Ransomware attacks are not only growing in number but also evolving, using advanced evasion techniques and affecting individuals and organizations across industries.
Seqrite security solutions provide multi-layered defense that detects and blocks ransomware infections in real time, including newly emerging variants.
2. Panelist
Rahul Sharma
Pre-sales and Business Critical
Services Lead,
Quick Heal
Presenter
Mayank Dikshit
Quality Assessment Lead -
Windows, Mac, Linux,
Quick Heal
Host
Ankita Ashesh
Enterprise Business
Communications Strategist,
Quick Heal
3. Agenda
Overview of Ransomware
• Infection vectors and targeted files
• Industries affected
• New techniques used by ransomware
• Ransomware examples
How does Seqrite protect against ransomware?
• Layered protection
• Statistics
Prevention steps
• General
• Server specific
4. Overview of Ransomware
Digital extortion
• Encryption
Encrypts the victim's files with a key that only the attacker holds, so the files can no longer be opened
• Lock screen
Uses a full-screen image or webpage to stop the victim from accessing anything on the computer
• MBR
Overwrites the Master Boot Record so the operating system cannot load
5. Infection Vectors
• Email attachments
• Part of another malware's payload
• Delivered by an exploit kit
• Phishing links
• Vulnerabilities in applications and plug-ins (such as Adobe Reader and Flash Player)
6. Targeted Files
Office files, PDF files, database files, images and drawings, game files
8. New Techniques used by Ransomware
• RDP (Remote Desktop) brute-force attacks
• Exploiting server vulnerabilities
• Trojanized popular third-party software/tools
9. Ransomware examples
• SamSam – March 2016
• Troldesh (.XTBL) – Remote Desktop – August 2016
• Cerber 3 spread via Ammyy Admin – September 2016
15. Backup and Restore
Key Highlights
The feature requires a Seqrite product to be already installed and activated. It is delivered as part of regular updates and needs no specific user action.
Backup and Restore is lightweight and works in the background to back up your data without noticeable performance overhead.
It automatically and periodically (multiple times a day) takes incremental backups of well-known document formats: PDF, Microsoft Office and OpenOffice files.
Backups are kept on the local drive itself; at no point is this data shared with or transferred to the Seqrite cloud.
To restore data, Seqrite Technical Support provides assistance.
16. Preventive Steps
• Regular backup of important data
• Keep your security product up to date
• Apply important software updates and patches
• Follow best security practices
17. Preventive Steps (server specific)
• Use strong and unique passwords
• Disable RDP where it is not needed, or change the default RDP port number
• 2-factor authentication for remote services
• Configure account lockout policies
• Disable macros in Microsoft Office via Group Policy
• Configure password protection for your security software
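As an added example (not part of the Seqrite deck), the script below is the per-user registry equivalent of the "Disable macros in Microsoft Office via Group Policy" step above. The Office version numbers (15.0 for Office 2013, 16.0 for Office 2016), the application list and the chosen VBAWarnings level are assumptions for illustration; in a domain the same values are set through the Office ADMX templates under User Configuration, which is what the slide means by Group Policy.

```powershell
# Added example, not Quick Heal/Seqrite code: registry-policy equivalent of the
# Office macro GPO for the current user. Assumptions: Office 2013/2016 (15.0/16.0)
# and the three most commonly abused applications.

$OfficeVersions = '15.0', '16.0'
$Apps           = 'Word', 'Excel', 'PowerPoint'
# VBAWarnings: 2 = disable with notification (Office default), 3 = disable all
# except digitally signed macros, 4 = disable all without notification.
$VbaWarnings    = 3

function Set-OfficeMacroPolicy {
    param([string[]]$Versions, [string[]]$Apps, [int]$VbaWarnings)
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings -Type DWord
            # Blocks macros in files that carry the Mark-of-the-Web (downloaded or
            # saved from an email attachment), independently of VBAWarnings.
            # Honoured by Office 2016 and later.
            Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        }
    }
}

function Get-OfficeMacroPolicy {
    param([string[]]$Versions, [string[]]$Apps)
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Version           = $v
                App               = $app
                VBAWarnings       = $p.VBAWarnings
                BlockFromInternet = $p.blockcontentexecutionfrominternet
            }
        }
    }
}

Set-OfficeMacroPolicy -Versions $OfficeVersions -Apps $Apps -VbaWarnings $VbaWarnings
Get-OfficeMacroPolicy -Versions $OfficeVersions -Apps $Apps | Format-Table -AutoSize
```

VBAWarnings=3 keeps signed internal macros working; use 4 where no macros are needed at all. The blockcontentexecutionfrominternet value is the one that addresses the email-attachment vector directly, because attachments saved from Outlook carry the Mark-of-the-Web.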
Ransomware is sophisticated malware that hijacks the victim's system and renders it unusable: it prevents the user from using applications or accessing their data, or even the operating system itself, until the victim pays a demanded sum of money.
Encryption: The files are encrypted with strong, correctly implemented cryptography and cannot be decrypted without the attacker's private key. Current families typically use a 2,048-bit RSA key pair to protect the symmetric keys that actually encrypt the files; because the private key stays with the attacker, breaking the encryption is practically impossible.
Payment and key delivery are usually handled over the Tor anonymity network and in Bitcoin, which makes the operators hard to trace.
Lock screen: This kind of ransomware locks the screen and prevents access to the computer; the files themselves are usually left intact.
MBR ransomware infects the Master Boot Record (MBR), preventing the operating system from loading. Based on analysis, this malware copies the original MBR and overwrites it with its own malicious code.
Ransomware is propagated primarily through three modes:
email, malvertising, and exploit kits that probe the visitor's system for vulnerabilities and exploit them to plant malware.
Email
Ransomware is propagated through spam email campaigns; the emails usually appear to carry important information that draws the victim's attention. The victim typically performs one of the following three actions, each of which results in the computer being compromised and ransomware being installed:
The victim opens a malicious attachment, which installs the ransomware directly on the computer.
The victim opens an attachment that installs a downloader, which then fetches the ransomware.
The victim clicks an embedded phishing URL that points to a site hosting malicious code or an exploit kit, which ultimately installs the ransomware.
Malvertising
Involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. The user clicks the attractive ad expecting to visit the advertised site, but is instead infected directly or redirected to a malicious site. Such sites trick users into downloading malware disguised as Flash Player files or updates.
Using exploit kits
Exploit kits exploit vulnerabilities in software to install malware. The attackers compromise third-party web servers on the Internet and inject iframes into the pages hosted on them. The iframes silently direct the victim's browser to the exploit kit server, which probes the browser and its plug-ins for vulnerabilities and installs the malware on the unsuspecting victim's machine.
Individuals, educational institutions, government organizations, corporates and businesses, hospitals and even law enforcement agencies have been victims.
While a rise in targeted attacks has been observed, overall cybercriminals look for whatever spreads most easily. That is why they latch on to big events and breaking or sensational news to launch their campaigns.
Cybercriminals understand that systems are often not patched with the latest security updates and that effective data backup strategies are still not widely practiced.
Across the world there is a rising trend in attacks against hospitals.
1. Unpatched systems
Malware authors also use tactics to avoid antivirus detection. They equip their malware with the ability to detect sandboxing by checking for specific registry entries, running processes, open ports and similar environment details. When the malware detects that it is running in a sandbox, it stays dormant, leading the AV to conclude that the file is harmless.
We have also observed that certain recent ransomware families brute-force their way into servers over Remote Desktop by exploiting weak passwords. Once inside, the attackers uninstall the security products before running the payload.
March 2016
SamSam, Maktub
Unlike most ransomware, SamSam is not launched via user-focused attack vectors such as phishing campaigns and exploit kits. This family is distributed by compromising servers and using them as a foothold to move laterally through the network and compromise additional machines, which are then held for ransom. A particular focus appears to have been placed on the healthcare industry.
Unlike traditional ransomware that relies on gullible users to open a malware-laden email attachment or visit a booby-trapped website, this breed is installed once attackers have exploited unpatched server vulnerabilities. To date, only hospitals have been targeted with these two malware samples. “In the past, ransomware like CryptoLocker and TeslaCrypt required someone to open an email attachment or visit a site,” said Craig Williams, senior technical leader for Cisco Talos. “SamSam targets vulnerable servers. Those are always up and always potentially vulnerable.” SamSam penetrates a hospital's network by exploiting known vulnerabilities in the organization's unpatched servers. Once the attackers gain access to the network, Williams said, they identify key data systems to encrypt. “The SamSam campaign is unusual in that it is taking advantage of remote execution techniques instead of targeting the user.” Hospitals are being singled out because of a perception that they have weak security and rely on antiquated technology.
August 2016
The Troldesh ransomware (also known as XTBL) is being spread and executed by criminals who gain direct access to the victim's computer through Remote Desktop. By default, Windows Remote Desktop is reachable only on the local network unless it has been exposed to the Internet through a port-forwarding rule on a router or hardware firewall. This is usually done in organizations where systems (usually servers) are accessed from multiple branches for various tasks, which explains why most of the affected systems run Windows Server.
Remote access to the victim's computer is gained by brute-force techniques that can effectively crack weak passwords. The technique is nothing new, but its use in a widespread campaign for spreading ransomware is.
Typically, a brute-force attack scans IP ranges for hosts with the relevant TCP port open (3389 in the case of RDP). Once an attacker finds an open port, they launch the attack: trial-and-error password guessing using a list of commonly used credentials, dictionary words and other combinations. Once access is gained, the criminals simply disable the system's antivirus and run the payload directly. This means that even if the antivirus is updated and has detection for the malware, turning off its protection renders the system defenseless.
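The guessing pattern described above shows up in the Windows Security log as a burst of Event ID 4625 (failed logon) records from a single source address, cycling through common user names. The following added example (not from the deck) reads those events on a Windows host and, where the log is unavailable, falls back to a constructed sample so the logic can be tried anywhere; the threshold, window and sample data are assumptions.

```powershell
# Added example, not Quick Heal/Seqrite code: flag RDP password guessing from the
# Windows Security log. 4625 = failed logon. LogonType 10 = RemoteInteractive (RDP);
# LogonType 3 also appears for RDP when NLA is on, because the credential check
# happens before a session exists. Threshold/window values are assumptions.

param(
    [int]$Threshold  = 10,   # failures from one source inside the window => alert
    [int]$WindowMins = 10    # sliding window length in minutes
)

function Get-FailedLogons {
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                               -MaxEvents 5000 -ErrorAction Stop
        foreach ($e in $events) {
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                User      = $d['TargetUserName']
                IpAddress = $d['IpAddress']
                LogonType = [int]$d['LogonType']
            }
        }
    } catch {
        Write-Warning "Security log unavailable ($($_.Exception.Message)); using constructed sample events."
        # Constructed sample: one source guessing names at ~1/s, one legitimate typo.
        $t0 = Get-Date '2016-08-01 02:00:00'
        $names = 'Administrator','admin','user','Administrator','Admin','administrator',
                 'guest','sqladmin','backup','Administrator','admin','Administrator'
        $i = 0
        foreach ($n in $names) {
            [pscustomobject]@{ Time = $t0.AddSeconds($i); User = $n; IpAddress = '203.0.113.45'; LogonType = 3 }
            $i++
        }
        [pscustomobject]@{ Time = $t0.AddMinutes(5); User = 'jsmith'; IpAddress = '10.0.0.22'; LogonType = 10 }
    }
}

function Find-RdpBruteForce {
    param([object[]]$Logons, [int]$Threshold, [int]$WindowMins)
    $Logons |
      Where-Object { ($_.LogonType -in 3,10) -and $_.IpAddress -and $_.IpAddress -ne '-' } |
      Group-Object IpAddress |
      ForEach-Object {
          $sorted = @($_.Group | Sort-Object Time)
          # Densest run of failures inside any $WindowMins window from this source.
          $peak = 0
          for ($a = 0; $a -lt $sorted.Count; $a++) {
              $end = $sorted[$a].Time.AddMinutes($WindowMins)
              $n = @($sorted | Where-Object { $_.Time -ge $sorted[$a].Time -and $_.Time -lt $end }).Count
              if ($n -gt $peak) { $peak = $n }
          }
          [pscustomobject]@{
              Source        = $_.Name
              Failures      = $_.Count
              PeakInWindow  = $peak
              DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
              Suspicious    = ($peak -ge $Threshold)
          }
      } | Sort-Object PeakInWindow -Descending
}

Find-RdpBruteForce -Logons (Get-FailedLogons) -Threshold $Threshold -WindowMins $WindowMins |
    Format-Table -AutoSize
```

With the constructed sample, 203.0.113.45 is flagged (12 failures in 12 seconds across several account names) while the single failure from 10.0.0.22 is not. A high DistinctUsers count from one source is the tell-tale of the credential-list guessing described above, as opposed to one user mistyping a password.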
Examples of the extension appended to encrypted files; the attacker's contact address is embedded in the file name:
[email_address]
.{last_centurion@aol.com}.xtbl
[email_address]
{mailrepa.lotos@aol.com}.CrySiS
Seqrite proactively detects and blocks the Troldesh/XTBL variants that are being spread through this new vector.
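As an added incident-response example (not part of the Seqrite deck), the script below walks a share for files carrying the naming pattern shown above and groups them by the embedded contact address, first and last write time and file owner. Because the RDP campaign runs the payload under the account it brute-forced, the owner of the encrypted files points at the account to reset. The regex and the constructed sample directory it falls back to are assumptions for illustration.

```powershell
# Added example, not Quick Heal/Seqrite code: triage a share after a Troldesh/XTBL or
# CrySiS infection. Usage: .\Find-Xtbl.ps1 \\fileserver\share  (no argument = demo tree)

# Matches <name>.{contact@mail}.xtbl / .CrySiS as seen in the campaign. Assumption:
# the attackers keep this layout; extend the alternation for other families.
$Pattern = '\{(?<contact>[^{}]+@[^{}]+)\}\.(?<ext>xtbl|CrySiS)$'

function Find-EncryptedFiles {
    param([string]$Root, [string]$Pattern)
    $canAcl = [bool](Get-Command Get-Acl -ErrorAction SilentlyContinue)   # Windows only
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
          if ($_.Name -match $Pattern) {
              $owner = if ($canAcl) { (Get-Acl -LiteralPath $_.FullName).Owner } else { 'n/a' }
              [pscustomobject]@{
                  Path    = $_.FullName
                  Contact = $Matches['contact']
                  Family  = $Matches['ext']
                  Written = $_.LastWriteTime
                  Owner   = $owner        # account that wrote the encrypted file
              }
          }
      }
}

function Get-EncryptionSummary {
    param([object[]]$Hits)
    $Hits | Group-Object Contact | ForEach-Object {
        $byTime = @($_.Group | Sort-Object Written)
        [pscustomobject]@{
            Contact   = $_.Name
            Family    = (@($_.Group.Family | Sort-Object -Unique) -join ',')
            Files     = $_.Count
            FirstSeen = $byTime[0].Written      # earliest encrypted file ~ start of the run
            LastSeen  = $byTime[-1].Written
            Owners    = (@($_.Group.Owner | Sort-Object -Unique) -join ', ')
        }
    }
}

function New-SampleShare {
    # Constructed demo tree so the script runs without a real incident.
    $dir = Join-Path ([IO.Path]::GetTempPath()) ('xtbl-demo-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $dir | Out-Null
    $files = 'invoice.docx.{last_centurion@aol.com}.xtbl',
             'report.xlsx.{last_centurion@aol.com}.xtbl',
             'backup.bak.{mailrepa.lotos@aol.com}.CrySiS',
             'notes.txt',
             'README.txt.{someone@example.com}.xtbl.bak'   # must not match: extension is not last
    foreach ($f in $files) { Set-Content -LiteralPath (Join-Path $dir $f) -Value 'x' }
    $dir
}

$root = if ($args.Count -gt 0) { $args[0] } else { New-SampleShare }
$hits = @(Find-EncryptedFiles -Root $root -Pattern $Pattern)
"Encrypted files under $root : $($hits.Count)"
Get-EncryptionSummary -Hits $hits | Format-Table -AutoSize
```

On the constructed tree this reports three encrypted files in two groups (two for last_centurion@aol.com, one for mailrepa.lotos@aol.com) and ignores the decoy whose ransomware extension is not the last one. Point it at the real share root and compare FirstSeen with the 4625 burst from the RDP logs to confirm the entry point.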
September 2016
Ammyy Admin
Quick Heal Labs observed that a new variant of the Cerber3 ransomware was being spread through the Ammyy Admin software offered on the official Ammyy Admin website. This is not surprising, as the website has been found to host malware on several other occasions; in a previous case it was found to spread the notorious CryptoWall 4.0 ransomware.
In 2016, Seqrite blocked on average around 1.25 million (12.5 lakh) ransomware attacks per month.
Over the last few months, there has been tremendous growth in the number of ransomware attacks that have been spotted in the wild. Cybercriminals have effectively cracked this ‘business model’ and are generating a significant amount of money through this attack mechanism. What was once an attack technique that was aimed solely at susceptible individual users has now developed the ability to afflict advanced enterprise networks as well. Ransomware attacks are capable of causing significant system downtime, loss of critical data, Intellectual Property (IP) theft and more. In several industries, a ransomware attack is now considered on par with a significant data breach.
Seqrite works continuously to keep its users protected from ransomware attacks. Signature updates are released regularly, and the heuristic Behavior Detection System (BDS) and Anti-Ransomware features are enhanced on an ongoing basis to protect users from new, emerging and complex ransomware.
Signature-based Detection
When Seqrite identifies a new virus, a signature is derived from a unique piece of its code and distributed to clients running Seqrite software through updates. As hundreds of new threats are identified daily, these new signatures must be added to the Seqrite database on your computer, which helps the Seqrite software detect and block threats to your computer in
Email Scan Protection is one of the first layers of protection. The vast majority of ransomware is propagated through email; the emails and attachments carrying the payload are carefully crafted, with appealing subject lines to lure users into opening the malicious attachments. Email Scan has been blocking a high percentage of ransomware, based on heuristics as well as signatures.
Internet and Network Security provides protection against web-based threats such as phishing URLs, malware such as keyloggers, and other intrusion attempts. These threats are blocked in real time, and access to malicious sites and phishing URLs is denied. It also provides a firewall that lets you control external traffic coming to your computer as per your requirements.
Virus Protection provides real-time protection and defense. It is running all the time to keep your system secure from potential threats.
While signature-based detection is considered reactive, the features above also block ransomware based on heuristics, thereby providing zero-day protection.
The indigenous DNAScan technology detects and eliminates new and unknown malicious threats and thereby, provides zero-day protection. DNAScan uses the below techniques:
1. Detection by Characteristics
2. Detection by Behavior
The Behavior Detection System is a dynamic, signature-less, proactive protection that helps eliminate new and unknown threats on the system. It monitors activity on the system and, on finding anything suspicious, immediately suspends the offending application or process. This also helps protect against new and unknown ransomware.
Quick Heal Total Security's Anti-Ransomware feature is designed specifically to detect and block ransomware.
Built on the behavior-based detection technology, it protects your computer and data in two ways:
1. It securely, automatically and transparently backs up your critical data, creating a secure digital locker on your computer that is accessible only for the purpose of restoring your files.
2. It detects ransomware and blocks it; a prompt is displayed to the user when suspicious ransomware activity is detected.
The backup does not cover mapped/network drives or removable drives. Files cannot be restored to a network location, but a removable drive can be used as the restore target.
Note that this feature will not be effective in certain cases:
Where files were already encrypted by ransomware before the feature was installed.
Where the system is hit by a full-disk-encrypting ransomware attack, which is rare.
Applying important software updates and patches
Ensure that Windows Update is enabled to automatically download and apply security updates, and that the latest Windows security patches are installed. Apply updates for commonly targeted software as well, such as:
Microsoft Office
Java
Adobe Acrobat Reader
Web browsers like Internet Explorer, Chrome, Firefox, Opera etc.
Adobe Flash Player
Regular backup of important data
It is very important to have a backup policy for all your important data. Back it up periodically using the right combination of online and offline backups, and do not keep offline backups connected to your system, as they would be encrypted along with everything else during an infection.
Follow best security practices
Do not open or execute attachments received from unknown senders. Cybercriminals use social engineering to lure users into opening attachments or clicking links that deliver malware.
Use strong passwords for login accounts and network shares.
Avoid downloading software from untrusted P2P or torrent sites; at times it is trojanized with malicious software.
Do not download cracked software, as it carries the added risk of opening a backdoor for malware into your system.
Do not download pirated or free software from unknown and untrusted sites.
Avoid mapping network drives on the system unnecessarily; ransomware encrypts mapped drives along with local ones.
Do not use untrusted plug-ins, add-ons or extensions in browsers.
Do not use important servers for daily browsing or mailing activities.
Avoid browsing or downloading while logged in with full administrator rights.
– Use strong and unique passwords on user accounts. Weak passwords like Admin, admin123, user, 123456, password, Pass@123, etc., are guessed within the first few attempts of a brute-force attack.
– Disable the built-in Administrator account and use a differently named account for administrative work. Most brute-force attempts target the Administrator account because it is present by default. Also remove any other unused or guest accounts configured on the system.
– Change the default RDP port from 3389 to something else. A full port scan would still reveal the open port, but this defeats attacks that target only port 3389; combine it with firewall rules that restrict which addresses may connect at all.
– Configure account lockout policies that automatically lock an account after a specific number of failed logon attempts. This is built into Windows and the threshold can be customized by the administrator.
Ref: https://technet.microsoft.com/en-us/library/dd277400.aspx
– Configure password protection for your security software, so that unauthorized users cannot disable or uninstall it. Quick Heal users can enable this under Settings => Password Protection.
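The server-specific steps above, carried out as one script, as an added example that is not Seqrite's own guidance. It assumes Windows Server 2016 or later (or PowerShell 5.1 with the LocalAccounts module) and a management subnet that is the only legitimate RDP source; the port number, account name and subnet are placeholders to replace. Run it elevated from the console or an out-of-band session, because the port change and service restart drop any existing RDP session. 2-factor authentication for remote services is product-specific and not covered here.

```powershell
# Added example, not Quick Heal/Seqrite code: server-side RDP hardening.
# Assumptions: new port, admin account name and management subnet below.
#Requires -RunAsAdministrator

$NewRdpPort = 33890            # assumption: any unused high port
$AdminName  = 'ops-breakglass' # assumption: new name for the built-in Administrator
$MgmtSubnet = '10.0.0.0/24'    # assumption: only this network may reach RDP

# 1. Account lockout: 5 failures lock the account for 30 min; the failure counter
#    resets after 30 min. (These net accounts switches are honoured although the
#    command's help text does not list them.)
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 2. Rename the built-in Administrator (RID 500) and disable Guest. Guesses aimed
#    at "Administrator" then hit a non-existent account instead of the real one.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Name -ne $AdminName) {
    Rename-LocalUser -Name $builtin.Name -NewName $AdminName
}
Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue | Disable-LocalUser

# 3. Require Network Level Authentication (credentials are checked before a session
#    is created) and move the listener off 3389.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1           -Type DWord
Set-ItemProperty -Path $rdpTcp -Name 'PortNumber'         -Value $NewRdpPort -Type DWord

# 4. Firewall: the new port is reachable only from the management subnet and the
#    built-in "Remote Desktop" rules (3389 from anywhere) are disabled. The port
#    change alone is obscurity; the source restriction is the real control.
New-NetFirewallRule -DisplayName "RDP $NewRdpPort (mgmt only)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewRdpPort -RemoteAddress $MgmtSubnet -Action Allow | Out-Null
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# 5. Restart Remote Desktop Services so the new port and NLA setting take effect.
Restart-Service -Name TermService -Force

# 6. Read back the effective settings for the change record.
$rdp = Get-ItemProperty -Path $rdpTcp
[pscustomobject]@{
    RdpPort          = $rdp.PortNumber
    NlaRequired      = ($rdp.UserAuthentication -eq 1)
    LockoutThreshold = (net accounts | Select-String 'Lockout threshold').Line.Trim()
    BuiltinAdmin     = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).Name
    Rules3389Enabled = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                         Where-Object { $_.Enabled -eq 'True' }).Count
}
```

Verify from a host on the management subnet that the new port answers and from any other network that it does not, before closing the console session. Renaming the account does not change its RID, so a scanner that enumerates SIDs can still find it; the lockout policy and source restriction are what make the guessing attack described above impractical.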