mrg effitas efficacy assessment of ransomware protection ... · backup protection and restore...
Post on 06-Oct-2020
13 Views
Preview:
TRANSCRIPT
MRGEffitasefficacyassessmentofransomwareprotectionbyBackupAssist
1
2 TableofContents1 Introduction ................................................................................................................................................................................ 3
1.1 Executive Summary ......................................................................................................................................................... 3
1.2 Final results ....................................................................................................................................................................... 4
2 Test Details ................................................................................................................................................................................. 4
2.1 Test application and version .......................................................................................................................................... 4
2.2 Test conditions ................................................................................................................................................................. 4
2.3 Test specification ............................................................................................................................................................. 4
2.4 Test environment ............................................................................................................................................................ 5
2.5 Test scenarios ................................................................................................................................................................... 5
3 Detailed results .......................................................................................................................................................................... 5
3.1 Local and network backup protection against ransomware .................................................................................. 5
3.2 Infection detection. .......................................................................................................................................................... 6
3.3 Restore functionality from local, system and network backup ............................................................................. 7
4 Overview of BackupAssist ....................................................................................................................................................... 8
4.1 Overall usage of the program ....................................................................................................................................... 8
4.2 Screenshots about how to configure BackupAssist protection against ransomware. ..................................... 9
5 Conclusion ................................................................................................................................................................................. 11
6 Appendix A - Ransomware families used ........................................................................................................................... 12
6.1 CryptoMix ....................................................................................................................................................................... 12
6.2 Osiris-Locky 2017 .......................................................................................................................................................... 13
6.3 XYZWare (MafiaWare) ............................................................................................................................................... 13
6.4 CryptoLocker ................................................................................................................................................................. 14
6.5 CryptoShield 2.0 ............................................................................................................................................................ 15
6.6 Spora ................................................................................................................................................................................. 16
6.7 Cerber .............................................................................................................................................................................. 17
6.8 Globe3 .............................................................................................................................................................................. 17
6.9 Havoc MK II .................................................................................................................................................................... 18
6.10 Dharma ............................................................................................................................................................................. 18
6.11 Sage 2.0 ............................................................................................................................................................................ 19
6.12 Petya GoldenEye ............................................................................................................................................................ 19
6.13 NotPetya .......................................................................................................................................................................... 20
6.14 AlphaCrypt ...................................................................................................................................................................... 22
6.15 TeslaCrypt ....................................................................................................................................................................... 23
6.16 CTB Locker ..................................................................................................................................................................... 24
6.17 MRG Effitas ransomware simulators ......................................................................................................................... 24
7 Appendix B - Methodology used in the assessment ........................................................................................................ 25
1 IntroductionThepurposeof this independentreport is todocumentourreviewofBackupAssistCryptoSafeGuard’sbackupprotectionandrestoreabilityagainstvariousransomwaresamples.
Endpoint backup has gone beyond a simple backup/restore process to a broader end-user dataprotection solution reducing and precluding various risks such as ransomware infection (the mostimminent threat to an average user) against the possibility of even the smallest impact on one’sproductivityandconvenience.
1.1 ExecutiveSummaryThisprivateefficacyassessmentreportisdesignedtoserveasareflectionofprotectionagainstdifferentransomwarefamiliesandpersonaldatarestoration.
Beingtheworld’slargestsupplierofearly-lifemaliciousbinariesandmaliciousURLs,andfromourownexperience in simulator development, we know that all endpoints can be infected, regardless of thesecurity solution deployed. In this test we focused on discovering the capabilities of the productprotection against both “In TheWild” ransomware and ransomware simulators. We also tested therestorebackupfunctionality(bothfilerestoreandfullsystemrestore).
Whenconductingthistest,wetriedtosimulateanaverageuser’sbehavior.Weareawarethata“RealWorld”testcannotbeconductedbyateamofprofessionalsinsidealaboratory,becauseweunderstandhow certain types of ransomware attack and know how such attacks can be prevented. SimulatingnormalusemeansthatwepaidspecialattentiontoallalertsgivenbyBackupAssistCryptoSafeGuard.ItisveryimportanttonotethatthebestchoicefortypicaluseistoleavetheCryptoSafeGuardsettingsindefault,andwedecidedtochoosetherecommendedsuggestions.
AsendpointsgetcompromisedbyRansomwareonanever-greaterscale,theabilitytoprotectbackupsfrombeingencryptedentirelyandtheprospectof restoringPCanduser filesafter infectionwerethemostimportanttestingmetricinthisefficacyassessment.
1.2 FinalresultsBackupAssist’sCryptoSafeGuardDetectorandShieldhada100%successrateagainsteveryransomwarestrainwetesteditagainst,includinghighlydestructivestrainsofLocky,CryptoLocker,andTeslaCrypt.Ineverycase,CryptoSafeGuardsuccessfully identifiedtheransomwareinfectionandensurednobackupswereoverwrittenwithencryptedfiles.
*“SMBbackup”columnshowstestresultsforbackupslocatedonNetworkshares
2 TestDetails
2.1 TestapplicationandversionBackupAssist10.1.0(t14)
2.2 TestconditionsBackupAssistwasinterestedtoachieveanindependentreviewoftheefficacyoftheirCryptoSafeGuardapplicationandhaveprovidedthelicenseandinstallerfortheproducttobetested.
2.3 TestspecificationDiscoverthecapabilitiesofBackupAssistwithCryptoSafeGuardenabled,against“InTheWild”Executionransomware, and test the restore and recovery functionality in order to rate theeffectivenessof theapplication’sbackupfunctionalitywhenprotectedbyCryptoSafeGuardShield.
BothbackupstoNetworksharesandLocalbackupsmustnot fall toransomwareencryptionandmustremain unencrypted. CryptoSafeGuard must identify a ransomware infection on the next backupexecution,andstopanyfurtherbackupsfromrunningtopreservetheexistingbackups’integrity.
Test restore functionality from Local or Network (SMB) backups, or after anMBR infection recoveryfromaSystemBackup(MBRrestore).
2.4 TestenvironmentUpontestingweagreedtochooseWindows7x64basedonfactthatthisversionisthemostcommonlyusedenvironment:
• OS: Windows7x64• CPU: IntelCorei52540M• Memory: 8GBDDR3• SSD: SATA3OCZAgility
EventhoughBackupAssistispredominantlyaWindowsServerbackupsolution,Windows7x64waschosenasthetestingenvironment.ThisisbecauseeventhoughmodernOperatingSystemscanbeequallytargetedandcorruptedbyransomware,Windows7hasthelargestnumberofknownexploits.ByusingthemostvulnerableWindowsOperatingSystemavailable,thismeantBackupAssist'sCryptoSafeGuardwassubjectedtothemostrobustandcomprehensivestresstestspossible.Duetoitsdesign,CryptoSafeGuardwillofferequalprotectionregardlessoftheWindowsOperatingSystem.
2.5 TestscenariosTo represent a detailed, relevant assessment about the product, we focused our attention on thefollowing runtime ransomware attack scenarios. The analyzed scenarios represent typical user cases,whereCryptoSafeGuardShieldneedstoprotectthebackups incaseofaransomwareinfectionandtodeterminewhetherthelocaland/ornetworkbackupsareprotectedforasuccessfulrestore.
1. Localandnetworkbackupprotectionagainstransomwareattack.Thistestisthefocusofourreport.Therearedifferentcasesofwhatcanhappenwhenaransomwareattacksacomputer.
i. ThebestcasescenarioisiftheCryptoSafeGuardShieldsolutionstopstheattackagainstthebackupanditdetectstheRansomwareinfectionandstopsanyfurtherbackupshappening.
2. Systembackupprotectionagainstransomwareattack.TherearesomeRansomware(Petya,Notpetya),thatinstallarootkitandattacktheMFT.IncaseofsuchanattackthelocalbackupwillnotbeaccessibleandSystemrestoreisneeded.
i. ThebestcasescenarioisthattheransomwareonlyattacktheSystemdriveMFTsothebackupsonotherdrivesremainintactandMBRcanberestoredbyBackupAssist..
3 Detailedresults
3.1 LocalandnetworkbackupprotectionagainstransomwareInthefirstscenario,wetriedtoemulateasituationinwhichtheuser’scomputerhasbecomeinfectedwithvarioustypesofransomwarefamilies,andwecollecteddatawhetherornotthebackupsolutiongivesprotectionineachcase.Thefollowingtableshowswhichbackupsolutionwasunaffectedbywhichransomwarefamily.
*“SMBbackup”columnshowstestresultsforbackupslocatedonNetworkshares
The reason why some backup files were not attacked/encrypted is that the ransomware was nottargetingthebackupfiletypes(markedasN/A).IncaseofPetyaandNotPetya,theLocalbackupcouldnotbereachedduetotheransomwaretype,buttheSystemBackupwasprotectedandrestorable.
Thenumberonebestpractice toprotectagainst ransomware is tohavebackups. Inmostcasesusersforget that ransomware can encrypt thebackup files if these files arenot offline, read-only or in thecloud, but as the above table shows, BackupAssist’s CryptoSafeGuard solution gives 100% backupprotectionagainstthetestedransomwarefamilies.
3.2 Infectiondetection.In this scenario, we tested the CryptoSafeGuard functionality that is designed to detect a possibleransomware infection, maintain the backup’s integrity and inform the user about the infection. Thefollowingtableshowswhichransomwarefamiliesweredetected:
PetyaandNot-PetyatargettheMFTandlockthemachine,thereforenoinfectiondetectioncanhappen.
3.3 Restorefunctionalityfromlocal,systemandnetworkbackupInthiscasewetestedtherestorefromLocalbackup,fullsystembackupandnetwork(SMB)backup
*“SMBbackup”columnshowstestresultsforbackupslocatedonNetworkshares
BackupAssistrestorewassuccessfulfromallavailablebackups.PetyaandNotPetyalockthemachine,thereforethelocalandnetworkbackup/restorefunctionisnotavailable.
4 OverviewofBackupAssist
4.1 OverallusageoftheprogramWorkingwiththeBackupAssistapplicationwasalwaysintuitive.Themenuitemsarewell-placedandtherecommendationsintheapplicationalwaysguidetheusertosetupthebestprotectionfortheirbackups.TheUIiswellthoughtout,andhasclearinstructions.
4.2 ScreenshotsabouthowtoconfigureBackupAssistprotectionagainstransomware.To set up maximum protection, which is highly recommended, CryptoSafeGuard activation isessential:
OncetheCSGisactivated,wecansetupthebackups.MRGEffitas’recommendationistosetupbothaSystem and a File Protection. NB Cloud Backup (not used) has a built in “air gap” that is effectiveprotectionforbackupsagainstallknownransomwarevariants:
SettingtheBackupuseridentityisakeyelementforthebackupstobeprotectedagainstaransomwareinfection,asadedicatedbackupaccountisaprerequisiteforgoodbackupsecuritypractices:
5 ConclusionMRGEffitasfoundBackupAssist’sCryptoSafeGuardsolutiontobeawell-designedandwellthought-outsolution against ransomware infection.Not only did it provide complete protection for user’s backupfiles against all ransomware infections in this assessment, but it also provided a System RecoverysolutionagainstMBR/MFTransomwareslikeNotPetyaandPetyaGoldenEye.
6 AppendixA-RansomwarefamiliesusedThefollowingparagraphcontainsbasicdescriptionabouttheransomwarefamiliesusedinthetest.
6.1 CryptoMix
CryptoMixRansomwareismadesimilarlytoCryptoWall3.0,CryptoWall4.0andCryptXXX.Justlikemanyother encrypting trojans, it uses AES + RSA-2048 ciphers to encrypt predetermined files but adds“.rdmk”extension.Victimshavetoemailthecybercriminalsonthegivenemailaddressandwaitaround12hoursforaresponsewhichisencryptedandpasswordprotected.Theransomfeeisusuallyaround5Bitcoins. CryptoMix claims that the collected profit is used for charity as the developers are callingthemselvestheCharityTeam,whoalsooffera"Freetechsupport"forthosewhodecidetopayup.
6.2 Osiris-Locky2017
Locky ransomware is one of the most dangerous ransomware families based on the number ofinfections.Onceitisinstalledonthevictim'scomputeritwillperformascanandencryptuserfilesusingitsRSA-2048&AES-128encryptionalgorithm.Itconvertsthefilenamestoauniquecharacterletterandnumbercombinationandappends“.locky”or“.osiris”extensions,anddeletesShadowVolumecopiesofencrypted filesaswellasSystemRestorepoints.Afterencryption,amessage (displayedontheuser'sdesktop)instructsthemtodownloadtheTorbrowserandvisitaspecificwebsiteforfurtherinformationwhereLockydemandsapaymentbetween0.5and1Bitcoin.
6.3 XYZWare(MafiaWare)XYZWare is based on the almost ready solution MafiaWare Ransomware. While the originalRansomWare is developed in Python environment, XYZWare is developed in Visual Studio 2012. TheRansomware uses RSA-2048 and AES-128 to encrypt data and add a “.XYZWare” extension. It has aweakness because it starts the infection from the folder where it executed, and if it comes to afile/folderthatiseitherNTFSprotectedorcannotbeaccessedforanyotherreason(Backupfolderwithwriteprotection),theransomwarecrasheswitha.NETframeworkerror.
6.4 CryptoLocker
Cryptolockerwasfirstseenback inSeptember2013andsincethenmanyversionshavebeencreated.It infects the computer like normal malware, placing its files in Windows directories, and creatingregistryentriesthatallowittorestartwhenyoureboot. Itthenalsotriestocontact itscommandandcontrol(C&C)server.ThemalwareusesarandomdomainnamegenerationalgorithmtotryandfindacurrentC&Cserver,suchasjkamevbxhupg.co.ukoruvpevldfpfhoipn.info.
Once Cryptolocker contacts its C&C, it generates a public/private cryptographic key for your specificcomputer,usingverystrongRSA-2048-bitencryption.Italsoaddsthe“.cryptolocker”or“.crypt0l0cker”(depending on the ransomware variation) extension. The private key is only stored on the attacker’sC&Cservers,butthepublickeyissavedinaregistryentryonyourcomputer.
6.5 CryptoShield2.0
Thebulkof this ransomware family'sactivityoccurred in the firsthalfofFebruary2017. It focusesonEnglish-speaking users, which of course does not prevent it spreading around the world. ThisransomwareencryptsuserdatawithAES-256,andthenrequiresaredemptiontoreturnthefiles.Itaddsan extra extension pattern to the encrypted files, such as: [RES_SUP@INDIA.COM] .ID[2D64A0776C78A9C3]..CRYPTOSHIELD.Thepriceitdemandsvaries,andcommunicationisviaemail.
6.6 Spora
ThisMultilanguage ransomware was first seen at the beginning of January 2017 using AES + RSA toencrypt user data and modify the folder structure. Unlike many modern ransomware, Spora worksofflineanddoesnotgenerateanynetworktraffic.Itdoesnotgenerateextrafileextensions.
6.7 Cerber
Cerberransomware,muchlikemanyotherencryption-typemalware,isknowntoencryptfileswithAES-256 encryption on the infected computer. It creates random filenames and appends the extension“.CERBER”or“.B126”andholdsthosefilesforasubstantialransomfee.Asitencryptsthevictim'sfiles,itcreatesTXT,HTML,andVBSfilesnamed'DECRYPTMYFILES'withinstructionsonhowtopay.Ithasanaudiblevoice saying, "Attention!Attention!Attention!Yourdocuments,photos,databases, andotherfileshavebeenencrypted!"Thevictimhastopaythe1-1.25BitcoinransomviaaTORbrowserwithinoneweekortheamountisdoubled.
6.8 Globe3
ThemaintargetsoftheGlobeRansomwarearesmallbusinessesbutitcausesdamagetoanycomputeritinfects.ThiscryptoTrojanencryptsuserdatausingAES-256+RSAandaddsa“.wuciwug”extensiontothefiles.ThemaindifferencefromtheprevioustwoversionsoftheGlobe3isonthelevelofencryptionoperations.ThefirstversionoftheGlobeusedtheBlowfishalgorithmtoencryptfiles,Globe2usedRC4and RC4 + XOR. After encrypting a victim's files, theGlobe3 shows a “How to restore your files.hta”ransomnotewhichadvisestheuseraboutthe0.7Bitcoinransomfeeandcontainsinstructionsonhowtopaytorecovertheencryptedfiles.
6.9 HavocMKII
TheHavocMK II Ransomware’s bright violet ransomnote first appeared in public in January 2017. ItusesRSA256encryptionand“.havokcrypt”extensionstolockthevictim'sfiles,targetingawidevarietyof files that can include video and audio files, text files, databases, images, and numerous othercommonly-used file types. However, Havoc Ransomwarewill only target specific folders andwill notencryptfilesthatarelargerthanacertainlimit,tomakesurethattheattackisasfastaspossible.Theuserhas2daystopaya0.15Bitcoinransomfeetorestorethedataortherestorekeyisdeleted.
6.10 Dharma
Dharma isavariantofCrysis - ahigh-risk ransomware-typemalware.Following successful infiltration,Dharma encrypts stored files using AES. In addition, this file-encoder usually appends the“.[webmafia@asia.com]. wallet” “.[webmafia@asia.com]. dharma" or “.[webmafia@asia.com].zzzzz”extensionandencryptsthefilenametoo.Iftheransomwareisnoteradicatedfromthesystem,itloadsitself with every reboot and will result in new encrypted files. The decryption cost varies for eachindividual.DharmaisusuallydroppedafteranRDPbrute-forceattackissuccessful.
6.11 Sage2.0
SageRansomwarebelongs to theTeslaCrypt family. This crypto ransomwareencryptsuserdatausingAES-256 and RSA-1024 ciphers and adds the “.sage” file extension to them. After encrypting, Sagedelivers its ransomnote as a text file on the victim'sDesktop and opens anHTML file in the defaultbrowser.Itwillalsochangethevictim'sDesktopimageintoitsransomnote.IttheninstructsthevictimtouseaTor-sitetopaythe2Bitcoinransom–whichisdoubledafter7days–andgetinstructionsonhowtorestorefiles.
6.12 PetyaGoldenEye
TheGoldenEyeRansomwareisanimprovedversionofthePetyaRansomware,whichsurfacedinMarch2016.GoldenEye followed its predecessoropenly inDecember2016. It encrypts local drivesusing anAES-256 cipher and adds a random 8-character extension to the file names However, it avoidsdirectories that contain system data (Windows, Program Data, Program Files, Program Files (x86),Volume Information). IfGoldenEyemanages toelevate its systemprivileges, it installsa rootkitwhichlockstheaccesstothecomputerentirelybyencryptingthedrive'sMFTdisguisingitsprogressasafakecheck disk scan. Then the custom boot screen is loaded on the screen. The ransom fee to undo theencryptionisabout1.4Bitcoins.
6.13 NotPetya
NotPetya is a modified version of the Petya Ransomware, which uses the AES-128 cipher. The keydifferenceisthatitcanspreadtroughthelocalsubnetbyusingamodifiedversionoftheNSA'sstolenandleakedEternalBlueSMBexploit,previouslyusedbyWannaCryto infectothersystemsby injectingmaliciouscodeintootherprocesses.ItalsousescredentialreusetechniquetospreadtoothersystemswhicharepatchedagainstEternalBlue.
Italso installsa rootkitwhich locks theaccess to thecomputerentirelybyencryptingthedrive'sMFTduringreboot,disguisingitsprogressasafakecheckdiskscan.
6.14 AlphaCrypt
AlphaCryptwasreleasedattheendofApril2015.After infection,AlphaCryptwillscanyourcomputerfordata filesandencrypt themusingAES-2048encryptionandadda“.ezz”extensionso theycannolongerbeopened.Oncetheinfectionhasencryptedthedatafilesonallyourcomputerdrivelettersitwill display an application that contains instructions on how to get your files back. Ransomware alsocreate a text file ransom note on theWindows desktop and in each folder in which a file has beenencrypted.
These instructions include a link to a Decryption Service site, which will inform you of the currentransomamount, thenumberof files encrypted, and instructionsonhow tomake yourpayment. Theransomcoststartsataround$500USDandispayableviabitcoins.Thebitcoinaddressthatyousubmitpaymenttoisdifferentforeveryvictim.
6.15 TeslaCrypt
TeslaCryptwasfirstreleased2monthsearlierthanAlphaCryptaroundtheendofFebruary2015.Itusesan RSA-4096 encryption to infect the personal file types like: compressed, audio, video, picturedocument.WhentheinfectionhasfinisheditwillalsodeletealltheShadowVolumeCopiesthatareontheaffectedcomputer.Itdoesthissothattheusercannotusetheshadowvolumecopiestorestoretheencryptedfiles.
6.16 CTBLocker
The name of the ransomware, CTB, comes from its main advantages: Curve-Tor-Bitcoin.Oncethemachineiscompromiseditwill installCTBLockeronthesystemwhichencryptsthepersonalfilesandaddsextensionslike“.zrvswok”,alsoencryptingsystemdatawith“EllipticCurveEncryption”.Awarningispresentedonthescreenwithinstructionsonhowtopayforthedecryptionkeyinbitcoin.
6.17 MRGEffitasransomwaresimulatorsSimulator1MRG Effitas developed a sample ransomware simulator in Python, and compiled it to an EXE file viaPy2EXE.Duetothesensitivenatureofransomware,wewillnotreleasethecodetothepublic.Asit isonly a sample to test generic protection, it uses a fixed key, AES encryption, has no C&C at all butencryptsthefollowingfiletypesrecursivelyinaspecifieddirectory:.pdf,.jpg,.docx,.txt,.xlsx,.png.Firstit creates the encrypted copy of the original file, then overwrites the original file with zeroes, anddeletesit.Simulator2Thissimulator isan in-memoryMeterpreterextension.TheDLL is loadedfromtheserverandinjectedintothehostprocesswithouttouchingthedisk.Firstitscansforthefileswhichwillbeprocessed,anditencrypts the files with AES-256 one by one. The original files are overwritten by zeroes before it isdeleted.
7 AppendixB-Methodologyusedintheassessment
1. InstallWindows764bitoperatingsystemonahardenedvirtualboxmachineandapplyallOSupdates.
2. InstalledtheBackupAssistbuild10.1.0t14.3. Createandexecutea“FileJobtolocal”tobackupthepersonaldocuments/files.
TheLocalbackupisplacedunder:“C:\!Backups\FileJob\”folder4. Create and execute a “File Job to network” to back up the personal documents/files to a
windowsNTFSnetworkshare.TheNetworkbackupismountedto“Z:\”letter
5. Createandexecutea “System Job” tobackup theentire systemdrive (necessary fordisasterrecovery).
TheSystembackupplacedonaseparatedisk,mountedto:“D:\”6. Createaseparate“DetectorJob”tobackupthesamefilesasinthe“FileJob”,buttoadifferent
locationforlateranalysis.DetectorBackupjobwaspointingto:“C:\!Backups\DetectorJob\”folder
7. Applytheinfection.8. Monitorattackactivitytoobtaindefinitiveresultsofwhetherthelocalbackupsand/ornetwork
backupareattacked.9. TestCryptoSafeGuard’s “Shield” functionalityby checking that the ransomwareunsuccessfully
attackedthebackups.10. Test CryptoSafeGuard’s “Detector” functionality by running the “Detector Job”. Thedetection
scanrunsasaprerequisiteofthebackupjob.
top related