Ransomware Guide 2018
Contents

What is Ransomware? 4
History and Evolution of Ransomware 5
Moving Targets 7
Common Forms of Attack 8
A Rogue's Gallery: Most Prominent Variants of Ransomware 10
Steps to Protect Against Ransomware 13
Channel Support for Ransomware 15
Vendor Solutions 16
The Future of Ransomware 22
Glossary of Terms 22
2
|
store.exertis.co.uk
Welcome to the Exertis Ransomware Guide

Ransomware presents a great opportunity for resellers to become not only the trusted advisor for their customers but also to deliver security solutions that can help reduce the risk of a ransomware attack. It's difficult not to agree with a recent Europol report which stated that ransomware is far and away the cybercriminal weapon of choice. Whilst fear is not a marketing tactic that we embrace, it would be naive for customers, whatever their size or market, to think that it won't happen to them.

The much publicised ransomware attack on Uber illustrates that paying the ransom ($100,000) may save an immediate problem but doesn't protect you from the reputational damage which can be more harmful than the breach itself, particularly if you choose not to report it to the regulators and are subsequently found out. Almost everything Uber did should be avoided. Firstly, paying the ransom, which only perpetuates the problem: ransomware payments are set to hit record amounts. Secondly, not disclosing the breach, and thirdly, not having the right security to protect their assets and their customers' data.

Whilst the number of ransomware attacks declined considerably in 2017 (184 million versus 638 million), there was a 100% increase in new ransomware variants according to the 2018 SonicWall Cyber Threat Report. Cybercriminals will simply change their mode of attack, with IoT and mobile devices likely targets. Furthermore, encrypted traffic is becoming an increasing problem. The need to inspect SSL and TLS traffic, particularly using deep packet inspection, to protect against malware is becoming vital to protect against malicious cyberattacks.

In this guide, we have defined ransomware, traced some of its history and documented the most common forms of attack. However, we have also outlined steps that resellers can undertake to help their customers be protected against ransomware, in addition to providing information on solutions from our vendor partners. We have an experienced security team at Exertis that can work with you to protect your customers, both now and in the future. Please contact a member of my team on 01782 648200 and we will be happy to assist you.

Regards
Jason Hill
Exertis security director
DISCLAIMER
Although Exertis uses reasonable efforts to include accurate and up-to-date information, this guide is for general information and educational purposes only. It is not intended and should not be construed to constitute legal or business advice. The information provided may not be applicable to all situations and may not reflect the most current situation. Exertis reserves the right to modify the contents of this document at any time without prior notice.

Sources & Acknowledgements
Kaspersky Lab, ESET, Portnox, ZDNet, TechRepublic, CyberScoop, Computer Weekly, Barkly, Digital Guardian, SonicWall Cyber Threat Reports.
Stoke 01782 648200
|
3
What is Ransomware?

Ransomware is one of the fastest growing categories of malware, and it takes no account of business size, vertical market or geography. Whether the source is SonicWall's 2018 Cyber Threat Report, the Kaspersky Lab security bulletin or research from any number of other security providers, one theme prevails: ransomware is increasing at an alarming rate and is expected to continue to rise. SonicWall's 2017 report recorded a 167-fold increase in ransomware attacks during 2016 (to 638 million), and Kaspersky Lab reported that attacks on businesses tripled that year, against a doubling of attacks on individuals.

Whilst there are many strains, ransomware is usually defined as malicious software that encrypts data on a victim's computing device and then demands payment before restoring the data to its original form. Restoration after payment is never guaranteed. Payment is usually demanded in a cryptocurrency such as Bitcoin, which makes the recipient harder to trace. Simply put, there are two forms: cryptors, which encrypt files, and blockers (lockers), which lock the victim out of the device.

Ransomware has key characteristics that differentiate it from other malware. A cryptor uses strong encryption, in practice unbreakable without the key that only the attacker holds, and can affect all kinds of files, including documents, pictures and video. Examples include CryptoLocker, Locky and CryptoWall. The victim is shown an image or message demanding payment within a set period in order to restore the data; failure to pay in time may mean the demand increases or the data is lost for good. Demands can be for cash, but are more often for anonymous payment methods that let the cybercriminals collect the money while concealing their identity. Demands have also evolved to threaten exposure of data (doxware) rather than its loss, which for institutions such as hospitals, with patient records at risk, can be extremely damaging. Demands purporting to come from government departments or law enforcement agencies have also been used to dupe victims.

Some ransomware does not encrypt files at all but locks the victim out of the operating system, typically by preventing the device from booting and displaying a ransom demand instead. Known as locker ransomware, examples include WinLocker, Satana and Petya.

The intrusion that precedes the ransom demand often goes undetected until encryption begins. US studies have put the industry average time to detect a data breach at 214 days, with 53 per cent of breaches discovered by an external source (M-Trends). Even where anti-virus is in place, ransomware can spread to other devices connected to the network, including removable drives and servers, compounding the damage. Enterprising cybercriminals have also widened the wave of attacks through what has been described as a ransomware-as-a-service model, supplying would-be criminals with their malware for a fee or a share of the profits. Not only does this earn more for the sophisticated attackers, it also opens the door to those with less technical know-how. The dark web has likewise become a marketplace for do-it-yourself ransomware kits.
History and Evolution of Ransomware

Whilst ransomware has had some high-profile attacks recently and the sheer scale of attacks has made the news (Kaspersky estimated that the number tripled in 2016), it has a history dating back to the late 1980s. Over the last decade it has evolved continually, adding variants that avoid detection. The first recorded outbreak involved floppy disks distributed to attendees of a 1989 World Health Organization AIDS conference. The disks carried a trojan that encrypted the user's files after a set number of reboots and demanded that a ransom be sent to a post office box in Panama. Interestingly, the healthcare sector remains a key target today. The term ransomware entered the security industry vocabulary in 2005, when the trojans and their payment methods became more sophisticated. The arrival of cryptocurrencies such as Bitcoin, launched in 2009, has been instrumental in escalating attacks, since payment no longer has to pass through a traceable intermediary.

Initially ransomware was largely confined to eastern Europe, but it quickly spread, and the type of demand has also evolved. 2012 saw the first cases in the US where victims received demands appearing to come from law enforcement agencies, requesting payment for illegal online activity, unpaid taxes or traffic violations. Fear of exposure or further fines led individuals to panic and pay the scammers. By 2013, crypto-ransomware spread by email had become prevalent. CryptoLocker encrypted the victim's files and demanded payment in Bitcoin in exchange for the decryption key, threatening to destroy the key, and with it any chance of recovery, if the deadline passed. A variant doubled the demand if it was not paid within the designated time. Estimates of payments vary, but conservatively the criminals earned millions of pounds.
In 2016 a new, pyramid-scheme style of demand appeared that could potentially increase infections. Known as Popcorn Time, it offered victims a choice: pay one bitcoin (approximately £610 at the time) or pass a link to the malware on to others. If two or more people installed the file and paid, the original victim would supposedly have their files decrypted for free.

Variations continue to unfold. In May 2017 the WannaCry strain spread around the world. Whilst it temporarily crippled parts of the UK National Health Service (NHS), it also raised awareness of ransomware and of the need for adequate precautions, above all applying security updates promptly. It was estimated to have netted around $130,000 for the cybercriminals but caused far more damage through disruption to NHS services and to reputations. Shortly afterwards a further attack, dubbed Petya, NotPetya and a few other names, hit corporate networks in multiple countries. Petya is a form of locker ransomware that encrypts the disk's master file table, making the entire system rather than individual files inaccessible. Whether that attack was intended to make money or was politically motivated to cause disruption is a matter of conjecture.

Five months after WannaCry and four months after NotPetya, a new variant dubbed Bad Rabbit had reportedly hit almost 200 targets, including media organisations, an airport and an underground railway. Most victims were in Russia, and it spread through a bogus Adobe Flash update according to security vendor ESET. What is clear is that new variants and new modes of demand appear regularly, and it is a constant battle for security vendors, organisations and individuals to avoid them. As a result, ransomware remains one of the security industry's major challenges as attacks become increasingly sophisticated, harder to prevent and more damaging to their victims.
Moving Targets

No one is immune: individuals, companies, computing devices and operating systems are all potential targets for the cybercriminal. Initially individuals were the main target, but there has been a clear shift towards attacking companies of all sizes in order to capitalise on the larger rewards. Kaspersky's Security Bulletin for 2016 reported that an individual was attacked every 10 seconds and a business every 40 seconds, and that attacks on businesses tripled that year, no doubt because companies can afford to pay larger sums and want to avoid the reputational damage of losing data. Reports of how much has been paid out conflict, but some experts put the average ransom paid in 2017 at between £500 and £800, generally reported as an increase on previous years, and there were reports of UK companies stockpiling cryptocurrency in case of an attack. These figures are probably conservative, as many attacks and payments go unreported. Some industries are better targets than others, but the sectors affected include healthcare, education, IT and telecoms, entertainment and media, and financial services.

Payment is not necessarily the best policy. Cybersecurity experts have been urging victims not to pay, as it encourages more attacks, and payment carries no guarantee. A survey by the University of Kent's Interdisciplinary Research Centre in Cyber Security found that over 40% of CryptoLocker victims agreed to pay. Kaspersky claims that one in five SMBs never got their files back despite paying, and some attackers demanded a further ransom even after payment.

Estimating the value of ransomware to cybercriminals is difficult. Some reports put it at nearly £1 billion, but ransom payouts are only the tip of the iceberg. The real cost is restoring data and getting systems running again, which often takes days or weeks and costs far more than the demand itself. Add to that the reputational harm and, in many cases, the employee training that follows. According to Intermedia, nearly three out of four companies infected with ransomware lose access to their files for two days or more. Cybersecurity Ventures estimated that the WannaCry outbreak cost more than £3.8 billion, excluding the ransom payments themselves.

Small businesses and home users are perhaps the easiest targets: they typically have little or no security awareness, limited protection (perhaps just antivirus) and no backups. Because there are so many of them, criminals can demand smaller amounts that are more likely to be paid. From larger businesses criminals can demand more, knowing that the intrusion is likely to go unreported to avoid brand damage and that the business cannot afford major disruption. Organisations are also prone to human error, susceptible to social engineering, slow to apply software updates, often running outdated hardware and software, and present far more devices to attack. Nor is ransomware limited to desktops and notebooks: smartphones and even cloud servers are fair game, and Linux and Mac systems are not immune either.
Common Forms of Attack

The most common form of attack has been spam email (phishing) carrying malicious links or attachments that the user inadvertently opens. Sent to as wide an audience as possible, the mail is made to look authentic, sometimes with targeted content, to encourage opening and so raise the probability of infection. This is certainly the objective of "land and expand" ransomware, which, once inside, searches for and encrypts other systems reachable from the victim's machine. Spear-phishing is more target-specific, purporting to come from an entity or individual known to the recipient, and has likewise been used to coax the victim into opening a malicious link that ends in a ransom demand.

Because phishing has become better known and therefore more avoidable, criminals have looked for techniques that infect users without requiring them to click. Exploit kits infect computers by exploiting vulnerabilities in browsers, operating systems and plugins such as Adobe Flash and Java, with no phishing mail required. In a drive-by download the victim merely visits a web page that has been compromised, or that carries a malicious advert, and the kit attacks the visitor's browser; a watering-hole attack is the targeted form of this, in which the attacker compromises a site that the intended victims are known to visit. The Angler exploit kit appeared, via malicious adverts, on the BBC, MSN and New York Times websites, so the risk is not confined to rogue sites. Like other malware, exploit kits come and go and constantly evolve. The best-known names include Neutrino, RIG, Sundown and Angler; some are no longer active, but it is a constant battle between exploit kit developers and security vendors.

Phishing emails and exploit kits have been the popular methods, and both still depend on the victim doing something, whether opening a message or visiting a page. Technology changes constantly, however, and ransomware is no exception: WannaCry showed what happens when end-user interaction is bypassed entirely, spreading from machine to machine as a worm.
A Rogue's Gallery: Most Prominent Variants of Ransomware

Bad Rabbit
A drive-by attack in which victims download a fake Adobe Flash installer from compromised websites. It first appeared in Russia and Ukraine in 2017. The malware infects the computer and restricts the user's access to it until a ransom is paid to unlock it.

Cerber
One of the most active families, with some unique features. Firstly, it works offline: encryption does not depend on contacting a command-and-control server, so disconnecting an infected device from the internet does not stop it. Secondly, it encrypts database files, which makes it a threat to businesses. Thirdly, it talks: one of its ransom notes is a VBScript that uses text-to-speech to tell victims their files have been encrypted. Lastly, it is an example of the ransomware-as-a-service model, in which affiliates earn a percentage of the profits, and this has led to its widespread deployment. Typically delivered through a Microsoft Office attachment, the malware encrypts files with RC4 and RSA and renames them with a .cerber extension. There is no Cerber decryptor, so prevention is the only defence. Analysts believe Cerber has been particularly lucrative, with security vendor Check Point estimating it could have netted $2.3 million in 2016.

Crysis
Spread mostly through deceptive emails containing infected attachments and through fake software updates, it follows the usual path of encrypting files, marking each file and changing its extension depending on the variant. It uses AES and RSA. In May 2017, 200 master keys were released, allowing victims to decrypt their files, and vendors including ESET and Kaspersky have provided decryption tools.

CryptoLocker
Dating back to 2013, the original CryptoLocker was shut down in 2014, but not before it had extorted a reported $3 million from its victims. It used RSA public-key cryptography to encrypt widely used file types such as .doc and .xls, with the private key held only on the criminals' control servers, and relied on a variety of techniques to persuade users to click malicious links or open infected attachments. Its success has been widely copied: a number of unrelated but similarly named variants have appeared that have no direct link to the original, and the name has become almost synonymous with ransomware.

CryptoWall
First appearing in 2014, with later variants using names such as CryptoBit and CryptoDefense. It typically arrives through spam email, exploit kits served through malicious adverts or compromised sites, or other malware. Once executed, the trojan creates registry entries so that it runs every time the computer restarts and records the paths of the files it has encrypted. It encrypts files with particular extensions using a 2048-bit RSA public key and drops instruction files explaining how to obtain the decryption key.

CTB-Locker
Like other crypto-ransomware, CTB-Locker encrypts the user's personal data. The most prevalent delivery method is spam email carrying a fake invoice compressed in a .zip or .cab archive. It can also arrive by drive-by download, where a user unknowingly visits an infected website and the malware is downloaded and installed without their knowledge. Once it has infected a computer, CTB-Locker uses elliptic curve cryptography to lock the user's files.

DoubleLocker
ESET researchers discovered DoubleLocker, an Android ransomware that combines a cunning infection mechanism with two tools for extorting money. It abuses Android accessibility services, a popular trick among cybercriminals. Its payload changes the device's PIN, locking the victim out, and also encrypts the victim's data. It is distributed mostly as a fake Adobe Flash Player through compromised websites.

Jigsaw
Instilling fear and pressuring victims to pay is the hallmark of Jigsaw. It encrypts files and then deletes them progressively, on an hourly basis, increasing the demand each time. It typically displays Billy the puppet from the Saw films, from which it takes its name. Where other ransomware only threatens to delete files, Jigsaw actually does so if the demand is not met in time. Otherwise it resembles other cryptors, scanning the system for files and encrypting them with AES.

KeRanger
KeRanger is notable as the first functional ransomware targeting Mac OS X. It was briefly distributed in a compromised version of the installer for the Transmission BitTorrent client. It waits three days after installation before starting to encrypt, in an attempt to evade detection by antivirus tools.

LeChiffre
Unlike most ransomware, LeChiffre is not distributed by malicious email attachments, fake updates or other trojans; it is deployed by hand. The attackers break into a network, look for exposed remote desktop services and run the malicious executable on the servers they reach. Files are encrypted with RSA-1024.

Locky
Locky is similar to other ransomware but has more capable features that make it harder to detect and eradicate. Since its release in 2016 it has continued to evolve and can encrypt more than 160 file types, including source code and databases. It spreads through fake emails with infected attachments (.doc, .xls or .zip). The opened document does not display correctly and asks the user to 'enable macro if data encoding is incorrect'; once macros are enabled, Locky encrypts files using RSA-2048 and AES-128. Keys are generated on the server side, making manual decryption impossible, and Locky can encrypt files on all fixed drives, removable drives, network shares and RAM disks. Locky has a habit of disappearing and reappearing with new strains, Lukitus being a recent example.

Petya and NotPetya
Affecting thousands of computers in 2016 and 2017, these are two related forms of malware that differ from most ransomware. Rather than searching out specific files and encrypting them, Petya encrypts the master file table (MFT) so that the file system becomes unreadable and Windows fails to boot, rendering the whole hard drive inaccessible. Some versions encrypt both files and the MFT. The original Petya required the victim to download it from a spam email, launch it and grant it administrator permissions. A new variant surfaced in June 2017 and was blamed for the massive attack on high-profile organisations in Ukraine (banks, airports and the Chernobyl nuclear facility) and elsewhere in Europe. It spread rapidly across computers and networks without spam emails or social engineering, using several different methods to propagate without human intervention and encrypting everything it reached, and was dubbed NotPetya by Kaspersky. Some security experts believe it was not intended to raise revenue but to destroy data and damage systems beyond repair: more akin to cyberwarfare than ransomware.

TorrentLocker
Delivering targeted emails to specific regions by impersonating local post offices, energy or telecom companies, and aimed at Microsoft Windows, TorrentLocker encrypts the victim's files in a similar way to CryptoLocker, using AES. It was also said to harvest email addresses from the victim's address book to spread the infection further.

WannaCry
WannaCry will probably be remembered as the malware that put ransomware in the public consciousness. Its attack in May 2017 made headline news around the world, hitting an estimated 200,000 machines in 150 countries and crippling parts of the UK NHS. It propagated as a worm: infecting Windows machines through the EternalBlue exploit for an SMB flaw, it spread from one unpatched system to the next with no user interaction. The exploit was developed by the US National Security Agency and leaked by the Shadow Brokers group. Microsoft had patched the flaw in supported versions of Windows two months before the outbreak, and afterwards released an emergency patch for older unsupported versions such as Windows XP. A kill switch domain discovered by a young security researcher halted that wave. Despite its notoriety, its ransom haul was relatively insignificant, and it has continued to attack unpatched systems.

ZCryptor
ZCryptor is unusual in exhibiting worm-like behaviour, encrypting files and self-propagating to other computers and network devices without malicious spam or an exploit kit. It arrives by common means, masquerading as the installer of a popular program (e.g. Adobe Flash) or through malicious macros in a Microsoft Office file. Once inside, the cryptoworm copies itself to external and flash drives so that it is carried to other computers, and then starts encrypting files.
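Several of the families above share an observable signature: a single process rewrites many files with random-looking content and renames them to a new extension (.cerber, .locky) within seconds, which is also the behaviour that rollback features such as the System Watcher mentioned under Vendor Solutions react to. The following is an added example written for this guide, not code from Exertis or any vendor: a Python detector that scores processes from a file-system audit trail using three heuristics (rename burst to one extension, known ransomware extensions, and Shannon entropy of written data). The event format, the process IDs and the sample events are constructed; the extension list contains only the two the guide names.

```python
"""Behavioural ransomware detection over file-system audit events (added example)."""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# File extensions that families described in the guide append to encrypted files.
KNOWN_RANSOM_EXTENSIONS = {".cerber", ".locky"}


@dataclass
class FileEvent:
    ts: float           # event time in seconds (constructed, not a real audit log format)
    pid: int            # process that performed the operation
    op: str             # "rename" or "write"
    path: str           # file acted on
    new_path: str = ""  # destination for renames
    data: bytes = b""   # bytes written, for writes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random content, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def max_events_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_processes(events, window=60.0, rename_threshold=20, entropy_threshold=7.5):
    """Return {pid: verdict}; a verdict lists why a process looks like a cryptor."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)

    report = {}
    for pid, evs in by_pid.items():
        renames = [ev for ev in evs if ev.op == "rename"]
        writes = [ev for ev in evs if ev.op == "write"]
        new_exts = Counter(extension(ev.new_path) for ev in renames)
        burst = max_events_in_window([ev.ts for ev in renames], window)
        dominant_ext, dominant_count = (new_exts.most_common(1) or [("", 0)])[0]
        high_entropy = sum(1 for ev in writes
                           if len(ev.data) >= 256 and shannon_entropy(ev.data) >= entropy_threshold)

        reasons = []
        known = new_exts.keys() & KNOWN_RANSOM_EXTENSIONS
        if known:
            reasons.append("renames to known ransomware extension " + ", ".join(sorted(known)))
        if burst >= rename_threshold and dominant_count >= 0.8 * len(renames):
            reasons.append(f"{burst} renames to {dominant_ext!r} within {window:g}s")
        if high_entropy >= rename_threshold:
            reasons.append(f"{high_entropy} high-entropy writes (>= {entropy_threshold} bits/byte)")

        report[pid] = {"renames_in_window": burst, "high_entropy_writes": high_entropy,
                       "reasons": reasons, "suspicious": bool(reasons)}
    return report


def pseudo_random_bytes(seed: str, n: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 chain) so the example runs offline."""
    out, block = bytearray(), seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_events():
    """Constructed audit trail: a backup job (pid 1001) and a Cerber-like cryptor (pid 4242)."""
    events = []
    # Benign: plain-text report writes spread over two minutes plus two temp-file renames.
    for i in range(30):
        events.append(FileEvent(ts=i * 4.0, pid=1001, op="write", path=f"/backup/report_{i}.txt",
                                data=(f"quarterly report {i}: revenue 12345\n" * 20).encode()))
    events.append(FileEvent(ts=10.0, pid=1001, op="rename", path="/backup/a.tmp", new_path="/backup/a.bak"))
    events.append(FileEvent(ts=90.0, pid=1001, op="rename", path="/backup/b.tmp", new_path="/backup/b.bak"))
    # Malicious: 30 documents overwritten with random-looking bytes and renamed to .cerber in 20 seconds.
    for i in range(30):
        t = 100.0 + i * 0.6
        events.append(FileEvent(ts=t, pid=4242, op="write", path=f"/home/u/docs/{i}.docx",
                                data=pseudo_random_bytes(f"doc{i}", 2048)))
        events.append(FileEvent(ts=t + 0.1, pid=4242, op="rename", path=f"/home/u/docs/{i}.docx",
                                new_path=f"/home/u/docs/{i}.cerber"))
    return events


if __name__ == "__main__":
    for pid, verdict in score_processes(build_sample_events()).items():
        print(pid, "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

The entropy test is what catches families that use a random extension per file: a document that has just been encrypted has no byte-frequency structure left, whereas the backup job's text stays well under the threshold. In a real deployment the thresholds need tuning against compressors and archivers, which also write high-entropy output but rarely rename dozens of user documents in one minute.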
Steps to Protect Against Ransomware When it comes to ransomware, prevention is much better than cure. Here are some steps that can be taken to reduce the chances of attack and to mitigate against loss of data.
(1) Back up: The only guarantee against loss of data is to back up regularly and to have a recovery process in place that makes a ransomware attack survivable. A good routine backs up all important files and documents to an external drive or server that is not connected to, and cannot be reached from, the network. Some ransomware looks for backup systems on the network, so keeping a copy offline is crucial, and external drives should be connected only while the backup runs. Encrypting the backed-up data is also good practice. Many experts recommend the simple 3-2-1 rule: three copies of each file, on two different media, with one copy in a separate location. It is equally important to check that the backup has captured the necessary data and that, in the event of an attack, the information can actually be restored correctly, so test restores regularly.

(2) Use robust anti-virus: Security vendors work constantly to protect users from all forms of malware; make sure you are running the latest version. Adding a further layer of endpoint security is also recommended, one that can detect threats such as harmful links, phishing and viruses before they reach the device.

(3) Keep software up to date: Applying software patches and using current software makes it much harder for criminals to compromise your system or device. Exploit kits rely on users running vulnerable software.

(4) Be alert to unsolicited spam mail and suspicious websites: Never open attachments from someone you don't know, and browse the web with care. Treat attachments with executable extensions such as .exe, .vbs and .scr as hostile, including when they are hidden inside an archive or behind a double extension such as invoice.pdf.exe. Robust email filtering can stop spam and potentially malicious mail from entering the network at all.

(5) Don't enable macros: Disabling macros reduces the chance of infection from malicious Office documents, which is how families such as Locky and Cerber typically arrive. Office 2016 adds a Group Policy setting that blocks macros in documents downloaded from the internet.

(6) Restrict admin and system access: Some ransomware needs administrator rights to do its worst, so keep administrative access to a minimum and do not use privileged accounts for everyday work. Application whitelisting prevents unapproved executables from running even if they have been downloaded.

(7) Segment the company network: Separate functional areas with firewalls so that an infection in one segment cannot reach the file shares and backups in another.

(8) Train employees: Investing time in training employees about cybersecurity can save a company from a malware attack. The majority of ransomware infections start with user error.
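Steps 4 and 5 are the ones a mail gateway can enforce mechanically: block executable attachment types, unmask double extensions, look inside archives (the fake-invoice .zip that CTB-Locker uses) and refuse Office documents that carry a VBA project (the Locky lure). The following is an added example for this guide, not code from Exertis or any vendor: a Python attachment policy using only the standard library. The extension lists beyond .exe, .vbs and .scr, the nesting and size limits, and the rule that uninspectable formats such as .cab are quarantined rather than blocked are all assumptions of this example; the sample attachments are constructed and contain no real malware.

```python
"""Mail-gateway attachment policy for the ransomware lures in steps 4 and 5 (added example)."""
import io
import zipfile

# Executable types to block (the guide names .exe, .vbs and .scr; the rest are our additions).
EXECUTABLE_EXTS = {".exe", ".vbs", ".scr", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}
MACRO_ENABLED_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
OOXML_EXTS = {".docx", ".xlsx", ".pptx"} | MACRO_ENABLED_EXTS
UNINSPECTABLE_ARCHIVE_EXTS = {".cab", ".rar", ".7z"}   # not opened here: quarantine (assumed policy)
MAX_DEPTH = 3                          # nested-archive limit
MAX_MEMBER_BYTES = 50 * 1024 * 1024    # refuse to expand huge members (zip-bomb guard)


def suffixes(name: str) -> list:
    """All dotted suffixes of the base name: 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def inspect(name: str, data: bytes, depth: int = 0) -> list:
    """Return [(member_name, reason), ...] for everything found in an attachment."""
    findings = []
    sfx = suffixes(name)
    ext = sfx[-1] if sfx else ""

    if ext in EXECUTABLE_EXTS:
        findings.append((name, f"executable attachment type {ext}"))
        if len(sfx) > 1:
            findings.append((name, "double extension disguising an executable"))
    if ext in MACRO_ENABLED_EXTS:
        findings.append((name, "macro-enabled Office document"))
    if ext in OOXML_EXTS and zipfile.is_zipfile(io.BytesIO(data)):
        # OOXML is a zip; a VBA project inside it is stored as vbaProject.bin whatever the extension says.
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            if any(n.endswith("vbaProject.bin") for n in doc.namelist()):
                findings.append((name, "embedded VBA project"))
    if ext in UNINSPECTABLE_ARCHIVE_EXTS:
        findings.append((name, "archive format not inspected"))
    if ext == ".zip":
        if depth >= MAX_DEPTH:
            findings.append((name, "archive nested too deeply"))
        elif not zipfile.is_zipfile(io.BytesIO(data)):
            findings.append((name, "corrupt or disguised zip"))
        else:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}/{info.filename}"
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append((member, "member too large to inspect"))
                    elif info.flag_bits & 0x1:  # encrypted member: the 'password is in the email' lure
                        findings.append((member, "password-protected member"))
                    else:
                        findings.extend(inspect(member, zf.read(info), depth + 1))
    return findings


BLOCK_PREFIXES = ("executable", "double", "macro-enabled", "embedded")


def decide(name: str, data: bytes) -> tuple:
    """'block' on definite payload indicators, 'quarantine' for anything not inspectable, else 'allow'."""
    findings = inspect(name, data)
    if any(reason.startswith(BLOCK_PREFIXES) for _, reason in findings):
        return "block", findings
    return ("quarantine" if findings else "allow"), findings


# --- constructed sample attachments (not real malware) -------------------------------------
def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def make_docx(with_macro: bool) -> bytes:
    """Minimal OOXML-shaped zip; the macro variant carries a placeholder vbaProject.bin."""
    members = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}
    if with_macro:
        members["word/vbaProject.bin"] = b"constructed VBA blob"
    return make_zip(members)


if __name__ == "__main__":
    samples = {
        "invoice.zip": make_zip({"invoice.pdf.exe": b"MZ constructed"}),          # CTB-Locker style lure
        "report.docx": make_docx(with_macro=False),
        "report.docx (macro)": make_docx(with_macro=True),                       # Locky style lure
        "nested.zip": make_zip({"inner.zip": make_zip({"update.scr": b"MZ"})}),
        "statement.cab": b"MSCF constructed",
    }
    for attachment, payload in samples.items():
        verdict, why = decide(attachment.split(" ")[0], payload)
        print(f"{attachment:22} -> {verdict:10} {why}")
```

Two design points matter in practice. The decision is made on what is inside the archive, not on the archive's own extension, because the lure is always a harmless-looking container; and anything the gateway cannot open (password-protected members, formats it has no parser for, archives nested beyond the depth limit) is quarantined rather than allowed, since an uninspected attachment is exactly what an attacker will send next.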
Channel Support for Ransomware Security threats of any kind provide the channel with an opportunity and ransomware is no exception. Whilst fear isn’t the most productive marketing tactic, companies need to accept that the threat of ransomware is real and that prevention is certainly better than cure. Losing valuable and possibly sensitive data, business downtime, loss of reputation and in some cases business closure are reasons to take the threat seriously. Earlier this year, a survey conducted by Vanson Bourne revealed that 83 per cent of resellers believed that ransomware would be their customers’ biggest concern in 2017. More concerning was that 45 per cent of resellers thought that less than half of their customers had the proper resources in place to adequately manage incoming security alerts. Company size or industry isn’t a criteria for cybercriminals but opportunity is. Resellers also have an opportunity to be not only the trusted adviser in security matters for their customers but also to help them provide the right solutions from their vendor partners that can at least minimise the risk and, if they still fall foul to an attack, have the means to recover as quickly as possible. In turn, Exertis is also able to support resellers providing best of breed security vendors, specialist expertise and support for customers by investing in knowledgeable people and valueadded services including pre and post-sales support, training and enablement initiatives, and innovative tools. Exertis has 31 dedicated professional services staff with an average of 4 vendor accreditations per team member to deliver a range of pre and post-sales support services and training for resellers. Pre-sales support is free to resellers and their customers and includes specifying the right solution from the vendor that best fits their needs, providing a proof of concept by demonstrating the technology and loaning any hardware that may be required. 
Free technical and on-site support is provided, if required, during this period. Exertis can further support resellers with a post-sales managed service wrap from its technical support centre, an ISO 27001 accredited service. These services support resellers’ business from straightforward ‘break-fix’ through to a 24/7/365 complete, white-label, managed service with pre-defined SLAs. Exertis offers these professional services on behalf of SonicWall, Kaspersky, ESET, Portnox, Vasco and Cyphort.
Exertis also provides JEM, a provisioning tool which customers can use to take advantage of its as-a-service portfolio. Its security/software-as-a-service offering includes firewalls, e-mail, disaster recovery, load balancing, anti-virus and authentication. More and more end users are looking to buy their software and use hardware on an as-needed basis, scaling their requirements up and down accordingly. The tool provides resellers and managed service providers with full control of quoting and ordering. JEM is designed to be customer-facing: resellers can build their monthly quote with the various products required, adjust margins to their liking by figure or percentage, and export personalised quotations on their company’s letterhead. Adding licences or firewalls can be easily administered by the reseller, safe in the knowledge that the back-end systems take care of the request.
Vendor Solutions Exertis can provide resellers with propositions from vendors that can offer the following solutions.
The Fight Against Ransomware Continues
2017 – the year global enterprises and industrial systems were added to the ever-growing list of victims, and targeted attackers started taking a serious interest in the threat. It was also a year of consistently high attack numbers, but limited innovation.
In 2017, we saw ransomware apparently being used by advanced threat actors to mount attacks for data destruction rather than for pure financial gain. The number of attacks on consumers, SMBs and enterprises remained high, but they mainly involved existing or modified code from known or generic families. Is the ransomware business model starting to crack? Is there a more lucrative alternative for cybercriminals motivated by financial gain? One possibility could be cryptocurrency mining. Kaspersky Lab’s threat predictions for cryptocurrencies in 2018 suggest a rise in targeted attacks for the purpose of installing miners. While ransomware provides a potentially large but one-off income, miners can result in lower but longer earnings, and this could be a tempting prospect for many attackers in ransomware’s current turbulent landscape. But one thing’s for sure: ransomware won’t just disappear, neither as a direct threat nor as a disguise for deeper attacks.
Through intelligence: Kaspersky Lab has monitored the ransomware threat from the start, and was one of the first to provide regular threat intelligence updates on extortion malware in order to boost industry awareness. The company publishes regular overviews of the evolving ransomware landscape.
Through technology: Kaspersky Lab offers multi-layered protection against this widespread and increasing threat, including a free anti-ransomware tool that anyone can download and use, regardless of the security solution they use. The company’s products include a further layer of technology, System Watcher, which can block and roll back malicious changes made on a device, such as the encryption of files or blocked access to the monitor.
Through collaboration: On July 25, 2016, the No More Ransom initiative was launched by Kaspersky Lab, the Dutch National Police, Europol, and McAfee. It is a unique example of the power of joint public-private collaboration to both fight cybercriminals and help their victims with expertise, tips and decryption tools. One year on, the project has 109 partners and is available in 26 languages. The online portal carries 54 decryption tools, which between them cover 104 families of ransomware. To date, more than 28,000 devices have been decrypted, depriving cybercriminals of an estimated US$9.5 million in ransom.
16
|
store.exertis.co.uk
Why Cyber Criminals Hate the SonicWall Capture ATP Cloud Sandbox
The growth of cyber threats is astounding. Attackers combine the opportunistic nature of automation with a software vendor’s mindset to continually evolve their threats, all in an effort to have as broad a reach as possible without detection. Given the negative impact incurred by any organisation that suffers a data breach or ransomware attack, detecting malicious code before it has an impact within your network is imperative. The real challenge isn’t the ransomware that has already spread around the internet; it’s targeted attacks and zero-day threats. Targeted attacks involve never-before-seen code purpose-built for the organisation being attacked, while zero-day threats exploit newly discovered vulnerabilities for which vendors have yet to issue patches. Organisations need to be most concerned with these types of attacks, which are usually far more successful than their older counterparts.
Mitigating ransomware
So, what’s the best way to prevent a threat from emanating from within your customer’s network? You have a few choices in terms of where you choose to address malicious attacks and how you detect and eliminate them. The goal is to detect and remove malicious code as close to the source of the attack as possible. As far as where to address an attack, organisations typically fall into two camps: the endpoint security camp, in which malicious code makes its way to an endpoint and is then detected and destroyed, and the sandboxing camp, where malicious code is identified and destroyed before it enters the network.
How a sandbox works
A sandbox, such as the SonicWall Capture Advanced Threat Protection (ATP) service, acts as a ‘sacrificial lamb’ environment, monitoring malicious code and its interaction with the OS. Sandboxes look for the following:
• OS calls: including monitoring system calls and API functions.
• File system changes: any kind of action, including creating, modifying, deleting and encrypting files.
• Network changes: any kind of abnormal establishment of outbound connections.
• Registry changes: any modifications to establish persistence or changes to security or network settings.
• Beyond and between: monitoring of instructions that a program executes between OS calls, to supplement the context of other observations.
Until there’s a 100 percent effective solution, both technologies will likely remain important layers of defence. Sandboxing can provide a pre-emptive edge, if it’s deployed in the right way.
Deploy a modern cloud sandbox
While protecting the endpoint is important, relying on it alone can put an organisation at even greater risk by allowing malicious code into the network. SonicWall Capture ATP provides a means to stop threats before they enter the network, and it should be a core component of any modern cybersecurity strategy. SonicWall Capture ATP is a cloud-based, multi-engine sandbox designed to discover and stop unknown, zero-day attacks, such as ransomware, at the gateway with automated remediation. Capture ATP executes suspicious code and analyses its behaviour simultaneously in multiple engines. This provides your customers with comprehensive visibility into malicious activity, while resisting evasion tactics and maximising zero-day threat detection. When paired with a SonicWall next-generation firewall, it’s the strongest defence against malware and other unknown cyber attacks. To learn more about SonicWall Capture ATP, please visit www.sonicwall.com/capture or contact Exertis on 01782 648200 today.
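An added example (not SonicWall’s code) of the behavioural triage a sandbox performs over the indicator classes listed above: file rewrites that leave encrypted copies behind, a persistence change in the registry, an outbound connection and a dropped ransom note. The JSON-lines trace format, the two constructed traces, the thresholds and the internal address ranges are all assumptions made for this example.

```python
import ipaddress
import json
import ntpath

# Constructed sample sandbox trace (assumed JSON-lines format, one observed
# action per line) for a suspicious attachment being detonated.
SUSPICIOUS_TRACE = r"""
{"t": 0.10, "type": "process",  "op": "start",   "name": "invoice.pdf.exe"}
{"t": 0.35, "type": "file",     "op": "read",    "path": "C:\\Users\\bob\\Documents\\q1.xlsx"}
{"t": 0.36, "type": "file",     "op": "write",   "path": "C:\\Users\\bob\\Documents\\q1.xlsx.locked"}
{"t": 0.37, "type": "file",     "op": "delete",  "path": "C:\\Users\\bob\\Documents\\q1.xlsx"}
{"t": 0.40, "type": "file",     "op": "read",    "path": "C:\\Users\\bob\\Documents\\plan.docx"}
{"t": 0.41, "type": "file",     "op": "write",   "path": "C:\\Users\\bob\\Documents\\plan.docx.locked"}
{"t": 0.42, "type": "file",     "op": "delete",  "path": "C:\\Users\\bob\\Documents\\plan.docx"}
{"t": 0.45, "type": "file",     "op": "read",    "path": "C:\\Users\\bob\\Pictures\\cat.jpg"}
{"t": 0.46, "type": "file",     "op": "write",   "path": "C:\\Users\\bob\\Pictures\\cat.jpg.locked"}
{"t": 0.47, "type": "file",     "op": "delete",  "path": "C:\\Users\\bob\\Pictures\\cat.jpg"}
{"t": 1.20, "type": "registry", "op": "set",     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "invoice.pdf.exe"}
{"t": 1.50, "type": "network",  "op": "connect", "dst": "203.0.113.7", "port": 443}
{"t": 2.00, "type": "file",     "op": "write",   "path": "C:\\Users\\bob\\Desktop\\HOW_TO_RECOVER.txt"}
"""

# Constructed benign trace: an updater writing a temp file and talking to an
# internal server.
BENIGN_TRACE = r"""
{"t": 0.10, "type": "process",  "op": "start",   "name": "updater.exe"}
{"t": 0.20, "type": "file",     "op": "write",   "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\cache.tmp"}
{"t": 0.30, "type": "network",  "op": "connect", "dst": "10.0.0.5", "port": 445}
"""

# Address ranges treated as "inside the network" (assumption); anything else
# counts as an outbound connection worth flagging.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Registry locations commonly used to survive a reboot (lower-cased suffixes).
PERSISTENCE_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
# Words that typically appear in the name of a dropped ransom note.
NOTE_WORDS = ("recover", "decrypt", "readme", "restore")


def parse_trace(text):
    """Parse a JSON-lines trace into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def analyse(events, rewrite_threshold=3):
    """Return (indicators, verdict) for one sandbox run.

    A document counts as "rewritten" when a new file is written whose name is
    the original name plus an extra extension and the original is then
    deleted: the pattern an encrypting ransomware leaves behind.
    """
    deleted = {e["path"] for e in events if e["type"] == "file" and e["op"] == "delete"}
    rewritten, notes = set(), []
    for e in events:
        if e["type"] != "file" or e["op"] != "write":
            continue
        stem, ext = ntpath.splitext(e["path"])   # "q1.xlsx.locked" -> ("...q1.xlsx", ".locked")
        if stem in deleted:
            rewritten.add(stem)
        if ext == ".txt" and any(w in ntpath.basename(stem).lower() for w in NOTE_WORDS):
            notes.append(e["path"])
    persistence = [e["key"] for e in events
                   if e["type"] == "registry" and e["op"] == "set"
                   and e["key"].lower().endswith(PERSISTENCE_KEY_SUFFIXES)]
    outbound = [f'{e["dst"]}:{e["port"]}' for e in events
                if e["type"] == "network" and e["op"] == "connect" and not is_internal(e["dst"])]

    indicators = {
        "rewritten_count": len(rewritten),
        "mass_rewrite": len(rewritten) >= rewrite_threshold,
        "ransom_note": bool(notes),
        "persistence": bool(persistence),
        "outbound": bool(outbound),
    }
    hits = [k for k in ("mass_rewrite", "ransom_note", "persistence", "outbound") if indicators[k]]
    if indicators["mass_rewrite"] and len(hits) >= 2:
        verdict = "ransomware-like"      # encrypting files plus at least one supporting behaviour
    elif hits:
        verdict = "suspicious"           # worth an analyst's look, not conclusive on its own
    else:
        verdict = "clean"
    return indicators, verdict


if __name__ == "__main__":
    for name, trace in (("invoice.pdf.exe", SUSPICIOUS_TRACE), ("updater.exe", BENIGN_TRACE)):
        ind, verdict = analyse(parse_trace(trace))
        print(f"{name}: {verdict} {ind}")
```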
Security Starts with the Network
Portnox’s Rapid Ransomware Response and Control Solution addresses all phases of the ransomware kill chain and, together with its partners, offers a holistic ransomware solution. Faced with the increasing threat of ransomware and malware attacks, many organisations are now actively updating their cybersecurity defences and authentication procedures to avoid the attention of cyber offenders. Portnox’s solution addresses all phases of the ransomware kill chain - reconnaissance, exploitation and remediation - and, together with its technology partners and integrations, offers a holistic ransomware solution. Aside from mining data from other sources, Portnox’s solution is known for its seamless deployment, even across the most complex networks and security architectures.
Phase 1 – Reconnaissance: The attacker collects information on the target through research of publicly available information or social engineering. At this phase Portnox’s solutions provide a real-time picture of all network elements, so that organisations can understand the level of risk and identify vulnerabilities early on. Endpoints that are deemed to have a high risk value (those that fail to uphold the network security policies, are missing the latest antivirus and OS patches, or have certain technical specifications that have been deemed vulnerable) will be blocked from accessing the network or quarantined until security updates are made. Additionally, Portnox offers the ability to see into the weakest areas of the corporate network, i.e. Internet of Things (IoT) devices. CISOs, network administrators and IT teams can discover where IoT devices are located on the organisational network and detain them in a separate VLAN with limited access.
Phase 2 – Delivery & Exploitation: Hackers use the information attained in reconnaissance to carry out attacks on vulnerable endpoints, users and different areas of the network. Portnox software receives information from third-party security vendors to actively identify anomalies, and their assessments are seamlessly integrated. The system can carry out on-going sandboxing of endpoints according to defined characteristics (including for IoT devices), and it can filter endpoints according to patch, anti-virus, operating system and active applications, as well as quarantining them if one or more of these aspects has been deemed vulnerable. Additionally, Portnox helps network administrators identify attempts at social engineering in the early stages of a breach. The admin can then bring that device into compliance with security policies, or quarantine it until remedial security measures are taken.
Phase 3 – Remediation: Having a rapid remediation plan in place will not only help prevent further damage or the lateral spread of the attack; it will allow business continuity. Portnox uses the following:
• Automated Patch Updates Across the Network – Enforces necessary patch, anti-virus, operating system and application updates across managed and unmanaged endpoints, located both on and off premises.
• Immediate Incident Response – Contains ransomware events by remotely disconnecting endpoints from the network (no manual touch required). The program drills down to the level of specification: device type, operating system, anti-virus software version, switch location, and more. It performs automated actions on every device, in all locations, instantly.
• Armed Incident Response Teams – Portnox arms IT professionals and network admins with the ability to remotely take actions on employees’ devices. Additionally, with Portnox’s solution, IT professionals can create an effective incident response plan for any device based on network specifications.
In conclusion, ransomware and malware are considered to be the top cyber-security threats of our time. Therefore, it is imperative to significantly increase organisational security so as to be prepared, with the right response and remediation software, for such frequent and wide-reaching attacks. Portnox offers network access control solutions that allow organisations to maintain the upper hand in network security, allowing business continuity, securing company assets and avoiding prohibitive financial losses.
Stopping Ransomware Before it Strikes
Trends in ransomware
The inherently destructive nature of ransomware keeps it grabbing headlines, like the WannaCry and EternalBlue attacks, which caused a global meltdown, infecting more than 230,000 computers in over 150 countries. Some sources suggest that ransomware has made cybercriminals at least £19 million in the last two years, and ultimately ROI is all most cybercriminals are after. An unfortunately common trend we are seeing in ransomware is that there is no chance to retrieve your files, even if you pay the ransom. One of the quirks of WannaCryptor was that it was never very likely that someone who paid the ransom would get all their data decrypted. That’s not unique, of course: there are all too many examples of ransomware where the criminals were unable to recover some or any data because of incompetent coding, or never intended to enable recovery. Ranscam and Hitler, for example, simply deleted files: no encryption, and no likely way the criminal can help recover them. Fortunately, these don’t seem to have been particularly widespread. Perhaps the most notorious example is the Petya semi-clone ESET detects as DiskCoder.C. Given how competently the malware is executed, the absence of a recovery mechanism doesn’t seem accidental; rather, it is a case of ‘take the money and run’.
Ransomware is just malware
Before ransomware takes hold and encrypts your precious data it is malware like any other, and can be detected as it tries to enter your system, whether via a phishing attack, from an already infected drive, or by other more complex means. ESET security solutions offer amongst the highest detection rates with the lowest false positives and an extremely light system footprint, according to independent testing. We make the only antivirus software to win over 100 VB100 awards, ESET NOD32, which forms the core of our business solution portfolio. ESET Endpoint Security and ESET Endpoint Antivirus are a solid foundation for the rest of your IT security; without that foundation you are leaving your organisation’s valuable data at risk from ransomware and a whole host of other online threats. Modern IT security relies heavily on multiple layers and on protecting everything that connects to your network. ESET File Security and Mail Security are the next layers in building a solid defence against ransomware and other forms of malware. Protect your mailboxes from phishing attacks and dangerous malware-laden attachments, which have become a common mode of attack. All of the above and more are available to your customers as part of the ESET Secure Business bundle, which also offers Virtualisation Security, Mobile Security and our simple but powerful Remote Management.
Endpoints and education
In the event that ransomware does take hold, your only real option is to restore from a backup, which hopefully you have. You should never consider paying the ransom: there is no guarantee your files will be restored and you are essentially funding further criminal activity. Mark James, ESET IT Security Specialist, explains that you need to “make sure you have a good, regularly updating internet security software package installed to stop the malware infection in the first place, and keep your operating system and applications up to date; this will limit the chance of exploits or vulnerabilities being used.
“Other processes include: email and internet training for staff on stopping the scam or phishing emails getting a hold in the first place, network or traffic analysers, threat intelligence and good patching and update strategies.”
What this offers your customers, as a reseller or MSP, is the peace of mind to focus on their business, knowing that award-winning IT security solutions have their back.
What is Ransomware and How Does it Affect an Enterprise?
Ransomware threats such as CryptoLocker or CryptoWall are becoming more prevalent in enterprises. The goal of these threats is to extort money from their victims by encrypting their data, forcing them to pay a ransom. There have been many examples of businesses paying the ransom. In some cases, the attackers do not decrypt the data at all and walk away with the money, or ask for more. Some businesses feel that paying the ransom is the quickest way to a clean resolution. In reality, they are funding the attackers, encouraging repeat attempts.
Rapid Recovery protects anything – systems, applications and data – anywhere, whether workloads are physical, virtual or cloud based, with zero impact on your users, as if the outage never happened. Connect to cloud simply and easily, and protect growing virtual environments automatically. Rapid Recovery data protection is configured in just a few clicks using one friendly, comprehensive GUI. With Rapid Recovery, you get one advanced, admin-friendly solution. Rapid Recovery has 4 unique recovery options built to help combat ransomware:
• Backup and Restore from the Cloud – Bare Metal Restores (BMR) or file-level restores (FLR) to or from a cloud environment or back to production. Cloud Connector for longer-term data retention of backup sets.
• Live Recovery – Enables you to restore the metadata to identify when the attack took place, then recover quickly by restoring an on-demand data stream.
• Universal Recovery – Allows you to recover anything anywhere. You can restore whole physical machines, VMware, Hyper-V and Oracle VirtualBox VMs, files or folders, and application objects in minutes to another physical or virtual machine located anywhere.
• Verified Recovery – Rapid Recovery performs automated nightly mount checks of file systems and Exchange and SQL Server instances. If it finds problems that would prevent you from restoring the data, it notifies you so that you can fix the issue proactively. From this information you will know when your application was affected and which mount point you need to restore from.
How do I prevent this from happening again in the future?
• Business Continuity Program – Purchase and utilise software that matches the needs of your business.
• Make sure backup software can hit the RPO and RTO goals set by the business.
• Test backups monthly / quarterly / yearly. This will help you gain confidence that an attack like this will not cripple your business and will allow you to recover quickly.
• Put in place a multi-faceted security solution to protect your endpoints. Include protection for file-based threats, download protection, browser protection, firewall protection, and email spam and scanning protection.
• OS and Application Updates – Robust patch management of hardware and software.
• Security Awareness Program – By bringing awareness of the different styles of attack that are out in the world, employees will become more aware of what to look for during their day-to-day business.
If you do not want to become a victim of ransomware and want to keep your business safe, look at Rapid Recovery to protect your data. Please call the Exertis security team on 01782 648200.
Recovering from Ransomware
Despite increasing numbers of ransomware attacks and more media coverage than ever before, we continue to see dismal statistics on how UK companies are ill-prepared in the face of rampant cyber threats:
• 54% of companies in the UK have been hit by ransomware.
• 58% of UK companies pay the ransom.
• 63% of UK companies experienced severe downtime following a ransomware attack.
• The list goes on…
Ransomware will continue to be an ongoing problem for businesses if not enough layers of defence are put in place to mitigate the threat. By not protecting data from ransomware, businesses will face risks greater than revenue loss alone: entire operations could be impacted, resulting in damaged reputation and loss of trust and customers, which consequently affects bottom-line figures. Whatever preventative measures companies may or may not take, they need to have a contingency plan if ransomware hits. All experts, including anti-virus specialists, agree that when ransomware hits, the best option is to restore data from recent backups. As a VAR or MSP you need to ensure that your customers understand why they need a robust Disaster Recovery (DR) solution. When you regularly back up your files, system and application data, you automatically circumvent the main bargaining chip cyber criminals use for leverage. The ability to recover a clean copy of your mission-critical data instantly neutralises ransomware demands. No one can threaten you when you know you can quickly restore your entire environment to your last known secure state. The best DR solutions, such as the StorageCraft Recovery Solution, will allow your customer to be back up and running after a ransomware attack very quickly, possibly in minutes. Your customer does not have to pay the ransom, suffers a minimum of downtime and loses minimal data.
Local Backups First, Cloud Second
A company’s best protection, in the event of data being taken hostage, is to have both local backups and replicated backups of data in the cloud. Restoring data locally will be the quickest and easiest way to get back up and running in most cases. However, backing up locally just might not be enough, should a more destructive ransomware attack shared folders on your NAS boxes. The best way to prevent this is to have uninfected backup versions stored in an offsite location which you can spin up in minutes should you lose access to data.
Don’t Forget Storage!
When combating ransomware, organisations should not look only at backup strategies without considering storage. Some companies have taken advantage of the features provided by next-generation storage vendors to recover from such attacks. StorageCraft OneBlox, offering scale-out storage, features Continuous Data Protection (CDP), which takes immutable snapshots automatically every 10 seconds for the first hour, then on an hourly, daily, weekly and monthly basis thereafter. Should a ransomware attack occur, causing data encryption and corruption of the primary file system, the snapshots remain completely unaffected, immune from any modification or deletion. The ability to take such granular snapshots at 10-second intervals is critical to ensuring recovery of the latest and most recent version of the data. Unlike with legacy RAID-based volume snapshots, users not only recover individual files and folders easily but also recover complete network shares.
Multi-Layered Approach
There is no silver bullet in dealing with ransomware. The best approach is a multi-layered one, incorporating educating staff, keeping your anti-virus software up to date, regular software patching and, most importantly, having a robust and tested DR plan in place. Pick a DR solution that allows you to restore every time, everywhere. When combining StorageCraft OneBlox with StorageCraft ShadowProtect® software, companies can protect desktops and both physical and virtual infrastructure from ransomware with fine-grained Recovery Point Objectives (RPOs) and high-performance recovery, all in a single solution.
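The tiered snapshot schedule and the 10-second recovery granularity described in the StorageCraft section above, as an added example that is not StorageCraft’s code: it thins a stream of snapshots to the "every 10 seconds for an hour, then hourly, daily, weekly, monthly" policy, then picks the last clean recovery point before the first malicious write and compares the data-loss window with an hourly-only schedule. The 30-day month, the bucketing rule, the constructed timestamps and the attack time are assumptions.

```python
HOUR, DAY, WEEK, MONTH = 3600, 86_400, 7 * 86_400, 30 * 86_400

# Retention tiers as (maximum age in seconds, spacing to keep): every snapshot
# for the first hour (they are taken 10 s apart), then one per hour, per day,
# per week and per month. A 30-day month is an assumption for this example.
TIERS = [(HOUR, 10), (DAY, HOUR), (WEEK, DAY), (MONTH, WEEK), (None, MONTH)]


def spacing_for_age(age):
    """Spacing (seconds) that applies to a snapshot of the given age."""
    for max_age, spacing in TIERS:
        if max_age is None or age < max_age:
            return spacing
    raise AssertionError("unreachable: last tier has no upper bound")


def retain(snapshots, now):
    """Thin a list of snapshot timestamps (seconds) to the tiered schedule.

    Each snapshot falls into a bucket (tier spacing, age // spacing); the
    newest snapshot in each bucket is kept and the rest become eligible for
    expiry. Snapshots are never rewritten, only dropped, which is what keeps
    them out of reach of malware running on the primary file system.
    """
    newest = {}
    for ts in snapshots:
        if ts > now:
            continue                      # ignore clock skew / future stamps
        age = now - ts
        spacing = spacing_for_age(age)
        bucket = (spacing, age // spacing)
        if bucket not in newest or ts > newest[bucket]:
            newest[bucket] = ts
    return sorted(newest.values())


def simulate_cdp(now, span, period=10):
    """Timestamps of snapshots taken every `period` seconds over the last `span` seconds."""
    return [now - k for k in range(0, span, period)]


def recovery_point(retained, first_bad_write):
    """Latest retained snapshot taken strictly before the first malicious write."""
    candidates = [ts for ts in retained if ts < first_bad_write]
    return max(candidates) if candidates else None


def data_loss_seconds(retained, first_bad_write):
    """Seconds of work between the chosen recovery point and the attack, or None."""
    rp = recovery_point(retained, first_bad_write)
    return None if rp is None else first_bad_write - rp


if __name__ == "__main__":
    now = 1_000_000                        # arbitrary "current time" in seconds (constructed)
    kept = retain(simulate_cdp(now, 2 * DAY), now)
    first_bad_write = now - 125            # encryption began 2 min 5 s ago (constructed)
    print(f"retained {len(kept)} of {2 * DAY // 10} ten-second snapshots")
    print(f"10-second CDP: lose {data_loss_seconds(kept, first_bad_write)} s of work")
    hourly = retain(simulate_cdp(now, 2 * DAY, period=HOUR), now)
    print(f"hourly snapshots only: lose {data_loss_seconds(hourly, first_bad_write)} s of work")
```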
The Future of Ransomware
It’s difficult to know how ransomware will develop in the next few years. Despite a decline, new variants have evolved, and as the cybercriminals become more sophisticated, the security industry is expected to respond accordingly. In 2017 more and more threats encrypted the device; newer techniques are bound to follow. Certainly, there are several factors that point to its continued presence. Firstly, the Bitcoin currency provides anonymity and is unregulated. Secondly, the ransomware-as-a-service model has enabled the crime to become more widespread and more profitable for the big boys. Thirdly, the wide availability of advanced encryption algorithms, including the RSA and AES ciphers, has made ransomware more robust. Fourthly, there are new markets available for the criminals, with IoT potentially providing some quite frightening targets in both the medical and automotive industries. Certainly, it’s an area with less regulated security practices. Fifthly, the mobile market has experienced a huge increase in ransomware attacks, and that is likely to continue, with blockers the main point of attack on Android devices. Sixthly, attacks on sensitive data such as hospitals, where IT budgets are often stretched, are likely to continue. Extracting data prior to encryption may well increase, which would place an extra burden on organisations to pay. Lastly, malware and hacking under the guise of ransomware may well continue as a cover for cyberespionage.
Glossary of Terms
Antispam
Solutions that focus on blocking and mitigating the effects of spam emails (viruses, phishing attempts, denial-of-service attacks).
Blacklist
A list of items, such as usernames or IP addresses, that are denied access to a certain system or protocol. Can be used to filter out unwanted mails.
Blended threat
A combination of multiple types of malware: viruses, worms, Trojans, etc.
Encryption
A security method of coding or scrambling data so that it can protect the confidentiality of digital data and be decoded or read only by authorised users.
Executable file (.exe)
A type of computer file that, when opened, runs a program or series of instructions contained in the file. These types of files have the potential to be dangerous since they run code when opened, and are often used by cybercriminals to distribute viruses, malware, and spyware.
Infected
The condition of a file after a virus, spyware, or malware has inserted malicious code into it. Computer systems are infected if a virus or Trojan is installed and running on that system.
Malware
Any software specifically designed to disrupt, damage or expose a computer system. Examples of malware include viruses, ransomware, spyware etc.
Malvertising
This is usually executed by hiding malicious code within relatively safe-looking online advertisements. These ads can lead a victim to unreliable content or directly infect a victim’s computer with malware, which may damage a system, access sensitive information, or even control the computer through remote access.
Phishing
Phishers attempt to fraudulently acquire other people’s personal information, such as passwords and credit card details, by posing as a trustworthy person or business. Typically, phishing emails request that recipients click on the link in the email to verify or update contact details or credit card information.
Social engineering
Social engineering is a technique employed by cybercriminals designed to lure unsuspecting users into sending them their confidential data, infecting their computers with malware or opening links to infected sites.
Spam
Most commonly unsolicited bulk email, typically sent to multiple recipients who did not ask to receive it.
Spear phishing
As with phishing emails, spear phishing messages appear to come from a trusted source but are targeted at a small number of recipients, with the same malicious intent.
Trojan (Trojan horse)
Malicious programs disguised as legitimate software. Users are typically tricked into loading and executing it on their systems. One key factor that distinguishes a Trojan from viruses and worms is that Trojans don’t replicate.
Virus
A computer program file capable of attaching to disks or other files and replicating itself repeatedly, typically without user knowledge or permission.
Whaling
A type of fraud in which phishers find the name and email address of a company’s top executive or team of executives and attempt to trick the executives into clicking on a link that will take them to a website where malware is downloaded in order to discover sensitive information or corporate secrets.
Whitelist
A list of legitimate email addresses or domain names that is used for filtering spam. Messages from whitelisted addresses or domains are automatically passed to the intended recipient.
Worm
A virus that replicates itself on drives, systems, or networks. Unlike viruses, worms do not infect other files. A self-propagating worm does not require user intervention to spread.