As the impact and severity of crypto ransomware attacks have grown over the past 2½ years, Webroot has fought back -- not just by building a next-generation endpoint solution capable of preventing ransomware attacks but also by being a thought leader.
That's why we've prepared this presentation that explores ransomware's evolution, the dangers of ransomware for your business, and best practices to avoid being a crypto ransomware victim.
2. Friday, February 10, 2017
Agenda
Major threat trends
Ransomware's evolution
How ransomware infects systems
Costs of ransomware attacks
How to avoid being a crypto ransomware victim
Conclusion
Polymorphic Malware Is the Norm
Source: Webroot – 2016 Threat Brief, February 2016
97% of new malware is unique to a specific endpoint, rendering signature-based security obsolete.
Malware and PUAs have become overwhelmingly polymorphic.
“Good” and “Bad” Websites
Source: Webroot – 2016 Threat Brief, February 2016
High Success Rates of Phishing Attacks
Source: Webroot – 2016 Threat Brief, February 2016
50% of internet users will fall for a zero-day phishing attack in a year.
Mobile Apps Are Riskier than Ever
Source: Webroot – 2016 Threat Brief, February 2016
Chart: share of unwanted and malicious Android apps, 2014 vs 2015 (the increase indicates a shift to malicious and unwanted apps).
What Is Crypto Ransomware?
Classification: Trojan horse
Type: Ransomware/crypto virus
OS affected: Windows
First observed: September 2013
Drive types: Local, network, and removable
Infection vector: Spam botnet lures victim; phishing email with attachment; attachment downloader gets Zeus; Zeus gets CryptoLocker/CryptoDefense
Evolution of Crypto Ransomware
01 Increasing adoption of IP anonymizing services
02 Ransomware-as-a-service
03 Detection issues due to thread injection, process hollowing, and new exploits
04 Expanding past Windows to macOS
Now a commodity extortion service!
Hi. Crypto-ransomware is causing a lot of organizations a lot of issues, and its impacts can be mitigated. The key is in "knowing the enemy". This presentation is all about giving you insight into threats generally and then specifically into crypto-ransomware and its workings, and most importantly some of the things you can do to mitigate the significant damage crypto-ransomware will likely cause to your business.

So we're going to cover today's major threat trends, how ransomware has evolved, how it infects systems, what it can cost you, how to mitigate those costs and risks, and then wrap up with a conclusion.

So let's kick off with threat trends: what we've seen from events with our customers and our over 40 OEM vendor partners. It will give you a good idea why we are under siege right now on many fronts.
When we look at all our data for endpoint security, on average each customer encountered about 1.6 new and unique instances of malware and 3 new instances of PUAs (potentially unwanted apps) in 2015. We saw executable threats continue to emerge quickly in 2015, and they were highly customized and targeted. The standout finding was that over 97% of the malware encountered was seen on only a single endpoint. Why? Because polymorphism, the ability to change with each iteration, became the norm.

The sheer number of variations among malware was dramatic too. In 2014 there were 700 file instances per malware family; in 2015, less than 100. In 2014 there were 30,000 file instances per PUA family; in 2015, just over 260 per family. This clearly demonstrates that attackers are making malware more difficult to detect and are using polymorphic distribution models and rapid new variant generation to circumvent detection. Signature database AV is now officially dead.
Webroot's BrightCloud security intelligence services, which we provide to our OEM partners, harness both URL categorization and URL reputation data. It's this that provides us with some really interesting insights into the internet. On the left we see the top ten categories of URL visited, and on the right we see URL categories by actual risk to users. All those circled would be considered safe URLs in any work internet usage and access policy. But, as we can see, those categories are far from being safe: "good" can literally be bad, and we also find the opposite, that "bad" URL categories are often good. This just clarifies the risks you face in daily normal use of the web.
There is one particular type of attack I know we're all too familiar with: the notorious phishing attack. We developed a real-time way of stopping phishing with another vendor that protects high-net-worth individuals. Phishing is still one of the most effective methods of compromise. In 2015 we detected many more phishing pages than in 2014, and based on all our data we saw the average user had a 50% chance of being the victim of a zero-day phishing site attack.

What makes phishing detection so difficult is that sites are often individualized, only active for a few hours, or exist only as long as it takes for a pre-specified number of users to be compromised. This means that having a blacklist to defend against phishing doesn't really work or scale; the only way to effectively defend users is to have a real-time awareness and prevention strategy in place.
Given the prevalence of smartphones and tablets and the popularity of BYOD, it's not surprising mobile devices are being heavily targeted. Android in particular had spectacular app growth in 2015, doubling from 10 to over 20 million apps. 2014 to 2015 showed a major shift in Android malware: in the first half of 2014, 21% of apps were malicious or unwanted. In contrast, during the second half of 2015, 52% were unwanted or malicious. Android apps are riskier than ever, while on the Apple side we see little malware. The learning is simple: Android mobile devices need protecting, as they are now not only easy to steal from but can also compromise networks too.
So let's look at crypto-ransomware and its evolution to where we are today.

At a really high level, crypto-ransomware is a crypto virus Trojan horse that targets mainly Windows operating systems, but Mac and Linux also get attention. From a timing perspective, the very first instances of what might be considered an alpha or beta test version were seen nearly 3 years ago, during mid-summer of 2013. What may then be considered a full production version of crypto-ransomware was observed in early September 2013. The crypto infections then came surely and swiftly afterwards, leaving unsuspecting consumers and only a few businesses completely bewildered in many cases.

Crypto-ransomware basically looks at the data on your device and encrypts it. It will look at the full spectrum of hard drive sources it can encrypt, including local hard drives, network drives, removable hard drives and even attached USB devices. The infection vector was typically a multi-step process involving multiple actions and utilities, including spam, phishing, downloaders, and eventually the crypto-ransomware itself; we will look at that process later. I would add that crypto-ransomware has evolved to newer, more direct methods today, as a one-step rather than the multi-step process it was in the beginning.

So it's really a combination of all the threats we are seeing that is contributing to higher infection rates and the inexorable rise of crypto-ransomware. However, the reason for the massive acceleration this year is that crypto-ransomware is now a malware commodity, ransomware as a service, with the ability for anyone to go into the extortion business. The picture on the right shows you how easy it is to choose a whole set of variants in the design of an attack. Attackers are also using anonymizing services such as Tor for delivery and key provisioning, to make it difficult to identify the individuals or groups behind attacks. Ransomware varies widely in its technical sophistication, using thread injection, process hollowing, and other new exploit techniques to evade detection. We've also recently seen the first JavaScript-based ransomware, Ransom32. This has a profound impact today, since JavaScript can easily be adapted for numerous platforms, including some that have not been widely targeted before, such as Linux and Mac OS X. Sure as night follows day, we saw KeRanger, the first broad-scale Mac ransomware, emerge in February this year.

In 2016 it has become a business plague: 4,000+ attacks per day in Q1 (Symantec); 158,000 businesses targeted compared to 27,000 in 2015 (Kaspersky). Ransomware is now a significant and major threat to organizations and follows the primary criminal rule: follow the easy money!
So let's take a deeper look at how some ransomware is infecting systems. We're going to look at what a typical user sees with Zeus-specific crypto-ransomware.

As we can see, the first step (no. 1) is a phishing email that has a ZIP file attachment. Inside the ZIP is what appears to the user as a PDF/DOC/text attachment, but this is actually the initial dropper. Once launched, this silently drops a polymorphic executable into a random Temp or AppData folder. This then communicates with a command and control server, which receives specific information already gathered about your PC, and based on that info the right crypto-ransomware, pre-built for your specific PC environment, is delivered. (This step is needed because different operating systems may have different policies and require different commands to take control.)

The only thing the user will notice is item number 2: through application binding, the dropper will also open a corresponding "fake" document with gibberish filler or "Error!" It might also be accompanied by a simple pop-up dialog box (item 3) with errors telling you to upgrade your Adobe Reader, .NET Framework, Flash, etc. The virus will then delete the original malicious dropper and replace it with a harmless saved copy of the just-opened "error" PDF/DOC/text file with the same name, making the user think it was just a harmless document the entire time. All of what I just explained takes place in less than a second.

If you notice, the left and right file comparison are the before and after of the encrypting ransomware deployment. The icons used on the dropper (left) are just barely off what a legitimate document icon would be in MS Windows (right). All of these social engineering tactics are very successful at establishing legitimacy in the mind of the average user, transforming what would be an alert for malware concern into simple frustration over random issues with common software. This is the goal of the malware author, as it gives the encrypting ransomware a greater chance to deploy on the system and encrypt your files before your AV would have signatures for it.
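As an added example (not code from the Webroot deck), the dropper sequence described above can be expressed as a correlation rule over endpoint telemetry: a process whose name poses as a document, an executable written under Temp or AppData, an outbound connection, and the dropper deleting its own file. The event format, field names, heuristics and sample records below are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed heuristics for the four dropper signals described in the slide notes.
DECOY_NAME = re.compile(r"\.(pdf|docx?|txt)\.(exe|scr)$", re.IGNORECASE)   # "document" that is really an executable
STAGING_DIR = re.compile(r"\\AppData\\(Local\\Temp|Roaming|Local)\\", re.IGNORECASE)
EXEC_EXT = re.compile(r"\.(exe|dll|scr)$", re.IGNORECASE)

def correlate(events):
    """Group simplified endpoint events by pid and collect the dropper signals each process shows."""
    image_of = {}                 # pid -> image path recorded at process creation
    signals = defaultdict(set)
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            image_of[pid] = ev["image"]
            if DECOY_NAME.search(ev["image"]):
                signals[pid].add("decoy_document_name")
        elif kind == "file_create":
            if STAGING_DIR.search(ev["path"]) and EXEC_EXT.search(ev["path"]):
                signals[pid].add("executable_staged_in_temp_or_appdata")
        elif kind == "network_connect":
            signals[pid].add("outbound_connection")
        elif kind == "file_delete" and ev["path"].lower() == image_of.get(pid, "").lower():
            signals[pid].add("self_delete")       # dropper removing its own image
    return {pid: sorted(s) for pid, s in signals.items()}

def alerts(events, min_signals=3):
    """Return only the processes that show at least min_signals of the four dropper signals."""
    return {pid: s for pid, s in correlate(events).items() if len(s) >= min_signals}

# Constructed sample telemetry (not real logs): pid 4100 is the dropper chain, pid 5200 a normal Word session.
SAMPLE_EVENTS = [
    {"pid": 4100, "type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\Temp1_Invoice.zip\Invoice.pdf.exe"},
    {"pid": 4100, "type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\k3f9qz\svchosts.exe"},
    {"pid": 4100, "type": "network_connect", "dest": "203.0.113.10:443"},
    {"pid": 4100, "type": "file_delete", "path": r"C:\Users\alice\AppData\Local\Temp\Temp1_Invoice.zip\Invoice.pdf.exe"},
    {"pid": 5200, "type": "process_create", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 5200, "type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\~DF1A2B.TMP"},
    {"pid": 5200, "type": "network_connect", "dest": "203.0.113.44:443"},
]

if __name__ == "__main__":
    for pid, found in alerts(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(found)}")
```

The benign Word process also writes to Temp and talks to the network, which is why a single signal is not worth an alert and the rule only fires on the combination.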