How ransomware extortionists hide their tracks

Cybercriminals extorted about one billion dollars from ransomware victims last year, according to the FBI. And nearly all of those perpetrators went unprosecuted because of the innovative methods they use to protect their identities and hide their funds. They go to great lengths to keep authorities from seizing or freezing their money. By and large, their efforts have paid off. Here’s how they do it:

Hidden identities, disposable email
Extortionists protect their identities whenever interacting with victims. This generally occurs when they distribute ransomware, and when they collect ransom payments from victims in exchange for decryption keys.

Extortionists use disposable email accounts when sending out the phishing emails that target victims. These accounts carry fake names and no useful contact information. In some cases, the account belongs to someone else entirely: a person whose account was compromised, taken over and used to send the malicious emails.

Layered like an onion
Extortionists often protect themselves during the collection phase with “onion routing” tools such as Tor, which wrap traffic in multiple layers of encryption and pass it through a chain of volunteer-run relays so that no single relay knows both the sender and the destination. Payment portals and command-and-control servers are typically run as Tor onion services (.onion addresses), which never expose the server’s real IP address. This makes it hard for researchers and law enforcement to locate the infrastructure that holds the decryption keys.

Cryptocurrency enables anonymity
The cybercriminals responsible for disseminating ransomware typically demand payment in some form of cryptocurrency. Bitcoin is the most popular cryptocurrency, with Litecoin and Dogecoin coming in second and third place, respectively. Bitcoin is held in a digital wallet and bought and sold on bitcoin exchanges, through peer-to-peer marketplaces, and via person-to-person trades using an intermediary. Every bitcoin transaction is logged publicly on the blockchain, but a transaction only references the addresses (often loosely called wallet IDs) of each party, not the names of the individuals behind them. An address carries no identifying information other than its string. This is pseudonymity rather than true anonymity: because the ledger is public, anyone can follow the flow of funds from one address to the next, and the identity behind an address is exposed the moment it is tied to a real-world account, for example when coins are cashed out at an exchange that performs customer identification.

Cybercriminals typically keep an address for a short period of time and may use it for only a few transactions before switching to a new one, so that no single address accumulates a conspicuous balance or a long transaction history. Many families generate a fresh address for every victim. They also pass funds through bitcoin laundering services or “mixers” such as bitmixer, which pool coins from many customers and pay out different coins. Rotation has limits, though: when the proceeds from several victim addresses are eventually spent together in one transaction, every input to that transaction must have been signed by the same key holder, and analysts use exactly that fact to merge rotated addresses back into one cluster.
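The clustering caveat above is easier to see in code. The following is an added example, not code from the original post: it applies the common-input-ownership heuristic, the standard first step in blockchain analysis, to a small constructed ledger. The transactions and the address labels (victimA, pay1 and so on) are made up for illustration and are not real Bitcoin addresses; the union-find structure is simply the usual way to merge addresses transitively.

```python
"""Clustering Bitcoin-style addresses with the common-input-ownership
heuristic. Added example, not code from the original post; the transactions
and address labels are constructed, not real blockchain data."""
from collections import defaultdict

# Constructed ledger. Each entry names the addresses that funded a
# transaction ("inputs") and the addresses it paid ("outputs"). The
# extortionist hands each victim a fresh payment address, then sweeps the
# proceeds. Address pay2 was reused for two victims, so it holds two coins
# that get spent in two different sweeps.
SAMPLE_TRANSACTIONS = [
    {"txid": "t1", "inputs": ["victimA"], "outputs": ["pay1"]},
    {"txid": "t2", "inputs": ["victimB"], "outputs": ["pay2"]},
    {"txid": "t3", "inputs": ["victimC"], "outputs": ["pay2"]},
    {"txid": "t4", "inputs": ["victimD"], "outputs": ["pay3"]},
    {"txid": "t5", "inputs": ["pay1", "pay2"], "outputs": ["hold1"]},
    {"txid": "t6", "inputs": ["pay2", "pay3"], "outputs": ["hold2"]},
    {"txid": "t7", "inputs": ["unrelated1"], "outputs": ["unrelated2"]},
]


class DisjointSet:
    """Union-find: merges addresses that must share a key holder."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(transactions):
    """Return a list of address sets. All inputs of one transaction were
    signed by the same party, so they are merged into one cluster; merges
    chain transitively across transactions."""
    ds = DisjointSet()
    for tx in transactions:
        inputs = tx["inputs"]
        ds.find(inputs[0])  # register single-input spends too
        for addr in inputs[1:]:
            ds.union(inputs[0], addr)
    groups = defaultdict(set)
    for addr in list(ds.parent):
        groups[ds.find(addr)].add(addr)
    return list(groups.values())


def cluster_of(transactions, address):
    for members in cluster_addresses(transactions):
        if address in members:
            return members
    return {address}


def same_owner(transactions, a, b):
    return b in cluster_of(transactions, a)


def payers_into(transactions, address):
    """Input addresses of every transaction that paid into the cluster
    containing `address`: the set of victims behind one operator."""
    members = cluster_of(transactions, address)
    payers = set()
    for tx in transactions:
        if any(out in members for out in tx["outputs"]):
            payers.update(a for a in tx["inputs"] if a not in members)
    return payers


if __name__ == "__main__":
    for group in cluster_addresses(SAMPLE_TRANSACTIONS):
        if len(group) > 1:
            print("linked:", sorted(group))
    print("victims of pay1's owner:", sorted(payers_into(SAMPLE_TRANSACTIONS, "pay1")))
```

The three per-victim addresses collapse into one cluster after the two sweeps, and the four victim payments are then attributable to a single operator; a mixer breaks the chain only if the operator never consolidates before using it.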

Gift cards and money mules
Some forms of ransomware accept vouchers for payment. These include gift cards and CashU, MoneyPak, MoneXy, Paysafecard and UKash vouchers. These may be used to purchase goods that “money mules” then sell over the internet for cash. Money mules are also used to liquidate cards by selling them to individuals at less than face value. Cybercriminals prefer cryptocurrency because it allows them to keep a greater percentage of the profits.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

5 steps to a winning incident response team

People are the core of any incident response effort.  You must have the right people to provide the right response.  Incident response teams should include a diverse set of individuals from across the organization, including executives, information technology, security, public relations, legal and relevant third parties.  Here is what makes a winning incident response team.

  1. Winning teams have top level support

Top level support is essential in an incident response team, and executives can provide it.  Executives are the ones who will be able to allocate the resources necessary to take action during a breach, and they can rally support and establish budgets for planning and preparation activities.  Executives also bring legitimacy to incident response plans and procedures.

  2. Winning teams have the technical skills

Almost every incident will require some level of technical skill to resolve, and most incidents will require significant technical effort.  Information technology (IT) team members are usually the first to find out about an incident.  Sometimes users report an incident to IT; in other cases, IT learns about it through detective security controls such as log monitoring, intrusion detection systems, or antivirus.  IT is also responsible for making technical changes as incident response activities progress.

  3. Winning teams have a security perspective

A keen understanding of the risks, impact, and scope are needed in incident response.  This is where members of the incident response team responsible for security step in.  Security team members take point on validating reported events and determining if they constitute an incident.  They analyze information collected by technology tools and assess the scope and impact of the incident.

  4. Winning teams know how to communicate

Communication, both internal and external, is a fundamental component of incident response.  Public relations team members communicate with employees, partners, law enforcement, the media, or investors regarding the incident.  They work with the legal team to understand compliance obligations, contractual liability, and cyber breach notification requirements.

  5. Winning teams cross organizational boundaries

Teams may include both internal employees and contractors.  Incident response is not something most companies do every day, and an effective response requires individuals who have the unique skills, tools, and techniques required to address the incident.  Some third parties that may be part of the incident response team include forensics, security consultants, attorneys, insurance, law enforcement, or upstream providers such as Internet Service Providers (ISP), datacenters, or cloud providers.

Team makeup is critical for successful incident response.  A winning team needs to have adequate support, the required technical and security skills, effective communicators, and outside expertise.  So who is on your team?

This post is sponsored by AT&T Security.

Pokemon Go ransomware virus is out to catch’em all

A Pokemon Go-themed ransomware virus has appeared on Windows computers, tablets, and phones. The ransomware is the latest in a series of malicious applications that have popped up in the wake of the global Pokemon Go obsession.

This particular piece of malware is known as POGO Tear and it’s based on open source ransomware code called Hidden Tear. POGO Tear encrypts the files on victims’ computers, changes the extension to “.locked” and then demands a ransom on a screen emblazoned with famed character Pikachu’s picture.

POGO Tear is currently coded to display its ransom message in Arabic only as shown below. The text informs users that their data has been encrypted and instructs them to contact blackhat20152015@gmail.com to decrypt their files. It also thanks them for their generosity.


What’s interesting about this malware is that it incorporates several features not usually found in other ransomware viruses. POGO Tear creates an administrative user account called Hack3r on the victim’s machine and then hides it from the logon screen so the user can’t tell it’s there.

It also creates a network share on the victim’s computer and copies itself to all available network drives. The ransomware automatically executes when Windows starts.

How to recover from POGO Tear
When your computer is hit by POGO Tear, it’s not enough to simply remove the malware and restore from backup. Victims must also remove the backdoor administrator account and make sure the malware has been cleaned from all removable drives and connected computers before performing restore operations. Otherwise, the hidden administrative account could let an attacker install additional ransomware, or steal data using more traditional attack methods.

It appears that POGO Tear is still in a beta or development stage. It uses a static decryption key which will most likely be replaced with a random key when it’s fully deployed. Currently, files encrypted by POGO Tear can be decrypted with the following AES encryption key: 123vivalalgerie

POGO Tear has a private IP address of 10.25.0.169 coded into it for command and control, indicating that its developer is still testing that functionality: a private (RFC 1918) address is not routable across the internet, so the sample cannot reach its controller from an infected machine outside the developer’s own network. This will most likely be replaced with a set of internet-accessible dynamic DNS names once the full version is released. POGO Tear does not exist in any language besides Arabic and it currently does not specify a value for the ransom.

If you are infected with POGO Tear, you can decrypt your files with the key mentioned above. But be sure to have adequate backups, endpoint protection, and network security controls in place to guard against the future release of the full version.  And if you’re interested in playing Pokemon Go, be sure to download the official version from Niantic when visiting your favorite online app store.


Securing Hybrid IT the Right Way

The average company today is a hybrid collection of traditional on-premise and cloud-based IT solutions.  On-premise solutions may include identity and authorization servers, custom applications, packaged applications, and local data repositories. Cloud services fulfill a wide variety of business tasks such as document sharing, group collaboration, customer relationship management, payment processing, marketing, and communication.  This combination of on-premise and cloud services is called Hybrid IT.

On-premise applications require equipment purchases, software deployment, and user training, but cloud services can be purchased with a credit card and used almost immediately.  As a result, the rigor normally applied to assessing business need, risk, and other factors is often skipped when adopting cloud applications.

Getting up to speed

Hybrid IT can be difficult to manage when users who may or may not be tech savvy adopt cloud systems in whatever way they deem best for the situation.  Many organizations find themselves in a hybrid IT situation that was never really planned.  Follow these steps to get up to speed.

  1. Identify the cloud solutions in place.
  2. Determine whether it is feasible to continue using the solutions.
  3. Transfer administrative credentials to IT.
  4. Create an approved application list.
  5. Enforce restrictions through network and endpoint controls on which cloud services can be used for organizational data.
  6. Standardize security controls on systems, including those in organizational private clouds.

Identify a security solutions provider that can deploy consistent security onto your on-premise equipment, private clouds, and other assets. For example, Bitdefender delivers solutions that have solved the technical challenges of Advanced Persistent Threats (APT) and zero-day exploits.  These same solutions meet the increasingly stringent compliance requirements and give datacenter owners the ability to know what they don’t know, and act on information from below the operating system.

Maintaining control

The most frequently cited risk in hybrid IT is the potential loss of organizational control over customer, employee, and business data.  Without effective endpoint and network security controls, a single user may sign up for a cloud platform with a personal email address, load organizational data into it, and then leave the organization.  The user’s successor then tries to assume control of the account, only to find that nobody in the organization can.

Organizations need to strike a balance between agility and administration.  There needs to be a level of control over which cloud applications are used for business purposes, but the process for evaluating and approving applications needs to be able to keep pace with today’s fast-paced business. See the suggested steps below.

  1. Establish a procedure for requesting a cloud application.
  2. Create a semi-automated workflow from the procedure.
  3. Establish a cross-functional approval group that will respond to requests through the workflow.
  4. Educate employees on the process.

Risk mitigation

Hybrid solutions are often user or department initiated with little or no involvement of the IT department or those responsible for security within the organization.  Cloud applications may change the organizational risk profile, but the business as a whole is not often aware of this change in risk and therefore cannot evaluate whether actions are required to reduce the risk to an acceptable level. One good way for data center administrators to be as informed as possible about risks is to deploy solutions such as Hypervisor Introspection which can evaluate security independent of the virtual machine and analyze system memory at the hypervisor level.  This ensures consistent security management and awareness even when users or administrators deploy non-standard virtual machines.

From there, a combination of endpoint and network controls, such as application control agents on user machines and traffic filtering on the network, can be used to block access to unapproved cloud services and applications.  This way, users are required to go through the request process to get an application approved.

Next, using the workflow developed earlier, the information collected on the approved cloud applications and services can be compiled into a report for risk management.  The creation of this document can be automated entirely within the workflow.  The cross-functional approval team should already include someone from risk management, but this portion of the process involves a more in-depth review of the hybrid IT portfolio of applications against the organization’s risk tolerance threshold.  Risk management can then make recommendations to ensure that risk is kept to acceptable levels.

Reducing attack surface

In some cases, a cloud application is adopted by a user or department when another cloud application has already been adopted to satisfy the same need.  Redundant cloud services increase management costs as well as the attack surface because they create additional potential avenues for attackers to obtain access to organizational data or systems.

  1. Determine which cloud service offers the greatest fit for the organization
  2. Train users of the redundant service on how to use the preferred one
  3. Transfer data from one service to the other
  4. Terminate the redundant service.
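Steps 1 and 5 of “Getting up to speed” and the redundancy check above both start from the same question: which cloud services are actually being used, by whom, and for what. As an added example (not code from the original post), the script below answers it from web proxy logs. The log lines, the service catalogue, the approved list and the business-function labels are all constructed for illustration; in practice the catalogue would come from a CASB or a maintained domain list, and the approved list from the approval workflow.

```python
"""Shadow-IT discovery from web proxy logs. Added example, not from the
original post. Log lines, service catalogue and approved list are all
constructed for illustration."""
import re
from collections import defaultdict

# Constructed proxy export: one request per line, plus one malformed line.
SAMPLE_PROXY_LOG = """\
2016-08-12T09:14:02 user=alice dst=www.dropbox.com bytes=5120
2016-08-12T09:15:10 user=bob dst=dl.dropboxusercontent.com bytes=880000
2016-08-12T09:16:45 user=carol dst=app.box.com bytes=2048
2016-08-12T09:17:03 user=alice dst=login.salesforce.com bytes=4096
2016-08-12T09:18:30 user=dave dst=wetransfer.com bytes=1500000
2016-08-12T09:19:01 user=erin dst=intranet.example.com bytes=300
2016-08-12T09:20:11 user=bob dst=hooks.slack.com bytes=700
malformed line that the parser must skip
"""

# Assumed service catalogue: registrable domain -> (service, business function).
SERVICE_CATALOGUE = {
    "dropbox.com": ("Dropbox", "file sharing"),
    "dropboxusercontent.com": ("Dropbox", "file sharing"),
    "box.com": ("Box", "file sharing"),
    "wetransfer.com": ("WeTransfer", "file sharing"),
    "salesforce.com": ("Salesforce", "CRM"),
    "slack.com": ("Slack", "collaboration"),
}

# Assumed output of the approval workflow.
APPROVED_SERVICES = {"Box", "Salesforce"}

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")


def classify_host(host):
    """Map a destination host to a catalogued service. The match requires a
    leading dot so that 'www.dropbox.com' does not count as 'box.com'."""
    host = host.lower().rstrip(".")
    for suffix, entry in SERVICE_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None


def inventory(log_text):
    """Step 1: which cloud services are in use, by whom, and how much data."""
    usage = defaultdict(lambda: {"users": set(), "bytes": 0, "function": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = classify_host(m.group("dst"))
        if entry is None:
            continue
        service, function = entry
        usage[service]["users"].add(m.group("user"))
        usage[service]["bytes"] += int(m.group("bytes"))
        usage[service]["function"] = function
    return dict(usage)


def unapproved(log_text, approved=APPROVED_SERVICES):
    """Step 5 input: services seen on the wire that the approval process has
    not sanctioned, with the users to contact and the volume at stake."""
    return {s: info for s, info in inventory(log_text).items() if s not in approved}


def redundant_functions(log_text):
    """Business functions served by more than one cloud service: candidates
    for consolidation to reduce attack surface and cost."""
    by_function = defaultdict(set)
    for service, info in inventory(log_text).items():
        by_function[info["function"]].add(service)
    return {f: s for f, s in by_function.items() if len(s) > 1}


if __name__ == "__main__":
    for service, info in sorted(unapproved(SAMPLE_PROXY_LOG).items()):
        print(f"UNAPPROVED {service}: users={sorted(info['users'])} bytes={info['bytes']}")
    for function, services in redundant_functions(SAMPLE_PROXY_LOG).items():
        print(f"REDUNDANT {function}: {sorted(services)}")
```

The same inventory feeds both processes: the unapproved list drives the blocking rules and the outreach to users, and the redundancy report identifies which of several file-sharing services should survive.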

Hybrid IT offers organizations an excellent way to augment existing on-premise IT offerings with cutting-edge cloud services.  However, it can also be a nightmare if not managed properly.  Some companies are in a precarious security position.  Yet the problem is not insurmountable.  With some planning, automation, discipline and the right mix of endpoint and network security controls, organizations can deploy and manage hybrid IT so that attack surface, cloud costs, and management time and effort are minimized.


Adding Ransomware to Security Radars

Ransomware is the quickest way to turn your valuable data into garbage.  Ransomware is a form of malicious software that blocks access to user data such as documents, spreadsheets, pictures, music, or videos, typically by encrypting those files.  At this point, the ransomware will display a demand for payment in order to send the victim the decryption keys to the data.

Businesses and consumers often do not know what they have until it is encrypted.  It is then that they realize their Christmas list, family photos, and personal financials are inaccessible.  It can be much worse for companies.  Imagine the impact when payroll data, product formulas, or inventory records are suddenly unavailable.  Now imagine a doctor who is unable to prescribe medicine or perform an operation because the prescription information or patient records they need are encrypted.  As you can see, the impact of ransomware can be severe.

Despite ransomware’s severe impact, its attack vectors are more mundane.  Ransomware is obtained through a variety of well-known routes including email, websites, online advertising, exploits on system vulnerabilities, and infected files on shared folders or cloud file sharing services.

Email

Emails, particularly phishing emails, frequently entice users to open attachments that contain ransomware or to click links leading to infected websites.  The techniques used here are the same ones used by scammers, hackers, and other malware distributors.  Protection techniques include screening attachments with antivirus tools and utilizing email gateway scanning and filtering tools.  It is also important to educate employees or family members on how to recognize suspicious emails.

Infected websites and online advertising

Ransomware is also distributed from infected websites and through online ads.  Extortionists seed websites with malicious code and then wait for unsuspecting Internet users to visit a compromised site and get infected with their ransomware.  The likelihood of infection from such sites can be greatly reduced by utilizing a web filter, scanning web sites for malware or by browsing the web in a virtual machine.

Extortionists also create ads on social media or in search engines that download the malware.  Ads might pose as a Flash Player update, help or chat offers, or fake antivirus.  Such ads are collectively known as malvertising.  The best way to protect against ransomware distributed through malvertising is to use an ad blocker; many browser extensions and standalone applications can do this.

Shared folders or cloud file sharing

Ransomware can also be obtained when a computer is connected to a network share that has ransomware on it.  Many ransomware variants are capable of spreading to the shares a computer is connected to, typically through mapped drives.  Ransomware can also reach your machine through a cloud file sharing service that synchronizes files between machines: if one computer running the sync client is infected, it can replicate the malware, and the encrypted copies of files, to every other computer in the sharing relationship.  Monitor file servers for mass file changes to detect ransomware behavior and scan files that are placed on network shares.  Similarly, equip each computer that uses cloud file sharing applications with antivirus software and segment business cloud file stores from personal ones.
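As an added example (not code from the original post) of the file-server monitoring suggested above, the script below scores audit events per user in a sliding window and raises an alert when a burst of renames or writes looks like encryption in progress. The event lines and their field layout, the ransom extension list (.locked is the one POGO Tear appends) and the note-name list are constructed assumptions; a real deployment would feed it from the file server’s audit log.

```python
"""Detecting ransomware-style mass file changes in file-server audit events.
Added example, not code from the original post. The event lines are
constructed; the field layout is an assumption, not a particular vendor's."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed indicators: extensions appended by common families (.locked is the
# one POGO Tear uses) and typical ransom-note file names.
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover_files.txt"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>\S+)(?: newpath=(?P<newpath>\S+))?$"
)


def parse_event(line):
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def event_score(ev):
    """Weight of one event: any rename or write on a share counts a little
    (catches unknown variants by sheer volume); a known ransom extension or
    note name counts a lot."""
    if ev["op"] not in {"WRITE", "RENAME"}:
        return 0
    target = (ev.get("newpath") or ev["path"]).lower()
    name = target.rsplit("/", 1)[-1]
    if any(name.endswith(ext) for ext in RANSOM_EXTENSIONS) or name in RANSOM_NOTE_NAMES:
        return 5
    return 1


def detect_bursts(lines, window_seconds=60, threshold=30):
    """Sliding-window score per user; one alert per user the first time the
    score inside the window reaches the threshold. Returns a list of alerts."""
    events = [ev for ev in (parse_event(line) for line in lines) if ev]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # user -> deque of (ts, score)
    alerts, alerted = [], set()
    for ev in events:
        score = event_score(ev)
        if score == 0:
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], score))
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        total = sum(s for _, s in q)
        if total >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"user": ev["user"], "at": ev["ts"].isoformat(),
                           "score": total, "events": len(q)})
    return alerts


# Constructed sample: alice does normal work; bob's session renames a batch
# of spreadsheets to .locked within a few seconds and drops a ransom note.
SAMPLE_EVENTS = [
    f"2016-08-12T09:14:{i:02d} user=alice op=WRITE path=//fs01/finance/report{i}.docx"
    for i in range(5)
] + [
    f"2016-08-12T09:30:{i:02d} user=bob op=RENAME path=//fs01/finance/q{i}.xlsx newpath=//fs01/finance/q{i}.xlsx.locked"
    for i in range(8)
] + [
    "2016-08-12T09:30:09 user=bob op=WRITE path=//fs01/finance/README_DECRYPT.txt",
    "garbage line the parser ignores",
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

The alert fires on bob’s sixth rename, five seconds into the burst, which is the point at which an automated response (disabling the account or the session on the file server) still saves most of the share. Lowering the threshold trades earlier detection for false positives from legitimate bulk operations such as a migration script.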

System vulnerabilities

Vulnerabilities in operating systems, applications and browser plugins are well documented once they have been discovered.  Attackers create exploit kits to target these vulnerabilities and then other malicious actors utilize these exploit kits to deliver malware to your machine.  The most common exploits are those related to operating systems such as Windows, applications such as Adobe Acrobat, or browser plugins such as Java, Flash, or Silverlight.  The best way to protect against the exploitation of such vulnerabilities is to keep systems, applications, and plugins updated to the latest version.  Vendors frequently release new versions or patches to software that fix the vulnerabilities that have been discovered.  Applying these updates can prevent those vulnerabilities from being exploited.

Exceptions

There will always be exceptions in a security system.  No system will protect you one hundred percent of the time, and that is why it is important to have contingency plans.  When ransomware gets past your defenses, and it will at some point, be sure you have up-to-date backups of critical files so that you can remove the malware and the encrypted files and then restore clean versions of the files to computers.  Backup storage should be distinct from production systems.  For example, a hard drive connected to a computer or a network attached storage device are both reachable from an infected machine, so the backups on them are likely to be encrypted too.  Tape backups or online backup services that keep versioned, point-in-time copies are separate from production storage and can be relied upon to restore clean data, provided the restore points predate the infection and the backup credentials were not sitting on the infected machine.


The human brain vs. computers in the identity challenge

The concept of identity is core to the protection of data.  Data and other computing resources exist to be used by individuals, each of whom has an identity that is used to grant or deny access to such resources.  However, identity is not limited to humans.  Computer services also have an identity that allows them to interact with other services and data.

As humans, we understand identity as all the characteristics that are representative and unique of an individual and our method of validating identity comes naturally in the course of interaction.  We recognize and associate these characteristics with a unique person and our ability to associate characteristics with a person increases with our exposure to the individual.  Exposure does not need to be direct, such as spending time with them, but can be gained indirectly through activities such as reading or talking about them or seeing them on TV.  This is why some persons are more easily recognizable than others.  Consider how you recognize the touch of a loved one or the voice of your mother whereas a former acquaintance’s name may be unfamiliar to you, even when encountering them face to face.  Similarly, popular personalities such as actors or politicians are easily recognized by each of us even if we have never met them personally.  Similar methods are used to build trust.  You wouldn’t let a stranger borrow your car, but this might change as strangers become friends.

Computers, likewise, can use a variety of characteristics to validate a claimed identity but the methods of recognizing that identity differ from humans.   Users validate their identity to a computer by claiming an identity and then providing credentials to back up that claim in a process called authentication.  For example, a username claims an identity while the correct corresponding password validates it.

However, there are several important distinctions between the identification that occurs on a computer system and identification between persons.  Computers have an advantage over humans in that they do not forget user identities over time but their methods of identifying a person are much more limited.  Whereas a human can use hundreds of characteristics to make an identity and they can associate a different set of characteristics with different people, a computer system typically only supports a few very structured methods of identification.  The most familiar method of authenticating to a computer system is the traditional username and password, but other methods such as fingerprints, facial recognition, proximity cards and secret questions can also be used.

There are further distinctions between computers and humans in terms of trust.  Humans trust an individual based on their experience, knowledge and interactions with the individual, but computers trust an individual only as far as the user’s permissions dictate.  Permissions determine how an identity can interface with data including viewing, modifying, creating or deleting it.  Other permissions might allow a user to issue commands to a computer system, run a program, or utilize a service.

Mitigating computer-based identity weaknesses

Both human and computer identification systems suffer from inherent weaknesses.  A computer’s limited methods of identification and the structured method used to evaluate identity make it relatively straightforward for an individual to programmatically exploit these methods and fraudulently authenticate.  These characteristics are also an advantage since a computer will always stick to the rules and enforce the identity requirements for an individual when identity systems are implemented properly.  Computer weaknesses are commonly exploited through credential cracking, credential theft, and the exploitation of authentication system vulnerabilities.

The overly simplistic solution to the problem would be to combine the advantages of both systems together.  However, this does not work well in practice.  Multi-factor authentication — utilizing multiple methods for validating a claimed identity — is a well-accepted method for improving authentication over single-factor authentication, but this is often limited to a small handful of identifying characteristics.  This limitation primarily lies in resistance from users of computing systems who resent the time required to present multiple credentials or the need to carry items on their person in order to authenticate.  Some of the most effective systems utilize a combination of user provided credentials and data the computer system can collect on its own such as the location, device initiating the connection, and time and date, but still fall short of what can be utilized by a human in identification.  Furthermore, these credentials can still be faked or fraudulently obtained.

Human interaction typically detects a change in identity or behavior naturally in the course of interaction, but computers validate identity once and then trust the identity has not changed between a user’s logon to a system and their logoff, also known as a session.  This presents a problem for enterprise security since malware, shared sessions, or idle sessions that have not been locked, allow for misuse by others.  The computer system cannot differentiate between activities taken by a coworker on another user’s computer or malware running in a user’s session and legitimate activities performed by the user.  This risk is somewhat mitigated by automatically logging off idle sessions and by locking out computers at specific intervals, but this still leaves a lot of room for session compromise.

Some systems are beginning to revalidate credentials periodically to protect against a compromised session.  The most basic systems simply revalidate at predefined intervals, while more advanced systems use a variety of variables and complex algorithms to evaluate the level of assurance they have in the identity.  For example, abnormal user interaction could trigger reauthentication, as could a change of location or logging in from two locations simultaneously.
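The following is an added example, not code from the original post, of the kind of per-request evaluation described above: each request is compared with the last accepted one for the same session, and signals the computer can collect on its own (location, device, time of day) decide whether to keep trusting the logon or demand re-authentication. The events, the 900 km/h travel ceiling and the business-hours range are constructed assumptions.

```python
"""Re-evaluating a session on each request instead of trusting the logon
once. Added example, not from the original post; the events and the
thresholds are constructed for illustration."""
import math
from datetime import datetime, timezone

MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed: faster than airline travel is impossible
BUSINESS_HOURS = range(6, 22)      # assumed: UTC hours considered normal for this user


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def assess(previous, current):
    """Compare the current request with the last accepted one for the same
    session. Each event is {"ts": datetime, "lat", "lon", "device"}.
    Returns (decision, reasons), decision being "allow" or "reauthenticate"."""
    reasons = []
    hours = (current["ts"] - previous["ts"]).total_seconds() / 3600.0
    if hours < 0:
        reasons.append("clock_went_backwards")
    distance = haversine_km(previous["lat"], previous["lon"], current["lat"], current["lon"])
    if hours <= 0 and distance > 1.0:
        reasons.append("impossible_travel")   # two places at once
    elif hours > 0 and distance / hours > MAX_PLAUSIBLE_SPEED_KMH:
        reasons.append("impossible_travel")   # moved faster than a plane
    if current["device"] != previous["device"]:
        reasons.append("device_changed")
    if current["ts"].hour not in BUSINESS_HOURS:
        reasons.append("off_hours")
    # Strong signals force re-authentication on their own; weak ones only in combination.
    strong = {"impossible_travel", "device_changed", "clock_went_backwards"}
    if strong & set(reasons) or len(reasons) >= 2:
        return "reauthenticate", reasons
    return "allow", reasons


def ev(hour, minute, lat, lon, device):
    return {"ts": datetime(2016, 8, 12, hour, minute, tzinfo=timezone.utc),
            "lat": lat, "lon": lon, "device": device}


# Constructed events: a logon in Manhattan, then three candidate follow-ups.
LOGON_NEW_YORK = ev(9, 0, 40.7128, -74.0060, "laptop-1")
SAME_CITY_LATER = ev(10, 0, 40.7306, -73.9352, "laptop-1")       # Brooklyn, an hour later
LONDON_SAME_MINUTE = ev(9, 0, 51.5074, -0.1278, "laptop-1")      # "logged in from two locations"
LONDON_ONE_HOUR_LATER = ev(10, 0, 51.5074, -0.1278, "laptop-1")  # ~5,570 km in one hour
NEW_DEVICE_SAME_DESK = ev(9, 30, 40.7128, -74.0060, "phone-2")

if __name__ == "__main__":
    for name, candidate in [("same city", SAME_CITY_LATER), ("London now", LONDON_SAME_MINUTE),
                            ("London +1h", LONDON_ONE_HOUR_LATER), ("new device", NEW_DEVICE_SAME_DESK)]:
        print(name, assess(LOGON_NEW_YORK, candidate))
```

Only the Brooklyn request an hour later keeps the session; the other three trip a strong signal and the user is asked to prove the identity again, which is the computer’s substitute for the continuous recognition a human does without thinking.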

A variety of systems under the umbrella of Identity and Access Management (IAM) have been created to handle computer identity based on the scope and complexity of the need.

Mitigating human-based identity weaknesses

Humans are not as disciplined in validating identity and humans can become distracted.  A pretty smile or a few friendly words will not be enough to get past a computer, but they work just fine and quite often with humans.  Other techniques such as making oneself appear to be an authority figure, playing on emotions, or asking for help, exploit general human characteristics.  I refrain from calling them weaknesses because they are vital to positive social interaction but they can present a threat when exploited by a malicious individual such as a social engineer.

Human weaknesses are the targets of social engineering, cyber persuasion schemes that entice users to divulge their credentials or perform actions on the social engineer’s behalf.  This threat is reduced through security awareness training, documentation and enforcement of policies and procedures, and a culture of security.

The threats to identity compromise, both with computers and humans, have been the force behind many of the security controls in place today.  Humans and computers handle identity very differently but both access and interface with organizational data and both are potential targets for identity compromise when they are protected independently. However, when humans and computers are integrated into a human-centric security strategy, their strengths and weaknesses can reinforce one another.  When humans lack consistency, a computer assists and when computers have difficulty validating, humans add context and experience.  As a result of this increased understanding of human-computer strengths and weaknesses, the security controls that comprise a human-centric strategy are easier and more intuitive for users.  This results in fewer mistakes or security workarounds and it increases productivity by reducing security complexity.  Simply put, humans and computers combined are a winning combination.


The missing leg – integrity in the CIA triad

Information security is often described using the CIA Triad. The CIA stands for Confidentiality, Integrity, and Availability and these are the three elements of data that information security tries to protect. If we look at the CIA triad from the attacker’s viewpoint, they would seek to compromise confidentiality by stealing data, integrity by manipulating data and availability by deleting data or taking down the systems that host the data.

By far, most attacks have focused on disrupting confidentiality or availability, so defense mechanisms and training have also focused there. The number of data breaches has skyrocketed and there is a flourishing market for stolen data including personal health information, credit card numbers, social security numbers, advertising lists, and proprietary technology. We also see many attacks on availability through denial of service.

Integrity attacks are much less commonplace, but they still represent a threat. Organizations must protect more than just confidentiality to be secure (see Overly and Howell’s Myth #3).

So what does an attack on integrity look like? Let’s look at three examples

  1. Enticing an opponent to make a bad decision

There is a software development saying that goes, “Garbage in, garbage out,” meaning if you let junk data into your program, it will produce junk for output. Similarly, junk data used in decision making will result in bad decisions. Integrity attacks of this sort aim to sabotage competitors or opponents by poisoning information stores that their competitors use to make critical decisions.

  2. Exploiting temporary data inconsistencies

Attackers modify the time on a Network Time Protocol (NTP) server so that door access control systems think it is the middle of the day instead of the middle of the night. Consequently, the doors unlock or require only a PIN instead of multi-factor authentication. Any system that makes decisions based on time should therefore cross-check more than one time source and fail closed when the sources disagree.

In another example, thieves momentarily inflate the balance of accounts before performing a wire transfer or stock ticker symbols are changed in a trading company database resulting in many incorrect stock transactions and inflated or deflated stock valuation by the market.
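The NTP example is a small integrity attack with a small defense. As an added example (not code from the original post), the script below shows a door controller that refuses to trust a single clock: it takes readings from several time sources, discards any that disagree with the median, requires a quorum, and falls back to the strongest authentication factor when no quorum forms. The readings, the 5-second tolerance and the PIN-by-day, MFA-by-night policy are constructed assumptions used only to show the failure mode.

```python
"""Cross-checking time sources before a time-dependent access decision.
Added example, not from the original post; the source readings are
constructed, and the door policy (PIN by day, MFA at night) is an assumed
policy used only to show the failure mode."""
import statistics
from datetime import datetime, timezone

MAX_SKEW_SECONDS = 5.0   # assumed tolerance between healthy sources
QUORUM = 3               # minimum agreeing sources to trust a reading


def utc(y, mo, d, h, mi=0, s=0):
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp()


def trusted_time(readings, max_skew=MAX_SKEW_SECONDS, quorum=QUORUM):
    """readings: {source_name: epoch seconds}. Sources within max_skew of the
    median are accepted; the result is None if fewer than `quorum` agree.
    Returns (time_or_None, accepted, rejected)."""
    if not readings:
        return None, {}, set()
    median = statistics.median(readings.values())
    accepted = {src: t for src, t in readings.items() if abs(t - median) <= max_skew}
    rejected = set(readings) - set(accepted)
    if len(accepted) < quorum:
        return None, accepted, rejected
    return statistics.median(accepted.values()), accepted, rejected


def door_requirement(epoch):
    """Assumed policy: PIN only during business hours, multi-factor otherwise.
    A naive controller calls this with whatever its one NTP server says."""
    hour = datetime.fromtimestamp(epoch, tz=timezone.utc).hour
    return "pin" if 8 <= hour < 18 else "mfa"


def decide(readings):
    """Fail closed: with no trustworthy time, require the strongest factor."""
    t, accepted, rejected = trusted_time(readings)
    if t is None:
        return {"requirement": "mfa", "reason": "no time quorum", "rejected": rejected}
    return {"requirement": door_requirement(t), "reason": "quorum", "rejected": rejected}


# Constructed readings: it is 02:00 UTC; one server has been pushed to midday.
NIGHT_WITH_ONE_POISONED = {
    "ntp1": utc(2016, 8, 12, 2, 0, 0),
    "ntp2": utc(2016, 8, 12, 2, 0, 1),
    "ntp3": utc(2016, 8, 12, 1, 59, 59),
    "ntp4": utc(2016, 8, 12, 13, 0, 0),
}
# Two of four poisoned: the median lands between the camps and no quorum forms.
NIGHT_WITH_TWO_POISONED = dict(NIGHT_WITH_ONE_POISONED, ntp3=utc(2016, 8, 12, 13, 0, 2))

if __name__ == "__main__":
    print("naive controller on ntp4 alone:", door_requirement(NIGHT_WITH_ONE_POISONED["ntp4"]))
    print("quorum controller, one poisoned:", decide(NIGHT_WITH_ONE_POISONED))
    print("quorum controller, two poisoned:", decide(NIGHT_WITH_TWO_POISONED))
```

With a single poisoned source the naive controller downgrades to PIN at 2 a.m., the quorum controller rejects that source and keeps MFA; with half the sources poisoned nothing agrees, and failing closed keeps MFA as well. The same pattern, agreement among independent sources before acting, is the general defense for the inflated-balance and ticker-symbol examples too.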

  3. Online Vandalism

Hacktivists or cyber activists often employ online vandalism to spread their message and others vandalize sites for fun or to hurt brand image. For example, the FBI issued a warning in April that ISIL was mass-defacing WordPress websites using known vulnerabilities.

The good news is that many of the technical controls organizations already have in place to protect the confidentiality and availability of data can also be used to protect its integrity since attackers must exploit similar vulnerabilities or access the same systems on which they perform other attacks. However, procedures and training may need to be updated so that employees are aware of such threats and how to recognize them. Furthermore, the data that goes into critical decisions should be validated through alternate sources. Consider the following:

  • Require application security assessments to address integrity as well as confidentiality and availability.
  • Conduct a risk analysis of the loss of data integrity for key information systems and use these risk calculations to ensure that controls adequately address risk levels.
  • Update security awareness training to include sections on data integrity, validation and incident reporting.
  • Ensure that security policies and procedures address integrity as well as confidentiality and availability.
