Threat intelligence and ransomware

Understanding the Latest Delivery Methods

Most ransomware only requires one thing to take action on your network—end-user interaction. An attacker can craft a single email with a malicious link or attachment and send out 100,000 emails in hopes that they get a 1% click-through rate.

Let’s do the math on this really quick: 500,000 emails with a click-through rate of 1% means 5,000 potential infections. According to Microsoft, in 2014, 23% of computers connected to the Internet were unprotected.¹ This would mean that out of 5,000 clicks, 1,150 potential infections would occur. According to Symantec’s most recent report, the average ransom request is $679.² Roughly 50% of people will pay the ransom, which means a take of $390,425 per email campaign. Given that the investment to get started is minimal, as noted in Chapter 4, we’re talking about anywhere from 500-2,000% ROI. Imagine getting that kind of return on a stock with a limited investment in time and money. It’s certainly better than robbing banks! These number are somewhat dated, but you get the point.

Since the primary means for spreading these is via email, digital criminals will use the names and logos of well-known organizations when creating their scam emails. This will increase a user’s likelihood of trusting the email and clicking the link. You should be suspicious of emails from shipping companies, postal services, and the like that require you to download a file to confirm receipt of an item or to follow a link to track the item. Another common method is tax return spam using common logos and personal information to make people think they’re getting a refund or are being audited. Another method we have seen gaining traction is invoice spam and credit card rewards spam.

The most common attachments use PDFs, but early in 2016, an increase in Windows script files (WSF) as a means to bypass traditional email filtering was observed. These WSF files are launched on a Windows system just like an executable. They are often included in zipped folders appearing to contain a Word doc. Once this zipped file is extracted, the WSF execution occurs and the ransomware once installed. JavaScript files are also posing as .doc files as well, which makes for ransomware that is potentially executable on a number of platforms, not simply Windows computers, but Macs and Linux boxes as well.

As more people become aware and effective at blocking these file types, the criminals will move to other techniques and file types.

One of the other common infection methods is via exploit kits like the Neutrino or Angler exploit kits (see Figure 1-1). Exploit kits are a way that criminals deliver malware through malvertisement networks.

The Neutrino exploit kit works via multiple layers of evaluation of a system and exploitation of vulnerabilities in the applications installed:

1. An end user will browse through to a web server that has been compromised.
2. The web server will make contact with the Neutrino infrastructure to perform a variety of checks for CVE2014-892, etc., and, will then use the outcome of these checks to generate a malicious JavaScript. Inside this JavaScript there are URLs that are dynamically generated by the backend system using DGAs.
3. The client’s browser will process and decode this malicious JavaScript. This script validates a number of client-side settings, including the browser version. If the browser version matches one that is exploitable by the criminal’s tools, a cookie will be dropped on the victim device and an iframe tag will be processed client-side.
4. The iframe tag causes the browser to generate another request to a URL that leads to the Neutrino kit landing page.
5. Once the victim lands on the Neutrino kit page, an object tag is delivered to the client’s browser, which will cause the client to load Flash player and use it to play a specific SWF.
6. The browser accepts the instruction and downloads the SWF.
7. Adobe Flash plays the downloaded file and exploits vulnerabilities, including:
   • CVE-2013-2551
   • CVE-2014-6332
   • CVE-2015-2419
   • CVE-2014-0569
   • CVE-2015-7645
8. If the exploitation is successful, the ransomware will download and begin its execution process.

Using the Latest Network Indicators

By properly researching all of the delivery methods, many of which are described in Part III of this book, about the major families of ransomware, you can get a baseline understanding of the network indicators you should begin looking for. Understanding the nature of the communications between the various ransomware families and their command-and-control channel will help you better understand what infection you have and if there are counter measures you can deploy. Additionally, by taking advantage of these indicators, you can potentially stop the spread of the infection to other systems.

For example, the Cyber Threat Alliance has a list of IPs and URLs associated with the command-and-control channels used in CryptoWall campaigns (see Table 1-1). This data is incredibly useful because you can use this information to block communication to and from the IPs and domains when you are attempting to interrupt the key exchanges. Keep in mind that data is in constant flux.

By creating proactive measures on your DNS servers, firewalls, and proxies and by preventing communications to, or resolution for, the IP addresses and URLs, you can lock down the communication channels and interrupt the kill chain associated with the ransomware.

Additional network indicators to look for that will help you move up the kill chain include email attachment and subject lines.³

Each type of indicator has a specific purpose in interrupting the chain of events that lead to infection and ultimately extortion. Collecting known subject lines, filenames, and file hashes will help you prevent the initial compromise. By blocking these files at the SMTP gateway, scanning all inbound files, and preventing macros from being executable on your end-point devices you are taking the first step in prevention.

The next place to interrupt the communications is in the outbound command-and-control communications by leveraging the channels used for redirection to malspam websites and known command-and-control channels. In Figure 1-2 you will see samples of traffic from the Zepto variant of Locky, this traffic is the type of network communications you should look to interrupt.⁴

However, compiling, maintaining, and updating the lists of known C2 channels in your various technologies is a gruesome task, as there is not a single repository for all network communications with every known ransomware command-and-control channel, email subject line, SHA256 hash, and attachment filename. This means you need to develop practices that leverage multiple sources of intelligence and extract it into a system by which you can visualize the indicators in a meaningful manner. You must also begin to look for patterns in the data, as well as develop a better understanding of the easiest sources of this information. You’ll find that there are a number of new (and established) vendors on the so-called threat intelligence platform (TIP)-based approach to intelligence analysis on the market. Each of the platforms has strengths and weaknesses, and though we are talking about them in general, your investigation into the platforms is best done by the team who will be working with the platform directly. Anomali, ThreatQ, and ThreatConnect are a few of the vendors out there marketing TIPs that will not only correlate open source data, from places like the CTA, Zeus Tracker, and the like, but will also integrate with many of the closed source or premium feeds, like those from the FS-ISAC, Retail-ISAC, Symantec, FireEye, and McAfee.

Detecting the Latest Behavioral Indicators

The other indicators you need to be concerned about are behavior-based indicators. Based on your understanding of user behavior, you can intercept activities associated with a particular ransomware variant and stop the destructive activities they attempt.

Figure 1-3 shows how CryptXXX leverages multiple processes to modify the file and watch for abnormal system behavior that halts and restarts the encryption if you are attempting to detect basic encryption on a system using traditional scanning and processes analysis methods.⁵ This means that you need to evaluate the process logs to determine the history of processes on the infected system and look for this type of behavior, which is ostensibly a meta analysis of the processes on the system.

By looking at the behavior of processes on your end-user systems, you can determine login and and resource access attempts and use this information to determine if a system has been compromised, how the compromise is attempting to traverse the network, and in what manner it is attempting to contact network drives or files to begin the encryption process.

Baselining your users’ behaviors is how you develop this understanding. First, you need to know who has access to what specific resources on your network. By leveraging the group policy features of Windows, you can determine which systems have access to which resources and when those resources get accessed. Additionally, in each user’s profile, you can set baseline working hours and then compare those baselines to real-time behavior. By collecting these metrics over time and continuously comparing the results of your collection to the established baselines, you will be able to identify outliers. These become investigation points for further analysis. Products like Darktrace Threat Visualizer will help you identify these outliers and automatically respond to these shifts.

Summary

Threat intelligence must be gathered from a variety of sources. You must also know your network and the users on it in order to identify abnormal behavior. Applying these indicators helps you minimize the effects of an attack and in some cases prevent attacks altogether.