Ransomware and Recent Variants: My Experience with Ransomware
My experience with ransomware

First CryptoLocker, then CryptoWall 3.0. I have found the software to be elegant, simple and effective: it uses strong encryption and a fairly untraceable method of payment.

Why is ransomware on the increase?

The why is money. It is also known as crimeware-as-a-service (James Wyke, Senior Threat Researcher, Sophos):
https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-vawtrak-international-crimeware-as-a-service-tpna.pdf

Ransomware for all

No computer skills? The dark web to the rescue. A researcher at McAfee located Tox:
https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us/

Salient points:
- Tox is free. You just have to register on the site.
- Tox is dependent on Tor and Bitcoin. That allows for some degree of anonymity.
- The malware works as advertised. Out of the gate, the standard of anti-malware evasion is fairly high, meaning the malware's targets would need additional controls in place (HIPS, whitelisting, sandboxing) to catch or prevent it.
- Once you register for the product, you can create your malware in three simple steps: enter the ransom amount (the site takes 20% of the ransom), enter your "cause", and submit the captcha.

Ransomware knows no boundaries

Viruses used to be exclusively on PCs. Now ransomware can be deployed to PCs and Windows environments, tablets and phones, Android and iPhone.

Now Macs feel the pinch

Researchers at security firm Palo Alto Networks first detected the ransomware, dubbed KeRanger, on March 4. The malicious software was found in a corrupted download for the popular Mac BitTorrent client Transmission.
http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

Variants (as of April 4, 2016)

Variants, cont.

TorrentLocker and Cerber: The use of audio files as part of a ransomware attack isn't particularly new (Tobfy was doing it way back in 2014), but the rise of TTS through the popularity of Cortana, Siri and Android Now might see a new (easier) way for ransomware authors to annoy their victims into paying, if only to quiet the constant TTS announcement at every logon.

TeslaCrypt: TeslaCrypt ransomware has evolved quickly. In just over a year, malware creators have been able to release four versions of the ransomware, each more sophisticated than the last. If any weaknesses are found in TeslaCrypt 4.0, look for malware creators to move quickly in creating a new version addressing those weaknesses.

Clone, CryptoFortress: A new variant that can encrypt open drives via SMB without their being mapped.

Next level

- Drive-by ransomware, where the attack is initiated by visiting a website and the software installs itself, usually via unpatched Flash or Java.
  http://www.reuters.com/article/us-adobe-systems-cyber-ransomware-idUSKCN0X502K
- Ability to transmit data: databases, contacts.

My recent experience

Current environment: Windows 7. Symantec Endpoint Protection 12. WSUS for Windows updates, and manual updates for the rest of the software. WatchGuard and SonicWall firewalls with IDS and web blocker.

The phone call

The infection vector was e-mail. The first thing it does is disable AV. I am fortunate our users were aware and contacted me immediately. The machine was unplugged from the network. A network share was infected, but only about 1000 files, in less than 3 minutes. The files were deleted and restored from backups.

The outcome

I was able to keep the computer, and I used it as a test bed for different firewalls and antivirus products. SonicWall with intrusion detection was able to stop the request for the key, so encryption failed. The Barracuda web filter was able to stop the key request as well. Now some variants are coming with the key already attached, so blocking the key request does not stop them. Malwarebytes seemed to be able to shut it down faster than other antivirus software. One interesting thing I have found is that it only encrypts mapped drives, so using shortcuts to shares instead of drive mappings may be a better option.
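The "shortcuts to shares" idea from the outcome slide, worked through as an added example (this is not code from the original deck). It lists the drive letters mapped in the current session, drops a desktop shortcut to each UNC path, and then removes the mapping. It assumes a Windows 7 or later workstation, PowerShell 2.0 or later, and the standard WScript.Shell COM object; the share names in the comments are placeholders. The caveat is the one the Variants slide already gives: a variant that walks open shares over SMB without a drive letter (the CryptoFortress note) is not slowed down by this at all, so treat it as one layer, not a fix.

```powershell
# Added example, not from the original slides: replace mapped drive letters
# with desktop shortcuts to the same UNC paths, so that a variant which only
# walks drive letters does not see the share.
# Assumptions: Windows 7+ workstation, run as the logged-on user, WScript.Shell
# available (it is on every Windows build). Share paths below are placeholders.
# Caveat (from the deck's own Variants slide): variants that enumerate shares
# over SMB without a mapping, such as the CryptoFortress clone, are NOT stopped.

function Get-MappedDrives {
    # Win32_NetworkConnection lists the drive letters mapped for this session.
    # Connections without a letter have a null LocalName and are skipped.
    Get-WmiObject -Class Win32_NetworkConnection |
        Where-Object { $_.LocalName } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Letter = $_.LocalName     # e.g. "H:"
                Unc    = $_.RemoteName    # e.g. "\\fileserver\shared" (placeholder)
            }
        }
}

function New-ShareShortcut {
    param(
        [Parameter(Mandatory = $true)][string]$Unc,
        [string]$Folder = [Environment]::GetFolderPath('Desktop')
    )
    # Shortcut name derived from the path: \\fileserver\shared -> fileserver-shared.lnk
    $name  = ($Unc.TrimStart('\') -replace '\\', '-') + '.lnk'
    $path  = Join-Path $Folder $name
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($path)
    $lnk.TargetPath  = $Unc
    $lnk.Description = "Share (no drive letter): $Unc"
    $lnk.Save()
    return $path
}

function Convert-MappedDrivesToShortcuts {
    param([switch]$WhatIf)   # -WhatIf only reports; nothing is created or removed
    foreach ($d in Get-MappedDrives) {
        if ($WhatIf) {
            Write-Host "Would replace $($d.Letter) with a shortcut to $($d.Unc)"
            continue
        }
        $lnk = New-ShareShortcut -Unc $d.Unc
        Write-Host "Created $lnk for $($d.Letter) -> $($d.Unc)"
        # /delete drops the mapping; /yes answers the "open files" prompt.
        net use $d.Letter /delete /yes | Out-Null
    }
}

# Dry run first; rerun without -WhatIf once the list looks right.
Convert-MappedDrivesToShortcuts -WhatIf
```

The same shortcut can be pushed to every desktop with a Group Policy Preferences shortcut item instead of this script; the script is for the test-bed machine. Pair it with the "no write access on shares unless needed" point on the next slide, since a read-only share cannot be encrypted from that workstation however it is reached.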
* Most antivirus products were able to stop my variant within a week.

So what can we do?

User education

It all starts with communication. Your users start the spread of an infection, and they could stop it. Keep users informed of new threats, for work as well as for their home.

Restrict user permissions. Do not give write access on shares unless needed.

Layered security

The most common infection vector is e-mail.
- Block all webmail and outside mail access.
- I have an outside service check e-mail first. I use MXToolbox, but there are several services: MailRoute, AppRiver. The outside engine has a two-part feature: it checks for spam and viruses, and if office connectivity is lost it can spool e-mail.
- Next layer: I use a Barracuda spam/virus filter. It only receives e-mail from my mail service, not from other mail servers. Exchange only talks to the Barracuda; it has no outside connections.
- Outbound mail goes via smarthost to MXToolbox. This checks our outbound e-mail for spam and viruses, in case one did get in. This will stop us from being put on blacklists.

Restrict web access. No social media, no streaming, no shopping. We have recently locked it down further with the Barracuda web filter. In the Fairfield office you can only go to a few sites: the court website, PACER, our own website and FastSupport. We still do provide open internet for those who need it: we recycled two PCs and put them on a DMZ, outside of the production network. You can do whatever you want on those PCs.

Backups

I did mention BACKUPS. Back up everything consistently. Test backups. Keep multiple days and restore points. Backups will save your bacon.

Patch, patch, patch

It does not matter whether you use WSUS for Windows, use patch management software (2016 patch management review: http://www.capterra.com/patch-management-software/) or do it manually. JUST DO IT.

Software protection

- Anti-virus
- Anti-malware
- Intrusion detection system with suspicious activity monitor
- 3rd-party review of security

Resources:
https://www.us-cert.gov/
https://www.us-cert.gov/ncas/alerts/TA16-091A
https://nakedsecurity.sophos.com/
https://blog.knowbe4.com/
http://www.cert.org/
http://www.bleepingcomputer.com/
https://blogs.technet.microsoft.com/mmpc/2016/03/09/the-three-heads-of-the-cerberus-like-cerber-ransomware/
https://blogs.technet.microsoft.com/mmpc/2016/02/24/locky-malware-lucky-to-avoid-it/
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26383/en_US/McAfee_Labs_Threat_Advisory-Ransomware-Locky.pdf
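Going back to the Layered security slide: the mail path it describes (Internet, then the outside filtering service, then the Barracuda, then Exchange, with outbound mail leaving only through the smarthost) is enforced on the Exchange side with two connector settings. The following is an added example written for this page, not the author's actual configuration: it uses the Exchange Management Shell cmdlets New-ReceiveConnector, Set-ReceiveConnector, Get-SendConnector, Set-SendConnector and New-SendConnector. The Barracuda address, LAN range, smarthost name and server name are placeholders, and parameter names should be checked against the Exchange version in use.

```powershell
# Added example, not from the original slides: make Exchange accept Internet
# mail only from the Barracuda and send only through the smarthost.
# Assumed placeholders (not the author's real values):
$barracuda = '192.0.2.10'                    # inside address of the Barracuda filter
$lan       = '192.168.1.0/24'                # internal range allowed on the default connector
$smarthost = 'outbound.filter.example.net'   # smarthost run by the outside mail service
$server    = 'MAIL01'                        # Exchange server name

# 1. Inbound. The weak setting is the default receive connector, which listens on
#    0.0.0.0:25 and accepts SMTP from any remote IP. Narrow it to the LAN and add a
#    dedicated connector whose only permitted source is the Barracuda. Exchange
#    picks the connector with the most specific RemoteIPRanges match, so both can
#    share the same binding.
Get-ReceiveConnector -Server $server |
    Where-Object { $_.Name -like 'Default*' } |
    Set-ReceiveConnector -RemoteIPRanges @($lan)

New-ReceiveConnector -Name 'From Barracuda' -Server $server -Usage Internet `
    -Bindings '0.0.0.0:25' -RemoteIPRanges @($barracuda) `
    -PermissionGroups AnonymousUsers -MaxMessageSize 25MB

# 2. Outbound. Never deliver straight to the Internet via DNS; route the SMTP:*
#    address space to the smarthost so outgoing mail is scanned too (the slide's
#    "keeps us off blacklists" point). Reuse an existing Internet connector if one
#    exists, otherwise create it.
$internet = Get-SendConnector | Where-Object { $_.AddressSpaces -match 'SMTP:\*' }
if ($internet) {
    $internet | Set-SendConnector -SmartHosts $smarthost -DNSRoutingEnabled $false `
        -SmartHostAuthMechanism None
} else {
    New-SendConnector -Name 'To smarthost' -Usage Internet -AddressSpaces 'SMTP:*;1' `
        -SmartHosts $smarthost -DNSRoutingEnabled $false -SmartHostAuthMechanism None `
        -SourceTransportServers $server
}

# 3. Check: the only remote ranges on port 25 should be the LAN and the Barracuda,
#    and the only SMTP:* send connector should point at the smarthost with DNS
#    routing off.
Get-ReceiveConnector -Server $server |
    Format-Table Name, Bindings, RemoteIPRanges -AutoSize
Get-SendConnector |
    Format-Table Name, AddressSpaces, SmartHosts, DNSRoutingEnabled -AutoSize
```

The connector change is only half of the slide's layering: the perimeter firewall should also allow TCP/25 to Exchange from the Barracuda alone, so that a misconfigured connector is not the only thing standing between the Internet and the mailbox server.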