Ransomware - Trends 2017
Ransomware is a type of malicious software that blocks access to the victim's data
or threatens to publish or delete it until a ransom is paid. While some simple
ransomware may lock the system in a way which is not difficult for a knowledgeable
person to reverse, more advanced malware uses a technique called cryptoviral
extortion, in which it encrypts the victim's files, making them inaccessible, and
demands a ransom payment to decrypt them. In a properly implemented cryptoviral
extortion attack, recovering the files without the decryption key is an intractable
problem, and difficult-to-trace digital currencies such as Ukash and Bitcoin are used
for the ransoms, making tracing and prosecuting the perpetrators difficult.
Ransomware attacks are typically carried out using a Trojan that is disguised as a
legitimate file that the user is tricked into downloading, or opening when it arrives
as an email attachment. However, one high-profile example, the "WannaCry worm",
traveled automatically between computers without user interaction.
Advanced ransomware can include functionality such as data corruption, exfiltration
and disruption.
Top trending ransomware
1. LOCKY
Researchers detected the first sample of Locky in February 2016. Shortly thereafter,
it made a name for itself when it infected the computer systems at Hollywood
Presbyterian Medical Center in southern California. Officials chose to temporarily
shut down the hospital’s IT system while they worked to remove the ransomware, a
decision which caused several departments to close and patients to be diverted
elsewhere. But without working data backups, the executives at Hollywood
Presbyterian ultimately decided to pay the ransom of 40 Bitcoin (70,000 USD).
In the months that followed, Locky went through at least seven different iterations:
".zepto", ".odin", ".shit", ".thor", ".aesir", ".zzzzz" and ".osiris". It also leveraged
unique distribution channels such as SVG images in Facebook Messenger and fake
Flash Player update websites.
2. EREBUS
Erebus ransomware can be distributed through several tactics. The payload file that
launches the malicious script and infects the personal computer circulates widely in
the wild. In the past, malvertising campaigns also spread it via the RIG Exploit Kit.
On top of that, the payload file may carry a description presenting it as an old,
classic RPG game, with the file being less than 1 MB in size.
The Erebus payload may also be distributed on social media sites and file-sharing
networks. Freeware programs found on the Web may be promoted as useful while
hiding the malicious script for the cryptovirus. Do not open files right after you have
downloaded them, especially if they come from dubious sources such as links and
emails. Instead, scan them first with a security tool, and also check the size and
signature of each file for anything suspicious.
3. WannaCry
WannaCry propagates using EternalBlue, an exploit of Windows' Server Message
Block (SMB) protocol. Much of the attention and comment around the event was
occasioned by the fact that the U.S. National Security Agency (NSA) had already
discovered the vulnerability, but used it to create an exploit for its own offensive
work, rather than report it to Microsoft. It was only when the existence of this
vulnerability was revealed by The Shadow Brokers that Microsoft became aware of
the issue, and issued a "critical" security patch on 14 March 2017 to remove the
underlying vulnerability on supported versions of Windows, though many
organizations had not yet applied it.
4. Zeus/Zbot
Zeus has been created to steal private data from the infected systems, such as system
information, passwords, banking credentials or other financial details and it can be
customized to gather banking details in specific countries and by using various
methods. Using the retrieved information, cybercriminals log into banking accounts
and make unauthorized money transfers through a complex network of computers.
Zbot/Zeus is based on the client-server model and requires a Command and Control
server to send and receive information across the network. The single Command and
Control server is considered to be the weak point in the malware architecture and it
is the target of law enforcement agencies when dealing with Zeus.
Types of Zeus family malware.
5. JavaScript Malware/Adware Malware
Malicious JavaScript reaches a website in several ways:
- Cyber criminals have injected malicious JavaScript code into the website.
- Attackers have compromised, through malicious JavaScript code, the online
ads/banners displayed on the website.
- Online criminals have injected malicious JavaScript code into the website's database.
- Cyber attackers have loaded malicious content or malicious software from a remote
server.
Consequently, malicious JavaScript files will be downloaded onto your PC when
you unknowingly browse an infected website.
This is called a drive-by attack and it generally includes 9 stages:
- You, as a user, unwittingly browse the compromised website.
- The malicious JavaScript files are downloaded onto your system.
- They are executed through your browser, triggering the malware infection.
- The infected JavaScript files silently redirect your Internet traffic to an exploit
server.
- The exploit kit used in the attack (hosted on the exploit server) probes your
system for software vulnerabilities.
- Once the exploit kit finds a vulnerability, it uses it to gain access to your PC's
functions.
- This grants the exploit kit the right to execute code and download additional
files from the Internet with administrator privileges.
- In the next step, malware is downloaded onto the PC and executed.
- The malware can perform damaging functions on the PC. It can also collect
information from the infected system and send it to servers controlled by
cyber criminals.
6. Microsoft Tech Scam Malware
Technical support scams are built on the deception that your computer is
somehow broken, and you need to contact technical support to fix it. You may
then be asked to pay for support. In some cases, the tech support agent may ask
you to install other software or malware disguised as support tools on your
computer, bringing in more threats that can cause even more damage.
You may come across these threats while browsing dubious websites, most
notably those that host illegal copies of media and software, crack applications,
or malware. Links or ads on these sites may lead you to tech support scam
websites, which display pages that are designed to look like error messages and
serve pop-up messages indicating fictitious errors. Some tech support scam
threats take the form of executable programs like other malware.
7. Other
- Ransom:Win32/Cerber
- Ransom:Win32/Spora
- Ransom:Win32/HydraCrypt
- Ransom:Win32/Critroni
- Ransom:Win32/Teerac
- Ransom:Win32/Troldesh
Ransomware Mitigation Recommendations
While ransomware infections may not be entirely preventable due to the
effectiveness of well-crafted phishing emails or drive-by downloads from otherwise
legitimate sites, the most effective strategy to mitigate the impact of ransomware is
having a comprehensive data backup protocol. To increase the likelihood of
preventing ransomware infections, organizations must conduct regular training and
awareness exercises with all employees to ensure a common understanding of
safe-browsing techniques and of how to identify and avoid phishing attempts.
The following is a list of ransomware mitigation recommendations:
Data Protection:
- Schedule backups of data often and ensure they are kept offline in a
separate and secure location. Consider maintaining multiple backups in
different locations for redundancy. Test your backups regularly.
- If an online backup and recovery service is used, contact the service
immediately after a ransomware infection is suspected to prevent the
malware from overwriting previous file versions with the newly encrypted
versions.
System Management
- Ensure anti-virus software is up-to-date with the latest definitions and
schedule scans as often as permitted.
- Enable automated patches for operating systems, software, plugins, and web
browsers.
- Follow the Principle of Least Privilege for all user accounts; enable User
Access Control (UAC) to prevent unauthorized changes.
- Turn off unused wireless connections.
- Disable macros on Microsoft Office software. Enterprise administrators
managing Microsoft Office 2016 should use Group Policy to block macros
for end users. Microsoft provides detailed instructions here.
- Use ad blocking extensions in browsers to prevent “drive-by” infections from
ads containing malicious code.
- Disable the vssadmin.exe tool by renaming it to prevent ransomware from
deleting Shadow Volume Copies. Instructions on how to rename this tool
are included here.
- Disable Windows Script Host and Windows PowerShell.
- Disable Remote Desktop Protocol (RDP) on systems and servers if it is not
needed in your environment.
- Use web and email protection to block access to malicious websites and
scan all emails, attachments, and downloads, and configure email servers
to proactively block emails containing suspicious attachments such as
.exe, .vbs, and .scr.
- Configure systems by modifying the Group Policy Editor to prevent
executables (.exe, .rar, .pdf.exe, .zip) from running in %appdata%,
%localappdata%, %temp%, and the Recycle Bin. CryptoPrevent is a free
tool that can help automate this process and prevent ransomware from
executing. Download it here.
- Implement a behavior blocker to prevent ransomware from executing or
making any unauthorized changes to systems or files.
- Consider utilizing a free or commercially available anti-ransomware tool by
any of the leading computer security software vendors.
- To counteract ransomware variants that modify the Master Boot Record
(MBR) and encrypt the Master File Table (MFT), Cisco Talos has released a
Windows disk filter driver called MBRFilter, available on GitHub here.
- Modify the policy for execution in PowerShell, using the administrative
templates.
- Allow the execution only of signed PowerShell scripts.
- Do not allow the saving of unknown .exe files in the %TEMP% folder.
- Do not allow the execution on unknown .exe files.
- Apply Windows restrictions such as AppLocker.
- For Mac OS X users, consider installing the free tool, RansomWhere?
Information about this tool is available on the Objective-See website here
and the tool itself can be downloaded here.
- Use NoScript/SafeScript while browsing in Firefox and Chrome.
- Keep antivirus and endpoint protection updated.
- Use AI-based advanced malware detection (e.g. Cylance).
- Harden systems according to the CIS Benchmarks and NIST guidelines.
- Submit malware samples and IOCs to your CERT.
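Several of the controls above (no executables from %appdata%, %localappdata%, %temp% or the Recycle Bin; vssadmin.exe deleting Shadow Volume Copies; Windows Script Host; PowerShell running with its execution policy bypassed) can also be monitored rather than only enforced. The following is an added example, not code from the original slides: it runs that detection logic over constructed process-creation events in an assumed pipe-delimited format (timestamp|user|image|command line); the sample events and rule names are constructed for illustration.

```python
"""Flag process-creation events that violate the endpoint recommendations above."""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# User-writable directories from which executables should not run. Matched as
# path fragments because %APPDATA%, %LOCALAPPDATA% and %TEMP% expand per user.
BLOCKED_DIRS = (
    "\\appdata\\roaming\\",   # %APPDATA%
    "\\appdata\\local\\",     # %LOCALAPPDATA%, including \Temp = %TEMP%
    "\\windows\\temp\\",      # system-wide temp
    "\\$recycle.bin\\",       # Recycle Bin
)
EXEC_EXT = {".exe", ".scr", ".vbs", ".js", ".bat", ".com"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# -ExecutionPolicy Bypass/Unrestricted (and prefix abbreviations such as -ex,
# -ep) or an -EncodedCommand/-enc/-ec/-e followed by a base64 blob.
PS_SUSPICIOUS = re.compile(
    r"-e(?:x\w*|p)\s+(?:bypass|unrestricted)\b|-e(?:c|nc\w*)?\s+[A-Za-z0-9+/=]{16,}",
    re.I,
)


@dataclass
class ProcessEvent:
    timestamp: str
    user: str
    image: str          # full path of the newly created process
    command_line: str


@dataclass
class Finding:
    rule: str
    event: ProcessEvent


def parse_event(line: str) -> ProcessEvent:
    """Parse one event line: time|user|image|command line (assumed format)."""
    ts, user, image, cmd = line.rstrip("\n").split("|", 3)
    return ProcessEvent(ts, user, image, cmd)


def in_blocked_dir(image: str) -> bool:
    low = image.lower()
    return any(frag in low for frag in BLOCKED_DIRS)


def has_double_extension(image: str) -> bool:
    """invoice.pdf.exe -> True, setup.exe -> False (the .pdf.exe trick above)."""
    stem, ext = ntpath.splitext(ntpath.basename(image).lower())
    if ext not in EXEC_EXT:
        return False
    inner = ntpath.splitext(stem)[1]
    return bool(inner) and inner not in EXEC_EXT


def is_shadow_copy_deletion(ev: ProcessEvent) -> bool:
    """vssadmin.exe removing Shadow Volume Copies, which ransomware does before encrypting."""
    cmd = ev.command_line.lower()
    return (ntpath.basename(ev.image).lower() == "vssadmin.exe"
            and "delete" in cmd and "shadows" in cmd)


def is_powershell_bypass(ev: ProcessEvent) -> bool:
    exe = ntpath.basename(ev.image).lower()
    return exe in {"powershell.exe", "pwsh.exe"} and bool(PS_SUSPICIOUS.search(ev.command_line))


def analyze(lines) -> List[Finding]:
    """Apply every rule to every event; an event may trigger several rules."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        exe = ntpath.basename(ev.image).lower()
        if in_blocked_dir(ev.image) and ntpath.splitext(exe)[1] in EXEC_EXT:
            findings.append(Finding("exec-from-user-writable-dir", ev))
        if has_double_extension(ev.image):
            findings.append(Finding("double-extension", ev))
        if is_shadow_copy_deletion(ev):
            findings.append(Finding("shadow-copy-deletion", ev))
        if exe in SCRIPT_HOSTS:
            findings.append(Finding("windows-script-host", ev))
        if is_powershell_bypass(ev):
            findings.append(Finding("powershell-policy-bypass", ev))
    return findings


# Constructed sample events: a benign Office launch, then a typical macro/JS
# dropper chain, then a benign archive tool launch by another user.
SAMPLE_EVENTS = r"""
2017-05-12T09:01:02Z|CORP\alice|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|"WINWORD.EXE" invoice.docm
2017-05-12T09:01:05Z|CORP\alice|C:\Windows\System32\wscript.exe|wscript.exe //B C:\Users\alice\AppData\Local\Temp\inv.js
2017-05-12T09:01:07Z|CORP\alice|C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe|invoice.pdf.exe
2017-05-12T09:01:09Z|CORP\alice|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2017-05-12T09:01:10Z|CORP\alice|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Roaming\update.ps1
2017-05-12T09:02:00Z|CORP\bob|C:\Program Files\7-Zip\7zFM.exe|"7zFM.exe"
""".strip().splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.event.timestamp} {f.event.user:<10} {f.rule:<28} {f.event.image}")
```

In a real deployment the event source would be Sysmon Event ID 1 or Windows Security 4688 process-creation records; the fragment-based path matching deliberately also catches binaries that copy themselves under a different user's profile.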
Network Management
- Keep firewall turned on and properly configured.
- Close and monitor unused ports.
- Block known malicious Tor IP addresses. A list of active Tor nodes updated
every 30 minutes can be found here.
- Deploy lateral movement detection software.
- Monitor malicious traffic in real time using behavioral analytics.
- Apply a defense-in-depth approach.
- Segregate the network into zones.
- During any malware outbreak in the industry, go into lockdown mode at the
entry points: restrict end-user access to social media sites and use a Web
Security Appliance or OpenDNS.
- Restrict outbound traffic between different zones.
Mobile Device Management
- For Apple iOS users: ensure your data is backed up on iCloud and
enable two-factor authentication, only download media and apps from
the official iTunes and App Stores, and avoid “jailbreaking” the
device.
- For Android users: disable the “unknown sources” option in the Android
security settings menu, only install apps from the official Google Play store,
and avoid "rooting" the device.
Post-Infection Remediation
- Alert the appropriate information security contact within your
organization if unusual activity is seen on networks, computers, or
mobile devices.
- Disconnect from networks immediately if an infection is suspected and
do not reconnect until the computer or device has been thoroughly
scanned and cleaned.
- Depending on the variant, a free decryption tool may be available. To
determine which variant infected your system, please see the
Appendix of this product or use the ID Ransomware website.
- If an infection occurs, after removing the malware and cleaning the
machine, make sure to change all system, network, and online account
passwords.
- Contingency planning, establishing a SOC, and third-party red teaming
exercises including APT simulation attacks.
Avinash Sinha:- Experienced Security Researcher with a demonstrated history of
working in the information technology and services industry. Skilled in Penetration
Testing, Vulnerability Assessments, Project Management, Health Care, IoT,
Payment Card Industry Data Security Standard (PCI DSS), Linux, HIPAA, FDA,
Information Security, and Integration. Strong Emphasis on Enterprise Security and
information technology with a Corporate-PGDBA focused in International Business
from Symbiosis.
Source: Microsoft, TrendMicro, NJSecurity & NIST.