Nick Bilogorskiy
o Facebook, Cyphort
o Fighting viruses and cybercrime.
o Nova Ukraine and the diaspora in San Francisco.
Who am I?
Nick Bilogorskiy
nick@novaukraine.org
Tel USA:
+1-408-203-4323
Tel Ukraine:
+38-063-315-7774
www.novaukraine.org
SILICON VALLEY
facebook.com/OpenUkraineOfficeNow
Founded
In 2011 by a team of
security experts.
Launched our
Advanced Threat
Defense Platform
product in Q3 2013
HQ
Located in the heart
of Silicon Valley
Santa Clara, CA
80+ people
Funding Winning!
Network-Based Next Generation APT Defense
Correlated Visibility
Next-Gen Perimeter Defense
with Lateral Movement
Virtualized Deployment
Flexible Software-based
Security Solution
Dynamic Detection
Machine Learning plus
Behavioral Inspection
CYPHORT THREAT DEFENSE PLATFORM
Collector
Cyphort Core
Inspection
Analytics
Correlation
Collection
Collector
Collector
Cyphort Architecture Advantage
Collector:
Headquarters
Web Traffic
Collector:
Branch Office
Web Traffic
Collector:
Data Center
Collector:
Email
Collect
Infection
Verification
(Native, Carbon-
Black, Tanium,
Confer)
Mitigation & Enforcement
Publish Blocking Data
To Existing: FW, IPS and SWG
API based or manual
{ Verify infection on suspect
endpoints before cleaning }
Act
API
API
Cyphort Global
Security Services
Cyphort Core
Multi-method Inspection
Machine Learning Analytics
Correlation
User &
Asset Data
Inspection
Analytics
Correlation
Inspect
Cyphort Golden Image
Goals
Civil society
Fighting corruption
Humanitarian aid
Aid to displaced persons
Educational programs
Promoting Ukraine in the USA
Helping families
100 boxes of clothing
With money
PayPal donate@novaukraine.org
With your time
Email volunteer@novaukraine.org
Spread the word about us
LIKE facebook.com/novaukraine.org
novaukraine.org
How to help
What is Ransomware
Ransomware is any
malware that demands
the user pay a ransom.
There are two types of
ransomware: lockers
and crypters.
Kovter
o More IOT (Internet Of Things) security incidents
Prediction #4
TOR Primer
• easy to use,
• fast,
• publicly available,
• decentralized, and
• Provides anonymity, which
serves to encourage
extortion.
Bitcoin Primer
How often do you backup?
Computer Backup Frequency 2008-2015 (BackBlaze data)
Frequency 2008 2009 2010 2011 2012 2013 2014 2015
Daily 6% 6% 8% 6% 10% 10% 9% 8%
Other 56% 57% 58% 60% 10% 59% 63% 67%
Never 38% 37% 34% 34% 31% 29% 28% 25%
The Ransomware Business Model
o 90% of people do not backup daily
o Data Theft in place
o Anonymity (TOR, Bitcoin)
o Operating with impunity in Eastern Europe
o Extortion
o Focus on ease of use to drive conversion
o Currently 50% pay the ransom,
it was 41% 2 years ago
Bitcoin Ransom Sent
C&C
Server
Private Key Sent
Locked Files
Unlocked Files
The Ransomware Business Model
HOSPITALS
Hollywood Presbyterian
Medical Center, Kentucky
Methodist Hospital,
Alvarado Hospital Medical
Center and King's
Daughters' Health, Kentucky
Methodist Hospital, Chino
Valley Medical Center and
Desert Valley Hospital,
Baltimore’s Union Memorial
Hospital, and many others
POLICE
Tewksbury Police Department
Swansea Police Department
Chicago suburb of Midlothian
Dickson County, Tennessee
Durham, N.H
Plainfield, N.J
Collinsville, Alabama,
hackers in Detroit demanded
$800,000 in bitcoin after they
had encrypted the city's
database.
Known Victims… So far
GOVERNMENT
321 incident reports of
"ransomware-related
activity" affecting 29
different federal
networks since June
2015, according to the
Department of
Homeland Security.
SCHOOLS
South Carolina school
district paid $10,000. A
New Jersey school district
was hit, holding up the
computerized PARCC exams.
Follett Learning's Destiny
library management
software, which is used in
US schools, is vulnerable to
SamSam ransomware.
Apr 30, 2016:
In the past 48 hours, the House Information Security
Office has seen an increase of attacks on the House
Network […] focused on putting “ransomware” on users’
computers. […] As part of that effort, we will be blocking
access to YahooMail on the House Network until further
notice.
Recorded Future
Stats
500%
growth last year
Ransomware: The Price You Pay
2014 - $24 M. | 2015 - $24 M. | 2016 - $209 M in Q1
o network mitigation
o network countermeasures
o loss of productivity
o legal fees
o IT services
o purchase of credit monitoring
services for employees or
customers
o Potential harm to an
organization’s reputation.
Ransomware: Additional Costs
2016 Ransomware tricks
1. Targeting businesses (e.g. hospitals) rather than
individuals.
2. Deleting files at regular intervals to increase the
urgency to pay ransom faster – Jigsaw
3. Encrypting entire drives - Petya
4. Encrypting web servers data -
RansomWeb, Kimcilware
2016 Ransomware tricks
5. Encrypting data on unmapped
network drives - DMA Locker,
CryptoFortress
6. Deleting or overwriting cloud
backups.
7. Encrypting each file with its
own unique key - Rokku
2016 Ransomware tricks
8. Targeting non-Windows platforms
– SimpleLocker, KeRanger
9. Using the computer speaker to
speak to the victim - Cerber
10. Ransomware as a service – Tox
11. Using counter-detection malware
armoring, anti-VM and anti-
analysis functions - CryptXXX
Cerber Bitcoin Mixing service
o Cerber distributes
ransomware through
affiliates
o At least 150,000 victims a
month
o tens of thousands of Bitcoin
wallets in the mixing service
o 20% cut
Checkpoint
IOT - Smart TV Ransomware
o Flocker Ransomware
infects Smart TVs
o aka Frantic Locker
o locks screen and demands
$200 in iTunes gift cards
IOT Thermostat Ransomware
o proof-of-concept
ransomware for smart
thermostats at DEFCON
o Locks temperature at 99
degrees until the owner pays
a ransom to obtain a PIN
which would unlock it.
HiddenTear – PokemonGo ransomware
o Hidden-Tear is masquerading
as a Pokémon GO application
for Windows.
o targeting Arabic users
o This one spreads by copying
the executable to all drives
with autorun
CuteRansomware uses Google Docs
How do Users get Ransomware?
Osterman research
Tips to Avoid Ransomware Infection
o Install the latest patches for your software,
especially Adobe, Microsoft and Oracle apps
o Use network protection
o Use a comprehensive endpoint security
solution with behavioral detection
o Turn Windows User Account Control (UAC) on
o Block Macros
Tips to Avoid Ransomware Infection
o Be skeptical: Don’t click on anything
suspicious
o Block popups and use an ad-blocker
o Override your browser’s user-agent*
o Consider Microsoft Office viewers
o Disable Windows Script Host
Tips to Avoid Losing Data to Ransomware
o Identify Ransomware and look for a decryptor:
https://id-ransomware.malwarehunterteam.com/
o Shadow Copies
o Turn off computer at first signs of infection
o Remember: the only effective
ransomware defense is backup
Tips to Avoid Losing Data to Ransomware
o List of free decryptors: http://bit.ly/decryptors
Malvertising
Malvertising is the use of online advertising to spread
malware.
Malvertising involves injecting malicious ads into
legitimate online advertising networks and web pages.
Anti-Malvertising.com
What is Malvertising
How Malvertising works
User
Visits a popular
website, gets infected
via exploit kit
Website
Serves a banner ad,
sometimes malicious
Attacker
Creates and injects malware
ads into advertising network
Advertising Network
Selects an ad based on
auction, sends to the website
Rise of Malvertising
[Chart: Malvertising domains per year. 2014: 910; 2015: 1654; 2016: 2102]
Techniques to avoid detection
o Enable malicious
payload after a delay
o Only serve exploits to
every 10th user
o Verifying user agents
and IP addresses
o HTTPS redirectors

HackIT Ukraine
 

More from HackIT Ukraine (20)

"CyberGuard — проект государственно-частного партнерства по созданию киберцен...
"CyberGuard — проект государственно-частного партнерства по созданию киберцен..."CyberGuard — проект государственно-частного партнерства по созданию киберцен...
"CyberGuard — проект государственно-частного партнерства по созданию киберцен...
 
"В поисках уязвимостей мобильных приложений", Алексей Голубев
"В поисках уязвимостей мобильных приложений", Алексей Голубев"В поисках уязвимостей мобильных приложений", Алексей Голубев
"В поисках уязвимостей мобильных приложений", Алексей Голубев
 
"Безопасность и надежность ПО в техногенном мире", Владимир Обризан
"Безопасность и надежность ПО в техногенном мире", Владимир Обризан"Безопасность и надежность ПО в техногенном мире", Владимир Обризан
"Безопасность и надежность ПО в техногенном мире", Владимир Обризан
 
"Технология блокчейн: новые возможности и новые уязвимости", Дмитрий Кайдалов
"Технология блокчейн: новые возможности и новые уязвимости", Дмитрий Кайдалов"Технология блокчейн: новые возможности и новые уязвимости", Дмитрий Кайдалов
"Технология блокчейн: новые возможности и новые уязвимости", Дмитрий Кайдалов
 
"Безопасные Биткоин-транзакции без специального оборудования", Алексей Каракулов
"Безопасные Биткоин-транзакции без специального оборудования", Алексей Каракулов"Безопасные Биткоин-транзакции без специального оборудования", Алексей Каракулов
"Безопасные Биткоин-транзакции без специального оборудования", Алексей Каракулов
 
"Growth hack в маркетинге и бизнесе", Максим Мирошниченко
"Growth hack в маркетинге и бизнесе", Максим Мирошниченко"Growth hack в маркетинге и бизнесе", Максим Мирошниченко
"Growth hack в маркетинге и бизнесе", Максим Мирошниченко
 
"Как ловят хакеров в Украине", Дмитрий Гадомский
"Как ловят хакеров в Украине", Дмитрий Гадомский"Как ловят хакеров в Украине", Дмитрий Гадомский
"Как ловят хакеров в Украине", Дмитрий Гадомский
 
"Security Requirements Engineering", Oleksii Baranovskyi
"Security Requirements Engineering", Oleksii Baranovskyi"Security Requirements Engineering", Oleksii Baranovskyi
"Security Requirements Engineering", Oleksii Baranovskyi
 
"Наступну атаку можна попередити", Олександр Чубарук
"Наступну атаку можна попередити", Олександр Чубарук"Наступну атаку можна попередити", Олександр Чубарук
"Наступну атаку можна попередити", Олександр Чубарук
 
"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
"Preventing Loss of Personal Data on a Mobile Network", Oleksii Lukin
 
"How to make money with Hacken?", Dmytro Budorin
"How to make money with Hacken?", Dmytro Budorin"How to make money with Hacken?", Dmytro Budorin
"How to make money with Hacken?", Dmytro Budorin
 
"Using cryptolockers as a cyber weapon", Alexander Adamov
"Using cryptolockers as a cyber weapon", Alexander Adamov"Using cryptolockers as a cyber weapon", Alexander Adamov
"Using cryptolockers as a cyber weapon", Alexander Adamov
 
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde..."Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
 
"Bypassing two factor authentication", Shahmeer Amir
"Bypassing two factor authentication", Shahmeer Amir"Bypassing two factor authentication", Shahmeer Amir
"Bypassing two factor authentication", Shahmeer Amir
 
"Системы уникализации и идентификации пользователей в сети. Методы защиты от ...
"Системы уникализации и идентификации пользователей в сети. Методы защиты от ..."Системы уникализации и идентификации пользователей в сети. Методы защиты от ...
"Системы уникализации и идентификации пользователей в сети. Методы защиты от ...
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali
 
"Hack it. Found it. Sell it. How hackers can be successful in the business wo...
"Hack it. Found it. Sell it. How hackers can be successful in the business wo..."Hack it. Found it. Sell it. How hackers can be successful in the business wo...
"Hack it. Found it. Sell it. How hackers can be successful in the business wo...
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
Вадим Ковкин - Безопасный коммуникатор: миф или реальность?
Вадим Ковкин - Безопасный коммуникатор: миф или реальность?Вадим Ковкин - Безопасный коммуникатор: миф или реальность?
Вадим Ковкин - Безопасный коммуникатор: миф или реальность?
 
Денис Шокотько - Опыт создания продукта в области информационной безопасности.
Денис Шокотько - Опыт создания продукта в области информационной безопасности.Денис Шокотько - Опыт создания продукта в области информационной безопасности.
Денис Шокотько - Опыт создания продукта в области информационной безопасности.
 

Recently uploaded

Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024
Massimo Talia
 
Online aptitude test management system project report.pdf
Online aptitude test management system project report.pdfOnline aptitude test management system project report.pdf
Online aptitude test management system project report.pdf
Kamal Acharya
 
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
Amil Baba Dawood bangali
 
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Sreedhar Chowdam
 
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
ydteq
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
AJAYKUMARPUND1
 
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressionsKuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
Victor Morales
 
An Approach to Detecting Writing Styles Based on Clustering Techniques
An Approach to Detecting Writing Styles Based on Clustering TechniquesAn Approach to Detecting Writing Styles Based on Clustering Techniques
An Approach to Detecting Writing Styles Based on Clustering Techniques
ambekarshweta25
 
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
SamSarthak3
 
basic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdfbasic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdf
NidhalKahouli2
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
Osamah Alsalih
 
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesHarnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Christina Lin
 
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
zwunae
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
JoytuBarua2
 
Recycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part IIIRecycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part III
Aditya Rajan Patra
 
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
ssuser7dcef0
 
Fundamentals of Induction Motor Drives.pptx
Fundamentals of Induction Motor Drives.pptxFundamentals of Induction Motor Drives.pptx
Fundamentals of Induction Motor Drives.pptx
manasideore6
 
Unbalanced Three Phase Systems and circuits.pptx
Unbalanced Three Phase Systems and circuits.pptxUnbalanced Three Phase Systems and circuits.pptx
Unbalanced Three Phase Systems and circuits.pptx
ChristineTorrepenida1
 
Fundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptxFundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptx
manasideore6
 
Cosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdfCosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdf
Kamal Acharya
 

Recently uploaded (20)

Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024Nuclear Power Economics and Structuring 2024
Nuclear Power Economics and Structuring 2024
 
Online aptitude test management system project report.pdf
Online aptitude test management system project report.pdfOnline aptitude test management system project report.pdf
Online aptitude test management system project report.pdf
 
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...
 
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
 
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
 
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressionsKuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
 
An Approach to Detecting Writing Styles Based on Clustering Techniques
An Approach to Detecting Writing Styles Based on Clustering TechniquesAn Approach to Detecting Writing Styles Based on Clustering Techniques
An Approach to Detecting Writing Styles Based on Clustering Techniques
 
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
 
basic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdfbasic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdf
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
 
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesHarnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
 
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
 
Recycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part IIIRecycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part III
 
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...
 
Fundamentals of Induction Motor Drives.pptx
Fundamentals of Induction Motor Drives.pptxFundamentals of Induction Motor Drives.pptx
Fundamentals of Induction Motor Drives.pptx
 
Unbalanced Three Phase Systems and circuits.pptx
Unbalanced Three Phase Systems and circuits.pptxUnbalanced Three Phase Systems and circuits.pptx
Unbalanced Three Phase Systems and circuits.pptx
 
Fundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptxFundamentals of Electric Drives and its applications.pptx
Fundamentals of Electric Drives and its applications.pptx
 
Cosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdfCosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdf
 

Nick Bilogorskiy - Everyday Life in Silicon Valley. The story of Nick's career, fighting hackers, and cybersecurity products.

  • 1. Nick Bilogorskiy o Facebook, Cyphort o Fighting viruses and cybercrime. o Nova Ukraine and the diaspora in San Francisco.
  • 2. Who am I? Nick Bilogorskiy nick@novaukraine.org Tel USA: +1-408-203-4323 Tel Ukraine: +38-063-315-7774 www.novaukraine.org
  • 6. Founded: In 2011 by a team of security experts. Launched our Advanced Threat Defense Platform product in Q3 2013. HQ: Located in the heart of Silicon Valley, Santa Clara, CA. 80+ people. Funding. Winning!
  • 8. Network-Based Next Generation APT Defense. Correlated Visibility: Next-Gen Perimeter Defense with Lateral Movement. Virtualized Deployment: Flexible Software-based Security Solution. Dynamic Detection: Machine Learning plus Behavioral Inspection.
  • 9. CYPHORT THREAT DEFENSE PLATFORM [diagram: Collectors feeding Cyphort Core (Collection, Inspection, Analytics, Correlation)]
  • 10. Cyphort Architecture Advantage [diagram: Collect: Collectors for Headquarters Web Traffic, Branch Office Web Traffic, Data Center, Email. Inspect: Cyphort Core (Multi-method Inspection, Machine Learning Analytics, Correlation), Cyphort Golden Image, User & Asset Data, Cyphort Global Security Services. Act: Infection Verification (Native, Carbon-Black, Tanium, Confer) { Verify infection on suspect endpoints before cleaning }; Mitigation & Enforcement: Publish Blocking Data To Existing FW, IPS and SWG, API based or manual]
  • 13. Goals: Civil society; Fighting corruption; Humanitarian aid; Aid to displaced persons; Educational programs; Promoting Ukraine in the USA
  • 18. 100 boxes of clothing
  • 19. How to help: With money: PayPal donate@novaukraine.org. With time: Email volunteer@novaukraine.org. Tell others about us: LIKE facebook.com/novaukraine.org. novaukraine.org
  • 21. What is Ransomware: Ransomware is any malware that demands the user pay a ransom. There are two types of ransomware: lockers and crypters.
  • 23. Prediction #4: More IoT (Internet of Things) security incidents
  • 25. Bitcoin Primer: easy to use, fast, publicly available, decentralized, and provides anonymity, which serves to encourage extortion.
  • 26. How often do you backup? Computer Backup Frequency 2008-2015 (BackBlaze data)

    | Frequency | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 |
    |-----------|------|------|------|------|------|------|------|------|
    | Daily     | 6%   | 6%   | 8%   | 6%   | 10%  | 10%  | 9%   | 8%   |
    | Other     | 56%  | 57%  | 58%  | 60%  | 10%  | 59%  | 63%  | 67%  |
    | Never     | 38%  | 37%  | 34%  | 34%  | 31%  | 29%  | 28%  | 25%  |

  • 27. The Ransomware Business Model: 90% of people do not back up daily; Data Theft in place; Anonymity (TOR, Bitcoin); Operating with impunity in Eastern Europe; Extortion; Focus on ease of use to drive conversion; Currently 50% pay the ransom, it was 41% 2 years ago
  • 28. The Ransomware Business Model [diagram: Locked Files; Bitcoin Ransom Sent; C&C Server; Private Key Sent; Unlocked Files]
  • 29. Known Victims… So far. HOSPITALS: Hollywood Presbyterian Medical Center, Kentucky Methodist Hospital, Alvarado Hospital Medical Center and King's Daughters' Health, Kentucky Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital, Baltimore’s Union Memorial Hospital, and many others. POLICE: Tewksbury Police Department; Swansea Police Department; Chicago suburb of Midlothian; Dickson County, Tennessee; Durham, N.H; Plainfield, N.J; Collinsville, Alabama; hackers in Detroit demanded $800,000 in bitcoin after they had encrypted the city's database. GOVERNMENT: 321 incident reports of "ransomware-related activity" affecting 29 different federal networks since June 2015, according to the Department of Homeland Security. SCHOOLS: South Carolina school district paid $10,000. A New Jersey school district was hit, holding up the computerized PARCC exams. Follett Learning's Destiny library management software, which is used in US schools, is vulnerable to SamSam ransomware.
  • 30. Apr 30, 2016: In the past 48 hours, the House Information Security Office has seen an increase of attacks on the House Network […] focused on putting “ransomware” on users’ computers. […] As part of that effort, we will be blocking access to YahooMail on the House Network until further notice.
  • 32. Ransomware: The Price You Pay 2014 - $24 M. | 2015 - $24 M. | 2016 - $209 M in Q1
  • 33. Ransomware: Additional Costs: network mitigation; network countermeasures; loss of productivity; legal fees; IT services; purchase of credit monitoring services for employees or customers; potential harm to an organization’s reputation.
  • 34. 2016 Ransomware tricks 1. Targeting businesses (e.g. hospitals) rather than individuals. 2. Deleting files at regular intervals to increase the urgency to pay ransom faster – Jigsaw 3. Encrypting entire drives - Petya 4. Encrypting web servers data - RansomWeb, Kimcilware
  • 35. 2016 Ransomware tricks 5. Encrypting data on unmapped network drives - DMA Locker, CryptoFortress 6. Deleting or overwriting cloud backups. 7. Encrypting each file with its own unique key - Rokku
  • 36. 2016 Ransomware tricks 8. Targeting non-Windows platforms - SimpleLocker, KeRanger 9. Using the computer speaker to speak to the victim - Cerber 10. Ransomware as a service - Tox 11. Using counter-detection malware armoring, anti-VM and anti-analysis functions - CryptXXX
  • 37. Cerber Bitcoin Mixing service: Cerber distributes ransomware through affiliates; at least 150,000 victims a month; tens of thousands of Bitcoin wallets in the mixing service; 20% cut (Checkpoint)
  • 38. IoT - Smart TV Ransomware: Flocker Ransomware infects Smart TVs; aka Frantic Locker; locks screen and demands $200 in iTunes gift cards
  • 39. IoT Thermostat Ransomware: proof-of-concept ransomware for smart thermostats at DEFCON; locks temperature at 99 degrees until the owner pays a ransom to obtain a PIN which would unlock it.
  • 40. HiddenTear - PokemonGo ransomware: Hidden-Tear is masquerading as a Pokémon GO application for Windows; targeting Arabic users; this one spreads by copying the executable to all drives with autorun
  • 42. How do Users get Ransomware? Osterman research
  • 43. Tips to Avoid Ransomware Infection: Install the latest patches for your software, especially Adobe, Microsoft and Oracle apps; Use network protection; Use a comprehensive endpoint security solution with behavioral detection; Turn Windows User Access Control on; Block Macros
  • 44. Tips to Avoid Ransomware Infection: Be skeptical: Don’t click on anything suspicious; Block popups and use an ad-blocker; Override your browser’s user-agent*; Consider Microsoft Office viewers; Disable Windows Script Host
  • 45. Tips to Avoid Losing Data to Ransomware: Identify Ransomware and look for a decryptor: https://id-ransomware.malwarehunterteam.com/; Shadow Copies; Turn off computer at first signs of infection; Remember: the only effective ransomware defense is backup
  • 46. Tips to Avoid Losing Data to Ransomware: List of free decryptors: http://bit.ly/decryptors
  • 48. What is Malvertising: Malvertising is the use of online advertising to spread malware. Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages. (Anti-Malvertising.com)
  • 49. How Malvertising works [diagram: Attacker: creates and injects malware ads into advertising network. Advertising Network: selects an ad based on auction, sends to the website. Website: serves a banner ad, sometimes malicious. User: visits a popular website, gets infected via exploit kit]
  • 50. Rise of Malvertising [chart: Malvertising domains per year: 2014: 910; 2015: 1654; 2016: 2102]
  • 51. Techniques to avoid detection: Enable malicious payload after a delay; Only serve exploits to every 10th user; Verifying user agents and IP addresses; HTTPS redirectors

Editor's Notes

  1. Cyphort was founded in 2011 by a team of security researchers with experience in government and private security companies. The Cyphort advanced threat defense platform has been generally available since Q3 of 2013, with a growing list of customers. We are headquartered in Santa Clara in the heart of Silicon Valley and are very well funded by top-tier venture firms. Since coming out of stealth mode, we have been named a top innovator at RSA 2014 and Network World, in addition to winning the Info Security Products Guide Global Excellence award.
  2. Slide purpose: Establish Cyphort as the next generation solution for APT defense that fixes what is broken with the 1st generation solutions. There are three areas that need to be highlighted. Cyphort is the next generation APT defense solution. We have learned from the customers and built a product that closes the gaps left open by the 1st generation solutions. 1. Cyphort can identify malware and threat activity moving across the enterprise perimeter and laterally inside the network. A correlated view of this entire threat activity provides a better understanding of what threats are active and what they are doing in your organization. 2. Cyphort has built a malware and threat detection engine that evolves as the threats evolve. Cyphort utilizes a machine learning analytics engine that learns and evolves as it encounters new threats. Additionally, a behavioral inspection environment consisting of an adaptive array of sandboxes ensures highly evasive malware displays its behavior for effective detection. Custom golden image based sandbox environments add refinement and local context to detection. 3. The Cyphort solution is easily and cost-effectively deployed in single locations, across distributed enterprises and/or virtualized cloud environments for ultimate flexibility and scalability. The Cyphort solution is delivered as software and VM that can be installed on general-purpose hardware, virtual machines and cloud environments. An extensive open API helps integration with the rest of your security infrastructure to provide rapid incident response and threat containment.
  3. Collection: Cyphort collectors are deployed across the enterprise covering Web, Mail, Data Center, Cloud, and additional parallel P2P data flow to continuously monitor traffic and objects for analysis. Cyphort creates full visibility into an organization, allowing for analysis of any potential malicious object or traffic such as C&C. Also, as mentioned, if instrumentation or file carving exists you can just push us data. Inspection: Cyphort has built an industry-first Static & Behavioral Interrogation environment. First, Cyphort uses static analysis models to find indicators from objects that could help determine the user target, asset targets, and any C&C information. After static analysis, objects are moved into behavioral analysis environments, which use multiple architectures such as full virtualization, emulation, and golden image modules to detonate objects and discover their full behavior. We cover Windows & OSX. Analytics: The information from the Inspection stage is then passed to the Analysis engine, which uses machine learning to turn indicators into features (we currently have over 2000 features), which allow for highly accurate detection. Correlation: From there the Cyphort Correlation Module correlates all indicators, metadata, and local asset data to determine: the severity of malware; the risk of the overall incident; the technique the attackers are using; the proper mitigation for the right enforcement devices. Infection Verification Pack: Cyphort collects all the persistent artifacts from our detonation environments as IOCs (Indicators of Compromise) and provides them as an MSI file for endpoint validation of active threats. We also use custom algorithms to determine the possible paths a polymorphic malware can write to, removing false-negative possibilities on the endpoint.
  8. type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction
  9. Lockers vs Cryptoware. During 2013, Kovter acted as police ransomware, remaining on the device, listening to the user’s traffic, “waiting” for something to happen. Once a user enters their account credentials or uses file sharing applications to download unsolicited files, Kovter pops up a message stating the user violated the law, demanding they pay a fine. Another similar attack was a 2012 Trojan called Reveton. It claimed that the computer had been used for illegal activities, such as downloading pirated software or child pornography. The warning informs the user that to unlock their system, they would have to pay a fine using a voucher from an anonymous prepaid cash service such as Ukash or Paysafecard. To increase the illusion that the computer is being tracked by law enforcement, the screen also displays the computer's IP address, while some versions display footage from a victim's webcam to give the illusion that the user is being recorded. These threats are very effective, convincing and dangerous. They can even claim a human life. Joseph Edwards, 17, hanged himself after receiving a scam e-mail which he believed was from the police and referred to indecent photos.
  10. Ransomware encrypts files on a user’s computer and renders them unusable until the victim pays the ransom and obtains the key to decrypt. Cybercriminals are making millions of dollars from ransomware. According to forecasts and assessments made by experts, the threat of ransomware will continue to rise in the months and years to come. In many cases, victims are left with no other choice than to pay the attackers, and even the FBI often advises victims to pay the ransom as the only recourse. Traditional methods and tools no longer suffice to deal with the fast-evolving landscape of ransomware viruses, and new approaches are needed to detect and counter its devastating effects.
  11. Tor has become a proven means of communication and is ideal for hosting CNC and ransom payment sites. TOR is: The Tor network is used by anyone who wants to maintain their online anonymity.  It does this by routing all traffic from the client to the destination through a series ofrelays called a circuit. Relays are simply Tor clients configured to also act as a router for other clients in order to provide more bandwidth to the network. By default, Tor clients send traffic through a circuit of 3 relays before reaching the final destination. Tor clients encrypt all their traffic so that routers will only know two things: where the traffic came from immediately before it, and where the next stop for the traffic will be. This is done by encrypting the traffic once for each relay in the circuit, using a different key for each layer of encryption. This way, as each relay receives the traffic, it can only strip off one layer of encryption, and then forward the data to the next destination. If the relay is forwarding the data to another relay, all it will see is encrypted ciphertext. The only relay which will see the actual data being sent to the final destination is the exit relay Hiding the command and control servers in an anonymous Tor network complicates the search for the cybercriminals
  12. Technologies such as bitcoin are contributing to the rising success of ransomware, enabling hackers to stage attacks with more efficiency while hiding their trace. Prior to Bitcoin’s rise in popularity, the principal way that attackers extracted their ransom was by instructing victims to pay by wire transfer or reloadable prepaid debit cards — principally Greendot cards sold at retailers, convenience stores and pharmacies. But unlike Bitcoin payments, these methods of cashing out are easily traceable if cashed out within the United States. “Western Union can be traced at U.S. cashout locations, as can Greendot payments. Which means you either need an overseas partner [who takes half of the profit for his trouble] or Bitcoin.” What is Bitcoin? Bitcoin is a digital currency that uses consensus in a massive peer-to-peer network to verify transactions. This results in a system where payments are non-reversible, accounts cannot be frozen, and transaction fees are much lower. Where do bitcoins come from? Bitcoins are mined: some users put their computers to work verifying transactions in the peer-to-peer network mentioned above. These users are rewarded with new bitcoins proportional to the amount of computing power they donate to the network. How to get started with Bitcoin: The best way to learn about Bitcoin is to get some and experiment. We have written articles about how to set up your own Bitcoin wallet, how to acquire bitcoins, What can you buy with bitcoin today? Over 100,000 merchants accept bitcoin online. You can pay for things you buy on Dell, Microsoft, NewEgg or Expedia. You can also convert bitcoin into gift cards for Amazon, Target or Walmart. Criminals prefer Bitcoin because it’s easy to use, fast, publicly available, decentralized, and provides a sense of heightened security/anonymity.
  13. It’s a very successful criminal business model with many copycats. This is just one of the findings of “Ransomware. A Victim’s Perspective: A study on US and European Internet Users” (PDF), a report conducted by Bitdefender in November of last year. Advanced cybercrime groups now mirror legitimate organisations in the way they operate, with networks of partners, associates, resellers and vendors. Some groups even deploy call centre operations to ensure maximum impact on their scamming efforts, and in some instances employees of the call centre are oblivious to the fact they are working for criminal groups executing low-level campaigns like tech support scams.
  14. Recently, several organizations were badly hit by ransomware, including a police department in Massachusetts, a church in Oregon, schools in South Carolina and several medical centers in California and Kentucky, one of which ended up paying the attackers 40 bitcoins (approximately $17,000). In a recent high-profile case, the Hollywood Presbyterian Medical Center declared an internal emergency after suffering an outbreak of ransomware. Ultimately, this hospital decided to ante up the required Bitcoin ransom payment, handing over $17,000 in order to get access to its computers. The original ransom demand was for $3.7 million in Bitcoins, so if nothing else, that is some decent negotiating on the part of the hospital.
  15. “YahooMail Is So Bad That Congress Just Banned It”: In response to the attacks, the House’s IT desk blocked access to YahooMail “Until further notice.”
  16. How much money: $24 million in hostage payments according to the FBI. But experts say those figures are dwarfed by the actual payments, which likely exceed half a billion dollars per year. 24 million < x < 500 million. CryptoWall alone is $325 million (400,000 payments) according to the CTA report: http://www.coindesk.com/cryptowall-325-million-bitcoin-ransom/ Cyber-criminals collected $209 million in the first three months of 2016 by extorting businesses and institutions to unlock computer servers. At that rate, ransomware is on pace to be a $1 billion a year crime this year. The FBI told CNN that the number "is quite high" because a few people "reported large losses." 2014 - 25M; 2015 - 25M; 2016 - 1000M (estimate).
  17. The financial impact to victims goes beyond the ransom fee itself, which is typically between $200 and $10,000. Many victims incur additional costs associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers.
  18. * Corporations have more valuable data and more money for ransom (ransom increases from roughly $500 per computer to $15,000 for the entire enterprise). Ransomware operates like this: for every hour that passes in which victims have not paid the ransom, another encrypted file is deleted from the computer, making it unrecoverable even if the ransom is paid or files decrypted via another method. New stats - Average ransomware demand is £525, with corporations increasingly targeted. * The malware also deletes an extra 1,000 files every time victims restart their computers and log into Windows. * ransomware encrypts Master File Table. This table contains all the information about how files and folders are allocated. * are both families that take this unusual route - instead of going after users' computers, they infect web servers through vulnerabilities and encrypt website databases and hosted files, making the website unusable until ransom is paid.
  19. Encrypting data on network drives - even on those that are not mapped. DMA Locker, Locky, Cerber and CryptoFortress are all families that attempt to enumerate all open network Server Message Block (SMB) shares and encrypt any that are found. Compressing files first to speed up the encryption process. Maktub ransomware does this. Deleting or overwriting cloud backups. In the past, backing up your data to cloud storage and file shares was safe. However, newer versions of ransomware have been able to traverse to those shared file systems, making them susceptible to the attack. According to Fabian Wosar, of Emsisoft, when Rokku encrypts a victim's data it will use the Salsa20 algorithm and will encrypt each file with its own unique key. A file's key is then encrypted using RSA and stored in the last 252 bytes of the associated file. This allows the developers to provide individual decryption keys for test file decryption. This is also the first ransomware that I know of that uses the Salsa20 algorithm, which provides much greater encryption speeds compared to AES.
  20. Targeting non-Windows platforms. SimpleLocker encrypts files on Android, while Linux.Encoder.1 encrypts files on Linux, and KeRanger on OS X. Using the computer speaker to speak audio messages to the victim. Cerber ransomware generates a VBScript, entitled “# DECRYPT MY FILES #.vbs,” which allows the computer to speak the ransom message to the victim. It can only speak English but the decryptor website it uses can be customized in twelve different languages. It says “Attention! Attention! Attention!” “Your documents, photos, databases and other important files have been encrypted!” Ransomware as a service: this model is offered on underground forum networks; it provides the malicious code and infrastructure to facilitate the transfer of funds and the encryption key for the victim to be able to access their information. Tox ransomware does this. Bonus: Using counter-detection malware armoring - anti-VM and anti-analysis functions. CryptXXX does this.
  21. Perhaps the most intriguing aspect of the Cerber RaaS is its money flow. Cerber uses Bitcoin currency to evade tracing, and creates a unique Bitcoin wallet to receive funds from each of its victims. Upon paying the ransom (usually 1 Bitcoin, which is currently worth approximately $590), the victim receives the decryption key. The payment is transferred to the malware developer through a mixing service, which involves tens of thousands of Bitcoin wallets, making it almost impossible to track the transactions individually. At the end of the mixing process, the money reaches the developer and the affiliates receive their percentage. http://blog.checkpoint.com/2016/08/16/cerberring/
  22. As we know, Google Docs uses HTTPS by default and the network data transmission over SSL can easily bypass traditional security solutions such as a firewall, intrusion prevention system, or next generation firewall. We believe this is critical. As malicious actors make increasing use of the cloud for both delivering malware and exfiltrating data via command-and-control, traditional detection tools’ lack of visibility into SSL becomes a huge benefit to them. Additionally, the inability of traditional tools to look into SSL traffic of unsanctioned apps becomes important. Moreover, the use of a popular cloud app like Google Docs presents another challenge. For organizations using Google Docs as a productivity tool, it’s virtually impossible to block it outright. To prevent this ransomware from using Google Docs, you need to be able to selectively block the specific app instance associated with this ransomware while allowing your sanctioned instance of Google Docs to continue working. https://www.netskope.com/blog/cuteransomware-uses-google-docs-fly-radar/
  23. Drive-bys and email (MS Office documents, and JS in ZIP) - Phishing emails may contain malicious attachments. These attachments are not always delivered in executable form; as security vendors and security best practices dictate that receiving executables via email is, in general, something we want to prevent, threat actors have to adapt to the changing landscape. This can be done by indirect delivery mechanisms. In Windows, for example, a malicious actor may opt for a less direct method of delivery: embed an obfuscated JavaScript file into an archive, and rely on the end user for the rest. Opening a .JS file on a Windows host will launch the default browser, and the JavaScript can then reach out to an external URL to grab an executable, deliver it to the victim, and execute it. At this point, preventing users from receiving executables via email is no longer effective, as the executable is delivered via HTTP. - Exploit kits (such as Angler, or Neutrino) have been known to deliver ransomware to users by exploiting vulnerable web servers and hosting malicious web scripts on them which exploit visitors when certain criteria are met, and then delivering a malicious payload (Reference).
  24. Install the latest patches for your software, especially Adobe, Microsoft and Oracle apps. A common way in for ransomware is via Exploit Kits, like Angler. These bundle many application vulnerabilities into one kit, and try drive-by exploits for each one in sequence. The more outdated your apps are, the more likely it is that some of these exploits work and infect you with ransomware. Use network protection: A very important part of a comprehensive security strategy is to use a network traffic monitoring system that is based on machine learning and behavior analysis. As most of these attacks come in via internet channels, make sure your network protection can parse and analyze both email and web traffic. Use a comprehensive endpoint security solution with behavioral detection: The endpoint (user's computer) is where the ransomware infection takes place. So it is important to use a modern security solution here as well, with a signature-less approach. A signature-less approach, aka behavior detection, is the only way to catch zero-day threats that are new and do not have signatures written for them yet. Turn Windows User Access Control on: Windows has added this security feature to help you stay in control of your computer by informing you when a program makes a change that requires administrator-level permission. UAC works by adjusting the permission level of your user account. If you’re doing tasks that can be done as a standard user, such as reading e‑mail, listening to music, or creating documents, you have the permissions of a standard user—even if you’re logged on as an administrator. Take full advantage of it. Office 16 provides a Group Policy setting that enables you to block macros from running in Word, Excel and PowerPoint files from the Internet.
  25. Be skeptical: Don’t click on anything suspicious. Don’t click on any emails or attachments you don't recognize, and avoid suspicious websites altogether. As most of the infections come from user action - opening attachments or visiting websites - being vigilant is the most effective way to minimize damage. Block popups and use an ad-blocker: Popups are regularly used by criminals to spread malicious software. To avoid accidental clicks on or within popups, it's best to prevent them from appearing in the first place. According to Statista, nearly 200 million people worldwide already followed this advice and use ad-blockers. Override your browser’s user-agent: As some Exploit Kits use your user-agent to tailor the right exploit for your operating system, it pays to trick them by setting the wrong user-agent on purpose. For instance, when using Firefox on Windows, set your user-agent to say “Firefox on Linux” to confuse malware redirectors and exploits. Block Macros, Disable Windows Script Host.
  26. Locky also removes any Volume Snapshot Service (VSS) files, also known as shadow copies, that you may have made. Shadow copies are the Windows way of making live backup snapshots without having to stop working – you don’t need to logout or even close your applications first – so they are a quick and popular alternative to a proper backup procedure. Shadow copies: Sometimes crypto ransomware can have weaknesses in their implementation which could allow victims to recover at least some of their files without paying. For example, Windows can be set up to make recovery points at regular intervals. These backups are called shadow copies. If this service is enabled and if a crypto ransomware does not interfere with this feature, it may be possible to recover some files using this method. This blog details various Windows tools that can be useful to aid recovery in case of a crypto ransomware attack. File recovery software: Another point worth noting is that when a file is deleted in Windows, the contents of the file are not usually scrubbed from the physical disk itself. Instead, the entries defining the file are removed from the disk allocation tables, freeing up the space. The original data in the freed space is not overwritten until a new file is written to the same space on the disk. This makes it possible to recover deleted files if the disk space has not already been overwritten by another file. Victims can use file recovery software such as PhotoRec to scan for deleted files and recover them. No bullet-proof solution: It should be noted that the more advanced crypto ransomware groups are aware of these techniques and take steps to prevent their successful use. As a result, some crypto ransomware threats delete shadow copies to prevent victims from being able to recover files. Similarly, other crypto ransomware threats such as Trojan.Ransomcrypt.R use secure deletion tools such as SDelete to ensure that original files are securely erased from the disk after encryption. In this situation, the only answer is to have a backup of the files as there is no practical way for the files to be recovered or decrypted without the right key.
  27. Malvertising is the practice of injecting malicious advertisements into legitimate online advertising networks. It is served with the goal of compromising users and their devices. It can occur through deceptive advertisers or agencies running ads, or through compromises to the ad supply chain, including ad networks, ad exchanges and ad servers. Malvertising is not new malware, just a different delivery vehicle. Malvertising is popular because compromising websites that have high traffic is very effective for malware distribution, and because attacking these sites' ad networks is easier and requires less effort than finding a vulnerability in the site software.
  28. Websites or web publishers unknowingly incorporate a corrupted or malicious advertisement into their page. Once the advertisement is in place, and visitors begin clicking on it, their computer can become infected. Malvertising often involves the exploitation of trustworthy companies. Those attempting to spread malware place "clean" advertisements on trustworthy sites first in order to gain a good reputation, then they later "insert a virus or spyware in the code behind the ad, and after a mass virus infection is produced, they remove the virus", thus infecting all visitors of the site during that time period. The identities of those responsible are often hard to trace because the "ad network infrastructure is very complex with many linked connections between ads and click-through destinations." [8] Users visit a website and get infected by malware without any action or warning. The website loads a banner ad that has been tampered with (injected with JavaScript to redirect to a malicious site). That site will load a pack of different drive-by exploits to penetrate the user's browser or plugin, achieve remote code execution, and then install the malware payload. So the lifecycle is: Website -> redirect -> exploit -> payload. The goal of these attacks, seen so far, is to make money, and that is achieved by loading a monetization payload. The most popular ones are ransomware, like Cryptowall, and ad-fraud Trojans like Bedep.
  29. Cyphort Labs crawler monitors top sites in the world 24×7 to find cases of malicious code served via drive-by exploits. Most of the sites we see serving exploits are not compromised themselves, but redirect to advertisers poisoned by malware. This technique is called malvertising and we issued a special report on the phenomenal growth of malvertising in August of 2015. Here is the latest update on the numbers of unique domains we have found per year (year: number of unique domains): 2014: 910; 2015: 1654; 2016: 2102* (*estimate based on the number seen so far). As you can see, malvertising growth continues, and is on pace for the largest year ever.
  30. It’s common practice to outsource the advertising on websites to third-party specialists. These companies re-sell this space, and provide software which allows people to upload their own adverts, bidding a certain amount of money to ‘win’ the right for more people to see them. This often provides a weak point, and cyber criminals have numerous clever ways of inserting their own malicious adverts into this self-service platform. Once loaded, all they have to do is set a price per advert, to compete with legitimate advertisers, and push it live. The ad networks get millions of ads submitted to them and any one of those could be malvertising. They try to detect and filter malicious ads from their systems, but it is challenging. The potential damage is high, as ad networks have a very deep reach and can infect many people quickly. The attackers are accustomed to tricking the networks by making "armored" malverts, where they use various techniques to appear legitimate to the analysts, but infect the users nonetheless. For instance they will enable the malicious payload after a delay of several days after the ad is approved. Another way is to only serve the exploits to every 10th user, or every 20th user who views the ad. Verifying user agents and IP addresses also is a common strategy to hide from analysts and automated malware detection. The attackers can implement various targeting strategies for malware infection, which appear normal in the context of advertisement, but in effect evade certain security detection. The use of redirection via HTTPS (Hypertext Transfer Protocol Secure, a communications protocol for secure encrypted communication) is unique. It makes it harder to analyse the origin of attack because even if a security company has the recorded network traffic it is impossible to decrypt and reconstruct the origin of the malware redirect.
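The lifecycle given in the malvertising notes above (Website -> redirect -> exploit -> payload) can be reconstructed on the defender's side from web-proxy logs by walking Referer links back from an executable download. This is an added example, not code from the slides or from Cyphort; the log records, host names, content-type list and three-host threshold are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed proxy records, oldest first: (client, url, referer, content_type).
PROXY_LOG = [
    ("10.0.0.5", "http://news.example/", "", "text/html"),
    ("10.0.0.5", "http://ads.adnet.example/banner.html",
     "http://news.example/", "text/html"),
    ("10.0.0.5", "http://redir.example/go?id=7",
     "http://ads.adnet.example/banner.html", "text/html"),
    ("10.0.0.5", "http://landing.example/index.php",
     "http://redir.example/go?id=7", "text/html"),
    ("10.0.0.5", "http://landing.example/p.bin",
     "http://landing.example/index.php", "application/x-msdownload"),
    ("10.0.0.9", "http://news.example/", "", "text/html"),
    ("10.0.0.9", "http://cdn.example/setup.exe", "", "application/x-msdownload"),
]

# Content types treated as executable downloads (assumed list for this example).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}


def host(url):
    return urlparse(url).hostname or ""


def referer_chain(records, client, url):
    """Follow Referer links backwards from url for one client; return oldest first."""
    parent = {u: ref for c, u, ref, _ in records if c == client}
    chain, seen = [url], {url}
    while True:
        ref = parent.get(chain[-1])
        if not ref or ref in seen:  # no Referer logged, or a referer loop
            break
        chain.append(ref)
        seen.add(ref)
    return chain[::-1]


def suspicious_downloads(records, min_hosts=3):
    """Flag executable downloads reached through a chain of min_hosts or more hosts."""
    findings = []
    for i, (client, url, _ref, ctype) in enumerate(records):
        if ctype not in EXECUTABLE_TYPES:
            continue
        # Only records up to and including the download can be part of its chain.
        chain = referer_chain(records[: i + 1], client, url)
        hosts = list(dict.fromkeys(host(u) for u in chain))  # ordered, de-duplicated
        if len(hosts) >= min_hosts:
            findings.append({"client": client, "entry_site": hosts[0],
                             "hosts": hosts, "payload": url})
    return findings


if __name__ == "__main__":
    for f in suspicious_downloads(PROXY_LOG):
        print(f["client"], " -> ".join(f["hosts"]), f["payload"])
```

When a hop in the chain is HTTPS and the proxy does not see inside it, the URL and Referer for that hop are missing, so the chain comes out truncated; that is the analysis gap the last note describes.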
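The per-relay layering described in the Tor notes (item 11) can be traced in code: the client adds one layer per relay, each relay strips exactly one, and only the exit relay sees the data. This is an added example, not part of the original slides; it uses a toy SHA-256 keystream as a stand-in for a real cipher, carries the next-hop name inside each layer as a simplification, and the relay names, keys and destination are constructed.

```python
import hashlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with SHA-256(key || offset)); illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


# Constructed circuit of 3 relays, each sharing a different key with the client.
ROUTE = [(name, hashlib.sha256(b"constructed key for " + name.encode()).digest())
         for name in ("guard", "middle", "exit")]
DESTINATION = "site.example:80"          # constructed destination
MESSAGE = b"GET /index.html HTTP/1.1"    # constructed application data


def wrap(route, destination, message):
    """Client side: encrypt once per relay, innermost layer for the exit relay."""
    next_hops = [name for name, _ in route[1:]] + [destination]
    onion = message
    for (_, key), next_hop in reversed(list(zip(route, next_hops))):
        header = bytes([len(next_hop)]) + next_hop.encode()
        onion = keystream_xor(key, header + onion)
    return onion


def peel(key, onion):
    """Relay side: strip one layer, learning only the next hop."""
    plain = keystream_xor(key, onion)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]


def simulate(route, destination, message):
    """Pass the onion along the circuit and record what each relay can see."""
    onion, sender, views = wrap(route, destination, message), "client", []
    for name, key in route:
        next_hop, onion = peel(key, onion)
        views.append({"relay": name, "from": sender, "to": next_hop,
                      "sees_plaintext": message in onion})
        sender = name
    return views, onion


if __name__ == "__main__":
    views, delivered = simulate(ROUTE, DESTINATION, MESSAGE)
    for v in views:
        print(v)
    print("delivered:", delivered)
```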