Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Author: Aaron ND Sawmadal, MSc. Digital Forensics
Contents
Introduction
How Does CryptoLocker Infect a Machine on a Network
The Best Approach in Defending Against CryptoLocker in Corporate Network Resources
Machines and/or Software Resources that can Help Defend the Network
How to Eliminate CryptoLocker and the Strategy of Mitigation in a Post Incident Review
Conclusion
References
Introduction
The threat of CryptoLocker (ransomware) is real, and this malware is frequently used by malicious individuals to extort money from users, both private individuals and government agencies. If a user's system is infected and the user refuses to pay the ransom, they will lose the files on the affected system and on other devices connected to the same network. Unfortunately, the threat is increasing exponentially: '1 in 30 have been hit by CryptoLocker and 40% pay the ransom', with 2014 recorded as the worst year for CryptoLocker attacks (from https://nakedsecurity.sophos.com/2014/03/07/1-in-30-have-been-hit-by-cryptolocker-and-40-pay-the-ransom-says-study/).
How Does CryptoLocker Infect a Machine on a Network
CryptoLocker is malicious encryption software, delivered as a Trojan, that scrambles (encrypts) all the files and folders it can reach on a computer network. The Trojan takes hold of the file systems on the network resources and redirects the victim to a payment system. This extortion method is referred to as ransomware. The victim's network resources or devices are then under the control of the malicious code.
CryptoLocker installs itself by tricking the end user into installing or executing its code. Once the code has been executed on the user's system (from My Documents, the Desktop, the Downloads folder, etc.), it adds randomly generated names to the Windows registry and generates random-looking server names under the .biz, .co.uk, .com, .info, .net, .org.au and .ru top-level domains (Destructive malware "CryptoLocker" on the loose – here's what to do, https://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/).
CryptoLocker then uses those randomly generated server names to make connections to the intruder's server(s); once one of them responds successfully, the malware uploads a small file called the "CryptoLocker ID". On receiving the ID, the server generates a public-private key pair unique to that CryptoLocker ID and sends the public key part back to the user's device.
Once the public key has been received on the user's device, the Trojan uses it to encrypt every file it finds that matches its list of targeted extensions. Below are the file extensions targeted on the victim's device.
From https://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/
Additionally, the malware searches for and encrypts all files and folders it can access on the victim's device or network. Unfortunately, if the victim's device is in a workgroup or domain environment, the malware will also encrypt all network resources holding files with the same extensions.
In most instances the malware then redirects the victim to a payment option, giving the victim a time frame to pay the ransom or else lose all the data on the device.
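As an added example (not part of the original paper), a small Python heuristic a defender could run over DNS query logs to surface the random-looking server names described above, restricted to the TLDs the paper lists. The log format and the sample lines are constructed; the entropy and vowel thresholds are assumptions and will need tuning against real traffic.

```python
import math
from collections import Counter

# TLDs the paper lists as hosting CryptoLocker's random-looking server names
WATCHED_TLDS = (".biz", ".co.uk", ".com", ".info", ".net", ".org.au", ".ru")

# Constructed sample DNS query log (hypothetical format: "<time> <client_ip> <queried_name>")
SAMPLE_DNS_LOG = """\
2014-03-07T09:12:01 10.0.0.21 update.microsoft.com
2014-03-07T09:12:03 10.0.0.21 qwlkxjhruvtmaqze.biz
2014-03-07T09:12:04 10.0.0.21 ptkxdrbwnzqpvlmc.co.uk
2014-03-07T09:12:06 10.0.0.21 nakedsecurity.sophos.com
2014-03-07T09:12:07 10.0.0.21 hvjzxqwtpdlbmkrn.ru
2014-03-07T09:12:09 10.0.0.33 intranet.example.org.au
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random letter strings score near log2(26)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registrable_label(qname: str):
    """Split 'label.tld' for a watched TLD; return (label, tld) or None."""
    qname = qname.lower().rstrip(".")
    for tld in sorted(WATCHED_TLDS, key=len, reverse=True):  # longest suffix first
        if qname.endswith(tld):
            return qname[: -len(tld)].split(".")[-1], tld
    return None

def looks_generated(label: str) -> bool:
    """Heuristic for random-looking labels: long, alphabetic, high entropy, vowel-poor."""
    if len(label) < 12 or not label.isalpha():
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.5 and vowel_ratio < 0.25

def flag_dga_queries(log_text: str):
    """Return (client_ip, queried_name) for every query whose label looks generated."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _time, client, qname = parts
        split = registrable_label(qname)
        if split and looks_generated(split[0]):
            hits.append((client, qname))
    return hits

if __name__ == "__main__":
    for client, qname in flag_dga_queries(SAMPLE_DNS_LOG):
        print(f"suspect generated-domain lookup from {client}: {qname}")
```

A single hit is only a lead; the useful signal is one client querying many such names in quick succession, which is what the paper's description of repeated connection attempts would produce.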
The Best Approach in Defending Against CryptoLocker in Corporate Network Resources
The first and foremost strategy for defending any network has been clearly stipulated by the Australian Signals Directorate (www.asd.gov.au).
i. The first principle states: do not allow end users to execute code. This can be implemented by application whitelisting, which prevents end users from installing any applications with extensions such as .dll, .exe and .msi.
ii. User or administrator whitelisting: specify administrator users by level of privilege; not all administrators should have rights to install programs on all workstations and servers.
iii. Implementation of AppLocker policy: this relies on the Application Identity service, first introduced in Windows Server 2008. The policy can be deployed to all Windows 7/8/10 workstations. Within the AppLocker policy, every extension end users should not install must be explicitly denied; also implement a deny policy for any unknown extensions, and configure the policy to send alert emails to the administrator for any unknown application or extension, with the details of the host: the hostname, IP address, the user logged in to the host, and the date and time the unknown application was detected.
iv. For devices running Windows XP and Vista, implement Group Policy to block executables and payload packages. Apply the policy to the paths %appdata%\*.exe, %appdata%\*\*.exe, %localappdata%\*.exe and %localappdata%\*\*.exe. Implement it via Group Policy within a domain environment, or add the policy to the standard operating environment (SOE) image for all devices.
v. Install software through versioning and a review board: any new software to be introduced into the network must go through a review and approval process.
vi. Remove domain users from the Administrators group (Computer Management >> Groups >> Administrators).
vii. Ensure all default Administrator and Guest accounts are disabled in both workgroup and domain environments.
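As an added example (not the paper's own material), a Python model of how the four path rules from item iv decide which image paths they cover, assuming a Windows 7 profile layout and constructed sample paths. The wildcard semantics modelled here (a "*" matches one path segment only) mean executables three or more folders below %appdata% or %localappdata% fall outside these four rules, which is worth checking before relying on them.

```python
import re

# The four path rules quoted in item iv above (SRP-style, %VAR% expanded per user)
BLOCK_RULES = [
    r"%appdata%\*.exe",
    r"%appdata%\*\*.exe",
    r"%localappdata%\*.exe",
    r"%localappdata%\*\*.exe",
]

# Constructed profile variables for one user (assumed Windows 7 profile layout)
ENV = {
    "appdata": r"C:\Users\alice\AppData\Roaming",
    "localappdata": r"C:\Users\alice\AppData\Local",
}

def expand(rule: str, env: dict) -> str:
    """Replace %name% tokens with the user's profile paths."""
    return re.sub(r"%([^%]+)%", lambda m: env[m.group(1).lower()], rule)

def rule_to_regex(rule: str, env: dict) -> "re.Pattern":
    """Turn an expanded rule into a regex where '*' matches a single path
    segment only (any run of characters without a backslash), case-insensitively."""
    body = "".join(r"[^\\]*" if ch == "*" else re.escape(ch) for ch in expand(rule, env))
    return re.compile(r"\A" + body + r"\Z", re.IGNORECASE)

def is_blocked(path: str, rules=BLOCK_RULES, env=ENV) -> bool:
    """True if any rule would stop this image path from launching."""
    return any(rule_to_regex(r, env).search(path) for r in rules)

# Constructed process-creation events (image paths) to evaluate
EVENTS = [
    r"C:\Users\alice\AppData\Roaming\qwlkxjhruvtmaqze.exe",     # dropped directly in %appdata%
    r"C:\Users\alice\AppData\Local\Temp\setup.exe",              # two levels under %localappdata%
    r"C:\Users\alice\AppData\Local\Vendor\App\Bin\app.exe",      # three levels deep: outside these rules
    r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",   # outside the profile entirely
]

def evaluate(events=EVENTS) -> dict:
    """Map each image path to whether the rule set blocks it."""
    return {p: is_blocked(p) for p in events}

if __name__ == "__main__":
    for path, blocked in evaluate().items():
        print(("BLOCKED " if blocked else "allowed ") + path)
```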
Machines and/or Software Resources that can Help Defend the Network
i. In a Windows environment, install the Enhanced Mitigation Experience Toolkit (EMET). This utility helps prevent vulnerabilities in software from being exploited (https://support.microsoft.com/en-au/kb/2458544). EMET supports Windows Vista Service Pack 1 and Service Pack 2 up to Windows 10.
ii. Install intrusion detection and prevention software such as Sophos or Microsoft Endpoint Protection, among others.
iii. A firewall with intrusion detection/prevention (IDS/IPS): this tracks the stateful connections of all applications and users on the network and checks them against known databases to determine whether an application is free of malicious code. The firewall mitigates transmission of the malware into the network.
How to Eliminate CryptoLocker and the Strategy of Mitigation in a Post Incident Review
The threat to network resources is real and should never be underestimated. There is no such thing as a small threat; every threat can have a significant impact if adequate action is not taken. For this reason the Australian Information Security Advice Cyber Security Operations Centre highly recommends 'application whitelisting, patching of applications and operating systems, updated versions of the software in deployment, and minimising administrative privileges' (from http://asd.gov.au/publications/protect/top_4_mitigations.htm).
Other technical mitigation strategies include, but are not limited to, logging, file tracing and auditing, and a backup/restore server.
In the event that a worst-case CryptoLocker infection is observed, the host responsible for spreading the infection should be physically isolated from the network, and it should be confirmed that a restore from backup is available. However, it is important to know that if there are no backups, the response to the intruder's request should not be delayed.
Another, non-technical strategy is to create effective user awareness training and a security policy. From a security perspective it is important to articulate in a document whether, in the event of a CryptoLocker breach, the ransom should be paid or not. The security lead must get approval from executive management, and every incident must be dealt with on a case-by-case basis.
Conclusion
In this day and age the best protection any security expert can adopt is a defence-in-depth security policy which encompasses all the security protection and mitigation strategies. This should be adopted at all levels, because legacy (antivirus and anti-spyware) mitigation strategies cannot stop the current threat of CryptoLocker. Ransomware will continue to grow because it is a lucrative market. The bad guys always require users to execute their code; with effective security strategies one can detect them beforehand.
Security experts should implement logging, file tracing, auditing, patching rules and a backup/restore server. With these in place, do not give the bad guys loopholes to infiltrate the network. Restricting user privileges and implementing AppLocker policies will help mitigate many of the emerging CryptoLocker variants.
References
How CryptoLocker works and how it can be mitigated; https://nakedsecurity.sophos.com/2013/10/18/cryptolocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/
Destructive malware "CryptoLocker" on the loose – here's what to do; https://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/
Cryptolocker Mitigation Strategies Explained; http://www.windowsecurity.com/articles-tutorials/misc_network_security/cryptolocker-mitigation-strategies-explained.html
Enhanced Mitigation Experience Toolkit (EMET); https://support.microsoft.com/en-au/kb/2458544
How to prevent user to install software on Windows 10; https://www.youtube.com/watch?v=N5GoNzgkm14m
Top 4 Mitigation Strategies to Protect Your ICT System; http://asd.gov.au/publications/protect/top_4_mitigations.htm
Cryptolocker virus: Australians forced to pay as latest encryption virus is 'unbreakable', security expert says; http://www.abc.net.au/news/2015-08-09/australians-paying-thousands-after-ransomware-virus-infection/6683618