Ransomware How to Prevent a Crypto Crisis at Your IT Business

Ransomware: How to Prevent a Crypto Crisis at Your IT Business
MARCH 2015 SPECIAL REPORT
© 2015 Calyptix Security Corporation. All rights reserved. | [email protected] | (800) 650 – 8930

INTRODUCTION

What is Ransomware?

Imagine you get to work and flip on your computer. You see a black screen that says all of your files are locked. Your documents, images, spreadsheets – you can’t open anything. The screen says you have 48 hours to pay $600 or you will never see your files again.

Sound like a sensational movie plot? Unfortunately, this is real. This is ransomware.

Ransomware is a type of malware that extorts money from victims. It does this by blocking access to an infected computer system and demanding a ransom payment to restore access.

Ransomware recently became national news, but it has been around for decades. Malware of this type dates back to 1989 with the AIDS trojan. AIDS hid file folders, encrypted file names, and claimed a software license on the victim’s machine had expired. A fee of $189 was required to “renew” the license and unlock the computer. The fee was paid by sending money to a post office box in Panama.

Today, the main type of ransomware is called “crypto” ransomware. This threat restricts access to a computer system by encrypting the victim’s files with strong public-key cryptography. A ransom is demanded to decrypt (i.e. unlock) the files.

One of the most widely known variants of crypto-ransomware is Cryptolocker. After it rose to prominence in late 2013, Cryptolocker grabbed headlines by attacking government agencies, businesses, and private homes. Even local police departments, such as the one in Swansea, MA, had to pay a ransom to unlock their files.

The original Cryptolocker is gone. It was isolated in a joint effort by law enforcement and the security community. Victims can even download decryption keys for free from www.decryptolocker.com. However, Cryptolocker has since been updated and replaced by newer and stronger variations.

The popularity and effectiveness of Cryptolocker inspired criminals to launch hundreds of thousands – perhaps even millions – of similar types of ransomware. Today, new threats such as CryptoWall, CryptoFortress, TorrentLocker, CTB-Locker, and many others continue to strong-arm money from victims.

In this report you will learn:
• How ransomware spreads
• How infection progresses
• Ransomware trends to come
• How to prevent ransomware from harming you

Note: This report was published in March 2015. Due to the rapidly evolving nature of malware, some of this information is subject to change.

How does ransomware spread?

Malicious email attachments
Email is the most common means of ransomware infection. The messages often arrive as notices for an invoice, voicemail, shipment, or other important, time-sensitive information. Infection typically begins when the user downloads and opens the email’s attachment. This affects both corporate email accounts and free personal accounts such as those offered by Gmail and Yahoo! Mail.

Drive-by downloads
Some ransomware variants are forced onto victims’ machines by drive-by downloads. This occurs when a victim visits a malicious website. Exploits are used to attack unpatched software on the victim’s machine and install the malware onto the system.

Malvertising
More recent ransomware variants have been found connected to advertisements on popular websites such as Yahoo!, AOL, The Atlantic, and Match.com. These ads sneak onto the sites through legitimate ad networks. Infection typically requires the victim to click on the ad. However, silent infections have occurred that required no interaction from the user.

Removable drives
Though less common, USB drives are another vector for some ransomware. The malware enters a machine once an infected drive is connected. In this case, the “drive” can also be a connected mobile device.

A typical infection scenario

It is difficult to speak generally about ransomware. The number of variants and their constant change make it difficult to describe them as a whole. One cannot say, “this is how all ransomware works,” because the threat is not that simple. With that caveat, here is how infection typically progresses:
• Infection begins with a “dropper” being installed on the victim’s machine.
• The dropper downloads and installs the full malware package.
• The malware searches the local machine and all mapped drives to find targeted files (such as images, PDFs, word processor documents, and other important file types).
• Communicating with a command-and-control server, often via the Tor anonymity network, the malware encrypts the files using strong public-key cryptography.
• Victims are then notified that their files are locked.
• A ransom is demanded, often from $100 to $600, to be paid in Bitcoins.
• Instructions are provided on how to acquire Bitcoins and pay.
• A deadline for the ransom payment is given, often from 48 to 96 hours.
• If the ransom is not paid, the ransom will increase or the decryption key will be destroyed. If the key is destroyed, the files are all but impossible to unlock without restoring from backup.

Decryption is impossible

Today’s ransomware typically locks files with 2048-bit RSA cryptography. The files can only be unlocked with a key that is stored on the ransomware’s control servers. Unlocking the files without the key is, for all practical purposes, impossible.

Once infected, a victim’s only hope of restoring access to the locked files is to pay the ransom or restore files from backup. Paying the ransom is not advised. First, it only encourages criminal organizations to continue extorting people with malware. Second, it does not guarantee the files will be unlocked.

The only responsible way to respond to a ransomware infection is to clean the system and restore files from backup. Backing up files and taking preventive measures are the best ways to combat this threat.

Note: Some people were able to unlock files encrypted by Cryptolocker, the well-known strain of ransomware that was isolated in June 2014. This occurred because law enforcement and security professionals were able to seize the malware’s servers. Though a fortunate turn of events, this is not expected to happen with other ransomware variants and is not something one should count on. Prevention is a far better choice.

The threat is evolving

Ransomware tactics continue to shift and improve as the months pass. Some variants allow victims to decrypt up to five files to “prove” that the malware can restore access. Others have increased ransoms from the equivalent of $24 to about $600. On the more technical side, the criminals constantly improve their means of infecting systems and avoiding detection. The number of ransomware variants and infections is on an upward trend, showing no signs of slowing.

How might the threat evolve in the coming months and years? Professor Alan Woodward of the University of Surrey Department of Computing told Forbes that today’s criminal organizations may take a page out of an old playbook: “The next step might well be the modern equivalent of protection rackets – threatening companies with being either taken offline or having their databases frozen unless they pay a regular fee.”

How to avoid a crypto crisis

Complete avoidance of malware is impossible. However, with the precautions listed in this section, organizations can greatly reduce their chances of infection and reduce the impact of an infection should one occur.

Educate users
The criminals who create ransomware and other malware are clever at thwarting security systems. They constantly refine their malicious emails and exploit kits to circumvent the latest means of stopping their crimes. Relying on technology alone to stop these actors is not enough. User education must be part of any program meant to prevent ransomware. A few areas to focus on:
• Highlight the warning signs of suspicious emails and suspicious websites.
• Teach the importance of software and network hygiene. Demonstrate the need for regular patching and policy review.
• Encourage users to separate their personal web use from their professional web use. Personal web browsing should not be conducted at work.
• To encourage compliance and support, explain why business networks and systems must be restricted. Not having administrative rights to one’s computer can be irritating, but if the person understands why this is necessary, it is much easier to support the effort and follow along.

Patch, patch, patch
Malware exploits weaknesses found in systems and software. The vendors of these systems eventually release patches to fix the vulnerabilities. However, the patches often have to be applied manually, so it is essential to regularly check for updates and apply them to stay secure. Always maintain the latest versions of your firewall, antivirus, operating systems, applications, and other systems. Routinely update as new patches become available, and update automatically if possible.

Filter malicious email
As mentioned earlier, ransomware primarily spreads through malicious email attachments. Some infections begin with a “.scr” file that arrives in a “.zip” or “.cab” email attachment, according to Société Générale CERT. Be sure to filter all incoming emails for content and attachments before they reach the end user.
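The attachment filter that the “Filter malicious email” section calls for, written out as an added example; it is not code from the Calyptix report. It walks a MIME message, flags attachments with an executable extension, and reads the member list of “.zip” attachments in memory (nothing is extracted) to catch the “.scr”-inside-a-zip pattern the report attributes to Société Générale CERT. The extension lists are an assumed policy, the sample “invoice” message is constructed inline, and because the Python standard library has no “.cab” parser, those archives are quarantined on extension alone.

```python
"""Inbound attachment filter for the email vector described in the report.

Added example (not from the Calyptix report). Flags executable attachments,
inspects zip archives without extracting them, and quarantines cab archives.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed policy list: extensions treated as executable content.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def _extension(name: str) -> str:
    """Lower-cased final extension, so 'Invoice.PDF.scr' yields '.scr'."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(data: bytes) -> list:
    """Return member names with an executable extension. Only the central
    directory is read; no member is extracted. Unreadable archives are
    reported so they are quarantined rather than silently passed through."""
    flagged = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if _extension(info.filename) in EXECUTABLE_EXTENSIONS:
                    flagged.append(info.filename)
    except zipfile.BadZipFile:
        flagged.append("<unreadable zip: quarantine>")
    return flagged


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message; return (attachment name, reason) findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ext = _extension(name)
        payload = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((name, "executable attachment"))
        elif ext == ".zip":
            for member in inspect_zip(payload):
                findings.append((name, f"zip contains executable member {member}"))
        elif ext == ".cab":
            # No stdlib parser for cab: hold it for manual inspection.
            findings.append((name, "cab archive: quarantine for manual inspection"))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: an 'overdue invoice' lure whose zip attachment
    carries a double-extension screensaver executable next to a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.scr", b"constructed placeholder, not a real binary")
        zf.writestr("readme.txt", b"harmless text")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Overdue invoice - action required"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, reason in scan_message(build_sample_message()):
        print(f"BLOCK {attachment}: {reason}")
```

Run it as a script to see the constructed lure being blocked; in a gateway, `scan_message` would be called on each inbound message and any finding would route the message to quarantine before it reaches the end user, as the report recommends.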