on August 3, 2016

Ransomware – How to defend yourself against it

What is Ransomware?

Ransomware is a type of malware that has lately been increasingly in use by the cyber criminals. In order to profit from the distribution of Ransomware, the bad guys have been targeting numerous businesses and large organizations around the world. In essence, the Ransomware malware is a piece of malicious software that usually encrypts your files or locks your computer and then requires payment in exchange for returning you the access to your files again. Regrettably, there is often little one can do except to pay the requested amount of money – the ransom.

How is Ransomware distributed?

Nowadays, such malware pieces are basically distributed using pre-built infrastructures that enable malware owners to send their binaries by email (using crypters to obfuscate the sample against AV systems), droppers & malicious or compromised websites using Exploit Kits.

What does Ransomware do to your computer?

What such malware does to your computer will depend on the specific techniques used i.e. locking or cryptographic techniques, or a combination of both. Ransomware is not really a new concept and has been in the wild since 2005 in two distinct varieties namely, the cryptographic variants and the locking variants. But we can state that between 2013, 2014 and 2015, there was a huge increase in the amount of new cryptographic Ransomware families on the malware threat landscape. This was mainly due to a new Ransomware type called CryptoLocker, which considerably differed from its two predecessors in the way it proceeded to ask for a ransom, proving that its new technique of encrypting files and asking for bitcoins was an effective method to profit from such an infection.

There were many other types of malware observed in the years leading up to today. Some of them are shown in the following image:

TimelineHorizontal2

Although some of them might slightly change their behavior in terms of the procedure to encrypt files, or to lock the computer, in general, Ransomware takes advantage of legitimate system features like the Crypto API Calls and eliminates the need for Command and Control (C&C) communications for the botnet management.
Some of the Crypto-Ransomware types simply target files to encrypt once they are loaded and executed in the target computer.

A few examples of the target files are:

xls, wpd, wb2, txt, tex, swf, sql, rtf, RAW, ppt, png, pem, pdf, pdb, odt, obj, msg, mpg, mp3, lua, key, jpg, hpp, gif, eps, DTD, doc, der, crt, cpp, cer, bmp, bay, avi, ava, ass, asp, js, py, pl, db, c, h, ps, cs, m, rm.

In cases like Locky ransom, we’ve seen that the sample exchanges an encryption key with the C&C server, and if successful it proceeds to encrypt files from the hard disk using AES algorithm.
In other cases, such as TeslaCrypt, it seems that it simply starts encrypting files of the hard disk even if there’s no communication with the C&C server. This means that if for one reason or another, the key is not stored correctly on the C&C side, the files would be unrecoverable, even by malware owners after paying the ransom.
Some types of locking ransomware try to block the computer, using a combination of techniques that might block the startup of the windows operating system.

Who is the target?

Large corporations as well as small and midsize businesses (SMB) are targets of Ransomware attacks, but SMBs are potentially more impacted because of their lower capacity to mitigate such advanced types of threats with the appropriate disaster recovery plans.

How can you defend yourself against Ransomware?

Depending on the type of Ransomware involved, the user may be able to take some actions. In most cases however, the encryption used to hold the content or the infected computer is very difficult to break, thus making recovery often impossible unless:

• The ransomware has any type of issue in its process so that forensically speaking you might be able to recover the files by analyzing the file system or using carving techniques.
• There’s a clean backup of the hijacked content or computer.
• By some way it would be possible to obtain a copy of the encryption key used to cipher the files or by some other techniques you’re able to unlock critical files of the computer.

From an end-user perspective, Blueliv can provide some generic tips to face these types of threats by considering the following:

• Installing and keeping an AV system updated (maybe that wouldn’t be enough because viruses are constantly morphing to evade signatures)
• Be aware of what you receive as an email attachment and verify files before clicking them
• Verify the source of the email and think about whether you were waiting to receive such an e-mail

From a corporate perspective it might be quite a lot more complex, since IT administrators and security departments have to deal with many assets. We advise large corporations however, to protect themselves against Ransomware with a multi-layered based security, combining multiple strategically placed measures within the corporate network.
Specifically, large corporations could think about:

• Performing App whitelisting in order to allow or block program execution
• Improving and boosting their Backup and Restoring system
Blueliv MRTI Feed Solution: Our feed is based on a large scale malware analysis engine that constantly analyzes malware samples, performs classification & identification of malicious content, extracts C&C URLs and all of this is compiled into one single feed that provides you information about C&C, Exploit Kits, Malware Hashes and Bad Reputation IPs.

Ransomware chronology horizontal

 With such intelligence information you can feed different engines in your organization in order to improve effectiveness of your security controls:

  • Anti-spam Systems & Sandboxing email: Enabling a set of malicious URLs, attachments and hashes to be filtered before the mailing campaigns arrive to the end-users.
  • Proxies and IPs: Blocking the communication of your users before the infected machine reaches the C&C server to exchange the encryption key.
  • Performing forensic investigations, correlating information about communication and malicious content. Observing, identifying, taking actions and improving your controls.

 

Blueliv Labs


Community Trial Demo