Ransomware: Malware that kidnaps your data to extort money from you
The type of malware from which you simply can’t recover includes Cryptolocker, Cryptowall, Reveton, Winlocker, FBI Virus, Moneypak, and more.

June 2014

Table of Contents

- Summary
- Holding you hostage
- Cryptolocker
- What’s the Big Deal, I’ll Just Pay the Ransom
- What Can I Do About It?
- An Ounce of Prevention really is worth a Pound of Cure
- A Different Approach to Ransomware Protection
  - Containment
  - Detection
  - Prevention
  - Intelligence
- Invincea Platform for User-Oriented Threats
- Conclusion and more information

Invincea, Inc., 3975 University Drive, Suite 460, Fairfax, VA 22030 USA. Tel: +1-855-511-5967. [email protected]. www.invincea.com

© 2014, Invincea, Inc. All rights reserved. Invincea, the Invincea Logo, Invincea FreeSpace, and Invincea Management Service are trademarks of Invincea, Inc. All other product or company names may be trademarks of their respective owners. All specifications are subject to change without notice. Invincea assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. INV_WP_RANSOM_06162014

Summary

Of all the classes of malware, “ransomware” may be the most destructive, because often it is not possible to recover from its effects. Most malware is disruptive in nature (general nuisanceware, banking Trojans that steal financial data and credentials, malware that targets information such as intellectual property, and bots that turn your machines into spam senders), but an organization can eventually recover from the damage after significant cost, effort, and time. Not so with ransomware: your important business data can be lost forever.

Holding you hostage

Ransomware’s goal is to hold you hostage through a variety of lock-out mechanisms; the most successful is encrypting your data and forcing you to pay for the decryption key. This ransom can cause your data to be lost forever. Because this malware can also encrypt your backup files across network share drives and mounted file systems, losing your information without usable backups could cause irreparable damage to your company.
Ransomware does not describe a specific infection mechanism but rather the impact on the infected user. Ransomware can be distributed to targeted users through a variety of infection mechanisms:

- Spear-phishing [1] emails that deliver the employee to malicious websites that run drive-by download exploits, or that include weaponized document attachments
- Watering hole attacks [2] that hijack legitimate, trusted sites to push malware to unsuspecting users
- Poisoned search results [3] behind trending news items on popular engines such as Google, Yahoo!, and Bing
- Malware pushed [4] through popular social networks such as Twitter and Facebook

As recently as June 6, 2014, the authors of the Cryptowall ransomware variant successfully infected hundreds of thousands of users by paying to have malicious ads displayed on popular websites like Facebook, Disney, and The Guardian [5]. Those websites were not hacked to serve the malicious code; it was distributed through legitimate advertising networks.

Examples of common ransomware include Cryptolocker, Reveton [6], Winlocker, FBI Virus, and Moneypak Virus. We’ll explore Cryptolocker, the most prevalent ransomware family, in more detail.

Notes
[1] http://www.invincea.com/spear-phishing-protection
[2] http://www.invincea.com/watering-hole-attacks/
[3] http://usatoday30.usatoday.com/tech/news/story/2012-06-17/poisoned-search-results/55654796/1
[4] http://mashable.com/2013/04/22/twitter-malware-financial-fraud/
[5] http://thehackernews.com/2014/06/new-cryptowall-ransomware-spreading.html
[6] http://www.invincea.com/2013/03/kia-reveton-ransomware-java-7-exploit-cve-2013-0431

Cryptolocker

Cryptolocker is the name of a malware family that infects end user computers via spear-phishing email attacks posing as legitimate business correspondence from FedEx, UPS, a bank, or other trusted institutions, and from infected websites through watering hole attacks and drive-by downloads.

[Figure: Example of forged spear-phish email used to infect with Cryptolocker]

When users get infected, the malware silently encrypts all documents on the local machine and attempts to pivot and spread over mounted file systems, network shares, USB drives, and other connected systems. Once all files have been encrypted, Cryptolocker displays a dialog box describing what it did to the user’s files along with details of the ransom. Files are encrypted with an asymmetric 2,048-bit key, which is virtually impossible to crack. The only people who hold the key to decrypt your files are the malware authors, and they will sell it to you: this is the ransom payment.

[Figure: Cryptolocker dialog screen]

By the time users get this message on their machine, it’s too late! Cryptolocker has already encrypted all the data files on that user’s machine (and possibly across your network). The average ransom amount is around $300, and the Cryptolocker authors have started accepting Bitcoin for payment because it is not traceable by law enforcement. The ransom must be paid within a specified period, often less than 96 hours, or the unique private key needed to decrypt the files will be destroyed, rendering your data unrecoverable.

What’s the Big Deal, I’ll Just Pay the Ransom

As with most kidnapping crimes, paying the ransom is no guarantee that you will get the key to recover your files. In some cases, the authors take your money and do not respond. In others, they ask for more money since they know that you’re willing and desperate to pay.
There have also been documented cases where applying the decryption key actually re-infected the user’s machine! Surprisingly, it’s estimated that about 3% of impacted users pay the ransom, totaling just over $1M in ransom fees in the last three months of 2013 alone and $100M for all ransomware variants since inception, certainly enough to encourage the Cryptolocker authors to continue their campaigns. Unfortunately, this type of crime does pay… and pays well.

What Can I Do About It?

Cryptolocker spread very quickly after it was first discovered in September 2013. It infected over 250,000 machines in the first 100 days, mostly targeting small and medium businesses in English-speaking countries. New variants of Cryptolocker are being created to spread the infection even wider and to further reduce the chance of detection by traditional signature-based anti-virus systems. Signature-based security requires that the anti-virus vendors have already discovered the malware variant in order to write a signature, a classic chicken-and-egg problem that results in a never-ending escalation of new signatures and new exploits. You can see from this analysis by VirusTotal.com (a free service that measures the detection rate of anti-virus scanners) that only 58% of the anti-virus tools tested can detect this single variant of Cryptolocker months after it was first introduced. Organizations are taking a risk if they believe that legacy anti-virus technology can detect modern malware.

[Figure: VirusTotal.com detection results for a single Cryptolocker variant]

Sadly, if you’re already infected, there’s not much you can do. (We are not recommending whether you should pay the ransom or not.) Hopefully, you have a good backup system in place that wasn’t impacted by the infection, you were able to quickly identify and isolate the infected user, re-image their machine to remove all traces of the malware, verify that other users haven’t been infected, and start the painful process of identifying the exposure of your lost data.

An Ounce of Prevention really is worth a Pound of Cure

Invincea realized years ago, after conducting advanced research on modern malware activity, that a new type of technology approach is needed to combat the explosive rise in user-targeted threats, including spear-phishing, watering holes, drive-by downloads, and other attacks of opportunity that spread ransomware and other malware. Over 200,000 malware variants are released every day, and over 60,000 malicious URLs and hijacked websites are created each day, which far outpaces the ability of legacy signature-based anti-virus systems to keep up. There simply is too much malware being created for anti-virus vendors to develop and release signatures every minute of the day. And what happens if the organization is not able to push new signatures to its users in a timely manner? The user and the organization are at risk from malware like Cryptolocker.

A Different Approach to Ransomware Protection

Invincea has taken a different approach to user protection based on over eight years of advanced malware research, protecting nearly 15,000 organizations in 112 countries, with single deployments as large as 70,000 endpoints. No single technology provides this capability; rather, it is an innovative approach composed of multiple techniques operating in tandem to address the problem domain. Invincea offers an integrated platform providing mission-critical user protection, enterprise-scalable deployment and management, and real-time threat intelligence.

Containment

The core of the Invincea platform is the FreeSpace™ user protection client.
This software completely isolates vulnerable applications (Java, web browsers, PDF readers, the Microsoft Office suite, Adobe Flash, Adobe Reader, and more) from the host operating system, registry, disk, running processes, threads, and memory inside a secure virtual container. One can think of this as “application virtualization.” The containment allows for a unique capability: it doesn’t prevent vulnerable applications from running (unlike application whitelisting), and lets them operate as they normally do for legitimate uses. As applications are launched and run inside the secure container, if they start to behave in a malicious manner, their activity does not impact the host, since all application execution occurs in this segregated virtual container fully isolated from the host. The secure virtual container is an innovative approach because it allows for the integration of behavioral activity scanners, forensics instrumentation, and user policy controls.

Detection

The client component running on end user machines integrates signature-free behavioral sensors within the container to automatically detect all forms of malware activity: known, unknown, and zero-day. This far exceeds the limitations of signature-based systems that require one signature for each unique exploit. Invincea’s behavioral sensors understand the legitimate behavior of applications running inside the secure container, and thus detect malicious activity regardless of how many exploit variants try to take advantage of a vulnerability. This approach also significantly reduces the false positives commonly found in other traditional behavioral detection technologies when trying to detect unknown and zero-day attacks.

Prevention

The prevention capabilities provided by the system greatly exceed the benefits provided by detection-only systems. While knowledge of breaches is important, the cost of remediation, lost employee productivity, and the risk of lost intellectual property or financial loss after a breach occurs cannot be rolled back. Once the breach occurs, regardless of how fast it is detected, the organization incurs a loss. Invincea’s policy-based prevention rules enable an organization to stop a breach before it occurs, and to retain the forensic evidence to be used for further risk analysis, adversary attribution, legal proceedings, and further hardening of the security infrastructure.

Intelligence

Rich forensics of malware activity captured during the containment, detection, and prevention cycles on the endpoint can be investigated to provide actionable intelligence about the organization’s current risk posture. One can easily determine whether this is simply an attack of opportunity (i.e. a watering hole or drive-by attack) or whether the organization is the target of a concerted attack effort. Digital forensics and incident response (DFIR) teams have the ability to trace the attack lifecycle, investigate the artifacts from the prevented malware attempt, and fuse this information with other threat intelligence services and security information and event management systems, without the pressure of responding to an active breach in progress that can spin out of control as malware pivots throughout the organization.
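As an added example (not Invincea’s code or the FreeSpace sensor), the following Python script shows one simple behavioral heuristic a defender could run over endpoint file-write telemetry to catch the Cryptolocker pattern described earlier: a single process rewriting many user documents in a short burst and pivoting from the local drive to a network share. The log format, process names, thresholds and events are constructed for this example.

```python
"""Behavioral ransomware-burst detector over constructed file-event lines.
Added example, not Invincea code: flags a process that rewrites many user
documents across local and share paths in one short window, as described."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

DOC_EXTS = (".docx", ".xlsx", ".pptx", ".pdf", ".jpg")  # assumed watch list
WINDOW = timedelta(seconds=60)  # assumption: burst window
MIN_FILES = 5                   # assumption: distinct documents per window
MIN_ROOTS = 2                   # assumption: local drive + share = pivoting

# Constructed sample telemetry, "time|process|op|path"; not real data.
SAMPLE_EVENTS = """\
2014-06-06T10:00:00|winword.exe|WRITE|C:\\Users\\alice\\Docs\\q2.docx
2014-06-06T10:00:02|invoice_4412.exe|WRITE|C:\\Users\\alice\\Docs\\q2.docx
2014-06-06T10:00:03|invoice_4412.exe|WRITE|C:\\Users\\alice\\Docs\\budget.xlsx
2014-06-06T10:00:04|invoice_4412.exe|WRITE|C:\\Users\\alice\\Pictures\\kids.jpg
2014-06-06T10:00:06|invoice_4412.exe|WRITE|\\\\fileserver\\shared\\legal\\a.pdf
2014-06-06T10:00:07|invoice_4412.exe|WRITE|\\\\fileserver\\shared\\legal\\b.pdf
2014-06-06T10:05:00|excel.exe|WRITE|C:\\Users\\alice\\Docs\\budget.xlsx
"""

def root_of(path):
    """Drive letter ('c:') or UNC share ('\\\\server\\share') of a path."""
    m = re.match(r"^(\\\\[^\\]+\\[^\\]+|[A-Za-z]:)", path)
    return m.group(1).lower() if m else path.lower()

def parse(text):
    """Yield (datetime, process, op, path) tuples from the pipe format."""
    for line in text.strip().splitlines():
        ts, proc, op, path = line.split("|", 3)
        yield datetime.fromisoformat(ts), proc, op, path

def find_bursts(events):
    """Return {process: (files, roots)} for bursts meeting MIN_FILES/MIN_ROOTS."""
    recent = defaultdict(list)  # process -> [(time, path)] still in window
    alerts = {}
    for ts, proc, op, path in events:
        if op != "WRITE" or not path.lower().endswith(DOC_EXTS):
            continue  # only rewrites of user documents matter here
        hist = [(t, p) for t, p in recent[proc] if ts - t <= WINDOW]
        hist.append((ts, path))
        recent[proc] = hist
        files = {p for _, p in hist}
        roots = {root_of(p) for p in files}
        if len(files) >= MIN_FILES and len(roots) >= MIN_ROOTS:
            alerts[proc] = (len(files), len(roots))
    return alerts
```

Running `find_bursts(parse(SAMPLE_EVENTS))` flags only the constructed `invoice_4412.exe` process; the single saves by Word and Excel stay below the thresholds.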
Invincea Platform for User-Oriented Threats

The protection capabilities of the Invincea platform deliver a comprehensive framework for all user-oriented attack vectors:

- Browser-based attacks
  - Spear-phishing [7]
  - Watering hole attacks [8]
  - Attacks of opportunity [9]
  - Poisoned search engine optimization
  - Infected advertisements
- PDF documents
- Adobe Flash
- Adobe Acrobat
- Microsoft Office documents (Word, Excel, PowerPoint)
- Microsoft Outlook email helper applications
- Microsoft Silverlight
- Apple QuickTime
- Custom browser plug-ins
- User channel operating system attack vectors (Windows XP, 7, 8.1 [10])
- And many more attack vectors

Organizations select the Invincea platform for a comprehensive set of user protection, prevention, and analysis capabilities across multiple attack vectors as part of their unified security infrastructure.

Conclusion and more information

This paper presents the business and security realities of user-targeted ransomware threats across an organization. Legacy technologies are not adequate in addressing the modern issues with user threats, and organizations should seriously evaluate whether repurposing point solutions can meet their current and future needs specific to advanced malware threats.

For more information on the Invincea platform and protecting against user-targeted exploits and other forms of security threats, please contact:

Website: www.invincea.com
Email: [email protected]
Phone: +1-855-511-5967 or +1-703-352-7680

Notes
[7] http://www.invincea.com/why-invincea/spear-phishing-protection
[8] http://www.invincea.com/why-invincea/watering-hole-attacks
[9] http://www.invincea.com/why-invincea/attacks-of-opportunity
[10] Invincea FreeSpace client version 4, July 2014 release