ransomware history and monitoring tips
TRANSCRIPT
www.netfort.com
Ransomware History & Monitoring Tips
Darragh Delaney
Slide 2: A Brief History
• The first wave of modern ransomware started in 2005 with Trojan.Gpcoder.
• Ransomware is designed for direct revenue generation. The four most prevalent direct revenue-generating risks include misleading apps, fake antivirus scams, locker ransomware, and crypto ransomware.
• The top six countries impacted by all types of ransomware in 2015 are the United States, Japan, United Kingdom, Italy, Germany, and Russia.
• The average ransom amount is US$300. Vouchers or bitcoins are the most popular payment methods.
• Between 2013 and 2014, there was a 250 percent increase in new crypto ransomware families on the threat landscape.
• Cybercriminals behind ransomware are constantly innovating.
Slide 3: Ransomware Variants
• Most common ransomware variants:
  • Cryptolocker
  • Torrentlocker
  • Cryptowall (and all its variants)
  • Teslacrypt
  • Locky
• There are even JavaScript-based ransomware payloads, as well as variants intended to target Linux and OS X users.
Slide 4: Locky – A new affiliate system
• Anyone can use the Ransomware and the admins/creators take a cut of the profits from pay-outs.
• Based on a figure from Forbes, it is believed that Locky manages to compromise 90,000 victims per day.
Slide 5: Chain of events
Diagram: compromised websites and advertising -> exploit delivery network -> Angler Exploit Kit -> Ransomware downloaded -> dial-back to Ransomware servers.
Source: http://www.malware-traffic-analysis.net/2016/01/17/index.html
Slide 6: Enterprise attacks
• SamSam.exe (also known as MSIL/Samas.A and RDN/Ransom) is becoming a significant problem.
• Rather than targeting individual users, SamSam attackers target enterprise networks: they encrypt all the data they can access for a larger lump-sum payout.
Slide 7: Sample Phishing Email
The infected Microsoft Office file – typically either a Word (.doc) or Excel (.xls) document – triggers a “macro”, a small embedded program, when opened. That macro downloads the main Ransomware payload, which installs and runs on the user's computer.
Slide 8: Detecting the presence of Ransomware
• Watch out for known file extensions
• Watch out for an increase in file renames
• Create a sacrificial network share
• Update your IDS systems with exploit kit detection rules
• Use client based anti-ransomware agents
Slide 9: Monitoring Network File Shares
http://www.networkworld.com/article/3073792/security/there-s-finally-reason-to-hope-in-the-war-against-ransomware.html
Slide 10: Ransomware file extensions
Regular expression of known ransomware file extensions (one alternative per extension):
\.enc|\.R5A|\.R4A|\.encrypt|\.locky|\.clf|\.lock|\.cerber|\.crypt|\.txt|\.coverton|\.enigma|\.czvxce|\.\{CRYPTENDBLACKDC\}|\.scl|\.crinf|\.crjoker|\.encrypted|\.code|\.CryptoTorLocker2015!|\.ctbl|\.html|\.locked|\.ha3|\.cry|\.crime|\.btc|\.kkk|\.fun|\.gws|\.keybtc@inbox_com|\.kimcilware|\.LeChiffre|\.oor|\.magic|\.fucked|\.KEYZ|\.KEYH0LES|\.crypted|\.LOL!|\.OMG!|\.EXE|\.porno|\.RDM|\.RRK|\.RADAMANT|\.kraken|\.darkness|\.nochance|\.oshit|\.oplata@qq_com|\.relock@qq_com|\.crypto|\.helpdecrypt@ukr\.net|\.pizda@qq_com|\.dyatel@qq_com_ryp|\.nalog@qq_com|\.chifrator@qq_com|\.gruzin@qq_com|\.troyancoder@qq_com|\.AES256|\.hb15|\.vscrypt|\.infected|\.bloc|\.korrektor|\.remind|\.rokku|\.encryptedAES|\.encryptedRSA|\.encedRSA|\.justbtcwillhelpyou|\.btcbtcbtc|\.btc-help-you|\.only-we_can-help_you|\.sanction|\.sport|\.surprise|\.vvv|\.ecc|\.exx|\.ezz|\.abc|\.aaa|\.zzz|\.xyz|\.biz|\.micro|\.xxx|\.ttt|\.mp3|\.Encrypted|\.better_call_saul|\.xtbl|\.vault|\.xort|\.trun|\.CrySiS|\.EnCiPhErEd|\.73i87A|\.p5tkjw|\.PoAr2w|\.xrtn|\.PORNO
The pattern is unanchored, so entries such as \.txt, \.html, \.EXE and \.mp3 also match ordinary files; expect false positives from those unless you anchor the pattern at the end of the filename or drop them from the report.
Source: https://docs.google.com/spreadsheets/u/1/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml
Slide 11: Lab (creating a custom report)
Create a custom report to focus on Ransomware file extensions
Slide 12: Watch out for an increase in file renames
• File renames are not a common action when it comes to activity on network file shares
• If you see a sudden increase in renames, check for Ransomware activity
Slide 13: Lab (creating a custom trend)
Create a custom trend to focus on file renames and set up an alert if more than 4 per second are detected
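As an added illustration of the two checks on Slides 10 to 13 (example code, not NetFort's or LANGuardian's own), a small Python script applies a subset of the extension regex to file-share activity records and raises the "more than 4 renames per second" alert per client. The record format, client addresses, paths and event timestamps are constructed for the example.

```python
import re
from collections import Counter

# Subset of the extension list on the slides, as one alternation anchored at
# the end of the path.  The original list's .txt, .html and .EXE entries are
# left out here because they match ordinary files.
RANSOM_EXT_RE = re.compile(
    r"\.(?:locky|cerber|encrypted|crypt|ctbl|vault|xtbl|micro|vvv|ecc|exx|ezz"
    r"|abc|aaa|zzz|xyz|ttt|enc|crinf|crjoker|CrySiS|EnCiPhErEd|R5A|R4A)$",
    re.IGNORECASE,
)

# Constructed sample of file-share activity records: (unix second, client IP,
# action, UNC path).  Client 10.1.1.7 renames five files to .locky inside one
# second and drops a ransom note; client 10.1.1.9 performs one normal rename.
SAMPLE_EVENTS = [
    (1000, "10.1.1.7", "read",   r"\\fs01\finance\q1.xlsx"),
    (1001, "10.1.1.7", "rename", r"\\fs01\finance\q1.xlsx.locky"),
    (1001, "10.1.1.7", "rename", r"\\fs01\finance\q2.xlsx.locky"),
    (1001, "10.1.1.7", "rename", r"\\fs01\finance\budget.docx.locky"),
    (1001, "10.1.1.7", "rename", r"\\fs01\finance\plan.pptx.locky"),
    (1001, "10.1.1.7", "rename", r"\\fs01\finance\notes.txt.locky"),
    (1002, "10.1.1.7", "write",  r"\\fs01\finance\_HELP_instructions.txt"),
    (1003, "10.1.1.9", "rename", r"\\fs01\hr\draft-v2.docx"),
]


def flag_extensions(events, pattern=RANSOM_EXT_RE):
    """Report (client, path) for every write or rename whose target name
    ends in a known ransomware extension (the Slide 10/11 report)."""
    return [(client, path) for _, client, action, path in events
            if action in ("rename", "write") and pattern.search(path)]


def rename_alerts(events, threshold=4):
    """Report (client, second, count) wherever one client's renames in a
    single second exceed the threshold (the Slide 13 trend alert)."""
    per_second = Counter((client, ts) for ts, client, action, _ in events
                         if action == "rename")
    return sorted((client, ts, n) for (client, ts), n in per_second.items()
                  if n > threshold)


if __name__ == "__main__":
    for client, path in flag_extensions(SAMPLE_EVENTS):
        print(f"extension hit: client={client} path={path}")
    for client, second, count in rename_alerts(SAMPLE_EVENTS):
        print(f"rename burst:  client={client} second={second} renames={count}")
```

The ransom-note write in the sample is deliberately not flagged by the extension check, which is why the rename-rate trend is the more robust of the two signals.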
Slide 14: Ransomware attacks on the rise
• Ransomware-Locky removes the volume shadow copies from the compromised system, thereby preventing the user from restoring the encrypted files.
• Filecoder.Jigsaw is really aggressive and deletes some of the encrypted files every hour. Newer variants of Jigsaw are branded CryptoHitman and display a series of pornographic images on the victim’s computer.
• The latest variant of the TeslaCrypt ransomware no longer uses an extension for encrypted files, making it more difficult for victims to identify the threat. However, a master decryption key for TeslaCrypt was released in May 2016 that unlocks files encrypted by the malware.
• Master boot record killers like Petya have the ability to install a second file-encrypting program. However, if you can extract some data from the disk you may be able to get your data back without paying the ransom.
• The authors of the CryptMix Ransomware are offering to donate ransom fees to a children’s charity, but this is believed to be another scam to dupe victims into paying the ransom.
• Tech support scammers have begun using Ransomware tools to increase their chances of extracting money from victims. New variants warn the user that they cannot access their computer due to an expired license key.
Slide 15: Future trends?
• Expect to see an increase in Ransomware variants which target websites instead of file stores. Linux.Encoder.1 is an example of this threat. When a website is attacked the Ransomware will hold the site’s files, pages and images for ransom.
• Ransomware is also a growing problem for users of mobile devices. There are lock-screen types and file-encrypting variants: lock-screen Ransomware will stop you from accessing anything on your mobile device, and file-encrypting variants will encrypt data stored on the device. You can decrease your chances of an attack by avoiding unofficial app stores and by keeping your mobile device and apps updated.
Slide 17: Download LANGuardian Trial