Ransomware:
Hijacking Your Data
By Richard Wang and Anand Ajjan, SophosLabs
“Federal Bureau of Investigation. Attention! Your computer has been locked.”
For the last two years users have increasingly been faced with messages like
this and demands for money in exchange for access to their PCs. But these
are not the actions of law enforcement, quite the opposite—it’s an example
of ransomware. This paper looks in depth at ransomware variants and
delivery mechanisms, and how you can protect your data with a complete
security strategy.
Ransomware vs. fake antivirus
Ransomware is often compared to fake antivirus in the way it operates and the
motivation behind it. However, what differentiates ransomware from fake antivirus is the
way each manipulates human tendencies and fears. Fake antivirus plays on security fears
and calls for the user to take action in self-preservation, whereas ransomware works either
as extortion or punishment.
Fake antivirus is one of the most frequently-encountered and persistent threats on the web.
This malware, with over half a million variants, uses social engineering to lure users onto
infected websites with a technique called Blackhat SEO (Search Engine Optimization).
According to Google Trends, ransomware has recently surpassed fake antivirus in terms of
user queries on Google.

Fig. 1: Ransomware more popular search term than fake antivirus since late 2011

The graph above shows ransomware has been a more popular search term than fake
antivirus since late 2011. This strongly suggests that malware authors find ransomware
to be more profitable and convincing than fake antivirus. Another reason for ransomware's
success is the fact that the makers of the Blackhole exploit kit include ransomware in their
distribution system.

A Sophos Whitepaper March 2013

The ransomware timeline
Early variants—SMS ransomware
Some of the earliest variants lock the user’s computer and display a ransom message. The
message instructs the user to send a code via text message to a premium-rate SMS number.
The user would then receive a message containing the corresponding unlock code which
would allow them to use their computer. In these cases the ransom paid was the cost of the
premium rate text message.

First-stage evolution—winlockers
This variant also locks the user’s computer but rather than displaying a simple demand for
payment, it also uses social engineering techniques. The message displayed to the user
claims to be from a law enforcement agency and indicates that the required payment is a
fine for illegal activity on the computer such as distributing copyrighted material. The fine is
required to be paid using an online payment system such as Ukash or Paysafecard.
This type of ransomware is commonly known as a winlocker ransomware. In this version,
the cost of the “fine” is much larger than the cost of the premium rate text message as seen
earlier. The payment currency is based on the region where the user is located—i.e., $100,
£100 or €100, etc.

Advanced evolution—file encryptors
In these variants, in addition to locking the window screen, the ransomware encrypts the
user’s files using various complex encryption algorithms. The user is asked for a “ransom
amount” in order to decrypt the files. The user is required to make payments via online
payment systems such as those mentioned above. This type of ransomware is identified as
file encrypting ransomware.

Fake FBI ransomware
Ransomware authors quickly realized that antivirus vendors can easily provide a solution
to unlock the machine without sending an expensive SMS. Thus they changed gears and
adopted a different method.
This variant asks the user to make the payment via an online payment service. In reality, it
is not feasible to track the recipient of the ransom amount. The warning messages in this
version are delivered based on the geolocation of the user.
Some of the variants also require the user to email a 19-digit code received as an
acknowledgement to the payment made to Ukash, Paysafecard or MoneyPak in order to
receive the unlock code.

Fig. 2: Fake FBI ransomware

State of play
SophosLabs sees winlocker ransomware more regularly than file encrypting ransomware.
This may be because encryption and decryption routines require more development work
than the usual winlockers, which can be developed and maintained easily.

Ransomware delivery mechanisms
This section describes the various means or delivery mechanisms used by the malware
authors to propagate ransomware to the user, largely over the web.

Exploit kits
An exploit kit is a type of a tool that exploits various security holes in the software installed
on a computer. A cybercriminal buys such an exploit kit and includes the malware that they
wish to deliver by exploiting compromised legitimate websites.
For example, Blackhole takes advantage of vulnerabilities that exist—often in Java or PDF
software—to install malware on end users’ computers without their interaction, in a drive-by-download manner.
Below are a few ransomware variant names delivered via Blackhole:
- Executable binary: Troj/Ransom-ML, Troj/Reveton-BP and Troj/Katusha-CJ etc.
- Memory detection: Troj/RevetMem-A
- Javascript: Troj/JSAgent-CW
- Link files: CXmal/RnsmLnk-A

Spam email attachment
The ransomware arrives via spam messages containing a malicious attachment, as shown
below. One such example asks the user to open an attachment and presents an email with a
convincingly legitimate appearance.

Fig. 3: Spam email attachment

Once the user opens the .zip attachment, the binary inside the .zip executes and drops
ransomware on the system. This in turn may contact a command and control (C&C) server
to download the lock screen image. This particular variant is detected as Troj/Ransom-JO.
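As an added example that is not part of the Sophos paper, the following Python script shows how a mail gateway or an analyst could triage a .zip attachment of the kind described above before it reaches a user: it lists the archive entries in memory and flags executable extensions, double extensions that disguise an executable as a document, content that starts with the PE "MZ" header regardless of the file name, and nested archives. The extension lists, the sample archive and the file names inside it are constructed for the example; they are not the names used by the variant the paper describes.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List, Tuple

# Extensions Windows will execute directly, and extensions users read as
# harmless documents. Both lists are assumptions chosen for this example.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


@dataclass
class Finding:
    entry: str
    reason: str


def _split_name(entry: str) -> Tuple[str, str]:
    """Return (last extension, extension before it) of an archive entry, lower-cased."""
    base = entry.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    return ext, inner


def triage_zip(data: bytes) -> List[Finding]:
    """Inspect a ZIP attachment held in memory and explain why each entry is suspicious."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext, inner = _split_name(info.filename)
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(Finding(info.filename, f"executable extension {ext}"))
                if inner in DOCUMENT_EXTENSIONS:
                    findings.append(Finding(info.filename,
                                            f"double extension {inner}{ext} disguises an executable as a document"))
            if ext == ".zip":
                findings.append(Finding(info.filename, "nested archive"))
            # Check the content, not just the name: a renamed binary still starts with MZ.
            with zf.open(info) as member:
                head = member.read(len(PE_MAGIC))
            if head == PE_MAGIC:
                findings.append(Finding(info.filename, "content starts with the PE 'MZ' header"))
    return findings


def is_suspicious(data: bytes) -> bool:
    """Gateway decision: quarantine the message if any entry produced a finding."""
    return bool(triage_zip(data))


def build_sample_attachment() -> bytes:
    """Constructed sample: a 'document' that is really a PE stub, plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2013.pdf.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        zf.writestr("readme.txt", b"Please see the attached invoice.")
    return buf.getvalue()


def build_benign_attachment() -> bytes:
    """Constructed sample with nothing to flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"Meeting notes, nothing executable here.")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_attachment()):
        print(f"{finding.entry}: {finding.reason}")
    print("benign archive suspicious:", is_suspicious(build_benign_attachment()))
```

The content check matters more than the name check: renaming a binary to something innocuous defeats an extension filter, but the MZ header still gives it away, so a gateway rule should look at both.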

Closer look: Winlockers and file encryptors
To illustrate the operation of ransomware scams we’ll take a closer look at the two most
common types—winlockers and file encryptors.

Closer look: Winlockers
The first thing a victim will see when they encounter a winlocker is a screen such as
Fig. 4. However, even before this screen is displayed the ransomware has been at work in the
background.

Fig. 4: Winlocker screenshot

In order for the social engineering to be believable the message displayed must be relevant
to the victim. A person in France is unlikely to consider paying a fine to the FBI so the attack
must match the correct police authority to the user. This is done by taking the IP address of
the infected computer and using a database to convert the IP to a physical location. Once the
location is known the corresponding message and graphics are downloaded and displayed.
Winlockers may have a wide variety of messages available, customized for attacks around
the world.

Fig. 5: Localized language versions

The message is presented as a full-screen window, blocking access to any other programs
and leaving the PC unusable until the lock is removed. The ransomware will typically install
itself so that rebooting the PC will just result in returning the user to the ransom screen.
The message accompanying the lock attempts to be as persuasive as possible in
encouraging the user to pay. The payment is often presented as a fine or administrative
charge, imposed in response to illegal activity on the PC.
The alleged crimes range from illegal file sharing to exchange of child pornography. Some
winlockers also activate the PC’s webcam and display an image of the user, presumably to
reinforce the message that they are being observed.
Payment is by means of a prepaid card such as Ukash or MoneyPak. The ransom message
includes a list of locations where the card can be purchased. The associated payment
code can then be entered directly into the ransomware, at which point it will be sent to the
attacker who can collect the payment.

Fig. 6: Payment instructions

Closer look: File encryptors
File encryptors take a different approach to their ransom demands. Rather than using social
engineering they make no pretense to be anything other than a ransom demand.

Fig. 7: File encryptor

File encryptors do not block access to the entire PC. Instead they target files that are likely
to be valuable to the user, such as documents, images, financial records, etc. The PC is left
in a usable state but the user’s critical data is unavailable. The files are encrypted to prevent
the user from accessing them and a payment is demanded to decrypt them.
In common with winlockers the payments are often requested in the form of prepaid online
payment cards or codes. However, unlike winlockers, removing a file encryptor is not the
end of a user’s problem. Even if the ransomware is removed the files remain encrypted and
inaccessible.

The history of file encryptors has involved progressively complex encryption methods. The
earliest versions used simple, home-grown encryption that was easily reversed. Security
companies responded by providing cleanup tools that would recover the encrypted files.
Attackers then moved on to more robust commercial algorithms but again failed to
implement them securely, allowing cleanup tools to remain effective.
The latest file encryptors take advantage of multi-stage enterprise grade encryption and
public key algorithms using unique encryption keys for each victim. This makes them
essentially uncrackable without the private key known only to the ransomware’s author.
The effectiveness of ransomware at separating a user from their files leads to an inevitable
question. Should victims pay the ransom to retrieve their files? Unfortunately the evidence
available to answer this question is mostly anecdotal.
Many victims report paying a ransom only to be left with encrypted files. Some report that
paying the ransom did indeed result in the return of their files. Occasionally the ransomware
itself answers the question by not including a mechanism to reverse the encryption. In those
cases it is obvious that the author has no intention of returning the files whether the ransom
is paid or not.
Ultimately, a victim is at the mercy of the ransomware author, someone who has already
chosen an unscrupulous and illegal method of making a living. Should you trust such a
person? No. Our advice is never to pay the ransom.

Targeting users based on geo-specific location
Most of the ransomware lock screen images target the geo-specific location of the user’s
system. So far SophosLabs has seen around 20 countries that are targeted by ransomware
showing warning messages in languages specific to the country.
Some of the winlocker download URIs for ransom images are unencrypted and the images
can be downloaded directly through a web browser. In some variants the URIs are stored in
encrypted form so that they evade standard network-based rule detection that would
block these images.

The picture below shows the encoded URIs:

Fig. 8: Encoded URIs

Some variants, as shown below, store URIs in unencrypted form:

Fig. 9: Unencrypted URIs

Defending against ransomware
The best protection is preventing the ransomware from getting to your systems. Web-based distribution is
the most common means of spreading ransomware. Web gateway protection provided by the Sophos UTM or
endpoint web protection built into Sophos Anti-Virus defends against web-based attacks.
Sophos Anti-Virus on the endpoint also includes HIPS behavior monitoring technology to proactively detect
malware, including ransomware. Ensuring you have HIPS and full on-access protection enabled gives you the
best opportunity to detect and stop ransomware.
Some examples of Sophos detection for ransomware:
- HPMal/Matsnu-A
- CXmal/RnsmLnk-A
- Troj/RansmMem-A
- Troj/RevetMem-A
- Troj/Ransom-*
- Mal/Ransom-*
- Mal/Reveton-*
- Troj/Matsnu-*
There are also many more generic detections such as Mal/Encpk-*, which include both ransomware and
other malware that shares common properties.
In addition to security tools, data backups can help victims recover from file encrypting ransomware.
If data is backed up it can be safely restored once the ransomware is removed.

The complete security system
In this paper we have discussed various types of ransomware, their delivery mechanisms, the different
encryption techniques deployed, and how the computer screen is locked using Windows APIs. SophosLabs analyzes
such ransomware types on a daily basis and monitors their development to ensure effective protection for users of
Sophos products.
Today’s fast, targeted and silent threats take advantage of our ever-more open networks and the new
technologies that support an increasingly mobile workforce. To combat this, organizations need depth to
their security strategy to cover endpoints, networks, servers, data, email and web usage, and mobile devices.
And it’s crucial that protection is consistent and easy to administer—so it can work at every point across the
entire network, just like security threats do.

This is why we recommend a complete security system to help you cover the full security
lifecycle. Obviously how you achieve this will depend greatly on your environment and your
specific security priorities. You should consider each of these six primary strategies of a
complete security system.
1. Reduce the attack surface. Take an active approach that monitors more than malware,
including threats like vulnerabilities, applications, websites and spam. Ensure that the
software you use, including applications, browsers and plugins, is up to date, minimizing
the risk from exploit-based attacks. Using the plugin-on-demand feature available in some
browsers can also help reduce attacks from exploit kits using hidden content on websites.
2. Protect everywhere. Make sure users are protected wherever they are and whatever
device they’re using, and combine endpoint (including mobile), gateway and cloud
technologies so that they share data and work together to provide better protection without
impacting users or performance.
3. Stop malware attacks. Move beyond simply relying on antivirus signatures and look at
layers of detection that stop threats at different stages of their execution. And ensure
protection also looks at risky user behavior, not just for malicious code.
4. Back up data. Many forms of ransomware use encryption that is effectively unbreakable.
Given the untrustworthy nature of ransomware authors, the only way to guarantee the
return of your files is to restore them from your own backups.
5. Stop data leaks and breaches. There are three components of an information
security strategy: the things you’re required to do by law; the operational processes and
procedures you put into place; and the technology tools you use to get the job done.
6. Keep people working. Complexity is the enemy of security. Operational efficiency needs
to be prioritized for both your users and IT staff. Consider workflows—what gets in the
way or slows your users down? By focusing on removing these barriers or problems,
your security improves and your staff and users will be more efficient and happier too.
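Strategies 3 and 4 above, together with the earlier point that backed-up data can be restored once the ransomware is removed, are easier to act on with a concrete check. The following Python script is an added example, not code from the paper or from Sophos: it records a SHA-256 manifest of a file set at backup time, then audits the live copy for files that have been rewritten as high-entropy (ciphertext-like) data, which is the behavioral footprint a file encryptor leaves, and restores the flagged files from the backup. The file contents, the ransom-note name, the entropy threshold and the "mass encryption" ratio are all assumptions constructed for the example; a real deployment would walk a directory tree instead of an in-memory dictionary.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, List

# Bits per byte above which changed content is treated as probable ciphertext.
# Natural-language documents sit around 4-5 bits/byte; encrypted or compressed
# data approaches 8. The threshold is an assumption chosen for this example.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline recorded at backup time: path -> SHA-256 of the contents."""
    return {path: sha256_hex(content) for path, content in files.items()}


def audit(files: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live file set with the backup manifest.

    changed:      hash differs from the manifest
    high_entropy: changed AND the new content looks encrypted
    missing:      in the manifest but no longer present
    unexpected:   present but not in the manifest (e.g. a dropped ransom note)
    """
    report: Dict[str, List[str]] = {"changed": [], "high_entropy": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in files:
            report["missing"].append(path)
            continue
        content = files[path]
        if sha256_hex(content) != expected:
            report["changed"].append(path)
            if shannon_entropy(content) >= ENTROPY_THRESHOLD:
                report["high_entropy"].append(path)
    report["unexpected"] = sorted(p for p in files if p not in manifest)
    for key in ("changed", "high_entropy", "missing"):
        report[key].sort()
    return report


def looks_like_mass_encryption(report: Dict[str, List[str]], manifest_size: int, ratio: float = 0.5) -> bool:
    """Heuristic: a large fraction of tracked files rewritten as high-entropy data."""
    return manifest_size > 0 and len(report["high_entropy"]) / manifest_size >= ratio


def restore_flagged(files: Dict[str, bytes], backup: Dict[str, bytes],
                    report: Dict[str, List[str]]) -> Dict[str, bytes]:
    """Copy of the live file set with encrypted or missing files restored from backup
    and unexpected files dropped. Legitimately edited low-entropy files are kept.
    Run this only after the ransomware itself has been removed."""
    restored = dict(files)
    for path in report["high_entropy"] + report["missing"]:
        restored[path] = backup[path]
    for path in report["unexpected"]:
        restored.pop(path, None)
    return restored


# Constructed sample data. The ciphertext stand-in is a uniform byte
# distribution (entropy exactly 8.0); real ciphertext is statistically similar.
CIPHERTEXT_STAND_IN = bytes(range(256)) * 16


def sample_backup() -> Dict[str, bytes]:
    return {
        "Documents/report.docx": b"Quarterly report: revenue up 3 percent, costs flat. " * 40,
        "Documents/budget.xlsx": b"Budget lines: rent, salaries, travel, software. " * 40,
        "Pictures/photo.jpg": b"JFIF placeholder bytes for a family photo. " * 40,
    }


def sample_after_attack() -> Dict[str, bytes]:
    """The same file set after a file encryptor has run: two documents replaced
    by ciphertext and a ransom note dropped alongside them."""
    files = sample_backup()
    files["Documents/report.docx"] = CIPHERTEXT_STAND_IN
    files["Documents/budget.xlsx"] = CIPHERTEXT_STAND_IN
    files["HOW_TO_DECRYPT.txt"] = b"Your files are encrypted. Pay to recover them."
    return files


if __name__ == "__main__":
    manifest = build_manifest(sample_backup())
    report = audit(sample_after_attack(), manifest)
    print(report)
    print("mass encryption suspected:", looks_like_mass_encryption(report, len(manifest)))
    print("after restore:", audit(restore_flagged(sample_after_attack(), sample_backup(), report), manifest))
```

The manifest is only as trustworthy as the medium it sits on: keep it, and the backup itself, somewhere the infected machine cannot write to, otherwise an encryptor that reaches mapped drives takes the baseline with it.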

Boston, USA | Oxford, UK
© Copyright 2013. Sophos Ltd. All rights reserved.
All trademarks are the property of their respective owners.
wpna.03.13

  • 2. Ransomware: Hijacking Your Data Ransomware vs. fake antivirus Ransomware may often be compared to fake antivirus in the way it operates and the motivation behind it. However, what differentiates ransomware from fake antivurus is the way they manipulate human tendencies and fears. Fake antivirus plays on the security fears and calls for the user to take actions in self-preservation, whereas ransomware works either as extortion or punishment. Fake antivirus is one of the most frequently-encountered and persistent threats on the web. This malware, with over half a million variants, uses social engineering to lure users onto infected websites with a technique called Blackhat SEO (Search Engine Optimization). According to Google Trends, ransomware has recently surpassed fake antivirus in terms of user queries on Google. Fig. 1: Ransomware more popular search term than fake antivirus since late 2011 The graph above shows ransomware has been a more popular search term than fake antivirus since late 2011. This strongly suggests that malware authors find ransomware to be more profitable and convincing than fake antivirus. Another reason for ransomware's success is the fact that the makers of the Blackhole exploit kit include ransomware in their distribution system. A Sophos Whitepaper March 2013 2
Some of the earliest variants lock the user’s computer and display a ransom message. The message instructs the user to send a code via text message to a premium-rate SMS number. The user would then receive a message containing the corresponding unlock code, which would allow them to use their computer. In these cases the ransom paid was the cost of the premium-rate text message.

First-stage evolution—winlockers
This variant also locks the user’s computer, but rather than displaying a simple demand for payment it also uses social engineering techniques. The message displayed to the user claims to be from a law enforcement agency and indicates that the required payment is a fine for illegal activity on the computer, such as distributing copyrighted material. The fine is required to be paid using an online payment system such as Ukash or Paysafecard. This type of ransomware is commonly known as winlocker ransomware. In this version, the cost of the “fine” is much larger than the cost of the premium-rate text message seen earlier. The payment currency is based on the region where the user is located—i.e., $100, £100 or €100, etc.

Advanced evolution—file encryptors
In these variants, in addition to locking the screen, the ransomware encrypts the user’s files using various complex encryption algorithms. The user is asked for a “ransom amount” in order to decrypt the files, and is required to make payment via online payment systems such as those mentioned above. This type of ransomware is identified as file-encrypting ransomware.
Fake FBI ransomware
Ransomware authors quickly realized that antivirus vendors can easily provide a solution to unlock the machine without sending an expensive SMS. Thus they changed gears and adopted a different method. This variant asks the user to make the payment via an online payment service. In reality, it is not feasible to track the recipient of the ransom amount. The warning messages in this version are delivered based on the geolocation of the user. Some of the variants also require the user to email a 19-digit code, received as an acknowledgement of the payment made to Ukash, Paysafecard or MoneyPak, in order to receive the unlock code.

Fig. 2: Fake FBI ransomware

State of play
SophosLabs sees winlocker ransomware more regularly than file-encrypting ransomware. This could be because encryption-decryption techniques require more development work than the usual winlockers, which can be developed and maintained easily.
Ransomware delivery mechanisms
This section describes the various delivery mechanisms used by malware authors to propagate ransomware to the user, largely over the web.

Exploit kits
An exploit kit is a tool that exploits various security holes in the software installed on a computer. A cybercriminal buys such an exploit kit and includes the malware that they wish to deliver, distributing it through compromised legitimate websites. For example, Blackhole takes advantage of vulnerabilities that exist—often in Java or PDF software—to install malware on end users’ computers without their interaction, in a drive-by download manner. Below are a few of the ransomware variant names delivered via Blackhole:
• Executable binary: Troj/Ransom-ML, Troj/Reveton-BP and Troj/Katusha-CJ, etc.
• Memory detection: Troj/RevetMem-A
• JavaScript: Troj/JSAgent-CW
• Link files: CXmal/RnsmLnk-A

Spam email attachment
The ransomware arrives via spam messages containing a malicious attachment, as shown below. One such example asks the user to open an attachment and presents an email with a convincingly legitimate appearance.

Fig. 3: Spam email attachment
Once the user opens the .zip attachment, the binary inside the .zip executes and drops ransomware on the system. This in turn may contact a command and control (C&C) server to download the lock screen image. This particular variant is detected as Troj/Ransom-JO.

Closer look: Winlockers and file encryptors
To illustrate the operation of ransomware scams we’ll take a closer look at the two most common types—winlockers and file encryptors.

Closer look: Winlockers
The first thing a victim will see when they encounter a winlocker is a screen such as Fig. 4. However, even before this screen is displayed the ransomware has been at work in the background.

Fig. 4: Winlocker screenshot

In order for the social engineering to be believable, the message displayed must be relevant to the victim. A person in France is unlikely to consider paying a fine to the FBI, so the attack must match the correct police authority to the user. This is done by taking the IP address of the infected computer and using a database to convert the IP to a physical location. Once the location is known, the corresponding message and graphics are downloaded and displayed. Winlockers may have a wide variety of messages available, customized for attacks around the world.
Fig. 5: Localized language versions

The message is presented as a full-screen window, blocking access to any other programs and leaving the PC unusable until the lock is removed. The ransomware will typically install itself so that rebooting the PC just returns the user to the ransom screen. The message accompanying the lock attempts to be as persuasive as possible in encouraging the user to pay. The payment is often presented as a fine or administrative charge, imposed in response to illegal activity on the PC. The alleged crimes range from illegal file sharing to the exchange of child pornography. Some winlockers also activate the PC’s webcam and display an image of the user, presumably to reinforce the message that they are being observed. Payment is by means of a prepaid card such as Ukash or MoneyPak. The ransom message includes a list of locations where the card can be purchased. The associated payment code can then be entered directly into the ransomware, at which point it is sent to the attacker, who can collect the payment.
Fig. 6: Payment instructions

Closer look: File encryptors
File encryptors take a different approach to their ransom demands. Rather than using social engineering, they make no pretense of being anything other than a ransom demand.

Fig. 7: File encryptor

File encryptors do not block access to the entire PC. Instead they target files that are likely to be valuable to the user, such as documents, images, financial records, etc. The PC is left in a usable state, but the user’s critical data is unavailable. The files are encrypted to prevent the user from accessing them, and a payment is demanded to decrypt them. In common with winlockers, the payments are often requested in the form of prepaid online payment cards or codes. However, unlike winlockers, removing a file encryptor is not the end of a user’s problems. Even if the ransomware is removed, the files remain encrypted and inaccessible.
The history of file encryptors has involved progressively more complex encryption methods. The earliest versions used simple, home-grown encryption that was easily reversed. Security companies responded by providing cleanup tools that would recover the encrypted files. Attackers then moved on to more robust commercial algorithms, but again failed to implement them securely, allowing cleanup tools to remain effective. The latest file encryptors take advantage of multi-stage, enterprise-grade encryption and public key algorithms, using unique encryption keys for each victim. This makes them essentially uncrackable without the private key, known only to the ransomware’s author.

The effectiveness of ransomware at separating a user from their files leads to an inevitable question: should victims pay the ransom to retrieve their files? Unfortunately the evidence available to answer this question is mostly anecdotal. Many victims report paying a ransom only to be left with encrypted files. Some report that paying the ransom did indeed result in the return of their files. Occasionally the ransomware itself answers the question by not including a mechanism to reverse the encryption. In those cases it is obvious that the author has no intention of returning the files whether the ransom is paid or not. Ultimately, a victim is at the mercy of the ransomware author, someone who has already chosen an unscrupulous and illegal method of making a living. Should you trust such a person? No. Our advice is never to pay the ransom.

Targeting users based on geo-specific location
Most ransomware lock screen images target the geo-specific location of the user’s system. So far SophosLabs has seen around 20 countries targeted by ransomware showing warning messages in languages specific to the country. Some of the winlocker download URIs for ransom images are unencrypted and can be downloaded directly through the web browser. In some of the variants, the URIs are stored in encrypted form so that standard network-based detection rules cannot identify and block these images.
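The progression described above, from home-grown ciphers that cleanup tools could reverse to per-victim public key encryption that they cannot, is easiest to appreciate with a concrete recovery. The following Python is an added example written for this page; it is not code from the paper or from any SophosLabs cleanup tool. It plays the role of a cleanup tool against a toy cipher constructed here (a short key XORed repeatedly over each file, standing in for the "home-grown encryption" the paper mentions) and recovers the key from nothing more than the publicly known magic bytes of common file formats. KNOWN_HEADERS, weak_xor, recover_key, recover_files, the sample files and the sample key are all constructed for the example.

```python
from itertools import cycle
from os.path import splitext
from typing import Dict, Optional, Tuple

# Magic bytes of common document formats. A cleanup tool can use them as
# known plaintext: the victim does not hold the key, but everybody knows what
# the first bytes of a PDF or PNG look like.
KNOWN_HEADERS = {
    ".pdf": b"%PDF-1.",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
}


def weak_xor(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for a 'home-grown' cipher (constructed for this example,
    not modelled on any real family): a short key XORed repeatedly over the
    file. Encrypting and decrypting are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Derive the repeating key from a known file header, shortest key first.
    A key of length n is accepted only if at least one known byte beyond the
    first n decrypts correctly, so the guess is not self-fulfilling. Returns
    None when the file is too short to verify any candidate."""
    if len(ciphertext) < len(known_prefix):
        return None
    for key_len in range(1, len(known_prefix)):
        key = bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix))
        if weak_xor(ciphertext[: len(known_prefix)], key) == known_prefix:
            return key
    return None


def recover_files(encrypted: Dict[str, bytes]) -> Tuple[Optional[bytes], Dict[str, bytes]]:
    """Recover the shared key from any file with a known header, then decrypt
    the whole set. Files with a known header are returned only if their
    decrypted header checks out. Returns (key, {name: plaintext})."""
    key = None
    for name, data in encrypted.items():
        prefix = KNOWN_HEADERS.get(splitext(name)[1].lower())
        if prefix is not None:
            key = recover_key(data, prefix)
            if key is not None:
                break
    if key is None:
        return None, {}
    recovered: Dict[str, bytes] = {}
    for name, data in encrypted.items():
        plain = weak_xor(data, key)
        prefix = KNOWN_HEADERS.get(splitext(name)[1].lower())
        if prefix is None or plain.startswith(prefix):
            recovered[name] = plain
    return key, recovered


# Constructed sample "victim" files and attacker key; nothing here is real data.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(16),
    "notes.docx": b"PK\x03\x04\x14\x00\x06\x00word/document.xml",
    "budget.csv": b"id,amount\n1,100\n2,250\n",
}
SAMPLE_KEY = b"k3y!"  # never given to the recovery code
ENCRYPTED = {name: weak_xor(data, SAMPLE_KEY) for name, data in SAMPLE_FILES.items()}


def recover_demo() -> Tuple[Optional[bytes], Dict[str, bytes]]:
    """Run the cleanup-tool logic over the constructed encrypted set."""
    return recover_files(ENCRYPTED)


if __name__ == "__main__":
    key, files = recover_demo()
    print("recovered key:", key)
    for name, plain in files.items():
        print(name, "recovered correctly:", plain == SAMPLE_FILES[name])
```

The shortcut exists only because the toy scheme reuses one short key across every file with no per-file randomness, so a handful of known header bytes is enough to pin the key down. A scheme that encrypts each file under a fresh key and protects those keys with a per-victim public key gives a cleanup tool no such foothold, which is why the paper's later advice rests on backups rather than on decryption.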
The picture below shows the encoded URIs:

Fig. 8: Encoded URIs

Some variants, as shown below, store URIs in unencrypted form:

Fig. 9: Unencrypted URIs
Defending against ransomware
The best protection is preventing the ransomware from getting to your systems. Web-based distribution is the most common means of spreading ransomware. Web gateway protection provided by the Sophos UTM or the endpoint web protection built into Sophos Anti-Virus defends against web-based attacks. Sophos Anti-Virus on the endpoint also includes HIPS behavior monitoring technology to proactively detect malware, including ransomware. Ensuring you have HIPS and full on-access protection enabled gives you the best opportunity to detect and stop ransomware. Some examples of Sophos detections for ransomware:
• HPMal/Matsnu-A
• CXmal/RnsmLnk-A
• Troj/RansmMem-A
• Troj/RevetMem-A
• Troj/Ransom-*
• Mal/Ransom-*
• Mal/Reveton-*
• Troj/Matsnu-*

There are also many more generic detections, such as Mal/Encpk-*, which cover both ransomware and other malware that shares common properties.

In addition to security tools, data backups can help victims recover from file-encrypting ransomware. If data is backed up, it can be safely restored once the ransomware is removed.

The complete security system
In this paper we have discussed various types of ransomware, their delivery mechanisms, the different encryption techniques deployed, and the use of Windows APIs to lock the computer screen. SophosLabs analyzes such ransomware types on a daily basis and monitors their development to ensure effective protection for users of Sophos products.

Today’s fast, targeted and silent threats take advantage of our ever-more open networks and the new technologies that support an increasingly mobile workforce. To combat this, organizations need depth to their security strategy to cover endpoints, networks, servers, data, email and web usage, and mobile devices. And it’s crucial that protection is consistent and easy to administer—so it can work at every point across the entire network, just like security threats do.
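The backup advice above ("if data is backed up it can be safely restored once the ransomware is removed") hides two practical questions: how do you tell which files a file encryptor touched, and how do you restore only those without clobbering work done since the backup? The following Python is an added example written for this page, not code from the paper or from any Sophos product. It records a hash manifest at backup time, then compares the live file set against it and flags files whose content changed and now looks like ciphertext (high Shannon entropy), before restoring exactly those from the backup copy. ENTROPY_THRESHOLD, build_manifest, check_against_manifest, restore_from_backup and the sample file sets are all assumptions constructed for the example.

```python
import hashlib
import math
from typing import Dict, List

# Bits of entropy per byte above which a file that used to be a document or
# spreadsheet is treated as probably encrypted (assumed threshold; plain text
# sits around 4-5, compressed or encrypted data close to 8).
ENTROPY_THRESHOLD = 7.0


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: near 0 for repetitive content,
    near 8 for compressed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Taken at backup time: one hash per file. Keep it with the backup, on
    media the workstation itself cannot overwrite."""
    return {name: sha256_hex(data) for name, data in files.items()}


def check_against_manifest(manifest: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Sort live files into: intact, modified (hash changed, still low
    entropy), suspected_encrypted (hash changed and now high entropy),
    missing (in manifest but gone) and new (not in manifest)."""
    report: Dict[str, List[str]] = {
        k: [] for k in ("intact", "modified", "suspected_encrypted", "missing", "new")
    }
    for name, expected in manifest.items():
        data = current.get(name)
        if data is None:
            report["missing"].append(name)
        elif sha256_hex(data) == expected:
            report["intact"].append(name)
        elif shannon_entropy(data) >= ENTROPY_THRESHOLD:
            report["suspected_encrypted"].append(name)
        else:
            report["modified"].append(name)
    report["new"] = [n for n in current if n not in manifest]
    return report


def restore_from_backup(backup: Dict[str, bytes], current: Dict[str, bytes],
                        report: Dict[str, List[str]]) -> Dict[str, bytes]:
    """Replace suspected-encrypted and missing files from the backup copy,
    leaving legitimately edited files alone. Returns the repaired file set."""
    repaired = dict(current)
    for name in report["suspected_encrypted"] + report["missing"]:
        repaired[name] = backup[name]
    return repaired


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


# Constructed sample backup and live file set; none of this is real user data.
BACKUP = {
    "invoice.txt": b"Invoice 1001\nAmount: 250.00\nStatus: paid\n" * 20,
    "notes.txt": b"Meeting notes: review backup policy quarterly.\n" * 20,
    "ledger.csv": b"id,amount\n1,100\n2,250\n" * 50,
}
MANIFEST = build_manifest(BACKUP)
CURRENT = {
    "invoice.txt": BACKUP["invoice.txt"],                              # untouched
    "notes.txt": BACKUP["notes.txt"] + b"Action: test a restore.\n",   # legitimately edited
    "ledger.csv": _pseudo_random(len(BACKUP["ledger.csv"])),           # overwritten with ciphertext-like bytes
    "README_DECRYPT.txt": b"Your files have been encrypted.\n",       # constructed ransom note
}


def backup_demo():
    """Classify the live set against the manifest, then repair from backup."""
    report = check_against_manifest(MANIFEST, CURRENT)
    return report, restore_from_backup(BACKUP, CURRENT, report)


if __name__ == "__main__":
    report, repaired = backup_demo()
    for category, names in report.items():
        print(f"{category}: {names}")
```

Entropy alone is a heuristic: already-compressed formats (zip, jpeg) score high even when intact, which is why the check is gated on the hash having changed first, and a real tool would also whitelist such extensions. The manifest must live somewhere the infected machine cannot modify, otherwise a file encryptor that also rewrites the manifest leaves nothing to compare against.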
This is why we recommend a complete security system to help you cover the full security lifecycle. Obviously how you achieve this will depend greatly on your environment and your specific security priorities. You should consider each of these six primary strategies of a complete security system.

1. Reduce the attack surface. Take an active approach that monitors more than malware, including threats like vulnerabilities, applications, websites and spam. Ensure that the software you use, including applications, browsers and plugins, is up to date, minimizing the risk from exploit-based attacks. Using the plugin-on-demand feature available in some browsers can also help reduce attacks from exploit kits using hidden content on websites.

2. Protect everywhere. Make sure users are protected wherever they are and whatever device they’re using, and combine endpoint (including mobile), gateway and cloud technologies to share data and work together to provide better protection without impacting users and performance.

3. Stop malware attacks. Move beyond simply relying on antivirus signatures and look at layers of detection that stop threats at different stages of their execution. And ensure protection also looks at risky user behavior, not just malicious code.

4. Back up data. Many forms of ransomware use encryption that is effectively unbreakable. Given the untrustworthy nature of ransomware authors, the only way to guarantee the return of your files is to restore them from your own backups.

5. Stop data leaks and breaches. There are three components of an information security strategy: the things you’re required to do by law; the operational processes and procedures you put into place; and the technology tools you use to get the job done.

6. Keep people working. Complexity is the enemy of security. Operational efficiency needs to be prioritized for both your users and IT staff. Consider workflows—what gets in the way or slows your users down? By focusing on removing these barriers or problems, your security improves and your staff and users will be more efficient and happier too.

Complete Security Suites
Sign up for a free trial at sophos.com

United Kingdom and Worldwide Sales: Tel: +44 (0)8447 671131 Email: sales@sophos.com
North American Sales: Toll Free: 1-866-866-2802 Email: nasales@sophos.com
Australia and New Zealand Sales: Tel: +61 2 9409 9100 Email: sales@sophos.com.au

Boston, USA | Oxford, UK
© Copyright 2013. Sophos Ltd. All rights reserved. All trademarks are the property of their respective owners. wpna.03.13