ways to do this. One of my favourite is to find a victim, lets say a bank, do the footprinting and during the footprinting find email addresses of their employees and also maybe a vendor or association they are part of, what we can do is figure out who the banking association is and if they are a member. If they are, I will send an email pretending to be from the vendor or banking association, what I’m going to do is send the email sending them information about a press release which I have just downloaded from their website. The email won’t contain links, files, attachments, it is a legitimate email that goes out to all of them. Next, an hour or day later, I’ll send a 2nd email which will say something along the lines of that a hacker was sending fishing emails out via our email address and if you received any of the below emails, one being the title of the one I sent, with a message saying that if you opened the email it contained an attack that would give the hacker remote access, destroy the hard drive, etc, etc its not going to be technically realistic but they never usually are, we’ve been told its 100% undetectable however our tech support has found an onine scanner that can detect it. If you want to go there you can go there. What we do is setup a fishing site is an online scanner and when they click scan now it installs the trojan. What gets them there is the emotion of “oh crap, I just infected my machine, I don’t want to get caught or in trouble with IT, I’ll just clean this up and I won’t have anything to worry about”…….what we’ve done there is taken that emotion and got you to worry about it rather than logically think about it. Social engineering is the art of convincing people to reveal confidential information. Social engineers depend on the fact that people are unaware of the valuable information and are careless about protecting it. On-site social engineering, people always assume that someone else is taking care of security, walking around knowing where you are, if you look like your meant to be there people generally tend to not question you. Factors that make companies vulnerable attacks – people often think its just up to IT to enforce security and so lack appropriate security training and often have easy access of information.
- Which one is real, which one is fake?
- Which one is real, which one is fake?
- But attackers also try to keep the malicious binary out of the weaponized e-mail. Instead, they include a malicious weblink to a webpage they have under control, so they can service any content they want. In this case, the attackers even went as far to include a password, so the
- When trying to understand the reasons for this divergence, we must try to understand the relative merits of each main infection vector. SPAM Spray and pray Campaigns generally cheap relatively unsophisticated means of delivering malware. Renting time on a spam botnet is inexpensive and social engineering must be used Approach is remarkably effective, especially when the email lures are carefully crafted benefit that a fully-patched machine can still be infected. Social Engineering Malicious e-mail attachment: Executable in archive (e.g. invoice.zip) Executable in password protected archive Executable with double extension (e.g. invoice.pdf.exe in invoice.zip) Microsoft Office document with malicious VBA macro (.doc, .docm, .xls, .pub) dropping .EXE Windows Script in archive (e.g. invoice.JS) dropping .EXE, .DLL Malicious link to download, or imitated (fake copy) of trusted website
- https://www.sketchport.com/drawing/5007498863968256/angler-fish-s-smile Russion Lurk Gang – Nutrino gang. – Alpha crypt doesn’t need c&c Exploit kits Do not require interaction from the victim Requires vulnerable software to be installed. More expensive if rented, or more complicated to setup and administer if hosted by the customer. Angler: an all-too-well-known exploit kit Grown in notoriety since mid 2014 Detects security products and virtual machines Ability to spread many infections: banking Trojans, backdoor, rootkits, ransomware Easy to use Doesn’t require any particular technical competence Available for a few thousand USD on the Dark Web Exploits Silent infection (no user-interaction) that abuse unpatched or 0day vulnerabilities: through malvertising, or compromised trusted website Both mechanisms have their pros and cons but we can see through the prevalence of these ransomware families that both are highly successful.
- We don’t live in a perfect world Patch Tuesday vs exploit Wednesday Tue = perfect world Wed = what really happens You can’t patch stupid But what are the vulnerabilities? Flaws A flaw is unintended functionality. This may either be a result of poor design or through mistakes made during implementation. Flaws may go undetected for a significant period of time. The majority of common attacks we see today exploit these types of vulnerabilities. In the last twelve months nearly 8,000 unique and verified software vulnerabilities were disclosed in the US National Vulnerability Database (NVD). Features A feature is intended functionality which can be misused by an attacker to breach a system. Features may improve the user’s experience, help diagnose problems or improve management, but they can also be exploited by an attacker. When Microsoft introduced macros into their Office suite in the late 1990s, macros soon became the vulnerability of choice with the Melissa worm in 1999 being a prime example. Macros are still exploited today; the Dridex banking Trojan that was spreading in late 2014 relies on spam to deliver Microsoft Word documents containing malicious macro code, which then downloads Dridex onto the affected system. JavaScript, widely used in dynamic web content, continues to be used by attackers. This includes diverting the user’s browser to a malicious website and silently downloading malware, and hiding malicious code to pass through basic web filtering. User error A computer or system that has been carefully designed and implemented can minimise the vulnerabilities of exposure to the Internet. Unfortunately, such efforts can be easily undone (for example by an inexperienced system administrator who enables vulnerable features, fails to fix a known flaw, or leaves default passwords unchanged). More generally, users can be a significant source of vulnerabilities. They make mistakes, such as choosing a common or easily guessed password, or leave their laptop or mobile phone unattended. Even the most cyber aware users can be fooled into giving away their password, installing malware, or divulging information that may be useful to an attacker (such as who holds a particular role within an organisation, and their schedule). These details would allow an attacker to target and time an attack appropriately. https://www.flickr.com/photos/thepreiserproject/12102280105/
- Nowadays a combination of the above
- Nowadays a combination of the above
- Security Solution requirements You can learn about these other security technologies in the other breakout sessions. Don’t miss the anti-ransomware presentation. Best practices Backup regularly and keep a recent backup copy off-site. Don’t enable macros in document attachments received via email. Be cautious about unsolicited attachments. Don’t give yourself more login power than you need. Consider installing the Microsoft Office viewers. Patch early, patch often. Configure your security products correctly.
- Educate Think before you click Verify the call – check Passphrases not Passwords – you don’t need to leet speak to have a good password. Employee awareness & training Sophos IT Security Dos and Don’ts Sophos Threatsaurus Encrypt company data It doesn’t stop the ransomware but prevents damage caused by sensitive documents getting into the wrong hands Use security analysis tools If an infection does occur, it’s vital that the source is identified and contained ASAP. Final Einstein Quote: “Weak people revenge. Strong people forgive. Intelligent people ignore.” – Albert Einstein