Machine learning protects against APTs

Protecting against APTs with Machine learning

Machine learning is a science that uses existing data on a subject to train a computer how to identify related data.  Just like with humans, the more training a machine learning algorithm gets, the more likely it is to succeed at its task.  We have an extensive amount of information on attacks that can be used to train machines.  After all, new attacks come out every day and over a hundred million malware samples have been collected each year since 2014.  This information, as well as the historical information, can be fed into machine learning algorithms to better understand the attacks that haven’t happened yet.  Machine learning systems are comprised of algorithms that determine how the program will interpret, understand, and correlate information to make decisions.  As new data is added to a machine learning system, it can produce results which are tested and then refinements can be made to the algorithm or to assumptions or predictions that were made. 

Advanced Persistent Threats (APT) are an especially big problem for enterprises.  These attacks are intelligently designed by teams of attackers and are highly targeted.  They utilize some of the latest technology and are usually based on extensive information gathered about the target from sources such as social media, the dark web, probes of public sources, dumps from previous hacks, and social engineering.  Once in place, APTs can operate covertly over an extended period of time, causing significant damage to the organization, its customers, services, and ability to do business.  Intelligent solutions are needed to combat these threats.  For example, Bitdefender’s machine learning system analyzes programs as they run to identify anomalous behavior.  It can identify potentially vulnerable software and alert administrators to this before those vulnerabilities are exploited by attackers.  This puts the enterprise on the proactive rather than the reactive side of security. 

Machine learning systems need to be quite powerful so they utilize the power of the cloud to process large amounts of data and millions of distributed clients to collect it from around the globe.  Machine learning systems are comprised of multiple machine learning algorithms that each process the data in different ways looking for patterns of attacks or anomalous behavior.  What once was science fiction is now science fact. 

Such systems are proven technologies, not futuristic fantasies.  Bitdefender’s anti-exploit technology identified 100% of the Adobe Flash exploits of 2016 and an astounding 99.99% of malware.  Microsoft is using machine learning in their SmartScreen filter and Google uses it in their Safe Browsing initiative.  When tested against traditional security systems, machine learning systems resulted in fewer false positives as well as fewer false negatives, meaning that more attacks were thwarted and less time was wasted chasing false alerts. 

For companies, this is a big savings to the bottom line and a cost-effective way to implement security.  Cybersecurity systems are more effective and keep their sensitive data away from prying eyes and key systems available for use while IT and security personnel are not distracted by as many false alarms so they can be focused on what matters, keeping the company safe. 

Does your cybersecurity strategy include machine learning technologies? 

As always, thoughts and ideas are my own. This insight wouldn’t be possible without the help of my associates at Bitdefender.

Share Button
say-no-to-ransom-demands

Backup and recovery means you can say no to ransom demands

Ransomware continues to be a huge problem for companies and consumers—and a major source of income for cybercriminals. Malicious hackers using CryptoWall ransomware extorted $18 million last year, according to the FBI, and that’s just one of many ransomware variants. Microsoft has detected a 400% increase in ransomware attacks since 2015. This sad fact is that the ransomware industry continues to grow because people continue to pay ransoms.

Logic would dictate that we simply stop paying ransoms and ransomware will end. But this is much easier said than done. Businesses, healthcare organizations, politicians and security experts debate this topic regularly, and there’s no clear consensus on what to do. Nobody wants to pay the ransom, but some are not in a position to refuse.

Healthcare organizations must consider the potential danger to patients if they do not pay a ransom. Meanwhile, banks are stockpiling bitcoins as an insurance policy against attacks. Some companies choose to pay because it’s cheaper than fixing the problem. Of course, this just makes it more likely that cybercriminals will target the company with ransomware again.

So, how do we get to a place where companies and individuals can afford to say no to ransom demands? This solution is surprisingly simple: Have a good backup of your data so that you can restore the data instead of paying a criminal to unlock it for you. Here’s a quick guide to protecting your data with a backup and recovery solution:

1. Data inventory
The first step is to understand what data you have so that you can adequately protect it. You may have data on workstations, laptops, file servers, cloud services, or within applications and databases.Try to get a good feel for what you have and what is most important—then prioritize that data for backup.

2. Data design
The second step is to identify the ideal location for the data. Workstation and laptop data may be migrated to servers; redundant data can be consolidated, and pointers or mappings created so that it is still accessible in multiple ways.

3. Backup design
Choose a backup solution that backs up data  automatically and often enough to ensure that minimal data is lost when recovery is required. Remember that backups should be segmented from production systems. There should be both a logical and a physical segmentation.

Logical segmentation places the backups in a location that cannot be reached by systems on the production network. For decades, tapes were used for offsite backups. Today, tape backups are often replaced with cloud backups.  If an incorrectly written script deletes data from the network, the tapes would be safe from harm. Similarly, if a virus like ransomware infects production systems, you will still have clean versions of your data backed up to the cloud.

Physical segmentation protects against a natural disaster such as a fire that could take out a facility. If backups are stored on a server, hard drive, or tapes located within the facility, a fire or some other disaster could destroy both production data and backups, leaving the organization with no way to recover data. Physical segmentation places backups outside the facility. Backups could be replicated to the cloud or another site, tapes could be shipped to a remote storage facility, or an employee could take backup drives to a safe deposit box.

4. Testing
A backup system cannot truly be relied upon until it is tested with a restore. Restore testing ensures that organizational data can be effectively recovered within acceptable time frames. It is often through the restore testing process that inefficiencies or complications are identified that can be resolved before the backups are required in an emergency. Restore testing also familiarizes IT staff with the recovery process. That means they’ll be ready when disaster strikes.

5. Say no
Say no when ransomware strikes. You don’t need to pay because you can restore the data. Delete the infected files, remove the virus, and restore your data from backup. With the right backup solution in place, there’s no need to deal with cybercriminals.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Share Button
cloud-data-architecture

Cloud 2.0 – Built on security refinements from cloud technologies

In the world of technology, paradigms shift quickly.  Not long ago, we focused organizational security efforts on the perimeter of the network.  We assumed that systems would be secure if we could just keep the bad guys outside of the trusted network.  Phishing and malware, however, among other things, proved this to be a false assumption – perimeter defense alone would not be enough. 

Responses to this often included efforts to seize control of information assets.  Control implied security.   When the cloud stepped onto the stage, lack of organizational control stood out as a primary barrier to adoption. 

I am by no means diminishing the role control has in securing information, but control wasn’t really the issue with reluctance to cloud adoption.  The cloud has actually gone a long way in securing systems on-premise and in the cloud.  When key systems were decoupled from the perceived safety of the corporate network, secure methods of transmitting data between them had to be developed. Such methods also had to be easy for enterprises to adopt. 

We realized that we might not want our cloud vendors to have access to back-end data so we encrypted the data and distributed keys such that cloud providers could not access the data they hosted.  Robust APIs were created to integrate systems while providing only the minimum required service access.  Likewise, communications between system components such as databases and web services were also encrypted. 

The cloud offered a perception of insecurity that prompted a positive change in organizational security architectures, but a key fact here is that many of the organizational systems that moved to the cloud were not secure to being with.  They only became secure as they adopted secure practices.   The risks that were present in moving applications as they were to the cloud were already present in the application architectures.  Shortcuts like advertising services and ports, allowing back-end components to communicate unrestricted, and giving IT the keys to the kingdom, may have been overlooked in the organization but they were clearly a bad practice in the cloud. 

The cloud gave us the chance to re-architect the monolithic technology systems that had evolved over decades of growth and in response to the immediate threats of the era. These were replaced with scalable, virtual servers that were flexible enough yet specialized and hardened.  Cloud systems also offered effective ways to plug-in best of breed security technologies such as application whitelisting, monitoring and control, identity and access management (IAM), Data loss prevention (DLP), and robust anti-exploit anomaly detection to combat the latest Advanced Persistent Threat (APT).  

Some are still adopting these practices while others are taking it to the next level.  The cloud made us realize how big the gap was and now it is time to serve the attackers an eviction notice.  We can’t assume in our virtualized cloud environments that administrators or vendors will implement adequate malware protection on virtual machines, nor should we compromise with solutions that can only see a piece of the puzzle when technologies like hypervisor introspection analyze virtual machines at the hypervisor level. 

It is time to tell the bots and the ransomware that it’s not welcome here anymore.  The attackers have improved their tactics, but so have security partners.  We can now collectively say, “We confronted our fear in the cloud and emerged stronger.” 

As always, thoughts and ideas are my own. This insight wouldn’t be possible without the help of my associates at Bitdefender.

Share Button
cerber-ransomware-hits-you-where-it-hurts

New version of Cerber ransomware hits businesses where it hurts

The latest version of Cerber ransomware is targeting database applications and putting business’s most valuable data at risk, according to recent reports.

Large database applications such as Oracle, Microsoft SQL Server, MySQL and others contain critical data for things like Enterprise Resource Planning (ERP), Customer Relationship Management (CRM) and Electronic Medical Record system. And the latest version is aiming to encrypt all of them in addition to documents, spreadsheets and multimedia files.

How Cerber ransomware works
Ransomware victims are not chosen on an individual basis. Instead, they’re usually found within a pool of available targets organized by country, region or industry. This semi-targeted approach is often used to ensure that as many targets as possible have the means to pay the ransom, either because they live in regions with a high median income, or they work in industries that are known to pay up. Cybercriminals like those spreading the new version of Cerber may also target databases—where many businesses’ store their most important information.

Once Cerber infects a system, it checks to see if it is in a target country. It targets all countries except for Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan. Cerber then places a copy of itself in the %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\ directory using a randomly generated executable name. Cerber then prepares to encrypt files by escalating its privileges through a UAC bypass using DLL hijacking. Cerber needs escalated privileges in order to stop certain services that, if running, would disrupt the process of database encryption.

Database files are usually written to and changed frequently, and database software typically keeps the files open so that data in memory can be flushed down to the files and applications rapidly. Data corruption can occur if the files are tampered with while they are open and criminals would lose the confidence of their victims if they were unable to decrypt files after the ransom was paid so they stop the services first.

Here are the databases that Cerber encrypts as well as the processes that it terminates. If you are running these processes and they stop unexpectedly, this could be a sign of Cerber infection. Each of the processes below is a Microsoft Windows executable. Cerber ransomware currently affects databases running on Windows only.

Database Process
Citrix MetaFrame encsvc.exe
Microsoft SQL Server msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe
Mozilla Firefox firefoxconfig.exe
Mozilla Thunderbird tbirdconfig.exe
MySQL mysqld.exe, mysqld-nt.exe, mysqld-opt.exe
Oracle agntsvc.exe, agntsvc.exeisqlplussvc.exe, agntsvc.exeagntsvc.exe, agntsvc.exeencsvc.exe, dbsnmp.exe, isqlplussvc.exe, mydesktopservice.exe, mydesktopqos.exe, oracle.exe, ocssd.exe, ocautoupds.exe, ocomm.exe, synctime.exe, xfssvccon.exe
Red Gate Software’s SQL Backup Pro sqbcoreservice.exe

Decryption keys were made available for earlier versions of Cerber, but they were removed when newer versions of Cerber came out. A high-quality database backup is crucial for recovering from an encrypted database. Since enterprise database systems change frequently as new transactions occur, backup systems are often continuous, or scheduled at very short intervals, so that little or no data is lost when failures occur. It’s also important to test the restore process regularly to ensure that all relevant data is captured and that the data can be recovered in a reasonable time frame.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Share Button
3D chain breaking - isolated over a white background

Breaking Free: A list of ransomware decryption tools and keys

Security software companies and research organizations are collaborating to break the encryption codes of ransomware variants and free those who have fallen victim to cybercriminals. Unfortunately for many, these efforts take time, and that’s why decryption methods often do not exist for the newest ransomware variants. The good news for those who have been infected by older ransomware is that there may be a decryption method available to recover their data.

If backups are available, the easiest course of action is to simply remove the virus, delete the infected files and restore data that has been encrypted. But that’s not always an option. In some cases, users become infected with older ransomware that is no longer being monitored for ransom payments—so paying the ransom won’t help. If your computer is infected with ransomware, the chart below may help.

Search for the ransomware in the table below and then download the decryption tool from the URL provided.  Some tools will scan for ransomware and prompt you to decrypt the files while others require you to point the decryption tool directly at the encrypted files. You may also have the option to remove the encrypted file after a decrypted version has been created. Please note: The decryption of files could take hours and a large number of encrypted files could take weeks to decrypt. In other words, be prepared to wait.

The list below was compiled in October 2016 and it contains links to decryption tools and or scripts that can potentially set your computer free.

Ransomware Vendor URL
777 Emsisoft Download decryptor
Agent iih Kaspersky Download decryptor
Al-Namrood Emsisoft Download decryptor
Apocalypse Emsisoft Download decryptor
ApocalypseVM Emsisoft Download decryptor
Aura Kaspersky Download decryptor
AutoIt Kaspersky Download decryptor
Autolocky Emsisoft Download decryptor
BadBlock AVG Download decryptor
Bart AVG Download decryptor
Bitman Kaspersky Download decryptor
Chimera Kaspersky Download decryptor
CoinVault Nomoransom Download decryptor
Cryakl Kaspersky Download decryptor
Crybola Kaspersky Download decryptor
CrypBoss Emsisoft Download decryptor
Crypt888 AVG Download decryptor
CryptInfinite Emsisoft Download decryptor
CryptoDefense Emsisoft Download decryptor
Cryptokluchen Kaspersky Download decryptor
CryptXXX Kaspersky Download decryptor
CryptXXX v2 Kaspersky Download decryptor
DeCrypt Emsisoft Download decryptor
DecryptorMax Emsisoft Download decryptor
Democry Kaspersky Download decryptor
DMALocker2 Emsisoft Download decryptor
Fabiansomware Emsisoft Download decryptor
FenixLocker Emsisoft Download decryptor
Fury Kaspersky Download decryptor
Globe Emsisoft Download decryptor
Globe2 TechForum Download decryptor
Gomasom Emsisoft Download decryptor
Harasom Emsisoft Download decryptor
HydraCrypt Emsisoft Download decryptor
Jigsaw MalwareHunterTeam Download decryptor
KeyBTC Emsisoft Download decryptor
Lamer Kaspersky Download decryptor
LeChiffre Emsisoft Download decryptor
LECHIFFRE TrendMicro Download decryptor
Legion AVG Download decryptor
Linux Encoder 1 BitDefender Download decryptor
Lortok Kaspersky Download decryptor
MirCop TrendMicro Download decryptor
Nemucod Emsisoft Download decryptor
Operation Global III Nathan Scott Download decryptor
PCLock Emsisoft Download decryptor
Peyta Leostone Download decryptor
Philadelphia Emsisoft Download decryptor
Pletor Kaspersky Download decryptor
Radamant Emsisoft Download decryptor
Rakhni Kaspersky Download decryptor
Rannoh Kaspersky Download decryptor
Rotor Kaspersky Download decryptor
Shade Intel Download decryptor
SNSLocker TrendMicro Download decryptor
Stampado TrendMicro Download decryptor
SZFlocker AVG Download decryptor
TeslaCrypt Cisco Download decryptor
TorLocker Kaspersky Download decryptor
UmbreCrypt Emsisoft Download decryptor
WildFire Intel Download decryptor
XORBAT TrendMicro Download decryptor
Xorist Emsisoft Download decryptor
Alpha PhishLabs Download decryptor

This list contains keys that can be directly used to decrypt files encrypted by Crypt38, Locker, and NoobCrypt.  

Ransomware Vendor URL
Crypt38 Fortinet Look in your %Appdata%\Microsoft\Windows\request.bin directory
Locker Poka BrightMinds http://pastebin.com/1WZGqrUH
NoobCrypt Jakub Kroustek ZdZ8EcvP95ki6NWR2j or lsakhBVLIKAHg


For more news and information on the battle against ransomware,
visit the FightRansomware.com homepage today.

Share Button
warning

Warning: Some ransomware attacks are just a diversion

Ransomware computer viruses are becoming more sophisticated—and so are the attacks that make use of ransomware. In some cases, ransomware is used to disable access to a machine so criminals can perform further actions without being tracked. Criminals have also used ransomware to cause chaos and avoid detection after hacking into a network and stealing data.

Ransomware attacks are sometimes used to create a diversion while cybercriminals steal or exfiltrate data. While users and IT teams are busy trying to take machines offline and contain the infection, criminals are busy downloading files from users’ computers.

study on Distributed Denial of Service (DDoS) attacks by Neustar showed that ransomware was found in 15% of DDoS cases. And Dark Reading author Kelly Jackson Higgins says attackers are including ransomware with other types of attacks as well.

Ransomware can be an effective way for criminals to cover their tracks. For example, cybercriminals might install ransomware that encrypts valuable data such as log files in an effort to make those files inaccessible to investigators. Even if the files are later decrypted, investigators may not look for a second attack because ransomware incidents typically receive the most attention. Investigators need to be especially vigilant: In addition to searching for the cause of the ransomware infection, they need to look into whether more attacks were performed on the machine.

In many cases, the best practice is to wipe a machine that is infected with ransomware and then restore its files from backup. This provides assurance that backdoors and other compromised elements of the system will no longer be available for the attacker to take advantage of at a later point.

However, wiping the system can remove valuable evidence as well. In cases where additional evidence is needed, it’s important to take a forensic image of the computer prior to wiping it. This allows investigators to review data from the image when conducting the investigation. In some cases, ransomware decryption tools become available that will allow investigators to decrypt the data from an image. This data could be valuable in determining whether additional data was exposed and whether the ransomware was used to cover up other illegal activities.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Share Button
ransomware-incident-response

Ransomware Incident Response: 7 steps to success

Ransomware infections are becoming increasingly commonplace, and companies that put a plan together before an incident are much more effective at combatting this pervasive malware.

Ransomware response can be broken down into seven steps. Here’s a cheat sheet:

Validate
The first step is to confirm whether a reported ransomware infection is an actual infection. There are cases where a user reports what they think is ransomware, but it turns out to be adware, phishing, or some other virus. Validation is important because it keeps efforts focused on important issues. But if you see a ransomware note demanding payment to unlock files, and your system or files are locked or frozen, then you’ve been hit.

Assemble
Now it’s time for the incident response team to assemble. Incident response teams often include members of your IT staff, management, public relations, and legal. The incident response plan outlines how each member should be trained on how to respond to a ransomware incident. In some cases, the primary person may be unavailable, and it will be necessary to call in a secondary resource to handle that role.

Analyze
The next step is to determine the scope of the incident, including which networks, applications and systems are impacted and whether the ransomware continues to spread. This is often the role of the IT and security point people.

Contain
Containment actions can take place concurrently with analysis activities. In this phase, infected machines are isolated to stop the spread of the ransomware by disconnecting the computers from the network or shutting them down. The scope often changes when containment is underway, and ransomware is still spreading. This phase ends when all infected machines have been isolated from clean machines.

Investigate
The investigation starts by preserving evidence. Some machines will need to be returned to service as soon as possible while others might be less critical. Evidence such as log files or system images is taken of the affected machines along with documentation of serial numbers and asset identifiers.

Eradicate
The eradication phase removes the ransomware from machines and brings them back into a functioning state. Isolated machines are wiped, and then data is restored from backupto each of the machines after the evidence on the computers has been preserved. In some cases, organizations may decide to remove the ransomware and then restore files that were encrypted by the ransomware without wiping the device first.

A full machine restoration prevents other ransomware or malware from causing problems on the computer, and it also prevents backdoors or other software that the ransomware might have installed from being used to infect the machine later. For this reason, it is typically recommended that you wipe the device and restore the operating system and data from backup.

Remediate
The last step is to remediate the problem that the ransomware exploited in the first place. This is often a user training issue, so companies implement more awareness training or coaching of individuals. In other cases, new technology needs to be put in place. If backups were found to be inadequate, the company would back up more data or back up more often. The ransomware incident should result in some improvement actions that the organization can perform to be better prepared for future incidents.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Share Button