1 - Sophos Ransomware Budapest Apr2016 - TMSI · ￮ Used by Locky, TorrentLocker , CTB-Locker • Exploit kits ￮ Black market tools used to easily create attacks that exploit known

1

JoannaWziątek-ŁadoszSalesEngineer,Sophos

Ransomware:isthereanywayyoucanprotectyourself?

2

Whatwe’regoingtocover

• Ransomwareorigins• Anatomyofaransomwareattack• Thelatestransomware – introducingLocky anditsfriends• Whytheseattacksaresosuccessful• Practicalstepstoprotectyourorganizationfromransomwarethreats• HowSophoscanhelp

3

HistoryofRansomware

• Thefirstknownransomwarewasfoundin1989

• AIDSTrojan/PCBorgmalware.

• Aninfectedcomputerwoulddisplayamessagetotheuserthatoneoftheirprogramshadexpiredandtheyneededtopay$189tohaveitrestored.

• Thecreatorwaseventuallycaughtandtheransomwaregenrewentundergroundforseveralyears,thoughitreappearedbrieflyin2005and2006.

4

5

6

7

8

Cryptolocker

• WiththeriseofCryptoLocker in2013,acriminalgangfirstdemonstratedtheabilitytoreliablycombineremoteencryptionwithremoteextortiononamassscale.

• CryptoLocker wastakendownbylawenforcementauthoritiesinMay2014,andforthenextseveralmonths,therewasasignificantreductionintheprevalenceofransomware.

• Itnotonlyshowedhowencryptingransomwarecouldbemadetowork:italsoshowedjusthowlucrativethismalwarebusinesscouldbe.

• AccordingtoUSDepartmentofJusticefilings,CryptoLocker earned$27,000,000foritsownersinjusttwomonths.

9

10

11

Growth

Howmanypercenthas ransomwareincreasedbetween2014and2015?

Answer:About170%Thereasonfortheriseissimple–ransomwareworks.

Datasofarshowsthatthisfigurefor2016willatleastdouble.

12

Facts about encyption• Cryptolockernormally uses AES256-bitencryption.But inlaterversionsthey havechanged this toAES128-bitencryption.

Filetypesthatusuallyareencrypted:

*.3fr,*.accdb,*.ai,*.arw,*.bay,*.cdr,*.cer,*.cr2,*.crt,*.crw,*.h,*.dbf,*.dcr,*.der,*.dng,*.doc,*.docm,*.docx,*.dwg,*.dxf,*.dxg,*.eps,*.erf,*.indd,*.jpe,*.jpg,*.kdc,*.mdb,*.mdf,*.mef,*.mrw,*.nef,*.nrw,*.odb,*.odm,*.odp,*.ods,*.odt,*.orf,*.p12,*.p7b,*.p7c,*.pdd,*.pef,*.pem,*.pfx,*.ppt,*.pptm,*.pptx,*.psd,*.pst,*.ptx,*.r3d,*.raf,*.raw,*.rtf,*.rw2,*.rwl,*.srf,*.srw,*.wb2,*.wpd,*.wps,*.xlk,*.xls,*.xlsb,*.xlsm,*.xlsx

13

2mainvectorsofattack

• SPAM (viasocialengineering)￮ Seeminglyplausiblesender￮ Hasattachmente.g.invoice,parceldeliverynote￮ Theattachmentcontainsanembeddedmacro￮ Whentheattachmentisopenedthemacrodownloads

andthenexecutestheransomwarepayload￮ UsedbyLocky,TorrentLocker,CTB-Locker

• Exploitkits￮ Blackmarkettoolsusedtoeasilycreateattacksthat

exploitknownorunknownvulnerabilities(zero-day)￮ ClientsidevulnerabilitiesusuallytargettheWebbrowser￮ UsedbyAngler,CryptoWall,TeslaCrypt,CrypVault,

ThreatFinder

1414

Anatomyofaransomwareattack

15

Anatomyofaransomwareattack

Andgone

Theransomwarewillthendeleteitselfleavingjusttheencryptedfilesandransomnotesbehind.

Ransomdemand

Amessage appearsontheuser’sdesktop,explaininghowaransom(oftenintheformofbitcoins)canbepaidwithinatimeframeofe.g.72hourstoenabledecryptionofthedatawiththeprivatekeythatonlytheattacker’ssystemhasaccessto.

Encryptionofassets

Certainfilesarethenencryptedonthelocalcomputerandonallaccessiblenetworkdriveswiththispublickey.AutomaticbackupsoftheWindowsOS(shadowcopies)areoftendeletedtopreventdatarecovery.

Contactwiththecommand&controlserveroftheattacker

TheransomwaresendsinformationabouttheinfectedcomputertotheC&Cserveranddownloadsanindividualpublickeyforthiscomputer.

Installationviaanexploitkitorspamwithaninfectedattachment

Onceinstalledtheransomwaremodifiestheregistrykeys

16

Ransomdemands

17

Payingransoms

• PaymentismadeinBitcoins• InstructionsareavailableviaTor• Theransomincreasesthelongeryoutaketopay

• Onpaymentoftheransom,thepublicencryptionkeyisprovidedsoyoucandecryptyourcomputerfiles

1818

Commonransomware:Locky andfriends

19

Locky:thenewkidontheblock

• Nicknameofanewstrainofransomware,so-calledbecauseitrenamesallyourimportantfilessothattheyhavetheextension .locky

• RansomsvaryfromBTC 0.5toBTC 1.00(1BTCisworthabout$400/£280).• Startedhittingtheheadlinesinearly2016• Wreakinghavocwithatleast400,000machinesaffectedworldwide

20

AcommonLocky attack

• Youreceiveanemailcontaininganattacheddocument.￮ Thedocumentlookslikegobbledegook.￮ Thedocumentadvisesyoutoenablemacros“ifthedataencodingisincorrect.”

￮ Thecriminalswantyoutoclickonthe'Options'buttonatthetopofthepage.

• OnceyouclickOptions,Lockywillstarttoexecuteonyourcomputer.

• Assoonasitisreadytoaskyoufortheransom,itchangesyourdesktopwallpaper.

• Theformatofthedemandvaries,buttheresultsarethesame.

21

CTB-Locker

• Peculiarity:Businessmodelbasedonaffiliations￮ Infectionsareconductedby'partners'whoreceiveinreturnaportionofthetakings￮ Enablesfasterspreadingofmaliciouscode￮ ApproachnotablyusedinthepastbyFake-AV

• Thecybercrooksoffer theoptionofamonthlypayment• HasalsobeenwidelydistributedbytheRigandNuclearexploitkits• AswithTorrentLocker, themajorityofinfectionshavestartedviaspamcampaigns

22

CTB-Lockervariantthatattackswebsites

• SamenameastheransomwarethatattacksWindowscomputers• WritteninPHP• FirstattackintheUKon12thFebruary2016• Alreadymanyhundredsofsiteshavebeenattacked• Attackswebsitesbyencryptingallfilesintheirrepositories• Apassword-protected‘shell’isinstalledonmostoftheaffectedsites,allowingattackerstoconnecttotheserver(s) viaabackdoor

23

Angler:anall-too-well-knownexploitkit

• Growninnotorietysincemid2014￮ Thepayloadisstoredinmemoryand

thediskfileisdeleted￮ Detectssecurityproductsandvirtual

machines￮ Abilitytospreadmanyinfections:

bankingTrojans,backdoor,rootkits,ransomware

• Easytouse￮ Doesn’trequireanyparticulartechnical

competence￮ AvailableforafewthousandUSDonthe

DarkWeb

24

Angler’sevolutionintothedominantexploitkit

Sep2014 Jan2015 May 2015

25

ChainofinfectionforAnglerexploitkits1. Thevictimaccesses acompromisedwebserver

throughavulnerablebrowser2. Thecompromisedwebserverredirectsthe

connectiontoanintermediaryserver3. Inturn,theintermediaryserverredirectsthe

connectiontotheattacker’sserverwhichhoststhedestinationpageoftheexploitkit

4. Thedestinationpagelooksforvulnerableplug-ins(Java,Flash,Silverlight)andtheirversionnumbers

5. Ifavulnerablebrowserorpluginisdetectedtheexploitkitreleases itspayloadandinfectsthesystem.

26

2727

Whytheseattacksaresosuccessful

28

Whyaretheseattackssosuccessful?Professionalattacktechnology• Highlyprofessionalapproache.g.usuallyprovidestheactualdecryptionkeyafterpaymentoftheransom

• Skillfulsocialengineering• Hidemaliciouscodeintechnologiesthatarepermittedinmanycompaniese.g.MicrosoftOfficemacros,JavaScript,VBScript,Flash…

29

Whyaretheseattackssosuccessful?Securityweaknessesintheaffectedcompanies• Inadequatebackupstrategy• Updatesandpatchesarenotimplementedswiftlyenough• Dangeroususer/rightspermissions– morethantheyneed• Lackofusersecuritytraining• Securitysystemsarenotimplementedorusedcorrectly• LackofITsecurityknowledge• Conflictingpriorities:securityvsproductivityconcerns

3030

Practicalstepstoprotectagainstransomware

31

Bestpractices– dothisNOW!

1. Backupregularlyandkeeparecentbackupcopyoff-site.2. Don’tenablemacrosindocumentattachmentsreceivedviaemail.3. Becautiousaboutunsolicitedattachments.4. Don’tgiveyourselfmoreloginpowerthanyouneed.5. ConsiderinstallingtheMicrosoftOfficeviewers.6. Patchearly,patchoften.7. Configureyoursecurityproductscorrectly.

32

Securitysolutionrequirements

Asaminimumyoushould:• Deployantivirusprotection• Blockspam• Useasandboxingsolution• Blockriskyfileextensions(javascript,vbscript,chmetc…)• Passwordprotectarchivefiles• UseURLfiltering(blockaccesstoC&Cservers)• UseHTTPSfiltering• UseHIPS(hostintrusionpreventionservice)• Activateyourclientfirewalls• Useawhitelistingsolution

33

Additionalsteps

• Employeeawareness&training￮ SophosITSecurityDosandDon’ts￮ SophosThreatsaurus

• Segmentthecompanynetwork￮ NACsolutionsensureonlyknowncomputerscanaccessthenetwork￮ Separatefunctionalareaswithinafirewalle.g.clientandservernetworks

• Encryptcompanydata￮ Itdoesn’tstoptheransomwarebutpreventsdamagecausedbysensitivedocumentsgettingintothewronghands

• Usesecurityanalysistools￮ Ifaninfectiondoesoccur,it’svitalthatthesourceisidentifiedandcontainedASAP.

3434

HowSophoscanhelp

35

Complete protection:EnduserandNetwork

SophosCentral

EnduserNetwork

Next-GenFirewall/UTM

WebSecurity

EmailSecurity

WirelessSecurity

SafeGuardEncryption

MobileControl

Next-GenEndpointProtection

ServerSecurity

SecuretheEndpoint(PC/Mac)

NextGenEndpoint securitytoprevent,detect,investigateand

remediate

SecuretheMobileDeviceSecuresmartphonesandtabletsjustlikeanyotherendpoint

SecuretheServersProtectionoptimizedforserverenvironment(physicalorvirtual):

fast,effective,controlled

ProtecttheDataSimple-to-useencryptionforahighlyeffectivelastlineofdefenseagainstdataloss

SecurethePerimeterUltimateenterprisefirewallperformance,security,and

control.

SecuretheWebAdvancedprotection,control,andinsightsthat’seffective,

affordable,andeasy.

SecuretheEmailEmailthreatsandphishingattacks

don’t standachance.

SecuretheWirelessSimple,secureWi-Fi

connection.

36

SecurityasaSystem

SynchronizedSecurityIntegrated,context-awaresecuritywhereEnduser andNetworktechnology sharemeaningful informationtodeliverbetterprotection

SecuritymustbecomprehensiveThecapabilities requiredtofully satisfy customerneed

SecuritycanbemadesimplePlatform,deployment,licensing, userexperience

SecurityismoreeffectiveasasystemNewpossibilities throughtechnologycooperation

NextGenEnduserSecurity

NextGenNetworkSecurity

SophosCloud

heartbeat

SOPHOSLABS

37

MaliciousTrafficDetection

SOPHOSSYSTEMPROTECTOR

ApplicationTracking

ThreatEngine

ApplicationControl

Emulator DeviceControl

WebProtection

IoCCollector

LiveProtection

SecurityHeartbeat

HIPS/RuntimeProtection

Reputation

MaliciousTraffic

Detection

Soph

osL

abs

URLdatabase

MalwareIdentities HIPSrulesGenotypesFilelook-up Reputation Apps SPAM

DataControl

PeripheralTypes

Anon.proxies

Patches/VulnerabilitiesWhitelist

Administratoralerted

Application interrupted

i Compromise

User|System|File

MTDrules

Malicious trafficdetected

MaliciousTraffic

Detection

38

SophosSandstorm

HowSophosSandstormworks

1. Ifthefilehasknownmalwareit’sblockedimmediately.Ifit’sotherwisesuspicious,andhasn’tbeenseenbefore,itwillbesenttothesandboxforfurtheranalysis.Whenwebbrowsing,usersseeapatiencemessagewhiletheywait.

2. Thefileisdetonatedinthesafeconfinesofthesandboxandmonitoredformaliciousbehaviour.Adecisiontoalloworblockthefilewillbesenttothesecuritysolutiononcetheanalysisiscomplete.

3. Adetailedreportisprovidedforeachfileanalyzed.

AdvancedThreatDefense MadeSimple

SecureWebGateway

SecureEmailGateway

UnifiedThreatManagement

Next-GenFirewall

3939

Questions?

40© Sophos Ltd. All rights reserved.