ESSENTIAL FAQS TO COMBATING

September 2016

www.ensilo.com RESEARCH PAPER

TABLE OF CONTENTS

What is Ransomware? 3

Does Ransomware Only Encrypt Files? 4

What Are the Common Types of Ransomware In-the-Wild? 4

How are Victims Infected? 4

At What Stage Does the Ransomware Encrypt the Data? 5

How Long Does it Take for Ransomware to Encrypt Files? 5

How are the Threat Actors Paid? 6

What Platforms does Ransomware Target? 6

Don’t the Operating System Vendors, such as Microsoft, Place Protections to Prevent Ransomware from Running? 7

Have You Seen Any Ransomware Cases? 7

Is Ransomware a Periodic Fad or a Trending Issue? 8

What Strategy Should Businesses Adopt to Combat Ransomware? 9

Samples of ransomware notes 10

About enSilo 11

Ransomware isn’t new. But the tactics are. Ransomware has gone from a nickel-and-dime operation targeting individual computers to a multimillion-dollar criminal operation targeting organizations that can afford to pay enterprise-level ransoms. Research1 showed that a single threat actor was “making more than $30M USD annually from ransomware infections alone”. Clearly, with such a strong financial motivation behind ransomware, the criminals behind these types of attacks are not going to stop anytime soon.

To help combat the threat of ransomware, we’ve put together this FAQ. If you see any question you’d like to add, or just want to be heard, feel free to email us: [email protected]

WHAT IS RANSOMWARE?

Ransomware is an increasingly popular tactic used to steal data and disrupt a system’s operations. Essentially, attackers use ransomware to infect a device, hijack the files on that device and lock them via encryption. These maliciously encrypted files can no longer be accessed by users and are held hostage by the attacker until a ransom is paid. The ransom can range from hundreds of dollars to hundreds of thousands, depending on the type of file and the victim. Usually, the extortionists set a deadline for paying up; when that deadline is not met, a new deadline is set and the ransom increases. In 2013, the criminals responsible for CryptoLocker, a prolific type of ransomware, purportedly earned between $3 million and $27 million from victims. Only two years later, it was estimated that a gang of criminals who had built an infrastructure for ransomware infections was able to earn about $30M USD annually.

1 | http://talosintel.com/angler-exposed/?f_l=s

DOES RANSOMWARE ONLY ENCRYPT FILES?

Ransomware usually comes in two flavors: one that encrypts files and one that locks the user out of their files. For example, the MBR locker family extorts victims by replacing the basic files of the operating system. Only upon payment do the original files come back.

No matter the type of ransomware, they are almost always effective in disrupting the business.

WHAT ARE THE COMMON TYPES OF RANSOMWARE IN-THE-WILD?

Unfortunately, the list of ransomware is too long to name all. Here are a few of the more common ones:

777, 7ev3n, Alpha, AxCrypter, BadBlock, BlackShades, Cerber, Chimera, CoinVault, Crypt0L0cker, CryptoDefense, CryptoHasYou, CryptoJoker, CryptoShocker, CryptoWall, CryptXXX, CrySiS, CTB-Locker, DMA Locker, Encryptor RaaS, Enigma, HydraCrypt, Jigsaw, JobCrypter, KeRanger, LeChiffre, Locky, Mischa, Mobef, NanoLocker, Nemucod, Nemucod-7z, ODCODC, PadCrypt, Rokku, Samas, SNSLocker, Surprise, TeslaCrypt, ToxCrypt, Troldesh, TrueCrypter, zCrypt, Zyklon

HOW ARE VICTIMS INFECTED?

A user can be infected in a variety of ways, such as actively installing the ransomware (say, when it appears to be an innocuous program), opening a malicious file attached to an email (a phishing attack) or surfing to a compromised website (a drive-by-download attack).

While in certain scenarios the victim had to be active and click on the malicious program, in most cases, the infection is actually seamless to the user. For instance, in a drive-by-download attack, the ransomware typically exploits a browser vulnerability enabling the automatic download and execution of the malicious file. In the case of a phishing email, a PDF vulnerability enables the attacker to hide malicious code within the PDF, so that it automatically executes upon opening.


AT WHAT STAGE DOES THE RANSOMWARE ENCRYPT THE DATA?

Some ransomware is considered “online”: once installed, it communicates with its Command & Control (C&C) server to receive the public key used for the encryption as well as its TOR configuration. The TOR configuration is used as the discreet payment channel, with the goal of keeping the transaction anonymous and blocking the ability to trace it back to the extortionist. Ransomware such as CryptoWall and Locky are online ransomware.

Other ransomware is considered “offline”, in which case the key is embedded within the ransomware file itself. Offline ransomware is typically MBR lockers, such as .

HOW LONG DOES IT TAKE FOR RANSOMWARE TO ENCRYPT FILES?

Encryption time depends on the file extensions existing on the victim’s machine, as well as how many files of these extensions exist.

For example, if the ransomware just encrypts text files, the encryption process will be quick, even just a few seconds for small text files, while a file server will take longer to encrypt.

Additionally, each ransomware uses its own preferred encryption algorithm. Some use “heftier” algorithms such as RSA and AES, in which case their encryption takes longer.

HOW ARE THE THREAT ACTORS PAID?

If a victim decides to pay up, payment is sometimes performed through Bitcoin and similar cryptocurrencies, since Bitcoin enables easy money laundering and does not leave an audit trail that can lead back to the threat actor.

The transaction itself is performed over TOR services, which anonymize the user as well, so there is also no digital trail of the threat actor’s identity.

WHAT PLATFORMS DOES RANSOMWARE TARGET?

Ransomware targets users of all platforms, from Windows servers and desktops to Macs and Linux systems.

While people are less aware of Mac ransomware, it is certainly on the rise, with ransomware families such as KeRanger and Mabouia (released as a proof-of-concept). A common ransomware targeting Linux is FileCoder.


Desktops and servers are not the only systems hit with ransomware; mobile devices are being hit too. For example, researchers recently2 discovered an Android-based ransomware whose malicious app locked users out of their device by changing the device PIN. Users were able to regain control of their device only through a factory reset.

DON’T THE OPERATING SYSTEM VENDORS, SUCH AS MICROSOFT, PLACE PROTECTIONS TO PREVENT RANSOMWARE FROM RUNNING?

Microsoft does attempt to fight ransomware. For example, since ransomware traditionally used macros to infect devices, Microsoft added a new feature to Office 2016 that disables macros. However, these mitigations do not stop the extortionists; rather, they are simply a continuation of the cat-and-mouse chase, requiring the ransomware developers to release new strains that bypass the protections. For instance, Locky and CryptXXX use JavaScript within a zip file to infect a system, not macros.
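As an added illustration of the two attachment vectors described above (macros in Office documents and JavaScript inside a zip file), the following Python check inspects an email attachment archive and reports the members a mail gateway should hold back, including script files hidden behind a document-looking double extension and archives nested inside archives. This is example code, not from the original paper or from enSilo, and the archive it scans is constructed in-line for the example.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions that run as scripts when a Windows user double-clicks them.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}
# Office formats that can carry macros (the older vector the FAQ describes).
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".doc", ".xls"}


def suspicious_members(archive: bytes) -> List[Tuple[str, str]]:
    """Return (member_name, reason) for every archive member worth blocking."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1].lower()
            parts = name.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in SCRIPT_EXTS:
                # "invoice.pdf.js"-style lure: document-looking name, script extension
                reason = "script extension"
                if len(parts) > 2:
                    reason += " with decoy double extension"
                findings.append((info.filename, reason))
            elif ext in MACRO_EXTS:
                findings.append((info.filename, "macro-capable office document"))
            elif ext == ".zip":
                # A nested archive is a common way past a single-level filter.
                for inner, reason in suspicious_members(zf.read(info)):
                    findings.append((f"{info.filename}/{inner}", reason))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test attachment: member names and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016-09.pdf.js", "// constructed placeholder, not a real script\n")
        zf.writestr("readme.txt", "plain text\n")
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as izf:
            izf.writestr("report.docm", "constructed placeholder\n")
        zf.writestr("attachments.zip", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample_archive()):
        print(f"BLOCK {member}: {reason}")
```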

HAVE YOU SEEN ANY RANSOMWARE CASES?

Unfortunately, we do witness ransomware infections in the wild. Interestingly, infections aren’t dependent on company size, as we’ve seen them across organizations of all sizes, nor are they dependent on the security maturity and awareness at a company.

The following case represents the kind of cases that we witness.

At one of our customer deployments we came across the Jigsaw ransomware. An employee at the customer site received a Word document with an embedded macro. When the macro executed, it downloaded its payload, the actual Jigsaw ransomware, from a Command and Control server. Jigsaw then attempted to encrypt the files on the infected PC using a public key. enSilo, however, prevented the malicious encryption and alerted on the attempt.

2 | http://arstechnica.com/security/2015/09/new-android-ransomware-locks-out-victims-by-changing-lock-screen-pin/

IS RANSOMWARE A PERIODIC FAD OR A TRENDING ISSUE?

The proliferation of ransomware is predicted to only get worse.

The success rates of these malicious campaigns continue to encourage cyber-criminals and entice more extortionists to join the ransomware bandwagon. In fact, ransomware is becoming more sophisticated and we’re now seeing a couple of new development trends:

1. Ransomware combining “stealer” capabilities, such as the theft of FTP passwords or the like, which allows an attacker to move around the organization. The idea is that it is not enough for the threat actors just to infiltrate the organization, but then to also infect the whole enterprise, and they do this through lateral movement. By infecting more machines, they do not just infect more people (equating to more ransom payments) but also cause greater impact.

This lateral movement behavior takes on a similar characteristic to the worms that were in abundance 15 years ago. The ransomware and worms use the same techniques: some spread via USB and others perform lateral movement through networks. In terms of lateral movement, in the past the worms searched for hard-coded passwords to spread, and although hard-coded passwords have changed since, the idea of stealing passwords in order to spread has not. There are 3 ways in which ransomware can perform lateral movement:

a. Implementing the lateral movement capability on their own. As part of the ransomware code, the authors developed their own modules that look for passwords, etc.


b. Using other Trojans that are considered “Stealers” by design. For example, Pony Stealer is considered the most powerful Stealer today, and as its name suggests, it steals all passwords and credentials. Pony Stealer now comes as a hybrid ransomware: there is the Pony plugin, together with a ransom core. With all the network passwords on hand, the ransomware spreads throughout the network.

c. Finding vulnerabilities that allow them to propagate. The ransomware exploits known server vulnerabilities or unpatched servers. Some ransomware even comes with a vulnerability scanner. Once the ransomware finds the exploit, it infiltrates and propagates within the organization. This technique was used by the infamous SamSam3.

2. Ransomware infecting Web servers. Here, the ransomware exploits Web vulnerabilities, infects the web servers and consequently, encrypts the whole web site. There are several strains of such ransomware.

WHAT STRATEGY SHOULD BUSINESSES ADOPT TO COMBAT RANSOMWARE?

Before diving into the security strategy businesses should take, it’s important to first note that when dealing with ransomware, businesses should never pay the ransom.

A successful ransomware attack points to a security vulnerability that needs to be effectively remediated. Additionally, paying offers no guarantee that the data will actually be released; in fact, it will likely lead to another attack that is nastier and more expensive than the first. Worse, paying up motivates the threat actors to continue with the practice.

Businesses should adopt the following strategy:

1. Stay vigilant for cyber-threats. Ransomware typically infects employees through sophisticated methods of social engineering, enticing a victim to open a file or click on a link. Ensuring that everyone in the organization is aware of the threats targeting their organization through education and training is a key component to any cyber-security program. However, it is important to note that awareness only reduces the risk; a sophisticated threat actor will eventually find a way to dupe a user and get into the network.

2. Backup data regularly. This best practice ensures that users can go back and retrieve information stored in other locations. This is not a remedy, but it will buy a little time. Nevertheless, beware that when using network-enabled backups like a common share or cloud, it won’t take a sophisticated attacker long to find and infect those backups (remember, if you are already managing an attack, it means the threat actors are already in the network).

3 | http://www.infoworld.com/article/3058254/security/patch-jboss-now-to-prevent-samsam-ransomware-attacks.html

3. Share information on cyberattacks and best practices. Organizations have been calling on their industry peers to be more open about attacks and to share their attack data. As a result, we are starting to see various forums sprouting up to facilitate information sharing and educate peers about best practices. Alliances like the one formed by leading law firms in New York and London, and between Wall Street banks and law firms, as well as industry-specific Information Sharing and Analysis Center (ISAC) initiatives such as FS-ISAC for financials and R-CISC for retail, increase the information available regarding attacks, which can lead to better defenses.

4. Deploy technologies that can proactively protect against ransomware. Organizations should have in their arsenal means to prevent the consequences of these malicious intrusions, namely the ransoming of their data. Ensuring that the malicious encryption of data is prevented enables organizations to continue to work, even in a compromised environment.

SAMPLES OF RANSOMWARE NOTES


ENSILO PREVENTS THE LOCKING OF DATA CAUSED BY RANSOMWARE

enSilo stops ransomware’s malicious activities before they even begin. enSilo works at the operating system level, so it doesn’t let file tampering start. There are only a few ways to encrypt files and they all go through the operating system. So when the malicious modify-file request comes through the enSilo platform, the enSilo security policies prevent the malicious request from being carried out.

Ransomware comes in through the endpoint, which runs an operating system of usually Windows or macOS. enSilo operates in that operating system in real-time. The enSilo platform watches the operating system, in a way that does not affect the user experience, to look for outbound communications, file tampering and encryption.

ENSILO BENEFITS

enSilo buys organizations the time and peace of mind they need to protect and remediate their sensitive information.

www.ensilo.com company/enSilo

[email protected] @enSiloSec