Yorkshire Cyber Security Cluster Meeting: Ransomware
Ransomware – Daniel Dresner (University of Manchester)
- Ransomware has evolved so much that we have fake ransomware demands. Think of it as Ransomware Phishing. Once a genuine breach happens, the follow up is loads of scam phishing emails to catch people out with what they’ve seen on the news (basically a re-creation of the ransomware uh-oh message but in an email, completely harmless just a scare tactic).
- Under duress, people will click on almost anything. Click on any links and follow any prompts.
Bharat Mistry – Trend Micro (Principal Security Strategist)
- Criminal business model – looking back years ago spambots was the only way that cyber criminals did their business. Banking trojans were extremely popular until the banks introduced 2-factor authentication for security, which rendered them nullified. Ransomware then came back into fashion with cryptocurrency used for payments – a currency very hard and dependent on the currency, impossible to track. Now we’re seeing Cryptocurrency mining using slave machines (through the use of a botnet) to mine currency. Cyrptojacking is also very common which is the act of stealing currency from someone else’s wallet. When criminals mine, people think as being harmless as they’re only using the power for mining, but could easily shift to something way more malicious.
- The first three months of this year from the ‘smart protection network figures’ shows that Wannacry is still very popular and is still being detected very frequently.
- The way Wannacry was created makes it very useful, as it can self-replicate and spread across networks. Ransomware attacks are that resilient, attack vectors that were made 4+ years ago are still being detected.
- As crypto mining becomes more popular, the different types of ransomware families decline.
- Malicious apps also exist for mobile phones – nothing major in the commercial app stores but are mainly found on 3rd party app stores. For jailbroken phones such as Cydia, there are many more threats out there than just getting free music.
- Some common forms of Ransomware detection: email blocking followed by URL blocking, file detection then behaviour and machine learning detection.
- Bharat looks at the underground forums to see what people are chatting about and what their plans could be. Most of the chat is about cryptocurrency and what currencies/devices to use to mine. If they can get a server then great – if it’s in the cloud even better. A PC is step down from that but mobile phones and IoT devices are less popular.
- Q3 and Q4 of last year is when the spike of crypto mining started. It’s that popular Wannacry is being out detected by Coinminers.
- Types of coin miners out there:
- Local CoinMiner such as a file drop and just sits in the background and mines on auto-run.
- Web CoinMiner – mining when specific websites are open.
- Mobile CoinMiner – mining on phones
- IoT CoinMiner – mining on an IoT device.
- Coin mining itself isn’t illegal, and could easily be in the T&C’s of the website that you don’t view. So when you visit a website you’re automatically using your hardware to mine and you won’t even know it as they’re using your hardware on your device.
- Challenges with CoinMiners – no visual indications like ransomware, you have to look for computer resources and what’s using them. AI need to look for high usage clients which can easily detect false positives if you do anything intensive on your machine.
- Ransomware is delivered largely by social media by getting people to click and follow links from adverts. Malvertisements are huge for infecting with CoinMiners.
- CMS systems are also being used such as WordPress to host CoinMiners that will automatically download when you visit the website.
- Fileless Malware – doesn’t use a file compared to the usual malware which normally has to drop on your machine (a physical file which the anti-virus can easily look for and detect). Fileless uses the native tools on the machine such as powershell. It can tell powershell to go to a website and download more powershell code which technically isn’t being downloaded and can be ran like malware (I have a blog incoming about this).
- Fireless malware – not that popular but is on the rise. It will however directly correlate with mining as if criminals stop mining, they’ll turn to fileless malware.
- Simple things to do – change default passwords, set up devices for security and don’t use default usernames/passwords, change standard configs and apply timely patches for application and OS’s. Also try to deflect social engineering which will always be there which means training the human elements.
Thomas Chappelow – Data Protection People (A day out with Ransomware) | Principal Consultant, PCI and Information Security
- People still think ransomware is a new thing – but it originated from the 80’s. It’s only just become commercialised vs having to transfer it via cassette tapes.
- Not using the latest Windows 10 build as it’s very secure – not good for the demo. Using Windows 7 as it does still reflect upon what businesses are using.
- Using the teslacrypt cryptolocker malware whilst using Wireshark for packet sniffing and sysinternals for process inspection.
- Fresh installed Windows 7 with nothing special installed really. No antivirus installed but bitdefender is turned on.
- Malware disguised as a PDF, UAC has prompted for control permissions to make changes to the registry. The PDF is actually impersonating a trusted signed version of a windows prompt. The program has already been launched way before the UAC prompt as it wasn’t fast enough. The files are already encrypted.
- User denied access to the malware and it still encrypted the files. Even when users clicked no and were trained to look at all the prompts, it didn’t matter as it got through anyway.
- Unix/Mac platforms are still susceptible so don’t deny how vulnerable you still are.
- Indecisiveness is the number one cause of large spreading as noone has the authority to stand up and say just shut them all down. Could end up with large scale revenue loss due to a lack of leadership.
- Make sure to take all the backup systems offline so they don’t get infected either.
- The first responder should capture as much information as possible in order to try and preserve any data that may still be left.
- Try to get an impartial forensics team externally as may be bias towards their own system and cloud judgement if your job is on the line as you’re meant to protect the business. At the very least have an external audit.
- Also think about was the malware infection a cover for a real attack, what was the main agenda? Large organisations such as nuclear power stations might have a malware attack which covers a targeted attack such as messages on the screen and blocking computers, yet behind the scenes it was a targeted attack yet the actual purpose was to make the plant go nuclear.