Ransomware History & Monitoring Tips

Darragh Delaney, www.netfort.com

Posted 24-Jan-2017 by netfort (18 slides). Transcript of the slide deck follows.

Slide 2: A Brief History

• The first wave of modern ransomware started in 2005 with Trojan.Gpcoder.
• Ransomware is designed for direct revenue generation. The four most prevalent direct revenue-generating risks include misleading apps, fake antivirus scams, locker ransomware, and crypto ransomware.
• The top six countries impacted by all types of ransomware in 2015 are the United States, Japan, United Kingdom, Italy, Germany, and Russia.
• The average ransom amount is US$300. Vouchers or bitcoins are the most popular payment methods.
• Between 2013 and 2014, there was a 250 percent increase in new crypto ransomware families on the threat landscape.
• Cybercriminals behind ransomware are constantly innovating.

Slide 3: Ransomware Variants

• Most common ransomware variants:
  • Cryptolocker
  • Torrentlocker
  • Cryptowall (and all its variants)
  • Teslacrypt
  • Locky
• There are even JavaScript-based ransomware payloads, as well as variants intended to target Linux and OS X users

Slide 4: Locky – A new affiliate system

• Anyone can use the Ransomware and the admins/creators take a cut of the profits from pay-outs.
• Based on a figure from Forbes, it is believed that Locky manages to compromise 90,000 victims per day.

Slide 5: Chain of events (diagram)

Compromised websites / Advertising -> Exploit delivery network -> Angler Exploit Kit -> Ransomware downloaded -> Dialback to Ransomware servers

Source: http://www.malware-traffic-analysis.net/2016/01/17/index.html

Slide 6: Enterprise attacks

• SamSam.exe (also known as MSIL/Samas.A and RDN/Ransom) is becoming a significant problem.
• Rather than targeting individual users, SamSam attackers target enterprise networks: they encrypt all the data they can access for a larger lump-sum payout.

Slide 7: Sample Phishing Email

The infected Microsoft Office file – typically either a Word (.doc) or Excel (.xls) document – triggers a “macro”, a small embedded program, when opened. That macro downloads the main Ransomware payload, which installs and runs on the user's computer.

Slide 8: Detecting the presence of Ransomware

• Watch out for known file extensions
• Watch out for an increase in file renames
• Create a sacrificial network share
• Update your IDS systems with exploit kit detection rules
• Use client-based anti-ransomware agents
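The "sacrificial network share" tip works because nothing legitimate should ever touch the files placed there, so any change to them is a high-confidence signal. The following is an added example (not NetFort or LANGuardian code) of the check a monitor would run against such a share: it seeds a directory with decoy files, records a baseline of their hashes, and reports anything missing, modified or unexpected. The share path, file names and the simulated impact in `demo()` are all constructed for this example.

```python
"""Sacrificial-share (canary file) monitor: an added example, not NetFort code.

Seeds a directory with decoy files, records a baseline, and reports any
deviation (a file renamed away, overwritten in place, or a new file such as
a ransom note appearing). All names and paths here are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Decoy files. Names are chosen to sort early so malware walking a share in
# alphabetical order hits them first (an assumption made for this example).
CANARY_FILES = {
    "!!_accounts_2016.xlsx": b"constructed canary content A",
    "!!_board_minutes.docx": b"constructed canary content B",
    "!!_passwords.txt": b"constructed canary content C",
}


def seed_share(share: Path) -> dict:
    """Write the decoy files into the share and return a baseline of
    {file name: sha256 hex digest}."""
    share.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name, content in CANARY_FILES.items():
        (share / name).write_bytes(content)
        baseline[name] = hashlib.sha256(content).hexdigest()
    return baseline


def check_share(share: Path, baseline: dict) -> list:
    """Compare the share with the baseline. Returns a sorted list of
    (name, reason) tuples; an empty list means the canaries are untouched."""
    findings = []
    present = {p.name for p in share.iterdir() if p.is_file()}
    for name, digest in baseline.items():
        if name not in present:
            findings.append((name, "missing"))      # deleted or renamed away
            continue
        if hashlib.sha256((share / name).read_bytes()).hexdigest() != digest:
            findings.append((name, "modified"))     # contents overwritten
    for name in present - set(baseline):
        findings.append((name, "unexpected"))       # e.g. ransom note or .locky copy
    return sorted(findings)


def demo() -> list:
    """Seed a temporary share, simulate one canary being renamed with a known
    ransomware extension and another overwritten in place, and return the
    findings the monitor would report."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "sacrificial_share"
        baseline = seed_share(share)
        assert check_share(share, baseline) == []   # clean baseline
        # Simulated impact (constructed): rename + overwrite.
        os.rename(share / "!!_accounts_2016.xlsx",
                  share / "!!_accounts_2016.xlsx.locky")
        (share / "!!_passwords.txt").write_bytes(b"\x00\x01 ciphertext stand-in")
        return check_share(share, baseline)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"ALERT canary {reason}: {name}")
```

In production the baseline would be stored away from the share and `check_share` run on a short timer or from a file-activity trigger; a renamed canary shows up twice, once as "missing" and once as "unexpected" under its new name, which is itself a useful hint about the extension the malware appends.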

Slide 9: Monitoring Network File Shares

http://www.networkworld.com/article/3073792/security/there-s-finally-reason-to-hope-in-the-war-against-ransomware.html

Slide 10: Ransomware file extensions

Extension pattern (regular-expression alternation, as used for a report filter):

\.enc|\.R5A|\.R4A|\.encrypt|\.locky|\.clf|\.lock|\.cerber|\.crypt|\.txt|\.coverton|\.enigma|\.czvxce|\.\{CRYPTENDBLACKDC\}|\.scl|\.crinf|\.crjoker|\.encrypted|\.code|\.CryptoTorLocker2015!|\.crypt|\.ctbl|\.html|\.locked|\.ha3|\.enigma|\.html|\.cry|\.crime|\.btc|\.kkk|\.fun|\.gws|\.keybtc@inbox_com|\.kimcilware|\.LeChiffre|\.crime|\.oor|\.magic|\.fucked|\.KEYZ|\.KEYH0LES|\.crypted|\.LOL!|\.OMG!|\.EXE|\.porno|\.RDM|\.RRK|\.RADAMANT|\.kraken|\.darkness|\.nochance|\.oshit|\.oplata@qq_com|\.relock@qq_com|\.crypto|\.helpdecrypt@ukr\.net|\.pizda@qq_com|\.dyatel@qq_com_ryp|\.nalog@qq_com|\.chifrator@qq_com|\.gruzin@qq_com|\.troyancoder@qq_com|\.encrypted|\.cry|\.AES256|\.enc|\.hb15|\.vscrypt|\.infected|\.bloc|\.korrektor|\.remind|\.rokku|\.encryptedAES|\.encryptedRSA|\.encedRSA|\.justbtcwillhelpyou|\.btcbtcbtc|\.btc-help-you|\.only-we_can-help_you|\.sanction|\.sport|\.surprise|\.vvv|\.ecc|\.exx|\.ezz|\.abc|\.aaa|\.zzz|\.xyz|\.biz|\.micro|\.xxx|\.ttt|\.mp3|\.Encrypted|\.better_call_saul|\.xtbl|\.enc|\.vault|\.xort|\.trun|\.CrySiS|\.EnCiPhErEd|\.73i87A|\.p5tkjw|\.PoAr2w|\.xrtn|\.vault|\.PORNO

Source list: https://docs.google.com/spreadsheets/u/1/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml

Slide 11: Lab (creating a custom report)

Create a custom report to focus on Ransomware file extensions
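The custom report from this lab amounts to running the extension pattern from the previous slide over file-share write activity and grouping the hits by client. Here is an added example (not LANGuardian's own report engine) that does that over a constructed SMB activity log; the log format, the client addresses and the file names are assumptions made for the example. Two practical refinements are built in: the pattern is anchored to the end of the file name so that `\.enc` does not also fire on every `.encrypted` file, and the generic extensions that appear in the published list (`.txt`, `.html`, `.EXE`, `.mp3`) are left out, because matching those flags ordinary user activity and buries the real hits.

```python
"""Ransomware-extension report over file-share activity: an added example,
not NetFort/LANGuardian code. Log format and all sample data are constructed."""
import re
from collections import defaultdict

# Subset of the extensions from the slide, anchored to the END of the file
# name. Generic ones (.txt, .html, .EXE, .mp3) are deliberately omitted.
RANSOMWARE_EXT = re.compile(
    r"\.(locky|cerber|crypt|encrypted|ctbl|crinf|vault|xtbl|ecc|exx|ezz|"
    r"micro|ttt|vvv|xxx|zzz|aaa|abc|xyz|CrySiS|EnCiPhErEd|better_call_saul)$",
    re.IGNORECASE,
)

# Constructed SMB activity records: timestamp, client IP, action, UNC path.
SAMPLE_LOG = r"""
2016-05-10T09:12:01 10.1.2.15 READ   \\fs01\finance\q1_report.xlsx
2016-05-10T09:12:02 10.1.2.15 WRITE  \\fs01\finance\q1_report.xlsx.locky
2016-05-10T09:12:02 10.1.2.15 WRITE  \\fs01\finance\_HELP_instructions.html
2016-05-10T09:12:03 10.1.2.40 WRITE  \\fs01\hr\notes.txt
2016-05-10T09:12:03 10.1.2.15 WRITE  \\fs01\finance\budget.docx.locky
2016-05-10T09:12:04 10.1.2.77 WRITE  \\fs01\dev\build.zzz
2016-05-10T09:12:05 10.1.2.40 WRITE  \\fs01\hr\encrypted_policy.docx
"""


def parse(line: str):
    """Split one record into (timestamp, client, action, path). The path is
    the remainder of the line so that spaces in file names survive."""
    ts, client, action, path = line.split(None, 3)
    return ts, client, action, path


def report(log_text: str) -> dict:
    """Return {client_ip: [flagged file names]} for WRITE/RENAME records whose
    target file name ends in a known ransomware extension."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, action, path = parse(line)
        filename = path.rsplit("\\", 1)[-1]     # strip the UNC directory part
        if action in ("WRITE", "RENAME") and RANSOMWARE_EXT.search(filename):
            hits[client].append(filename)
    return dict(hits)


def suspect_clients(log_text: str, min_hits: int = 2) -> list:
    """Clients with at least `min_hits` flagged writes, most hits first.
    A single hit can be a stray file; several from one client is worth a call."""
    hits = report(log_text)
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [client for client, names in ranked if len(names) >= min_hits]


if __name__ == "__main__":
    for client, names in report(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} flagged write(s): {', '.join(names)}")
    print("investigate:", suspect_clients(SAMPLE_LOG))
```

Note that `encrypted_policy.docx` is not flagged: the anchor means the word has to be the final extension, which is exactly the distinction between a user's document about encryption and a file a ransomware family has renamed.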

Slide 12: Watch out for an increase in file renames

• File renames are not a common action when it comes to activity on network file shares
• If you see a sudden increase in renames, check for Ransomware activity

Slide 13: Lab (creating a custom trend)

Create a custom trend to focus on file renames and set up an alert if more than 4 per second are detected
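The rename trend and its "more than 4 per second" alert from slides 12 and 13 can be expressed as a sliding one-second window over RENAME events, counted per client. The code below is an added example (not LANGuardian's trend or alerting code) that does this over constructed events; the event tuple layout, the client addresses and the timings are assumptions made for the example. The per-client grouping matters: aggregating renames across the whole share would let one infected host hide inside normal background activity, and it also tells the responder which machine to isolate.

```python
"""Rename-rate alert over file-share events: an added example, not NetFort
code. Counts RENAME events per client in a sliding one-second window and
alerts when more than THRESHOLD_PER_SECOND fall inside it. Data is constructed."""
from collections import defaultdict

THRESHOLD_PER_SECOND = 4      # the slide's suggested alert level
WINDOW_SECONDS = 1.0

# Constructed events: (seconds since start, client IP, action, UNC path).
EVENTS = [
    (0.00, "10.1.2.40", "RENAME", r"\\fs01\hr\a.docx"),
    (0.30, "10.1.2.40", "WRITE",  r"\\fs01\hr\a.docx"),
    (0.90, "10.1.2.40", "RENAME", r"\\fs01\hr\b.docx"),     # 2 renames in 1 s: normal
    (1.00, "10.1.2.15", "RENAME", r"\\fs01\finance\r1.xlsx"),
    (1.10, "10.1.2.15", "RENAME", r"\\fs01\finance\r2.xlsx"),
    (1.20, "10.1.2.15", "RENAME", r"\\fs01\finance\r3.xlsx"),
    (1.35, "10.1.2.15", "READ",   r"\\fs01\finance\r4.xlsx"),
    (1.40, "10.1.2.15", "RENAME", r"\\fs01\finance\r4.xlsx"),
    (1.55, "10.1.2.15", "RENAME", r"\\fs01\finance\r5.xlsx"),  # 5th rename inside 1 s
    (1.70, "10.1.2.15", "RENAME", r"\\fs01\finance\r6.xlsx"),
    (2.50, "10.1.2.40", "RENAME", r"\\fs01\hr\c.docx"),
]


def renames_per_client(events) -> dict:
    """Group RENAME timestamps by client, sorted ascending."""
    per_client = defaultdict(list)
    for ts, client, action, _path in events:
        if action == "RENAME":
            per_client[client].append(ts)
    return {client: sorted(stamps) for client, stamps in per_client.items()}


def peak_rename_rate(timestamps, window: float = WINDOW_SECONDS) -> int:
    """Largest number of renames falling inside any `window`-second span.
    Two-pointer scan over the sorted timestamps, O(n)."""
    peak, left = 0, 0
    for right, ts in enumerate(timestamps):
        while ts - timestamps[left] >= window:
            left += 1                      # drop events that fell out of the window
        peak = max(peak, right - left + 1)
    return peak


def rename_alerts(events, threshold: int = THRESHOLD_PER_SECOND) -> dict:
    """Return {client: peak renames per second} for every client whose peak
    exceeds `threshold`; an empty dict means nothing to alert on."""
    alerts = {}
    for client, stamps in renames_per_client(events).items():
        peak = peak_rename_rate(stamps)
        if peak > threshold:
            alerts[client] = peak
    return alerts


if __name__ == "__main__":
    for client, peak in rename_alerts(EVENTS).items():
        print(f"ALERT {client}: {peak} renames within one second "
              f"(threshold {THRESHOLD_PER_SECOND}/s)")
```

With these events only 10.1.2.15 trips the alert (six renames between 1.00 s and 1.70 s); 10.1.2.40 peaks at two renames per second, which is the kind of rate a user saving and renaming documents produces.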

Slide 14: Ransomware attacks on the rise

• Ransomware-Locky removes the volume shadow copies from the compromised system, thereby preventing the user from restoring the encrypted files.
• Filecoder.Jigsaw is really aggressive and deletes some of the encrypted files every hour. Newer variants of Jigsaw are branded CryptoHitman and display a series of pornographic images on the victim’s computer.
• The latest variant of the TeslaCrypt ransomware no longer uses an extension for encrypted files, making it more difficult for victims to identify the threat. However, a master decryption key for TeslaCrypt was released in May 2016 that unlocks files encrypted by the malware.
• Master boot record killers like Petya have the ability to install a second file-encrypting program. However, if you can extract some data from the disk you may be able to get your data back without paying the ransom.
• The authors of the CryptMix Ransomware are offering to donate ransom fees to a children’s charity, but this is believed to be another scam to dupe victims into paying the ransom.
• Tech support scammers have begun using Ransomware tools to increase their chances of extracting money from victims. New variants warn the user that they cannot access their computer due to an expired license key.

Slide 15: Future trends?

• Expect to see an increase in Ransomware variants which target websites instead of file stores. Linux.Encoder.1 is an example of this threat. When a website is attacked the Ransomware will hold the site’s files, pages and images for ransom.
• Ransomware is also a growing problem for users of mobile devices. There are lock-screen types and file-encrypting variants: lock-screen Ransomware will stop you from accessing anything on your mobile device, and file-encrypting variants will encrypt data stored on the device. You can decrease your chances of an attack by avoiding unofficial app stores and by keeping your mobile device and apps updated.

Slide 16: (no text content)

Slide 17: Download LANGuardian Trial

Slide 18: www.netfort.com