
Ransomware. Defending Against Digital Extortion PDF

174 Pages·2017·8.23 MB·English

Preview Ransomware. Defending Against Digital Extortion

Ransomware: Defending Against Digital Extortion
Allan Liska and Timothy Gallo

Copyright © 2017 Allan Liska and Timothy Gallo. All rights reserved. Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

November 2016: First Edition
Revision History for the First Edition: 2016-11-18: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781491967881 for release details.
ISBN 978-1-491-96788-1 [LSI]

Contents

Preface

Part I. Understanding Ransomware

1. Introduction to Ransomware
   Ransomware’s Checkered Past
   Anatomy of a Ransomware Attack
   Deployment
   Installation
   Command-and-Control
   Destruction
   Extortion
   Destruction Phase
   File Encryption
   System or Browser Locking
   The Rapid Growth of Ransomware
   Other Factors
   Misleading Applications, FakeAV, and Modern CryptoRansomware
   Summary

2. Pros and Cons of Paying the Ransom
   “Oh”
   Knowing What Is Actually Backed Up
   Knowing Which Ransomware Family Infected the System
   When to Pay the Ransom
   Ransomware and Reporting Requirements
   PCI DSS and Ransomware
   HIPAA
   Summary

3. Ransomware Operators and Targets
   Criminal Organizations
   TeslaCrypt
   CryptXXX
   CryptoWall
   Locky
   Ranscam
   Who Are Ransomware Groups Targeting?
   Evolving Targets
   Advanced Hacking Groups Move In
   Ransomware as a Service (RaaS)
   Different RaaS Models
   RaaS Disrupts Security Tools
   Summary

Part II. Defensive Tactics

4. Protecting Workstations and Servers
   Attack Vectors for Ransomware
   Hardening the System and Restricting Access
   Time to Ditch Flash
   Asset Management, Vulnerability Scanning, and Patching
   Disrupting the Attack Chain
   Looking for the Executable Post-Attack
   Protecting Public-Facing Servers
   Alerting and Reacting Quickly
   Honeyfiles and Honeydirectories
   Summary

5. Protecting the Workforce
   Knowing the Risks and Targets
   Learning How to Prevent Compromises
   Email Attachment Scanning
   Tracking Down the Websites
   Testing and Teaching Users
   Security Awareness Training
   Phishing Users
   Post Ransomware
   Summary

6. Threat Intelligence and Ransomware
   Understanding the Latest Delivery Methods
   Using the Latest Network Indicators
   Detecting the Latest Behavioral Indicators
   User Behavior Analytics
   Summary

Part III. Ransomware Families

7. Cerber
   Who Developed Cerber?
   The Encryption Process
   Cerber and BITS
   Protecting Against Cerber
   Summary

8. Locky
   Who Developed Locky?
   The Encryption Process
   Understanding Locky’s DGA
   Zepto and Bart Variants
   DLL Delivery
   Protecting Against Locky
   Block the Spam
   Disable Macros in Microsoft Office Documents
   Don’t Allow JavaScript Files to Execute Locally
   Stop the Initial Callout
   Reverse-Engineering the DGA
   Summary

9. CryptXXX
   Who Developed CryptXXX?
   Advanced Endpoint Protection Versus Sandboxing
   Crypt + XXX
   The Encryption Process
   Protecting Against CryptXXX
   Exploit Kits
   DNS Firewalls and IDS
   Stopping CryptXXX
   Summary

10. Other Ransomware Families
   CryptoWall
   Who Developed CryptoWall?
   The Encryption Process
   PowerWare
   The Encryption Process
   Protecting Against PowerWare
   Ransom32
   KeRanger/KeyRanger
   Hidden Tear
   TeslaCrypt
   Mobile Ransomware
   Ransomware Targeting Medical Devices
   Medical Devices
   Summary

Index

Preface

Tim and I have been in this industry a long time; in fact, we are at the point in our careers where we have been doing this longer than some of the people we work with have been on this planet. A lot has changed over that time, but one thing has remained constant: O’Reilly books. Books like DNS and BIND and Learning Perl still sit on our bookshelves, well-worn with heavily marked-up pages. So when we found out that O’Reilly wanted to publish this book we were thrilled, then a little scared. After all, this is O’Reilly—it has to be right. We hope this book lives up to the reputation that all of the O’Reilly authors have fostered over the last 40 years and that it will become as indispensable to our readers as other O’Reilly books have been to us.

We do want to share a couple of quick notes before you get started. The first is that unless you buy this book the day it is released and get hit by ransomware the next day, a lot of the specifics about various ransomware families mentioned will be outdated. This book is not designed to keep you updated on minute changes in ransomware behavior; instead, it is designed to be a guide for building a strategy to protect you, your family, or the organization you are defending. Use the information to understand the tactics and techniques of ransomware authors and then to take steps to prevent those techniques from being effective.

Secondly, we really want to hear from you. We hope to be able to publish multiple editions of this book until ransomware is no longer a threat. If there are things you like, and especially if there are things you don’t, please email us and let us know: [email protected] and [email protected]. Thank you.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic: Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width: Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

Constant width bold: Shows commands or other text that should be typed literally by the user.

Constant width italic: Shows text that should be replaced with user-supplied values or by values determined by context.

This element signifies a tip or suggestion.

This element signifies a general note.

This element indicates a warning or caution.

Using Code Examples

This book is here to help you get your job done. In general, if example code is offered with this book, you may use it in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Ransomware by Allan Liska and Timothy Gallo (O’Reilly). Copyright 2017 Allan Liska and Timothy Gallo, 978-1-491-96788-1.”

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at [email protected].

O’Reilly Safari

Safari (formerly Safari Books Online) is a membership-based training and reference platform for enterprise, government, educators, and individuals.

Members have access to thousands of books, training videos, Learning Paths, interactive tutorials, and curated playlists from over 250 publishers, including O’Reilly Media, Harvard Business Review, Prentice Hall Professional, Addison-Wesley Professional, Microsoft Press, Sams, Que, Peachpit Press, Adobe, Focal Press, Cisco Press, John Wiley & Sons, Syngress, Morgan Kaufmann, IBM Redbooks, Packt, Adobe Press, FT Press, Apress, Manning, New Riders, McGraw-Hill, Jones & Bartlett, and Course Technology, among others.

For more information, please visit http://oreilly.com/safari.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at http://bit.ly/ransomware-oreilly.

To comment or ask technical questions about this book, send email to [email protected].

For more information about our books, courses, conferences, and news, see our website at http://www.oreilly.com.

Find us on Facebook: http://facebook.com/oreilly
Follow us on Twitter: http://twitter.com/oreillymedia
Watch us on YouTube: http://www.youtube.com/oreillymedia

PART I. Understanding Ransomware

This book is split up into three main sections, each covering a specific area of the overall ransomware threat.

In Part I of this book (Chapters 1, 2, and 3) we provide information about understanding ransomware. What is it? Where did it come from? Should you pay the ransom? We also cover the operators of various ransomware families, who they are targeting, and what they are doing to increase their returns.
