Jun 2 2016

Diving Into the Dark Web - Part 3

Be sure to check out Part 1 and Part 2 of this series before you continue.

Ransomware and Cryptolocker

Ransomware, a type of malware, prevents users from accessing their systems. Upon infection, it demands a payment in a virtual currency such as Bitcoin before access is restored. Cryptolocker, a ransomware family, encrypts victim machines and, once the ransom is paid, provides a decryption key that makes the machine usable again. Many within the info-sec community predict 2016 will be the year of Cryptolocker.

Traditional signature-based systems struggle to keep up with ransomware because new variants are so easy to create: they take a blacklisting approach that looks only at known bad, so unknown bad is treated the same as known good even when it exhibits malicious attributes. Whitelisting has not been effective either, because of the heavy administrative lift and GPO-type enforcement it requires. Malware developers actively follow the work of security organizations and often run their samples against signature-based malware engines until they are undetectable. New variants are also complex in composition; zCryptor (a Cryptolocker variant) was also called a cryptoworm because of its ability to attach itself to removable drives.

Variants of CryptoBit and Cryptolocker from 2013 are back this year and are even more vicious in the damage they do to businesses. For example, 2016 variants of Cryptolocker spread through phishing emails and drive-by attacks. They are now served as Microsoft Office files and are sometimes compressed as ZIP objects to evade traditional signature-based detection. The payload, once served, encrypts the local disks and then spreads to shared drives. A victim's social media and web presence often feeds the attacker's reconnaissance.

Emergent received many such emails; they were targeted, and included a sampling of the perfect resume for a hard-to-fill job position, a delinquent accounts receivable memo, a credit card authorization document, and a payroll file marked for review.

Upon Cryptolocker infection, victims reported a time period within which they were to pay the ransom. Some, on principle, refused to pay. This led to the Cerber Cryptolocker variant, known to be generated from a malware service (Ransomware as a Service) hosted on the dark web. It allows for the creation of a customized payload and provides automated back-office services such as Bitcoin payment collection, decryption key delivery, and other administrative functions under an agreed-upon profit-sharing model.

Cerber-infected machines are AES (Advanced Encryption Standard) encrypted and can be connected to a botnet to execute DDoS attacks, mostly with UDP packets. Cerber also has text-to-speech functions that read the ransom demand aloud to the end user. Some variants also have remote administration capability, such as video and audio recording from the infected machine. Cerber often spreads through Rich Text Format files embedded with Visual Basic scripts, delivered as targeted phishing emails.

One remediation strategy is to recover from a clean, air-gapped backup and rebuild the machines. The most important mitigation, however, is end-user education on situational awareness, malware attacks, and social engineering campaigns. Some traditional antivirus vendors developed a Cryptolocker rescue kit, which was effective against older variants but ineffective against newer infections. Application whitelisting, isolated off-line backups, on-time patching, and least-privilege access controls are enforceable controls; however, all of these are reactive, relying on signatures and access restrictions that hinder usability. Most advisory organizations offer recommendations, policies, and procedures without empathy for, or experience of, the demanding business environment. We bring to market practical, cost-effective, and proven solutions for an improved security posture. A few of our experiences in managing security risk fall in the 'advanced capability' category; the following are some examples:

  1. End-user education for improved cyber / network hygiene
  2. Enforced, scheduled, air-gapped backups
  3. File behavior-based network and email enforcement
  4. File-based endpoint pre-execution protection
  5. User behavioral analytics and identity management
  6. Continuous monitoring and validation
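As an added example (not Emergent's code or any product described in this post), the Python below sketches the attachment triage an email-enforcement layer like item 3 could apply to the lures described above: it recurses into ZIP containers, flags macro-enabled Office documents and RTF files carrying embedded objects, and quarantines on those behavioral indicators rather than on a signature. The finding names, the nesting limit, the blocking policy and the sample files are all assumptions constructed for the example.

```python
import io
import zipfile

def triage_attachment(data, depth=0):
    """Return findings for one attachment's bytes. Recurses into ZIP archives so
    an Office file delivered inside a ZIP is still inspected."""
    findings = []
    if data.startswith(b"{\\rtf"):
        findings.append("rtf")
        # \objemb / \objdata are where embedded OLE or script payloads live.
        if b"\\objdata" in data or b"\\objemb" in data:
            findings.append("rtf-embedded-object")
    elif data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" in names:  # OOXML document, not a plain ZIP
                findings.append("office-ooxml")
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    findings.append("office-macro")
            elif depth >= 2:  # assumed nesting limit for archive-in-archive
                findings.append("zip-nesting-limit")
            else:
                findings.append("zip")
                for n in names:
                    for f in triage_attachment(z.read(n), depth + 1):
                        findings.append(f"{n}:{f}")
    return findings

def should_block(findings):
    """Assumed policy: quarantine on macros, RTF embedded objects, or archives
    nested past the inspection limit, regardless of any signature match."""
    risky = ("office-macro", "rtf-embedded-object", "zip-nesting-limit")
    return any(f.endswith(r) for f in findings for r in risky)

def _zip(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, b in entries.items():
            z.writestr(n, b)
    return buf.getvalue()

# Constructed samples standing in for the lures described in the post.
MACRO_DOC = _zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"})
CLEAN_DOC = _zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"})
ZIPPED_LURE = _zip({"resume.docm": MACRO_DOC})
RTF_LURE = b"{\\rtf1\\ansi {\\object\\objemb{\\*\\objdata 0105}}}"
```

In a real gateway the findings would be logged per message and the blocked attachment quarantined for analyst review, so a false positive on a legitimate macro document can still be released.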

These are management and technical solutions with proactive, enforceable controls deployed in a layered architecture, where every object is treated as a zero-day vulnerability unless proven clean; the key to protection is behavior-based prevention. With these in place, you can also prevent the dreaded Cryptolocker.