Monday 15 May 2017

About Ransomware !!!!

What Is Ransomware?

Ransomware is the fastest-growing malware threat today and is already an epidemic. According to a U.S. government interagency report, an average of more than 4,000 ransomware attacks have occurred daily since January 2016.

Ransomware is malicious software (malware) used in a cyberattack to encrypt the victim’s data with an encryption key that is known only to the attacker, thereby rendering the data unusable until a ransom payment (usually cryptocurrency, such as Bitcoin) is made by the victim.

Cryptocurrency is an alternative digital currency that uses encryption to regulate the “printing” of units of currency (such as bitcoins) and to verify the transfer of funds between parties, without an intermediary or central bank.

Ransom amounts are typically high, but not exorbitant. For example, demands for individuals typically range from $300 to $600, while larger organizations will typically pay more. In 2016, a South Carolina school district paid an estimated $10,000 ransom and a California hospital paid approximately $17,000 to cybercriminals.

These amounts quickly add up — more than $200 million in the first three months of 2016, according to the U.S. Federal Bureau of Investigation (FBI). This characteristic of ransomware is by design, in an effort to get victims to simply pay the ransom as quickly as possible, instead of contacting law enforcement and potentially incurring far greater direct and indirect costs due to the loss of their data and negative publicity.
Ransom amounts may also increase significantly the longer a victim waits. Again, this is by design, in an effort to limit a victim’s options and get the victim to pay the ransom as quickly as possible.

Ransomware is not a new virus.

Understanding How Ransomware Operates:

Ransomware is commonly delivered through exploit kits, waterhole attacks (in which one or more websites that an organization frequently visits is infected with malware), malvertising (malicious advertising), or email phishing campaigns.

Go to https://youtu.be/4gR562GW7TI to see the anatomy of a ransomware attack.

Once delivered, ransomware typically identifies the user files and data to be encrypted through some sort of embedded file extension list. It is also programmed to avoid interacting with certain system directories (such as the WINDOWS system directory, or certain program files directories) to keep the system stable enough to display the ransom demand after the payload finishes running. Files in those locations whose extensions match the list are then encrypted; all other files are left alone. After the files have been encrypted, the ransomware typically leaves a notification for the user with instructions on how to pay the ransom.
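As an added example (not from the original post), the heuristic below turns the behaviour just described into detection logic: it parses constructed file-write events and flags a process that rewrites many user files across several extensions within a short window, or drops a ransom-note file, while ignoring the system directories that ransomware avoids. The log format, process names, note file names and thresholds are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
# Constructed file-write events ("timestamp,pid,process,path"): a normal Word save,
# then one unknown process rewriting many user files and dropping a ransom note.
SAMPLE_EVENTS = """\
2017-05-15T10:00:01,4120,WINWORD.EXE,C:\\Users\\alice\\Documents\\report.docx
2017-05-15T10:02:10,5533,update.exe,C:\\Users\\alice\\Documents\\budget.xlsx.locked
2017-05-15T10:02:11,5533,update.exe,C:\\Users\\alice\\Documents\\report.docx.locked
2017-05-15T10:02:12,5533,update.exe,C:\\Users\\alice\\Desktop\\notes.txt.locked
2017-05-15T10:02:12,5533,update.exe,C:\\Users\\alice\\Desktop\\slides.pptx.locked
2017-05-15T10:02:13,5533,update.exe,C:\\Users\\alice\\Desktop\\README_DECRYPT.txt
2017-05-15T10:02:20,7001,MsMpEng.exe,C:\\Windows\\System32\\config\\software.log
"""
USER_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt"}  # watched user extensions
NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover.html"}       # assumed note file names
SYSTEM_DIRS = ("c:\\windows", "c:\\program files")  # dirs the text says ransomware skips

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, pid, proc, path = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), int(pid), proc, path))
    return events

def original_ext(path):
    """Extension of the user file beneath any appended ransomware extension, or None."""
    for suffix in reversed(PureWindowsPath(path).suffixes):
        if suffix.lower() in USER_EXTS:
            return suffix.lower()
    return None

def find_suspicious(events, window=timedelta(seconds=60), min_files=5, min_exts=3):
    """Return {pid: process} for processes that, outside system directories and within one
    window, rewrite many user files across several extensions or drop a ransom note."""
    by_pid = defaultdict(list)
    for ev in events:
        if not ev[3].lower().startswith(SYSTEM_DIRS):
            by_pid[ev[1]].append(ev)
    flagged = {}
    for pid, evs in by_pid.items():
        evs.sort()
        for i, (start, _, proc, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - start <= window]
            files = {e[3] for e in burst if original_ext(e[3])}
            exts = {original_ext(p) for p in files}
            note = any(PureWindowsPath(e[3]).name.lower() in NOTE_NAMES for e in burst)
            if note or (len(files) >= min_files and len(exts) >= min_exts):
                flagged[pid] = proc
                break
    return flagged
```

Calling `find_suspicious(parse_events(SAMPLE_EVENTS))` flags only pid 5533; the single Word save and the write under C:\Windows are ignored.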

There is no honor among thieves. Although an attacker will usually provide the decryption key for your files if you pay the ransom, there is no guarantee that the attacker hasn’t already installed other malware and exploit kits on your endpoint or other networked systems, or that they won’t steal your data for other criminal purposes or to extort more payments in the future.

During an Attack: Detect, Block, and Defend:

If your organization is under attack, fast and effective incident response is required to limit any potential damage. The specific action steps and remediation efforts to be undertaken will be different for each unique situation. However, the time to learn the breadth and extent of your organization’s incident response capabilities is not during an attack! Your incident response efforts should be well understood and coordinated — which is accomplished before an attack — and well documented and repeatable, so that you can reconstruct an incident after an attack and identify lessons learned and potential areas for improvement.

A key component of effective incident response that is often overlooked is information sharing, which includes the following:

» Communicating timely and accurate information to all stakeholders: Pertinent information needs to be provided to executives in order to ensure adequate resources are committed to response and remediation, critical and informed business decisions can be made, and appropriate information is, in turn, communicated to employees, law enforcement, customers, shareholders, and the general public.

» Automatically sharing new security intelligence throughout the architecture: Bringing together critical data from disparate systems, such as security information and event management (SIEM), threat intelligence, and sandboxing tools, enables the incident response team to quickly surface and effectively triage high-impact security incidents. For example, if a new malware payload is detected on an endpoint, it should automatically be sent to a cloud-based threat intelligence platform for analysis in order to find and extract any indicators of compromise (IoCs). Then new countermeasures should automatically be deployed and enforced.

After an Attack: Scope, Contain and Remediate

Important actions after an attack has ended include the following:

» Resuming normal business operations, including restoring backups and reimaging systems, as necessary
» Collecting and preserving evidence for law enforcement and auditing purposes
» Analyzing forensic data to predict and prevent future attacks, for example, by identifying related malware and infrastructure through the associated IP addresses, file hashes, and domains
» Performing root cause analysis, identifying lessons learned, and redeploying security assets, as necessary

Predictive threat intelligence enables a proactive security posture by allowing your organization to see the C2 infrastructure that attackers are leveraging for current and future attacks, and thereby to stay ahead of the threat.

Thanks for reading.
- Parth Patel