avecto.com
Whitepaper
Know your threats series: Ransomware uncovered
Contents
Introduction
What ransomware is and how it behaves
A typical ransomware attack chain
A brief history of ransomware
The current state of play
Who are the victims and where are they from?
Hottest targets in business
Ransomware hits the headlines
Ransomware stats
What lies ahead? The experts have their say
What can you do to protect yourself?
How Defendpoint can help
Defense in depth – reduce the attack surface
About Avecto
Introduction
Ransomware has generated plenty of headlines in the last few years, and for good reason: organizations as well as individuals have found themselves falling victim, and it is now thought to be the most profitable type of malware in history.[1] The story of ransomware goes as far back as 1989, but only in more recent years has it really emerged as the malware of choice for cyber criminals.
But why the surge in popularity? The emergence of the dark web and of cryptocurrencies such as Bitcoin has played a huge part, as they make it easier for criminals to achieve the profit they desire while retaining anonymity.
Ransomware also requires less effort to set up and distribute than other forms of malware, with free ransomware kits available online to aid those wanting to get up and running as quickly as possible.
This ease of set-up and potential to make money, while proving almost impossible to trace, explains ransomware's appeal. But what exactly is it, and how do attackers make their money?
1 https://www.cisco.com/c/dam/assets/offers/pdfs/midyear-security-report-2016.pdf
What ransomware is and how it behaves
"Ransomware is more about manipulating vulnerabilities in human psychology than the adversary's technological sophistication. [It is] unique among cybercrime because in order for the attack to be successful, it requires the victim to become a willing accomplice after the fact."
James Scott, senior fellow at the Institute for Critical Infrastructure Technology
Ransomware is a type of malicious software that installs covertly, gives cyber criminals control of a computer, and demands a sum of money in return for restoring access to the files it has encrypted. Often a short time limit (such as 96 hours) for payment is imposed, with the added threat that failing to pay within this time will see the files permanently encrypted or destroyed.
Usually ransomware arrives as a phishing attack via an email attachment (although it can also be planted on websites as a "drive-by download"). Often it takes the form of an executable file, document or archive, with many attachments posing as an invoice or similar in an attempt to entice the recipient to open it.
The malware runs when the attachment is opened. This can be a process as simple as the user opening a seemingly harmless Word document and enabling macros. Users typically only know they've been infected once their data has been encrypted or stolen and they're hit with the ransom demand to pay to regain access.
In this report, we'll take a closer look at what lies ahead, with predictions from a range of cyber security experts to help you better understand ransomware and the steps you can take to defeat it.
A typical ransomware attack chain
[Figure: A typical ransomware attack chain. A phishing email carries an "urgent invoice" attachment; a script runs when it is opened; the script fetches the payload from the Internet; the payload encrypts and erases data, persists on the machine, and presents the ransom demand ($).]
"One reason that ransomware is so effective is that the cybersecurity field is not entirely prepared for its resurgence. Attacks are more successful when effective countermeasures are not in place."
The Institute for Critical Infrastructure Technology Ransomware Report
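Each stage of the chain in the figure leaves a trace in host telemetry, which is where a defender can see it before the ransom note appears. The Python script below is an added example, not code from this whitepaper or from Avecto: it runs simple detection rules over a constructed set of endpoint events (process starts, a network connection, file writes and renames, and a registry write, all made up for this example, including the RFC 5737 test address 198.51.100.7) and reports which stages of the chain it can see. The event format, the process-name and extension lists, the user-writable path markers and the rename threshold are assumptions chosen for illustration, not a product rule set.

```python
import os
from collections import defaultdict

# Stand-ins for each stage of the chain; these lists are assumptions for the example.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt"}
PAYLOAD_EXTS = (".exe", ".dll", ".scr")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
RENAME_THRESHOLD = 8   # document renames with an extension change ...
RENAME_WINDOW = 60     # ... inside this many seconds are treated as mass encryption
CHAIN_ORDER = ("script", "download", "payload", "encrypt", "persist")


def make_sample_events():
    """Constructed endpoint telemetry modelled on the chain in the figure (not real
    logs). Each event is (time_s, kind, pid, ppid, image, detail)."""
    ev = [
        (0,  "process",    100, 1,   "explorer.exe",   ""),
        (4,  "process",    500, 100, "cmd.exe",        ""),                  # benign: admin shell
        (5,  "process",    200, 100, "winword.exe",    "Urgent_Invoice.docm"),
        (6,  "process",    600, 500, "powershell.exe", ""),                  # benign: shell -> powershell
        (7,  "file_write", 200, 100, "winword.exe",    "C:\\Users\\alice\\Documents\\notes.docx"),
        (9,  "process",    300, 200, "powershell.exe", ""),                  # macro -> script host
        (10, "network",    300, 200, "powershell.exe", "198.51.100.7:443"),  # RFC 5737 test address
        (11, "file_write", 300, 200, "powershell.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"),
        (12, "process",    400, 300, "upd.exe",        "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"),
    ]
    for i in range(12):  # encrypt stage: documents rewritten under a new extension
        doc = f"C:\\Users\\alice\\Documents\\report{i}.docx"
        ev.append((13 + i, "file_rename", 400, 300, "upd.exe", f"{doc} -> {doc}.locked"))
    ev.append((26, "registry", 400, 300, "upd.exe",
               "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"))  # persist stage
    return sorted(ev, key=lambda e: e[0])


def analyze(events):
    """Walk the telemetry once and return {stage: evidence} for each chain stage seen."""
    image_of = {}                  # pid -> image name, for parent lookups
    suspicious = set()             # pids descended from an Office-spawned script host
    renames = defaultdict(list)    # pid -> times of document renames with a new extension
    findings = {}
    for t, kind, pid, ppid, image, detail in events:
        d = detail.lower()
        if kind == "process":
            image_of[pid] = image
            parent = image_of.get(ppid, "")
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                suspicious.add(pid)
                findings["script"] = f"{parent} (pid {ppid}) spawned {image} (pid {pid})"
            elif ppid in suspicious:
                suspicious.add(pid)   # children of a flagged process inherit suspicion
                if d.endswith(PAYLOAD_EXTS) and any(m in d for m in USER_WRITABLE):
                    findings["payload"] = f"{image} (pid {pid}) launched from {detail}"
        elif kind == "network" and pid in suspicious:
            findings.setdefault("download", f"{image} (pid {pid}) connected to {detail}")
        elif kind == "file_rename":
            # Stand-alone rule: a burst of documents changing extension, whatever the parent.
            old, _, new = detail.partition(" -> ")
            old_ext, new_ext = os.path.splitext(old)[1].lower(), os.path.splitext(new)[1].lower()
            if old_ext in DOCUMENT_EXTS and new_ext not in DOCUMENT_EXTS:
                renames[pid].append(t)
                recent = [x for x in renames[pid] if t - x <= RENAME_WINDOW]
                if len(recent) >= RENAME_THRESHOLD:
                    findings["encrypt"] = (f"{image} (pid {pid}) renamed {len(recent)} documents "
                                           f"to {new_ext} within {RENAME_WINDOW}s")
        elif kind == "registry" and pid in suspicious and "\\currentversion\\run" in d:
            findings["persist"] = f"{image} (pid {pid}) wrote Run key {detail}"
    return findings


def stages_seen(findings):
    """Stage names present, in attack-chain order, for a one-line verdict."""
    return [s for s in CHAIN_ORDER if s in findings]


if __name__ == "__main__":
    found = analyze(make_sample_events())
    print("stages seen:", " -> ".join(stages_seen(found)))
    for stage, evidence in found.items():
        print(f"  {stage:8s} {evidence}")
```

The parent-child rule (an Office application starting a script host) is what ties the later stages together; the benign cmd.exe-to-powershell.exe pair in the sample data is deliberately ignored because no Office parent is involved. The rename-burst rule is kept independent of that context so it still fires when the payload arrives some other way, which also makes it the rule most in need of tuning: a backup or archiving job that renames many documents will trip it unless the threshold and the document-extension list are adjusted for the environment.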
A brief history of ransomware
1989: First instance: AIDS/PC Cyborg
2005: Extortion ransomware appears
2006: First wave of modern ransomware – the Archiveus Trojan uses RSA encryption
2012: Reveton instructs users to pay a fine, claiming the user's machine has downloaded copyright material or accessed child pornography
2013: Cryptolocker (the first cryptographic malware) is released
Fact: By August 2014 Cryptolocker claimed more than half a million victims
February 2014: CryptoDefense released using Tor and Bitcoin
April 2014: CryptoWall exploits a Java vulnerability. Places malicious adverts on domains belonging to Disney, Facebook, The Guardian newspaper and others
August 2014: Symantec reports a 700% year-on-year increase in crypto-ransomware
February 2016: Locky hides ransomware in infected Word files
March 2016: MedStar Hospital Chain hit with $18,500 demand
April 2016: FBI estimates ransomware on course to become a billion dollar industry by the end of the year
Fact: The Hollywood Presbyterian Medical Center decided to pay a $17,000 ransomware demand after being hit by Locky
Sources:
http://www.trendmicro.com.ph/vinfo/ph/security/news/cybercrime-and-digital-threats/by-the-numbers-ransomware-rising
http://blog.trendmicro.com/ransomware-one-of-the-biggest-threats-in-2016/
https://blog.knowbe4.com/a-short-history-evolution-of-ransomware
The current state of play
Ransomware is a hot topic for a reason. Since the start of 2016 an average of 4,000 ransomware attacks have occurred each day, a 300% increase on the 1,000 daily attacks seen in 2015.[2]
"Ransomware and crypto malware are rising at an alarming rate and show no signs of stopping."
Raj Samani, European technology head for Intel Security
According to recent research, 93% of phishing emails sent in the first three months of 2016 contained ransomware. That's a 789% year-on-year increase.[3]
Attackers are asking for more money too, with the average ransom demand now $679, up from $294 at the end of last year.[4]
The FBI suggests that in the first three months of 2016 alone, ransomware attacks generated $209 million for criminals. To put this in perspective, it estimates payments of $24 million were made during the whole of 2015.[5]
2 https://www.justice.gov/criminal-ccips/file/872771/download
3 http://phishme.com/q1-2016-sees-93-phishing-emails-contain-ransomware/
4 http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf
5 http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/
When businesses are hit by ransomware, there is likely to be some consideration of the best course of action to protect the business, customers, shareholders and employees. It's understandable that some will be tempted to pay what could be considered a relatively small sum of money to the attackers, in the hope that doing so will allow them to get back up and running as soon as possible.
The challenge here is that there's no guarantee payment will change a thing. It is possible that no key to decrypt the files will ever be provided by the cyber criminals, whose main focus is on making money. There are even some reports of users paying a ransom and then being hit with another demand for even more money.
Beyond the ransom demand, there is also reputational damage to consider. This makes it difficult to put a true figure on the total financial impact of ransomware.
And then there's the issue of encouraging the ransomware business model. The more demands that are met, the more appealing ransomware becomes to the organized crime gangs behind the attacks.
Some ransomware even offers 'helpful' customer service to guide users through the process of making payment, with research suggesting as many as three out of four crypto-ransomware gangs are willing to negotiate the fee paid or extend the deadline.[6]
6 http://www.marketwired.com/press-release/f-secures-new-ransomware-study-explores-customer-journey-getting-your-files-back-2143033.htm
Who are the victims and where are they from?
Symantec's Ransomware and Businesses report revealed that 28% of infections between January 2015 and April 2016 were in the US. Canada saw 16%, Australia 11% and India 9%, with the rest of the top 10 rounded off by Japan, Italy, the UK, Germany, the Netherlands and Malaysia respectively.
Consumers remain most likely to be victims and accounted for 57% of all infections in the first quarter of 2016. This is perhaps because businesses are becoming more aware of the risks and are more likely to have security strategies in place.
Hottest targets in business
There is evidence to suggest some sectors are more popular targets than others, with 38% of infections hitting the services sector. Manufacturing was the next most likely to be hit (17%), while finance, insurance and real estate collectively accounted for 10% of infections.
The Hollywood Presbyterian Medical Center was a notable victim of ransomware in February 2016. It was hit with a $17,000 demand to regain control of its systems and admitted to paying it. Patient medical records were at risk, putting the organization in a difficult situation.
High-profile attacks such as this show that security solutions that proactively protect against ransomware are vital. The need to deal with ransomware effectively, particularly for businesses handling sensitive data, is highlighted by new United States Department of Health and Human Services (HHS) guidelines stating that most attacks of this kind are a breach and should be reported by organizations regulated under the Health Insurance Portability and Accountability Act (HIPAA).
The fact is that ransomware (and particularly successful attacks against major organizations) is big news, and not just in the cyber security sector. Threats such as Locky and TeslaCrypt have only increased its presence since the end of 2015. Can we expect more headlines in the coming months?
Ransomware hits the headlines
Ransomware in numbers
$679: the average ransom demand, up from $294 at the end of 2015
4,000 attacks per day
93% of phishing emails contain ransomware
$209 million generated by ransomware attacks in 3 months
Just 34% of IT professionals are 'very confident' they could recover from ransomware
Where ransomware infections strike: United States 28%, Canada 16%, Australia 11%, India 9%, Japan 4%, Italy 4%, United Kingdom 3%, Germany 2%, Netherlands 2%, Malaysia 2%, other regions 19%
Sectors hit by ransomware: Services 38%, Manufacturing 17%, Finance, Insurance & Real Estate 10%, Mining 1%. The chart also shows Public Administration, Wholesale Trade, Transportation, Communications & Utilities, Retail Trade, Construction, and Agriculture, Forestry & Fishing, with the remaining values 10%, 9%, 7%, 4%, 4% and 1%
Sources:
http://www.tripwire.com/state-of-security/security-data-protection/survey-only-34-of-it-pros-very-confident-they-could-recover-from-ransomware/
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf
What lies ahead? The experts have their say
If figures from the FBI are anything to go by, ransomware is on course to become a billion dollar industry by the end of the year. In an interview with CNN, it was reported that the actual figure could be even higher once related costs, and those who pay without reporting the crime, are taken into account.
But what else can we expect? We asked a number of cyber security experts to tell us what they think lies ahead for ransomware. Here's what they told us, in their own words:
James Maude, Avecto Senior Security Engineer
"Attackers will continue to use the simplest techniques to hit as many people as possible and increase the chances of a return."
I expect to see even more variation. It won't just be endpoints that are targeted, but web servers too, as these also appeal to attackers looking to encrypt all data and backups.
The Internet of Things is playing a part. Connected devices, banking systems and even digital thermostats can be targeted – anything to cause disruption.
Criminals are also seeing the value in profiling organizations and hitting them with targeted attacks. If they know the value of the data they can assess how much victims are likely to pay to get it back.
At the same time, there's also a trend for 'dumbing down' that I'd expect to see continue. Many attackers will use the simplest techniques to cast a wide net and increase the chances of a return.
Sami Laiho, ethical hacker and Microsoft MVP
Security is 20% technology and 80% psychology. Threatening loved ones or reputation has always been a favorite tool of any bad guy.
It is actually quite easy for us to technically prevent people from having modify access to their computer's operating system and thus block traditional malware from infecting it. What we can't do is block people from modifying their own documents and thus being able to encrypt them and being held for ransom.
The same goes for one's camera – as long as you are allowed to Skype someone, that person can record you and threaten to release that footage. The easiest part of security to compromise will no doubt always be the human sitting between the monitor and the chair. I predict that different sorts of ransomware are going to get even more common than ever before. The thing that will change is the increasing creativity of the malware designers in coming up with new ways to threaten people for money.
Paula Januszkiewicz, independent security expert and Microsoft MVP
There is one thing we know for sure: there will be more kinds of ransomware and you will be affected, if not by your data getting encrypted then by just getting an email which can affect your peaceful afternoon.
There are really four things that, in my opinion, will be seen in future versions of ransomware:
1. Ransoms will be up. We can see the trend already. Cybercriminals will focus on the low-hanging fruit and, as long as there are people on this planet and the popularly used methods of ransomware delivery (email, etc.) work, it will still be the easiest way to make a profit, so why not raise the price?
2. Public shaming. Nothing works better than blackmailing people using their own selfies or data and threatening to publish it online. Especially when data has clear business value and simply cannot go online.
3. Development of ransomware for Mac. This process has already started and there are some pieces of ransomware found working pretty well. Unfortunately, Mac may no longer maintain its reputation as a security-untouched platform, and this will bring a lot of concern for organizations that use Macs for business. Ransomware is becoming a multi-platform threat: it has been seen widely on Windows, but also on Linux and Android.
4. Targeted attacks. It is common knowledge how much one can earn by releasing a piece of ransomware that nobody has heard about. It is easy to create and it is difficult to prevent if you do not have code execution prevention implemented. The people you will get emails from will have good language skills and they will be well informed about what your company does and which service providers to refer to when conducting the attacks.
James Scott, senior fellow at the Institute for Critical Infrastructure Technology (ICIT), expects attacks on organizations in critical infrastructure sectors to increase.
"Hospitals are an easy target for many reasons. Employees typically lack cyber hygiene training and their technology landscape, in most cases, is eerily absent of layered security centric protocols."
What can you do to protect yourself?
The first step is to ensure that the cyber security basics are in place, from keeping up to date with the latest patches (operating system and application patching) to having appropriate backups of your data.
The US Government advises: "Prevention is the most effective defense against ransomware and it is critical to take precautions for protection. Infections can be devastating to an individual or organization, and recovery may be a difficult process requiring the services of a reputable data recovery specialist."
It sets out a number of preventative measures, including the following recommendations that Defendpoint (Avecto's endpoint security software) can help you achieve:
> Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed, and those with a need for administrator accounts should only use them when necessary
> Configure access controls – including file, directory, and network share permissions – with least privilege in mind. If a user only needs to read specific files, the user should not have write access to those files, directories, or shares
> Use application whitelisting, which only allows systems to execute programs known and permitted by security policy
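The three recommendations above can be turned into checks a defender runs against an inventory. The Python below is an added example, not code from this whitepaper, from Defendpoint or from the US Government guidance it quotes: it compares granted share rights with what each role needs, lists local administrators who have no documented need for the account, and applies an allowlist decision to a program path. All principals, share names, publisher names and hashes are constructed; the protected-directory list, the user-writable exceptions under C:\Windows and the allowlist policy itself are assumptions standing in for a real policy.

```python
import hashlib
from dataclasses import dataclass

# ---------- Least privilege: compare what is granted with what the job needs ----------

@dataclass(frozen=True)
class Grant:
    principal: str      # user or group
    resource: str       # file, directory or network share
    rights: frozenset   # subset of {"read", "write", "delete", "full"}

# Constructed sample data (not taken from any real environment).
REQUIRED_RIGHTS = {
    ("accounts", r"\\fs01\finance"):     frozenset({"read", "write"}),
    ("accounts", r"\\fs01\hr-policies"): frozenset({"read"}),
    ("sales",    r"\\fs01\finance"):     frozenset({"read"}),
}
GRANTED = [
    Grant("accounts", r"\\fs01\finance",     frozenset({"read", "write"})),
    Grant("accounts", r"\\fs01\hr-policies", frozenset({"read", "write"})),           # write not needed
    Grant("sales",    r"\\fs01\finance",     frozenset({"read", "write", "delete"})),  # only read needed
]
LOCAL_ADMINS = {"alice", "bob", "svc-backup"}   # current members of the Administrators group
NEEDS_ADMIN = {"bob"}                           # outcome of the access review


def excess_rights(granted, required):
    """Return (principal, resource, excess rights) for every grant wider than the need.
    A (principal, resource) pair absent from `required` needs nothing, so every
    right on it is excess."""
    out = []
    for g in granted:
        needed = required.get((g.principal, g.resource), frozenset())
        extra = g.rights - needed
        if extra:
            out.append((g.principal, g.resource, extra))
    return out


def excess_admins(members, needs_admin):
    """Administrators group members with no documented need, sorted for reporting."""
    return sorted(members - needs_admin)


# ---------- Application whitelisting: run only what policy knows and permits ----------

# Directories standard users cannot write to while least privilege is enforced, so a
# file found there was put in place by an administrator or an installer.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Well-known locations under those roots that ordinary users can still write to.
WRITABLE_EXCEPTIONS = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\")
APPROVED_PUBLISHERS = {"Example Corp (constructed)"}
# Placeholder digest standing in for the SHA-256 of an approved, unsigned tool.
APPROVED_HASHES = {hashlib.sha256(b"constructed stand-in for an approved binary").hexdigest()}


def execution_allowed(path, publisher=None, sha256=None):
    """Policy decision: allow only images known to policy, by approved publisher,
    by approved hash, or by installation under a protected directory. Anything
    else, such as a payload dropped into %TEMP% or Downloads, is blocked."""
    p = path.lower()
    if publisher in APPROVED_PUBLISHERS:
        return True
    if sha256 and sha256.lower() in APPROVED_HASHES:
        return True
    if p.startswith(TRUSTED_DIRS) and not p.startswith(WRITABLE_EXCEPTIONS):
        return True
    return False


if __name__ == "__main__":
    for principal, resource, extra in excess_rights(GRANTED, REQUIRED_RIGHTS):
        print(f"excess rights: {principal} on {resource}: {sorted(extra)}")
    print("admins without documented need:", excess_admins(LOCAL_ADMINS, NEEDS_ADMIN))
    for candidate in ("C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe",
                      "C:\\Windows\\Temp\\upd.exe",
                      "C:\\Windows\\System32\\notepad.exe"):
        print(f"{'allow' if execution_allowed(candidate) else 'block':5s} {candidate}")
```

The path rule is only sound because the privilege rule holds: a directory counts as trusted precisely because standard users cannot write to it, which is why the user-writable exceptions under C:\Windows have to be carved out and why the two checks belong together rather than as separate controls.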
How proactive endpoint security can help
Defendpoint is a multi-layered prevention engine that stops cyber attacks, including ransomware, by combining proactive capabilities that reduce the attack surface and disrupt the attack chain.
To stay ahead of ransomware threats, Defendpoint isolates untrusted content in a sandbox: a secure environment with no access to user data or privileges. This prevents data from being encrypted or stolen.
Uniquely, Defendpoint leverages the sandbox execution context to apply stricter whitelisting and privilege management rules. The result is that any attempt to drop and launch a ransomware payload, or to launch a malicious script, is automatically blocked.
This context is important as it allows the user to launch the applications and scripts they need without granting the same freedom to malware. It is this proactive approach that allows security to become a great user experience and not a barrier to productivity.
Simply put, when a user is tricked into opening a malicious document, the attack is seamlessly isolated from the user's data and any attempts to launch payloads or persist are blocked. The malware doesn't run, your data is not exposed and the threat cannot persist.
Defense in depth – reduce the attack surface
[Figure: Defense in depth – reduce the attack surface. Protected assets at the center: Data, Credentials, Intellectual property. Defensive layers: Patching; Anti-malware (endpoint and network); Privilege management; Application whitelisting; Content isolation. Threats shown around the layers: Known exploits, Known threats, Java & Flash, Browser zero days, Email attachments, Trusted corporate apps, Pass the hash, Disabling of security, Privileged attacks, Insider threats, Root kits, APTs, Unknown/unapproved apps, Executables, Drive by downloads, Exploit kits.]
About Avecto
Avecto is an innovator in endpoint security. Founded in 2008, the company exists to protect businesses from cyber attacks.
Its endpoint security software, Defendpoint, is a multi-layered prevention engine that stops malware at the endpoint. It takes a proactive approach, uniquely integrating three core capabilities of privilege management, application control and content isolation in one lightweight agent.
This unique and award-winning combination makes prevention possible, allowing businesses to build solid security foundations that protect over 6 million endpoints at many of the world’s most recognizable brands. This proactive strategy is advocated by analysts, industry experts and security professionals alike.
Avecto’s simpler and smarter approach to security makes organizations more secure from day one. For more bespoke requirements, an experienced and qualified team of consultants is available to guide the implementation and ensure project success.
UK 2014
Americas / Germany / UK avecto.com / [email protected]
Defendpoint by Avecto is a security software solution that makes prevention possible. For the first time, it uniquely integrates three proactive technologies to stop malware at the endpoint. It's this innovative approach that protects the operating system, software environment and your data from internal and external threats.