
Why are you still getting CryptoLocker?


CryptoLocker is a persistent, ubiquitous and ever advancing threat to your business’ Intellectual Property (IP) and customer data which requires professional skill and a high level of effort to prevent, detect and remediate.


Why are you still getting CryptoLocker?

  1. CryptoLocker: The persistent, ubiquitous threat
     Aaron Lancaster, CISSP
  2. FBI IC3
     Last June, the FBI’s Internet Crime Complaint Center (IC3) identified CryptoWall as the most current and significant ransomware threat targeting U.S. individuals and businesses.
     “CryptoWall and its variants have been used actively to target U.S. victims since April 2014. The financial impact to victims goes beyond the ransom fee itself, which is typically between $200 and $10,000.”
  3. What is CryptoLocker?
     • CryptoLocker is ransomware that encrypts your files and holds them for ransom
       – Released September 2013
       – Targets all versions of Windows, including Windows XP, Windows Vista, Windows 7 and Windows 8
       – Encrypts certain files using a mixture of encryption types
       – When finished encrypting your files, displays a “ransom note”
       – Demands payment of $500 (increased from the original $100) in order to decrypt the files
       – Provides a few days to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files
       – Must be paid using MoneyPak vouchers or Bitcoins (untraceable)
       – Once you send the payment and it is verified, the program will (maybe, theoretically) decrypt the files that it encrypted
  4. The Problem
     • Encrypts EVERYTHING
     • “This thing hit like pretty much all the file extensions that are usable, from Mp3s to [Microsoft] Word docs,” Kessel said. “About the only thing it didn’t touch were system files and .exe’s, encrypting most everything else with 2048-bit RSA keys that would take like a quadrillion years to decrypt. Once the infection happens, it can even [spread] from someone on a home PC [using a VPN] to access their work network, and for me that’s the most scary part.”
       – Johnny Kessel, Computer Repair Consultant, KitRx San Diego
  5. The Problem: By the Numbers
     • In 2014:
       – CryptoLocker was infecting over 50,000 computers per month (peak)
       – Infected over 336,000 computers in the U.S. alone
     • Google search results for CryptoLocker are well over 210k per month and rising quickly
       – Indicates the quantity of users affected
     • Malvertising (malicious ads containing CryptoLocker) up 325% in Aug 2015
     Source: emergence-of-new-tech/article/434796/
  6. Internet Pandemic
     • Research has shown approx. 1.3M malicious ads are being viewed every day
     • The probability of getting infected from a malvertisement is twice as high on a weekend
     • 97% of Fortune 500 websites are at a high risk of getting infected with malware due to external partners such as JavaScript widget providers, ad networks, and/or packaged software providers
     • Fortune 500 websites have such a high risk because 69% of them use external JavaScript to render portions of their sites and 64% of them are running outdated web applications
     • FBI issued a warning about increased activity in Jan. 2015
     Source:
  7. The Motivation
     • Money (Bitcoin, MoneyPak)
       – According to the 2015 McAfee Internet Threats Predictions:
         • A single instance of the CryptoLocker ransomware made over $250,000 in one month
         • CryptoWall resulted in a total of over $1,000,000 in paid-out ransoms
     • Information
     • It’s easy! (Lack of awareness and good practices)
  8. A Threat by Many Names (Variants/Clones)
     • CryptoLocker
       – v.1 ~5 Sept. 2013
       – v.2.0 – a copycat
       – v.3.0
     • CryptoLocker.F Family
       – CryptoWall (Sept. 2014) – via email
         • 2.0 & 3.0
         • CTB Locker
         • TeslaCrypt
         • Alpha Crypt
       – TorrentLocker (Sept. 2014)
       – CryptoDefense
         • Critroni
         • Reveton
         • Crowti (CryptoWall 3.0)
  9. Crowti (CryptoWall 3.0 – “CW3”)
     • This threat is also detected as (anti-virus product vendor):
       – Dropper/Win32.Necurs (AhnLab)
       – Trojan-Ransom.Win32.Cryptodef.iu (Kaspersky)
       – Trojan horse Inject2.AHNI (AVG)
       – TR/Crypt.Xpack.64673 (Avira)
       – Trojan.Encoder.514 (Dr.Web)
       – W32/Cryptodef.AHIO!tr (Fortinet)
       – PWSZbot-FBKQ!86B6EE398F44 (McAfee)
       – Troj/Agent-AHIO (Sophos)
       – TSPY_ZBOT.SMCC (Trend Micro)
       – Cryptowall (other)
       – Cryptodefense (other)
     • Encrypts files
     • Displays ransom or lock screen
     Source:
  10. CryptoWall version 3
     Source:
  11. CryptoWall version 4
     • Encrypts file names & types
     • HTML ransom note file name changed to “help_your_files.html”
     • General taunting and arrogance to frustrate the user
     Source: file-names/
  12. Trends
     • “Ransomware using Remote Desktop to spread itself”
     • New Android ransomware communicates over XMPP
     • TOR switchers
     • Sandbox aware
     • Browser variants
     • Mobile variants
  13. How can you get it?
     • Can be transmitted as a link/attachment in a phishing email
       – .zip, .exe, .scr (sometimes disguised as .pdf or .doc)
     • Other malware such as Trojan downloaders (onkods, upatre)
     • Slip-streamed torrent or download
     • Drive-by download (malvertising, other iFrame EK goodness)
       – Silverlight
       – Flash
       – Java
  14. Phishing Email
  15. Exploit Kits
     Source: Cyber Threat Alliance – CryptoWall
  16. Drive-by Downloads
  17. Happy Clicker Syndrome
  18. iFrame
     Source:
  19. Malvertising
     • Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload
     • Simply browsing to a website that has ads (and most sites, if not all, do) is enough to start the infection chain
     • The complex online advertising economy makes it easy for malicious actors to abuse the system and get away with it
     • Necessitates industry partners working closely together to detect suspicious patterns and react very quickly to halt rogue campaigns
     Source:
  20. File System Modifications
     • Saves itself with a random file name
     • Creates auto-start entries in the system configuration (which work even in Safe Mode)
     • Hijacks .EXE extensions to delete Shadow Volume Copies that could be used to restore files
     Source:
  21. How it Works – For The Techies
     • Downloads encryption key
     • Encrypts files
     • Demands ransom
  22. Pcap FTW!
     Source:
  23. Encryption keys
     • Command & Control (C2) server address established through a Domain Generation Algorithm (DGA)
     • Malware connects and downloads the public key to the Windows system configuration
     • Private key is saved on the C2 server
     Read more:
  24. What it Encrypts
     • CryptoLocker will then begin to scan all physical or mapped network drives on your computer for files with the following extensions:
       – .3dm .3ds .3fr .3g2 .3gp .3pr .7z .ab4 .accdb .accde .accdr .accdt .ach .acr .act .adb .agdl .ai .ait .al .apj .arw .asf .asm .asp .asx .avi .awg .back .backup .backupdb .bak .bank .bay .bdb .bgt .bik .bkp .blend .bpw .c .cdf .cdr .cdr3 .cdr4 .cdr5 .cdr6 .cdrw .cdx .ce2 .cer .cfp .cgm .cib .class .cls .cpi .cpp .cr2 .craw .crt .crw .cs .csh .csl .csv .dac .db .db_journal .db3 .dbf .dc2 .dcr .ddd .ddoc .ddrw .dds .der .des .design .dgc .djvu .dng .doc .docm .docx .dot .dotx .drf .drw .dtd .dwg .dxb .dxf .dxg .eml .eps .erbsql .erf .exf .fdb .ffd .fff .fh .fhd .fla .flac .fpx .fxg .gray .grey .gry .h .hbk .hpp .ibank .ibd .ibz .idx .iif .iiq .incpas .indd .java .jpe .jpeg .jpg .kc2 .kdbx .kdc .key .kpdx .lua .m .m4v .max .mdb .mdc .mdf .mef .mfw .mmw .moneywell .mos .mp3 .mp4 .mpg .mrw .myd .nd .ndd .nef .nk2 .nop .nrw .ns2 .ns3 .ns4 .nsd .nsf .nsg .nsh .nwb .nx2 .nxl .nyf .obj .ods .p7c .r3d .mov .flv .wav .dcs .cmt .ce1 .odb .odc .odf .odg .odm .odp .ads .odt .oil .orf .otg .oth .otp .ots .ott .p12 .p7b .pages .pas .pat .pcd .pct .pdb .pdd .pdf .pef .pem .pfx .php .pl .plus_muhd .plc .pot .potm .potx .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .prf .ps .psafe3 .psd .pspimage .ptx .py .qba .qbb .qbm .qbr .qbw .qbx .qby .raf .rar .rat .raw .rdb .rm .rtf .rw2 .rwl .rwz .s3db .sas7bdat .say .sd0 .sda .sdf .sldm .sldx .sql .sqlite .sqlite3 .sqlitedb .sr2 .srf .srt .srw .st4 .st5 .st6 .st7 .st8 .stc .std .sti .stw .stx .svg .swf .sxc .sxd .sxg .sxi .sxm .sxw .tex .tga .thm .tlg .txt .vob .wallet .wb2 .wmv .wpd .wps .x11 .x3f .xis .xla .xlam .xlk .xlm .xlr .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .ycbcra .yuv .zip
         (Source: Cyber Threat Alliance Cryptowall Report 2015)
       – When it finds files that match one of these types, it will encrypt the file using the public encryption key and add the full path to the file and the filename as a value under the Windows Registry key HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files
     • When it has finished encrypting your data files it will then show the CryptoLocker splash screen and demand a ransom of $500 (or more) in order to decrypt your files
     • Most recently targeting Intellectual Property (IP) such as AutoCAD drawing files (*.DWG, *.DXF)
     Source:
  25. Infection?
     • Detection
     • Prevention
     • Remediation
  26. Detection
     • For most, you’ll see “The Screen”
     • Security Information and Event Management (SIEM)
     • Local files (not accessible)
     • Server files (not accessible)
  27. Detection – SIEM
     • Security Onion
     • EmergingThreats alert for CryptoWall check-in
     Source:
  28. The Screen
     • When it has finished encrypting your data files, it displays this CryptoLocker screen in a web browser demanding money
     • $500 (this cost has gone up)
     • Timed: (up to) 96 hours
     • Private encryption key will be destroyed on the developer’s servers if not paid
     • If you don’t pay on time the price doubles
     Source:
  29. Detection – SIEM
     • Log management could be used to detect malicious activity such as a brute-force attack from an internally compromised host against internal servers; in this case: directory traversal, high write speeds, file renames, new executables
     • Log monitoring & correlation services could be used to detect the malware attempting to send specifically crafted packets
     • Log anomaly detection could be used to detect the malware attempting to contact a malicious remote host, i.e. “phone home”
  30. Detection – Local “Ransom Note” Files
     • Used to display the web-browser ransom note
     • Creates files (listed in reverse chronological order):
       HELP_DECRYPT.PNG
       HELP_DECRYPT.txt
       HELP_DECRYPT.html
       HELP_DECRYPT.url
       HOW_DECRYPT.HTML
       HOW_DECRYPT.TXT
       HOW_DECRYPT.URL
       DECRYPT_INSTRUCTION.HTML
       DECRYPT_INSTRUCTION.TXT
     • Renames encrypted target files “.locked”
     • Recommend a Windows File Screen audit rule to alert on these & shut down the system until the network is disconnected
     Source:
  31. Detection – MS Recommendations (File Servers)
     • Actively scan file shares using a PowerShell script on a scheduled task (CryptoWall active alerter/scanner) – file-ad91b701
       – Could also be applied to desktops
     • Implement Windows File Screening Management with an audit rule to alert/shut down the server on “ransom file” creation, limiting the scope of infection – us/library/cc732074.aspx
     • Variants have gone undetected on file servers for over 5 days, thereby infecting full backups as well
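Slides 29 to 31 describe what a SIEM or a scheduled share scan should look for: ransom-note files appearing, target files renamed to “.locked”, and new executables written under %AppData%. The following is an added example, not code from the deck or from Microsoft: a toy Python detector run over a constructed file-server audit trail; the event schema, host names, paths and the 20-renames-per-minute threshold are assumptions.

```python
"""Toy SIEM-style detector for the file-server behaviours the deck lists:
ransom-note creation, bursts of renames to ".locked", executables under %AppData%."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

RANSOM_NOTE_STEMS = {"HELP_DECRYPT", "HOW_DECRYPT", "DECRYPT_INSTRUCTION"}  # slide 30
RANSOM_NOTE_EXTS = {".png", ".txt", ".html", ".url"}
RENAME_BURST_THRESHOLD = 20            # assumed tuning value, not from the deck
RENAME_WINDOW = timedelta(minutes=1)

def is_ransom_note(path):
    stem, ext = ntpath.splitext(ntpath.basename(path))
    return stem.upper() in RANSOM_NOTE_STEMS and ext.lower() in RANSOM_NOTE_EXTS

def is_appdata_executable(path):
    p = path.lower()
    return "\\appdata\\" in p and p.endswith((".exe", ".scr"))

def detect(events):
    """events: dicts with ts, host, action ('create'|'rename'), path, new_path (renames)."""
    alerts, recent = [], defaultdict(list)   # recent: host -> times of .locked renames
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["action"] == "create" and is_ransom_note(ev["path"]):
            alerts.append((host, "ransom note created: " + ev["path"]))
        elif ev["action"] == "create" and is_appdata_executable(ev["path"]):
            alerts.append((host, "executable written under AppData: " + ev["path"]))
        elif ev["action"] == "rename" and ev["new_path"].lower().endswith(".locked"):
            # sliding one-minute window of .locked renames per host; alert once at threshold
            recent[host] = [t for t in recent[host] + [ev["ts"]] if ev["ts"] - t <= RENAME_WINDOW]
            if len(recent[host]) == RENAME_BURST_THRESHOLD:
                alerts.append((host, f"{RENAME_BURST_THRESHOLD} renames to .locked in one minute"))
    return alerts

def sample_events():
    """Constructed audit trail (not real logs): WS-42 is infected, WS-07 renames three files."""
    t0 = datetime(2015, 11, 3, 9, 0, 0)
    ev = [{"ts": t0, "host": "WS-42", "action": "create",
           "path": r"C:\Users\bob\AppData\Roaming\qwzxv.exe"}]
    for i in range(25):   # one .locked rename per second on the infected host
        ev.append({"ts": t0 + timedelta(seconds=i + 1), "host": "WS-42", "action": "rename",
                   "path": rf"\\FS01\projects\plan{i}.dwg", "new_path": rf"\\FS01\projects\plan{i}.dwg.locked"})
    ev.append({"ts": t0 + timedelta(seconds=30), "host": "WS-42", "action": "create",
               "path": r"\\FS01\projects\HELP_DECRYPT.html"})
    for i in range(3):    # below the burst threshold: must not alert
        ev.append({"ts": t0 + timedelta(minutes=i), "host": "WS-07", "action": "rename",
                   "path": rf"\\FS01\hr\doc{i}.xls", "new_path": rf"\\FS01\hr\doc{i}.xls.locked"})
    return ev
```

Calling `detect(sample_events())` yields three alerts, all for WS-42: the AppData executable, the rename burst at the 20th rename, and the ransom note.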
  32. Prevention: Old-School Security
     • Not running as local admin provides some protection for other users’ data
     • User Account Control (UAC) doesn’t apply to %appdata%
     • Antivirus is now using Domain Generation Algorithms to detect & block via the desktop firewall (e.g. Avast Free/Pro, MBAM Pro)
  33. Prevention – MS Recommendations
     Specifically:
     • Don’t pay the ransom
     • Perform regular off-line backups/restore points
     • Run A/V or antimalware software (FULL SCAN)
       – Windows Defender or Security Essentials
     • Disable real-time scanning and run daily side-by-side with your 3rd-party A/V (controversial)
       – MS Safety Scanner
     • Enable MS Active Protection Service (MAPS)
     • Prevent spam:
       – Exchange Online Protection
       – Office 365 Advanced Threat Protection
       – Don’t open suspicious emails, esp. from untrusted sources
       – MS SmartScreen filter
     Sources: 2015-crowti.aspx
     Security Practices:
     • Awareness training
     • Run up-to-date security software
     • Get the latest software updates
     • Understand how malware works
     • Turn on your firewall
     • Limit user privileges
  34. Prevention
     • DNS reputation web filtering (OpenDNS, etc.) or install web filtering software
     • Don’t give users admin access to their computers, or at least don’t log in to Windows as admin for day-to-day work
     • Keep software up to date
     • Install/enable a pop-up blocker
     • Install CryptoLocker Prevention Kit (GPOs for domain members)
       – Uses Software Restriction Policies to block executables in specified folders (%AppData%)
       – Alert on executable being blocked (Event ID 866)
     • Disable JAVA/Flash/Silverlight; install NoScript on the Firefox browser (versions of JAVA and Flash)
     • Install CryptoPrevent (workstations only)
     • Install BLADE (Block All Drive-by Download Exploits)
     Sources:
  35. Professional Remediation
     • Restore from incremental backup
     • Use utilities and regain access to your files:
       – RakhniDecryptor
       – XoristDecryptor
       – RectorDecryptor
     • Attempt to retrieve your keys from:
       – FireEye’s website
       – Kaspersky’s website
  36. Professional Remediation
     • REBUILD FROM GOLD IMAGE!!!
     • CryptoLocker comes with:
       – BlackShades RAT
       – Trojan downloaders
  37. Incident Response
     • Early reaction is essential
       1. Disconnecting from the network has been shown to halt the encryption process
       2. Better yet… HARD shutdown!
       3. Mount the HD externally
       4. Decrypt & salvage files
       5. Re-image and restore files
  38. Save It!
     • As a last-ditch effort, keep your encrypted files in off-line storage
     • Cryptomalware rings are taken down by LEO and keys are recovered/made available on an on-going basis
  39. Resources
     • IOCs
     • CoinVault and Bitcryptor keys & app:
     • CryptoWall Dashboard: dashboard.html
     • Scripts and files related to the CryptoWall v.3 threat:
     • CryptoLocker Scan Tool by Omnispear:
     • Using PowerShell to Combat CryptoLocker:
  40. Questions? Thanks for listening!
  41. East Tennessee Chapter of the Information Systems Security Association (ISSA)
     @ISSA_ETENN
     LinkedIn Group (Discussion, Events and more):
  42. Aaron Lancaster, CISSP
     @aarondlancaster @TekLinks
     Contact Info