Ransomware: Malware that kidnaps your data to extort money from you
Transcription
Ransomware: Malware that kidnaps your data to extort money from you
Ransomware: Malware that kidnaps your data to extort money from you The type of malware from which you simply can’t recover includes Cryptolocker, Cryptowall, Reveton, Winlocker, FBI Virus, Moneypak, and more. June 2014 Table of Contents Summary ................................................................................................................................................... 3 Holding you hostage ................................................................................................................................. 3 Cryptolocker .............................................................................................................................................. 4 What’s the Big Deal, I’ll Just Pay the Ransom ........................................................................................... 6 What Can I Do About It? ........................................................................................................................... 7 An Ounce of Prevention really is worth a Pound of Cure ......................................................................... 8 A Different Approach to Ransomware Protection .................................................................................... 8 Containment ......................................................................................................................................... 8 Detection............................................................................................................................................... 9 Prevention ............................................................................................................................................. 9 Intelligence ............................................................................................................................................ 9 Invincea Platform for User-Oriented Threats ........................................................................................... 9 Conclusion and more information .......................................................................................................... 10 Invincea, Inc. 3975 University Drive, Suite 460 Fairfax, VA 22030 USA Tel: +1-855-511-5967 info@invincea.com www.invincea.com © 2014, Invincea, Inc. All rights reserved. Invincea, the Invincea Logo, Invincea FreeSpace, Invincea Management Service are trademarks of Invincea, Inc. All other product or company names may be trademarks of their respective owners. All specifications are subject to change without notice. Invincea assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. INV_WP_RANSOM_06162014 Page 2 of 10 Summary Of all the classes of malware, “ransomware” may be the most destructive because often it’s not possible to recover from its negative effects. While most malware is disruptive in nature (including general nuisanceware, banking Trojans that steal financial data and credentials, malware that targets information like intellectual property, and those that turn your machines into bots to send out spam campaigns), an organization can eventually recover from their damage after significant cost, effort, and time. Not so with ransomware – your important business data can be lost forever. Holding you hostage Ransomware’s goal is to hold you hostage through a variety of lock-out mechanisms, the most successful is by encrypting your data forcing you to pay for the decryption key. The nature of this ransom can cause your data to be lost forever. Since this malware can even encrypt your backup files across network share drives and mounted file systems, if you lose your information without backups, it could cause irreparable damage to your company. Ransomware does not describe a specific infection mechanism but rather the impact on the infected user. Ransomware can be distributed and infect targeted users through a variety of infection mechanisms: Page 3 of 10 Spear-phishing1 emails that deliver the employee to malicious websites that run drive-by download exploits or include weaponized document attachments Watering hole attacks2 that involve hijacking legitimate, trusted sites to push malware to unsuspecting users Poisoning search results3 behind trending news items on popular engines, such as Google, Yahoo!, and Bing Pushing malware4 through popular social networks such as Twitter and Facebook As recently as June 6, 2014, authors of the Cryptowall ransomware variant successfully infected hundreds of thousands of users by paying to have malicious ads displayed on popular websites like Facebook, Disney, and The Guardian5. Those websites were not hacked to serve the malicious code, but distributed through legitimate advertising networks. Examples of common ransomware include Cryptolocker, Reveton6, Winlocker, FBI Virus, and Moneypak Virus. We’ll explore Cryptolocker, the most prevalent ransomware malware, in more detail. Cryptolocker Cryptolocker is the name of a malware family that infects end user computers via spearphishing email attacks posing as legitimate business correspondence from FedEx, UPS, a bank or other trusted institutions, and from infected websites through watering hole attacks and drive-by downloads. 1 http://www.invincea.com/spear-phishing-protection http://www.invincea.com/watering-hole-attacks/ 3 http://usatoday30.usatoday.com/tech/news/story/2012-06-17/poisoned-search-results/55654796/1 4 http://mashable.com/2013/04/22/twitter-malware-financial-fraud/ 5 http://thehackernews.com/2014/06/new-cryptowall-ransomware-spreading.html 6 http://www.invincea.com/2013/03/kia-reveton-ransomware-java-7-exploit-cve-2013-0431 2 Page 4 of 10 Example of forged spear-phish email used to infect with Cryptolocker When users get infected, the malware silently encrypts all documents on the local machine and attempts to pivot and spread over mounted file systems, network shares, USB drives, and other connected systems. Once all files have been encrypted, Cryptolocker displays a dialog box describing what it did to the user’s files along with details of the ransom. Files are encrypted with an asymmetric 2,048-bit key – virtually impossible to crack. The only person that has the key to unencrypt your files are the malware authors, and they will sell it to you: this is the ransom payment. Page 5 of 10 Cryptolocker dialog screen By the time users get this message on their machine, it’s too late! Cryptolocker has successfully encrypted all the data files on that user’s machine (and possibly across your network). The average ransom amount is around $300, and the Cryptolocker authors have started accepting Bitcoin for payment as this is not traceable by law enforcement. The ransom must be paid within a specified period, often less than 96 hours, or the unique private key that encrypted the files will be destroyed rendering your data unrecoverable. What’s the Big Deal, I’ll Just Pay the Ransom As with most kidnapping crimes, paying the ransom is no guarantee that you will get your key to recover your files. In some cases, the authors take your money and do not respond. In others, they ask for more money since they know that you’re willing and desperate to pay. There have also been documented cases where applying the decryption key actually re-infects the user’s machines! Surprisingly, it’s estimated that about 3% of impacted users pay the ransom, totaling to just over $1M in ransom fees in the last three months of 2013 alone and $100M for all ransomware variants since inception – certainly enough to encourage the Cryptolocker authors to continue their ransomware campaigns. Unfortunately, this type of crimes does pay… and pays well. Page 6 of 10 What Can I Do About It? Cryptolocker spread very quickly after it was first discovered in Sept 2013. It infected over 250,000 machines in the first 100 days, mostly targeting small and medium businesses in English-speaking countries. There are new variants of Cryptolocker being created to spread its infection rate even wider and further reduce its ability to be detected by traditional signature-based anti-virus systems. Signature-based security requires that the anti-virus vendors have already discovered the malware variant in order to write a signature, a classic chicken-and-the-egg problem, resulting in a never-ending escalation of signatures and new exploits coming out. You can see from this analysis by VirusTotal.com (a free service that measures the effectiveness rate of anti-virus scanners) that only 58% of anti-virus tools tested can detect this single variant of Cryptolocker months after it was first introduced. Organizations are taking a risk if they believe that legacy anti-virus technology can detect modern malware. VirusTotal.com detection results for a single Cryptolocker variant Sadly, if you’re already infected, there’s not much you can do. (We are not recommending whether you should pay the ransom or not.) Hopefully, you have a good backup system in place that wasn’t impacted by the infection, you were able to quickly identify and isolate that infected user, re-image their machine to remove all traces of the malware, verify that other users haven’t been infected, and start the painful processing of identifying the exposure to your lost data. Page 7 of 10 An Ounce of Prevention really is worth a Pound of Cure Invincea realized years ago after conducting advanced research on modern malware activity that a new type of technology approach is needed to combat the explosive rise in user-targeted threats, including spear-phishing, watering holes, drive-by downloads, and other attacks of opportunities that spread ransomware and other malware. There are over 200,000+ malware variants being released every day, plus over 60,000+ malicious URLs and hijacked websites are created each day that far outpaces the ability of legacy signature-based anti-virus systems to keep up. There simply is too much malware being created for anti-virus vendors to develop and release signatures every minute of the day. And what happens if the organization is not able to push new signatures to its users in a timely manner? The user and the organization are at risk from malware like Cryptolocker. A Different Approach to Ransomware Protection Invincea has taken a different approach to user protection based on over eight years of advanced malware research, protecting nearly 15,000 organizations in 112 countries, and single deployments as large as 70,000 endpoints. It is not a single technology that is able to provide this capability, but rather an innovative approach composed of multiple techniques operating in tandem to address the problem domain. Invincea offers an integrated platform providing mission-critical user protection, enterprise scalable deployment and management, and real-time threat intelligence. Containment The core of the Invincea platform is the FreeSpace™ user protection client. This software completely isolates vulnerable applications (Java, web browsers, PDF readers, Microsoft Office suite, Adobe Flash, Adobe Reader, and more) from the host operating system, registry, disk, running processes, threads, and memory into a secure virtual container. One can think of this as “application virtualization.” The containment allows for a unique capability: it doesn’t prevent vulnerable applications from running (unlike application whitelisting), and lets them operate as they normally do for legitimate uses. As applications are launched and run inside the secure container, if they start to behave in a malicious manner, their activity does not impact the host since all application executions occur in this segregated virtual container fully isolated from the host. The secure virtual container is an innovative approach as it allows for the integration of behavioral activity scanners, forensics instrumentation, and user policy controls. Page 8 of 10 Detection The client component running on end user machines integrates signature-free behavioral sensors within the container to automatically detect all forms of malware activity: known, unknown, and zero-day. This far exceeds the limitations of signaturebased systems that require one signature for each unique exploit. Invincea’s behavioral sensors understand the legitimate behavior of how applications run inside the secure container, thus detecting malicious activity regardless of how many variants of exploits try to take advantage of a vulnerability. This approach also significantly reduces false positives commonly found in other traditional behavioral detection technologies when trying to detect unknown and zero-day attacks. Prevention The prevention capabilities provided by the system greatly exceed the benefits provided by detection-only systems. While having knowledge of breaches is important, the cost of remediation, lost employee productivity, and the risk of having lost valuable intellectual property or financial loss after a breach occurs is something that is not possible to roll-back. Once the breach occurs, regardless of how fast it is detected, the organization incurs a loss. Invincea’s policy-based prevention rules enable an organization to stop a breach before it occurs, and contain the forensics evidence to be used for further risk analysis, adversarial attribution, legal proceedings, and further hardening of the security infrastructure. Intelligence Rich forensics of malware activity captured during the containment, detection, and prevention cycles on the endpoint can be investigated to provide actionable intelligence and investigation into the current risk posture against the organization. One can easily determine if this is simply an attack of opportunity (i.e. a watering hole or drive-by attack) or if the organization is the target of a concerted attack effort. Data forensics and incident responders (DFIR) have the ability to trace the attack lifecycle, investigate the artifacts from the prevented malware attempt, and fuse this information with other threat intelligence services and security information event management systems, without the pressure of responding to an active breach in progress that can spin out of control as malware pivots throughout the organization. Invincea Platform for User-Oriented Threats The protection capabilities of the Invincea platform delivers a comprehensive framework for all user-oriented attack vectors: Browser-based attacks Page 9 of 10 o Spear-phishing7 o Watering hole attacks8 o Attacks of Opportunity9 o Poisoned Search Engine Optimizations o Infected advertisements PDF documents Adobe Flash Adobe Acrobat Microsoft Office documents (Word, Excel, PowerPoint) Microsoft Outlook email helper applications Microsoft Silverlight Apple QuickTime Custom browser plug-ins User channel operating system attack vectors (Windows XP, 7, 8.110) And many more attack vectors Organizations select the Invincea platform for a comprehensive set of user protection, prevention, and analysis capabilities across multiple attack vectors as part of their unified security infrastructure. Conclusion and more information This paper presents the business and security realities of user-targeted ransomware threats across an organization. Legacy technologies are not adequate in addressing the modern issues with user threats, and organizations should seriously evaluate if repurposing point-solutions can meet their current and future needs specific to advanced malware threats. For more information on the Invincea platform and protecting against user-targeted exploits and other forms of security threats, please contact: Website: www.invincea.com Email: info@invincea.com Phone: +1-855-511-5967 or +1-703-352-7680 7 http://www.invincea.com/why-invincea/spear-phishing-protection http://www.invincea.com/why-invincea/watering-hole-attacks 9 http://www.invincea.com/why-invincea/attacks-of-opportunity 10 Invincea FreeSpace client version 4, July 2014 release 8 Page 10 of 10