Ransomware Part 2: Technical Analysis
The concept behind ransomware is simple: an attacker finds a way to run file-encryption software on a machine, and then demands payment in return for a decryption key. Though the implementation of ransomware varies, it follows the same infection vectors as other types of malware. These include malicious email attachments, malicious links and web browser exploits. In this respect the delivery does not vary all that much from what we are used to seeing.
Documents with malicious Microsoft Office macros have been a common vector for ransomware infection. This tactic has been widely used for ransomware since at least 2014 and includes one of the most prevalent strains through early 2016: Locky. Locky uses a document that tricks the user into enabling macros in order to view the document properly; the macro then downloads the ransomware. In March 2016 a new strain called Maktub Locker used a different tactic. It deployed an executable script that masqueraded as a text file, showed a readable document, but also executed ransomware.
Drive-by downloads also push ransomware via exploit kits to users running unpatched browsers and plugins. Last year, the Magnitude and Hanjuan kits distributed CryptoWall. The Angler exploit kit has peddled the well-known strains TeslaCrypt and CryptoWall 4.0. Radamant was detected in late 2015 being transmitted via the Rig exploit kit, but vulnerabilities in both version 1 and version 2 have allowed researchers to write and release decryptors.
Some ransomware effectively uses malicious web download links. For example, one of the newest strains, Petya, entices users with a link claiming to be a resume on Dropbox. The link instead contains a self-extracting Petya executable.
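The attachment and download lures described above (a document carrying a VBA macro project, an executable masquerading as a text file, a "resume" that is really an executable) can be triaged with a few static checks. The following is an added example, not Optiv's tooling; the sample document it builds is constructed in memory and contains no real macro code.

```python
import io
import zipfile

# Constructed sample: a minimal OOXML document that carries a vbaProject.bin part,
# which is where Office stores VBA macros (the Locky-style macro lure).
def build_macro_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()

# Locations of the macro container in Word, Excel and PowerPoint OOXML packages.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions a lure typically borrows versus extensions Windows will execute.
DOC_LIKE = (".txt", ".pdf", ".doc", ".docx", ".rtf")
EXEC_EXT = (".exe", ".scr", ".js", ".vbs", ".wsf", ".cmd", ".bat")


def classify_attachment(name: str, data: bytes) -> list[str]:
    """Return a list of findings for one attachment (empty list = nothing flagged)."""
    findings = []
    lower = name.lower()
    # 1. OOXML (zip) document that contains a VBA project: macro-enabled content.
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(part in zf.namelist() for part in MACRO_PARTS):
                    findings.append("ooxml-with-vba-macro")
        except zipfile.BadZipFile:
            findings.append("malformed-zip")
    # 2. Windows executable (MZ header) delivered under a non-executable name
    #    (the Maktub-style "text file" and the Petya "resume" lures).
    if data[:2] == b"MZ" and not lower.endswith(EXEC_EXT):
        findings.append("pe-masquerading-as-document")
    # 3. Double extension such as resume.txt.exe: the visible part looks harmless,
    #    the real extension is executable.
    parts = lower.rsplit(".", 2)
    if len(parts) == 3 and "." + parts[1] in DOC_LIKE and "." + parts[2] in EXEC_EXT:
        findings.append("double-extension")
    return findings
```

Content checks on the file header matter more than the name, because the name is exactly what the lure controls.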
Other attackers take a more direct approach. Recent Samas ransomware campaigns exploit vulnerable versions of JBoss and WildFly application servers. Attackers use a scanning and exploitation tool called JexBoss to identify targets and then install Samas.
Ransomware has also expanded to Linux and Macintosh. In November 2015, a strain called Linux.Encoder.1 was discovered. In March of 2016, KeRanger targeted Macintosh machines via a Trojanized version of Transmission BitTorrent Client. Optiv’s Global Threat Intelligence Center has seen KeRanger in the wild.
Finally, a more recent trend in ransomware involves encrypting open SMB shares, not just individual users’ files. This makes sense for an attacker because encrypting an entire share makes enterprises more motivated to pay the ransom. File share ransomware has been seen since at least March 2015, with TorrentLocker and CryptoFortress, and multiple strains now take this approach. For example, Locky has been reported to encrypt unmapped network shares. It is worth noting that the Samas strain also aggressively targets network shares.
In our next blog post, we will look into some practical, field-tested solutions for what enterprises can do to defend against the ransomware threat.