Prepare for Ransomware: Delivery and Defense (Part 3 in a Series on Ransomware)
Updated: Jul 24
*This blog entry was originally published on January 13, 2017 on the original Polito Blog by Roman Romanenco. It was re-posted on October 3, 2017 due to migrating to a new blog platform.
In this ongoing series on the proliferation of ransomware, Part One scratched the surface and provided background information on the growing ransomware threat. In Part Two we went deeper and explored the kill chain for a typical ransomware sample, illustrating the multiple phases of a ransomware infection. As we security practitioners often remind others, good cyber hygiene and best practices in security controls will go a long way in effectively defending against ransomware and malware in general. In this follow up blog post, we will dive even deeper and focus on several key kill chain techniques utilized by most ransomware variants and corresponding “best bang for your buck” counter-measures that can often be implemented relatively quickly and cheaply. The following recommendations are not intended to be an exhaustive resource for ransomware detection and defense, but instead to provide a roadmap for mitigating malicious activity with effective security controls.
Even if your environment lacks a “next-gen” security product or service, there are many low cost / high impact measures that can readily be deployed and utilized to improve endpoint and network security. Malware would be much less of a serious threat today if enterprises proactively implemented critical security controls that are proven to stand up to a variety of attack vectors and threats, ransomware or otherwise. Ransomware is a booming criminal enterprise and an interesting type of threat, but we need to avoid tunnel vision. If a common ransomware variant can readily progress through all its phases of the kill chain unimpeded in order to encrypt critical user files saved on the local machine and on networks shares, imagine how easy it would be for a more advanced adversary to perform a targeted attack to delete or exfiltrate those critical user files. The BlackEnergy attack on the Ukrainian electric power industry this past year caused a physical, real-world effect.
In this blog post we will cover the delivery and obscuring techniques used by commonly encountered ransomware in the wild and security controls that can be implemented as preventative measures to ransomware’s delivery onto the target system. Post-delivery and exploitation security controls will be discussed in a follow-up post.
Delivery Methods and Tactics
To deliver the initial exploit, an attacker often uses bait to launch the attack; this can be achieved by sending the payload to the victim via phishing emails, malicious links, infected attachments, malicious ads, or a compromised website. The following are the most common techniques ransomware has been observed to leverage to find its way onto a victim’s computer.
Phishing emails and spam are still a dominating vector of ransomware delivery going into 2017, now with 97% of phishing emails containing ransomware. Typically, a victim receives a message that appears to have been sent by a known contact or organization, containing an attachment or a link. Phishing is a popular method as it is far easier to trick someone into clicking a malicious link or opening an attachment in a seemingly legitimate email than trying to break through a computer’s defenses.
Figure 1: Email with attached invoice Office document from Indian domain - Locky ransomware email sample. Credit: Adrian Santangelo
Phishing emails often use financial-themed subjects which trick a user to open them without thinking such as:
FW:Expenses Report # xxxx
RE: Additional Information Needed # xxxxxx
The Locky phishing email above has a document attachment. These email attachments, typically purporting to be documents or spreadsheets, are weaponized with malware. In other variations, other commonly abused file formats could be attached to the message such as executable, ZIP, RAR, 7z, scripts, and other high-risk file formats.
VirusTotal detection for attached Invoice Office document.
Office documents can contain code embedded with a payload written in Visual Basic for Applications (VBA) macros, as in the sample from the email. Once the victim opens the document and allows macros to run, this code can assist in compromising workstations by running an exploit to deliver a payload.
Figure 2: Malicious macro-enabled document.
The Office document from the phishing email discussed earlier advises the user to enable macros if the data encoding is incorrect. Once the user enables macros, it doesn’t actually correct the text encoding.
Figure 3: Network traffic after enabling macros (.EXE download)
Instead the macro downloads an executable from a remote server and executes it, completing the infection chain – Download traffic captured with Wireshark
File Extension Hiding
Another favorite technique of attackers is to deliver an executable file inside of a compressed archive attachment such as a ZIP file. Scammers usually name the executable inside the ZIP file something like “deposit.pdf.exe” or “document001.pdf.exe” to trick you into thinking it is safe. Since file extensions are hidden by default in Windows, and the genuine extension is always the last extension, the attachment would appear to the user as “deposit.pdf”.
Figure 4: Shortcut document with stored command posing as PDF invoice.
POC: “C:\Windows\System32\cmd.exe /c echo WScript.Echo(“Hello”)>s.js & s.js”
Another variation of obscuring the real file extension uses numerous spaces before the “.exe” in the filename, like:
“deposit.pdf .exe” - so the “.exe” does not appear on the screen and tricks the victim into thinking it is a PDF file. In this scenario, once the executable file or script is run, it completes the infection chain.
2. Malicious Links
Other variations of ransomware delivery rely on the user clicking a link from the phishing email. The link then may take the user to a website that infects the system via a series of redirects (such as an exploit kit or malvertising-induced drive-by download) or downloads the malware directly with the click of the embedded link (such as embedded link to http://website.com/evil.exe).
Drive-by downloads focus on un-patched vulnerabilities in Windows and other installed software to silently infect your machine with little to no user interaction required, this malware “auto-installs” without the usual prompts about saving or running downloaded files. Even when visiting a legitimate website, users must remain vigilant as legitimate websites can be compromised to host malicious scripts or ads that redirect to exploit kits and malware payloads.
Figure 5: Network traffic from visiting a compromised website with injected script. PCAP credit: firstname.lastname@example.org
Page from the compromised website “www.dannabananas.com” with injected script leading to a redirect URL.
“mybook.bookinturkey.net” – GET /scripts/comments_simple.js - Afraidgate redirect URL leading to a Rig-V landing page.
AV detected and blocked script on the compromised website.
“red.happyeyeusa.com” Rig-V Flash exploit landing page traffic.
POST /checkupdate Locky post-infection callback traffic to 220.127.116.11
Similar to visiting a compromised website as shown above, malvertising is executed by hiding malicious code within online advertisements. These ads include active scripts that are built to download malware or force undesirable content to the victim’s computer when once page is loaded with ads. Ads usually appearing as banners or pop-ups contain an iframe, an invisible box that can navigate to additional web pages. Malvertisers and the exploit kits they often rely upon primarily use Adobe Flash, Adobe PDF, and Java vulnerabilities to spread malware because these browser plugins are highly prone to security vulnerabilities.
Figure 6: Infection blocked from Spotify application (and web application) loading a free-version ad. Ads in Desktop applications pose a threat too, and are independent from browser-based adblockers.
Defenses that can be implemented to defend against such common delivery methods:
Spam Filters - Enabling filters won’t catch every malicious email, but can stop a significant number of malicious emails, especially if the filter rules are tuned and updated.
External Tags - If your mail server allows such functionality, configure email messages received from external systems to be marked with a tag in the subject line (such as “[External]” and “[Attachment]” to make users aware that the message originated from an external party and to treat anything contained in or attached to that message with caution. Accordingly, if an employee receives an email purporting to be from another employee, but with an [External] tag, that should raise a red flag.
Block High-Risk File Types - Block email messages with commonly abused file formats attached to the message such as executable, ZIP, RAR, 7z, Office documents with macros, scripts, and other high-risk file formats. Check out this list of high-risk file types to block based on extension. As extensions can be easily manipulated or obfuscated, blocking file formats based on content inspection (e.g. file headers) is more effectively than blocking solely based on extension.
Always Show File Extensions - Windows Explorer hides file name extensions by default, however you can make file name extensions visible by following this simple solution.
Training - Focus on user awareness and training. Because end users are often targeted, employees should be made aware of the threat of ransomware and how it is delivered, and trained on basic information security principles and techniques including how to spot phishing emails and other social engineering techniques.
Configure Ad Blocker - Install and configure an ad blocker plugin in browsers, which can help disrupt malvertising and other drive-by download vectors. For example, navigate to ADBlockPlus in your browser, AdBlock Plus will recognize your browser and issue installation instructions depending on the browser you are using. Alternatively, if web filtering at the network perimeter is possible, block any ad-related categories.
Disable/Uninstall Flash – find “Adobe Flash Player” in the “Programs and Features” and bring up the uninstall dialog. Google Chrome provides a built-in (and arguably more secure) version of Flash Player which can be disabled by accessing the Chrome plugins page by typing chrome://plugins in the address bar.
Disable Java Browser Integration - This will prevent malicious websites from loading the Java browser plugin to silently install malware. In Java’s settings on the Security tab, uncheck the “Enable Java content in the browser” checkbox. This will disable the Java plug-in in all browsers on your computer, although downloaded applications will still be able to use Java (such as Android SDK).
Disable PDF Reader plug-ins - Disabling the PDF Reader plug-in will result in your downloading PDFs to view in a PDF Reader application rather than viewing it in your browser, saving the user from loading a page with code that attacks PDF Reader vulnerabilities. Alternatively, there are non-Adobe PDF Reader software such as Sumatra PDF and Foxit Reader, which are not 100% secure but not commonly targeted as Adobe.
Maintain Up-to-Date Patch Management - Patch all endpoint device operating systems, software (including web browsers), and firmware as vulnerabilities are discovered. The danger is that patches have already been released, which means the attackers know exactly what’s vulnerable with an unpatched machine.
Enable AppLocker – Allows the organization to specify which users or groups can run particular applications based on unique identities of files. This allows to create rules for your desktops to prevent execution of unknown executables. Windows AppLocker
File and Share Permissions – Least privilege access should be enforced for users' ability to run and install software and access network shares. Users should not be allowed to run or install software as local admin by default. Permitting users to run their web browsers and any downloaded or attached files as local admin facilitates malware such as ransomware executing unimpeded as local admin. Similarly, share permissions should be as granular as possible. For example, if an infected user is restricted to read-only permissions for critical network shares, ransomware will be unable to encrypt or delete the files in that share from the infected user's workstation.
Anti-Virus Protection Software - Maintain up-to-date antivirus, but do not rely on antivirus as it is trivial for ransomware to evade detection, hence the best malware and antivirus tool is prevention.
Understanding the individualized ransomware delivery tactics allows us to determine what countermeasures and defense techniques can be put in place to obstruct the delivery process.
Polito, Inc. offers a wide range of security consulting services including penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.