Ransomware: Defending Against Digital Extortion
Allan Liska and Timothy Gallo

Ransomware
by Allan Liska and Timothy Gallo

Copyright © 2017 Allan Liska and Timothy Gallo. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com/safari). For more information, contact our corporate/institutional sales department: 800-998-9938 or [email protected].

Editors: Courtney Allen and Virginia Wilson
Production Editor: Colleen Cole
Copyeditor: Christina Edwards
Proofreader: Amanda Kersey
Indexer: Judith McConville
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Rebecca Demarest

November 2016: First Edition

Revision History for the First Edition
2016-11-18: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781491967881 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Ransomware, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-491-96788-1
[LSI]

Dedication

As always, Allan dedicates this book to Kris and Bruce.
Tim dedicates this book to Shelly for being patient and to his parents for buying him a VIC-20.

Preface

Tim and I have been in this industry a long time; in fact, we are at the point in our careers where we have been doing this longer than some of the people we work with have been on this planet. A lot has changed over that time, but one thing has remained constant: O’Reilly books. Books like DNS and BIND and Learning Perl still sit on our bookshelves, well-worn with heavily marked-up pages. So when we found out that O’Reilly wanted to publish this book we were thrilled, then a little scared. After all, this is O’Reilly—it has to be right. We hope this book lives up to the reputation that all of the O’Reilly authors have fostered over the last 40 years and that it will become as indispensable to our readers as other O’Reilly books have been to us.

We do want to share a couple of quick notes before you get started. The first is that unless you buy this book the day it is released and get hit by ransomware the next day, a lot of the specifics about the various ransomware families mentioned will be outdated. This book is not designed to keep you updated on minute changes in ransomware behavior; instead, it is designed to be a guide for building a strategy to protect you, your family, or the organization you are defending. Use the information to understand the tactics and techniques of ransomware authors and then take steps to prevent those techniques from being effective.

Secondly, we really want to hear from you. We hope to be able to publish multiple editions of this book until ransomware is no longer a threat. If there are things you like, and especially if there are things you don’t, please email us and let us know: [email protected] and [email protected]. Thank you.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic
    Indicates new terms, URLs, email addresses, filenames, and file extensions.
Constant width
    Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

Constant width bold
    Shows commands or other text that should be typed literally by the user.

Constant width italic
    Shows text that should be replaced with user-supplied values or by values determined by context.

TIP
    This element signifies a tip or suggestion.

NOTE
    This element signifies a general note.

WARNING
    This element indicates a warning or caution.

Using Code Examples

This book is here to help you get your job done. In general, if example code is offered with this book, you may use it in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Ransomware by Allan Liska and Timothy Gallo (O’Reilly). Copyright 2017 Allan Liska and Timothy Gallo, 978-1-491-96788-1.”

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at [email protected].

O’Reilly Safari

Safari (formerly Safari Books Online) is a membership-based training and reference platform for enterprise, government, educators, and individuals.
Members have access to thousands of books, training videos, Learning Paths, interactive tutorials, and curated playlists from over 250 publishers, including O’Reilly Media, Harvard Business Review, Prentice Hall Professional, Addison-Wesley Professional, Microsoft Press, Sams, Que, Peachpit Press, Adobe, Focal Press, Cisco Press, John Wiley & Sons, Syngress, Morgan Kaufmann, IBM Redbooks, Packt, Adobe Press, FT Press, Apress, Manning, New Riders, McGraw-Hill, Jones & Bartlett, and Course Technology, among others.

For more information, please visit http://oreilly.com/safari.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at http://bit.ly/ransomware-oreilly.

To comment or ask technical questions about this book, send email to [email protected].

For more information about our books, courses, conferences, and news, see our website at http://www.oreilly.com.

Find us on Facebook: http://facebook.com/oreilly
Follow us on Twitter: http://twitter.com/oreillymedia
Watch us on YouTube: http://www.youtube.com/oreillymedia

Acknowledgments

For a project like this there are simply too many people to thank by name. But there are some people who deserve special recognition. That starts with our superstar editor, Courtney Allen. Thank you for believing in this book after a couple of other publishers rejected the idea. I also want to thank our other editor, Virginia “Word Ninja” Wilson; thank you for pushing us along to make sure we stayed on schedule and for taking your katana to any obstacles that we encountered. Thanks also to Christina Edwards and Colleen Cole for making our words that much better.
I also want to thank my coauthor, Tim Gallo. This is the third book we have worked on together. I love bouncing ideas off each other, sharing thoughts on progress, and complaining when we get in the weeds. This has been a great experience and I have benefited a lot from your insight.

In conjunction with Tim, I can’t thank our technical editors enough: first for catching our boneheaded mistakes, but also for asking questions that made the book better and more complete.

There are a number of people I need to thank who provided insight into specific products: Rico at Carbon Black, Scott and Sarah at SentinelOne, Jason and Levi at Recorded Future, Sean and Roy at eSentire, and Brigette, Jeremiah, and Joe at ThreatSTOP. Thank you all for your support. I would also like to thank the ransomware tiger team at FireEye. I really appreciate the insights and thoughts everyone provided and the pointers that everyone gave every time I asked a few dozen questions.

Finally, I want to thank all of the researchers at security companies around the world for the great job everyone has done publishing and sharing information about ransomware. Ransomware is a serious threat to everyone, and the security industry has responded in the best possible way by making available as much information as possible so that everyone can work to better protect their customers. This is the security industry at its best, and I am very proud to be part of it.

Part I. Understanding Ransomware

This book is split up into three main sections, each covering a specific area of the overall ransomware threat. In Part I of this book (Chapters 1, 2, and 3) we provide information about understanding ransomware. What is it? Where did it come from? Should you pay the ransom? We also cover the operators of various ransomware families, who they are targeting, and what they are doing to increase their returns.