know your threats series · better understand ransomware and the steps you can take to defeat it....

avecto.com Whitepaper Know your threats series Ransomware uncovered


Post on 22-Jul-2020



Contents

Introduction
What ransomware is and how it behaves
A typical ransomware attack chain
A brief history of ransomware
The current state of play
Who are the victims and where are they from?
Hottest targets in business
Ransomware hits the headlines
Ransomware stats
What lies ahead? The experts have their say
What can you do to protect yourself?
How Defendpoint can help
Defense in depth – reduce the attack surface
About Avecto


Introduction

Ransomware has generated plenty of headlines in the last few years, and for good reason: organizations as well as individuals have found themselves falling victim, and it is now thought to be the most profitable type of malware in history.[1] The story of ransomware goes as far back as 1989, but only in more recent years has it really emerged as the malware of choice for cyber criminals.

But why the surge in popularity? The emergence of the dark web and of cryptocurrencies such as Bitcoin has played a huge part, as they make it easier for criminals to collect the profit they desire while retaining anonymity.

It also requires less effort to set up and distribute than other forms of malware, with free ransomware kits available online to aid those wanting to get up and running as quickly as possible.

This ease of setup and potential to make money, while proving almost impossible to trace, explains ransomware's appeal. But what exactly is it, and how do attackers make their money?

[1] https://www.cisco.com/c/dam/assets/offers/pdfs/midyear-security-report-2016.pdf


What ransomware is and how it behaves

"Ransomware is more about manipulating vulnerabilities in human psychology than the adversary's technological sophistication. [It is] unique among cybercrime because in order for the attack to be successful, it requires the victim to become a willing accomplice after the fact."

James Scott, senior fellow at the Institute for Critical Infrastructure Technology

Ransomware is a type of malicious software which installs covertly, gives cyber criminals control over a computer's files by encrypting them, and demands a sum of money to regain access to those files. Often a short time limit (such as 96 hours) for payment is imposed, with the added threat that failing to pay within this time will see the files permanently encrypted or destroyed.

Usually ransomware arrives as a phishing attack via an email attachment (although it can also be planted on websites as a "drive-by download"). Often it takes the form of an executable file, document or archive, with many attachments posing as an invoice or similar in an attempt to entice the recipient to open it.


The malware runs when the attachment is opened. This can be a process as simple as the user opening a seemingly harmless Word document and enabling macros. Users typically only know they have been infected once their data has been encrypted or stolen and they are hit with the ransom demand to pay to regain access.

In this report, we take a closer look at what lies ahead, with predictions from a range of cyber security experts to help you better understand ransomware and the steps you can take to defeat it.


A typical ransomware attack chain

Attack chain diagram: "Urgent invoice" phishing email → script → payload fetched from the Internet → encrypt, persist, erase → ransom ($)

One reason that ransomware is so effective is that the cybersecurity field is not entirely prepared for its resurgence. Attacks are more successful when effective countermeasures are not in place.

The Institute for Critical Infrastructure Technology Ransomware Report


A brief history of ransomware

1989: First instance – AIDS/PC Cyborg

2005: Extortion ransomware appears

2006: First wave of modern ransomware – Archiveus Trojan uses RSA encryption

2012: Reveton instructs users to pay a fine, claiming the user's machine has downloaded copyright material or accessed child pornography

2013: Cryptolocker (the first cryptographic malware) is released

2014: Fact – by August 2014 Cryptolocker claimed more than half a million victims

February 2014: CryptoDefense released using Tor and Bitcoin

April 2014: CryptoWall exploits a Java vulnerability. Places malicious adverts on domains belonging to Disney, Facebook, The Guardian newspaper and others

August 2014: Symantec reports 700% year-on-year increase in crypto-ransomware

February 2016: Locky hides ransomware in infected Word files

March 2016: MedStar Hospital Chain hit with $18,500 demand

April 2016: FBI estimates ransomware on course to become a billion dollar industry by the end of the year

Fact: The Hollywood Presbyterian Medical Center decided to pay a $17,000 ransomware demand after being hit by Locky

Sources:
http://www.trendmicro.com.ph/vinfo/ph/security/news/cybercrime-and-digital-threats/by-the-numbers-ransomware-rising
http://blog.trendmicro.com/ransomware-one-of-the-biggest-threats-in-2016/
https://blog.knowbe4.com/a-short-history-evolution-of-ransomware


The current state of play

Ransomware is a hot topic for a reason. Since the start of 2016 an average of 4,000 ransomware attacks have occurred each day, a 300% increase on the 1,000 daily attacks seen in 2015.[2]

"Ransomware and crypto malware are rising at an alarming rate and show no signs of stopping."

Raj Samani, European technology head for Intel Security

According to recent research, 93% of phishing emails sent in the first three months of 2016 contained ransomware. That's a 789% year-on-year increase.[3]

Attackers are asking for more money too, with the average ransom demand now $679, up from $294 at the end of last year.[4]

The FBI suggests that in the first three months of 2016 alone, ransomware attacks generated $209 million for criminals. To put this in perspective, it estimates payments of $24 million were made during the whole of 2015.[5]

[2] https://www.justice.gov/criminal-ccips/file/872771/download
[3] http://phishme.com/q1-2016-sees-93-phishing-emails-contain-ransomware/
[4] http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf
[5] http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/


When businesses are hit by ransomware, there is likely to be some consideration of the best course of action to take to protect the business, customers, shareholders and employees. It is understandable that some will be tempted to pay what could be considered a relatively small sum of money to the attackers, in the hope that doing so will allow them to get back up and running as soon as possible.

The challenge here is that there is no guarantee payment will change a thing. It is possible no decryption key will ever be provided by the cyber criminals, whose main focus is on making money. There are even some reports of users paying a ransom and then being hit with another demand for even more money.

Beyond the ransom demand, there is also reputational damage to consider. This makes it difficult to put a true figure on the total financial impact of ransomware.

And then there is the issue of encouraging the ransomware business model. The more demands that are met, the more appealing ransomware becomes to the organized crime gangs behind the attacks.

Some ransomware even offers 'helpful' customer service to guide users through the process of making payment, with research suggesting as many as three out of four crypto-ransomware gangs are willing to negotiate the fee paid or extend the deadline.[6]

[6] http://www.marketwired.com/press-release/f-secures-new-ransomware-study-explores-customer-journey-getting-your-files-back-2143033.htm


Who are the victims and where are they from?

Symantec's Ransomware and Businesses report revealed 28% of infections between January 2015 and April 2016 were in the US. Canada saw 16%, Australia 11%, India 9% and the rest of the top 10 was rounded off by Japan, Italy, the UK, Germany, the Netherlands and Malaysia respectively.

Consumers remain most likely to be a victim and accounted for 57% of all infections in the first quarter of 2016. This is perhaps because businesses are becoming more aware of the risks and are more likely to have security strategies in place.

Hottest targets in business

There is evidence to suggest some sectors are more popular targets than others, with 38% of infections hitting those in the services sector. Manufacturing was the next most likely to be hit (17%), while finance, insurance and real estate collectively accounted for 10% of infections.

The Hollywood Presbyterian Medical Center was a notable victim of ransomware in February 2016. It was hit with a $17,000 demand to regain control of its systems and admitted to paying it. Patient medical records were at risk, putting the organization in a difficult situation.


High profile attacks such as this mean that security solutions that proactively protect against ransomware are vital. The need to deal with ransomware effectively, particularly for businesses handling sensitive data, is highlighted by new United States Department of Health and Human Services (HHS) guidelines stating that most attacks of this kind are a breach and should be reported by Health Insurance Portability and Accountability Act (HIPAA) regulated organizations.

The fact is that ransomware (and particularly successful attacks against major organizations) is big news, and not just in the cyber security sector. Threats such as Locky and TeslaCrypt have only increased its presence since the end of 2015. Can we expect more headlines in the coming months?


Ransomware hits the headlines


Ransomware in numbers

$679 – the average ransom demand, up from $294 at the end of 2015

4,000 attacks per day

93% of phishing emails contain ransomware

$209 million generated by ransomware attacks in 3 months

Just 34% of IT professionals 'very confident' they could recover from ransomware

Where ransomware infections strike: United States 28%, Canada 16%, Australia 11%, India 9%, Japan 4%, Italy 4%, United Kingdom 3%, Germany 2%, Netherlands 2%, Malaysia 2%, other regions 19%

Sectors hit by ransomware: Services 38%, Manufacturing 17%, Finance, Insurance & Real Estate 10%, Mining 1%; the remaining sectors in the chart (Agriculture, Forestry & Fishing; Construction; Public Administration; Retail Trade; Transportation, Communications & Utilities; Wholesale Trade) share the rest, with figures of 1%, 4%, 4%, 7%, 9% and 10% that cannot be matched to a sector from the extracted chart

Sources:
http://www.tripwire.com/state-of-security/security-data-protection/survey-only-34-of-it-pros-very-confident-they-could-recover-from-ransomware/
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf


What lies ahead? The experts have their say

If figures from the FBI are anything to go by, ransomware is on course to becoming a billion dollar industry by the end of the year. In an interview with CNN, it was reported that the actual figure could be even higher once related costs and those who pay without reporting the crime are considered.

But what else can we expect? We asked a number of cyber security experts to tell us what they think lies ahead for ransomware. Here's what they told us, in their own words:

James Maude, Avecto Senior Security Engineer

Attackers will continue to use the simplest techniques to hit as many people as possible and increase the chances of a return.

I expect to see even more variation. It won't just be endpoints that are targeted, but web servers too, as these also appeal to attackers looking to encrypt all data and backups. The Internet of Things is playing a part. Connected devices, banking systems and even digital thermostats can be targeted – anything to cause disruption.


Criminals are also seeing the value in profiling organizations and hitting them with targeted attacks. If they know the value of the data they can assess how much victims are likely to pay to get it back.

At the same time, there's also a trend for 'dumbing down' that I'd expect to see continue. Many attackers will use the simplest techniques to cast a wide net and increase the chances of a return.

Sami Laiho, ethical hacker and Microsoft MVP

The easiest part of security to compromise will no doubt always be the human sitting between the monitor and the chair.

Security is 20% technology and 80% psychology. Threatening loved ones or reputation has always been a favorite tool of any bad guy.

It is actually quite easy for us to technically prevent people from having modify access to their computer's operating system and thus block traditional malware from infecting it. What we can't do is block people from modifying their own documents, and thus being able to encrypt them and being held for ransom.


The same goes for one's camera – as long as you are allowed to Skype someone, that person can record you and threaten to release that footage. The easiest part of security to compromise will no doubt always be the human sitting between the monitor and the chair. I predict that different sorts of ransomware are going to get even more common than ever before. The thing that will change is the increase in creativity of the malware designers in coming up with new ways to threaten people for money.

Paula Januszkiewicz, independent security expert and Microsoft MVP

Nothing works better than blackmailing people using their own selfies or data and threatening to publish it online.

There is one thing we know for sure: there will be more kinds of ransomware and you will be affected, if not by your data getting encrypted then by just getting an email which can affect your peaceful afternoon.

There are four things really that in my opinion will be seen in future versions of ransomware:


1. Ransoms will be up. We can see the trend already. Cybercriminals will focus on the low-hanging fruits and as long as there are people on this planet and the popularly used methods of ransomware delivery (email etc.) work, it will still be the easiest way to make profit, so why not raise the price?

2. Public shaming. Nothing works better than blackmailing people using their own selfies or data and threatening to publish it online. Especially when data has clear business value and simply cannot go online.

3. Development of ransomware for Mac. This process has already started and there are some pieces of ransomware found working pretty well. Unfortunately, Mac may no longer maintain its reputation as a security-untouched platform and it will bring a lot of concern for organizations that use Macs for business. Ransomware is becoming a multi-platform threat; it has been seen widely on Windows, but also Linux and Android.

4. Targeted attacks. It is common knowledge how much one can earn on releasing a piece of ransomware that nobody has heard about. It is easy to create it and it is difficult to prevent it if you do not have code execution prevention implemented. People you will get emails from will present good language skills and they will be well informed about what your company does and what the possible service providers are to refer to when conducting the attacks.


James Scott, senior fellow at the Institute for Critical Infrastructure Security (ICIT), expects attacks on organizations in critical infrastructure sectors to increase.

"Hospitals are an easy target for many reasons. Employees typically lack cyber hygiene training and their technology landscape, in most cases, is eerily absent of layered security centric protocols."

What can you do to protect yourself?

The first step is to ensure that the cyber security basics are in place, from keeping up to date with the latest patches (operating system and application patching) to having appropriate backups of your data.

The US Government advises: "Prevention is the most effective defense against ransomware and it is critical to take precautions for protection. Infections can be devastating to an individual or organization, and recovery may be a difficult process requiring the services of a reputable data recovery specialist."

It sets out a number of preventative measures, including the following recommendations that Defendpoint (Avecto's endpoint security software) can help you achieve:

> Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed, and those with a need for administrator accounts should only use them when necessary

> Configure access controls – including file, directory, and network share permissions – with least privilege in mind. If a user only needs to read specific files, the user should not have write access to those files, directories, or shares

> Use application whitelisting, which only allows systems to execute programs known and permitted by security policy
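The three recommendations above can each be checked with built-in Windows cmdlets before any product is deployed. The script below is an added example, not part of the whitepaper or of Defendpoint; it assumes an elevated PowerShell 5.1 or later session on a Windows 10/Server 2016 or newer host with the AppLocker module available, and the share paths in $SharePaths are constructed sample values. It only reports, it changes nothing.

```powershell
# Added example: read-only audit of the three least-privilege / whitelisting
# recommendations quoted above. Assumes an elevated session; paths are constructed.

$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'Domain Users')
$SharePaths = @('C:\Shares\Finance', 'C:\Shares\Projects')   # constructed sample paths

# 1. Privileged accounts: who holds local administrator rights on this host?
#    Anything beyond the built-in Administrator and a dedicated admin group needs review.
function Get-LocalAdminMembers {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 2. Access controls: which broad principals can WRITE to a path that many users
#    may only need to read? Write-capable rights include Write, Modify, FullControl,
#    CreateFiles and AppendData; these are what lets ransomware overwrite the data.
function Get-BroadWriteAccess {
    param([string[]]$Paths = $SharePaths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -Path $p)) { continue }
        $acl = Get-Acl -Path $p
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id     = $ace.IdentityReference.Value
            $broad  = $BroadPrincipals | Where-Object { $id -like "*$_*" }
            $rights = $ace.FileSystemRights.ToString()
            if ($broad -and $rights -match 'Write|Modify|FullControl|CreateFiles|AppendData') {
                [pscustomobject]@{ Path = $p; Identity = $id; Rights = $rights }
            }
        }
    }
}

# 3. Application whitelisting: is an AppLocker policy in effect, and is each rule
#    collection enforced ('Enabled') rather than 'AuditOnly' or 'NotConfigured'?
function Get-AppLockerEnforcement {
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if (-not $policy) { return 'No effective AppLocker policy on this host' }
    foreach ($rc in $policy.RuleCollections) {
        [pscustomobject]@{
            Collection = $rc.RuleCollectionType   # Exe, Script, Msi, Dll, Appx
            Mode       = $rc.EnforcementMode
            Rules      = $rc.Count
        }
    }
}

'--- Local Administrators ---';        Get-LocalAdminMembers   | Format-Table -AutoSize
'--- Broad write access on shares ---'; Get-BroadWriteAccess    | Format-Table -AutoSize
'--- AppLocker enforcement ---';        Get-AppLockerEnforcement | Format-Table -AutoSize
```

A finding in the second table (for example BUILTIN\Users with Modify on a finance share) is exactly the condition the recommendation warns about, since any user-mode malware running as that user can encrypt the share's contents.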

How proactive endpoint security can help

Defendpoint is a multi-layered prevention engine that stops cyber attacks, including ransomware, by combining proactive capabilities that reduce the attack surface and disrupt the attack chain.

To stay ahead of ransomware threats, Defendpoint isolates untrusted content in a sandbox, a secure environment with no access to user data or privileges. This prevents data from being encrypted or stolen.

Uniquely, Defendpoint leverages the sandbox execution context to apply stricter whitelisting and privilege management rules. The result is that any attempt to drop and launch a ransomware payload or launch a malicious script is automatically blocked.


This context is important as it allows the user to launch the applications and scripts they need, without granting the same freedom to malware. It is this proactive approach that allows security to become a great user experience and not a barrier to productivity.

Simply put, when a user is tricked into opening a malicious document, the attack is seamlessly isolated from the user's data and any attempts to launch payloads or persist are blocked. The malware doesn't run, your data is not exposed and the threat cannot persist.


Defense in depth – reduce the attack surface

Defense in depth diagram (layers from the protected core outwards):

Assets at the core: data, credentials, intellectual property

Threats shown: known exploits, known threats, Java & Flash, browser zero days, email attachments, trusted corporate apps, pass the hash, disabling of security, privileged attacks, insider threats, root kits, APTs, unknown/unapproved apps, executables, drive-by downloads, exploit kits

Control layers shown: patching; anti-malware (endpoint and network); privilege management; application whitelisting; content isolation


About Avecto

Avecto is an innovator in endpoint security. Founded in 2008, the company exists to protect businesses from cyber attacks.

Its endpoint security software, Defendpoint, is a multi-layered prevention engine that stops malware at the endpoint. It takes a proactive approach, uniquely integrating three core capabilities of privilege management, application control and content isolation in one lightweight agent.

This unique and award-winning combination makes prevention possible, allowing businesses to build solid security foundations that protect over 6 million endpoints at many of the world’s most recognizable brands. This proactive strategy is advocated by analysts, industry experts and security professionals alike.

Avecto’s simpler and smarter approach to security makes organizations more secure from day one. For more bespoke requirements, an experienced and qualified team of consultants is available to guide the implementation and ensure project success.


Americas / Germany / UK avecto.com / [email protected]

Defendpoint by Avecto is a security software solution that makes prevention possible. For the first time, it uniquely integrates three proactive technologies to stop malware at the endpoint. It's this innovative approach that protects the operating system, software environment and your data from internal and external threats.