
EFFECTIVE RESPONSES UNDERSTANDING RANSOMWARE AND HOW TO SUCCESSFULLY COMBAT IT

WHITE PAPER CONTENTS

Preface 3

About Ransomware 4

Damage by Ransomware 4

Encryption of corporate and personal documents and data 4

Secondary and tertiary damage 5

Disclosure of confidential or proprietary information during restoration attempts 5

Severity of Ransomware 5

Ransomware Response Strategy 1: Identify Attack Mechanisms 6

Infection via email 8

Ransomware Response Strategy 2: Implement Advanced Security Solutions 7

Email security is the first line of defense 7

Why FireEye Works 8

Conclusion 8

WHITE PAPER / EFFECTIVE RANSOMWARE RESPONSES

PREFACE

The M-Trends 2017 Annual Threat Report1 indicates that Mandiant investigators observed increased risk awareness from media coverage of ransomware. In a particularly high-profile case, a widespread ransomware worm, aka WannaCrypt or Wcry, exploded across 74 countries. Parts of Britain’s National Health Service (NHS), Spain’s Telefonica, FedEx and Deutsche Bahn were hit, along with many other companies in countries worldwide.

Most ransomware attacks target either the confidentiality or availability of data. Targeted organizations are threatened with the public release of sensitive data while targets of opportunity are typically infected with commodity ransomware such as Cerber or Locky.

Ransomware operators have infected victims worldwide using their native languages. This type of malware has primarily affected Windows operating systems, but in recent years, ransomware has been developed to affect other operating systems, such as Android (Simplocker)3 and Mac OS X (KeRanger).4 Organizations have a pressing reason to exercise caution against ransomware due to its expanding and widespread distribution and popularity5 among malicious actors.

1 Mandiant, a FireEye company. “M-Trends 2017.” March 2017.
2 The Register. “74 countries hit by NSA-powered WannaCrypt ransomware backdoor.” May 13, 2017.
3 WeLiveSecurity.com. “ESET Analyzes Simplocker – First Android File-Encrypting, -enabled Ransomware.” June 4, 2014.
4 WeLiveSecurity.com. “New Mac ransomware appears: KeRanger, spread via Transmission app.” March 7, 2016.
5 PCMag.com. “The Growing Threat of Ransomware.” April 13, 2016.


About Ransomware

Ransomware is a type of malware that renders the victim’s computer or specific files unusable or unreadable, and demands a ransom from the victim in return for a cryptographic key which can be used to restore the computer or decrypt the encrypted files.

Once it infects a target system, modern ransomware encrypts a targeted group of critical files, making them unavailable to the user. It then displays instructions for the payment required to restore access to the files. Online virtual currencies such as PayPal and Bitcoin are the preferred methods of payment because they are not easily traceable.

The impact of ransomware is immediate, compared to stealthier malware. There is growing concern about the complex effects of ransomware on organizations, which include monetary damage and business downtime.

Damage by Ransomware

There are three main types of damage caused by ransomware.

Figure 1. Types of damage caused by ransomware. [Diagram; the recoverable labels follow.]

Panels: Encryption of corporate and personal documents and data (primary victim’s PC, reached from the Internet via web exploit or spam mail); Secondary and tertiary damage (encryption of file servers, shared PCs and the corporate shared server); Disclosure of information during restoration attempts (file restoration service, competitor).

• Ransomware is introduced via routes including email and web, and encrypts corporate/personal documents/data.

• File servers / shared PCs are exposed to secondary/tertiary damage via network drives, etc.

• Confidential documents could get leaked via file decryption service providers.

Encryption of corporate and personal documents and data

Ransomware encrypts important documents and data on a system to render them inaccessible to an organization or individual. Since the encrypted files cannot be restored with off-the-shelf security solutions, the victim must either pay the ransom to the attacker or use pre-existing backups to restore the files. In limited cases, flaws in ransomware encryption implementation can also be identified and used to recover data. However, many popular ransomware families only encrypt files after receiving a response or public RSA key from the attacker’s command-and-control server. This trend means that blocking control server traffic may prevent encryption.

In many cases, complete recovery is nearly impossible without the attacker’s decryption key. Once a computer gets infected with ransomware, damage is almost always instantaneous and unavoidable because data on that computer is, at least temporarily, unusable.

Secondary and tertiary damage

Ransomware can cause secondary or tertiary damage through equipment such as file servers or network share devices. If the initial victim’s computer is connected to such devices, the ransomware will often encrypt the entire shared resource.

In ransomware campaigns, malicious actors can spread ransomware to new victims within infected organizations. Popular tools used to download ransomware also steal email credentials, and attackers use compromised email accounts to further distribute ransomware.

Through these two proliferation mechanisms, a single infected PC can introduce ransomware to an entire enterprise and cause significant damage.

Disclosure of confidential or proprietary information during restoration attempts

Malicious actors may try to steal data from (or otherwise abuse) systems that have been affected by ransomware. In multiple cases, threat actors have been observed deploying ransomware alongside capabilities that steal data. Infections with fraud-enabling malware often serve as a foothold for the attacker to perform a variety of monetization actions.

Severity of Ransomware

The volume and variety of ransomware is growing and causing more damage. Attackers are also becoming more flagrant, threatening to corrupt confidential files or publish them online if the ransom is not paid by a specified time.

FireEye regularly identifies and announces the discovery of new variations of ransomware. FireEye Threat Intelligence observed a highly prolific WannaCry ransomware campaign impacting organizations globally. In 2016, CryptXXX was one of the top five ransomware variants. Cerber and Locky ransomware infections spread both via email and exploit kits, but the majority, especially Locky, are distributed via email.

CryptoWall generated illegal gains of $1 million over a six-month period in 2015. FireEye estimated that TeslaCrypt took home $76,522 USD between February 7 and April 28, 2015.

Cyber attacks that use ransomware are expected to increase in the next few years. They are fairly easy to deploy even for novice computer users worldwide.

Five examples of ransomware variations FireEye detects

Cerber: In June 2016, a campaign was detected that distributed it with a malicious Word document attached.

Locky: Began spreading in early 2016 using the same mass distribution channels as the credential theft malware. In August 2017, massive email campaigns affected numerous industries, with healthcare being the hardest hit.

WannaCrypt: A well-coordinated ransomware attack wreaked havoc in 2017 using a piece of malware. Also known as WannaCry, it exploits a vulnerability in Microsoft’s Server Message Block (SMB) protocol.

Jaff: Ransomware that burst onto the scene in May 2017, flooding networks with high-volume email spam campaigns via the Necurs botnet. The spam includes a PDF attachment with an embedded Word document containing a malicious VBA macro that downloads the malware from one of multiple domains.

TeslaCrypt: First discovered in February 2015, this ransomware encrypts various types of files, including online games. The malware uses multiple tactics to reduce victims’ chances of blocking or easily remediating infections. These include encrypting files regardless of whether a connection to the control server can be established, and deleting local “shadow copies” that can be used for data or system recovery.
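The secondary-damage passage above notes that a single infected PC will often encrypt an entire file server or network share. A cheap way to catch that early is to plant canary documents on the share and watch both for changes to them and for files whose byte entropy suddenly looks like ciphertext. The script below is an added example written for this page, not FireEye's code or a product feature; the share is a temporary directory, the canary names and the "encryptor" that overwrites files with random bytes are constructed for the demonstration, and the 7.5 bits-per-byte threshold is an assumption chosen to separate ordinary documents from encrypted output.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Constructed canary names: one sorts to the top of a listing, one to the bottom,
# a common placement so that a walk of the directory in either order touches a canary early.
CANARY_NAMES = ["00_README_first.docx", "zz_archive_index.xlsx"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain documents sit well below 7, encrypted output sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def seed_canaries(share: Path) -> dict:
    """Write canary documents into the share and record their hashes as the baseline."""
    baseline = {}
    for name in CANARY_NAMES:
        p = share / name
        p.write_bytes((b"CANARY " + name.encode() + b" - do not modify\n") * 64)
        baseline[name] = sha256_of(p)
    return baseline


def check_share(share: Path, baseline: dict, entropy_threshold: float = 7.5) -> dict:
    """Report canaries that were changed, renamed or removed, and files that now look encrypted."""
    tampered = [
        name for name, digest in baseline.items()
        if not (share / name).exists() or sha256_of(share / name) != digest
    ]
    high_entropy = []
    for p in share.iterdir():
        if p.is_file():
            data = p.read_bytes()
            # Skip tiny files: an entropy estimate over a few bytes is noise.
            if len(data) >= 256 and shannon_entropy(data) >= entropy_threshold:
                high_entropy.append(p.name)
    return {
        "tampered_canaries": tampered,
        "high_entropy_files": sorted(high_entropy),
        "alert": bool(tampered or high_entropy),
    }


def demo() -> dict:
    """Constructed scenario: seed a share, then mimic an encryptor rewriting files with random bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        baseline = seed_canaries(share)
        (share / "quarterly_report.txt").write_text("Q1 revenue summary\n" * 200)
        assert check_share(share, baseline)["alert"] is False  # clean baseline

        # Simulated secondary damage: a document and one canary are overwritten with
        # random data, and the document is renamed, the pattern the check is meant to catch.
        (share / "00_README_first.docx").write_bytes(os.urandom(4096))
        (share / "quarterly_report.txt").write_bytes(os.urandom(4096))
        (share / "quarterly_report.txt").rename(share / "quarterly_report.txt.locked")
        return check_share(share, baseline)


if __name__ == "__main__":
    print(demo())
```

On a real share the baseline would be stored off the share (a tampered host can rewrite anything it can reach), and check_share would run from a monitoring host on a schedule; a tripped canary is also the cue to disconnect the share from the suspected primary victim before the rest of the files are touched.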

Ransomware Response Strategy 1: Identify Attack Mechanisms

There is no single solution to the increasing threat of ransomware. The victim typically either pays the ransom and hopes the problem stops there or risks significant business disruption while they attempt to self-recover.

Paying attackers for decryption is not a real solution. Paying them not only creates a financial burden on the victim organization, but also directly rewards attackers with money and motivation for further attacks. Further, paying a ransom doesn’t guarantee the attacker will provide the key needed to restore the computer or decrypt the encrypted files. Law enforcement agencies make no recommendations when it comes to dealing with a ransomware demand. Instead, their advice emphasizes prevention and contingency planning.6

Generally speaking, preventing ransomware infections requires updating the OS and application programs to the latest versions and exercising caution when accessing news, advertisement and other websites with security loopholes. Enhancing email security to block phishing emails can stop many attacks before they occur. In the event of an infection, regular backups can help mitigate damage and accelerate recovery time.

Organizations should intensify efforts to identify the exact intrusion mechanisms of ransomware and implement email security with advanced threat protection that could protect critical corporate information from ransomware attacks. A sound security strategy must thoroughly analyze the attack mechanisms of ransomware and assess security measures that could mitigate ransomware damage.

Infection via email

Ransomware infects systems via email. In fact, most reported ransomware infections were introduced via email. According to a report by the Cyber Threat Alliance (CTA),7 CryptoWall 3.0, which caused $325 million damage worldwide, was distributed through attacks via email (67.3%) and exploit kits (30.7%).

When introduced via email, ransomware is delivered through attachments such as compressed files, document files and html files or through links in the email message or a document attachment. Attackers often get the user to execute the file or click on the link through social engineering techniques rather than system vulnerabilities.

Behavior-based analysis is effective against email-delivered ransomware. Behavior analysis makes it possible to proactively block avenues of attack to minimize damage or infection.
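The paragraph above says behavior-based analysis is what works against email-delivered ransomware, and the sidebar earlier gives two concrete behaviors to key on: the Jaff lure's Word document running a VBA macro that fetches the payload, and TeslaCrypt deleting local shadow copies. The following is an added example, not FireEye's code and not the MVX engine, of how those two behaviors become host-level detection rules run over process-creation events. The pipe-delimited log format and every line in SAMPLE_LOG are constructed for the example; the field order mirrors what an EDR or Sysmon process-creation event carries.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed log format for this example: timestamp|host|parent_image|image|command_line

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
# Command lines that remove the local recovery path (Volume Shadow Copies / backup catalog).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
]


@dataclass
class ProcessEvent:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> ProcessEvent:
    # maxsplit=4 keeps any '|' inside the command line intact.
    ts, host, parent, image, cmdline = line.rstrip("\n").split("|", 4)
    return ProcessEvent(ts, host, parent.lower(), image.lower(), cmdline)


def evaluate(ev: ProcessEvent) -> List[str]:
    """Return the names of every rule the event trips."""
    hits = []
    # Rule 1: an Office application spawning a script host, the macro-dropper pattern.
    if ev.parent in OFFICE_APPS and ev.image in SCRIPT_HOSTS:
        hits.append("office-spawned-script-host")
    # Rule 2: shadow copy deletion; 'vssadmin list shadows' and similar read-only use do not match.
    if any(p.search(ev.cmdline) for p in SHADOW_DELETE_PATTERNS):
        hits.append("shadow-copy-deletion")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every rule over every line and return (timestamp, host, rule) for each hit, in log order."""
    return [(ev.ts, ev.host, rule) for ev in map(parse_line, lines) for rule in evaluate(ev)]


# Constructed sample: one workstation opens a macro document, then the chain that follows,
# plus two benign events (an administrator listing shadow copies, a scheduled inventory script).
SAMPLE_LOG = [
    '2017-05-12T09:14:03Z|WS-0142|explorer.exe|winword.exe|"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" /n invoice.docm',
    "2017-05-12T09:14:09Z|WS-0142|winword.exe|powershell.exe|powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <redacted>",
    "2017-05-12T09:14:20Z|WS-0142|powershell.exe|vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "2017-05-12T09:30:00Z|WS-0142|services.exe|vssadmin.exe|vssadmin.exe list shadows",
    "2017-05-12T09:31:00Z|WS-0142|explorer.exe|powershell.exe|powershell.exe -File C:\\Scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for ts, host, rule in scan(SAMPLE_LOG):
        print(f"{ts} {host} {rule}")
```

Two hits on the same host eleven seconds apart is the signal worth paging on; either rule alone is noisier (macros that legitimately call scripts, backup jobs that rotate shadow copies), so a production rule would correlate them per host within a short window rather than alert on each line.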

Figure 2. How ransomware infects victims via email. [Diagram: ransomware distributor → user → callback server; activated malicious code triggers the callback.]

INFECTION USING EMAIL

• Infection attempts using file attachments, malicious links, etc.

• Infection attempts using various file types

• Getting user to activate code using social engineering techniques

6 Cyber Threat Alliance. “Lucrative Ransomware Attacks: Analysis of the Cryptowall Version 3 Threat.” October 2015.
7 Techworld. “The 7 best ransomware removal tools – how to clean up Cryptolocker, CryptoWall and extortion malware.” October 8, 2015.

Ransomware Response Strategy 2: Implement Advanced Security Solutions

Security firms are quickly launching solutions designed to fight the increasing impact of ransomware. However, many “best of” solutions8 focus on file backups or detecting specific strains of ransomware. They generally do not provide clear information on how attacks find their way to a target’s computer, or how to effectively block the attacks.

FireEye Email Security provides visibility over the ransomware attack process. It presents a security strategy for effective response based on the ransomware’s intrusion path.

Email security is the first line of defense

An email security solution detects and blocks ransomware that is distributed through email attachments and embedded malicious links.

The majority of ransomware enters an organization using email as a vehicle, usually in the form of spear phishing. Spear phishing is one of the preferred attack strategies because it’s difficult to detect. Its reliance on social engineering gives it a high rate of success — it can fool even security professionals and high-level technology managers. All it takes is one email to activate ransomware and lock valuable assets.

FireEye Email Security can block these malicious emails by executing and analyzing suspicious email file attachments and inline URLs. It can be implemented either on-premises with EX Series appliances, or via the cloud with Email Threat Protection Cloud (ETP). When FireEye Email Security is deployed inline to SMTP traffic, it can automatically detect and block ransomware before it reaches the end user, preventing malicious data encryption. (Fig. 3)
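The two strategy sections describe the inputs an inline email gateway works from: attachments of the types the paper lists (compressed files, document files, html files, the Jaff PDF-with-embedded-Word lure) and inline URLs, with a hold-or-deliver decision taken before the message reaches the user. The script below is an added example of that first triage stage, written for this page; it is not FireEye's code and does not model the MVX detonation that follows a hold. The example.invalid addresses, the lure message and the docm container it builds are constructed; the container carries a placeholder vbaProject.bin entry, not a real VBA project, which is enough to show how macro presence is detected structurally rather than by signature.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types the paper names as ransomware carriers, plus common script carriers.
RISKY_EXTENSIONS = {
    "zip": "archive", "rar": "archive", "7z": "archive",
    "doc": "office", "docm": "office", "xls": "office", "xlsm": "office",
    "pdf": "document", "html": "html", "htm": "html",
    "js": "script", "vbs": "script", "wsf": "script",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def has_vba_macro(data: bytes) -> bool:
    """Office Open XML files are zip containers; a vbaProject.bin entry means an embedded VBA project."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_message(raw: bytes) -> dict:
    """Classify a raw RFC 5322 message: hold it for deeper analysis or deliver it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        category = RISKY_EXTENSIONS.get(ext)
        if category:
            data = part.get_payload(decode=True) or b""
            findings.append({"attachment": name, "category": category, "macro": has_vba_macro(data)})
    body = msg.get_body(preferencelist=("html", "plain"))
    urls = URL_RE.findall(body.get_content()) if body else []
    # Inline links are held as well: Figure 2 lists them beside attachments as an infection route.
    verdict = "hold" if findings or urls else "deliver"
    return {"verdict": verdict, "attachments": findings, "urls": urls}


def build_sample_message(with_lure: bool = True) -> bytes:
    """Constructed messages: a lure with an HTML link and a macro-enabled Word attachment, or a benign note."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice overdue"
    if with_lure:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)  # placeholder, not a real VBA project
        msg.set_content("<p>Your invoice is attached or at http://example.invalid/invoice</p>", subtype="html")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    else:
        msg.set_content("Minutes from today's meeting are attached.")
    msg.add_attachment(b"Thanks,\nAccounts\n", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message(with_lure=True)))
    print(triage_message(build_sample_message(with_lure=False)))
```

Extension-based classification is deliberately the coarse first pass: a docm renamed to .txt would slip through it, which is why has_vba_macro looks at the bytes rather than the name, and why a held message then goes to detonation rather than being judged on these fields alone.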

Figure 3. How FireEye Email Security detects and blocks email-based ransomware attacks. [Diagram: ransomware distributor → anti-spam → FireEye Email Security appliance (MTA mode) → user; blocking the ransomware introduction prevents further command and control access to the callback server.]

Why FireEye Works

At the core of FireEye Email Security is the FireEye Multi-Vector Virtual Execution™ (MVX) engine which executes and analyzes files in a virtual environment. It operates far beyond the capabilities of common sandboxing technology. The MVX engine uses a proprietary, custom-built hypervisor for multi-level detection to analyze suspicious code within multiple combinations of operating systems, application programs, web browsers and plug-ins to detect and block cyber threats in real time. The technology provides effective and impactful analysis and detection even for previously unknown patterns, or zero-day threats. In fact, FireEye has discovered two times more zero-day threats than other security companies.

With real-time visibility over virtually the entire lifecycle of a ransomware attack, from intrusion to infection, the MVX engine allows the user to establish fast, effective responses.

Conclusion

The threat of ransomware attacks is more real than ever. Incidents involving ransomware continue to grow, along with ransomware-caused damage such as significant financial cost and business downtime. Ransomware creators continue to pursue new tactics and develop new variations of their malicious code. And the countless variations of ransomware often go undetected by antivirus software.

Once infected with ransomware, organizations should expect significant damage. Advanced detection and prevention are the best defense. You have an advantage in the battle if you know yourself and know your enemy. This is also true for cybersecurity. To reduce the chance of a ransomware attack, organizations need visibility into their internal system security levels and a strong understanding of the attacker tools, tactics and procedures.

Damage from ransomware attacks is rapidly increasing because it is difficult to identify distribution sites. FireEye combines its technology and decades of security expertise to reliably identify harmful websites and gives customers the information and support needed to deter email-based attacks that use these sites.

For information about FireEye protection and response solutions used by thousands of government agencies and enterprises of all sizes around the world, visit www.phoenixdatacom.com/etp.

For more information on FireEye, visit: www.phoenixdatacom.com/etp

Sold & supported in the UK & Ireland by Phoenix Datacom Tel: 01296 397711 | Email: [email protected] | Web: www.phoenixdatacom.com

ABOUT FIREEYE, INC. FireEye is the leader in intelligence-led security-as-a-service. Working as a seamless, scalable extension of customer security operations, FireEye offers a single platform that blends innovative security technologies, nation-state grade threat intelligence and world-renowned Mandiant® consulting. With this approach, FireEye eliminates the complexity and burden of cyber security for organizations struggling to prepare for, prevent and respond to cyber attacks. FireEye has over 5,000 customers across 67 countries, including more than 940 of the Forbes Global 2000.

FireEye, Inc. 1440 McCarthy Blvd. Milpitas, CA 95035 408.321.6300 / 877.FIREEYE (347.3393) / [email protected] www.FireEye.com

© 2017 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. WP.ERR.EN-US.062017