Ready to Start Your Career?

Anatomy of a Ransomware Attack - Part 6

AjayRandhawa 's profile image

By: AjayRandhawa

March 21, 2017

binary-1187198_12806. RANSOMWARE PROTECTION, PREVENTION, MITIGATIONWe don’t think paying the ransom is the best idea because there’s no guarantee the criminals won’t up the ante, or that they’ll actually follow through on their promise to send you the keys to decrypt your files. And paying the ransom also supports a cyber criminal enterprise that will ensnare more victims.6.1 RECOVER THE FILES FROM BACKUPSThe most efficient and effective way to get back the data is to restore data files from a backup. In most corporate environments files are backed up regularly so recovery should not be a problem. Normally a backup is made for shared and mapped drives. User desktop data is rarely saved. Users should backup the files to a network drive or USB drive and disconnect it after the backup. Almost all ransomware encrypt the network drives.6.2 WINDOWS VOLUME SHADOWS COPY Windows Volume Shadow Copy can be enabled on any drive. It keeps the version history of all the files on the drive and makes it possible to go back on the timeline. However, newer ransomware tries to delete all the shadow copies using a Windows command:“C:WindowsSysnativevssadmin.exe" Delete Shadows /All /Quiet”It is an interesting fact that the Volume Shadow Copy feature is also used by malware to store a malicious code and overwriting it with some innocent content to evade the anti-virus scanning even with an updated signature. This malicious code is later recovered and executed when needed.6.3 RECOVER MOST CRITICAL DATA USING FORENSIC TECHNIQUESWhen a file is opened for editing, almost all applications create a temporary copy of the original file. All the changes are made to the temporary file which overwrites the original file when saved. This is how Microsoft Office recovers files if the application closes abruptly. Once a user exits the application, the temporary file is deleted. On Windows, deleting a file means deleting the pointer to the file (not the contents) in NTFS/FAT/EFS file system. This space is then marked as free and available for overwriting. Using the advanced forensic techniques, it is possible to scavenge the free space on the disk for useful information. The longer the system is used after an attack, the greater the risk of original files being overwritten. For example, during the encryption process, Cryptolocker 2.0 creates a new .encrypt file. It reads the contents of the original file and keeps it in memory, then encrypts the contents and writes the encrypted contents to the ‘.Encrypt’ File – after which the original files are deleted. It is expected that the newer version of ransomware will use built-in Windows programs to permanently delete data. For example, in windows, a built-in tool designed to encrypt and decrypt data can also be employed to permanently delete the content using the command"cipher /w c:backup.txt".A similar command on Unix (depending upon the distribution) is “srm” or “rm - p” which can be used to delete a file to an unrecoverable state. Securely deleting a file takes more time than creating it. Normally hackers study the target’s usage pattern and perform an encryption/secure deletion process when the system is not in use.6.4 PREVENTIONChinese General, Sun Tzu said, “War is half won if you know your enemy. Additionally, if you know yourself, you may retreat, but you will never be defeated.” It is also true in the fight against ransomware. We are aware of the adversary, but we are not entirely aware of all the possible ways in which our defenses may be breached. The following are ways to overcome the most common weaknesses and enhance our defenses against cryptolocker.6.5 USER TRAININGThe majority of ransom-lockers spread through phishing and scam emails. So it is worth keeping an eye on the current scam and spam trends. One good source is the Australian government initiative scam watch. Security professionals and system administrators should follow the latest trends and educate users. In the corporate security, users are the weakest link and appropriate training plays an important factor in preventing security breaches and if a breach occurs, helps in containing the threat.6.6 EFFICIENT PATCH MANAGEMENTAccording to HP’s annual Cyber Risk Report, 44% of attacks during the last year were due to unpatched code that was two to four years old. Two most common causes of delay in patch deployment are instability and downtime. A new patch may destabilize the system and a system with a high availability requirement waits until the industry has tested it. Many times we have seen a patch being released hurriedly to fix vulnerability. These untested patches fix security vulnerabilities but occasionally cause operational issues. On a few occasions, we installed patches that were released to fix the issues caused by an earlier patch.6.7 EFFECTIVE AND MANDATED IT SECURITY TEAMIT Security is an ever-evolving field and requires continuous training and research. However, we still see IT professional’s performance being measured with traditional measurement tools focusing on utilization and billability. It is critical for a security specialist to keep up with training, conferences, and learn about new vulnerabilities in order to stay up-to-date with the latest threats. When a security team realizes a potential risk, a difficult step is convincing business management to put in the necessary time and effort to deploy the essential preventive controls. Traditional ways of measuring ROI (Return On Investment) are ineffective due to business not fully realizing the risk until it is too late. In 2014, Sony Entertainment spent tens of millions of dollars after security breaches cost the company about $1.25 billion.6.8 RESTRICT WRITE PERMISSIONAccess should be granted on a need to know basis. Restrictive ACLs significantly reduce the ransomware damage. The best way to save data is to write backup to a Drop Folder and only allow full control to a specific high-security user. To create a Drop Folder, grant the Write permission to Everyone and grant the Read/List/Delete permission to the manager who can recover files from the folder.6.9 RESTRICT THE USE OF ELEVATED PRIVILEGESWhen a corporate user is attacked, only data files that are accessible to that user are encrypted. In many cases, administrators use elevated privileges for normal operations such as browsing the internet and checking email. Any wrong click may download ransomware, running with same elevated privileges and may result in the entire organization's data (including backups) being encrypted.6.10 MULTILAYER PROTECTION USING SOFTWARE TOOLSThis section describes a multilayer layer protection approach to protect against ransomwares attack using software security tools. We have used McAfee tools as a model. However, similar or better software are also offered by other vendors. These protection measures are not foolproof but significantly reduce the risk of a ransomware the attack.6.11 PREVENT DOWNLOADCarefully crafted phishing emails can beat the best spam filters in the world and breach through an email gateway. Once a malicious has arrived in user’s inbox, McAfee Click Protect provides a highly effective protection layer to cautious users by showing unmasked URL, risk rating and a preview of the target page. Again, users can be deceived. This is when the next layer of protection kicks in. The McAfee Web Gateway using Global Threat Intelligence (GTI) and Threat Intelligence Exchange (TIE) can blockMalicious payloads and safeguard the user from known threats. 7. CONCLUSIONRansomware is fierce, smart and dangerous. As we continue to watch its evolution unfold and numerous users becoming victims of its extorting ways, we see more and more lethal functionality. Ransomware now employs the use of rootkit technology and even modifies the user’s ability to boot in safe mode. It is because of these constant upgrades that I have described a method to remove the malware from outside of the operating system and, hopefully, it will continue to remove the threats before any more victims can pay their fines and lose their hard-earned cash.  However, the best weapon against Ransomware or any malware for that matter is education.  By learning about the threat, learning how to stop it and spreading the knowledge to friends, family, colleague and even perfect strangers, you are making a dent in the pockets of the cyber-criminal organizations. Thanks for reading and safe surfing! 
References:[1]     B. Fraga. Swansea police pay $750 “ransom” after        computer virus strikes. The Herald News, 2013.[2]     G. O’Gorman and G. McDonald. Ransomware: A growing   menace. Technical report, Symantec Corporation, 2012.[3]     Anatomy of a Crypto Ransomware Attack attack-cryptolocker-cryptowall-and-how-to-stay-safe-infographic/[4]     E. Arnold. Tennessee sheriff pays ransom to cybercriminals ,in bitcoin., 2014.[5]     Common type of Ransomware[6]     N. Andronio, S. Zanero, and F. Maggi. HelDroid: Dissecting and detecting mobile ransomware. In Proceedings of the International Symposium on Research in Attacks, Intrusion and Detection (RAID), 2015.[7]     A. Viswanathan, K. Tan, and C. Neuman. Deconstructing the assessment of anomaly-based intrusion detectors. In Proceedings of the International Symposium on Research in Attacks, Intrusion and Detection (RAID), 2013.[8]     R. Perdisci, A. Lanzi, and W. Lee. Classification of packed executables for accurate computer virus detection. Pattern recognition letters, 29(14), 2008.[9]     V. Roussev. Data fingerprinting with similarity digests. In Advances in Digital Forensics VI, IFIP Advances in Information and Communication Technology.Springer Berlin Heidelberg, 2010.[10]  N. Scaife, H. Carter, and P. Traynor. OnionDNS: A seizure-resistant top-level domain. In In IEEE Conference on Communications and Network Security (CNS), 2015.
  1. Tang, S. Sethumadhavan, and S. Stolfo. Unsupervised Anomaly-based Malware Detection using Hardware Features. In Proceedings of the International Symposium on Research in Attacks, Intrusion and Detection (RAID)
Schedule Demo