3. Overview of Ransomware
•Infection vectors and Targeted Files
•New Techniques used by Ransomware
How Seqrite protects against WannaCry
Overview of WannaCry Ransomware
•How WannaCry Propagates
4. Digital extortion
Encrypts files with a password, stopping from opening them
• Lock screen
Uses a full-screen image or webpage to stop from accessing anything on
Overview of Ransomware
5. • Email attachments
• Phishing links
• Part of another malware's payload
• Delivered by an exploit kit
• Through Vulnerabilities found in:
• Plug-ins (like Adobe, Flash Player)
• Operating System
6. Office files PDF files Database files
Images & Drawings Games files
7. Payment Mechanisms
SMSs or phone calls
payment – Ukash,
My Cash Cards
Bitcoins – virtual
currency which makes
it difficult to trace the
actual recipient of the
8. New Techniques used by Ransomwares
• RDP (Remote Desktop) – Brute Force Attacks
• Exploiting Server Vulnerabilities
• Hooking to popular Third Party Software/Tools
10. WannaCry Ransomware
• The ransomware, WannaCry, uses an exploit named EternalBlue
Server Message Block (SMB) Vulnerability [MS17-010–Critical] to
infect computers running versions of Windows operating systems.
• EternalBlue was first made public in April 2017 after Shadow
Brokers released a bunch of exploits and hacking tools developed
by the US NSA.
• Microsoft released a patch for the EternalBlue exploit just a few
weeks before Shadow Brokers made the NSA-developed
vulnerability's existence public.
• In addition to ‘EternalBlue’, ‘EternalRomance’ and
‘EternalSynergy’ were also addressed by Microsoft as part of
security bulletin MS17-010.
11. How does WannaCry Propagate?
• What makes it lethal is the combination of a Worm with
• Generates list of:
• Internal IPs [Local Network]
• Random IPs [Internet/External Networks]
12. WannaCry Ransomware
• After successful exploitation, it adds the below files to the system:
• WannaCry adds below malicious registry entries to make persistence into
the system, so that it could launch the infection after each system reboot:
• WannaCry then encrypts all the data on the system by changing file
extension names to '.WNCRY'.
• The ransomware then displays a window informing users that their files
have been encrypted and that they can be recovered in lieu of a payment
made in bitcoins. The window is accompanied by two timers:
• one counting down to a certain time after which the ransom amount
will be doubled.
• other warns of the time after which users' files will be lost.
13. • Commonly used office file extensions (.ppt, .doc, .docx, .xlsx).
• Archives (.zip, .rar, .tar)
• Emails and email databases (.eml, .msg, .ost, .pst).
• Database files (.sql, .sqlitedb, .accdb, .mdb, .dbf, .odb, .myd).
• Media files like image, audio and video (.jpeg, .mp4.,mpeg)
• Graphic designers, artists and photographers files (.vsd, .odg, .raw,
.nef, .svg, .psd).
• Virtual machine files (.vmx, .vmdk, .vdi).
• Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg,
• Developers' sourcecode and project files (.php, .java, .cpp, .pas,
23. Key Highlights
The feature requires Seqrite product to be already installed and activated. It is
downloaded as part of updates and no specific user action is required.
Backup and Restore feature is lightweight and works seamlessly in the background
to back-up your data without any performance overheads.
It automatically and periodically (multiple times in a day), takes incremental
backup of all your important and well-known file formats - PDF, Microsoft Office ,
Open Office files.
Keeps a backup of your files on the local drive itself and at no point this data is
either shared or transferred to Seqrite cloud.
To restore data Seqrite Technical Support provides all assistance.
Backup and Restore
25. MS17-010 Security Updates
Apply Security Update for Microsoft Windows SMB Server :
# ‘Windows XP SP3’ ‘KB4012598’
# 'Windows Vista', 'KB4012598'
# 'Windows 7', 'KB4012212', 'KB4012215'
# 'Windows 8.1', 'KB4012213', 'KB4012216'
# 'Windows 10', 'KB4012606'
# 'Windows 10 Version 1511', 'KB4013198'
# 'Windows 10 Version 1607', 'KB4013429'
# 'Windows Server 2008', 'KB4012598'
# 'Windows Server 2008 R2', 'KB4012212', 'KB4012215'
# 'Windows Server 2012', 'KB4012214', 'KB4012217'
# 'Windows Server 2012 R2', 'KB4012213', 'KB4012216'
# 'Windows Server 2016', 'KB4013429'
26. • Apply the latest security updates released by Quick Heal/Seqrite.
• Disable SMB service (running on port 445) if not used.
• Use strong and unique passwords.
• Disable RDP or change the default RDP port number.
• 2-Factor Authentication for Remote Services
• Configure Account Lockout Policies
• Disable Macros in Microsoft Office via Group Policy
• Configure password protection for your security software
27. • Ensure that Windows Update is enabled to automatically download and
apply regular security updates. Also ensure that your system has the
latest Windows security patches installed. Also apply updates for
important software which is regularly targeted, such as:
• Microsoft Office
• Adobe Acrobat Reader
• Web browsers like Internet Explorer, Chrome, Firefox, Opera etc
• Adobe Flash Player
Applying important software updates
28. • It is very important to understand the need for data backup policies
for all your important data.
• It is highly recommended that you periodically backup your important
data using the right combination of ONLINE and OFFLINE backups.
• Do not keep offline backups connected to your system as this data
could be encrypted in case of an infection.
Regular backup of important data
29. 1. Keep strong passwords for login accounts and network shares.
2. Do not open and execute attachments received from unknown
senders. Cybercriminals use ‘Social Engineering’ techniques to allure
users to open attachments or to click on links containing malware.
3. Avoid downloading software from untrusted P2P or torrent sites. At
times, they are Trojanized with malicious software.
4. Do not download cracked software as they could propagate the
added risk of opening a backdoor entry for malware into your system.
5. Do not download pirated/free software from unknown and un-trusted
6. It is recommended to avoid mapping of network drives in the system.
7. Do not use untrusted plugins/add-ons/extensions on browsers.
8. Do not use important Servers for daily browsing/mailing activities.
9. Avoid browsing, downloading when you are logged-in with complete
Follow best Security Practices
Ransomware is a sophisticated malware. It hijacks the victim’s system and renders it nonfunctional. The malware prevents the user from using any applications or even accessing the operating system itself, until the victim agrees to pay a certain amount of money.
Encryption: The files are encrypted using complex encryption algorithms. Decryption is impossible without private keys. Some of the latest ransomwares use strong encryption (2,048-bit RSA key pair) for encrypting the data, it is highly effective because the encryption used is practically impossible to break.
As mentioned earlier since the techniques involve all the communication happening over anonymous network TOR and use of cyber currency Bitcoin.
Lock Screen: These kind of ransomwares lock the screen and prevent access to your computer.
MBR ransomware: infects the Master Boot Record (MBR), preventing the operating system from loading. Based on analysis, this malware copies the original MBR and overwrites it with its own malicious code.
Ransomware is propagated through various modes or infection vectors:
Email, Malvertising, and using exploit kits that search for system vulnerabilities and exploit them to plant malwares.
Email Attachments and Phishing Links:
Ransomware is propagated through spam email campaigns, these emails mostly appear to have important information which may draw the victim’s attention. Usually the victim performs one of the following three actions which results in the victim’s computer being compromised and ransomware being installed on the computer. Victim opens a malicious attachment with the mail, this action results in ransomware being installed directly on the victim’s computer. Victim opens an attachment which leads to a downloader being installed, the downloader then downloads the ransomware on the computer. Victim clicks an embedded phishing URL that points to a site with malicious code or an exploit kit which ultimately results in the ransomware being installed on the computer.
Part of another malware&apos;s payload
Delivered by an exploit kit
Exploit kits exploit vulnerabilities in software in order to install malware. The attackers compromise third-party web servers on the Internet and inject iframes into the web pages hosted on them. The iframes direct the victim’s browsers to the exploit kit servers which install the malwares on the unsuspecting victims.
Involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. The user clicks on the attractive ads to visit the advertised site, instead the user is directly infected or redirected to a malicious site. These sites fool users into copying viruses that are disguised as Flash files.
Through Vulnerabilities found in:
Plug-ins (like Adobe, Flash Player)
There have been various payment mechanisms used to collect the ransom but the one that has clearly emerged as the favorite tool to collect money by hackers is the digital currency – BitCoin.
When you pay something digitally, you use net banking, credit card or debit card. Now your information is attached to the card such as name, address, etc).
However, the case is different with bitcoin. The transactions you make using the currency are completely anonymous. Whenever customers trade in bitcoin, a private key associated with their wallet is used to generate a bit of code. That code is publicly associated with customer transaction but with no personal identifying information. Thus, every transaction is recorded and securely signed in an open ledger that anyone can read and double-check.
One of the probable reasons why hackers chose bitcoin as a form of payment is because - It protects identity.
Ransomwares are evolving and deploying new techniques to carry out cyber attacks.
We have observed that certain recent ransomwares use brute force to break into servers through Remote Desktop by exploiting the weak passwords. Once they have entry, they uninstall the Security products.
There is also another set of tactics that malware creators use to avoid antivirus detection. Cyber criminals equip malware strains with the ability to detect sandboxing mechanisms by checking for specific registry entries, running processes, certain ports and additional relevant information. When malware detects that it’s running in a sandbox environment, it stops its activity making the AV believe it’s a harmless file.
While some hook onto to popular 3rd party tools available for free.
Literally, all industries are exposed to the Ransomware attacks, which leads to massive disruption to Business productivity. The ransomware attacks have the potential to bring down businesses to it’s knees.
Individuals, educational institutions, government organizations, Corporates and Businesses and Hospitals; even law enforcement agencies have been victims.
While there is a rise observed in targeted attacks, but overall, the cyber criminals look for ways they can spread through easily.
Cyber criminals understand that systems are not often patched with latest security updates, effective data back strategies are still not widely used and practiced.
In case of WannaCry, the initial news and reports appeared on BBC about dozens of hospitals in England were affected by ransomware, denying physicians access to patient medical records and causing surgery and other treatments to be delayed. The malware spread quickly on Friday, 12th May, with medical staff in the UK reportedly seeing computers go down &quot;one by one&quot;.
You can very well visualize the kind of impact an attack like this can have and why it is so imperative to follow good security practices.
The ransomware, WannaCry, uses an exploit named EternalBlue Server Message Block (SMB) Vulnerability [MS17-010–Critical] to infect computers running versions of Windows operating systems. Affected Windows systems include everything from Windows XP, Windows Vista, Windows 7, Windows 8.x, Windows 10 and Windows Server OS 2003, 2008, 2016.
The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. Using the SMB protocol, an application (or the user of an application) can access (read, create, and update) files or other resources at a remote server.
Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities gains the ability to execute code on the target server. To exploit the vulnerability, in most situations, an unauthenticated attacker can send a specially crafted packet to a targeted SMBv1 server.
EternalBlue was first made public in April 2017 after Shadow Brokers released a bunch of exploits and hacking tools developed by the US NSA. The Shadow Brokers is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools from the NSA, including several zero-day exploits.
Interestingly, Microsoft released a patch for the EternalBlue exploit just a few weeks before Shadow Brokers made the NSA-developed vulnerability&apos;s existence public. However, it is possible that several computers around the world, most likely including the ones targeted in the cyberattack, had failed to update their systems with the Microsoft patch.
Most alarming, WannaCry did not spread across networks in the usual way, through people clicking on email attachments. Rather, once one Windows system was affected on a Windows network, WannaCry managed to propagate itself and infect other unpatched machines without any human interaction.
Worms are standalone software and do not require a host program or human help to propagate.
WannaCry is different from anything we&apos;ve ever seen before as for the first time we are seeing the combination of a worm and a ransomware – union of old and new and that’s exactly what makes it not only lethal but also the ability to spread across the Internet/globe – a borderless network - at lightning speed.
In many reports we’ve read that the malware generates a list of internal IPs. However, it has also been observed that the malware generates random IP addresses, just not limited to the local network. This gives it the ability to not only spread to other machines within the same network, but also across the Internet if sites allow NetBIOS packets from outside networks.
This particular behavior and ability attributes to the widespread propagation of WannaCry Ransomware across the globe impacting 100+ countries. Due to this people were unsure about the initial infection vector of the Ransomware.
Let us look at what WannaCry does once it reaches the system.
It drops the listed files in the specified path.
The Ransomware writes itself into a random character folder in the &apos;ProgramData&apos; folder with the file name &quot;tasksche.exe&quot; or in &apos;C:\Windows\&apos; folder with the file-name &quot;mssecsvc.exe&quot; and &quot;tasksche.exe&quot;.
It then displays the message to the user.
&quot;WannaCry&quot; - the ransomware, asked users to pay a $300 ransom in bitcoins. The ransom note indicates the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted. Security experts warn there is no guarantee that access will be granted after payment.
Here’s a list of targeted file extensions by WannaCry.
WannaCry offers free decryption for some random number of files in the folder C:\Intel\&lt;random folder name&gt;\f.wnry. We have seen 10 files decrypted for free.
Quick Heal and Seqrite users are protected from the vulnerabilities reported in security bulletin MS17-010.
Seqrite has been relentlessly working to keep its users secure and protected from ransomware attacks. Updates (signatures) are regularly released, heuristic solution – Behavior Detection System (BDS), Anti-Ransomware features are also enhanced to protect users from new emerging and complex ransomwares to protect the users from ransomware attacks.
Internet and Network security provides protection against web-based threats such as phishing URLS, malwares such as key loggers, and other intrusion attempts by rogue IPs from across the globe.
These threats are eliminated in real time and access to malicious sites, phishing URLS and IPs is blocked by Quick Heal and Seqrite products. The robust firewall also lets you control external traffic coming to your computer as per your requirements and rules can be set.
Here’s an information prompt displayed by the product when such an attack is blocked.
We started seeing the IPS hits based on the exploits.
Hits reported after May 09, 2017 shows a spike in the activity.
The Shadow Broker have leaded various Exploits. Quick Heal and Seqrite products provide the protection and coverage against the list exploits. The products block all detections specifically, listed in MS 17-019 Security Bulletin.
The indigenous DNAScan technology detects and eliminates new and unknown malicious threats and thereby, provides zero-day protection. DNAScan uses the below techniques:
1. Detection by Characteristics
2. Detection by Behavior
Behavior detection system is a dynamic, signature-less and advanced pro-active protection that helps to eliminate new and unknown malicious threats in the system. It monitors the activity on the system and if finds anything suspicious then takes immediate action by suspending the application/process from executing further. This feature also helps to protect against new and unknown ransomwares.
Quick Heal Total Security’s Anti-Ransomware feature is a robust and comprehensive solution specifically designed to detect/block ransomwares.
Based on the behavior-based detection technology, it protects your computer and data in two ways.
2. It detects ransomware and blocks it. The following prompt is displayed to the user when suspicious ransomware activity is detected.
Securely, automatically and transparently backs up your critical data, creating a secure digital locker on your computer, which is accessible only for the purpose of restoring your files.
The Anti-Ransomware feature successfully blocked WannaCry and provided Zero day protection.
Here are the detection prompts that are displayed when WannaCry Ransomware is detected by Advance DNAScan and Anti-Ransomware features. The users are recommended to take the BLOCK action on these prompts.
Signature Based Detection
On a daily basis, at least twice signatures are released to the clients running Quick Heal and Seqrite software through updates. As hundreds of new threats are identified daily, these new signatures help the products detect and block threats and keep your systems safe.
Virus Protection provides real-time protection and defense. It’s up and running all the time to keep your system secure from any potential threats.
Email Scan Protection is one of the first layer of protection. It is a known fact that vast majority of ransomwares are propagated through emails. The emails and attachments carrying the payload are not only carefully crafted but have an appealing subject line to lure the users into opening the malicious attachments. Email Scan has been successfully blocking a high percentage of ransomwares based on heuristics as well. While signature based detection is considered reactive, it’s important to note that the above features also block ransomwares based on heuristics, thereby providing zero day protection.
Though in case of WannaCry the security experts believe that this vector wasn’t used to propagate.
Does not support mapped/network and removable drives. Though, files cannot be restored on a network location however, removable drives can be used to restore the data.
Note that this feature will not be effective on a system in certain cases:
Where files are already encrypted by a ransomware prior to installation of the feature.
If system is affected by a full disk encrypting ransomware attack which is however rare.
Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats such as ransomware.
# ‘Windows XP SP3’ ‘KB4012598’
# (&apos;Windows Vista&apos;, &apos;KB4012598&apos;),
# (&apos;Windows Server 2008&apos;, &apos;KB4012598&apos;),
# (&apos;Windows 7&apos;, &apos;KB4012212&apos;, &apos;KB4012215&apos;),
# (&apos;Windows Server 2008 R2&apos;, &apos;KB4012212&apos;, &apos;KB4012215&apos;),
# (&apos;Windows 8.1&apos;, &apos;KB4012213&apos;, &apos;KB4012216&apos;),
# (&apos;Windows Server 2012&apos;, &apos;KB4012214&apos;, &apos;KB4012217&apos;),
# (&apos;Windows Server 2012 R2&apos;, &apos;KB4012213&apos;, &apos;KB4012216&apos;),
# (&apos;Windows 10&apos;, &apos;KB4012606&apos;),
# (&apos;Windows 10 Version 1511&apos;, &apos;KB4013198&apos;),
# (&apos;Windows 10 Version 1607&apos;, &apos;KB4013429&apos;),
# (&apos;Windows Server 2016&apos;, &apos;KB4013429&apos;)
Apply the latest security updates released by Quick Heal/Seqrite.
Disable SMB service (running on port 445) if not used.
– Use strong and unique passwords on user accounts that cannot be easily breached. Weak passwords like Admin, admin123, user, 123456, password, Pass@123, etc., can be easily brute-forced in the first few attempts itself.
– Change the default RDP port from ‘3389’ to something else. Although a complete port scan would still show the open ports, this would prevent attacks that are targeting only the port 3389 by default.
– 2-Factor Authentication for Remote Services
– Configuring Account Lockout Policies that automatically lock the account after a specific number of failed attempts. This feature is available in Windows and the threshold can be customized as per the administrator.
– Disable Macros in Microsoft Office via Group Policy
– Configure password protection for your security software. This would prevent any unauthorized users from disabling or uninstalling it. Users can enable this feature from the Settings =&gt; Password Protection.