Ransomware: Security Tips

 

Author: Eduardo Gaeta
Revision: Daniel Mauser

 

Introduction:

Due the high volume of LATAM customers being infected with Ransomware and other malwares we decide to write this article to share some mitigation steps to help prevent malware infections like Ransomware. Besides the malware mitigations, we would like to share a sample of why it´s “impossible” decrypt files without Private Key and a little image of the thought of a malware creator.

Note: Although this article is focus in Ransomware it can be applied also to other types of malware that work in similar way.

Ransomware Attack Vectors:

Most of Ransomware cases has as main source a phishing email with a malicious attachment.  The other potential attack vector is the use of an Exploit Kit (EK) on an infected website. An exploit kit is basically a utility program or toolkit that can deliver an exploit to its corresponding target program. If the exploit is successful, the kit can then deliver a malicious payload to the compromised computer or mobile device. If you think of a single exploit as being an “arrow” that can only hit one “sweet spot” on a target, then an exploit kit is the “bow” that can launch entire quiversful of arrows at any target that happens to be within range.

Here’s a few links with more information about EK:

• Analyzing Angler: The world's most sophisticated exploit kit
• CryptoWall 4.0 Spreading via Angler Exploit Kit
• Angler Exploit Kit Learns New Tricks, Finds Home On Popular Website
• Bad Ads? Angler-Based Malvertising Reels in Mainstream Sites

Ransomware Mitigations:

Based on our Support experience here are some useful steps that can help you to mitigate ransomwares:

• Keeping all applications that connect to the outside world, especially the Internet, up to date.  This prevents attackers from leveraging vulnerabilities in aging applications.  This includes Java, Shockwave, Silverlight, etc., so it is more than just keeping the Operational System (OS) up to date.   The point about being up to date on all Internet facing applications, while being the hardest to enforce is currently the most common form of entry due to the widespread use of the Angler Exploit kit.
• Regularly backup your important files for another location (offline location).
• Use Microsoft File Server Resource Manager (FSRM).
• End user awareness training, spear phishing, don't enable macros in Word/Excel documents

• • This ransomware,  Locky (including all the variants), that will not only encrypt mapped shares, but also unmapped shares through enumeration.  This particular ransomware is preventable, if you do NOT enable macros within Word or Excel documents which is the vector in which it spreads.
  • Here’s more information about Locky and how to block macros:
    · https://medium.com/\@networksecurity/locky-ransomware-virus-spreading-via-word-documents-51fcb75618d2#.5dhw18z3g
    · https://medium.com/@networksecurity/it-s-time-to-secure-microsoft-office-be50ec2797e3#.oylj64z9q

 

• Email Hygiene: Block all e-mail attachments that contain: .exe, .cmd, .scr, .lnk, any script extension (i.e. .vbs, .js, see below).  This will allow you to accept .zip files if the mail scanning tool you have will examine zipped files.
  • Exchange online filtering options
  • Specifically: “For increased protection, we also recommend using Transport rules to block some or all of the following extensions: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh. This can be done by using the Any attachment file extension includes these words condition. “
  • For the emails with links you will want to use SPF records - O365 or Exchange.
• Implement AppLocker or Software Restriction Policies (SRP) to prevent the execution of applications within the c:\users\<username>\Appdata folders.  You can use this to prevent over 90% of the ransomware (and other popular malware) causing the most problems currently.
  • Windows 7 AppLocker Executive Overview.
  • AppLocker Step-by-Step Guide.
• Use of strong passwords to prevent Brute Force attacks
• Add all of your SCEP clients to the MAPS “Advanced membership” as this is now detecting 20% of new variants that do not have definitions.  You can see this setting under the SCEP client’s “Settings” tab under the MAPS category.  This setting can be controlled in the same way other settings are controlled with the client. 
• Configure the Group Policy Settings for your Internet Explorer SmartScreen.
  • One method of dealing with possible vulnerabilities and their exploits above is adding Enhanced Mitigation Experience Toolkit (EMET) to your clients:
    · https://www.microsoft.com/en-us/download/details.aspx?id=50766 (Download)
    · https://www.microsoft.com/en-us/download/details.aspx?id=50802 (User Guide)
    · https://blogs.technet.com/b/srd/archive/2016/02/02/enhanced-mitigation-experience-toolkit-emet-version-5-5-is-now-available.aspx
    Note: It is important to note that EMET helps prevent exploits from unknown exploits. It would prevent the exploit from dropping the Trojan, however, if you double click on a file EMET it won't help in that situation.

1024 bit RSA encryption breaking involves four steps:

As mentioned at introduction, here we show the process and the cost to decrypt a 1024 bit RSA encryption. The reason to say that it’s “impossible” decrypt it without the Private Key is based on the cost and time spend on this task as you can see below.

1.       Sieving – Sieving allows full and virtually communication-free parallelization and can be run at any number of locations on any number of independent processors. It has always been the step that requires the bulk of computation. For a 1024-bit RSA modulus, the sieving time extrapolates to 2 to 4 million core years. 32 or 64 GB per multi-core or multi-threaded processor should work for this. 

2.       Filtering – Transforming the sieving data into a matrix. Trivial compared to steps 1 and 3. It would require a few hundred terabytes of disk space.

3.       Matrix – The Matrix requires time and memory growing as fast as it is for sieving. For a 1024-bit RSA modulus between half a million and a million core years should suffice. For each tightly coupled cluster participating in this step, a combined memory of 10 terabytes should be adequate.

4.       Final Square Root – Trivial compared to steps 1 and 3. 

At this point in time a brute-force attack against 1024-bit RSA would require about two years on a few million compute cores with many tens of gigabytes of memory per processor or mainboard. 

Cost estimate: US $20,000,000 and 2 years, assuming free development.

(Source On the Security of 1024-bit RSA and 160-bit Elliptic Curve Cryptography version 2.1, September 1, 2009)

A Day in the Life of a Malware Author:

Each morning when this person gets up ready to release their newest tool of destruction on the world, the very first thing they do is scan it with every major antimalware vendor’s latest signatures to make sure that this newest piece of malware is not detected.  This first step guarantees that the malware can be attached to e-mails and copied to file shares without detection by any current antimalware definitions.   

The second step is to ensure that the malware “plays by the rules” or make sure that it does not do anything overtly malicious so as to cause a heuristic detection by an antimalware product.  Once these two steps are completed then that malware is going to successfully get into your environment despite the presence of any antimalware application.  Then once there it can be executed with impunity as the activity is not considered “malicious” when playing by the rules. 

This is the reason that Ransomware is so effective these days.  The malware authors continually make new versions of their malware to avoid signature detection and then execute an activity that we expect and want users to perform.  We want you to encrypt your data when it is at rest so if someone steals your laptop the data is safe.  We want you to encrypt your data when it is in flight so if the file is intercepted it cannot be used by unauthorized parties. 

Therefore, when the attackers play by the rules as the example above, there is no single antimalware product that will prevent the types of infections that you are seeing.  I have said it many times, and may have actually said it to them: “If you depend on JUST your antimalware product to protect you from malware, then you will lose.”

Keeping the bad guys at bay requires a “defense in depth” policy that requires many, many layers.  This includes an antimalware, blocking specific attachment extensions, preventing execution of unsigned files, maintaining updates for applications, disabling macros in Office products to list a few.  And of all those things only the last one would have stopped the execution of this latest Locky ransomware.

Conclusion:

This article is intent to provide security tips to help to prevent Ransomware infections on your environment, following the tips described here will be more difficult to get infected. But remember:

“Antivirus up to date, Firewall, Software Updates, Block of processes are layers of defense. There's also human factor opening untrusted attachments. A classical security statement mentions that you should always be prepared and assume that you will be affected by a threat. For example, event with all layers of protection in place, plus user awareness, you may get affected because security is very dynamic and ransomware builders are very smart and every day the bad guys try to find new ways to make more victims.”

Additional References:

• Microsoft Virus and Malware  Community 
• Malware Encyclopedia
• Microsoft Malware Protection Center (MMPC) Blog
• Microsoft Security and Defense Blog
• Microsoft Security Response Center Blog
• Microsoft Cyber Trust Blog