
EFFECTIVE RANSOMWARE RESPONSES
UNDERSTANDING RANSOMWARE AND HOW TO SUCCESSFULLY COMBAT IT
WHITE PAPER

CONTENTS
Preface 3
About Ransomware 4
  Damage by Ransomware 4
    Encryption of corporate and personal documents and data 4
    Secondary and tertiary damage 5
    Disclosure of confidential or proprietary information during restoration attempts 5
  Severity of Ransomware 5
Ransomware Response Strategy 1: Identify Attack Mechanisms 6
  Infection via email 8
Ransomware Response Strategy 2: Implement Advanced Security Solutions 7
  Email security is the first line of defense 7
  Why FireEye Works 8
Conclusion 8

WHITE PAPER / EFFECTIVE RANSOMWARE RESPONSES 2

PREFACE

The M-Trends 2017 Annual Threat Report[1] indicates that Mandiant investigators observed increased risk awareness from media coverage of ransomware. In a particularly high-profile case, a widespread ransomware worm, aka WannaCrypt or Wcry, exploded across 74 countries.[2] Parts of Britain's National Health Service (NHS), Spain's Telefonica, FedEx and Deutsche Bahn were hit, along with many other countries and companies worldwide.

Most ransomware attacks target either the confidentiality or availability of data. Targeted organizations are threatened with the public release of sensitive data, while targets of opportunity are typically infected with commodity ransomware such as Cerber or Locky. Ransomware operators have infected victims worldwide using their native languages. This type of malware has primarily affected Windows operating systems, but in recent years ransomware has been developed to affect other operating systems, such as Android (Simplocker)[3] and Mac OS X (KeRanger).[4] Organizations have a pressing reason to exercise caution against ransomware due to its expanding and widespread distribution and popularity[5] among malicious actors.

1 Mandiant, a FireEye company. "M-Trends 2017." March 2017.
2 The Register. "74 countries hit by NSA-powered WannaCrypt ransomware backdoor." May 13, 2017.
3 WeLiveSecurity.com. "ESET Analyzes Simplocker – First Android File-Encrypting, TOR-enabled Ransomware." June 4, 2014.
4 WeLiveSecurity.com. "New Mac ransomware appears: KeRanger, spread via Transmission app." March 7, 2016.
5 PCMag.com. "The Growing Threat of Ransomware." April 13, 2016.

"The impact of ransomware is immediate, compared to stealthier malware used in advanced attacks."

About Ransomware

Ransomware is a type of malware that renders the victim's computer or specific files unusable or unreadable, and demands a ransom from the victim in return for a cryptographic key which can be used to restore the computer or decrypt the encrypted files.

Once it infects a target system, modern ransomware encrypts a targeted group of critical files, making them unavailable to the user. It then displays instructions for the payment required to restore access to the files. Online virtual currencies such as PayPal and Bitcoin are the preferred methods of payment because they are not easily traceable.

The impact of ransomware is immediate, compared to stealthier malware. There is growing concern about the complex effects of ransomware on organizations, which include monetary damage and business downtime.

Damage by Ransomware

There are three main types of damage caused by ransomware.

[Figure 1. Types of damage caused by ransomware. Three panels, each showing the infection path from the primary victim's PC (via spam mail or web exploit from the Internet) outward to a shared PC, a file server or corporate shared server, and a file restoration service reachable by a competitor.]
  Panel 1: Encryption of corporate and personal documents and data
    • Ransomware is introduced via routes including email and web, and encrypts corporate/personal documents/data.
  Panel 2: Secondary and tertiary damage (encryption of file servers)
    • File servers / shared PCs are exposed to secondary/tertiary damage via network drives, etc.
  Panel 3: Disclosure of information during restoration attempts
    • Confidential documents could get leaked via file decryption service providers.
Encryption of corporate and personal documents and data

Ransomware encrypts important documents and data on a system to render them inaccessible to an organization or individual. Since the encrypted files cannot be restored with off-the-shelf security solutions, the victim must either pay the ransom to the attacker or use pre-existing backups to restore the files. In limited cases, flaws in a ransomware family's encryption implementation can also be identified and used to recover data. However, many popular ransomware families only encrypt files after receiving a response or public RSA key from the attacker's command-and-control server. This trend means that blocking control server traffic may prevent encryption.

In many cases, complete recovery is nearly impossible without the attacker's decryption key. Once a computer gets infected with ransomware, damage is almost always instantaneous and unavoidable because data on that computer is, at least temporarily, unusable.

Secondary and tertiary damage

Ransomware can cause secondary or tertiary damage through equipment such as file servers or network share devices. If the initial victim's computer is connected to such devices, the ransomware will often encrypt the entire shared resource.

In ransomware campaigns, malicious actors can spread ransomware to new victims within infected organizations. Popular tools used to download ransomware also steal email credentials, and attackers use compromised email accounts to further distribute ransomware.

Through these two proliferation mechanisms, a single infected PC can introduce ransomware to an entire enterprise and cause significant damage.

Five examples of ransomware variations FireEye detects

Cerber: In June 2016, a campaign was detected that distributed emails with a malicious Microsoft Word document attached.

Locky: Began spreading in early 2016 using the same mass distribution channels as the Dridex credential theft malware. In August 2017, massive email campaigns affected numerous industries, with healthcare being the hardest hit.

WannaCrypt: A well-coordinated ransomware attack wreaked havoc in 2017 using a piece of malware. Also known as WannaCry, it exploits a vulnerability in Microsoft's Server Message Block (SMB) protocol.

Jaff: Ransomware that burst onto the scene in May 2017, flooding networks with high-volume email spam campaigns via the Necurs botnet. The spam includes a PDF attachment with an embedded Word document containing a malicious VBA macro that downloads the payload from one of multiple domains.

TeslaCrypt: First discovered in February 2015, this ransomware encrypts various types of files, including online games.

Disclosure of confidential or proprietary information during restoration attempts

Malicious actors may try to steal data from (or otherwise abuse) systems that have been affected by ransomware. In multiple cases, threat actors have been observed deploying ransomware alongside capabilities that steal data. Infections with fraud-enabling malware often serve as a foothold for the attacker to perform a variety of monetization actions.

Severity of Ransomware

The volume and variety of ransomware is growing and causing more damage. Attackers are also becoming more flagrant, threatening to corrupt confidential files or publish them online if the ransom is not paid by a specified time.

FireEye regularly identifies and announces the discovery of new variations of ransomware. FireEye Threat Intelligence observed a highly prolific WannaCry ransomware campaign impacting organizations globally. In 2016, CryptXXX was one of the top five ransomware variants. Cerber and Locky ransomware infections spread both via email and exploit kits, but the majority, especially Locky, are distributed via email.

CryptoWall generated illegal gains of $1 million over a six-month period in 2015. FireEye estimated that the TeslaCrypt hackers took home $76,522 USD between February 7 and April 28, 2015.

Cyber attacks that use ransomware are expected to increase in the next few years. They are fairly easy to deploy, even for novice computer users worldwide. The malware uses multiple tactics to reduce victims' chances of blocking or easily remediating infections. These include encrypting files regardless of whether a connection to the control server can be established, and deleting local "shadow copies" that can be used for data or system recovery.

Ransomware Response Strategy 1: Identify Attack Mechanisms

There is no single solution to the increasing threat of ransomware. The victim typically either pays the ransom and hopes the problem stops there, or risks significant business disruption while attempting to self-recover.

Paying attackers for decryption is not a real solution. Paying them not only creates a financial burden on the victim organization, but also directly rewards attackers with money and motivation for further attacks. Further, paying a ransom doesn't guarantee the attacker will provide the key needed to restore the computer or decrypt the encrypted files. Law enforcement

Organizations should intensify efforts to identify the exact intrusion mechanisms of ransomware and implement email security with advanced threat protection that could protect critical corporate information from ransomware attacks. A sound security strategy must thoroughly analyze the attack mechanisms of ransomware and assess security measures that could mitigate ransomware damage.

Infection via email

Ransomware infects systems via email. In fact, most reported ransomware infections were introduced via email. According to a report by the Cyber Threat Alliance (CTA),[7] CryptoWall 3.0, which caused $325 million damage
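The "Secondary and tertiary damage" section above notes that a single infected PC connected to a file server or network share will often encrypt the entire shared resource. One way a defender can catch that from the server side is to watch the share's audit trail for a burst of distinct files rewritten by one client in a short window, something ordinary users rarely do. The following is an added example written for this page, not code from the white paper or from FireEye; the log format, host names, user names and thresholds are all constructed for the illustration.

```python
"""Sliding-window burst detector for mass file modification on a share.

Added example (not from the white paper). It runs over constructed
file-server audit lines in the format
    <ISO time> <client> <user> <action> <path>
and raises one alert per client the first time that client touches at
least THRESHOLD distinct files within WINDOW, the pattern produced when
ransomware on a workstation starts encrypting a mapped network drive.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # how far back the per-client window reaches
THRESHOLD = 25                   # distinct files within WINDOW that trigger an alert


def build_sample_log() -> list:
    """Constructed audit log: one normal user plus one workstation encrypting a share."""
    base = datetime(2017, 6, 12, 9, 0, 0)
    lines = []
    # Normal activity: WS-002 edits four reports spread over six minutes.
    for i in range(4):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} WS-002 asmith WRITE finance/report_{i}.docx")
    # Infected workstation: WS-017 rewrites and renames 30 files in 30 seconds.
    for i in range(30):
        t = base + timedelta(minutes=3, seconds=i)
        lines.append(f"{t.isoformat()} WS-017 jdoe WRITE hr/employee_{i:02d}.xlsx")
        lines.append(f"{t.isoformat()} WS-017 jdoe RENAME hr/employee_{i:02d}.xlsx")
    lines.sort()  # ISO timestamps sort correctly as text
    return lines


def parse(line: str):
    """Split one audit line into (timestamp, client, user, action, path)."""
    ts, client, user, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), client, user, action, path


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD) -> list:
    """Return alerts for clients that modify >= threshold distinct files within window."""
    recent = defaultdict(deque)   # client -> deque of (timestamp, path) inside the window
    alerted = set()               # clients already reported, to avoid repeats
    alerts = []
    for line in sorted(lines):
        ts, client, user, action, path = parse(line)
        if action not in ("WRITE", "RENAME"):
            continue              # reads and directory listings are not encryption signals
        q = recent[client]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop events that fell out of the window
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and client not in alerted:
            alerted.add(client)
            alerts.append({
                "client": client,
                "user": user,
                "first": q[0][0],   # start of the burst
                "last": ts,         # moment the threshold was crossed
                "files": len(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(f"ALERT {alert['client']} ({alert['user']}) modified {alert['files']} "
              f"files between {alert['first']} and {alert['last']}")
```

On the constructed log the detector stays silent for the normal user and fires for WS-017 at 09:03:24, 25 seconds into its burst, which is early enough for an operator to disconnect the workstation's session before the rest of the share is touched. Tuning WINDOW and THRESHOLD against a baseline of real activity is what makes the heuristic usable; the values here are illustrative.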
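The "Infection via email" section and the Cerber and Jaff descriptions above point at the same delivery pattern: a mail attachment that is either a Word document carrying a VBA macro or a PDF wrapping such a document. The example below, added for this page and not taken from the white paper or from FireEye, shows the checks a mail gateway or analyst script can run on attachments before they reach a user: flag directly executable types, open Office containers and look for a VBA project regardless of what the extension claims, and flag PDF files that declare embedded files or active content. The message, file names and addresses are constructed; the "documents" are minimal stubs built only to exercise the checks.

```python
"""Attachment triage for ransomware delivery patterns described in the paper.

Added example, not code from the white paper or from FireEye. It builds a
constructed message with two suspicious attachments and reports findings a
defender would want before the mail is delivered.
"""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Types that execute directly when opened and rarely belong in business mail.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                    ".jar", ".bat", ".cmd", ".ps1", ".lnk"}
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
OOXML_EXTENSIONS = MACRO_EXTENSIONS | {".docx", ".xlsx", ".pptx"}
# PDF dictionary keys that give a document hidden payloads or active behaviour.
PDF_MARKERS = (b"/EmbeddedFile", b"/JavaScript", b"/Launch", b"/OpenAction")


def triage_attachment(filename: str, data: bytes) -> list:
    """Return human-readable findings for one attachment (empty list = nothing notable)."""
    findings = []
    ext = os.path.splitext(filename.lower())[1]
    if ext in RISKY_EXTENSIONS:
        findings.append(f"{filename}: directly executable attachment type {ext}")
    if ext in MACRO_EXTENSIONS:
        findings.append(f"{filename}: macro-enabled Office extension {ext}")
    if ext in OOXML_EXTENSIONS:
        # OOXML is a ZIP container; a VBA project is stored as <app>/vbaProject.bin
        # even when the extension (.docx) claims a macro-free document.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            findings.append(f"{filename}: extension claims an Office document but content is not a ZIP container")
            names = []
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append(f"{filename}: contains a VBA project (embedded macro)")
    if ext == ".pdf" or data.startswith(b"%PDF"):
        for marker in PDF_MARKERS:
            if marker in data:
                findings.append(f"{filename}: PDF uses {marker.decode()}")
    return findings


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and triage every attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        findings.extend(triage_attachment(name, data))
    return findings


def build_sample_message() -> bytes:
    """Constructed message with two suspicious attachments (synthetic stubs, not real documents)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Invoice 88213"
    msg.set_content("Please find the invoice attached.")
    # A .docx-named container that nevertheless carries word/vbaProject.bin.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not real VBA
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    # A PDF skeleton declaring an embedded file: the wrapper pattern the paper attributes to Jaff.
    pdf = (b"%PDF-1.5\n1 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 2 0 R >> >> endobj\n"
           b"2 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n%%EOF\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="invoice.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

The point of opening the container rather than trusting the extension is that a macro project can sit inside a file named .docx, and a PDF can carry a full Office document as an embedded file; a filter that only blocks .docm or .exe sees neither. Findings from a script like this feed a quarantine decision or a sandbox detonation, not an automatic block on their own, since PDF forms and legitimate macro workbooks also trip some of these checks.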