Listen back to our webinar on how to detect ransomware on your network https://s3.amazonaws.com/nf-streaming/webinars/Ransomware-Webinar.mp4

1. www.netfort.com
Ransomware History & Monitoring Tips
Darragh Delaney

2. www.netfort.comSlide 2
• The first wave of modern ransomware started in 2005 with
Trojan.Gpcoder.
• Ransomware is designed for direct revenue generation. The four most
prevalent direct revenue-generating risks include misleading apps,
fake antivirus scams, locker ransomware, and crypto ransomware.
• The top six countries impacted by all types of ransomware in 2015 are
the United States, Japan, United Kingdom, Italy, Germany, and Russia.
• The average ransom amount is US$300. Vouchers or bitcoins are the
most popular payment methods.
• Between 2013 and 2014, there was a 250 percent increase in new
crypto ransomware families on the threat landscape.
• Cybercriminals behind ransomware are constantly innovating.
A Brief History

3. www.netfort.comSlide 3
• Most common ransomware variants
• Cryptolocker
• Torrentlocker
• Cryptowall (and all its variants)
• Teslacrypt
• Locky
• There are even javascript-based ransomware payloads, as well
as variants intended to target Linux and OSX users
Ransomware Variants

4. www.netfort.comSlide 4
• Anyone can use the Ransomware and the admins/creators take
a cut of the profits from pay-outs.
• Based on a figure from Forbes, it is believed that Locky manages
to compromise 90,000 victims per day.
Locky – A new affiliate system

5. www.netfort.comSlide 5
Chain of events
Angler
Exploit Kit
Exploit
delivery
network
Compromised
websites
Advertising
Ransomware
Downloaded
Dialback to
Ransomware servers
http://www.malware-traffic-analysis.net/2016/01/17/index.html

6. www.netfort.comSlide 6
• SamSam.exe (also know as MSIL/Samas.A and RDN/Ransom) is
becoming a significant problem.
• Rather than targeting individual users, SamSam attackers target
enterprise networks: they encrypt all the data they can access
for a larger lump-sum payout.
Enterprise attacks

7. www.netfort.comSlide 7
Sample Phishing Email
The infected Microsoft Office file – typically either a Word (.doc) or Excel (.xls) document –
triggers a “macro”, a small embedded program, when opened. That macro downloads the
main Ransomware payload, which installs and runs on the users computer.

8. www.netfort.comSlide 8
• Watch out for known file extensions
• Watch out for an increase in file renames
• Create a sacrificial network share
• Update your IDS systems with exploit kit
detection rules
• Use client based anti-ransomware agents
Detecting the presence of Ransomware

9. www.netfort.comSlide 9
Monitoring Network File Shares
http://www.networkworld.com/article/3073792/security/there-s-finally-reason-to-hope-in-the-war-against-ransomware.html

10. www.netfort.comSlide 10
Ransomware file extensions
.enc|.R5A|.R4A|.encrypt|.locky|.clf|.lock|.cerber|.crypt|.txt|.coverton|.enigm
a|.czvxce|.{CRYPTENDBLACKDC}|.scl|.crinf|.crjoker|.encrypted|.code|.Cryp
toTorLocker2015!|.crypt|.ctbl|.html|.locked|.ha3|.enigma|.html|.cry|.crime|.bt
c|.kkk|.fun|.gws|.keybtc@inbox_com|.kimcilware.LeChiffre|.crime|.oor|.magic
|.fucked|.KEYZ|.KEYH0LES|.crypted|.LOL!|.OMG!|.EXE|.porno|.RDM|.RRK
|.RADAMANT|.kraken|.darkness|.nochance|.oshit|.oplata@qq_com|.relock@
qq_com|.crypto|.helpdecrypt@ukr|.net|.pizda@qq_com|.dyatel@qq_com_ryp|
.nalog@qq_com|.chifrator@qq_com|.gruzin@qq_com|.troyancoder@qq_com|.
encrypted|.cry|.AES256|.enc|.hb15|.vscrypt|.infected|.bloc|.korrektor|.remin
d|.rokku|.encryptedAES|.encryptedRSA|.encedRSA|.justbtcwillhelpyou|.btcbtc
btc|.btc-help-you| .only-we_can-
help_you|.sanction|.sport|.surprise|.vvv|.ecc|.exx|.ezz|.abc|.aaa|.zzz|.xyz|.
biz|.micro|.xxx|.ttt|.mp3|.Encrypted|.better_call_saul|.xtbl|.enc|.vault|.xort|.t
run|.CrySiS|.EnCiPhErEd|.73i87A|.p5tkjw|.PoAr2w|.xrtn|.vault|.PORNO
https://docs.google.com/spreadsheets/u/1/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml

11. www.netfort.comSlide 11
Lab creating custom report
Create a custom report to focus on Ransomware file extensions

12. www.netfort.comSlide 12
• File renames are not a common action
when it comes to activity on network
file shares
• If you see a sudden increase in
renames, check for Ransomware
activity
Watch out for an increase in file renames

13. www.netfort.comSlide 13
Lab creating a custom trend
Create a custom trend to focus on file renames and setup an alert if more than 4
per second are detected

14. www.netfort.comSlide 14
• Ransomware-Locky removes the volume shadow copies from the compromised system,
thereby preventing the user from restoring the encrypted files.
• Filecoder.Jigsaw is really aggressive and deletes some of the encrypted files every hour.
Newer variants of Jigsaw are branded CryptoHitman and displays a series of
pornographic images on the victim’s computer.
• Latest variant of the TeslaCrypt ransomware no longer uses an extension for encrypted
files, making it more difficult for victims to identify the threat. However, a master
decryption key for TeslaCrypt was released in May 2016 that unlocks files encrypted by
the malware.
• Master boot record killers like Petya have the ability to install a second file-encrypting
program. However, if you can extract some data from the disk you may be able to get
your data back without paying the ransom.
• The authors of the CryptMix Ransomware are offering to donate ransom fees to a
children’s charity but this is believed to be another scam to dupe victims into paying the
ransom.
• Tech support scammers have begun using Ransomware tools to increase their chances of
extracting money from victims. New variants warn the user that they cannot access their
computer due to an expired license key.
Ransomware attacks on the rise

15. www.netfort.comSlide 15
• Expect to see an increase in Ransomware variants which
target websites instead of file stores. Linux.Encoder.1 is an
example of this threat. When a website is attacked the
Ransomware will hold the site’s files, pages and images for
ransom.
• Ransomware is also a growing problem for users of mobile
devices. Lock-screen types and file-encrypting variants: lock
screen Ransomware will stop you from accessing anything on
your mobile device and file encrypting variants will encrypt
data stored on the device. You can decrease you chances of
an attack, by avoiding unofficial app stores and by keeping
your mobile device and apps updated.
Future trends?

16. www.netfort.comSlide 16

17. www.netfort.comSlide 17
Download LANGuardian Trial

18. www.netfort.com