Ransomware: Mitigation Through Preparation

Editor's Notes

• #11: Notes: If it works to identify physical presence with dots or small flags they can be placed in: CA, AZ, OR, CO, IL, TX, OK, GA, FL, MA, NC, NY, PA, MN, CT, Western Canada, Eastern Canada UK, Italy, Germany, Spain, Netherlands, Israel, Sweden Malaysia, Japan, China, India, Singapore, Australia
• #12: The victim is compromised by a phishing scam or exploit kit which downloads Cryptowall. **One of the first things Lastline’s research duo noticed about Cryptowall 4.0’s unpacked malware payload is a list of hashes it uses to resolve the addresses of all the APIs it needs to call. (One hash corresponds to exactly one API.) This choice of design, as opposed to storing the API names as strings or referring to an import table, enhances the ransomware’s ability to conceal itself from antivirus software.** 2) Binary is downloaded and executed – could be hiding in a ZIP file and a script then executed, attachment such as Macros etc 3) Injected into explorer.exe - The ransomware’s activities in explorer.exe are meant to achieve persistence and hide its tracks. 4) Makes itself persistent (registry run key) - Any infected user should remember that if persistence is successful the encryption function will run again on the next reboot to encrypt any files the user created after the initial infection. Cryptowall 4.0 sets about to achieve these objectives by copying itself to the %AppData% directory, creating a registry entry that enables it to start up at each boot, terminating the primary malware process, and deleting the original file. 5) Injecting in svchost (main malware logic) - CryptoWall 4 code injected in the svchost host process. Injection into this process is increasing the privileged level of access to the compromised machine; this allows the deletion of all available shadow copies without the end user being prompted with the UAC (User Account Control) dialog to ‘Approve’ the deletion if the user has administrator level access rights - use bcdedit to turn off Windows Startup Repair 6) Downloads RSA Public encryption key from C2 server Command and control center 7) Files are temporarily encrypted with a random AES encryption from C2 server and then the RSA key is used to encrypt that AES Key - now encrypts a file's name along with its data. Win 32 API used to encrypt 8) All files are encrypted with a temporary AES encryption key, which is later encrypted with the downloaded RSA public key and embedded in the encrypted files 9) Displays the ransomware in 3 formats, png, text and HTML to ensure the user knows 10) The only way to recover is to have access to the private key which was used to encrypt the public key, the private key can then de-crypt the AES key. CryptoWall 4 actually excludes certain file extensions and directories to ensure the OS still works and obviously the user can use that terminal to pay the ransom (end goal). Any infected user should remember that if persistence is successful the encryption function will run again on the next reboot to encrypt any files the user created after the initial infection. One of the first things Lastline’s research duo noticed about Cryptowall 4.0’s unpacked malware payload is a list of hashes it uses to resolve the addresses of all the APIs it needs to call. (One hash corresponds to exactly one API.) This choice of design, as opposed to storing the API names as strings or referring to an import table, enhances the ransomware’s ability to conceal itself from antivirus software.
• #13: The bad news is that the Crypto-locker virus shows no signs becoming weak. BUT it is if anything becoming more intelligent, that being said the program is not perfect and of course has flaws which can be exploited. Many security companies are publishing excellent white papers on the details of such attacks and walking you through exactly how they work and giving some suggestions on how to fix them. One such example is one company identified that the C&C server (Crypto) sends encrypted packets to get the encryption keys and this can be isolated from getting those keys (the software essentially goes in to a loop). BUT this list of servers is in the CryptoWall code itself and changes and is encrypted. Just an example of how difficult it is to stop this. If you were fast to remove a PC from the network during the install phase then you could save your data. If you can block the code from downloading its RSA key then at the very least it will just go in to a continuous loop RSA public key packet ID is set to 7
• #14: The bad news is that the Crypto-locker virus shows no signs becoming weak. BUT it is if anything becoming more intelligent, that being said the program is not perfect and of course has flaws which can be exploited. Many security companies are publishing excellent white papers on the details of such attacks and walking you through exactly how they work and giving some suggestions on how to fix them. One such example is one company identified that the C&C server (Crypto) sends encrypted packets to get the encryption keys and this can be isolated from getting those keys (the software essentially goes in to a loop). BUT this list of servers is in the CryptoWall code itself and changes and is encrypted. Just an example of how difficult it is to stop this. If you were fast to remove a PC from the network during the install phase then you could save your data. If you can block the code from downloading its RSA key then at the very least it will just go in to a continuous loop RSA public key packet ID is set to 7
• #17: 2 week journal covers the typically reported 90%+ of data requests being within a 2 week window
• #18: Back in 2011 replication in enterprise virtual environments was done at the storage layer, and at Zerto we saw this was in the wrong place as you were locked into replicating between 2 matching storage arrays. This meant that first of all you were unable to mix and match your storage between your sites, you had the complexity of replicating per lun, it was so complicated it even required a separate mgmt software for VM integration and couldn’t fully realize all the benefits of virtualization because you were tied into the physical layer. We revolutionized BC/DR by moving the replication into the hypervisor to make it software-defined and included all of the recovery automation, removing the need for a separate solution, and enabled the simplicity of protecting on a per VM basis. And Zerto isn’t alone in this trend, everything from your security, networking and storage is now moving into the hypervisor to realize the benefits of being software defined.
• #24: Sales Notes: No overhead in production, no TBs of space like a backup product No agent required in protected VMs for this functionality Supports crash and app consistent PITs Data is compressed in the target site (on the fly by the ZVM backup service) before being sent over the wire to minimize bandwidth utilization Instant-access means the data is immediately mounted to the ZVM in the recovery site, meaning you don’t have to wait to restore the data from backup to start using it Zerto doesn’t give the workflows in the GUI for restoring app objects (like mailboxes), this can be done by mounting the data and pulling the objects out using the app tools, but Zerto has the one thing no other solution has > the actual data from the point in time required rather than the last backup Exchange mailboxes can be mounted, with no need to download, from the ZVM with the database in recovery mode to pull mailboxes and mailbox items with no disruption to production SQL and Oracle databases can instantly be mounted from the ZVM data, again no need to download first, to pull individual table data The power and possibilities of this feature are endless and it enables IT to revolutionize their approach to data protection and recovery utilizing their existing DR solution. Its literally 2 solutions in 1. SE Notes: The disk should not be left mounted for longer than journal history configured, just like a FOT. If the disk mount is kept for longer than the journal history, then the journal will expand just like a FOT Performing a failover will automatically unmount and open mounts Multiple disks can be mounted from the same checkpoint if a log and db need to be downloaded or restored