
Are You Prepared for Ransomware?

One of the most frustrating threat innovations of the last decade has been 'ransomware'. Initially considered just a consumer threat, it now counts both government and commercial enterprise networks among its victims. This report examines the technical and business threats that ransomware continues to pose to organizations, and which IT security teams must be prepared to address and overcome.

Definition
Ransomware is malware that demands a payment for 'a service'. Typically, that service is the safe return of data or of user access to a device. A visible notification tells the user that access to their data or device has been restricted, and is accompanied by a payment demand. Upon payment, the ransomware is supposed to restore access to the data or system. This simple proposition, a payment in exchange for regained control and access, appeals to the targeted individual's or organization's desire to "get back to normal as soon as possible."

A ransomware program may also be called a cryptovirus, cryptotrojan or cryptoworm. Data-wiping malware and crypto-malware are not new (their history goes back some 20 years), but crypto-ransomware has become highly disruptive only in recent years.

Types of Ransomware
There are three primary types of ransomware:

1. Scareware: a payment demand backed by the threat of some future action, using intimidation tactics. The user's files and system access are not affected.

2. Lockers: access to the user's screen or system is blocked, and its return is promised in exchange for a fee.

3. Crypto-ransomware: having encrypted the user's files, it offers to sell the victim the decryption key for a fee. Crypto-ransomware can affect local files and files hosted on network shares alike. Encrypted files that cannot be recovered amount to a "data destruction" incident.

What Has Driven the Rise in Ransomware?
Ransomware generates revenue for cybercriminals only when their victims pay the ransom. A growing realization among businesses of how much their data is worth has encouraged more individuals and organizations to pay.

Monetization of ransomware is now practical because of Bitcoin, the preferred crypto-currency of ransomware authors. Funds moved through crypto-currencies are easy to transfer and hard to track, which works in the cybercriminals' favour and against that of law enforcement.

Cybercriminals are clearly profiting from this lucrative illegal activity. Experts have estimated that the total paid to the authors of some ransomware variants could be as much as $325 million (USD). As that income stream grows, so will the frequency of ransomware attacks.

Ransomware is a truly global phenomenon, affecting users from Australia to Sweden. For maximum impact, however, lures are adapted to the local language of the targets, or the ransomware deliberately avoids affecting users in particular geographies. Ransom notices have likewise been observed in the victim's own language, to smooth the payment process. The number of ransomware authors is also growing: the availability of Ransomware-as-a-Service, and before that of ransomware kits, has lowered the barrier to entry for motivated cybercriminals.

Delivery Methods
Crypto-ransomware spreads through email attachments (Microsoft Office documents are particularly popular), infected programs, drive-by infections from compromised websites, and even direct network connections that exploit operating system vulnerabilities. Ransomware authors often use social engineering to encourage end-users to run, download or click on malicious content. Some ransomware is also starting to use automated techniques to move from machine to machine with no user interaction at all. Once on a machine, ransomware usually searches for particular file types and starts encrypting them as soon as possible.
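The encryption behaviour just described leaves traces a defender can look for. The Python script below is an added example, not code from this report or from Forcepoint: it flags files whose extension matches a known ransomware extension (.locky, taken from the Locky entry later in this report) or whose bytes have the near-random entropy of ciphertext when their type should be compressible text, and raises an alert when several such files appear together. The extension sets, the 7.5 bits-per-byte entropy threshold and the three-file alert threshold are assumptions to tune for your environment; the sample directory is constructed inline.

```python
# Added example (not code from the Forcepoint report): a simple detector for
# files that a crypto-ransomware has just rewritten. Two signals are combined:
# a known ransomware extension (".locky" comes from the report; extend the set
# with what you observe) and ciphertext-like entropy in a file whose type
# should normally be low-entropy text. All thresholds are assumptions.
import math
import os
import tempfile
from collections import Counter

RANSOM_EXTENSIONS = {".locky"}                       # extend as new families appear
LOW_ENTROPY_TYPES = {".txt", ".csv", ".log", ".xml", ".html", ".json", ".sql"}
ENTROPY_THRESHOLD = 7.5    # bits per byte; random/encrypted data approaches 8.0
MASS_CHANGE_THRESHOLD = 3  # this many suspicious files at once => alert (assumption)


def shannon_entropy(data):
    """Bits of entropy per byte over `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path, sample_bytes=65536):
    """Return the list of reasons a file looks ransomware-encrypted (empty if none)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in RANSOM_EXTENSIONS:
        reasons.append("ransomware extension")
    # Only judge entropy for types that should be compressible; already-compressed
    # formats (zip, jpg, docx) are high-entropy by nature and would be false positives.
    if ext in LOW_ENTROPY_TYPES or ext in RANSOM_EXTENSIONS:
        with open(path, "rb") as f:
            head = f.read(sample_bytes)
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            reasons.append("high entropy")
    return reasons


def scan_tree(root):
    """Walk `root`; return ({path: reasons}, alert) where alert is True when the
    number of suspicious files reaches MASS_CHANGE_THRESHOLD."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = inspect_file(path)
            if reasons:
                findings[path] = reasons
    return findings, len(findings) >= MASS_CHANGE_THRESHOLD


def build_demo_tree(root):
    """Constructed sample data: a normal text file, a compressed-looking file that
    must not be flagged, and three files standing in for ransomware output."""
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("quarterly report draft, see attached figures\n" * 200)
    with open(os.path.join(root, "archive.zip"), "wb") as f:
        f.write(os.urandom(4096))          # high entropy, but an expected type
    for name in ("invoice.docx.locky", "plan.xlsx.locky", "ledger.csv"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(os.urandom(4096))      # random bytes stand in for ciphertext


def run_demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        findings, alert = scan_tree(root)
        return {os.path.basename(p): r for p, r in findings.items()}, alert


if __name__ == "__main__":
    found, alert = run_demo()
    for name, reasons in sorted(found.items()):
        print(f"{name}: {', '.join(reasons)}")
    print("ALERT: possible mass encryption in progress" if alert else "no alert")
```

A one-off scan like this is only a starting point: in production the same checks belong in a file-activity monitor that watches for a burst of such rewrites within a short window (the behaviour the report's endpoint recommendations call user behavior analytics), since a single high-entropy file is rarely conclusive on its own.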

Guidance from Forcepoint Security Labs: ransomware and other malware threats aim to manipulate or imitate user behaviour through whatever technology they can reach. Implement multi-layered security technologies to defend across the relevant attack vectors, in this case web, email and network. Next generation firewalls (NGFWs) placed at the internal and external edges of your network can contain automated propagation. Deploy monitoring and reporting tools, including cloud-based Advanced Malware Detection services, to detect and defeat incoming threats across the multiple paths into an organization.

The Role of Social Engineering
The point where people interact with critical data and intellectual property, where technology is most enabling and security most vulnerable, can undermine even the most comprehensively designed cybersecurity system in a single malicious or unintentional act. Ransomware takes advantage of this point of interaction, using social engineering as a key component of its tactics, techniques and procedures (TTPs). Put simply, it convinces an end-user to perform an action. This social engineering happens during the initial lure phase of the threat lifecycle (a malicious email or compromised website) and again during the payment demand phase (scaring the user into paying, or offering an incentive such as the promised safe return of their now-encrypted files).

Guidance from Forcepoint Security Labs: implement a continuous user education program. Alert your employees to the dangers of ransomware and have them report incidents through a tested and well-established security incident process.

To Pay or Not to Pay?
It is in the cybercriminals' interest to make payment easy and affordable. To maintain their revenue stream, ransomware authors have typically kept ransom fees low (a handful of bitcoins). The price of a bitcoin varies, but ransom fees are typically set below $1,000 USD per demand.

However, it has also been known for targeted ransomware to demand payment of tens of thousands of US dollars from some organizations. Regrettably but understandably, some businesses are paying those demands.

Giving in to ransomware demands may bring short-term relief from a data destruction and business disruption incident, but it may well set the stage for more attacks globally. Alternatively, victims can refuse to pay and accept the damage (or recover from it), which is better from an ecosystem perspective. Better still, if victims could defend their data and systems, and so decline to pay without consequence, ransomware attacks would quickly fade away.

The decision to pay, or not, must take into account a balanced view, as we explain below.

Guidance from Forcepoint Security Labs: the United States Federal Bureau of Investigation (FBI) initially advised ransomware victims not to pay. The guidance was later adjusted to present payment as an option. We agree that paying is always an option, but it guarantees neither the successful return of encrypted files nor that the ransomware author will not return. Whether locked files are actually recovered depends on factors such as the availability of the command and control servers that host the decryption key, the absence of bugs in the decryption routine, and the cybercriminals' honesty.

WE RECOMMEND THE FOLLOWING ACTIONS:

1. Establish a tried, trusted and tested (preferably offline) data backup process across your organization. This may allow you to retrieve your files without paying.

2. Educate your users not to open unexpected or unfamiliar email attachments or click on unknown hyperlinks. Provide end users with a ransomware incident reporting process.

3. Determine whether there are weaknesses in your infrastructure or processes that ransomware tactics can exploit, and close those gaps. For instance, keep up with operating system updates and patches across the IT and security infrastructure.

4. Consider whether the money for a ransom payment would be better spent on more effective security measures to prevent similar incidents in the future (such as user education and sandboxing for URLs and files).
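Item 1 above hinges on the word "tested". The Python script below is an added example, not code from this report or from Forcepoint: it creates a backup archive together with a SHA-256 manifest, then proves the backup by restoring it into scratch space and checking every file against the manifest, and it shows how the same manifest reveals which files on the live share a crypto-ransomware has since rewritten. The directory layout, file names and the ".locky" rename in the demo are constructed for illustration.

```python
# Added example (not code from the Forcepoint report): a backup whose restore is
# actually tested. The archive gets a SHA-256 manifest at creation time; the
# verification step restores into scratch space and checks every file, so a
# backup that was damaged, or that silently captured already-encrypted files,
# is discovered before you depend on it. Paths and names are assumptions.
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Relative path (with '/' separators) -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def create_backup(source, archive_path, manifest_path):
    """Archive `source` and write its hash manifest; keep both offline together."""
    manifest = hash_tree(source)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(source, rel), arcname=rel)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def verify_restore(archive_path, manifest_path):
    """The 'tested' part: restore into scratch space and diff against the manifest.
    Returns (ok, problems)."""
    with open(manifest_path) as f:
        expected = json.load(f)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuse unsafe members (Python 3.12+)
            except TypeError:
                tar.extractall(scratch)                 # older Pythons lack the filter argument
        actual = hash_tree(scratch)
    problems = [f"missing: {p}" for p in expected if p not in actual]
    problems += [f"unexpected: {p}" for p in actual if p not in expected]
    problems += [f"modified: {p}" for p in expected if p in actual and actual[p] != expected[p]]
    return (not problems), sorted(problems)


def run_demo():
    """Constructed scenario: back up a share, then simulate ransomware rewriting a file in it.
    Returns (backup verified before, files damaged on the live share, backup verified after)."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "share")
        os.makedirs(os.path.join(source, "finance"))
        with open(os.path.join(source, "finance", "ledger.csv"), "w") as f:
            f.write("date,amount\n2017-01-01,100\n")
        with open(os.path.join(source, "readme.txt"), "w") as f:
            f.write("hello\n")
        archive = os.path.join(work, "share.tar.gz")
        manifest = os.path.join(work, "share.manifest.json")
        create_backup(source, archive, manifest)
        clean_before, _ = verify_restore(archive, manifest)

        # Ransomware hits the live share: the file is rewritten as ciphertext and renamed.
        victim = os.path.join(source, "finance", "ledger.csv")
        with open(victim + ".locky", "wb") as f:
            f.write(os.urandom(64))
        os.remove(victim)

        with open(manifest) as f:
            expected = json.load(f)
        live = hash_tree(source)
        damaged = sorted(p for p in expected if live.get(p) != expected[p])
        clean_after, _ = verify_restore(archive, manifest)  # offline copy is untouched
        return clean_before, damaged, clean_after


if __name__ == "__main__":
    before, damaged, after = run_demo()
    print(f"backup verified before incident: {before}; damaged on live share: {damaged}; "
          f"backup still verifies: {after}")
```

The manifest must live with the offline copy, not on the share it describes, or the ransomware that reaches the share can take the manifest with it; and the restore test should run on a schedule, because a backup that has never been restored is an assumption, not a control.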

EXAMPLES

Screenshot of WannaCry’s ransom demand:

Screenshot of Locky’s ransom demand:

Ransomware Variants Analysed by Forcepoint Security Labs
The development of ransomware families is relentless, with enhancements or entirely new families discovered in the wild continuously.

A small selection of the many ransomware families analysed by Forcepoint Security Labs includes:

Cerber - previously distributed via exploit kits and malicious email attachments, Cerber was spread in the first half of 2016 via Windows Script Files (WSFs) inside double-zipped attachments.

CryptoLocker - considered the "original" modern ransomware family from which many variants descend, CryptoLocker first appeared in 2013. Law enforcement efforts shut down the campaign a year later.

CryptoWall - our 2015 study found the healthcare sector 4.5 times more likely to be affected by CryptoWall than other industries. The latest version randomises filenames and encrypts most documents found on the machine.

CTB-Locker – this variant stands out as not needing to connect to a command and control server to encrypt files.

CryptXXX - as is becoming typical, CryptXXX provides payment instructions accessible via the Tor network.

Jaff – spread by a major global malicious email campaign from the Necurs botnet. An attached PDF is embedded with a DOCM file whose malicious macro downloads the ransomware, which then reports the data as 'encrypted' and demands payment via Bitcoin.

Jigsaw - Jigsaw makes references to horror movies to intimidate end-users into paying the ransom.

Locky - Encrypted files have their file extension replaced with .locky. A Domain Generation Algorithm (DGA) is used to vary the command and control URLs accessed on a given day.

TeslaCrypt - this variant increases its resilience by terminating any process an end-user might use to try to disable the ransomware.

TorrentLocker - TorrentLocker hosted malicious lures on compromised legitimate websites.

WannaCry/WannaCryptor – this ransomware spread using exploits such as EternalBlue against an unpatched vulnerability in the Windows operating system's SMB protocol implementation, the flaw fixed by the MS17-010 security update. Once executed, WannaCry encrypts files and demands a $300 ransom.

Forcepoint Security Labs Fights Back Against Ransomware
WANNACRY
The WannaCry ransomware is one of the most significant malware outbreaks the world has seen in years. Our Forcepoint Security Labs, tech support and product security teams monitored and investigated the ransomware from its initial propagation. From the start of the WannaCry campaign, Forcepoint customers were protected, immediately by our NGFW and soon afterward across our product portfolio. Enterprise and government organizations need a human-centric security approach that protects employees, critical business data and intellectual property from being targets.

The best defence starts with understanding that ransomware and other malware threats aim to manipulate or imitate user behaviour through whatever technology they can. IT and security teams should keep patch levels current across their infrastructure, and in particular apply the Microsoft MS17-010 security update that closes the SMB vulnerability WannaCry exploits. They should also have a strategy for observing risks and behaviours, a program of education, training and awareness, and multi-layered cybersecurity products that defend against the entire threat lifecycle.

Guidance from Forcepoint Security Labs: Check our Security Labs blog for the most up-to-date research on WannaCry. Ensure that the MS17-010 security update is installed on all Windows machines within the organization. Consult the Knowledge Base Article on our support site to identify the most suitable course of action.

LOCKY
The Special Investigations team within Forcepoint Security Labs investigated how to prevent the encryption of files, and shared that knowledge with the wider community.

While not all ransomware needs to contact a command and control server before encrypting files (CTB-Locker, for example, does not), the Locky family does. We used Locky as a case study and reverse-engineered its DGA, which calculates the domains Locky will contact each day. After we made the DGA public, the malware authors changed it within 4.5 days. We reverse-engineered the second DGA and published that too; it took the authors a further 18 days to update the algorithm a second time.

We chose this approach so that we could study the working patterns of the malware authors and allow organizations to predict, and therefore block, the domains the malware must reach before it encrypts files. The net effect was to disrupt the malware authors' revenue stream.
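To show what "predict, and therefore block" looks like in practice, the following Python script is an added example; it is neither Forcepoint's code nor Locky's actual algorithm. It implements a hypothetical date-seeded DGA of the kind described above, precomputes the domains for the next few days, and matches them against a constructed resolver log to find hosts attempting the call-home that precedes encryption (the Call Home stage of the lifecycle below). The seed, TLD list, label lengths and log format are all assumptions.

```python
# Added example (not Forcepoint's code and not Locky's real DGA): a date-seeded
# domain generation algorithm plus the defender-side use of it. Knowing the
# algorithm and its seed lets a defender generate tomorrow's domains today and
# sinkhole, block, or alert on them. Seed, TLDs and log format are assumptions.
import hashlib
import re
from datetime import date, timedelta

TLDS = ("ru", "pw", "xyz", "info")   # assumed; real families rotate their TLD set
SAMPLE_SEED = 0x1337                 # assumed per-campaign constant recovered by reversing
SAMPLE_DAY = date(2017, 3, 1)


def generate_domains(day, seed, count=8):
    """Derive `count` domains from (seed, date). Deterministic: the same inputs
    always produce the same list, which is exactly what makes prediction possible."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).digest()
        length = 7 + digest[0] % 6                                   # 7..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def predicted_blocklist(seed, start, days_ahead=2):
    """Defender side: the domains for `start` and the following `days_ahead` days,
    so the block can be in place before the malware rolls over to a new day."""
    block = set()
    for n in range(days_ahead + 1):
        block.update(generate_domains(start + timedelta(days=n), seed))
    return block


# Assumed resolver log format: "<timestamp> <client-ip> query <qname> <qtype>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def hunt_dns_log(lines, blocklist):
    """Return (client, qname) for every query whose name is in the predicted set."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue                                     # skip lines that do not parse
        qname = m.group("qname").rstrip(".").lower()     # normalise FQDN dot and case
        if qname in blocklist:
            hits.append((m.group("client"), qname))
    return hits


# Constructed log: two infected hosts querying the day's generated domains among
# benign traffic, one of them in upper case and all with the trailing FQDN dot.
_today = generate_domains(SAMPLE_DAY, SAMPLE_SEED)
SAMPLE_LOG = [
    "2017-03-01T09:12:03Z 10.0.0.15 query www.example.com. A",
    f"2017-03-01T09:12:04Z 10.0.0.15 query {_today[0]}. A",
    f"2017-03-01T09:12:05Z 10.0.0.15 query {_today[1].upper()}. A",
    "2017-03-01T09:13:10Z 10.0.0.22 query mail.example.com. MX",
    f"2017-03-01T09:13:11Z 10.0.0.22 query {_today[3]}. A",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    block = predicted_blocklist(SAMPLE_SEED, SAMPLE_DAY)
    for client, name in hunt_dns_log(SAMPLE_LOG, block):
        print(f"ALERT {client} resolved predicted DGA domain {name}")
```

The same predicted set can be pushed to a DNS sinkhole or an egress firewall so the call-home fails outright; for a family like Locky that needs the server's answer before it encrypts, that failure is what stops the damage. The block list has to be regenerated whenever the authors change the algorithm, which, as the text above notes, they did within days.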

Guidance from Forcepoint Security Labs: further detail on our analysis of the Domain Generation Algorithm is available in the following Security Labs blog posts:

Locky Ransomware - Encrypts Documents, Databases, Code, Bitcoin Wallets and More…

Locky New DGA Seeding New Domains

Protection Options
To combat ransomware it is important to take advantage of the many clues revealed across the threat lifecycle and to apply the appropriate defense technologies at each stage.

In most cases, ransomware is delivered via malicious email attachments, compromised websites and websites serving malicious advertisements (malvertisements), although, as WannaCry showed, not always. Opportunities exist to defeat ransomware at the early stages of the threat lifecycle, before end-users are exposed to the initial delivery mechanism and before files are encrypted.

Forcepoint Security Labs maps threats, including ransomware, to the seven stages of the threat lifecycle:

Reconnaissance – Ransomware mostly follows a shotgun approach, distributed by email and via compromised websites. On occasion an attacker identifies an organization believed to hold high-value data and targets it specifically.

Lure – Combining threat knowledge across the web, email, and network attack vectors can reduce the exposure to malware-laden malicious emails, malvertising, and other threat types.

Redirect – Redirects are used to point end-users to other areas of the web, via iframes, for example. Intercepting an attack at this stage can prevent an exploit from running.

Exploit Kit – Forcepoint Security Labs track exploit kits and their delivery tactics to mitigate attacks at this stage.

Dropper File – Forcepoint applies our layered anti-malware solutions and behavioural sandboxing to identify the malicious nature of ransomware variants.

Call Home – Intercepting the call home transmission can prevent some ransomware variants from encrypting the user’s files.

Data Theft – A crypto-ransomware incident is a "data destruction" incident. Stopping the threat at an earlier stage reduces the likelihood of encryption.

Guidance from Forcepoint Security Labs: your security portfolio and analysis methods should combine email, web and network information for better situational awareness. Visibility and protection across the complete threat lifecycle, including the internal and external edges of your networks, add to the roadblocks the malware authors must get past and improve your resilience to an attack.

Reducing Your Ransomware Risk
In light of the risk posed by ransomware, we encourage you to consider the following recommendations:

1. Ensure that your existing incident response plan can handle a ransomware incident.

2. Implement a continuous security awareness program for employees, with best-practice guidance.

3. Enforce tried and tested backup and recovery processes.

4. Keep up with software patches and updates across the IT and security infrastructure.

5. Remove administration rights wherever possible.

6. Institute a privilege management program that eliminates unnecessary data access privileges, minimizing the data at risk.

7. Implement controls at network egress points:
   - rules to block command and control traffic, and to counter evasion techniques that may be used to deliver malicious payloads;
   - advanced threat protection controls, including sandboxing, to defend against zero-day and other highly evasive malware techniques;
   - web security solutions that block unknown or uncategorized destinations and perform real-time analysis of web content;
   - email security solutions that block incoming email-borne threats.

8. Implement endpoint controls, particularly for remote and roaming users:
   - keep antivirus current;
   - deploy an endpoint tool to block bad applications;
   - implement web security for off-network endpoints;
   - consider user behavior analytics (UBA) to identify and shut down suspicious activity on key endpoints, even when they operate off-network.

9. While success is not guaranteed, research third-party decryptor tools and services, which may be needed if other controls fail.

As more organizations get smarter with their protection mechanisms, the profitability of ransomware will decline, so share your 'best practices' and 'lessons learned' with your professional network.

Conclusions
For as long as ransomware remains profitable, attackers will continue to frustrate and damage organizations around the world, and organizations will continue to pay ransoms for their threatened data in order to avoid data destruction and business disruption incidents. Ultimately, a good backup strategy is the safety net that underpins a more complete mitigation strategy covering the data, network, web and email attack vectors. Synthesizing the information across the attack vectors used by ransomware is critical to defenders' long-term success against this and many other attacks.

Forcepoint Threat Protection Technologies
We offer ransomware protection to our customers through our web, email and network security products. The first two use the Forcepoint Advanced Classification Engine (ACE), a comprehensive threat detection engine. The eight threat assessment areas within Forcepoint ACE improve your threat defenses by identifying and classifying information crossing your network to deliver real-time security ratings to all products built on the Forcepoint TRITON Architecture. ACE's eight threat assessment areas and unique composite scoring process enable Forcepoint solutions to protect against emerging threats, including the most advanced zero-day attacks and advanced targeted attacks, while improving productivity and compliance through strong outbound content visibility and containment controls.

Behavioral file sandboxing, such as Forcepoint Advanced Malware Detection, is one such technology used by Forcepoint ACE to provide protection controls and visibility into the behavior of the ransomware. The analysis reports from the sandbox can support an incident response program as well as a user education program.

In addition, Forcepoint next generation firewalls (NGFW) also incorporate built-in reputation and malware scanning as well as Forcepoint Advanced Malware Detection to block attacks and prevent the theft of data and intellectual property. Our firewalls also provide a wide range of security capabilities, including VPNs, IPS, application proxies and encrypted inspection that are all managed from a single console.

Combined, Forcepoint NGFW and ACE are why no one stops more threats than Forcepoint. Both draw on Forcepoint ThreatSeeker Intelligence to dynamically classify websites and content. ThreatSeeker Intelligence and Forcepoint ACE are maintained by Forcepoint Security Labs researchers and are the power behind our integrated Web, Email and Data Security solutions.

Every second of every day, the Forcepoint ThreatSeeker Intelligence scours the vast expanse of online content for potential threats. It receives global input from over 155 countries and, working in parallel with Forcepoint ACE, analyzes up to 5 billion requests per day. Forcepoint ThreatSeeker Intelligence also serves to distribute threat intelligence to Forcepoint solutions around the world, which last year generated an average rate of 3.2 pieces of threat intelligence every second.

To take advantage of further research on ransomware and other threats, read our Forcepoint Security Labs Blog here: https://blogs.forcepoint.com/
