How to beat ransomware


Transcript of How to beat ransomware

Page 1: How to beat ransomware

STRICTLY PRIVATE & CONFIDENTIAL © 2015

How to beat Ransomware?

Page 2: How to beat ransomware


Ransomware

Ransomware is malware that infects systems and locks down data, preventing users from accessing it until a ransom is paid. The data is more or less lost unless backups are available, so for this type of threat it is better to focus on prevention and detection mechanisms before it is too late.

Page 3: How to beat ransomware


Anatomy of a Crypto-Ransomware Attack

1. Recon to understand target behavior, e.g. social media connections, email communication patterns, etc.

2. Preparation of the exploit in the form of a macro, JavaScript, shell script, etc.

3. Delivery of the exploit through malicious Office files, fake software, drive-by download websites, etc.

4. The user gets exploited after being lured into clicking the malicious files or software, or visiting malicious websites hosting drive-by downloads.

5. The crypto-ransomware installs itself and sets a registry key to start itself automatically at every boot.

6. The crypto-ransomware communicates with the C&C over an encrypted channel; the C&C server generates a crypto key pair, sends the public key to the client to encrypt all reachable files, and posts a ransom note with an expiry time for obtaining the private key for decryption.

7. It continuously searches for other file systems that can be reached through mapped network shares, USB drives, etc.

Page 4: How to beat ransomware


7 Key Areas to Monitor for Early Prevention & Detection

Present-day anti-virus software predominantly relies on signatures of known malware for detection. Because the threat situation in the ransomware space is highly dynamic and evolving, a purely signature-oriented approach to detection is very ineffective. Organizations therefore need to look at multiple dimensions to protect against such attacks; 7 of them are listed below:

1. Use updated AV and Anti-Spam.

2. Keep your Applications & OS up to date with patches.

3. Detect rogue browser plugins.

4. Detect drive-by downloads.

5. Scan for indicators of compromise.

6. Regularly analyze service usage.

7. Detect internal C&C Accounts.

8. Apply threat intel on outbound connections.

9. Secure network shares.

10. Keep regular backups of your important files.

Page 5: How to beat ransomware


1. Use updated AV and Anti-Spam.

Many of the current victims of crypto-ransomware are infected because their antivirus and anti-spam software is outdated. It's important for organizations and individuals to keep antivirus and anti-spam software up to date.

Page 6: How to beat ransomware


2. Keep your Applications & OS up to date with patches.

More often than not, ransomware sneaks into a victim's machine unnoticed through known security holes. The CryptoLocker authors didn't need fancy intrusion techniques in their malware because malware already present on the machine had opened the door for them earlier. It's important to maintain an up-to-date patch status for all applications and the operating system.

Page 7: How to beat ransomware


3. Detect rogue browser plugins.

A common entry point for ransomware is the browser. Most of the time, malware is pushed into a system through malicious plugins that users install while browsing. Tools that can continuously scan browsers across network endpoints and force the removal of such plugins are needed.

Page 8: How to beat ransomware


4. Detect drive-by downloads.

Drive-by downloads are one of the most common vectors for the propagation of ransomware. The indicators of a drive-by download are available in proxy, NetFlow and DNS logs. Tools that can analyze such logs to determine patterns or outliers indicating drive-by download behavior are needed.
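The following is an added example, not part of the original deck or a Paladion tool: one heuristic a log-analysis tool can apply to proxy logs to surface the pattern described above. The log format, hosts and thresholds are all constructed for the example; a real deployment would parse its own proxy's format and tune the rarity threshold to the size of the network.

```python
# Added example (constructed data): a heuristic drive-by detector over web proxy logs.
# Pattern: a client loads an HTML page and, within seconds, pulls an executable from a
# different, rarely-seen host with no referer pointing at that host.
from collections import defaultdict
from urllib.parse import urlsplit

WINDOW_SECONDS = 30        # landing page -> payload gap short enough to be automatic
RARE_HOST_MAX_CLIENTS = 1  # a payload host seen by this few clients counts as rare
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec",
              "application/octet-stream", "application/java-archive"}
EXEC_EXT = (".exe", ".scr", ".jar", ".dll")

# Constructed lines (not a real proxy's format): epoch client method url status content-type referer
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET http://news.example/article.html 200 text/html -
1700000006 10.0.0.5 GET http://ad-rotator.example/land.html 200 text/html -
1700000009 10.0.0.5 GET http://x7.example/update.exe 200 application/x-msdownload -
1700000020 10.0.0.7 GET http://news.example/article.html 200 text/html -
1700000060 10.0.0.7 GET http://vendor.example/setup.exe 200 application/x-msdownload http://vendor.example/dl.html
1700000100 10.0.0.8 GET http://vendor.example/setup.exe 200 application/x-msdownload http://vendor.example/dl.html
"""

def parse(line):
    ts, client, _method, url, _status, ctype, referer = line.split()
    return {"ts": int(ts), "client": client, "url": url, "ctype": ctype,
            "host": urlsplit(url).hostname,
            "ref_host": None if referer == "-" else urlsplit(referer).hostname}

def is_executable(ev):
    return ev["ctype"] in EXEC_TYPES or urlsplit(ev["url"]).path.lower().endswith(EXEC_EXT)

def find_drive_by(log_text):
    """Return (client, landing_page_url, payload_url) tuples for suspicious sequences."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["ts"])
    clients_per_host, by_client = defaultdict(set), defaultdict(list)
    for ev in events:
        clients_per_host[ev["host"]].add(ev["client"])
        by_client[ev["client"]].append(ev)
    alerts = []
    for client, evs in by_client.items():
        for i, ev in enumerate(evs):
            if not is_executable(ev) or ev["ref_host"] == ev["host"]:
                continue  # not a payload, or a deliberate download linked from the same site
            if len(clients_per_host[ev["host"]]) > RARE_HOST_MAX_CLIENTS:
                continue  # widely used host, not the one-off infrastructure drive-bys favour
            landing = [p for p in evs[:i] if p["ctype"].startswith("text/html")
                       and p["host"] != ev["host"] and ev["ts"] - p["ts"] <= WINDOW_SECONDS]
            if landing:  # most recent foreign HTML page is the likely landing/redirector
                alerts.append((client, landing[-1]["url"], ev["url"]))
    return alerts
```

`find_drive_by(SAMPLE_LOG)` flags only the 10.0.0.5 sequence; the vendor download is skipped because its referer is on the same site and because two clients fetch from that host.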

Page 9: How to beat ransomware


5. Scan for indicators of compromise.

There is usually a delay before anti-virus signatures for new malware and variants become available, and until the signatures are established you are at risk. Some ransomware does not have a fixed signature at all: it changes its signature very frequently to avoid detection. In such a situation, other indicators of compromise (IOCs) should be used for detecting malware; IOC-based scans are needed rather than signature-based scans alone. You should use such IOC-based scanning tools to protect your networks.
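As an added illustration of what an IOC-based scan does differently from a signature scan (example code, not from the deck or any Paladion product): the scanner below matches several indicator types at once over a directory tree. The indicator values, file names and sample files are all constructed for the example; real indicators would come from a threat-intelligence feed or an incident report.

```python
# Added example (constructed indicators): an IOC-based scan of a directory tree that
# matches file hashes, file names and byte patterns rather than relying on AV signatures.
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed indicator set; in practice these come from a threat-intel feed or an IR report.
MALICIOUS_BYTES = b"MZ\x90\x00constructed-sample-dropper"
IOCS = {
    "sha256": {hashlib.sha256(MALICIOUS_BYTES).hexdigest()},  # hash of the constructed sample
    "filenames": {"svch0st.exe", "decrypt_instructions.txt"},
    "patterns": [b"Your files have been encrypted"],           # ransom-note marker
}

def scan_file(path, iocs=IOCS):
    """Return the list of (indicator_type, value) hits for one file."""
    hits = []
    if path.name.lower() in iocs["filenames"]:
        hits.append(("filename", path.name))
    data = path.read_bytes()  # whole-file read; stream in chunks for very large files
    digest = hashlib.sha256(data).hexdigest()
    if digest in iocs["sha256"]:
        hits.append(("sha256", digest))
    for pat in iocs["patterns"]:
        if pat in data:
            hits.append(("pattern", pat.decode()))
    return hits

def scan_tree(root, iocs=IOCS):
    """Walk a tree; return {relative_posix_path: hits} for every file with at least one hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                hits = scan_file(p, iocs)
            except OSError:
                continue  # locked or unreadable files are skipped rather than aborting the scan
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings

def build_sample_tree():
    """Create a constructed directory: one clean file plus two infection artifacts."""
    root = Path(tempfile.mkdtemp(prefix="iocscan_"))
    (root / "report.docx").write_bytes(b"PK\x03\x04 ordinary document")
    (root / "tmp").mkdir()
    (root / "tmp" / "installer.exe").write_bytes(MALICIOUS_BYTES)  # renamed dropper: hash still matches
    (root / "DECRYPT_INSTRUCTIONS.txt").write_text("Your files have been encrypted. Pay to recover.")
    return root
```

`scan_tree(build_sample_tree())` reports the renamed dropper by hash alone and the ransom note by both name and content, while the clean document produces no finding.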

Page 10: How to beat ransomware


6. Regularly analyze service usage.

If you are not using a service or daemon, it is better to stop it. Unused services are often not monitored and tend to remain unpatched; malware looks for such gaps and uses them to piggyback and maintain stealth. Tools that detect unused services will enable you to decide which services to stop.

Page 11: How to beat ransomware


7. Detect internal C&C Accounts.

Malware creates local accounts to conduct its activities stealthily. Once malware gets hold of a local account, its activities become authorized and an antivirus may not be able to flag them. The solution is to run periodic discovery tools for user accounts across systems and detect such Command & Control accounts. Detecting such C&C accounts enables you to take remedial action before it is too late.
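An added example of the periodic account-discovery check described above (not from the deck or a Paladion tool): it compares an inventory snapshot of local accounts on each host against an approved baseline and ranks what falls outside it. The host names, account names, dates and baseline are constructed; a real run would feed it the output of an inventory agent or a directory export.

```python
# Added example (constructed data): periodic local-account discovery across hosts.
# Accounts absent from the provisioning baseline, created very recently, or present
# under the same unapproved name on several hosts are the "C&C accounts" to look for.
from collections import defaultdict
from datetime import date

# Baseline: accounts expected on every workstation (built-ins plus the approved local admin).
APPROVED = {"Administrator", "Guest", "DefaultAccount", "helpdesk-local"}

# Constructed snapshot as an inventory agent might report it: host -> local accounts.
SNAPSHOT = {
    "WS-101": [{"name": "Administrator", "admin": True, "created": date(2015, 1, 10)},
               {"name": "helpdesk-local", "admin": True, "created": date(2015, 1, 10)},
               {"name": "svcupdate", "admin": True, "created": date(2015, 9, 2)}],
    "WS-102": [{"name": "Administrator", "admin": True, "created": date(2015, 1, 10)},
               {"name": "svcupdate", "admin": True, "created": date(2015, 9, 2)}],
    "WS-103": [{"name": "Administrator", "admin": True, "created": date(2015, 1, 10)},
               {"name": "Guest", "admin": False, "created": date(2015, 1, 10)},
               {"name": "jdoe-test", "admin": False, "created": date(2015, 6, 1)}],
}

def find_rogue_accounts(snapshot, approved=APPROVED, today=date(2015, 9, 5),
                        recent_days=7, spread_min=2):
    """Return (severity, host, account, reasons) for every account outside the baseline."""
    hosts_by_name = defaultdict(set)  # unapproved account name -> hosts where it exists
    for host, accounts in snapshot.items():
        for acct in accounts:
            if acct["name"] not in approved:
                hosts_by_name[acct["name"]].add(host)
    findings = []
    for host, accounts in snapshot.items():
        for acct in accounts:
            name = acct["name"]
            if name in approved:
                continue
            reasons = ["not in baseline"]
            if (today - acct["created"]).days <= recent_days:
                reasons.append("created in the last %d days" % recent_days)
            if len(hosts_by_name[name]) >= spread_min:
                reasons.append("same name on %d hosts" % len(hosts_by_name[name]))
            if acct["admin"]:
                reasons.append("local admin")
            severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
            findings.append((severity, host, name, "; ".join(reasons)))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])
```

In the constructed snapshot the freshly created admin account `svcupdate`, present on two hosts, ranks high, while a single stale, non-admin test account ranks low and is a clean-up item rather than an incident.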

Page 12: How to beat ransomware


8. Apply threat intel on outbound connections.

Firewalls, IPS, WAF and proxies are the devices through which your organization's outbound traffic passes. The need of the hour is a tool that can sift through this outbound data across all of these technologies. Centralized monitoring of all outbound traffic, combined with the ability to apply threat intelligence on malware sites, IP addresses, and C&C and botnet URLs to the outbound traffic data, will help in detecting malicious network activity. Such detection will go a long way in protecting the network from ransomware and other such deadly malware.
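The core of such a tool is the matching step, shown here as an added example (not the deck's or a vendor's code): the same indicator feed is applied to flow records from the firewall or NetFlow and to DNS query logs, handling IP ranges and subdomains, not just exact values. The feed entries and log records are constructed from documentation address ranges; a real feed would come from a threat-intelligence provider or CERT.

```python
# Added example (constructed data): applying a threat-intel feed to outbound traffic
# from firewall/NetFlow flow records and DNS query logs with one set of indicators.
import ipaddress
from collections import defaultdict

# Constructed indicator feed; real feeds come from a TI provider, CERT or ISAC.
INTEL = {
    "ips": {"198.51.100.23"},
    "cidrs": [ipaddress.ip_network("203.0.113.0/24")],
    "domains": {"bad-cc.example", "payload-host.example"},
}

FLOWS = [  # constructed (src_ip, dst_ip, dst_port, bytes_out); not a real product's format
    ("10.0.0.5", "198.51.100.23", 443, 5120),
    ("10.0.0.5", "192.0.2.10", 443, 900),
    ("10.0.0.7", "203.0.113.77", 8080, 2300),
]
DNS_QUERIES = [  # constructed (src_ip, queried_name)
    ("10.0.0.5", "update.bad-cc.example"),
    ("10.0.0.9", "notbad-cc.example"),  # must not match: not a subdomain of bad-cc.example
]

def match_ip(ip_str, intel=INTEL):
    """Return a reason string if the address is a listed IP or inside a listed range."""
    if ip_str in intel["ips"]:
        return "ip:" + ip_str
    ip = ipaddress.ip_address(ip_str)
    return next(("cidr:%s" % net for net in intel["cidrs"] if ip in net), None)

def match_domain(name, intel=INTEL):
    """Match the name and each of its parent domains, so sub.bad-cc.example hits bad-cc.example."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in intel["domains"]:
            return "domain:" + candidate
    return None

def apply_threat_intel(flows=FLOWS, dns=DNS_QUERIES, intel=INTEL):
    """Return {internal_host: [reason, ...]} for hosts that reached or resolved a bad indicator."""
    hits = defaultdict(list)
    for src, dst, port, out_bytes in flows:
        why = match_ip(dst, intel)
        if why:
            hits[src].append("flow to %s:%d (%s, %d bytes out)" % (dst, port, why, out_bytes))
    for src, qname in dns:
        why = match_domain(qname, intel)
        if why:
            hits[src].append("dns lookup %s (%s)" % (qname, why))
    return dict(hits)
```

Grouping hits by internal source host, as `apply_threat_intel()` does, is what turns a list of bad destinations into a list of machines to isolate.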

Page 13: How to beat ransomware


9. Secure network shares.

At a very basic level, no shared folder should grant read/write rights to the "Everyone" group. Malware needs to propagate further to maintain stealth and persistence in the network, and it must find a mechanism to copy files to the connected target machines; network shares are used for this. Ensuring that shared folders do not have open-ended permissions can prevent this from happening. Tools that warn you of such violations should be deployed.

Page 14: How to beat ransomware


10. Keep regular backups of your important files.

If you can, store your backups offline, for example in a safe-deposit box, where they can’t be affected in the event of an attack on your active files. Your backups will be rendered useless if they are scrambled by CryptoLocker along with the primary copies of the files.

Page 15: How to beat ransomware


Simulate Cyber Kill Chain of Ransomware with RisqVU IST & ADR

Page 16: How to beat ransomware

© 2015 PALADION NETWORKS PRIVATE LIMITED | WWW.PALADION.NET | CONFIDENTIAL