Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017
Ransomware is a type of malicious software that blocks access to the victim's data,
or threatens to publish or delete it, until a ransom is paid. While some simple
ransomware merely locks the system in a way that a knowledgeable person can reverse,
more advanced malware uses a technique called cryptoviral extortion: it encrypts the
victim's files, making them inaccessible, and demands a ransom payment to decrypt them.
In a properly implemented cryptoviral extortion attack, recovering the files without
the decryption key is computationally infeasible, and hard-to-trace digital currencies
such as Ukash and Bitcoin are used for the ransoms, which makes tracing and prosecuting
the perpetrators difficult.
Ransomware attacks are typically carried out using a Trojan disguised as a legitimate
file that the user is tricked into downloading, or into opening when it arrives as an
email attachment. One high-profile exception, the WannaCry worm, travelled
automatically between computers without any user interaction.
Advanced ransomware can also include functionality such as data corruption,
exfiltration and disruption.
Top trending ransomware families
1. LOCKY
Researchers detected the first sample of Locky in February 2016. Shortly afterwards it
made a name for itself by infecting the computer systems of Hollywood Presbyterian
Medical Center in southern California. Officials chose to temporarily shut down the
hospital's IT systems while they worked to remove the ransomware, a decision that
caused several departments to close and patients to be diverted elsewhere. Without
working data backups, the executives at Hollywood Presbyterian ultimately decided to
pay the ransom of 40 Bitcoin (about 17,000 USD at the time).
In the months that followed, Locky went through at least seven iterations,
recognizable by the extension appended to encrypted files: .zepto, .odin, .shit,
.thor, .aesir, .zzzzz and .osiris. It also used unusual distribution channels such as
SVG images sent through Facebook Messenger and fake Flash Player update websites.
2. EREBUS
Erebus ransomware can be distributed through several tactics. The payload file that
launches the malicious script circulates in the wild, and past malvertising campaigns
spread it through the RIG Exploit Kit.
The payload file has been seen carrying the file description of an old, classic RPG
game, with a size under 1 MB.
Erebus may also be distributed through social media sites and file-sharing networks,
and freeware promoted on the Web as useful may hide the cryptovirus script. Do not
open files immediately after downloading them, especially when they arrive through
links or emails from dubious sources. Scan them first with a security tool, and check
each file's size and digital signature for anything suspicious.
3. WannaCry
WannaCry propagates using EternalBlue, an exploit of Windows' Server Message Block
(SMB) protocol. Much of the attention around the event came from the fact that the
U.S. National Security Agency (NSA) had already discovered the vulnerability but used
it to build an exploit for its own offensive work rather than reporting it to
Microsoft. Microsoft reportedly learned of the issue only after the exploit had been
stolen by The Shadow Brokers; it issued a "critical" security patch (MS17-010) on
14 March 2017 to remove the underlying vulnerability on supported versions of Windows,
a month before The Shadow Brokers published the exploit, but many organizations had
not yet applied it when WannaCry spread in May 2017.
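The practical lesson from WannaCry is to check two things on every Windows host: whether MS17-010 is installed and whether SMBv1 is still enabled at all. The PowerShell script below is an added example for this deck, not vendor tooling or code from the original slides. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or newer (where the SmbShare and DISM cmdlets exist); the two KB identifiers it lists are only illustrations and must be confirmed against the MS17-010 bulletin for the exact OS builds in use, since the update ships under a different KB per version.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original deck. Audits and removes the SMBv1 exposure
# that WannaCry's EternalBlue exploit relies on. Assumes Windows 8.1 / Server 2012 R2
# or newer (SmbShare and DISM cmdlets present) and an elevated session.

function Test-Ms17010Installed {
    param(
        # MS17-010 ships under a different KB per OS version. The two below are the
        # Windows 7 SP1 security-only update and the out-of-band update for unsupported
        # versions (XP/2003/Vista/2008); extend the list from the bulletin (assumption).
        [string[]] $KnownKbs = @('KB4012212', 'KB4012598')
    )
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = @($KnownKbs | Where-Object { $installed -contains $_ })
    # Caveat: on builds that take cumulative updates a later rollup supersedes these
    # KBs, so "no match" means "check the build number", not "vulnerable".
    [pscustomobject]@{ Matched = $matched; Found = ($matched.Count -gt 0) }
}

function Get-Smb1Status {
    $server  = Get-SmbServerConfiguration
    # The optional feature covers the SMB1 client driver as well as the server side.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        FeatureState      = if ($feature) { [string]$feature.State } else { 'NotPresent' }
    }
}

function Disable-Smb1 {
    # Server side: stops accepting SMB1 sessions immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the feature (client and server drivers); completes on the next reboot.
    # On Windows Server use: Uninstall-WindowsFeature -Name FS-SMB1
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-PublicSmbInbound {
    # Defence in depth: TCP 445 must never be reachable from a public/untrusted
    # network profile, whatever SMB dialect is negotiated.
    $name = 'Block inbound SMB on public networks'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

# Usage: audit first, then remediate.
$patch  = Test-Ms17010Installed
$status = Get-Smb1Status
"MS17-010 KB matched: $($patch.Matched -join ', ')"
"SMB1 server enabled: $($status.ServerSmb1Enabled); feature state: $($status.FeatureState)"
if ($status.ServerSmb1Enabled -or $status.FeatureState -eq 'Enabled') {
    Disable-Smb1
    Block-PublicSmbInbound
    'SMB1 disabled; reboot to finish removing the feature.'
}
```

Run the audit part across the estate before the remediation part: hosts that still need SMBv1 (legacy printers, old NAS appliances) will show up in the SMB1 access audit rather than breaking silently, and the firewall rule limits the blast radius even on hosts where the dialect cannot yet be removed.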
4. Zeus/Zbot
Zeus is a banking Trojan rather than ransomware in the strict sense. It was created
to steal private data from infected systems, such as system information, passwords,
banking credentials or other financial details, and it can be customized to gather
banking details in specific countries and by various methods. Using the stolen
information, cybercriminals log into banking accounts and make unauthorized money
transfers through a complex network of computers.
Zbot/Zeus is based on the client-server model and requires a Command and Control (C2)
server to send and receive information across the network. That single C2 server is
considered the weak point of the malware architecture and is the target of law
enforcement agencies when dealing with Zeus.
[Figure: types of Zeus family malware]
5. JavaScript Malware / Adware
Malicious JavaScript reaches the user in several ways:
- cyber criminals inject malicious JavaScript code into a website they have
compromised;
- attackers compromise the online ads/banners displayed on a website so that they
carry malicious JavaScript (malvertising);
- online criminals inject malicious JavaScript code into the website's database, so
it is served with every page;
- attackers make the page load malicious content or software from a remote server
under their control.
Consequently, malicious JavaScript files are downloaded onto your PC when you
unknowingly browse an infected website.
This is called a drive-by attack and it generally includes 9 stages:
1. You, as a user, unwittingly browse the compromised website.
2. The malicious JavaScript files are downloaded onto your system.
3. They are executed by your browser, triggering the infection chain.
4. The malicious JavaScript silently redirects your Internet traffic to an exploit
server.
5. The exploit kit hosted on that server probes your system for vulnerable software
(browser, plugins, document readers).
6. Once the exploit kit finds a vulnerability, it uses it to gain code execution on
your PC.
7. This lets the exploit kit execute code and download additional files from the
Internet, with the privileges of the user running the browser (or higher if a
privilege-escalation exploit is chained).
8. In the next step, malware is downloaded onto the PC and executed.
9. The malware performs its damaging functions on the PC. It can also collect
information from the infected system and send it to servers controlled by the
cyber criminals.
6. Microsoft Tech Scam Malware
Technical support scams are built on the deception that your computer is
somehow broken, and you need to contact technical support to fix it. You may
then be asked to pay for support. In some cases, the tech support agent may ask
you to install other software or malware disguised as support tools on your
computer, bringing in more threats that can cause even more damage.
You may come across these threats while browsing dubious websites, most
notably those that host illegal copies of media and software, crack applications,
or malware. Links or ads on these sites may lead you to tech support scam
websites, which display pages that are designed to look like error messages and
serve pop-up messages indicating fictitious errors. Some tech support scam
threats take the form of executable programs like other malware.
7. Other (Microsoft detection names)
Ransom:Win32/Cerber
Ransom:Win32/Spora
Ransom:Win32/HydraCrypt
Ransom:Win32/Critroni
Ransom:Win32/Teerac
Ransom:Win32/Troldesh
Ransomware Mitigation Recommendations
Ransomware infections may not be entirely preventable, given the effectiveness of
well-crafted phishing emails and of drive-by downloads from otherwise legitimate
sites, so the most effective strategy to mitigate their impact is a comprehensive
data backup protocol. To increase the likelihood of preventing infections in the
first place, organizations must conduct regular training and awareness exercises
with all employees to ensure a common understanding of safe-browsing techniques and
of how to identify and avoid phishing attempts.
The following is a list of ransomware mitigation recommendations:
Data Protection:
- Schedule backups of data often and ensure they are kept offline in a
separate and secure location. Consider maintaining multiple backups in
different locations for redundancy. Test your backups regularly.
- If an online backup and recovery service is used, contact the service
immediately after a ransomware infection is suspected to prevent the
malware from overwriting previous file versions with the newly encrypted
versions.
System Management
- Ensure anti-virus software is up-to-date with the latest definitions and
schedule scans as often as permitted.
- Enable automated patching for operating systems, software, plugins, and web
browsers.
- Follow the Principle of Least Privilege for all user accounts; enable User
Account Control (UAC) to prevent unauthorized changes.
- Turn off unused wireless connections.
- Disable macros in Microsoft Office. Enterprise administrators managing
Microsoft Office 2016 should use Group Policy to block macros for end users
(including macros in files that came from the Internet); Microsoft publishes
detailed instructions for this.
- Use ad-blocking extensions in browsers to prevent "drive-by" infections from
ads containing malicious code.
- Prevent ransomware from using vssadmin.exe to delete Volume Shadow Copies. The
commonly cited trick is to rename the tool; note that this can break legitimate
backup software and may be undone by Windows updates, so prefer restricting it
with application whitelisting and alerting on any "vssadmin delete shadows"
execution.
- Disable Windows Script Host. Disable Windows PowerShell where it is genuinely
unused; where it is needed, constrain it as described below.
- Disable Remote Desktop Protocol (RDP) on systems and servers if it is not
needed in your environment.
- Use web and email protection to block access to malicious websites and to
scan all emails, attachments, and downloads, and configure email servers
to proactively block emails containing suspicious attachments such as
.exe, .vbs, and .scr.
- Configure systems through the Group Policy Editor to prevent executables
(.exe, including double-extension names such as .pdf.exe and files extracted
from .zip or .rar archives) from running in %appdata%, %localappdata%, %temp%,
and the Recycle Bin. CryptoPrevent is a free tool that can help automate this
process and prevent ransomware from executing.
- Implement a behavior blocker to prevent ransomware from executing or
making any unauthorized changes to systems or files.
- Consider utilizing a free or commercially available anti-ransomware tool by
any of the leading computer security software vendors.
- To counteract ransomware variants that modify the Master Boot Record
(MBR) and encrypt the Master File Table (MFT), Cisco Talos has released a
Windows disk filter driver called MBRFilter, available on GitHub.
- Set the PowerShell execution policy through the administrative templates
(Group Policy) rather than per-user settings, which users can change.
- Allow the execution only of signed PowerShell scripts. Treat the execution
policy as a guardrail against accidental execution, not a security boundary:
an attacker can bypass it, so pair it with application whitelisting.
- Do not allow unknown .exe files to be saved in the %TEMP% folder.
- Do not allow unknown .exe files to execute.
- Apply Windows application-whitelisting restrictions such as AppLocker.
- For Mac OS X users, consider installing the free tool RansomWhere? from
Objective-See; information and the download are on the Objective-See website.
- Use NoScript (Firefox) or ScriptSafe (Chrome) while browsing.
- Keep antivirus / endpoint protection updated.
- Consider advanced malware detection using machine learning, e.g. Cylance.
- Harden systems according to the CIS Benchmarks and NIST guidelines.
- Submit malware samples and IOCs to your CERT.
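Most of the Windows items in the list above are registry-backed policies plus one AppLocker rule set, so they can be applied and verified as a single script. The script below is an added example for this deck, not Microsoft's or any vendor's tooling. It assumes an elevated session on a stand-alone test machine (in a domain, push the same values through Group Policy), Office 2016/2019/365 (policy key version "16.0"), and a Windows edition that supports AppLocker; the file names and the "alice"-style sample path it tests are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original deck. Applies the Windows items from the
# System Management list as local policy on a stand-alone test machine; in a domain
# push the same values through Group Policy. Assumes Office 2016/2019/365 (policy
# key version "16.0") and an AppLocker-capable Windows edition.

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Office macros: VBAWarnings 4 = disable all macros without notification; the
#    second value blocks macros in files carrying the Mark-of-the-Web (downloads,
#    e-mail attachments). These are per-user policies, hence HKCU.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-PolicyValue $key 'VBAWarnings' 4
    Set-PolicyValue $key 'blockcontentexecutionfrominternet' 1
}

# 2. PowerShell: only signed scripts run, and script blocks are logged (event 4104
#    in Microsoft-Windows-PowerShell/Operational) for the SOC. Execution policy is a
#    guardrail against accidental execution, not a security boundary
#    (powershell -ExecutionPolicy Bypass defeats it); AppLocker below is the control.
$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Set-PolicyValue $ps 'EnableScripts' 1
Set-PolicyValue $ps 'ExecutionPolicy' 'AllSigned' 'String'
Set-PolicyValue "$ps\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 3. UAC on; administrators are prompted for consent on the secure desktop.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-PolicyValue $uac 'EnableLUA' 1
Set-PolicyValue $uac 'ConsentPromptBehaviorAdmin' 2
Set-PolicyValue $uac 'PromptOnSecureDesktop' 1

# 4. Windows Script Host off: .vbs/.js/.wsf droppers from e-mail no longer run.
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled' 0

# 5. RDP off where unused, at the service and at the firewall.
Set-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections' 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# 6. AppLocker: deny Exe launches from every user's AppData tree, which contains
#    %APPDATA%, %LOCALAPPDATA% and %TEMP%. The allow rules mirror the AppLocker
#    defaults; without them an enforced Exe collection blocks everything.
#    A deny rule always wins over an allow rule.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny executables under user AppData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:ProgramData 'ransomware-applocker.xml'   # placeholder name
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
sc.exe config AppIDSvc start= auto | Out-Null   # AppLocker enforces nothing unless this service runs
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# Verify before trusting: a double-extension dropper in the user's Temp folder must
# be denied while a system binary is still allowed. Expect Denied, then Allowed.
$dummy = Join-Path $env:TEMP 'invoice.pdf.exe'
Set-Content -Path $dummy -Value 'MZ'   # placeholder file, not a real executable
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'S-1-1-0' -Path $dummy, "$env:windir\System32\notepad.exe"
```

Roll the AppLocker collection out in audit mode first (EnforcementMode="AuditOnly") and review the AppLocker event log for legitimate software that installs into AppData (several chat and update clients do); add publisher-based allow rules for those rather than weakening the path deny.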
Network Management
- Keep firewall turned on and properly configured.
- Close and monitor unused ports.
- Block known malicious Tor exit-node IP addresses. Public lists of active Tor
nodes are refreshed roughly every 30 minutes, so automate the feed rather than
importing it once.
- Deploy lateral-movement detection software.
- Monitor malicious traffic in real time using behavioral analytics.
- Apply a defense-in-depth approach.
- Segregate the network into zones.
- During an industry-wide malware outbreak, go into lockdown mode at the entry
points: restrict end-user access to social media and other non-essential sites
and enforce web filtering with a Web Security Appliance or OpenDNS.
- Restrict outbound traffic between the different zones.
Mobile Device Management
- For Apple iOS users: ensure your data is backed up on iCloud and
enable two-factor authentication, only download media and apps from
the official iTunes and App Stores, and avoid “jailbreaking” the
device.
- For Android users: disable the “unknown sources” option in the Android
security settings menu, only install apps from the official Google Play store,
and avoid "rooting" the device.
Post-Infection Remediation
- Alert the appropriate information security contact within your
organization if unusual activity is seen on networks, computers, or
mobile devices.
- Disconnect from networks immediately if an infection is suspected and
do not reconnect until the computer or device has been thoroughly
scanned and cleaned.
- Depending on the variant, a free decryption tool may be available. To
determine which variant infected your system, please see the
Appendix of this product or use the ID Ransomware website.
- If an infection occurs, after removing the malware and cleaning the
machine, make sure to change all system, network, and online account
passwords.
- Contingency planning, establishing a SOC, and third-party red teaming
exercises including APT simulation attacks.
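"Unusual activity" in the first item above has a very concrete form for ransomware: before encrypting, most families run commands that destroy recovery options (shadow-copy deletion with vssadmin or wmic, bcdedit disabling Windows recovery, wbadmin deleting the backup catalog). Catching those commands gives the SOC a few minutes in which isolation still saves data. The PowerShell below is an added example for this deck, not part of the original slides; it assumes process-creation auditing (event 4688) with command-line logging enabled, that the CommandLine field sits at the documented property index 8 of that event, and the sample events it runs on are constructed, not real logs.

```powershell
# Added example, not from the original deck: flag the recovery-tampering commands
# ransomware runs before encrypting, from Windows process-creation events.
# Assumes Security event 4688 with "Include command line in process creation
# events" enabled; without it the CommandLine field is empty.

# Case-insensitive regexes (-match is case-insensitive) over the full command line.
$script:Precursors = @(
    @{ Name = 'ShadowCopyDeletion'; Pattern = 'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy.*\.Delete\(' }
    @{ Name = 'ShadowStorageShrink'; Pattern = 'vssadmin(\.exe)?\s+resize\s+shadowstorage.*/maxsize=' }
    @{ Name = 'RecoveryDisabled'; Pattern = 'bcdedit(\.exe)?\s+/set\s+\{(default|current)\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)' }
    @{ Name = 'BackupCatalogDeleted'; Pattern = 'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)' }
)

function Test-RansomwarePrecursor {
    # Returns the indicator name for the first matching pattern, or $null.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine)
    foreach ($p in $script:Precursors) {
        if ($CommandLine -match $p.Pattern) { return $p.Name }
    }
    return $null
}

function Get-ProcessCreationEvents {
    # Pulls recent 4688 events into the same shape as the constructed samples below.
    param([int]$MinutesBack = 60)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddMinutes(-$MinutesBack) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumed 4688 field order: [1] SubjectUserName, [5] NewProcessName, [8] CommandLine
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = [string]$_.Properties[1].Value
            Process     = [string]$_.Properties[5].Value
            CommandLine = [string]$_.Properties[8].Value
        }
    }
}

function Find-RansomwarePrecursors {
    param([object[]]$Events)
    foreach ($e in $Events) {
        $hit = Test-RansomwarePrecursor -CommandLine $e.CommandLine
        if ($hit) { $e | Add-Member -NotePropertyName Indicator -NotePropertyValue $hit -PassThru }
    }
}

# Constructed sample events (not real logs) that exercise the detection offline.
$sample = @(
    [pscustomobject]@{ Time = Get-Date; User = 'alice'; Process = 'C:\Windows\System32\vssadmin.exe'; CommandLine = 'vssadmin.exe Delete Shadows /All /Quiet' }
    [pscustomobject]@{ Time = Get-Date; User = 'alice'; Process = 'C:\Windows\System32\cmd.exe';      CommandLine = 'cmd.exe /c bcdedit /set {default} recoveryenabled No & wbadmin delete catalog -quiet' }
    [pscustomobject]@{ Time = Get-Date; User = 'bob';   Process = 'C:\Windows\System32\notepad.exe';  CommandLine = 'notepad.exe C:\Users\bob\notes.txt' }
)
# Expected: the first two rows flagged (ShadowCopyDeletion, RecoveryDisabled), notepad not.
Find-RansomwarePrecursors -Events $sample | Format-Table Time, User, Indicator, CommandLine -AutoSize

# Against the live log, pipe the result into your alerting channel instead of the console:
# Find-RansomwarePrecursors -Events (Get-ProcessCreationEvents -MinutesBack 60)
```

The same patterns translate directly into a SIEM rule or a Sysmon event 1 filter; what matters is that the alert fires on the command line, not on the process name alone, because ransomware frequently launches these tools through cmd.exe or PowerShell. Legitimate backup agents do call vssadmin, so scope the rule to exclude their service accounts after a short baseline period rather than lowering its severity.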
Avinash Sinha: Experienced Security Researcher with a demonstrated history of
working in the information technology and services industry. Skilled in Penetration
Testing, Vulnerability Assessments, Project Management, Health Care, IoT,
Payment Card Industry Data Security Standard (PCI DSS), Linux, HIPAA, FDA,
Information Security, and Integration. Strong emphasis on Enterprise Security and
information technology, with a Corporate PGDBA focused on International Business
from Symbiosis.
Source: Microsoft, TrendMicro, NJSecurity & NIST.