Ransomware today: How to protect against Locky and friends
What we’re going to cover
• A bit of background
• Anatomy of a ransomware attack
• The latest ransomware to rear its ugly head – introducing Locky and its friends
• Why these attacks are so successful
• Practical steps to protect your organization from ransomware threats
• How Sophos can help
A bit of background
Ransomware is a form of malware that encrypts private information and demands payment in order to decrypt it.
History
• CryptoLocker first appeared in 2013
• New variants emerge all-too-regularly
• Current wave has roots in the early days of FakeAV
• Locky is one of the newest flavors to menace internet users
• Common ransom demands for USD 200 – 500.
• Technology used changes rapidly
○ Office documents with macros
○ CHM files
○ JavaScript
○ .bat files
Two main vectors of attack
• SPAM (via social engineering)
○ Seemingly plausible sender
○ Has an attachment, e.g. an invoice or parcel delivery note
○ The attachment contains an embedded macro
○ When the attachment is opened the macro downloads and then executes the ransomware payload
○ Used by Locky, TorrentLocker, CTB-Locker
• Exploit kits
○ Black market tools used to easily create attacks that exploit known or unknown (zero-day) vulnerabilities
○ Client-side vulnerabilities usually target the web browser
○ Used by CryptoWall, TeslaCrypt, CrypVault, ThreatFinder
Anatomy of a ransomware attack
1. Installation via an exploit kit or spam with an infected attachment
Once installed, the ransomware modifies the registry keys.
2. Contact with the command & control server of the attacker
The ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer.
3. Encryption of assets
Certain files are then encrypted on the local computer and on all accessible network drives with this public key. Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery.
4. Ransom demand
A message appears on the user’s desktop, explaining how a ransom (often in the form of bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key that only the attacker’s system has access to.
5. And gone
The ransomware then deletes itself, leaving just the encrypted files and ransom notes behind.
Ransom demands
Paying ransoms
• Payment is made in Bitcoins
• Instructions are available via Tor
• The ransom increases the longer you take to pay
• On payment of the ransom, the public encryption key is provided so you can decrypt your computer files
Common ransomware: Locky and friends
Locky: the new kid on the block
• Nickname of a new strain of ransomware, so-called because it renames all your important files so that they have the extension .locky
• Ransoms vary from BTC 0.5 to BTC 1.00 (1 BTC is worth about €380/$425/£300).
• Started hitting the headlines in early 2016
• Wreaking havoc with at least 400,000 machines affected worldwide
A common Locky attack
• You receive an email containing an attached document.
○ The document looks like gobbledegook.
○ The document advises you to enable macros “if the data encoding is incorrect.”
○ The criminals want you to click on the 'Options' button at the top of the page.
• Once you click Options, Locky will start to execute on your computer.
• As soon as it is ready to ask you for the ransom, it changes your desktop wallpaper.
• The format of the demand varies, but the results are the same.
Example: Attached Word document
TorrentLocker
• Almost exclusively distributed via sophisticated spam campaigns
○ High quality emails
○ Translated into multiple languages (Dutch, Japanese, Korean, Italian, Spanish …)
• Highly targeted geographically
• Peculiarity: Use of the victim machine’s address book to send the ransomware to other machines
• Communicates with its C&C server in HTTPS (POST requests) to make detection more difficult
CTB-Locker
• Peculiarity: Business model based on affiliations
○ Infections are conducted by 'partners' who receive in return a portion of the takings
○ Enables faster spreading of malicious code
○ Approach notably used in the past by Fake-AV
• The cyber crooks offer the option of a monthly payment to host all of the code.
• Has also been widely distributed by the Rig and Nuclear exploit kits
• As with TorrentLocker, the majority of infections have started via spam campaigns
CTB-Locker variant that attacks websites
• Same name as the ransomware that attacks Windows computers
• Written in PHP
• First attack in the UK on 12th February 2016
• Already many hundreds of sites have been attacked
• Attacks websites by encrypting all files in their repositories
• A password-protected ‘shell’ is installed on most of the affected sites, allowing attackers to connect to the server(s) via a backdoor
Angler: an all-too-well-known exploit kit
• Grown in notoriety since mid 2014
○ The payload is stored in memory and the disk file is deleted
○ Detects security products and virtual machines
○ Ability to spread many infections: banking Trojans, backdoors, rootkits, ransomware
• Easy to use
○ Doesn’t require any particular technical competence
○ Available for a few thousand USD on the Dark Web
Angler’s evolution into the dominant exploit kit
(Chart: Sep 2014, Jan 2015, May 2015)
Chain of infection for Angler exploit kits
1. The victim accesses a compromised web server through a vulnerable browser
2. The compromised web server redirects the connection to an intermediary server
3. In turn, the intermediary server redirects the connection to the attacker’s server, which hosts the destination page of the exploit kit
4. The destination page looks for vulnerable plug-ins (Java, Flash, Silverlight) and their version numbers
5. If a vulnerable browser or plug-in is detected, the exploit kit releases its payload and infects the system.
Why are these attacks so successful?
Professional attack technology
• Highly professional approach, e.g. usually provides the actual decryption key after payment of the ransom
• Skillful social engineering
• Hide malicious code in technologies that are permitted in many companies, e.g. Microsoft Office macros, JavaScript, VBScript, Flash …
Why are these attacks so successful?
Security weaknesses in the affected companies
• Inadequate backup strategy
• Updates and patches are not implemented swiftly enough
• Dangerous user rights and permissions – users have more than they need
• Lack of user security training
• Security systems are not implemented or used correctly
• Lack of IT security knowledge
• Conflicting priorities: security vs productivity concerns
Practical steps to protect against ransomware
Best practices – do this NOW!
1. Backup regularly and keep a recent backup copy off-site.
2. Don’t enable macros in document attachments received via email.
3. Be cautious about unsolicited attachments.
4. Don’t give yourself more login power than you need.
5. Consider installing the Microsoft Office viewers.
6. Patch early, patch often.
7. Configure your security products correctly.
Security solution requirements
As a minimum you should:
• Deploy anti-malware protection
• Block spam
• Use a sandboxing solution
• Block risky file extensions (JavaScript, VBScript, CHM, etc.)
• Password protect archive files
• Use URL filtering (block access to C&C servers)
• Use HTTPS filtering
• Use HIPS (host intrusion prevention service)
• Activate your client firewalls
• Use a whitelisting solution
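The “don’t enable macros in document attachments” advice from the best-practices list and the “block risky file extensions” requirement above are both enforceable at the mail gateway before a user ever sees the attachment. What follows is an added Python example, not Sophos code and not part of the original slides: a policy that blocks script extensions, opens ZIP archives (and OOXML Office files, which are ZIP containers too) to find scripts or a VBA macro project inside them, and quarantines anything it cannot inspect, such as a corrupt or password-protected archive, so that a sandbox can decide. The extension lists, the verdict names and the sample attachments are constructed for this example.

```python
"""Mail-gateway attachment policy: block risky extensions and macro-bearing Office files.

Added example, not Sophos code. Extension lists, verdict names and sample
attachments are constructed for this example.
"""
import io
import posixpath
import zipfile

# Script and executable types the gateway should not deliver (slide: JavaScript, VBScript, CHM, ...).
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".chm", ".bat", ".cmd",
                    ".exe", ".scr", ".hta", ".ps1"}
# OOXML Office formats: ZIP containers in which a VBA project is stored as */vbaProject.bin.
OFFICE_OOXML = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm"}
ARCHIVES = {".zip"}
MAX_DEPTH = 3  # stop unpacking archives nested deeper than this; quarantine instead


def _ext(name):
    return posixpath.splitext(name.lower())[1]


def check_attachment(name, data, depth=0):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'quarantine'."""
    ext = _ext(name)
    if ext in RISKY_EXTENSIONS:
        return "block", f"{name}: risky extension {ext}"
    if ext not in OFFICE_OOXML and ext not in ARCHIVES:
        return "allow", f"{name}: extension {ext or '(none)'} not covered by policy"
    if depth >= MAX_DEPTH:
        return "quarantine", f"{name}: nested deeper than {MAX_DEPTH} levels"
    try:
        container = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Corrupt, or a format that only claims to be this type: let the sandbox decide.
        return "quarantine", f"{name}: not a readable {ext} container"
    with container:
        if ext in OFFICE_OOXML:
            # The container is inspected, so renaming .docm to .docx does not hide the macro project.
            if any(posixpath.basename(m).lower() == "vbaproject.bin" for m in container.namelist()):
                return "block", f"{name}: Office document carries a VBA macro project"
            return "allow", f"{name}: Office document without macros"
        for info in container.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags: entry is encrypted
                return "quarantine", f"{name}: password-protected archive, cannot inspect {info.filename}"
            try:
                member = container.read(info)
            except RuntimeError:  # zipfile raises this for encrypted entries without a password
                return "quarantine", f"{name}: cannot read {info.filename}"
            verdict, reason = check_attachment(info.filename, member, depth + 1)
            if verdict != "allow":
                return verdict, f"{name} -> {reason}"
        return "allow", f"{name}: archive members all allowed"


def _zip_bytes(members):
    """Build an in-memory ZIP from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def sample_attachments():
    """Constructed attachments (placeholder bytes, nothing executable): name -> bytes."""
    return {
        "invoice.pdf": b"%PDF-1.4 placeholder",
        "parcel_note.js": b"// placeholder",
        "ATT00012.docm": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                     "word/document.xml": b"<w:document/>",
                                     "word/vbaProject.bin": b"placeholder"}),
        "report.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                   "word/document.xml": b"<w:document/>"}),
        "scan.zip": _zip_bytes({"scan.pdf.js": b"// placeholder"}),
        "photos.zip": _zip_bytes({"photos/2016-02.jpg": b"\xff\xd8placeholder"}),
        "broken.zip": b"this is not a zip file",
    }


def run_policy(attachments):
    """Verdict per attachment name."""
    return {name: check_attachment(name, data)[0] for name, data in attachments.items()}


if __name__ == "__main__":
    for name, data in sample_attachments().items():
        print(*check_attachment(name, data), sep=" | ")
```

The quarantine verdict is the point to notice: a password-protected archive shows its member names but not their content, so extension blocking alone cannot clear it, which is why the slide lists sandboxing next to extension blocking rather than as an alternative.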
Additional steps
• Employee awareness & training
○ Sophos IT Security Dos and Don’ts
○ Sophos Threatsaurus
• Segment the company network
○ NAC solutions ensure only known computers can access the network
○ Separate functional areas within a firewall, e.g. client and server networks
• Encrypt company data
○ It doesn’t stop the ransomware but prevents damage caused by sensitive documents getting into the wrong hands
• Use security analysis tools
○ If an infection does occur, it’s vital that the source is identified and contained ASAP.
How Sophos can help
Complete protection: Enduser and Network
(Diagram: Sophos Central with Enduser and Network products: Next-Gen Firewall/UTM, Web Security, Email Security, Wireless Security, SafeGuard Encryption, Mobile Control, Next-Gen Endpoint Protection, Server Security)
• Secure the Endpoint (PC/Mac): Next Gen Endpoint security to prevent, detect, investigate and remediate
• Secure the Mobile Device: Secure smartphones and tablets just like any other endpoint
• Secure the Servers: Protection optimized for server environments (physical or virtual): fast, effective, controlled
• Protect the Data: Simple-to-use encryption for a highly effective last line of defense against data loss
• Secure the Perimeter: Ultimate enterprise firewall performance, security, and control.
• Secure the Web: Advanced protection, control, and insights that are effective, affordable, and easy.
• Secure the Email: Email threats and phishing attacks don’t stand a chance.
• Secure the Wireless: Simple, secure Wi-Fi connection.
Security as a System
Synchronized Security: integrated, context-aware security where Enduser and Network technology share meaningful information to deliver better protection
• Security must be comprehensive: the capabilities required to fully satisfy customer need
• Security can be made simple: platform, deployment, licensing, user experience
• Security is more effective as a system: new possibilities through technology cooperation
(Diagram: Next Gen Enduser Security and Next Gen Network Security linked by the Sophos Cloud heartbeat, backed by SophosLabs)
Malicious Traffic Detection
(Diagram: Sophos System Protector components: Application Tracking, Threat Engine, Application Control, Emulator, Device Control, Web Protection, IoC Collector, Live Protection, Security Heartbeat, HIPS/Runtime Protection, Reputation, Malicious Traffic Detection. SophosLabs feeds: URL database, Malware Identities, HIPS rules, Genotypes, File look-up, Reputation, Apps, SPAM, Data Control, Peripheral Types, Anon. proxies, Patches/Vulnerabilities, Whitelist.)
Flow: Malicious traffic detected by MTD rules, then the administrator is alerted, the application is interrupted, and the compromise is reported by User | System | File.
Sophos Sandstorm
How Sophos Sandstorm works
1. If the file has known malware it’s blocked immediately. If it’s otherwise suspicious, and hasn’t been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait.
2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file will be sent to the security solution once the analysis is complete.
3. A detailed report is provided for each file analyzed.
Advanced Threat Defense Made Simple
(Diagram: Sandstorm integrates with Secure Web Gateway, Secure Email Gateway, Unified Threat Management and Next-Gen Firewall)
CryptoGuard
Anatomy of a Ransomware Attack
(Diagram: Exploit Kit or Spam with Infection; Command & Control Established; Local Files are Encrypted; Ransomware deleted, Ransom Instructions delivered)
Ransomware
• Cryptowall cost users $325M in 2015
○ 2 out of 3 infections driven by phishing attacks
○ Delivered by drive-by exploit kits
○ Hundreds of thousands of victims worldwide
• More variants – Locky and Samas
○ Now for Mac and Windows users
• Targeting bigger phish
○ $17K payment from California hospital
CryptoGuard – Say Goodbye to Ransomware
• Simple and comprehensive
• Universally prevents spontaneous encryption of data
• Simple activation in Sophos Central
CryptoGuard
1. Monitors file system activity
2. When a file is opened for write, creates a just-in-time backup of the file
3. When the file is closed, compares contents
4. When the file is no longer a document, marks it as suspicious
5. If this happens on many files (3 or more), rolls back the files from the above backup and revokes write access from the process (or client IP) that made the changes
6. All modifications are tracked per process or per client IP; so if a remote client modifies files, they are tracked, rolled back and blocked if needed
CryptoGuard
• Stops local ransomware from attacking local data
• Stops local ransomware from attacking remote data (incl. mapped or unmapped shares)
• Stops remote ransomware from attacking local data
More information
• Sophos whitepaper on how to stay protected from ransomware
https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprotectionwpna.pdf?la=en
• Sophos technical whitepaper on ransomware
https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-current-state-of-ransomware.pdf?la=en
• Naked Security – regular stories on Locky and other ransomware attacks
https://nakedsecurity.sophos.com/
• IT Security DOs and DON'Ts
https://www.sophos.com/en-us/medialibrary/PDFs/employeetraining/sophosdosanddontshandbook.pdf?la=en
• Threatsaurus
https://www.sophos.com/en-us/medialibrary/PDFs/other/sophosthreatsaurusaz.pdf?la=en
• Sophos free tools
https://www.sophos.com/fr-fr/products/free-tools.aspx
Questions?
Benelux: salesnetherlands@sophos.com
UKI: customerteam@sophos.com
Americas: nasales@sophos.com
© Sophos Ltd. All rights reserved.

Introduction Sophos Day NetherlandsIntroduction Sophos Day Netherlands
Introduction Sophos Day NetherlandsSophos Benelux
 
The EU Data Protection Regulation - what you need to know
The EU Data Protection Regulation - what you need to knowThe EU Data Protection Regulation - what you need to know
The EU Data Protection Regulation - what you need to knowSophos Benelux
 
Security: more important than ever - Sophos Day Belux 2014
Security: more important than ever - Sophos Day Belux 2014Security: more important than ever - Sophos Day Belux 2014
Security: more important than ever - Sophos Day Belux 2014Sophos Benelux
 
Securing with Sophos - Sophos Day Belux 2014
Securing with Sophos - Sophos Day Belux 2014Securing with Sophos - Sophos Day Belux 2014
Securing with Sophos - Sophos Day Belux 2014Sophos Benelux
 
Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Sophos Benelux
 

Mais de Sophos Benelux (19)

Taking the battle to Ransomware with Sophos Intercept X
Taking the battle to Ransomware with Sophos Intercept XTaking the battle to Ransomware with Sophos Intercept X
Taking the battle to Ransomware with Sophos Intercept X
 
Sophos introduces the Threat Landscape
Sophos introduces the Threat LandscapeSophos introduces the Threat Landscape
Sophos introduces the Threat Landscape
 
Sophos Security Day Belgium - The Hidden Gems of Sophos
Sophos Security Day Belgium - The Hidden Gems of SophosSophos Security Day Belgium - The Hidden Gems of Sophos
Sophos Security Day Belgium - The Hidden Gems of Sophos
 
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
 
Sophos Day Belgium - What's cooking in Sophos' Network Security Group?
Sophos Day Belgium - What's cooking in Sophos' Network Security Group?Sophos Day Belgium - What's cooking in Sophos' Network Security Group?
Sophos Day Belgium - What's cooking in Sophos' Network Security Group?
 
Discover Synchronized Security - Sophos Day Netherlands
Discover Synchronized Security - Sophos Day Netherlands Discover Synchronized Security - Sophos Day Netherlands
Discover Synchronized Security - Sophos Day Netherlands
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
SDN - a new security paradigm?
SDN - a new security paradigm?SDN - a new security paradigm?
SDN - a new security paradigm?
 
Balabit - Shell Control Box
Balabit - Shell Control BoxBalabit - Shell Control Box
Balabit - Shell Control Box
 
What's cooking at Sophos - an introduction to Synchronized Security
What's cooking at Sophos - an introduction to Synchronized SecurityWhat's cooking at Sophos - an introduction to Synchronized Security
What's cooking at Sophos - an introduction to Synchronized Security
 
Sophos Cloud - breaking the stereotypes
Sophos Cloud - breaking the stereotypesSophos Cloud - breaking the stereotypes
Sophos Cloud - breaking the stereotypes
 
Prevent million dollar fines - preparing for the EU General Data Regulation
Prevent million dollar fines - preparing for the EU General Data RegulationPrevent million dollar fines - preparing for the EU General Data Regulation
Prevent million dollar fines - preparing for the EU General Data Regulation
 
Case Study Diagnostiek voor U
Case Study Diagnostiek voor UCase Study Diagnostiek voor U
Case Study Diagnostiek voor U
 
The next generation of IT security
The next generation of IT securityThe next generation of IT security
The next generation of IT security
 
Introduction Sophos Day Netherlands
Introduction Sophos Day NetherlandsIntroduction Sophos Day Netherlands
Introduction Sophos Day Netherlands
 
The EU Data Protection Regulation - what you need to know
The EU Data Protection Regulation - what you need to knowThe EU Data Protection Regulation - what you need to know
The EU Data Protection Regulation - what you need to know
 
Security: more important than ever - Sophos Day Belux 2014
Security: more important than ever - Sophos Day Belux 2014Security: more important than ever - Sophos Day Belux 2014
Security: more important than ever - Sophos Day Belux 2014
 
Securing with Sophos - Sophos Day Belux 2014
Securing with Sophos - Sophos Day Belux 2014Securing with Sophos - Sophos Day Belux 2014
Securing with Sophos - Sophos Day Belux 2014
 
Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014Anatomy of an Attack - Sophos Day Belux 2014
Anatomy of an Attack - Sophos Day Belux 2014
 

Último

1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...PsychoTech Services
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingTeacherCyreneCayanan
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 

Último (20)

1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room service
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 

How to stay protected against ransomware

1. Ransomware today: How to protect against Locky and friends

2. What we're going to cover
• A bit of background
• Anatomy of a ransomware attack
• The latest ransomware to rear its ugly head – introducing Locky and its friends
• Why these attacks are so successful
• Practical steps to protect your organization from ransomware threats
• How Sophos can help

3. A bit of background
Ransomware is a form of malware that encrypts private information and demands payment in order to decrypt it.
History
• CryptoLocker first appeared in 2013
• New variants emerge all-too-regularly
• Current wave has roots in the early days of FakeAV
• Locky is one of the newest flavors to menace internet users
• Common ransom demands of USD 200 – 500
• Technology used changes rapidly
  ○ Office documents with macros
  ○ CHM files
  ○ JavaScript
  ○ .bat files

4. 2 main vectors of attack
• SPAM (via social engineering)
  ○ Seemingly plausible sender
  ○ Has an attachment, e.g. invoice, parcel delivery note
  ○ The attachment contains an embedded macro
  ○ When the attachment is opened, the macro downloads and then executes the ransomware payload
  ○ Used by Locky, TorrentLocker, CTB-Locker
• Exploit kits
  ○ Black market tools used to easily create attacks that exploit known or unknown (zero-day) vulnerabilities
  ○ Client-side vulnerabilities usually target the web browser
  ○ Used by CryptoWall, TeslaCrypt, CrypVault, ThreatFinder

5. Anatomy of a ransomware attack

6. Anatomy of a ransomware attack
Installation via an exploit kit or spam with an infected attachment
Once installed, the ransomware modifies the registry keys.
Contact with the command & control server of the attacker
The ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer.
Encryption of assets
Certain files are then encrypted on the local computer and on all accessible network drives with this public key. Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery.
Ransom demand
A message appears on the user's desktop, explaining how a ransom (often in the form of bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key that only the attacker's system has access to.
And gone
The ransomware then deletes itself, leaving just the encrypted files and ransom notes behind.

8. Paying ransoms
• Payment is made in Bitcoins
• Instructions are available via Tor
• The ransom increases the longer you take to pay
• On payment of the ransom, the public encryption key is provided so you can decrypt your computer files

10. Locky: the new kid on the block
• Nickname of a new strain of ransomware, so-called because it renames all your important files so that they have the extension .locky
• Ransoms vary from BTC 0.5 to BTC 1.00 (1 BTC is worth about €380/$425/£300)
• Started hitting the headlines in early 2016
• Wreaking havoc, with at least 400,000 machines affected worldwide

11. A common Locky attack
• You receive an email containing an attached document.
  ○ The document looks like gobbledegook.
  ○ The document advises you to enable macros "if the data encoding is incorrect."
  ○ The criminals want you to click on the 'Options' button at the top of the page.
• Once you click Options, Locky will start to execute on your computer.
• As soon as it is ready to ask you for the ransom, it changes your desktop wallpaper.
• The format of the demand varies, but the results are the same.

13. (image-only slide)

14. TorrentLocker
• Almost exclusively distributed via sophisticated spam campaigns
  ○ High quality emails
  ○ Translated into multiple languages (Dutch, Japanese, Korean, Italian, Spanish …)
• Highly targeted geographically
• Peculiarity: uses the victim machine's address book to send the ransomware to other machines
• Communicates with its C&C server over HTTPS (POST requests) to make detection more difficult

15. CTB-Locker
• Peculiarity: business model based on affiliations
  ○ Infections are conducted by 'partners' who receive in return a portion of the takings
  ○ Enables faster spreading of malicious code
  ○ Approach notably used in the past by Fake-AV
• The cyber crooks offer the option of a monthly payment to host all of the code
• Has also been widely distributed by the Rig and Nuclear exploit kits
• As with TorrentLocker, the majority of infections have started via spam campaigns

16. CTB-Locker variant that attacks websites
• Same name as the ransomware that attacks Windows computers
• Written in PHP
• First attack in the UK on 12th February 2016
• Already many hundreds of sites have been attacked
• Attacks websites by encrypting all files in their repositories
• A password-protected 'shell' is installed on most of the affected sites, allowing attackers to connect to the server(s) via a backdoor

17. Angler: an all-too-well-known exploit kit
• Grown in notoriety since mid 2014
  ○ The payload is stored in memory and the disk file is deleted
  ○ Detects security products and virtual machines
  ○ Ability to spread many infections: banking Trojans, backdoors, rootkits, ransomware
• Easy to use
  ○ Doesn't require any particular technical competence
  ○ Available for a few thousand USD on the Dark Web

18. Angler's evolution into the dominant exploit kit
(Chart slide; data points for Sep 2014, Jan 2015 and May 2015.)

19. Chain of infection for Angler exploit kits
1. The victim accesses a compromised web server through a vulnerable browser
2. The compromised web server redirects the connection to an intermediary server
3. In turn, the intermediary server redirects the connection to the attacker's server, which hosts the destination page of the exploit kit
4. The destination page looks for vulnerable plug-ins (Java, Flash, Silverlight) and their version numbers
5. If a vulnerable browser or plug-in is detected, the exploit kit releases its payload and infects the system

20. Why these attacks are so successful

21. Why are these attacks so successful?
Professional attack technology
• Highly professional approach, e.g. usually provides the actual decryption key after payment of the ransom
• Skillful social engineering
• Hide malicious code in technologies that are permitted in many companies, e.g. Microsoft Office macros, JavaScript, VBScript, Flash …

22. Why are these attacks so successful?
Security weaknesses in the affected companies
• Inadequate backup strategy
• Updates and patches are not implemented swiftly enough
• Dangerous user rights/permissions – more than they need
• Lack of user security training
• Security systems are not implemented or used correctly
• Lack of IT security knowledge
• Conflicting priorities: security vs. productivity concerns

23. Practical steps to protect against ransomware

24. Best practices – do this NOW!
1. Back up regularly and keep a recent backup copy off-site.
2. Don't enable macros in document attachments received via email.
3. Be cautious about unsolicited attachments.
4. Don't give yourself more login power than you need.
5. Consider installing the Microsoft Office viewers.
6. Patch early, patch often.
7. Configure your security products correctly.

25. Security solution requirements
As a minimum you should:
• Deploy anti-malware protection
• Block spam
• Use a sandboxing solution
• Block risky file extensions (JavaScript, VBScript, CHM etc.)
• Password-protected archive files
• Use URL filtering (block access to C&C servers)
• Use HTTPS filtering
• Use HIPS (host intrusion prevention system)
• Activate your client firewalls
• Use a whitelisting solution
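An added example (not Sophos code, and not from the deck) of how a mail gateway could apply three of the requirements above: block the risky extensions the slide names, look inside archives for the same, and hold password-protected archives that cannot be scanned. The extension list and the sample archives are constructed for the example; the "encrypted" marker it reads is the general-purpose flag bit 0 of the zip headers.

```python
"""Attachment policy check in the spirit of slide 25 (added example, not Sophos code).

Blocks the risky extensions the slide names (JavaScript, VBScript, CHM), the other
carriers the deck lists (.bat, macro-enabled Office files), looks inside zip archives
for the same, and flags password-protected archives a gateway cannot inspect.
The extension list and all sample data are constructed for this example."""
import io
import zipfile

RISKY_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".chm", ".bat", ".cmd",   # scripts / help files
    ".docm", ".xlsm", ".pptm",                               # macro-enabled Office
}
ARCHIVE_EXTENSIONS = {".zip"}
ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0 in local and central headers


def extension_of(name):
    """Lower-cased final extension, so 'Invoice.PDF.js' is judged by '.js'."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def evaluate_attachment(filename, data):
    """Return ('allow' | 'block', reasons) for one attachment.

    Every rule that fires is recorded, so the administrator reviewing a held
    message sees all of the grounds rather than only the first one."""
    reasons = []
    ext = extension_of(filename)
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky extension {ext}")
    if ext in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                        reasons.append(f"password-protected member {info.filename}")
                    if extension_of(info.filename) in RISKY_EXTENSIONS:
                        reasons.append(f"risky member {info.filename}")
        except zipfile.BadZipFile:
            reasons.append("unreadable archive")
    return ("block" if reasons else "allow"), reasons


def evaluate_message(attachments):
    """Evaluate (filename, bytes) pairs; one blocked attachment holds the message."""
    results = {name: evaluate_attachment(name, data) for name, data in attachments}
    held = any(verdict == "block" for verdict, _ in results.values())
    return ("block" if held else "allow"), results


def make_sample_zip(members, password_protected=False):
    """Constructed test archive. zipfile cannot write encrypted zips, so when asked
    the encrypted flag bit is patched into each local (offset 6) and central
    (offset 8) header; that bit is exactly what evaluate_attachment reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members:
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if password_protected:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                data[pos + flag_offset] |= ZIP_FLAG_ENCRYPTED
                pos = data.find(signature, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    # Constructed message: a clean PDF plus an "invoice" archive carrying a script.
    msg = [("report.pdf", b"%PDF-1.4 constructed"),
           ("invoice.zip", make_sample_zip([("invoice.pdf.js", b"/* script */")]))]
    verdict, details = evaluate_message(msg)
    print(verdict)
    for name, (v, why) in details.items():
        print(f"  {name}: {v} {why}")
```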
26. Additional steps
• Employee awareness & training
  ○ Sophos IT Security Dos and Don'ts
  ○ Sophos Threatsaurus
• Segment the company network
  ○ NAC solutions ensure only known computers can access the network
  ○ Separate functional areas with a firewall, e.g. client and server networks
• Encrypt company data
  ○ It doesn't stop the ransomware, but it prevents damage caused by sensitive documents getting into the wrong hands
• Use security analysis tools
  ○ If an infection does occur, it's vital that the source is identified and contained ASAP

28. Complete protection: Enduser and Network
Sophos Central: Enduser (Next-Gen Endpoint Protection, Mobile Control, Server Security, SafeGuard Encryption) and Network (Next-Gen Firewall/UTM, Web Security, Email Security, Wireless Security)
• Secure the Endpoint (PC/Mac): next-gen endpoint security to prevent, detect, investigate and remediate
• Secure the Mobile Device: secure smartphones and tablets just like any other endpoint
• Secure the Servers: protection optimized for server environments (physical or virtual): fast, effective, controlled
• Protect the Data: simple-to-use encryption for a highly effective last line of defense against data loss
• Secure the Perimeter: ultimate enterprise firewall performance, security, and control
• Secure the Web: advanced protection, control, and insights that are effective, affordable, and easy
• Secure the Email: email threats and phishing attacks don't stand a chance
• Secure the Wireless: simple, secure Wi-Fi connection

29. Security as a System
Synchronized Security: integrated, context-aware security where Enduser and Network technology share meaningful information to deliver better protection
• Security must be comprehensive: the capabilities required to fully satisfy customer need
• Security can be made simple: platform, deployment, licensing, user experience
• Security is more effective as a system: new possibilities through technology cooperation
(Diagram: Next Gen Enduser Security and Next Gen Network Security linked by the Sophos Cloud heartbeat, backed by SophosLabs.)

30. Malicious Traffic Detection
(Diagram slide. Sophos System Protector components: Application Tracking, Threat Engine, Application Control, Emulator, Device Control, Web Protection, IoC Collector, Live Protection, Security Heartbeat, HIPS/Runtime Protection, Reputation, Malicious Traffic Detection. SophosLabs feeds: URL database, Malware Identities, HIPS rules, Genotypes, File look-up, Reputation, Apps, SPAM, Data Control, Peripheral Types, Anon. proxies, Patches/Vulnerabilities, Whitelist, MTD rules. Flow: malicious traffic detected, application interrupted, administrator alerted, compromise recorded per User | System | File.)

31. Sophos Sandstorm
How Sophos Sandstorm works
1. If the file has known malware, it's blocked immediately. If it's otherwise suspicious and hasn't been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait.
2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file is sent to the security solution once the analysis is complete.
3. A detailed report is provided for each file analyzed.
Advanced Threat Defense Made Simple: Secure Web Gateway, Secure Email Gateway, Unified Threat Management, Next-Gen Firewall

33. Anatomy of a Ransomware Attack
Exploit kit or spam with infection → command & control established → local files are encrypted → ransomware deleted, ransom instructions delivered

34. Ransomware
• Cryptowall costs users $325M in 2015
  ○ 2 out of 3 infections driven by phishing attack
  ○ Delivered by drive-by exploit kits
  ○ 100's of thousands of victims worldwide
• More variants – Locky and Samas
  ○ Now for Mac and Windows users
• Targeting bigger phish
  ○ $17K payment from a California hospital
CryptoGuard – Say Goodbye to Ransomware
• Simple and comprehensive
• Universally prevents spontaneous encryption of data
• Simple activation in Sophos Central

35. CryptoGuard
1. Monitors file system activity
2. When a file is opened for write, creates a just-in-time backup of the file
3. When the file is closed, compares contents
4. When the file is no longer a document, marks it as suspicious
5. If this happens on many files (3 or more), rolls back the files from the above backup and revokes write access from the process (or client IP) that made the changes
6. All modifications are tracked per process or per client IP, so if a remote client modifies files, they are tracked, rolled back and blocked if needed

36. CryptoGuard
• Stops local ransomware from attacking local data
• Stops local ransomware from attacking remote data (incl. mapped or unmapped shares)
• Stops remote ransomware from attacking local data
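An added example (not Sophos code; CryptoGuard's real implementation is not on the slides) that models the six steps of slide 35 over an in-memory file system: just-in-time backup on open-for-write, comparison on close, per-actor tracking of a process id or client IP, and rollback plus revocation at the threshold of 3 files the slide gives. The "no longer a document" test is an assumption of this example: a known file signature or mostly-printable text counts as a document, a high-entropy blob without a signature counts as encrypted.

```python
"""Simplified model of the six CryptoGuard steps on slide 35 (added example, not
Sophos code). The document heuristic below is an assumption of this example;
the threshold of 3 files comes from the slide."""
import hashlib
import math
from collections import Counter

SUSPICIOUS_FILE_THRESHOLD = 3   # slide: "3 or more" files
MIN_CIPHERTEXT_LEN = 256        # entropy says little about very small files
DOCUMENT_SIGNATURES = (b"%PDF", b"PK\x03\x04", b"\xd0\xcf\x11\xe0", b"\xff\xd8\xff", b"\x89PNG")


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_document(data):
    """Assumed heuristic for step 4: a known signature, or mostly printable text."""
    if data.startswith(DOCUMENT_SIGNATURES):
        return True
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return bool(data) and printable / len(data) > 0.9


def looks_encrypted(data):
    """No signature, not text, and near-maximal entropy: the shape of ciphertext."""
    return (len(data) >= MIN_CIPHERTEXT_LEN and not looks_like_document(data)
            and shannon_entropy(data) > 7.0)


class CryptoGuardLikeMonitor:
    """Tracks writes per actor (local process id or remote client IP, step 6),
    keeps just-in-time backups (step 2) and rolls back at the threshold (step 5)."""

    def __init__(self, threshold=SUSPICIOUS_FILE_THRESHOLD):
        self.threshold = threshold
        self.files = {}        # path -> bytes: stand-in for the file system
        self.backups = {}      # (actor, path) -> bytes copied before the first write
        self.touched = {}      # actor -> set of paths it modified
        self.suspicious = {}   # actor -> set of paths that stopped being documents
        self.revoked = set()   # actors whose write access has been revoked

    def open_for_write(self, actor, path):
        """Steps 1-2: record the write and back the file up before anything changes."""
        if actor in self.revoked:
            return False
        self.backups.setdefault((actor, path), self.files.get(path, b""))
        return True

    def close(self, actor, path, new_data):
        """Steps 3-5: compare the closed file with its backup and react.
        Returns 'refused', 'allowed', 'suspicious' or 'rolled_back'."""
        if actor in self.revoked:
            return "refused"
        before = self.backups.setdefault((actor, path), self.files.get(path, b""))
        self.files[path] = new_data
        self.touched.setdefault(actor, set()).add(path)
        if not (looks_like_document(before) and looks_encrypted(new_data)):
            return "allowed"
        self.suspicious.setdefault(actor, set()).add(path)
        if len(self.suspicious[actor]) < self.threshold:
            return "suspicious"
        self._rollback_and_revoke(actor)
        return "rolled_back"

    def _rollback_and_revoke(self, actor):
        """Restore every file this actor touched from its backup, then block the actor."""
        for path in self.touched.get(actor, ()):
            self.files[path] = self.backups[(actor, path)]
        self.revoked.add(actor)


def constructed_ciphertext(length=2048, seed=b"constructed"):
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


if __name__ == "__main__":
    monitor = CryptoGuardLikeMonitor()
    for i in range(4):
        monitor.files[f"doc{i}.txt"] = b"Constructed quarterly report text. " * 10
    for i in range(4):   # a process rewriting documents as ciphertext, one by one
        monitor.open_for_write("pid-4242", f"doc{i}.txt")
        print(f"doc{i}.txt:", monitor.close("pid-4242", f"doc{i}.txt", constructed_ciphertext()))
    print("revoked actors:", monitor.revoked)
```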
37. More information
• Sophos whitepaper on how to stay protected from ransomware: https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprotectionwpna.pdf?la=en
• Sophos technical whitepaper on ransomware: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-current-state-of-ransomware.pdf?la=en
• Naked Security – regular stories on Locky and other ransomware attacks: https://nakedsecurity.sophos.com/
• IT Security DOs and DON'Ts: https://www.sophos.com/en-us/medialibrary/PDFs/employeetraining/sophosdosanddontshandbook.pdf?la=en
• Threatsaurus: https://www.sophos.com/en-us/medialibrary/PDFs/other/sophosthreatsaurusaz.pdf?la=en
• Sophos free tools: https://www.sophos.com/fr-fr/products/free-tools.aspx

39. © Sophos Ltd. All rights reserved.

Editor's notes

  1. Welcome to our Session about Ransomware. I you have questions please type in the chat windows. Then we can gather the questions an answer them at the end or come back to you with the answers.
  2. What are we going to cover today. a little bit of background of the Ransomware How most ransomware attacks works. Some types of ransomware Locky and friends. Why the attacks work Some things you can do to protect yourself and minimized the risk. And last but not least, How can we, Sophos can help you.
  3. First of all, at bit of background on the Ransomeware As all of you know Ransomware is malware that encrypts your files and hold them Ransoms until you pay money to the bad guys to get to the key to decrypt the files. It started in 2013 with CryptoLocker. A lot of new types emerges. One of the latest ones out there is Locky. The ransom the bad guys ask is around 1 bitcoin. A bitcoin is about 380 euros or 430 USD about 300 pounds. What we’’ve seen is that the technology is changing. now it comes in office docs using macros CHM files Compiled HTML files. Javascript and bacht files. The are finding new ways to infect the target PC.
  4. We are seeing 2 main ways of attacks. Spam and Exploit kits. Spam : Seems to be from a plausible sender The emails are getting more sophisticated. The look very real. The attachments contain embedded macro Exploit Kits: Available in the black market You can easily create an attack that uses known or unknown vulnerabilities. They usually target the Webbrowser.
  5. When we look at Ransom ware attacks, we see the following pattern. Step 1 the Ransomware needs to be installed on the target computer. Usualy this is done through and Expoit kit or through a Spam campain. Once installed it’s going to change some registry key on the target. Step 2 When the Ransomware is active on the target, It’s going to connect to a command and control server and sends information about the infected computer and downloads a publickey for this computer. Step 3 Now the Ransomware has the public key is going to Encrypt files on the local computer including the networks drives that are accessible from this computer. Often the shadow copies on the Windows machine are deleted to prevent you to recover the encrypted files. Step 4 When the Ransomware has finished messing with your files it will show the ransom note, with the instructions how to pay the Ransom, often this is in Bitoins. Step 5 After the Ransom note is shown the Ransomware will delete itself and leaves you with the ransom note and the encrypted files.
  6. Here are some examples of the Ransom notes used. 1 bitcoin 1 Bitcoin equals 376.30 Euro 1 Bitcoin equals 427.59 US Dollar Second note. It’s 500 USD but this is only valid for 167h 58m and 54s After the key will cost you twice as much.
  7. The payment is normally done in Bitcoins The instructions on how to pay are availabe via Tor. They even have an FAQ and support. In this case you are seeing a countdown clock. If you do not pay before the countdown end the price to decrypt your file will be twice as much. If you deside to pay, which we are not recommending you to do. You will hopefully get the key to decrypt your files.
  8. Now we are going to look at some of the common Ransomware that’s around.
  9. One of the latest ones is Locky, named after the .locky extension it adds to the files it encrypts. Ransoms are usually around 1 bitcoin, which is around 380 euro, 425 dollar or 300 pounds. Locky surfaced a couple of months ago, in early 2016.
  10. A common Locky infection: the user receives an email with a document. When they open the document they see a lot of characters that don't make sense. The bad guys want you to enable macros, because the macro needs to be executed for the infection to proceed. When the ransomware is finished it will change your wallpaper and replace it with the ransom note.
  11. Here is an example of such a document. They want you to enable macros. Don't do it.
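As an added example (not from the presentation and not Sophos code), one check a mail gateway or an analyst can run on an attachment like the one above: inspect an Office Open XML package for a VBA project instead of trusting the filename shown in the email. Function names and the sample packages are constructed for the example; legacy binary .doc files (OLE2 containers) need a separate parser and are outside this snippet.

```python
import io
import zipfile

# Where OOXML packages keep VBA code (Word, Excel, PowerPoint) and the content
# type the package manifest declares for it. Both come from the OOXML package
# layout; the sample packages built below are constructed, not real documents.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def attachment_has_macros(data: bytes) -> bool:
    """True if an OOXML attachment carries a VBA project, judged by the package
    contents rather than by the file extension in the email."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = set(pkg.namelist())
            if names & MACRO_PARTS:
                return True
            if "[Content_Types].xml" in names:   # manifest may declare VBA under another part name
                return MACRO_CONTENT_TYPE in pkg.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        pass   # not an OOXML package (legacy .doc, PDF, plain text, ...): needs a different check
    return False


def build_sample(with_macro: bool) -> bytes:
    """Build a minimal in-memory OOXML package; with_macro adds a stub VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        override = ('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
                    % MACRO_CONTENT_TYPE) if with_macro else ""
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + override + "</Types>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            pkg.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub")   # constructed stand-in
    return buf.getvalue()


def triage(attachments):
    """Gateway-style decision for a list of (filename, bytes): hold anything carrying macros."""
    return {name: ("quarantine" if attachment_has_macros(blob) else "deliver")
            for name, blob in attachments}


if __name__ == "__main__":
    print(triage([("invoice.docx", build_sample(False)), ("invoice.docm", build_sample(True))]))
```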
  12. Here are the different ransom notes and also the amount you need to pay.
  13. TorrentLocker spreads through spam campaigns: high-quality mails, in different languages. It uses the victim's address book to spread the ransomware to other machines. It communicates with the command and control server using HTTPS, which makes that traffic more difficult to detect.
  14. The authors of CTB-Locker use an affiliate program to drive infections, outsourcing the infection process to a network of affiliates or partners in exchange for a cut of the profits. They also offer a hosted option where the operator pays a monthly fee and the authors host all the code. It has been spread by the Rig and Nuclear exploit kits, but most infections came through spam campaigns. They also have ransom notes in different languages.
  15. CTB-Locker: same name as the previous one, but this one attacks websites by encrypting files in their repositories. On most sites they install a password-protected shell to get to the servers via a backdoor.
  16. One of the well-known exploit kits is Angler. It is used to spread many infections. The payload is stored in memory and the local file is deleted. It is easy to use and you can buy it on the dark web for a few thousand dollars. In the picture you see the revenue.
  17. Angler has gained market share over the last few years. If we look at 2014 it had around 23%; half a year later, in January 2015, it was around 39%; a couple of months after that it increased to over 82%. Just last Sunday, according to the Fox-IT Security Operations Center, at least 288 websites were affected, and it is believed that a compromised ad network was responsible for so many sites being affected simultaneously. A lot of the popular news sites in the Netherlands were hit: nu.nl, marktplaats.nl, sbs6.nl, rtlnieuws.nl, rtlz.nl, startpagina.nl, buienradar.nl. Angler was used in this case.
  18. They act like a normal company: they have FAQs and support, and usually provide the decryption key after the payment. They use social engineering and hide the code in programs or documents that many companies use every day, like macros and JavaScript.
  19. Backup regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights.
Consider installing the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn’t support macros at all, so you can’t enable macros by mistake!
Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.
Configure your security products correctly. To work effectively they need to be configured correctly. Sophos customers should check out the ‘How to stay protected against ransomware’ whitepaper, which includes, amongst other good advice, optimal configuration settings for Sophos solutions.
  20. Employee awareness/training. In addition to the immediate measures described above, it's important that all employees receive regular IT security training. The success of these measures should also be checked regularly. Sophos provides a number of free tools to help educate employees on security threats, including IT Security DOs and DON'Ts and the Threatsaurus.
Segmentation of the company network. Security measures at the gateway are rendered useless if a computer that is introduced to the network without authorization (a private notebook, a computer belonging to a service provider, a company notebook with outdated virus protection) is allowed to bypass them. Network Access Control (NAC) solutions, for example, can help against the threat of an unauthorized device in the network by only allowing known computers onto the network. In general, the principle that each system only has access to those resources that are necessary to fulfill its tasks should also apply to the network design. In the network, this means that you separate functional areas with a firewall, e.g. the client and server networks, so that the relevant target systems and services can only be reached when this is really necessary. The backup servers, for example, can then only be reached from the workstations via the port required by the backup solution, not via Windows file system access. You should also consider applying a client firewall to workstations and servers, because there is usually no reason for workstations or servers to communicate with each other unless it relates to known services. This method can also help to prevent waves of infection within a network.
Encrypting company data. Suitable encryption of company documents can help to prevent malware from obtaining unencrypted access to confidential documents. This prevents damage caused by the outflow of business-relevant documents.
Use security-analysis tools. Even if you implement all of the above measures, you can never guarantee with 100% certainty that security incidents or infections of company computers will be prevented in the future. However, if an incident does occur, it is vital that the source of the infection and any potential effects on other company systems are identified and contained as quickly as possible. This can drastically reduce the time and effort required to identify and correct the affected systems and restore the IT infrastructure. In addition, by identifying the source and the method of infection, potential weaknesses in the security concept can be highlighted and eliminated.
  21. We have a complete security portfolio, protecting end users as well as the network.
  22. We offer security as a system. With our Synchronized Security we integrate our different solutions and share information between our products, so that we are able to act immediately on what is happening in the network. One of the first integrations is between our XG Firewall and our Cloud Endpoint, using our Security Heartbeat. We bring the endpoint and the firewall together and exchange information that can be used to proactively block threats.
  23. Malicious Traffic Detection. Here we have an infected device that is trying to communicate with a command and control server. This is detected by Malicious Traffic Detection (MTD) on the client. The administrator is alerted and gets the information on the user, the system and the file that is responsible for the threat. The application is automatically blocked.
  24. Another feature you can use is Sophos Sandstorm. Sophos Sandstorm is cloud-based sandboxing. The feature is available with our Web and Email Appliances and with Sophos UTM v9.4. How does it work? If we have a suspicious file, we create a hash and check that hash with Sandstorm. If we have seen the file before, we already know whether the file is good or bad: a bad file is blocked immediately, and if it is good, the user receives the file. If it is a new file, the file is sent to the sandbox and detonated. Its behaviour is then monitored, and the decision, allow or block, is sent back. There is also a detailed report for each file that is analyzed.
  25. This is part of our Project Spectrum. Spectrum will integrate the techniques of Hitman Pro, which we acquired late last year.
  26. To recap, this is basically the way ransomware operates. It needs to be delivered, using an exploit kit or a spam infection. Then it connects to a command and control server. Local files get encrypted. The ransomware is deleted and the instructions for paying the ransom are shown.
  27. CryptoGuard is the anti-ransomware component and it works independently to provide another layer of defense against your data being held hostage by the Locky/CryptoWall type of malware. It’s a driver in the file filter stack that monitors the behavior of the applications and processes that access your documents. If it detects that an application is encrypting a number of files, it will automatically isolate that process from the file system so that it cannot do any more damage, AND it will roll back any files that have been impacted to their prior state.
  28. Lightweight and effective, CryptoGuard provides another layer of defense for your endpoints and data. It: a. stops local ransomware from attacking local data; b. stops local ransomware from attacking remote data (incl. mapped or unmapped shares); c. stops remote ransomware from attacking local data. Since most ransomware injects into or runs from legitimate trusted processes, or even consists of or only uses trusted binaries, CryptoGuard is not shy about revoking write access from legitimate/trusted processes (or client IPs).
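As an added illustration of the behaviour described for CryptoGuard on slides 27 and 28 (this is not Sophos code and not how CryptoGuard is actually implemented), here is a toy model of a file filter that keeps a copy of a file's old contents when a writer replaces it with ciphertext-like data, revokes that writer's access once it has done so to several files, and rolls the files back. The entropy test, the thresholds, the `FileFilter` class and the scenario data are all constructed assumptions; the writer key can be a local process or, for writes arriving over a share, a client IP.

```python
import math
from collections import defaultdict

# Constructed tunables for this toy model, not Sophos's real thresholds.
HIGH_ENTROPY = 7.0      # bits per byte; plain documents score ~4-5, ciphertext near 8.0
MAX_SUSPECT_FILES = 5   # distinct files rewritten with ciphertext before we act
WINDOW_SECONDS = 10.0   # look-back window for counting suspicious rewrites

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0

class FileFilter:
    """Toy file-filter driver; `actor` is a local PID or, for share writes, a client IP."""

    def __init__(self):
        self.disk = {}                      # path -> current contents
        self.saved = {}                     # (actor, path) -> contents before the suspicious rewrite
        self.suspects = defaultdict(list)   # actor -> [(time, path), ...] inside the window
        self.blocked = set()

    def write(self, t: float, actor, path: str, data: bytes) -> str:
        if actor in self.blocked:
            return "denied"
        prev = self.disk.get(path)
        # A readable file being replaced by high-entropy bytes looks like in-place encryption.
        if prev is not None and shannon_entropy(prev) < HIGH_ENTROPY <= shannon_entropy(data):
            self.saved.setdefault((actor, path), prev)   # keep the pre-write copy for rollback
            self.suspects[actor] = [e for e in self.suspects[actor] if t - e[0] <= WINDOW_SECONDS] + [(t, path)]
            if len({p for _, p in self.suspects[actor]}) >= MAX_SUSPECT_FILES:
                return self.isolate(actor)               # this write is refused, not applied
        self.disk[path] = data
        return "allowed"

    def isolate(self, actor) -> str:
        # Revoke the actor's write access and roll back every file it rewrote.
        self.blocked.add(actor)
        for (a, path), original in self.saved.items():
            if a == actor:
                self.disk[path] = original
        return "isolated"

def simulate():
    # Constructed scenario: a legitimate app (pid 7) creates six documents, then pid 42 rewrites them.
    f = FileFilter()
    plain = b"Quarterly report: revenue up, costs flat, headcount unchanged. " * 8
    cipher = bytes(range(256)) * 3          # stands in for ciphertext (entropy 8.0)
    paths = ["C:/docs/report%d.docx" % i for i in range(6)]
    for p in paths:
        f.write(0.0, 7, p, plain)
    verdicts = [f.write(1.0 + i, 42, p, cipher) for i, p in enumerate(paths)]
    return verdicts, sum(1 for p in paths if f.disk[p] == plain)
```

The fifth ciphertext write trips the threshold: the writer is isolated, its previous four rewrites are rolled back, and the sixth write is denied, so all six documents end up intact.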